Half of the Storm⚡Watch crew is DoS’d at RSA this week, so we’re taking a bit of a break! But, the cyber news never stops, so, we’ve put together an async edition of the show to ensure our amazing live contributors, video-on-demand viewers, and podcast listeners have something to fill the dire gap that will exist in your lives.
Rest assured, we’ll be back next Tuesday with the full crew and plenty to dig into.
Ransomware (Statistics) Roulette
As a team, we made a call to tune-down the amount of time and number of shows we talk about breaches and ransomware attacks. It’s easy pickings, others do it better than we do, and — let’s face it — while each event may be “new”, the situation is not exactly “news”.
As noted in a previous episode, Storm⚡Watch guest, Brett Callow, tracks ransomware events and statistics very closely and recently posited (albeit in a tongue-and-cheek manner) on what stats can we rely on. Should we believe Chainalysis (first image) or Sophos (second image)?
The main reason for conflicting stories (between any vendor) is that they have wildly different data sets from which to work.
Our pals at the Verizon DBIR have all the sources (well, far more than any single vendor) and mentioned “ransomware” a whopping 96 times in their 100-page 2024 report. As they note on page 31, “ransomware (or some type of Extortion) appears in 92% of industries as one of the top threats.” Honestly, though, Figure 33 from the report says it all regarding whether severe ransomware incidents are going up or down.
If you trust the government more than a corporate entity, then the recently released FBI Internet Crime Complaint Center (IC3) report for 2023 also takes umbrage on those who would purport that ransomware events and impacts are declining:
“In 2023, ransomware incidents continued to be impactful and costly. After a brief downturn in 2022, ransomware incidents were again on the rise with over 2,825 complaints. This represents an increase of 18% from 2022. Reported losses rose 74%, from $34.3 million to $59.6 million. Cybercriminals continue to adjust their tactics, and the FBI has observed emerging ransomware trends, such as the deployment of multiple ransomware variants against the same victim and the use of data-destruction tactics to increase pressure on victims to negotiate.”
Remember, always read vendor reports with a critical eye (even ours!), poke around to ensure they have a methodology section, and whether they acknowledge that there will always be an inherent bias in any data source.
Ch…Ch…Ch…Ch…Change Ransomware, Redux
Speaking of ransomware, that reminds us about the latest information regarding the UnitedHealth / Change Healthcare breach:
“On February 12, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops. The portal did not have multifactor authentication.”
Although it may be tempting to criticize this part of the incident in hindsight, what stands out is what was not mentioned. Specifically, an organization that handles more than one-third of Americans' insurance claims placed a system, Citrix, on the public internet. Citrix is known to be highly targeted by attackers with numerous prior zero-day and critical vulnerabilities that frequently lead to ransomware. This is the initial mistake that violates industry standards. Then we can acknowledge that the application did not use multifactor authentication, which is also an industry norm, allowing authentication via compromised credentials for nine days before the ransomware was deployed. Since ransomware is not stealthy, it is generally launched once the attacker has obtained what they want and wants to be recognized. How long could the attackers have dwelled if they didn’t launch?
Fast-forward to now, and UHC/Change was forced to pay the ransom; that is a business decision but the outcome of that is there is a threat actor with $22 million in funding to use to torment other organizations with the “advanced persistent threat” of credential stuffing random servers on the internet which may or may not have deleted the data they stole. (There is no way to know).
Ransomware isn’t going away. Cryptocurrency isn’t going away (for now). Paying a ransom is highly frowned upon, but may be the “best decision” at the moment. It is past time for regulators to outline the consequences of paying a ransom so that organizations can understand the potential regulatory changes and fines associated with this decision. By making the known costs of paying a ransom clear, organizations can be encouraged to invest proactively in security measures that actually protect their consumers, instead of relying on the “it's cheaper to pay the ransom if it happens” model.
Tool Time
Despite some folks asserting our industry is doing just fine when it comes to the current state of CVE, it really is not. Whether it’s the recent NVD fiasco, or a deluge of questionable CVEs from the new self-managed Linux CNA, or, even, major networking vendors just casually forgetting to note a devastating bug in a third-party library they use, the situation is only degrading. Said degradation is taking and will further take many forms. One of them is in the area of bogus CVEs.
To their major credit, the CVE Board understood this would be an issue and has a good process for challenging a CVE. However, just as one needs to be vigilant in academic circles and pay close attention to sites like Retraction Watch to know when a paper one relies on is defunct, security professionals need to monitor the CVE feed for CVEs that have been DISPUTED or REJECTED. However, we’d also like to suggest you monitor this tool/resource that tracks what are affectionately dubbed “bogus CVEs”. They’re not so frequent (yet), but it won’t hurt to add that repo to your RSS feeds. It could save defenders and IT operations folks time to help focus their scant resources for vulns that actually matter.
Tag Roundup
The frenetic pace of new tags has finally slowed down now that we’ve gone through the sizable portion of them that our Sift process found and that had verifiable proof-of-concept code:
- JetBrains TeamCity Auth Bypass CVE-2024-23917 Attempt
- JetBrains TeamCity Path Traversal CVE-2024-24942 Attempt
In terms of major tag activity, organizations that run Fortinet gear should be aware that a new campaign of brute force attempts was spun up over the weekend, as detected by our usually quiescent tag.
KEV Roundup
Just two KEV releases since our last “show”, and RSA is this week, so it’s unlikely we’ll see more KEV updates until next week (yes, I did just jinx that):
- CVE-2024-29988: Microsoft SmartScreen Prompt Security Feature Bypass Vulnerability
- CVE-2023-7028: GitLab Community and Enterprise Editions Improper Access Control Vulnerability
FIN
Thank you for “tuning into” this decidedly offline edition of Storm⚡Watch, where we weather the storms of the cyber world together. Keep your systems secure and your curiosity alive until we return with more updates from the eye of the digital storm. Farewell, and may your networks remain vigilant!