The Good, the Bad and the Ugly in Cybersecurity – Week 39

The Good

This week saw the inaugural LABScon – a security conference intent on fostering the advancement of cybersecurity research to build a stronger collective digital defense. LABScon is hosted by SentinelLabs, the research arm of SentinelOne, with the aim of bringing together researchers and experts from across the industry to share and disseminate critical threat intelligence and knowledge.

The multi-day event featured talks from prominent infosec voices including Mark Russinovich (Microsoft Azure), Chris Krebs (Krebs Stamos Group), Dmitri Alperovitch (Silverado Policy Accelerator), and Thomas Rid (Alperovitch Institute), among others.

On the second day of the event, SentinelLabs researchers revealed their discovery of a previously unknown advanced threat actor. Dubbed ‘Metador’, the shady group attacks high-value targets in the telecoms, networking, and education sectors using novel malware frameworks and custom-built backdoors.

The researchers said that the advanced nature of the actor’s toolset was difficult to detect and challenging to reverse engineer, warning that we have likely only seen the tip of the iceberg of intrusions attributable to Metador. Describing the group as the “1%ers” in reference to their elite status, the researchers called on the infosec community to review their telemetry and collaborate on learning more about this new adversary.

Security research events such as LABScon are significant in the infosec space as they provide a venue for advanced security collaboration and encourage practitioners, researchers and vendors alike to push the envelope of threat landscape understanding.

The Bad

This week, New York emergency response and ambulance service provider, Empress EMS, disclosed a ransomware attack resulting in the exfiltration of sensitive patient files.

As the files contained protected health information (PHI) like patient names, insurance information, and social security numbers, Empress EMS has reached out to affected individuals offering credit monitoring services and recommending that they review their healthcare statements for any discrepancies regarding charged services. Investigations report that the breach and encryption were followed by double-extortion efforts.

Through the HITECH Act, the U.S. Department of Health and Human Services (HHS) must publish breaches involving unsecured PHI affecting 500 or more individuals. So far, the Empress breach has affected 318,558 individuals.

While Empress EMS did not disclose the identity of the hackers that infiltrated their systems, the report points to the Hive ransomware group having published their victim’s data in late July. The breach unfortunately comes right on the heels of a warning issued just this April by the HHS about Hive’s aggressive, financially-motivated attacks disproportionately targeting healthcare organizations.

So, what happens when emergency services have their own emergencies? The question is a brutal one, throwing the reality of cyberattacks on healthcare into stark relief. When medical services and practitioners are impeded by cyberattacks, it’s people’s lives on the line. As the industry further digitizes its health record management, clinical support, prescription and dispensing, telemedicine, and health surveillance systems, healthcare providers will need to establish robust cybersecurity solutions to safeguard their increasingly complex data environments.

The Ugly

Once in a while, cybercriminals have to contend with the trouble of insider threats, too. News came out this week detailing a data leak coming from “an allegedly disgruntled developer” within the LockBit ransomware operation itself.

The “developer” leaked a builder for the newest version of the LockBit encryptor, which had been tested and launched in June and boasted new anti-analysis features, a ransomware bug bounty program, and all-new methods for encryption.

Reports noted that VX-Underground was given a copy of the builder and communicated directly with a public representative of LockBit operations. The representative denied that LockBit had been hacked, claiming rather that a disgruntled developer who was unhappy with the group’s leadership chose to leak the builder.

The ramifications of this leak will be fairly severe for the LockBit gang as competing threat actors will seek to leverage the builder to launch their own attacks. Worse for the rest of us, the new encryptor enables anyone with the code to build and launch their own ransomware operations as it includes the encryptor, decryptor, and specialized hacking tools needed for a threat campaign. Reports show that the builder allows any user to customize a ransomware campaign to their exact needs and link a ransom note directly to their own hacking infrastructure.

News of this insider leak lends yet another peek into the inner workings of cyber criminal enterprises, the last major incident in this vein occurring early this February when sixty thousand of Conti group’s chat messages were exposed. Ransomware operations closely resemble many professional establishments in having product testing processes, bug bounty programs, and even dealing with acts of vengeful employees through public relations representatives.

The rise of Ransomware-as-a-Service (RaaS) groups shows the alarming advancement and professionalization of cybercriminals. As low and medium-level threat actors increasingly turn to RaaS groups to launch complex campaigns, robust cybersecurity solutions are no longer a nice-to-have for organizations – they’re an absolute necessity.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *