this week in security β may 12 edition
THIS WEEK, TL;DR
U.S. accuses Russian national of being LockBit mastermind
Justice Department: I'm back after a week off, and we start with a big one. Happy LockBitSupp reveal week to all those who celebrate! π₯³ Finally! At long last, the feds have identified their guy they accuse of running the LockBit ransomware gang. The feds blame Dimitry Khoroshev for developing LockBit and being behind the main administrator's persona, known as LockBitSupp, and making around $100 million by extorting LockBit victims. LockBit's site was seized in February, allowing the feds to identify the LockBit admin, along with affiliates who hack victims and deploy LockBit ransomware. Now he's been named, the U.S. Treasury sanctioned Khoroshev, making it monumentally more difficult for him to collect ransom payments β at least from Americans or U.S. victims (some of which include Boeing, which never paid). Khoroshev's indictment is worth the read, and shows that LockBit's admin will try to throw anyone under the bus to keep himself alive. Given he's in Russia, he's likely to stay there β but since the feds accuse him of also targeting victims inside Russia, he might not see sunlight for that much longer. Here are a few more interesting morsels we learned from this week's indictment.
More: U.S. Treasury | National Crime Agency | KrebsOnSecurity | Analyst1
U.K. can't rule out 'state involvement' of Armed Forces payroll hack
BBC News: The U.K. defence secretary confirmed a cyberattack on a government contractor, which handles payroll for the U.K. Armed Forces, compromised servicemembers' names, bank details, and in some cases their home addresses. The Financial Times ($) says the firm is SSCL and that some 270,000 military records were compromised. The U.K. blames the "suspected work of a malign actor," but hasn't said who, though U.K. ministers suspect China (without providing evidence β yet). If we're looking for anyone to blame, the U.K.'s Conservative government set up SSCL back in 2013 as "part of a wider drive to save taxpayer money," which is code for penny-pinching. You're probably wondering, like me, why sensitive information about the U.K. Armed Forces were handled by a third-party contractor and not the government directly? And if there were "evidence of failings" by the third-party, why didn't the government act sooner?
More: U.K. Government | The Record | Sky News | TechCrunch | The Register
Cyberattack forces U.S. hospital network to divert ambulances
CNN: What's starting to become a trend, another major U.S. hospital system was hit by ransomware and was forced to divert patients to nearby hospitals. CNN reports that Ascension, a St. Louis-based nonprofit network that includes 140 hospitals in 19 states, was hacked and caused widespread outages, including access to patient records. Top U.S. cyber official Anne Neuberger says it's ransomware, and Ascension says it has no timeline for recovery. The healthcare-focused gang Black Basta group is to blame, per CNN's sources. Local media has reporting of major disruption at Ascension hospitals across the U.S. This comes as the U.S. government battles with healthcare groups over new rules that would require hospitals meet minimum security standards, which hospitals say the issues are with third-party systems. Actually, it's both.
More: Ascension | Detroit Free Press | Bloomberg ($) | Cyberscoop
~ ~
THE STUFF YOU MIGHT'VE MISSED
VPNs aren't as secure as some companies claim
Leviathan: VPNs allow you to funnel all of your network traffic away from your internet provider, but that means trusting some other company with your sensitive internet data. VPNs have become a huge snake oil space with promises of privacy and anonymity, and seldom actually do. And new research shows it's possible to decloak VPN users on the same network, effectively rendering the VPN moot. More from Brian Krebs with a write-up. If you want anonymity, use Tor.
London Drugs stores reopen; but "no evidence" of customer data breach
CBC: The president of London Drugs, one of the largest retail stores across parts of Canada, remains tightlipped about its recent cyberattack that forced the closure of its 79 outlets over a week ago. Clint Mahlman says his company "can't and won't" release details about the attack citing the ongoing security risks that the company faces. (Hate to break it to you, Clint, but the 'security through obscurity' approach doesn't help β and clearly hasn't so far.) But so far, there's "no evidence" that customer data has been compromised. Did millions of customers get lucky this time, or does London Drugs simply not have the evidence to confirm? @brett has the full note to customers.
FISA critics want details of expanded spying provision declassified
Brennan Center: Remember a few weeks ago when U.S. lawmakers wedged in a new expansion of FISA's spying law, which critics (and some lawmakers!) fear could be read as broadly forcing "almost any U.S. business" to assist with NSA spying? That passed into law, so it's here to stay β for now. Turns out the provision was meant to allow the NSA to spy on datacenters, which it was told previously by the FISA Court that it wasn't allowed. But because this is technically a government secret, the House pushed through the very vaguely worded provision that was meant to fill the gap, but instead created an enormous backdoor for snooping on, well, everything. Now the Brennan Center and others want the U.S. to declassify documents on its side to clear all of this up, since fears are that future governments could push the letter of this provision to the absolute extreme. @LizaGoitein has a great thread on this.
Brazilian stalkerware linked to Spanish developer
maia arson crimew: Yet more stalkerware research from Switzerland-based researcher maia arson crimew investigating the links between a Portuguese-language spy app WebDetetive, a whitelabeled version of OwnSpy, which crimew dug into last year. All these roads seem to lead back to a key figure in the stalkerware operation, Antonio Calatrava, the CEO of Spanish developer Mobile Innovations. Really important findings here, especially as these spyware makers attempt to hide their activities.
USPTO had another leak of filers' addresses
TechCrunch: The U.S. Patents and Trademark Office said about 14,000 applicants' private addresses were inadvertently included in bulk datasets the agency puts out to help academic and economic research. If this sounds somewhat familiar, it's because it is β a near-identical leak happened last year, affecting some 61,000 applicants' addresses. USPTO's deputy chief information officer told me in a call that the agency put in place new measures β essentially a technical process to handle "error correction with file creation" β so that this won't happen again... for a third time. (Disclosure: I wrote this!)
~ ~
OTHER NEWSY NUGGETS
Apple, Proton, Wire helped police identify an activist: Encrypted services often refer to a user's encrypted contents, like messages, photos and documents, but all too often the information about account holders β or metadata β is not encrypted. In the case of one pro-Catalan independence activist, Spanish police demanded information from two encrypted providers Proton and Wire, which helped to identify an iCloud address belonging to the activist. Apple then provided the iCloud address owner's full name and two home addresses. All of this to say, your online metadata matters. (via TechCrunch, VitaWeb)
U.S. lays out its commercial data collection rules (...kinda): The U.S. government's spy chief this week laid out the intelligence community's policies for collecting and using information it collects commercially, that is data its spy agencies purchase from data brokers, such as location data from users' phones and cars. Critically, though, the new policy doesn't say what kinds of Americans' data is off limits β such as medical records, credit information, banking data β which largely kicks the ball back into Congress' part to legislate. @ByronTau has a really good thread on the new rules. (via Cyberscoop)
DocGo? More like DataGone: DocGo, a healthcare contractor giant mired in controversy, disclosed in an SEC 8-K filing that cyber-crims "accessed and acquired" protected health information from DocGo's U.S.-based ambulance transportation business. It's not known what kind of data this includes, but PHI specifically often relates to health-related information and medical records. No word on how many affected β yet. (via BleepingComputer)
49 million Dell customer addresses scraped: In a case of not-quite-hacking, a threat actor claims to have scraped 49 million Dell customer addresses directly from the computer maker's systems, thanks to a leaky endpoint and the use of user accounts that Dell ultimately approved. Dell's handling of this breach has not been great, since it refuses to say how many are affected or say anything, frankly, even though it seems to bear at least some responsibility for this incident. TechCrunch confirmed that the threat actor has legitimate Dell customer data by checking customer names (with their consent against the scraped dataset (via TechCrunch)
~ ~
THE HAPPY CORNER
It's what we're all waiting for, here's the happy corner. A special shout-out to all everyone recovering from a busy RSA!
Congrats to the awesome cyber-pros @likethecoins and @C_C_Krebs for their appointments to the Cyber Safety Review Board, the U.S. government panel that investigates major cyber incidents and makes recommendations. The CSRB is a great panel doing important work, and has already put out reports into the handling and aftermath of the Lapsus$ hacks, Microsoft's email debacle, and the Log4j bug.
I'm very much enjoying the positive energy from this bot, which auto-toots random, bizarre but often very sweet starters for emails that begin, "I Hope This Email Finds You..." My personal recent favorite is, "I hope this email finds you, wherever you are," especially this week after migrating my newsletter's DNS records.
Moving on... if anyone else, like me, has a deep skepticism of AI and how companies are using it, this video is for you β and it had me in tears laughing because this is so true.
And finally, this closing thought. And for once, I'm with the robots since I can't read CAPTCHAs half the time anymore.
If you have good news you want to share, get in touch at: this@weekinsecurity.com.
~ ~
~ ~
CYBER CATS & FRIENDS
This week's cyber cat is Taco, who can be seen here guarding a huge bag of potatoes. Look, sometimes cyber takes you to weird and wonderful places β don't question it, just roll with it. You're doing vital work, Taco! Many thanks to Brandon R. for sending in!
Send in your cyber cats! Feel free to drop me a photo of your cyber cat (or non-feline friend!) with their name and they will be featured in an upcoming newsletter!
~ ~
SUGGESTION BOX
That's it for this week's newsletter! It's good to be back. Hope you had a great week and enjoyed this roundup β there's a lot going on.
I love hearing from you, whether it's your cyber cats (or their friends) or something you worked on that you want to share. If there's something you think might be a good fit for the newsletter, get in touch by email any time!
All my best,
@zackwhittaker