Lockbit resurface after takeover & Lazarus are hitting Feb 25th – March 2nd - This Week in Security
Introduction
This week's security editor is Lior Rotkovitch. The latest news highlight was all about the return of Lockbit after the take down of the Lockbit “ransomware-as-a-service” The hacking group responded to the takedown and said they were lazy as they were swimming in money they forgot to update the php servers. This is the nature of security, one goes down one comes up, or the same one.
Reading the news is just one way to know what's up. Driving a car in endless traffic jams is a great time for listening to podcasts of your favorite kind. The security podcasts that I listened to last week are :
Episode 19 - February 2024 - AI App Security For IoT Edge Devices
It is always a pleasure hearing my EMEA partner Aaron B talking
Risky Business #738 -- LockBit is down but not out. Yet.
One of my favorite podcasts
Malicious Life - Kevin Mitnick, Part 1
And finally, Malicious Life is back with an episode on Kevin Mitnick
Until next time, keep it safe.
LockBit ransomware returns, restores servers after police disruption
On February 19, authorities took down LockBit’s infrastructure, which included 34 servers hosting the data leak website and its mirrors, data stolen from the victims, cryptocurrency addresses, decryption keys, and the affiliate panel.
Immediately after the takedown, the gang confirmed the breach saying that they lost only the servers running PHP and that backup systems without PHP were untouched.
LockBit says that law enforcement, to which they refer collectively as the FBI, breached two main servers “because for 5 years of swimming in money, I became very lazy.”
“Due to my personal negligence and irresponsibility, I relaxed and did not update PHP in time.” The threat actor says that the victim’s admin and chat panels server and the blog server were running PHP 8.1.2 and were likely hacked using a critical vulnerability tracked as CVE-2023-3824.
https://www.securityweek.com/lockbit-ransomware-gang-resurfaces-with-new-site/
Critical Flaw in Popular ‘Ultimate Member’ WordPress Plugin
The flaw, tracked as CVE-2024-1071 (CVSS score of 9.8), affects websites running the Ultimate Member WordPress membership plugin and could be exploited by unauthenticated attackers to append SQL queries to existing ones and extract information from databases.
According to Defiant, the bug exists because of an insecure implementation in users' query functionality, which results in the text sanitization function failing to protect against SQL injection attacks.
The company’s researchers also found that the structure of the query only allows attackers to take a time-based blind approach, using SQL CASE statements and the sleep command while observing the response time for the requests to steal information.
https://www.securityweek.com/critical-flaw-in-popular-ultimate-member-wordpress-plugin/
The Week in Ransomware - March 1st 2024 - Healthcare Under Siege
The most impactful attack of 2024 so far is the attack on UnitedHealth Group's subsidiary Change Healthcare, which has had significant consequences for the US healthcare system. This attack was later linked to the BlackCat ransomware operation, with UnitedHealth also confirming the group was behind the attack.
In some cases, patients are forced to pay full price for their medications until the issue is resolved. However, some medicines can cost thousands of dollars, making it difficult for many to afford the payments.
To make matters worse, the BlackCat ransomware operation, aka ALPHV, claims to have stolen 6TB of data from Change Healthcare during the attack, containing the personal information of millions of people.
The attack has led the FBI, CISA, and the HHS to issue a joint advisory warning of BlackCat attacks on hospitals.
Lazarus Exploits Typos to Sneak PyPI Malware into Dev Systems
Hacking group Lazarus uploaded four packages to the Python Package Index (PyPI) repository to infect developer systems with malware.
The disclosure comes days after Phylum uncovered several rogue packages on the npm registry that have been used to single out software developers as part of a campaign codenamed Contagious Interview.
An interesting commonality between the two sets of attacks is that the malicious code is concealed within a test script ("test.py"). In this case, however, the test file is merely a smokescreen for what's an XOR-encoded DLL file, which, in turn, creates two DLL files named IconCache.db and NTUSER.DAT.
The attack sequence then uses NTUSER.DAT to load and execute IconCache.db, a malware called Comebacker that's responsible for establishing connections with a command-and-control (C2) server to fetch and run a Windows executable file.
https://thehackernews.com/2024/02/lazarus-exploits-typos-to-sneak-pypi.html