Welcome to The Cybersecurity 202! Pretty wild NCAA basketball tournament so far, right? They call it “March Madness” for a reason.
The year’s second mass ransomware attack has claimed some big victims
A slow-motion mass ransomware attack has been unfolding over nearly two months, with new victims like Procter & Gamble and a U.K. pension fund acknowledging as recently as last week that they were hit.
In all, Clop — the ransomware gang responsible for the attack, whose name is sometimes stylized as Cl0p — claims that it has hit 130 victims by exploiting a previously unknown “zero-day” vulnerability in a popular file-transfer software.
It’s the second mass ransomware attack this year already, as ransomware gangs explore different approaches following a year of fewer reported attacks and fewer victims willing to pay the hackers to unlock their systems and/or keep stolen data private.
This round of attacks — which exploited a vulnerability in Fortra’s file-transfer tool, GoAnywhere — isn’t affecting as many organizations as the other massive ransomware attack this year. But it does seem to be causing more trouble for the individual organizations than the previous so-called “ESXiArgs” campaign, which infected thousands of servers but in some cases just hit victims’ noncritical systems.
Timeline
Fortra issued a private notice on its customer portal on Feb. 1 about the identification of the zero-day exploit, as cybersecurity journalist Brian Krebs first reported. One victim, Hatch Bank, later said in a notice to customers that Fortra said it had determined there was unauthorized access to the GoAnywhere site from Jan. 30 to Jan. 31.
On Feb. 7, Fortra released a fix for the vulnerability.
The company has faced questions about what it told customers.
- “Software maker Fortra told its corporate customers that their data was safe — even when it wasn’t — following a ransomware attack on its systems, TechCrunch has learned,” Zack Whitaker and Carly Page wrote.
- Two victim organizations told TechCrunch they didn’t learn they’d lost data to the hackers until they received a ransom demand, despite what Fortra told them. “When asked about this by email, Fortra spokesperson Rachel Woodford would not comment but did not dispute what the two organizations had told us or that Fortra had told customers their data was safe,” Whitaker and Page wrote.
- A Fortra spokesperson told The Post that the company “immediately took multiple steps” after being “made aware of suspicious activity” with the GoAnywhere software. The company is notifying affected customers and worked with the Cybersecurity and Infrastructure Security Agency to add the GoAnywhere vulnerability to its list of “must-patch” vulnerabilities in February, they said. “We are taking this very seriously and continue to help our customers implement mitigation steps to address this issue.”
The usual caveat applies when discussing what ransomware gangs claim: They have a track record of fabricating information about victims and are prone to bravado. So take Clop’s claim to have hit “130 victims” with a grain of salt.
That said, a combination of media reports and public disclosures from targets suggests that the campaign has claimed a significant number of victims.
In the past week alone:
- Procter & Gamble said it was a victim of the hackers exploiting the GoAnywhere vulnerability, and they took employee information.
- Virgin Group said its rewards club system was affected.
- The hackers also swiped employee data at the U.K. Pension Protection Fund, a spokesperson said.
- Health-care program provider US Wellness said it suffered a breach that might have affected customer information. It didn’t explicitly say it was a victim of Clop, but TechCrunch reported it was.
Other prominent victims include data security company Rubrik; health-care provider Community Health Systems, which said it believed that approximately 1 million patients might have been affected; and Hitachi Energy, which is owned by the Japanese tech giant of the same name. Hitachi Energy said its customer data was not impacted.
Government response
The U.S. government is increasingly prioritizing disruptive operations in response to ransomware gangs and other cybercriminals, focusing on actions like taking down cybercrime forums or recovering ransomware payments that victims make to the gangs.
Whether that activity — or something else, or some combination of events — led to the 2022 ransomware downturn is a subject of debate. It’s also unclear whether the downturn is a trend or a blip.
The Department of Health and Human Services warned last month about Clop and other threats in a notice about the GoAnywhere incidents.
“The probability of cyberthreat actors like Clop targeting the healthcare industry remains high,” the notice said. “Prioritizing security by maintaining awareness of the threat landscape, assessing their situation, and providing staff with tools and resources necessary to prevent an cyberattack remains the best way forward for healthcare organizations.”
Correction: A previous version of this newsletter stated that Hitachi Energy said its customer data was impacted. This version has been updated.
The keys
China-linked VPN apps used in U.S. pose greater threat than TikTok
Virtual private network (VPN) apps that are linked to Chinese developers and downloaded often in the United States pose a greater threat to security and privacy than TikTok, though the former has not gotten as nearly as much attention as the popular short-form video app, our colleague Joseph Menn writes.
VPNs allow users to disguise their virtual and physical location to navigate around online safeguards or blocked sites, but experts say VPNs are able to track and see everything a user tries to hide while surfing the web, and many popular VPNs used in America are based in China or controlled by Chinese nationals, according to interviews and reviews of corporate records.
“You have a bunch of lazy people calling themselves VPNs who are making money from your data, just like Google,” said Dennis Batchelder, president of AppEsteem, which evaluates app safety for anti-virus companies. “I would have reservations about VPNs based in any country that can tell your company they want to grab your data.”
Some lawmakers have warned of the risks of VPNs, but “other members of Congress generally have been silent about the risks posed by VPNs, even from Chinese providers, while championing restrictions and outright bans on TikTok, which has far less access to what users do online,” Menn writes.
VPNs would be covered in the RESTRICT Act led by Sens. Mark R. Warner (D-Va.) and John Thune (R-S.D.) that would require the Commerce Department to evaluate the national security risks of foreign technology.
New details of alleged BreachForums founder emerge
New details have been reported following the arrest earlier this month of Conor Brian Fitzpatrick, who law enforcement accused of being behind the popular cybercriminal forum BreachForums.
The Justice Department announced on Friday that Fitzpatrick, 20, made a court appearance weeks after his arrest, adding that the FBI and Health and Human Services Department conducted an operation to take the site offline. An apparent staffer at the site wrote that they would be shutting down the site after they noticed that someone had logged into a key account after Fitzpatrick’s arrest.
- CyberScoop’s AJ Vicens writes that Fitzpatrick admitted to being BreachForums’s administrator, known as Pompompurin, and that he was making some $1,000 per day on stolen data trades, according to a cited affidavit. The affidavit adds that Fitzpatrick played the role of a middleman between the transactions and that several operational security mistakes linked his personal email, phone and address back to the site.
- Fitzpatrick has been charged with conspiracy to commit access device fraud, a crime carrying a maximum five-year prison sentence. Vicens reports that he previously appeared March 16 in a New York federal court and was released on a $300,000 bail.
- To prove BreachForums facilitated the exchange of stolen data, the FBI purchased data sets from the marketplace undercover, TechCrunch’s Lorenzo Franceschi-Bicchierai reports. Among several steps, they tracked several IP addresses back to Fitzpatrick, who was arrested March 15.
BreachForums, one of the most well-known cybercriminal markets, gained greater attention in recent weeks following the DC Health Link hack that exposed the data of hundreds, including Capitol Hill staffers and some lawmakers.
Your Cybersecurity 202 host reported last week that the impact of the site’s shutdown will have negative effects on the cybercrime world, though over time it will be replaced by something else that remains to be seen.
Parts of Twitter source code leaked on GitHub, company says
Twitter said in a legal filing that a GitHub user known as “FreeSpeechEnthusiast” posted part of Twitter’s underlying source code on the platform, our colleague Rachel Pannett reports. The company asked a federal judge to issue a subpoena ordering GitHub to identify the person who “posted, uploaded, downloaded or modified” the code, which Twitter said infringed its copyright.
- In Twitter’s takedown request to GitHub, the company described the code as “proprietary source code for Twitter’s platform and internal tools”; a legal filing said it was “various excerpts of Twitter source code.”
“A GitHub spokesman confirmed in an emailed statement that the company complied with a request from Twitter to take down the leaked code but would not comment further,” Rachel writes. “Twitter did not respond to a request for comment Sunday night.”
The filing was first reported by the New York Times.
Government scan
Global cyberspace
Cyber insecurity
Encryption wars
Privacy patch
Industry report
Daybook
- The Silverado Policy Accelerator holds the second day of its inaugural summit at 10:15 a.m., which will explore geopolitics, semiconductors and the global cybersecurity landscape, among other areas.
- The U.S. Chamber of Commerce convenes an in-person event to discuss how the recently released national cybersecurity strategy aims to protect critical infrastructure at 1:30 p.m.
Secure log off
Threat intelligence analysts after writing a YARA rule. pic.twitter.com/W2hTnDdcWC
— Matt Suiche (@msuiche) March 25, 2023
Thanks for reading. See you tomorrow.