The hottest information security news for February 2024

Hi all! The last winter month has died down, so let’s sum it up. The main event, of course, was the large-scale takedown of the LockBit infrastructure, which dealt the group a blow from which it has little chance of recovering. BlackCat also made a splash in the United States by shutting down a payment system in healthcare, which ended in an exit scam and the group leaving the ransomware scene in early March. In addition, February brought a rare beast – a large-scale leak of the inner workings of the Chinese cybersecurity firm i-SOON, a major hack of AnyDesk, and a couple of high-profile cybercriminal names in the context of their court cases. Read about this and other hot cybersecurity events of the coldest month of the year under the cut!

Lockbit says goodbye to servers

February started off quite poetically for LockBit, considering everything that followed. The group hit a new low and claimed responsibility for the December 18 attack on a hospital in Chicago. St. Anthony's Hospital suffered a ransomware attack and theft of patient data. The attackers demanded a ransom of $850 thousand. The hospital is a non-profit, so the amount was obviously unaffordable for it.

What’s interesting is that a year earlier LockBit was in a similar situation – one of the group’s affiliates attacked a children’s hospital in Toronto. That attack, too, took place on December 18. Then, on New Year’s Eve, the group apologized, sent a decryptor, and allegedly kicked out the offending affiliate. Apparently, since then the restrictions on attacks have become less stringent, and the group has stopped flirting with the public and pretending to have a semblance of moral principles. Well, then came the well-deserved retribution.

On February 19, LockBit's infrastructure was taken over by the FBI and international police. In the wake of “Operation Cronos”, led by the British NCA, the group’s leak site on Tor ended up under law enforcement control, with a colorful seizure banner hanging on it. Some of the group’s sites kept working after the takedown; others went down.

The LockBit affiliate panel was seized as well. According to the seizure notice, law enforcement agencies obtained the LockBit source code, chats, information about victims and stolen data. The officers in uniform were sarcastic and suggested the attackers thank comrade LockBitSupp for the vulnerabilities in the infrastructure that led to the takedown. The latter’s status message said the servers had been hacked using a PHP exploit, and this was later confirmed. In short, no sooner had LockBit gloated over BlackCat’s December turmoil than it faced the same thing. During the operation, two ransomware operators were arrested in Poland and Ukraine, 200 crypto wallets were frozen, and 34 servers around the world were seized. A decryptor has also been published.

France and the United States issued international arrest warrants and brought charges against several members of the group. Among them are two who are documented as Russian citizens: Artur Sungatov and Ivan Gennadievich Kondratiev, the latter, according to the State Department, aka Bassterlord. All told, in the second half of February Europol announced a week of takedowns of LockBit servers and affiliates, and the number of ransomware attacks is expected to drop temporarily by a quarter. Meanwhile, members of the group who found themselves in unfriendly countries with extradition treaties briskly packed their suitcases in order to lie low somewhere in Bruges Saratov.

Following the operation, the State Department decided to consolidate the success: the usual reward of up to $15 million awaits anyone willing to jump from the sinking cybercriminal ship. Ten million for the leaders of the group and another five for LockBit affiliates. Judging by information from the authorities, the group had a total of 188 affiliates, but they did not report how many servers were active at the time of the takedown.

The soap opera around LockBit then continued: following the takedown of its infrastructure, the group set up a new website, and comrade LockBitSupp began writing letters to the FBI and threatening to leak data from the hack of the government website of Fulton County in the United States.

In a fit of megalomania, LockBitSupp claimed that “Operation Cronos” was carried out to prevent court documents concerning Trump from being leaked, which would allegedly affect the elections. The new leak countdown was set for March 1. The rest of the LockBit crew’s letter to their American nemesis is mostly incoherent muttering that they will not be intimidated and will never be stopped. Between the lines there is some technical information about the seizure of the servers, which there is no particular reason to believe – the group is clearly downplaying the consequences.

In short, the missed PHP update really rattled the comrades. LockBit spent the rest of the month actively trying to save face, claiming in an interview that the FBI had arrested a couple of random people but had nothing on the key persons of the group, and even offering $20 million for their own deanonymization. In the new season we could potentially expect a rebranding or the triumphant appearance of LockBit 4.0, which the group was actively working on before the takedown, along with the continuation of the soap opera.

However, judging by what is happening, things are clearly not going well in the ransomware kingdom of LockBit. Following the bombshell emails to the FBI full of megalomaniacal conspiracy theories surrounding the hack of a US government website, LockBit said Fulton County had paid the ransom. Their evidence? “We have deleted the data.” But bad luck: the county reported that no one had paid them anything. Apparently, LockBit did not retain any data after the servers were seized, and it was all a bluff.

Other “new” victims on the group’s new website also bashfully disappear from the blog under the close attention of security researchers, because analysis shows this is old data dressed up as fresh hacks. Simply put, fakes. All in all, it looks like LockBit is straining to portray a routine return to work and is desperately trying to convince its affiliates that nothing serious happened in mid-February. It isn't working out very well.

In other words, the brand is sinking, and its convulsive twitching is only opening new holes in the hull. We are taking bets on whether they will manage to swim out, but so far the odds are clearly not in their favor. And there is growing talk that this will soon be the end of the story of the key brand of the ransomware scene of recent years.

BlackCat's latest high-profile attack

In the second half of February, serious problems began in the United States with the healthcare payment system, hitting the large pharmacy chains CVS and Walgreens and other organizations connected to it. The reason was a ransomware attack on Change Healthcare, an IT service provider for the medical sector. On February 21, the company reported the attack and shut down its systems, which remained down for several weeks from then on. BlackCat was behind the attack.

Because of the downed systems, pharmacies had problems with the software for verifying insurance payments and patient prescriptions. Without the ability to process this data, the average American risks, for example, being left without insulin and not receiving other prescriptions on time. Next, the FBI and CISA confirmed that BlackCat is conducting targeted attacks on American healthcare. Since mid-December the industry has become a key target for the group, and of its 70 leaks, a significant number were hospitals and other healthcare facilities.

Let me remind you that after the takedown of the group’s infrastructure in December, its leaders announced that they would now allow their affiliates to attack targets that ransomware operators usually avoid so as not to attract unnecessary media attention. Now they could hit hospitals, nuclear power plants, anything, anywhere (except the CIS). Obviously, the affiliates were happy to take up the initiative – there are many words to describe the state of information security in the average hospital, but “well protected” is usually not one of them.

The collapse of the medical sector following the shutdown of Change Healthcare's systems continued into the first days of March. It got to the point that the US government had to intervene – a rather rare precedent in the context of cyber attacks. It is also a striking example of why it is unwise to route all transactions through a single provider: the entire healthcare payment infrastructure went down in a chain reaction.

So far, the government has eased payment terms for affected companies and recommends providing funding for those hit especially hard. In short, BlackCat’s December bravado of “Now we’ll shut down your critical infrastructure” backfired on them. They did shut it down. And now they are suddenly sinking themselves – in early March, the group pulled off a large-scale exit scam, disappeared with its affiliates’ money, including the $22 million ransom from Change Healthcare, and clumsily blamed it on the feds, who had nothing to do with what happened. DarkSide rides into the sunset 2.0, like clockwork.

In other words, the Colonial Pipeline incident of 2021 taught the BlackCat administrators nothing – back then the group hit US critical infrastructure in the same way, only to be forced to shut down the operation under pressure from law enforcement. Either that, or a windfall that blew through the ceiling gave someone dreams of a comfortable retirement. Read more next month about the results of the ransomware operation that was the rebrand of DarkSide and BlackMatter.

State Department Badge of Honor for Hive

Hive also deserves a special mention for February. As with LockBit and BlackCat, Uncle Sam awarded the ransomware group a badge of honor: the State Department offered its standard reward of up to $10 million for information leading to the identification, location, or arrest of its members. The men in black also noted that the FBI will throw in another $5 million on top for those willing to share valuable data.

The reward is being offered to would-be unsavory heroes just over a year after the FBI seized Hive's servers. That successful operation cost Hive more than $200 million in lost ransoms thanks to the keys sent to victims. Now its members have joined the orderly ranks of ransomware players with a $10 million price tag per head, where Cl0p, Conti, REvil and DarkSide already stand. The only question is whether there is honor among cyberthieves. More precisely, do they have any dirt on each other for deanonymization?

Leaked internal kitchen of Chinese i-SOON

Last month we witnessed a rare beast: a leak from behind the Great Firewall of China. Namely, from i-SOON, a top information security company in Shanghai, apparently courtesy of a disgruntled employee. The GitHub leak contained more than five hundred documents that allowed us to peek into the company’s inner workings. Marketing data, employee correspondence, screenshots, materials about attack tools, and much more were exposed.

In addition to the everyday correspondence of employees complaining about overwork and low wages, there is some rather interesting information: government contracts for espionage that China hands out to private information security firms, and work for the Chinese Ministry of Public Security – the local equivalent of the Ministry of Internal Affairs. For instance, one of the addresses in the correspondence is associated with a domain that featured in the 2019 Tibet campaign, and the i-SOON operators were then designated as the APT group Poison Carp.

Most of i-SOON's targets are expected to be in Asia, but chats suggest there were UK organizations on the list, including the Home and Foreign Offices, plus staff discussing the sale of some NATO-related data. In its own region, the company worked on targets in India, Vietnam, Nepal, Thailand, Mongolia, Myanmar and Kazakhstan.

i-SOON also has its embarrassments. In one exchange, an employee reports a successful hack of a Thai university, and the boss sends him a screenshot in which this university is not on the target list. And in general, judging by the documents, the company’s clients are often dissatisfied with the information obtained from the hacks, and the equipment it sells is outdated.

All in all, the material is interesting. Leaks of this kind from the Digital Celestial Empire are a rarity.

The AnyDesk hack

In February, remote access software maker AnyDesk reported a serious hack. The attack took place at the end of January. The attackers gained access to the source code and private code signing keys. AnyDesk did not share the details of the attack – it is known that it was not ransomware, but as a result of the hack the company revoked security certificates and reset passwords for its website. It also revoked the compromised code signing certificate.

Private keys, tokens and passwords are not stored on its systems, so, as AnyDesk confidently reports, there is no threat to users. Nevertheless, everyone is advised to change their passwords, especially if they are reused elsewhere, and to download the latest version of the software signed with the new certificate.

Meanwhile, following the attack, the access credentials of ~18,000 of the company’s clients were put up for sale on Exploit[.]in – apparently ahead of the expected password reset. In short, AnyDesk has everything under control. Someone, of course, poked around in its production systems. But that's nothing, just an everyday matter.

My boss is a deepfake

Fraud using deepfakes reached a whole new level in February. An international company in Hong Kong lost $25.6 million. An employee of its finance department received a phishing email requesting transactions and, for the sake of credibility, was invited to a video call with the chief financial officer, colleagues and other persons. Following the instructions, he transferred the money to various accounts. Except that all the other participants in the video call were deepfakes.

The case is notable both for the substantial amount stolen and for the whole cast of digital personas and synthesized voices. Enthusiasts are already coming up with ways to check whether the other party on a video call is real, especially if they ask to borrow a hundred million Hong Kong dollars.

All in all, there is a lot to learn from these deepfake pioneers of the zero-trust society predicted by the futurists. After all, you could train a deepfake of yourself to attend calls on your behalf. Let it take the rap.

High-profile court cases of February

And finally, to the big names of the cybercrime scene behind bars. In February, Joshua Schulte, the former CIA programmer responsible for the notorious Vault 7 leak, received the expected draconian sentence. They couldn’t get him the death penalty, but they gave him 40 years in prison, plus lifelong supervision after his release in the 2060s.

Vault 7 became the largest leak in the history of the CIA, handed to WikiLeaks and revealing many interesting details about the inner workings of US intelligence. So full of such details that a person unfamiliar with the realities of information security will inadvertently remember with a kind word one famous mathematician of Polish origin.

Schulte was found guilty of espionage, hacking, contempt of court and making false statements. After his equipment was seized, a huge amount of child pornography was also found on the hard drives, which added weight to the charges and made Schulte's life in prison much more difficult. All in all, an unenviable ending.

Also last month, the leader of JabberZeus, Vyacheslav Penchukov, pleaded guilty to charges of running the groups behind the Zeus and IcedID malware. The attacker, extradited to the United States last year, faces up to 40 years in prison – twenty for each group.

Penchukov, let me remind you, was arrested in Switzerland in the fall of 2022. The comrade spent ten years on the FBI's most wanted list. He was also behind the Maze ransomware, a pioneer of double extortion that used stolen data to pressure victims.

Penchukov evaded arrest for many years, reportedly thanks to his connections with the former Ukrainian government. However, the events of recent years apparently led to his departure from the country and his arrest in Geneva. The outcome of the story of a criminal who lived a rather fascinating life will be known on May 9 – on that day the Donetsk native nicknamed Slava Rich will be sentenced.
