Welcome to Safety Sunday – 8. Week. our weekly round-up of events in the world of cyber security (19 – 25 February 2024).

We’re collecting notable incidents and vulnerability reports from the past week.

Ransomware group LockBit disrupted by global police operation

Britain’s National Crime Agency (NCA) confirmed on Tuesday that it had obtained the source code of the LockBit group, as well as a wealth of intelligence relating to its activities and its affiliates, as part of a specialised task force called Operation Cronos.

The agency also announced the arrest of two LockBit members in Poland and Ukraine. More than 200 cryptocurrency accounts linked to the group have been frozen. Charges and sanctions have also been handed down in the US against two other Russian nationals.

Artur Sungatov and Ivan Gennadyevich Kondratyev (also known as Bassterlord) have been indicted by the US Department of Justice (DoJ) for deploying the LockBit system against numerous victims across the US.

Kondratyev was also charged with three felonies stemming from the use of a variant of the Sodinokibi ransomware, also known as REvil, to encrypt data, exfiltrating victims’ information.

The NCA called LockBit “the world’s most damaging cybercrime group”.

The agency said it took control of LockBit’s services as part of the action. This includes the administration environment used by affiliates and the publicly accessible leak pages hosted on the darkweb.

In addition, 34 servers were also seized and more than 1,000 decryption keys were recovered from the seized servers.

The U.S. State Department has announced a cash reward of up to $15 million for information that could lead to the identification of key LockBit leaders and the arrest of anyone involved in the operation.

New SSH-Snake malware steals keys and spreads across the network

SSH-Snake was discovered by the Sysdig Threat Research Team (TRT), which describes it as a “self-modifying worm” that differs from traditional SSH worms by avoiding patterns typical of scripted attacks.

The worm searches for private keys in various places, including shell history files, and uses them to stealthily spread to new systems.

However, researchers at cloud security company Sysdig say SSH-Snake takes the typical concept of lateral movement to a new level by being more consistent in its search for private keys.

The researchers also report that one of the peculiarities of SSH-Snake is its ability to modify and shrink when it is first run. It does this by removing comments and unnecessary functions from its code.

The functionality of SSH-Snake was confirmed after the C2 (Command and Control) server was discovered to be used by its operators to store data obtained by the worm, including login credentials and IP addresses of victims.

This data shows signs of active exploitation of known Confluence vulnerabilities (and possibly other vulnerabilities) for initial access, which led to the deployment of the worm on these endpoints.

Researchers say the tool has been used to attack approximately 100 victims.

Sysdig considers SSH-Snake an “evolutionary step” in terms of malware, as it focuses on a secure connection method that is widely used in corporate environments.

FTC orders Avast to pay $16.5 million for selling user data

The US Federal Trade Commission (FTC) orders Avast to pay $16.5 million and prohibits it from selling or licensing users’ web browsing data for advertising purposes.

The complaint alleges that Avast violated the rights of millions of consumers by collecting, storing and selling their browsing data without their knowledge or consent, misleading them that the products used to collect their data would block online tracking.

“Although the FTC routinely brings privacy lawsuits against companies that misrepresent their data protection practices, Avast’s decision to explicitly market its products as protecting browsing and tracking records only to subsequently sell those records is particularly striking,” said FTC Chairwoman Lina M. Khan.

Moreover, the amount of data Avast has collected is staggering. The complaint alleges that by 2020, they have amassed more than eight petabytes of data.

Specifically, the FTC alleges that UK-based Avast Limited has been collecting consumers’ web browsing information without their knowledge or consent using Avast browser extensions and antivirus software since at least 2014.

Signal introduces usernames to keep phone numbers private

Popular app Signal said it is piloting a new feature that allows users to create unique usernames to protect their phone numbers.

“If you use Signal, your phone number will no longer be visible to everyone you chat with by default,” said Randall Sarafa of Signal

Setting up a new username requires account holders to enter two or more numbers at the end of the username. Usernames can be changed freely.

A username is an anonymous way to start a conversation on a chat platform without having to share phone numbers. Signal said it is also taking steps to hide users’ phone numbers from others who don’t have them stored in their phone’s contacts by default.

In addition, users can use other settings to control who can look them up by their numbers, limiting the people who can text them.

Cyber attack hits pharmacies across America

Pharmacies across the United States are reporting that they are having difficulty dispensing prescriptions to patients due to a cyberattack on a UnitedHealth unit.

The company said in a regulatory filing Thursday that its Change Healthcare division, which processes insurance prescriptions for tens of thousands of pharmacies nationwide, was attacked by hackers who gained access to some of its systems.

For example, the Naval Hospital in Camp Pendleton, California, said in a post on the X network that it could not process any prescriptions.

“Due to an ongoing company-wide issue, all Camp Pendleton and affiliated pharmacies cannot process any prescription requests,” the hospital said. “As a result, we are only able to help patients with urgent and emergent prescriptions from hospital providers at this time.”

Evans Army Hospital in Colorado said in a Facebook post that some prescription orders will be delayed.

“This outage impacts the dispensing of prescriptions in the pharmacy – resulting in delays in processing and in some cases the inability to process,” the hospital said. “Medication refills were also affected.”

The American Hospital Association has recommended that organizations using Change Healthcare’s services prepare contingency plans in case an outage lasts for an extended period of time.

Up to 97,000 Microsoft Exchange servers may be vulnerable to a critical vulnerability

Up to 97,000 Microsoft Exchange servers may be vulnerable to a critical privilege escalation vulnerability known as CVE-2024-21410, which hackers are actively exploiting.

Microsoft addressed this bug on the 13th. February, when it has already been exploited as a zero-day.

The security issue allows remote unauthenticated actors to perform NTLM relay attacks on Microsoft Exchange servers and elevate their privileges on the system.

Threat monitoring service Shadowserver announced today that its scanners have identified approximately 97,000 potentially vulnerable servers.

Out of a total of 97,000 servers, 28,500 servers were confirmed to have the CVE-2024-21410 vulnerability.

The most affected countries are Germany (22 903 cases), the United States (19 434), the United Kingdom (3 665), France (3 074), Austria (2 987), Russia (2 771), Canada (2 554) and Switzerland (2 119).

There is currently no publicly available proof-of-concept (PoC) exploit for CVE-2024-21410, which somewhat limits the number of attackers who can exploit this vulnerability in attacks.

To resolve vulnerability CVE-2024-21410, system administrators are advised to apply Exchange Server 2019 Cumulative Update 14 (CU14) released during February Patch Tuesday 2024.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2024-21410 to its catalog of “Known Exploited Vulnerabilities” and has given federal authorities until July 7. March 2024 to apply available updates/fixes or stop using the product.

Exploitation of the CVE-2024-21410 vulnerability can have serious consequences for an organization, as attackers with elevated privileges on the Exchange server can gain access to confidential data and use the server for other attacks on the network.

Interested in cyber security? Check out the next episodes of our weekly magazine Safety Sunday.