It’s Monday, and there’s no better way to start a new week than with some cybersecurity-related news. So, if you need an excuse to procrastinate a bit more, allow us to fill that void. For this iteration, we made a few minor improvements, as always. In addition to the table of contents from last time, we’ve added more granularity by categorizing all the stories by type. For example, this week has four categories of reports – password managers, cyberlaw, new breaches, and threat actors.
This news sequence summarizes the LastPass incident that happened last year, on which we finally have more detailed information, and another password manager story: Bitwarden reporting an iframe-based auto-fill vulnerability in its password manager. We will discuss the White House National Cybersecurity Strategy, which outlines several key areas of critical infrastructure and domestic security posture. At the same time, the SEC charged Blackbaud for making misleading statements about its 2020 ransomware breach. There were a ton of new breaches, as usual, and we’ve extracted the interesting ones: an alleged breach of telehealth startup Cerebral, Dish Network’s ongoing struggle after a ransomware attack, and a US federal government-related breach. Finally, we end with a story on three EvilCorp members wanted in Germany, detailing some of their prior misdeeds.
Without further ado, onto the article.
Table of contents
- LastPass Incident Details Revealed
- BitWarden Reports Password Manager Vulnerability Exploited with Iframes
- White House Issues National Cybersecurity Strategy
- SEC Charges BlackBaud Over Failure to Disclose Full Impact of Breach
- Telehealth Startup Cerebral Notifies 3.18 Million Users of HIPAA Breach Exposing PHI
- Dish Network Customers Left in the Dark After Ransomware Breach
- United States House of Representatives PII Data Leaked on Public Forum; FBI Purchases Data?
- Three EvilCorp Members Wanted in Germany, Including Supposed Second-in-Command Leader
1) LastPass Incident Details Revealed
You’d be hard-pressed not to have heard of the LastPass incident last year that trickled into late quarter one of this year. It’s the reason that this story is being brought back up in this iteration of Cybersecurity News. At the beginning of March, LastPass provided the long-awaited details on the incident. Actually, it was two incidents that seemed to meld together into one significant incident. However, LastPass CEO Karim Toubba summarized each incident in their most recent update.
The first incident, on August 12, 2022, involved the compromise of a LastPass software engineer’s laptop. Because the engineer had access to source code, the threat actor stole source code, other technical information, and some internal secrets. After an investigation, LastPass considered this incident closed. However, we learned that information from this incident led to the second incident on October 26, 2022.
The second incident was a daisy chain of events that compromised a cloud-based storage backup with sensitive customer vault data, company secrets, and the LastPass MFA/Federation database backup. There’s no sugarcoating it; this is not good for LastPass users. Your master passwords and vault credentials are at an increased risk of being compromised. So, it’s advised, at minimum, to change ALL of your vault passwords and your master password. LastPass has released two security bulletins with further information on protecting yourself – one for Free, Premium, and Families, and another for Business users.
The most interesting aspect of this whole saga is how the threat actor infiltrated LastPass the second time around. According to their blog post on the incident, a senior DevOps engineer ran vulnerable third-party media software (allegedly Plex) on their home computer, which the attacker exploited. The exploit led to the deployment of malware that allowed remote code execution (RCE) on the engineer’s device. Using that RCE, the attacker installed a keylogger, which led to the compromise of credentials for LastPass’ Amazon storage servers, hosting sensitive data that only four other DevOps engineers had access to. From there, sensitive data was exfiltrated, which leads us here.
2) BitWarden Reports Password Manager Vulnerability Exploited with Iframes
Bitwarden is one of many password manager services out there, along with LastPass, 1Password, Dashlane, Keeper, and a myriad of others. For those who aren’t aware, a password manager is likely what you think it is – software that manages all your passwords. This prevents you from having to remember dozens or hundreds of passwords. You only need to remember one master password and, hopefully, access to a multi-factor authentication (MFA) mechanism.
What sets Bitwarden apart from many other password managers is that it is open source, hosting its source code on GitHub for all to see. Some may see open source software as a double-edged sword: transparency is welcome, but it also allows users with nefarious intent to look for vulnerabilities within the code. However, it gives security researchers who want to protect the software the same access. This is what this saga is about – researchers finding and addressing vulnerabilities within the code before bad actors exploit them first.
There are two vulnerabilities in question: CVE-2018-25081 and CVE-2023-27974. CVE-2018-25081 states that Bitwarden versions 2023.2.1 and after are susceptible to an auto-fill vulnerability when a user visits a URL’s subdomain. To get a better understanding of this, here is a simple infographic showing the difference between subdomains, hostnames, and top-level domains (TLDs):
So, if a user visits amazon.com and “Auto-fill on page load” is enabled, Bitwarden fills in the authentication fields for you, as expected. However, if you visit aws.amazon.com, the fields are still auto-filled. Why is this a problem? Well, some cloud services let customers host content on subdomains. So, an attacker can spoof Amazon or something similar, host it on a cloud subdomain, and if you click the phish, those credentials are auto-filled on the malicious subdomain. Bitwarden’s current mitigation is to keep the “Auto-fill on page load” feature disabled, which is already its default configuration.
The other CVE, CVE-2023-27974, leverages the same auto-fill feature but is exploited differently. For this vulnerability, an attacker can compromise a website and embed an authentication iframe that is auto-filled when a user visits the domain. There’s no point in reinventing the wheel; researchers from Flashpoint describe exactly how this occurs. We recommend reading their short and well-written post on this iframe vulnerability if you want to understand it further. More references are below to help understand these issues, but the message is the same – turn off the “Auto-fill on page load” feature.
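To make the two auto-fill cases above concrete, here is an added example (not Bitwarden’s code, and not from the referenced posts) that models the decision a browser-extension password manager makes before filling a form. It assumes a simplified two-label “base domain” rule in place of the Public Suffix List, and the hostnames in the scenarios are constructed.

```javascript
// Added example (not Bitwarden's code): a minimal model of the decision a
// browser-extension password manager makes before auto-filling a form. It
// contrasts the "base domain, any frame" behaviour described above with a
// stricter policy: exact host match against the frame's own document, and
// no filling inside frames whose origin differs from the top-level page.

// Registrable ("base") domain, simplified to the last two labels. Real managers
// consult the Public Suffix List; this shortcut is an assumption for the demo.
function baseDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

// credential: { uri }          the saved login's URI
// frame: { frameUrl, topUrl }  URL of the document holding the login form and
//                              URL of the top-level window (they differ when the
//                              form sits inside an iframe)
// policy: "base" (the vulnerable default) or "host" (hardened)
function shouldAutofill(credential, frame, policy) {
  const credHost = hostOf(credential.uri);
  const frameHost = hostOf(frame.frameUrl);
  const topHost = hostOf(frame.topUrl);

  if (policy === "base") {
    // Vulnerable behaviour: compare registrable domains of the top-level page
    // only, so aws.amazon.com matches amazon.com, and every frame on a matching
    // page, including a third-party iframe, receives the credentials.
    return baseDomain(topHost) === baseDomain(credHost)
      ? { fill: true, reason: "base-domain-match" }
      : { fill: false, reason: "uri-mismatch" };
  }

  // Hardened behaviour: the frame's own host must equal the top-level host
  // (no cross-origin iframes) and must equal the saved host exactly.
  if (frameHost !== topHost) return { fill: false, reason: "cross-origin-iframe" };
  if (frameHost !== credHost) return { fill: false, reason: "uri-mismatch" };
  return { fill: true, reason: "host-match" };
}

// Constructed scenarios modelled on the two cases in the article.
const savedLogin = { uri: "https://amazon.com/ap/signin" };
const scenarios = {
  legit: { frameUrl: "https://amazon.com/ap/signin", topUrl: "https://amazon.com/ap/signin" },
  // Lookalike login page hosted on a subdomain of the saved domain.
  subdomain: { frameUrl: "https://aws.amazon.com/signin", topUrl: "https://aws.amazon.com/signin" },
  // Page on the saved domain embedding a login iframe served from a third party.
  iframe: { frameUrl: "https://cdn-static.example/login", topUrl: "https://amazon.com/deals" },
};

// Runs every scenario under both policies; returns { name: { base, host } }.
function compareScenarios() {
  const out = {};
  for (const [name, frame] of Object.entries(scenarios)) {
    out[name] = {
      base: shouldAutofill(savedLogin, frame, "base"),
      host: shouldAutofill(savedLogin, frame, "host"),
    };
  }
  return out;
}
console.log(JSON.stringify(compareScenarios(), null, 2));
```

Under the "base" policy both the subdomain and the iframe scenarios are filled; under the "host" policy only the legitimate page is.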
3) White House Issues National Cybersecurity Strategy
Earlier this month, the White House released its National Cybersecurity Strategy. It’s a 39-page document with five overarching pillars:
- Defend Critical Infrastructure
- Disrupt and Dismantle Threat Actors
- Shape Market Forces to Drive Security and Resilience
- Invest in a Resilient Future
- Forge International Partnerships to Pursue Shared Goals
The first pillar is pretty straightforward. It focuses on enhancing and bolstering cybersecurity for the assets, systems, and networks of the 16 critical infrastructure sectors. The White House aims to achieve this by establishing requirements for securing these assets, improving public and private sector collaboration, integrating federal cybersecurity centers, updating incident response plans, and modernizing defenses. An example of how hackers can disrupt critical infrastructure occurred when an attacker tried to poison a Florida city’s water supply in 2021.
The second pillar is something we’ve seen grow in popularity in recent years. That is the idea of attempting to directly thwart threat actors by dismantling their infrastructure or simply arresting them with worldwide partners’ help. Just a few months ago, authorities from the US and Europe dismantled the HIVE ransomware group. The White House addresses this pillar by integrating federal disruption activities, increasing public and private sector collaboration, increasing the speed and scale of threat intelligence, preventing infrastructure abuse, and countering cybercrime. Clearly, the White House is adamant about disrupting threat actors and taking them on directly or “attacking back.”
Pillar three focuses on hardening defenses that organizations often overlook. For example, one objective of this pillar is to drive the secure development of IoT devices. The White House also wants data stewards to be held accountable and shift liability for insecure products to the owners. There are also three other objectives: use federal grants to improve security, leverage federal procurement to enhance accountability, and explore national cyber insurance further.
The fourth pillar is forward-looking in that the objectives all focus on improving the technological landscape to prepare for future developments. The first objective focuses on securing Internet access as a foundation. The White House also seeks to increase federal research for cybersecurity efforts, prepare for a “post-quantum future,” secure clean energy, develop digital identities, and create a strategy to increase the cybersecurity workforce.
Finally, the fifth pillar is all about collaboration, which cybersecurity depends on. The objectives are building a coalition to counter threats and reinforce global norms, strengthening international partner capacity, expanding the US’s ability to assist global partners, and securing global supply chains. It’s a robust strategy that addresses seemingly every facet of cybersecurity. We recommend giving the strategy a read if you want to know more.
4) SEC Charges BlackBaud Over Failure to Disclose Full Impact of Breach
Blackbaud is a cloud software provider serving mostly non-profits and charitable organizations, but it also services universities in North America and Europe. As such, it is subject to various regulations and frameworks, including PCI DSS, NIST CSF, ISO 27001, SOC 1 and SOC 2, GDPR, and probably a few others. If a security incident were to occur, it would be subject to all of the obligations those regulations impose. Unfortunately for Blackbaud, it suffered a security incident that affected many customers using its services.
It was a prolonged ransomware incident, lasting from February 7, 2020, through May 20, 2020, meaning their data was encrypted and, unfortunately, simultaneously exfiltrated. Apparently, during ransom negotiations, decision-makers at Blackbaud decided to pay the ransom in exchange for deletion of the data. Blackbaud representatives are adamant that there was no data disclosure because of their actions; that the vulnerability that allowed the attackers in had been fixed; and that they employed a cybersecurity team to monitor for further incidents. However, many customers who hosted data with Blackbaud were not okay with this and filed multiple class action lawsuits.
After the legal process played out in South Carolina – Blackbaud’s headquarters location – the story leads us here. Here is what allegedly happened: Blackbaud is required to notify customers within 72 hours of learning about an incident. Apparently, they learned about the incident in May 2020 but didn’t notify customers until July 2020. Also, they misled customers about what data the ransomware operators accessed. Initially, they stated this data was in question:
- Date of Birth
- Contact Information
- Email Address
- Spouse’s Name
- Other Demographic Information
- Donation Information
However, they later claimed the attackers accessed this data:
- Credit Card Information
- Social Security Numbers
- Bank Account Information
- Authentication Information
Blackbaud agreed to pay a $3 million settlement this month because of the above-mentioned events. We researched heavily to determine which group was responsible for this attack, and it doesn’t appear that information is available. However, based on the activity of ransomware groups at the time, we suspect it may be MAZE, Nefilim, Pysa, DoppelPaymer, AKO, Netwalker, Ragnar Locker, or REvil. However, we’re not here to speculate.
5) Telehealth Startup Cerebral Notifies 3.18 Million Users of Breach Exposing PHI
The United States is experiencing a mental health crisis like none other. Some researchers chalk this up to western culture’s individualism and materialism. The sharp increase in mental health disorders, which almost a quarter of Americans are experiencing at any given time, has subsequently led to a rise in mental health services – especially remote telehealth services such as Cerebral. Cerebral is a telehealth startup specializing in mental health, claiming to “democratize access to high-quality mental health care for all.” Not sure what “democratizing” access to health care is, but addressing the mental health crisis is always positive.
That is, until Cerebral exposed the protected health information (PHI) of 3.18 million customers. According to a Notice of HIPAA Privacy Breach from Cerebral, they used tracking technologies known as “pixels” that made data available to the data-hungry giants Google, Meta, TikTok, and other third parties. Since HIPAA requires health providers to adhere to strict data control and privacy policies, this broke compliance, and thus Cerebral had to notify the affected parties. The exposed information may have included:
- Phone Number
- Email Address
- Date of Birth
- IP Address
- Cerebral Client ID Number
- Other Demographic Information
- Mental Health Self-Assessment Details
- Subscription Plan Type
- Appointment Dates
- Booking Information
- Health Insurance Information
- Co-Pay Amounts
As a sidebar, many people misinterpret HIPAA and what it means. So, here’s a high-level summary from a cybersecurity viewpoint.
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. The act defines standards and guidelines for organizations that deal with and store what is known as protected health information (PHI). So, even if you’re not a healthcare provider, you fall under these standards if you handle or store PHI, period. Much of the data policies revolve around the privacy of PHI and how to protect the data from accidental exposure or disclosure from malicious actors. For example, a doctor can’t release or disclose patients’ health information without their consent, and if they do, it has to be scrubbed (anonymized).
It’s a compliance requirement similar to the Payment Card Industry Data Security Standard (PCI DSS), the National Institute of Standards and Technology Special Publication 800-53 (NIST SP 800-53), and the International Organization for Standardization 27001 (ISO 27001) standard. These compliance regulations and standards define how organizations should handle and store sensitive data using people, processes, and technology (PPT). Some of the HIPAA requirements are that organizations must execute mitigation procedures in case of a breach, report a breach within 60 days, and perform an impact analysis assessment. You can read more about HIPAA on the HHS website.
6) DISH Network Customers Left in the Dark After Ransomware Breach
It’s been almost a month, and DISH Network seems to be struggling after a ransomware cybersecurity incident hit its network last month. A United States Securities and Exchange Commission (SEC) Form 8-K filed by DISH provides a timeline of the occurrence and further details. On February 23, 2023, the American television provider announced on an earnings call that an internal incident had occurred, affecting internal networks and telephone services. Authorities also arrived to investigate the incident further.
The investigation resulted in the discovery of data exfiltration, including personal information. DISH also stated that DISH, Sling, and other wireless networks remain operational, but internal communication services, call centers, and all Internet sites are down. Complete service disruption followed by data exfiltration sounds like the modern playbook for ransomware groups. Sure enough, a few days later, news sources somewhat confirmed that Black Basta deployed ransomware on DISH’s network.
It’s been a few weeks since that occurred, and surprisingly, there has been little additional information about this incident. From the outside, it looks like DISH is struggling to recoup after this attack, and some news sources are still searching for more answers. This incident highlights the destruction ransomware can cause and why it’s at the top of mind for many security-minded decision-makers. We hope DISH can recover from this and resume normal operations as soon as possible.
If you’re wondering why DISH is capitalized throughout this story, it’s because it is an acronym for Digital Sky Highway. Who knew?
7) United States House of Representatives PHI Data Leaked on Public Forum; FBI Purchases Data?
On Monday, March 6, DC Health Link learned of a breach and data exfiltration of its systems from a user posting the information on BreachForums. The individual selling the data was IntelBroker, whom we’ve kept tabs on since late last year. IntelBroker is the creator and operator of Endurance ransomware and is a data broker and initial access broker for other threat actors. Subsequently, IntelBroker received a ban from the forum. Former CISA Director Christopher Krebs speculates that IntelBroker was banned because the forum didn’t want the impending heat from federal law enforcement. However, the ban was a “self-ban,” meaning the user requested the ban or banned themselves. Truth be told, we don’t exactly know what a self-ban entails, but IntelBroker will likely be back. Hopefully not, though. The original data leak post and proof of the ban are below.
If you look closely at the original leak post on the forum, it says there are 170k users affected. However, DC Health Link provided a statement saying there are 56,415 customers impacted. The actual number is probably somewhere in between. DC Health Link places the affected customers into two groups – Group 1 and Group 2. Group 1 is known-impacted individuals; the health insurance provider notified them directly. Group 2 had its data stored in the same manner as Group 1, but there’s no evidence of its compromise.
What adds a twist to this data breach is that DC Health Link happens to be the provider for members of the US House of Representatives (USHOR). In an even further twist, a letter from Speaker of the USHOR Kevin McCarthy and Minority Leader Hakeem Jeffries confirmed the data breach and that the FBI has purchased some of the PII data. The FBI buying the data is unorthodox and goes against the rule of thumb to not pay ransoms. So, the data must be legit. This comes after the US Marshals Service experienced a separate breach from a ransomware attack. A rough few weeks for federal government entities.
8) Three EvilCorp Members Wanted in Germany, Including Supposed Second-in-Command Leader
Evil Corp, also known as Dudear, SectorJ04, Gold Drake, Dridex Gang, Indrik Spider, Grief Corp, and several other names, is responsible for some of the most infamous malware and ransomware in existence. Some of the earliest activities of the group date back to 2014 with the Dridex Trojan, derived from the well-known ZeuS trojan, although some researchers state that Evil Corp’s actions began all the way back in 2007. ZeuS is also the origin of Emotet, another infamous botnet used to spread malware and ransomware. Researchers have observed Evil Corp using other malware such as TrickBot, Snatch, TinyMet, FlawedAmmyy, and MineDoor. Basically, they are a sophisticated and well-connected group capable of using various tools to meet their objectives. Below are two Dridex infection chains from Palo Alto Networks’ Unit 42.
Here is a list of some other malware and tools Evil Corp uses, taken from BlackBerry:
Unfortunately, since Evil Corp is financially motivated, many infections end with ransomware. Evil Corp is responsible for one of the most infamous ransomware families of all time – Locky. That’s not it, though. The group is known to use various malware, tools, and ransomware (as you’ve seen). Researchers attribute the following ransomware to Evil Corp:
That doesn’t mean they created these ransomware strains. It just means they use these encryptors as part of their efforts. For example, The Rainmaker created Philadelphia ransomware and sold it on forums for $400 in 2016. Evidently, Evil Corp members purchased this ransomware and used it as part of their infection chains.
So, who are the members of Evil Corp that we know of? Well, Maksim “Aqua” Yakubets, pictured below with his custom Lamborghini presumably acquired with ill-gotten gains, is the leader. Second-in-command is Igor “Turashev” Turashev, who recently evaded authorities. Denis “Gusev” Gusev is another senior member suspected of heading much of the financial efforts. Other members who are either part of the group or have assisted in their efforts include:
- Aleksei Bashlikov
- Andrey Plotnitskiy
- Artem Yakubets
- Azamat Safarov
- Carlos Alvares
- David Guberman
- Dmitriy Slobodskoy
- Dmitriy Smirnov
- Georgios Manidis
- Gulsara Burkhonova
- Igor Garshin
- Irina Zemlianikina
- Ivan Tuchkov
- Kirill Slobodskoy
- Ruslan Zamulko
- Tatiana Shevchuk
Earlier in March, European authorities performed an operation that saw some members responsible for the dissemination of BitPaymer and DoppelPaymer arrested. Three of the members, including second-in-command Turashev, have evaded the police. German authorities are asking the public for any information on these individuals. Those three are pictured below:
There is a ton of information on this group, but if I had to pick one resource to understand Evil Corp better, it would be Killing The Bear.