The Good, the Bad and the Ugly in Cybersecurity – Week 23

The Good | FBI Obtains 7000 LockBit Decryption Keys

Past victims of LockBit ransomware received a boon this week from the FBI who revealed they obtained over 7000 decryption keys which can be used to recover encrypted data. This was announced at the 2024 Boston Conference on Cyber Security, where both known and suspected victims of the notorious threat group were invited to come forward to restore their systems.

FBI Cyber Division Assistant Director Bryan Vorndran delivers a keynote address at the 2024 Boston Conference on Cyber Security (Source: FBI)

This new initiative follows in the February takedown of LockBit’s infrastructure via ‘Operation Cronos’ – a collaborative effort between several international law enforcement agencies. Since 2020, LockBit has cost $91 million in losses within the U.S. alone with targets spanning across several critical sectors and industries. In the February operation, authorities were able to seize multiple darknet domains operated by LockBit leading to the disruption of the primary infrastructure that hosted their Ransomware-as-a-Service model.

In March, Mikhail Vasiliev was sentenced for his significant administrative role within LockBit operations and pled guilty to eight charges including cyber extortion, cyber mischief, and weapons-related allegations. Later in April, police unmasked some 200 affiliates of LockBit when they matched a list of pseudonyms used by the ransomware gang to suspected cybercriminals.

Though the gang has experienced major setbacks this year, they have also been able to resume posting old and new stolen data on leak sites, though without the same level of pre-seizure momentum. The U.S. Department of State continues to offer a reward up to $10 million for information leading to the arrest or conviction of several LockBit leaders and affiliates at large.

The Bad | Russian-Linked RaaS Attacks Pathology Provider, Interrupting Critical Services Across Major NHS Hospitals

A ransomware attack on Synnovis, a pathology and diagnostic services provider, caused major disruptions to NHS hospitals across London, U.K. this week. The developing incident is impacting critical services such as blood transfusions as well as operations and procedures relying on pathology services. These services have since been canceled or redirected, though the NHS has stated that emergency care services remain available.

The National Cyber Security Centre (NCSC), which is investigating the attack, reports that the ransomware attack is likely the work of Russian-based cybercriminals known as Qilin. CEO of the NCSC, Ciaran Martin, says, “They’re simply looking for money” despite the British government’s policy against paying ransom demands. Martin describes the attack on Synnovis as “one of the more serious” seen in the U.K.

Qilin ransomware was first observed in July of 2022 and operates as a Ransomware-as-a-Service (RaaS). The group specializes in double extortion, demanding payment for a decryptor and the release of exfiltrated data. Qilin is known to target large enterprises and high-value targets (many in the Commonwealth of Independent States) and has listed over 130 companies on their dark web leak site over the past two years. Notably, Qilin attackers target their victims through phishing and spear phishing campaigns, and often leverage exposed applications and interfaces like remote desktop protocol (RDP). The RaaS outfit also recruits heavily in well known underground forums and dark markets.

The critical healthcare sector continues to be a lucrative target for cyberattackers. Factors such as weak security infrastructures, lack of cyber expertise, third-parties, and aging software systems all contribute to an increasingly high risk of compromise. Working with cybersecurity providers can help healthcare providers keep their patient data safe, manage their regulatory compliance controls, and ensure continuous care for those in need.

The Ugly | Identity-Based Attacks Target Unprotected Snowflake Cloud Storage Accounts

Recent data breaches at Ticketmaster and Santander Bank this week serve as a marked reminder of how important cyber hygiene is in today’s digital landscape. A threat actor known as ‘ShinyHunters’ has reportedly taken responsibility for these breaches, claiming that they stole the data by compromising an employee account at Snowflake, a cloud storage provider. Snowflake has disputed this, clarifying that the source of the breaches was due to poor credential hygiene on targeted accounts.

The initial report from researchers said that the threat actors bypassed authentication processes through a compromised Snowflake employee’s ServiceNow account before generating session tokens to exfiltrate data. These credentials were allegedly stolen in October 2023 when the employee was infected by an infostealer. Later, this report was taken down.

ShinyHunters claim to be selling a trove of stolen data from the recent breaches including: the personal and financial data of 560 million Ticketmaster customers, banking information of 30 million Santander clients and employees, and 3TB of sales history and transactional data from Advance Auto Parts.

Snowflake representatives have since stated that while the threat actor is targeting user accounts that have multi-factor authentication (MFA) disabled, there is no evidence of exploiting misconfigurations or vulnerabilities in the platform infrastructure. Snowflake has released a list of IoCs here and urges customers to enable MFA, limit traffic networks to only trusted locations, and reset all credentials. CISA recommends customers to stay alert for suspicious activity and to take steps to prevent unauthorized access.

Under the cloud shared responsibility model, end-users are also responsible for following certain standard security best practices such as MFA to reduce risk. Despite the murky details and disputes developing alongside these incidents, what’s clear is how crucial basic security hygiene is for modern enterprises using cloud technology.