Overview:

• Phish Tale of the Week
• After the Takedown: LockBit Ransomware’s Resurgence
• Alarming Surge in BlackCat Ransomware Targets U.S. Healthcare
• How can Netizen help?

Phish Tale of the Week

Often times phishing/smishing campaigns, created by malicious actors, target users by utilizing social engineering. For example, in this text message, the actors are appearing as Coinbase and informing you that action needs to be taken regarding your account. The message first prompts you with a notification that your account has been accessed and gives you the choice if you want to lockdown your account assets, after which it sends you a link that you can click on in order to “secure your account.” It seems both urgent and genuine, so why shouldn’t we visit the link they sent us? Luckily, there’s plenty of reasons that point to this being a scam.

Here’s how we can tell not to click on this smishing link:

1. The first warning sign for this SMS is the fact that it includes a URL in the message. Typically, companies will send notifications like this through SMS, but they’ll end with a call to action within an already trusted environment, for example the statement “check your tracking details for more information.” Always be sure to think twice and check “urgent” statuses like this one through a trusted environment, and never click on links sent through an SMS from an unknown number.
2. The second warning signs in this text is the messaging. This message tries to create a sense of urgency and get you to take action by using language such as “Secure your account” and “Lockdown.” Phishing scams commonly attempt to create a sense of urgency in their messages in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the style and tone of all texts before following a link sent through SMS.
3. The final warning sign for this email is the style of the link. After a quick look at the address, one can quickly deduce that we’ve been sent a phishing link. Trusted companies like Coinbase typically will use a simple, standardized domain as their website. For example, Royal Mail’s official website is simply “coinbase.com.” Threat actors typically will utilize message-related words in the links they send you. After taking one quick look at the URL, “16178234-coinbase.com,” it’s very obvious that this text is an attempt at a smish.

General Recommendations:

A smishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via your text messages. 

1. Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match the one I already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
2. Verify that the sender is actually from the company sending the message.
3. Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email.
4. Do not give out personal or company information over the internet.
5. Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

Many smishing messages pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any SMS requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.

Cybersecurity Brief

In this month’s Cybersecurity Brief:

After the Takedown: LockBit Ransomware’s Resurgence

Following a substantial law enforcement takedown in mid-February, which saw the seizure of critical infrastructure and the arrest of associated individuals, the LockBit operators have boldly resurfaced. This resurgence is marked by the launch of a new leak site, a clear signal that the group is far from being dismantled.

On February 19, a coordinated effort by law enforcement agencies across North America, Europe, and Asia delivered a significant blow to LockBit. This operation not only resulted in the confiscation of 34 servers and the freezing of cryptocurrency assets but also led to the arrest of key suspects. Moreover, authorities claimed to have gained “unprecedented and comprehensive access” to the group’s operations, acquiring 1,000 decryption keys to aid victims in recovering their data without succumbing to ransom demands.

Recently, an individual associated with LockBit, known by the moniker “LockBitSupp,” announced the establishment of a new leak site. This platform not only lists hundreds of the group’s victims but also carries a detailed message from LockBitSupp, reflecting on the takedown and outlining future strategies. The creation of this new leak site underscores LockBit’s intent to not only recover from the setback but also to strengthen their operational security and decentralize their processes further.

Despite LockBit’s apparent resurgence, the group faces significant challenges. The law enforcement takedown has undoubtedly impacted its reputation, a crucial asset in the dark web’s competitive landscape. This is compounded by difficulties in attracting and retaining affiliates, as noted by cybersecurity firm Trend Micro. Additionally, LockBit’s credibility has taken a hit among the cybercriminal community, with reports of unpaid affiliates and bans from prominent hacking forums.

Amid these adversities, LockBit is reportedly developing a new iteration of its malware, tentatively named LockBit-NG-Dev. This version, still under development, aims to be platform-agnostic and more secure, potentially setting the stage for LockBit 4.0. This development indicates that the group is not only focused on recovery but is also actively seeking to innovate and adapt to the evolving cybersecurity landscape.

As the cybersecurity community continues to monitor the evolution of LockBit, the incident reinforces the need for ongoing vigilance, threat intelligence sharing, and collaboration across sectors to counteract the ever-present threat posed by ransomware operators. The resilience of groups like LockBit serves as a reminder of the persistent and evolving nature of cyber threats, necessitating a proactive and adaptive security posture for organizations worldwide.

To read more about this article, click here.

Alarming Surge in BlackCat Ransomware Targets U.S. Healthcare

The resurgence of BlackCat (a.k.a. ALPHV) ransomware attacks, particularly targeting the healthcare sector, has prompted a stern warning from the U.S. government. Since mid-December 2023, the healthcare industry has emerged as the primary victim among nearly 70 disclosed attacks, a trend seemingly spurred by a call from the ALPHV/BlackCat administrator urging affiliates to focus on hospital networks. This directive followed closely on the heels of a significant operational blow to the group’s infrastructure in early December.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) have jointly issued an updated advisory, highlighting the threat to the healthcare sector. Despite a major law enforcement operation targeting BlackCat’s dark web operations late last year, the group managed to swiftly recover. They not only regained control of their leak sites but also transitioned to a new TOR data leak portal, maintaining their presence and operational capabilities.

The recent wave of attacks has not been limited to healthcare; BlackCat has also targeted critical infrastructure organizations, including Prudential Financial, LoanDepot, Trans-Northern Pipelines, and Optum, a subsidiary of UnitedHealth Group. These bold moves have led the U.S. government to offer financial rewards of up to $15 million for information that could lead to the identification and apprehension of the group’s key members and affiliates.

The Optum breach, attributed to BlackCat, reportedly exploited critical vulnerabilities in ConnectWise’s ScreenConnect remote desktop and access software, according to SC Magazine. However, BlackCat has publicly denied utilizing ConnectWise flaws for this particular attack, challenging the accuracy of cybersecurity intelligence reports.

These incidents highlight the broader issue of threat actors leveraging software vulnerabilities for initial access. The exploitation of ScreenConnect flaws by other ransomware gangs, including Black Basta and Bl00dy, as well as by actors deploying Cobalt Strike Beacons and other malicious tools, signals a disturbing trend. Attack surface management firm Censys has identified over 3,400 potentially vulnerable ScreenConnect hosts exposed online, predominantly in the U.S. and other major countries, spotlighting the critical risks associated with remote access software.

Moreover, the evolving tactics of ransomware groups, such as RansomHouse’s use of the custom tool MrAgent for deploying ransomware across VMware ESXi hypervisors, reflect a shift towards more sophisticated and large-scale attacks. The sale of direct network access by cybercriminal groups and the recent release of the Linux-targeting ransomware threat, Kryptina, further complicate the cybersecurity landscape.

These developments serve as a stark reminder of the continuous innovation and persistence of ransomware operators. As these groups refine their strategies and exploit new vulnerabilities, the need for heightened vigilance and robust cybersecurity measures has never been more critical, especially for high-risk sectors like healthcare. The collaborative efforts of law enforcement and cybersecurity agencies, alongside proactive security practices by organizations, are essential in mitigating the impact of these relentless cyber threats.

To read more about this article, click here.

How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.