This sub is described to be for discussions about issues which have captured your imagination; this story has been a fun ride and certainly did for me. There is this whole underground criminal ecosystem that just runs in the background, raking in hundreds of millions of dollars a year, and almost no one really knows it's happening. In this post, I offer articles available to everyone in the timeline they occurred over the last week. Additionally, I am only moderately educated in tech- so some of the jargon I use may not be the usual standard. Conclusions about the situation I outline here and its potential outcome I leave to you.
‘It's odd because now our work has shifted to not getting ahead of the vulnerability and understanding it and sharing the intel, it's watching the internet burn and trying to respond and remediate the best we can. We're watching the world burn.’
John Hammond
Principal Security Researcher at threat hunting firm Huntress
02/23.
02/19 Not a Bug, a Feature
On February 13th, a crowdsourced research team reached out to major IT company ConnectWise explaining a Proof of Concept (PoC) vulnerability within the company's flagship product ScreenConnect; the PoC outlines that these servers could be breached using a very simple flaw that allows hackers to create an Administrative account inside the server; by creating an administrative account, the hacker is then able to essentially do whatever they want with the machines connected to them. ScreenConnect servers host hundreds of thousands of endpoints (other PCs) across the world, the majority of these servers are used by local governments, emergency systems, and healthcare organizations.
This flaw is being tracked as CVE-2024-1709 (also called "the ScreenConnect Authentication Bypass") and described in a security bulletin by ArcticWolf as "embarrassingly easy" to execute. A video here posted on 02/20 shows how simple it is to accomplish- the ethical hacker finishes the exploit's steps in under 30 seconds and ends with "PLEASE PATCH". A detailed analysis of the bug by Huntress says
Once you have administrative access to a compromised instance, it is trivial to create and upload a malicious ScreenConnect extension to gain Remote Code Execution (RCE). This is not a vulnerability, but a feature of ScreenConnect, which allows an administrator to create extensions that execute .Net code as SYSTEM on the ScreenConnect server
CVE-2024-1709 has been listed to have a Common Vulnerability Scoring System (CVSS) score of 10. IT experts use the CVSS to identify the scope and impact.
It is very common to see vulnerabilities with a base score of 9.8, but much less common to see any with CVSS 10.0. The difference in CVSS score is primarily due to the scope metric.....A vulnerability with CVSS 9.8 has the most severe exploit-ability and impact metrics, but its impact does not extend beyond the vulnerable component. However, while a vulnerability with CVSS 10.0 also has the most severe exploit-ability and most often the highest impact metrics, its impact extends also beyond the vulnerable component.
ConnectWise posted a public notice on February 19th, recommending that clients update to a new patch (23.9.8) that corrected this issue. Prior to this update (which is now being offered for free as of 02/23) clients needed to pay a monthly maintenance fee to continue to receive updates. By the end of the day Monday, several thousands online-connected servers were identified to still be operating on patch 23.9.7 or earlier. Making these servers and all their endpoints vulnerable to intrusion.
02/20 Operation Cronos
The United States' Cybersecurity and Infrastructure Security Agency (CSIA), Federal Bureau of Investigations (FBI), The National Crime Agency (NCA), in a joint effort with 9 other countries; released information about the completion of a few year investigation code-named 'Cronos' into a online cyber-gang named "LockBit" that specializes in Ransom as a Service (RaaS) attacks. Operation Cronos reportedly resulted in international arrests, shuttered 35 servers in the UK and US, 2 official arrests, and seizure of millions in crypto currency assets.
Authorities digging through the Bitcoin addresses are beginning to think the organization may have generated more than $1 billion in ransom since it's inception 4 years ago because of the ~20% cut they usually take with their investors; meaning the seized cryptocurrency likely amounted to significantly more in actual income.
Ransomware as a Service
Over the years cyber-gangs like LockBit have acted as threat actors for nation-state governments such as Russia, Korea, China, and Iran. The service they provide works like this:
- A entity hires a Cyber gang like LockBit to attack vulnerabilities in systems when they become available. The hiring entity pay a small commission to the cyber-gang, and then they get to work.
- The hackers install malware with these vulnerabilities that encrypts the victim's entire drive aside from the base configuration files. Allowing the user to still have access to their computer; but losing their data. The user is then prompted with an ominous message explaining the situation, and that they have a certain amount of days to pay LockBit or their information will be lost permanently.
- If the victim pays the attackers in time; the money is split with the entity that hired them and the decryption key is provided to the victim. If the allotted time passes with no payment or action, the victim loses their chance to recover the data on their drive. Their organization still profits as they keep the initial contract fee and will now attempt to sell the victim's data online.
Depending on the victim, these costs can be rather "reasonable" compared to something you'd expect in a movie; that's because they want you to actually be able to pay. They usually target companies that would provide valuable data to sell if payment isn't sent; but individual users have been attacked as well. They also do not usually attack the same place twice- all in the pursuit of handling this business professionally so they do not damage their "reputation"; and again, it's just so they will get paid. They usually do; this is because these organizations operate out of countries such as Russia, where these crimes are not against-the-law when they are targeted at western countries.
Adjacent cyber-gangs that also offer similar services include names like Cl0p, Akira, Play, ALPHV/Blackcat, and Rhyside.
The US Department of the Treasury and the Office of Foreign Assets Control posted trade sanctions that afternoon against hackers Ivan Kondratiev and Artur Ravilevich; announcing that any US based assets in their name would be seized and must be reported to the OFAC, anyone caught conducting trade with these individuals would be subject to arrest and potentially have the same sanctions posted on them. Additionally they posted a listing containing what they said to be the names of every individual associated with the cyber-gang.
List of LockBit affiliates released by Operation Cronos 02/21
The Cronos strike team claimed they only released one name per individual, with the reason they've shared it is to prove to the LockBit gang that they know who they are, and they are coming for them.
In addition to the seizures and arrests; Japan's National Police Agency claimed they were able to create a free decryptor for the LockBit 3.0 malware or LockBit Black from the software found in the confiscated hardware, and is asking that any victims of this malware reach-out for assistance in unlocking their data.
Tokyo-based cybersecurity firm Trend Micro which assisted with the Project Cronos LockBit investigation also had this to add
The ransomware operation was working on the "next-generation" crypto-locking malware, dubbed LockBit-NG-Dev*, "which could be an upcoming version the group might consider as a true 4.0 version once complete,"*
The language suggests that although 3.0 was used to create a decryptor, this is not the case with the new LockBit-NG-Dev variant.
LockBit Ethics
LockBit in the past has explained they have strict rules as to what targets are allowed by their members; one of those being that Hospitals are strictly off the table-
In December 2022, a LockBit member attacked a the Toronto Children's hospital SickKids. LockBit shortly after provided the decryption key to the hospital and released an apology statement on Twitter.
We formally apologize for the attack on sikkids(.)ca and give back the decryptor for free, the partner who attacked this hospital violates our rules, is blocked and is no longer in our affiliate program.
However now, the crime organization has appeared to have backtracked on those rules. In late January 2024, two Chicago hospitals were attacked using the LockBit software. On January 31st, the hospital's data was posted to their catalog with the remaining time left for the hospitals to pay, the ransom price ($895,294 USD), and the first few sentences of the description of the hospital's data
Screenshot captured from LockBit stolen data listing - Jan, 31st, 2024
The listing appears to have captured a new perspective the LockBit organization has taken up in regards to the United States' Healthcare system.
Later that day- Yossi Rachman senior Director of Research at Semperis; a IT security and recovery platform told InformationWeek:
It is possible individuals involved with LockBit could attempt to reorganize under the same name or a different name. It is also possible they will seek retaliation after the disruption of operations.
02/21 A $15 Million Reward
The morning of February 21st, Unitedhealth Group; a mega-corporation that deals primarily in medical services. Submitted a 8-K Form to the Security Exchange Commission explaining an ongoing situation in relation to one of their child companies Change Healthcare:
(United Healthgroup) identified a suspected nation-state associated cyber security threat actor had gained access to some of the Change Healthcare information technology systems. Immediately upon detection of this outside threat, the Company proactively isolated the impacted systems from other connecting systems in the interest of protecting our partners and patients, to contain, assess and remediate the incident.
Change Healthcare hosts services that handle mission critical data such as medical delivery logistics, financial data/transactions, insurance claims, and storage of electronic medical health records which amount to 85 million patients in the US (25% of the population) among dozens of other services. These services handled 15 billion medical related transactions last year alone. Change Healthcare is also the sole provider for prescription medications to the United States' military worldwide, and handles data services for these bases as well.
Tricare news, an official military medical news source posted an announcement from "Military Health System Communications" not long after the SEC submission.
On Feb. 21, Change Healthcare disconnected their systems to protect patient information. This is impacting all military pharmacies worldwide and some retail pharmacies nationally.
A post from Navel Hospital Camp Pendleton corroborated this statement with a bulletin to their official website
A reported cyberattack on the nation’s largest commercial prescription processor, Change Healthcare, has affected military clinics and hospitals worldwide.
After Unitedhealth Group submitted the SEC form- The United States' Department of State posted a reward for information up to $15 million USD for any tip that leads to the arrest of a LockBit associated affiliate.
Reward for Information posted by Department of State 02/21
The Bugs Out the Bag
IT security newsletter TechCrunch talked to ConnectWise spoke person Amanda Lee that afternoon. Amanda declined to say how many of their customers had been attacked by this point; but said that ConnectWise has seen "limited reports" of suspected intrusions. She added
We have received updates of compromised accounts that our incident response team have been able to investigate and confirm (were attacked).” but also said that "there has been no data exfiltration reported to us.
In contrast- Cybersecurity Company Huntress' CEO Kyle Hanslovan told TechCrunch
I can’t sugarcoat it — this shit is bad. We’re talking upwards of ten thousand servers that each control hundreds of thousands of endpoints
Noting that as of that time Huntress' telemetry could identify 8,800+ ConnectWise servers that still remain vulnerable to the CVE-2024-1709 exploit (This number was corroborated by the Censys platform; another Cybersecurity agency), and added
Due to the sheer prevalence of this software and the access afforded by this vulnerability signals we are on the cusp of a ransomware free-for-all.
When ConnectWise posted the advisory on Monday 02/19 regarding the ScreenConnect Authentication Bypass; the information as to the extent of the defect was vague and did not provide details on how serious of an exploit this is. Their excuse for not releasing the specifics was:
There should not be public details about the vulnerability until there had been adequate time for the industry to patch. It would be too dangerous for this information to be readily available to threat actors.
Unfortunately, by end of day 02/21; information on how to utilize the exploit was already being regularly shared and discussed.
02/22 The Calm Before the Storm
Around 1pm CST; a nonprofit security organization called Shadowserver, which declares itself to be "altruistically working behind the scenes to make the internet more secure for everyone" posted an update to Twitter about an analysis from the previous day:
We've improved the scanning/detection for vulnerable instances of ConnectWise ScreenConnect (CVE-2024-1709/CVE-2024-1708) - we now see over 8200 vulnerable instances (on 2024-02-21).
Shadowserver Map displaying vulnerable servers
As Shadowserver is a third-party investigator, these 8,200 instances are publicly-visible servers and are open to attack; any seasoned hacker would be able to easily find and exploit these machines. Shadowserver also added that 643 IP addresses had already been attacked at the time of their review which was handled the previous day.
Government Info Security, a cyber security newsletter posted that the official LockBit leak site (a site the crime organization used to make threats, list their victim's information, and release public statements) was then seized by the Operation Cronos team.
The LockBit victim data listing site on 02/22
Shortly after the seizure, authorities posted to the leak website that they had identified, but only referred for removal of more than 14,000 email accounts. Accounts hosted by peer-to-peer email encryption providers like Mega, Tutanota, and Protonmail.
Apply the patch, or throw it away
In an Alert posted by CISA addressed to ConnectWise clients, they write
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable before February 29th
John Hammond; principal security researcher at threat hunting firm Huntress told CRN
“This demonstrates the severity and the impact that we do really need to take this one seriously,” Hammond said. “They've updated it now to include that they are seeing it used to deploy ransomware. It’s very, very stern,” he added. “They’re saying, ‘Take care of this right now or pack it up and put it away.’ They’re trying to talk to the whole world or any business that uses this on-premise instance. It’s a slap in the face, the wake-up call, that says take action now or seriously just pull it off the shelf.”
Patrick Beggs, ConnectWise CISO, told CRN Friday in an apparent attempt to mitigate perception of the situation
We uplifted the [cloud] version. Sometimes the version updates just weren't showing, it’s literally that simple. There were a few glitches and we had to kind of re-push and then it happened.
But because every on-site server hasn’t been updated, exploits have now been reported.
Hammond, however, believes the exploitation to be a large cyberattack.
We were not going to release our proof of concept because that's just enabling threat actors,” Hammond said. “Then a proof of concept got out. It's odd because now our work has shifted to not getting ahead of the vulnerability and understanding it and sharing the intel, it's watching the internet burn and trying to respond and remediate the best we can. We're watching the world burn.
SlashAndGrab
By mid-day Wednesday, the tech community began to identify a series of reported attacks using the ScreenConnect Authentication Bypass exploit in conjunction with another ScreenConnect defect tracked as CVE-2024-1708. This technique was labeled the "SlashAndGrab".
A technical Analyst Max Rogers working with a team including Analysts from Huntress Labs identified that critical systems such as Vet Offices, Health Clinics, and Local governments were being actively attacked using the LockBit malware and other techniques
Technical Analyst Max Rogers' post to X
In a post on BleepingComputer a tech related news source, described a report from Sophos, a Security management and operations company:
On February 22, 2024, Sophos X-Ops reported through our social media handle that despite the recent law enforcement activity against the LockBit threat actor group we had observed several attacks over the preceding 24 hours that appeared to be carried out with LockBit ransomware, built using a leaked malware builder tool
According to another BleepingComputer report; an ex-LockBit developer released the LockBit 3.0 software to GitHub available to the public in 2022. Sophos suggest that the attacks they are seeing are variants of this version.
It appears that our signature-based detection correctly identified the payloads as ransomware generated by the leaked LockBit builder, but the ransom notes dropped by those payloads identified one as “buhtiRansom,” and the other did not have a name in its ransom note.
As the night faded into the next day- the amount of attacks increased.
02/23 The Free for All
In Sophos X-Ops director Christopher Budd told Madrastribune a tech newsletter based out of the UK
We’ve seen multiple attacks involving ScreenConnect in the past 48 hours. The most noteworthy has been a malware that was built using the LockBit 3 ransomware builder tool leaked in 2022: this may not have originated with the actual LockBit developers. But we’re also seeing RATs [remote access Trojans], infostealers, password stealers and other ransomware. All of this shows that many different attackers are targeting ScreenConnect
The majority of these hackers were able to successfully install administrative accounts on the servers being attacked.
On an upbeat note; Sophos states in an official report on the situation:
most of the post-compromise activities we have documented in this article aren’t novel, original, or outstanding. Most threat actors simply don’t know what to do beyond the same usual, procedural tradecraft; cybercriminals are rarely sophisticated, and the infosec community can beat them together.
(That link I have attached above to the Sophos official report about SlashAndGrab is actually a really interesting read; they go on to explain the different types of attacks they witnessed during the free for all and explain how they worked. I recommend it.)
In a report by BleepingComputer; at this point 119 Change Healthcare and Optum services were experiencing outages due to attacks utilizing the SlashAndGrab vulnerability; as I described before, each of these services are mission critical to the medical infrastructure, and especially so to the US Military.
Columbia University shuttered their website due to ties to with Unitedhealth and Optum healthcare
In a email to their employees Columbia University states
Additionally, to minimize the risk this external cyber security event presents to our computing environment, we have taken the extraordinary precaution of blocking email from the following domains: Optum, Changehealthcare, Caremount, Unitedhealthgroup, Uhc, and Uhg
As the day went on- cyberattack related reports began to pour i
- State of Emergency - Oakley, California
- City Computer Infrastructure - Pleasant Hill, California
- Royal Canadian Police Force
- I linked almost a dozen other articles here originally, but they broke the character count.
(News from the rest of the day became sleepy... And so did I)
02/24 LockBit Comes Back Online
Despite having it's servers and millions of dollars in assets seized. LockBit reestablished its Dark Web Data Leak site.
LockBitSupp, the gang's apparent leader- posted a update to their page, along with brand new stolen data that could very well have occurred during the ScreenWise error. They go on to say that authorities didn't actually make a decryption tool for LockBit Black as Operation Cronos claimed, but instead captured 1,000 decryption keys that the team may use to help those specific victims (if they can find them).
The lengthy missive says that was only 1k of 20k existing decryption keys; and that additionally, no servers were actually seized as a result of Operation Cronos. But instead the information that the strike team obtained was from using a PHP zero day default, and utilized that vulnerability to appear as though the operation was a success.
Why did it take 4 days to recover? Because I had to edit the source code for the latest version of PHP, as there was incompatibility
He goes on to say that the only reason the website was seized was in an attempt to block LockBit from selling data that was stolen from Fulton County, Ga earlier this month. Fani Willis, District Attorny for Fulton County is currently pursuing a case against former president Donald Trump. It begs the question- who hired the attack on Fulton County in the first place?
The data from the Fulton County heist has been posted to the LockBit data leak site as of this afternoon and is available for sale.
While LockBit's site was under-lock- the Operation Cronos team had this posted about LockBitSupp
We know who he is. We know where he lives. We know how much he is worth. LockbitSupp has engaged with law enforcement
In the message posted Saturday night; LockBitSupp calls bullshit
All FBI actions are aimed at destroying the reputation of my affiliate program, my demoralization, they want me to leave and quit my job, they want to scare me because they can not find and eliminate me, I can not be stopped, you can not even hope, as long as I am alive I will continue to do pentest with postpaid
He even contests in his message, that the lists of names submitted from Operation Cronos are irrelevant as every name they shared is only an alias.
In the end- what is described by Leader LockBitSupp as apparent lies from the Operation Cronos team now leaves questions as to what was/wasn't actually achieved by its "success"; the LockBit organization is now back to life after being quiet for only 4 days; all while a critical error still exists in the majority of the United States' data infrastructure...
This situation is continuing to unfold, and as of this message, over 3000 ConnectWise servers still remain unpatched.
The original post I made was immediately deleted by the reddit auto mod; I believe because of the nearly 100 links I had in the post. I can't parse through them all. So I've attached a google drive link to a PDF of my crazy board of the situation. Most of the information provided here can be seen in that board, I don't have all the original links from this post, but it's most of the important ones. If you can't find it there, look it up- I hate having to say that, but I cant put in more effort to this post; I also did not make the thing "pretty" because I didn't expect I would have to provide it... sorry y'all.
Here is the link to my crazy-board PDF I've uploaded to my google drive.
