US offers $10 million bounty for info on 'Blackcat' hackers who hit UnitedHealth
The U.S. State Department on Wednesday offered up to $10 million for information on the "Blackcat" ransomware gang who hit the UnitedHealth Group's tech unit and snarled insurance payments across America.
BitDefender identified a macOS backdoor written in Rust that has a possible link to the ALPHV/BlackCat ransomware group. "Specifically, three out of the four command and control servers have been previously associated with ransomware campaigns targeting Windows clients. ALPHV/BlackCat is a ransomware family (also written in Rust), that first made its appearance in November 2021, and that has pioneered the public leaks business model." IOCs are provided.
🔗 https://www.bitdefender.com/blog/labs/new-macos-backdoor-written-in-rust-shows-possible-link-with-windows-ransomware-group/
Has DOJ given up on trying to display its seizure banner on the original AlphV onion site, or are they just taking a break from the back-and-forth? As of my checks this morning, AlphV's "unseized" splash page is what visitors to the old site see.
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #50/2023 is out! It includes the following and much more:
➝ 🔓 🇺🇸 U.S. nuclear research lab #databreach impacts 45,000 people
➝ 🇩🇪 #Toyota Germany Says Customer Data Stolen in #Ransomware Attack
➝ 🔓 🏧 #Bitcoin ATM company Coin Cloud got hacked. Even its new owners don’t know how
➝ 🔓 🇺🇸 Norton #Healthcare discloses data breach after May ransomware attack
➝ 🇷🇺 Russian SVR-Linked #APT29 Targets #JetBrains TeamCity Servers in Ongoing Attacks
➝ 👥 #LockBit ransomware now poaching #BlackCat, NoEscape affiliates
➝ 🇻🇳 💻 #Microsoft seizes domains used to sell fraudulent #Outlook accounts
➝ 🇫🇷 💸 French police arrests Russian suspect linked to #Hive ransomware
➝ 🇨🇳 Chinese APT Volt Typhoon Linked to Unkillable SOHO Router #Botnet
➝ 🇺🇦 🇷🇺 Ukrainian military says it hacked #Russia's federal tax agency
➝ 🇨🇳 🚪 Researchers Unmask Sandman APT's Hidden Link to China-Based #KEYPLUG Backdoor
➝ 🇺🇦 📡 #Ukraine’s largest mobile communications provider down after apparent #cyberattack
➝ 🇪🇸 Kelvin Security hacking group leader arrested in #Spain
➝ 🔻 👮🏻♂️ #ALPHV ransomware site outage rumored to be caused by law enforcement
➝ 📹 🕵🏻♂️ #UniFi devices broadcasted private video to other users’ accounts
➝ 🇷🇺 🇪🇺 Russian Diplomat Expelled Amid EU Spy Purge Is Now An OSCE Election Observer In Serbia
➝ 🇺🇸 Harry Coker confirmed to be the next National Cyber Director
➝ 🇪🇸 🇺🇸 Spain expels two US spies for infiltrating secret service
➝ 📝 #MITRE Unveils EMB3D Threat Model for Embedded Devices Used in Critical Infrastructure
➝ 🩹 #ICS Patch Tuesday: Electromagnetic Fault Injection, Critical Redis Vulnerability
➝ 🦠 🇵🇸 New Pierogi++ #Malware by #Gaza Cyber Gang Targeting Palestinian Entities
➝ 🦠 🇮🇷 Iranian State-Sponsored #OilRig Group Deploys 3 New Malware Downloaders
➝ 🦠 🇩🇪 New MrAnon Stealer Malware Targeting German Users via Booking-Themed #Scam
➝ 🍪 #Google's New Tracking Protection in Chrome Blocks Third-Party #Cookies
➝ 🐛 👨🏻💻 #Zoom Unveils Open Source Vulnerability Impact Scoring System
➝ 🩹 🧱 #Sophos backports RCE fix after attacks on unsupported #firewalls
➝ 🔓 🧱 Over 1,450 #pfSense servers exposed to RCE attacks via bug chain
➝ 🩹 🍏 #Apple Ships iOS 17.2 With Urgent Security #Patches
➝ 🐛 Over 30% of #Log4J apps use a vulnerable version of the library
📚 This week's recommended reading is: "Black Hat Python, 2nd Edition: Python Programming for Hackers and Pentesters (2nd Edition)" by Justin Seitz and Tim Arnold
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️
Checking AlphV's site today, they appear to be back online, but other than the API, there is no content. Their qTox status has been changed to "Everything is working."
DataBreaches contacted the admin on qTox to ask whether the site was really working and about the previous content -- whether it would be restored or was all gone. Admin ALPHV answered:
фдд цщкл
all work
files remove
all
I followed up: "So all of the old posts and data are gone? You are starting over? "
Admin ALPHV replied:
"All new only"
So it looks like they probably did lose everything they had, which may well result in affiliates who didn't get paid jumping ship and going to other groups.
And so far, there is still no statement from DOJ (I've just sent another request).
It seems highly likely that this was law enforcement-related, but belief is not proof.
In other ransomware drama, some folks on a Russian forum have accused NoEscape of pulling an exit scam and cheating them of money. One noted they had also removed their forum deposit. NoEscape's status on the forum has been changed by the moderator.
For anyone who hasn't heard the news yet: RedSense announced on Twitter that they can confirm that the AlphV site going offline yesterday was a law enforcement takedown.
Updating: The AlphV tox account has changed its message from "REPAIR" to "Everything will work soon."
So was RedSense wrong, or did LE just temporarily disrupt AlphV and they are recovering, or is LE now in control of the AlphV tox account? Or none of the above?
Still no announcement from DOJ that might confirm or clarify the situation.
So AlphV (aka BlackCat) is trying something different again. This time, it seems they are claiming a victim before they have even attempted to contact the victim or extort them. They post no proof of claims. They state that they are taking this approach because the victim's cyberinsurance policy does not cover extortion, and their research into the victim (Tipalti) and one of the victim's clients (Roblox) suggests that their usual approach will not work. They intend to try to extort those firms and Twitch, all individually.
They even cite an academic reference on the potential benefit of paying ransom.
This listing is not the nasty approach that we've seen in some other listings on that leak site. But we'll see what happens if or when the victims don't respond.
I've sent an inquiry to Tipalti who is probably already swamped and running around trying to figure out what happened. AlphV claims to have been in multiple systems of theirs since September 8. Whether that's true or not remains to be seen.
The NCC Group has created a series that I look forward to finishing, titled "Unveiling the Dark Side: A Deep Dive into Active Ransomware Families". The first installment covers the #BlackCat #ransomware (a.k.a. #ALPHV) and an incident they observed it was involved in, which included new services and new accounts being created, and data being staged and believed to be exfiltrated. If you like technical reports like I do, this is one you don't want to miss! Enjoy and Happy Hunting!
One of Michigan's largest hospital networks was hit with ransomware. The attack was claimed by AlphV, which is threatening to leak data and alleged videos.
The Detroit Free Press reported that McLaren had to shut down computer networks at 14 different facilities.
"One of Michigan's largest healthcare companies was attacked by our group. More than 6 Terabytes of data were stolen from the company's servers, not least due to negligence in network security and data storage. We give a good chance to negotiate and come to a reasonable solution and maintain the reputation and money and calm of your patients, who entrusted you with their health and safety.
If our proposal is ignored, we will publish all stolen data in a few days. The medical and personal data of SEVERAL MILLION US citizens are at stake. As well as various video materials regarding the work of this company.
It will be one of the biggest leaks of all time."