The Breach Report: February 28, 2024

FBI warns U.S. Healthcare industry about ALPHV ransomware

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

FBI Warns U.S. Healthcare of Escalating Ransomware Attacks

The FBI warns the U.S. healthcare industry of escalating cyberattacks from the ALPHV Blackcat ransomware group.

The Federal Bureau of Investigation (FBI) warns the U.S. healthcare industry of escalating ransomware attacks in a new joint advisory with the Cybersecurity & Infrastructure Security Agency (CISA) and Department of Health and Human Services (HHS). The advisory provides new, known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) of the ALPHV Blackcat Ransomware-as-a-Service (RaaS) group.

ALPHV responsible for UnitedHealth cyberattacks

The warning comes as the U.S. healthcare industry remains disrupted for over a week after cyberattacks and a breach into UnitedHealth and its subsidiaries’ electronic data interchange (EDI) clearinghouse. The attacks have forced many individuals needing prescription refills to pay out of pocket, seek a different pharmacy, or be left without their prescriptions as pharmacies remain unable to process insurance claims.

Since the initial disruption of the UnitedHealth systems, the cyberattacks have been attributed to ALPHV. Initially, the attacks were thought to be the work of a nation-state actor. Google Mandiant cybersecurity specialists have since been hired to investigate the breach.

According to the advisory, the updated IOCs and TTPs contain threat intelligence as recent as this month. The IOCs are available in XML and JSON formats for customers to use to help detect the ALPHV ransomware strains on their networks.
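As an added illustration of how a security team might consume such an indicator feed (this code is not part of the advisory or of this newsletter): the script below assumes the JSON download follows the STIX 2.1 bundle format that CISA advisories normally use, pulls the simple single-comparison indicator patterns out of it, and matches those values against a few constructed log lines. Every indicator value here is a constructed placeholder, not a real ALPHV IOC.

```python
import json
import re

# Constructed STIX 2.1-style bundle. Values are placeholders, NOT real ALPHV IOCs.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--constructed-example",
    "objects": [
        {"type": "indicator", "id": "indicator--1", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.7']"},
        {"type": "indicator", "id": "indicator--2", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'example-c2.invalid']"},
        {"type": "indicator", "id": "indicator--3", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
        {"type": "malware", "id": "malware--1", "name": "placeholder"},  # non-indicator, ignored
    ],
})

# Constructed proxy/DNS log lines; line 3 carries a near-miss IP (203.0.113.70).
SAMPLE_LOGS = [
    "2024-02-27T10:12:01Z proxy src=10.0.0.5 dst=203.0.113.7 host=updates.example.net",
    "2024-02-27T10:13:44Z dns query=example-c2.invalid client=10.0.0.9",
    "2024-02-27T10:14:02Z proxy src=10.0.0.5 dst=203.0.113.70 host=cdn.example.net",
    "2024-02-27T10:15:30Z dns query=mail.example.net client=10.0.0.9",
]

# Matches only the simplest STIX pattern shape: [object-type:property = 'value']
PATTERN_RE = re.compile(r"^\[([\w-]+):([\w.'-]+)\s*=\s*'([^']+)'\]$")


def extract_iocs(bundle_json):
    """Return a set of (object_type, value) from single-comparison indicator patterns."""
    iocs = set()
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        m = PATTERN_RE.match(obj["pattern"])
        if m:  # compound patterns (AND/OR, FOLLOWEDBY) are skipped by this simple parser
            iocs.add((m.group(1), m.group(3).lower()))
    return iocs


def scan_logs(log_lines, iocs):
    """Return (line_no, ioc_type, value) for every log line containing an IOC as a whole token."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        lower = line.lower()
        for ioc_type, value in iocs:
            # Token boundaries stop 203.0.113.7 from matching inside 203.0.113.70
            if re.search(r"(?<![\w.])" + re.escape(value) + r"(?!\w|\.\w)", lower):
                hits.append((n, ioc_type, value))
    return hits
```

A production pipeline would use a STIX library for the full pattern grammar and feed hits into the SIEM; this shows only the core extract-and-match loop.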

ALPHV gains access to target networks with legitimate remote access tools such as Ngrok. Once inside the target network, ALPHV employs cybersecurity tools such as Cobalt Strike and Brute Ratel C4 as beacons to command and control servers. They then use Evilginx2 to capture multifactor authentication (MFA) credentials, login credentials, and session cookies, which are used to hijack authenticated sessions.

Typically, ALPHV evades detection by using whitelisted applications such as Metasploit. Logs are then purged from the domain controller. Cloud-hosted storage providers such as Mega.nz or Dropbox are used to exfiltrate valuable target data. Finally, ransomware is deployed on the target network, and a ransomware note is left with instructions to pay to recover access and decrypt the files.

See the joint agency advisory for the complete documentation, including the IOCs and the TTPs mapped to the MITRE ATT&CK framework.

ALPHV remains resilient, with U.S. Government offering millions for arrests

Since December 2023, ALPHV has claimed over 70 victims and leaked their data to the public. The U.S. healthcare industry remains their top target, likely due to the complexity, sensitivity, and ease of breaching these networks.

The FBI had attempted to disrupt and dismantle the entire ALPHV Blackcat ransomware gang back in December 2023. But similar to the LockBit ‘Operation Cronos’ effort, ALPHV has proved resilient.

The U.S. Department of State is now offering up to $15 million for information leading to identifying or locating key leadership members of the ALPHV Blackcat ransomware gang. Additionally, up to $5 million is available for information leading to the arrest or conviction in any country of any individual conspiring to participate in or attempting to participate in ALPHV/Blackcat ransomware activities.

Cybersecurity Headlines

New from our favorite blogs and journalists:

Cybersecurity Podcasts

New podcasts from some of our favorite cybersecurity/infosec personalities:

  • The Cyber Queens - LIVE E49 - Optimizing Your Layoff: Networking, Upskilling, and Mindset (Twitter/X)

  • The Darknet Diaries: Ep 17: Finn - A 14-year-old kid who finds himself bored in class decides to hack someone's Twitter account and ends up with more than he bargained for. (Darknetdiaries.com)

  • The Phillip Wylie Show: Cathy Ullman - The Power of Active Defense. Cathy Ullman is known in the cybersecurity community as Investigator Chick. (YouTube)

  • Hacker Valley Media - The Future of Endpoint Threats and Why Zero Trust is the Only Option (Twitter/X)

  • Google Cloud Security Podcast - EP161 Cloud Compliance: A Lawyer - Turned Technologist! - Perspective on Navigating the Cloud (Google Cloud)

  • Defense Mavericks - Instilling AI Readiness Across Your Teams with Capt. Jonathan Haase (Apple Podcasts)

Until next time…

Rob Waters
Founder, The Breach Report + Cybersecurity Careers Blog
