Feds post $15 million bounty for info on ALPHV/Blackcat ransomware crew
ALSO: EncroChat crims still getting busted; ransomware takes down CO public defender's office; and crit vulns
infosec in brief The US government is offering bounties of up to $15 million as a reward for anyone willing to help it take out the ALPHV/Blackcat ransomware gang.
The Department of State announced last week that it was offering $10 million for information identifying key leaders in the ALPHV ransomware gang or their locations, and $5 million for information leading to the arrest or conviction of anyone "participating in or conspiring or attempting" to use the gang's notorious ransomware (ie, ALPHV affiliates).
ALPHV has made a habit of going after critical infrastructure targets, and last week claimed responsibility for an attack on the operator of Canada's Trans-Northern Pipelines, allegedly stealing around 190GB of data. Trans-Northern is the fourth critical infrastructure operator ALPHV has claimed to have hit in recent months.
ALPHV is assumed to be Russia-backed and was temporarily disrupted by the US Department of Justice and FBI in late 2023, in cooperation with an international cadre of law enforcement agencies. The operation saw the FBI seize the website where ALPHV posted notices of new victims and release a decryption tool for the group's ransomware, but it appears to have had little lasting effect.
Experts even speculated that the US government's takedown of ALPHV would end the existence of the group’s current incarnation, but the State Department's bounty notice implies the feds still see it as an active threat – not to mention the fact that the ALPHV website popped right back up days after the FBI took it down.
After its operations resumed, ALPHV reportedly lifted its internal rules on who affiliates were allowed to target – meaning it's open season on critical infrastructure around the world. Consider yourself warned.
Critical vulnerabilities of the week: Siemens flaws everywhere
This month's patch Tuesday delivered plenty of patches to keep infosec pros busy. But those using Siemens hardware have even more to do, as the company last week revealed several critical flaws. Time to get patching this lot.
- CVSS 9.8 – Multiple CVEs: Siemens Scalance W1750D devices contain a series of vulnerabilities that could allow an attacker to inject commands, deny service, and trigger RCE.
- CVSS 9.8 – Multiple CVEs: Several versions of software on Siemens Scalance XCM-/XRM-300 switches contain numerous vulnerabilities that could be exploited to affect confidentiality, integrity and availability of devices.
- CVSS 9.8 – Multiple CVEs: All versions of Siemens SINEC NMS software prior to v2.0 SP1 contain a series of vulnerabilities that could let an attacker bypass authentication and execute arbitrary code.
- CVSS 9.3 – CVE-2024-23816: Several versions of Siemens Location Intelligence software contain hard-coded credentials.
- CVSS 9.1 – Multiple CVEs: All versions of Siemens SIDIS Prime prior to 4.0.400 can be exploited to give an attacker access to the entire network where SIDIS Prime is installed.
- CVSS 9.1 – Multiple CVEs: Devices in the Siemens Scalance SC-600 family contain a chain of vulnerabilities that could be exploited to let an attacker spawn a root shell on vulnerable systems.
- CVSS 8.7 – CVE-2023-51440: Several models of Siemens SIMATIC and SIPLUS NET controllers improperly verify the source of a communication channel, allowing an attacker to spoof TCP reset packets and cause a DoS.
- CVSS 8.5 – CVE-2024-22042: All versions of Siemens Unicam FX software incorrectly use privileged APIs, which could allow an attacker to gain system-level privileges.
- CVSS 8.5 – Multiple CVEs: All versions of Siemens Polarion ALM software contain incorrect default permissions and improperly authenticate users, allowing an attacker to gain access and elevate their privileges.
EncroChat still paying dividends for UK law enforcement
It's been nearly four years since French and Dutch police infiltrated and killed the encrypted EncroChat service used widely by criminals around Europe and the UK, and it's still leading to convictions.
Case in point: The sentencing of former Scandinavian footballer and Liverpool resident Wayne McKenzie to 30 years in prison this week for his role in a crime ring that imported drugs and guns into the UK. McKenzie's backup career was discovered when data seized from EncroChat was provided to the National Crime Agency after the service was shut down in 2020.
Disruption of EncroChat, which sold encrypted phones and service for $1,500 a month, resulted in nearly 750 arrests in the UK immediately following the police action. By mid-2023, some 6,558 people had been arrested worldwide, and nearly €740 million in criminal funds had been seized.
Let this latest sentence be a warning to those who hoped illicit activity on EncroChat went unnoticed. It probably didn't – just give the cops time.
Ransomware knocks Colorado public defender's office offline
As if public defenders weren't overworked enough already, a ransomware attack has now taken the entire Colorado State Public Defender's office network offline.
The attack kicked off last Friday, leading the PDO to take its systems offline proactively to contain the damage, the office revealed on Sunday.
"As a preventative measure, we temporarily disabled our computer network and are working to safely and securely bring systems back online," the PDO said in a statement.
By Monday, systems were still offline, leaving PDO attorneys without access to online court systems or email, and unable to do much work for clients.
The PDO admitted that the attack involved ransomware, but didn't say who may be behind the attack, whether they were able to exfiltrate any data, or what demands may have been made for restoration.
"We are in the early stages of the response to, and review of, this matter … and we cannot speculate on how this matter affects information stored on the computer network," the PDO revealed in an FAQ published for the incident.
The PDO didn't respond to questions about the breach or offer an update on the status of its systems or a possible timeline for restoration of service.
Unnamed state govt breached by unnamed crooks
Criminals breached an unnamed US state government's network using compromised administrator credentials belonging to a former employee, then used that access to steal host and user information, which they posted on a dark-web brokerage site.
This, according to the US Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), which were brought in to help with incident response.
The agencies determined that the criminals used admin credentials that were likely stolen in an earlier data breach to authenticate to an internal VPN access point and snoop around.
This ex-employee's credentials gave the miscreants access to a virtualized SharePoint server where they nabbed another set of credentials with administrative privileges to both the on-premises network and the Azure Active Directory.
The second set of stolen credentials is significant, because it gave the intruders access to both the on-premises AD and Azure AD – but we're told the snoops didn’t have any luck moving laterally from the on-premises environment into the victim's cloud environment, where the sensitive data and systems lived.
Additionally, the criminals conducted Lightweight Directory Access Protocol (LDAP) queries against the AD – probably via the open source tool AdFind.exe, we're told.
"CISA and MS-ISAC assess the threat actor executed the LDAP queries to collect user, host, and trust relationship information. It is also believed the LDAP queries generated the text files the threat actor posted for sale on the dark web brokerage site," according to the alert.
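The enumeration described above (user, host and trust-relationship collection, with results written to text files) is something a defender can hunt for in process-creation telemetry. The following is an added example, not code from the advisory or from CISA/MS-ISAC: it runs over a handful of constructed Sysmon/4688-style records (not real logs from the incident) and flags AdFind-style collection. The `-f <LDAP filter>` and `-sc trustdmp` switches are AdFind's own; matching on them rather than on the file name is an assumption about attacker behaviour (binaries get renamed), as is the simplified `host|user|image|command_line` record format.

```python
"""Hunt for AdFind-style LDAP enumeration in process-creation events."""
import re
from collections import defaultdict

# Constructed sample records (not from the advisory), in a simplified
# "host|user|image|command_line" form standing in for Sysmon event 1 /
# Windows 4688 process-creation events. The third AdFind run uses a
# renamed binary to show why we match on the command line, not the name.
SAMPLE_EVENTS = [
    "SP01|CORP\\svc_backup|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
    "SP01|CORP\\ex_admin|C:\\Users\\Public\\adfind.exe|adfind.exe -f objectcategory=person > users.txt",
    "SP01|CORP\\ex_admin|C:\\Users\\Public\\adfind.exe|adfind.exe -f objectcategory=computer > hosts.txt",
    "SP01|CORP\\ex_admin|C:\\Users\\Public\\a.exe|a.exe -sc trustdmp > trusts.txt",
    "WS07|CORP\\jdoe|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|WINWORD.EXE /n report.docx",
]

# Command-line fragments that map to the three data sets the advisory says
# were collected. These are AdFind's documented filter/shortcut switches;
# matching on them catches a renamed binary.
COLLECTION_PATTERNS = {
    "users": re.compile(r"objectcategory=person|objectclass=user", re.I),
    "hosts": re.compile(r"objectcategory=computer|objectclass=computer", re.I),
    "trusts": re.compile(r"\btrustdmp\b", re.I),
}
KNOWN_TOOL_NAMES = {"adfind.exe"}
# Output redirected to a .txt file, matching the advisory's observation that
# the query results became the text files later offered for sale.
REDIRECT_RE = re.compile(r">\s*(\S+\.txt)\b", re.I)


def parse_event(line):
    host, user, image, cmdline = line.split("|", 3)
    return {"host": host, "user": user, "image": image, "cmdline": cmdline}


def classify(event):
    """Return a finding for one event, or None if nothing suspicious matched."""
    kinds = [k for k, rx in COLLECTION_PATTERNS.items() if rx.search(event["cmdline"])]
    basename = event["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    known_tool = basename in KNOWN_TOOL_NAMES
    if not kinds and not known_tool:
        return None
    redirect = REDIRECT_RE.search(event["cmdline"])
    return {
        "host": event["host"],
        "user": event["user"],
        "image": basename,
        "kinds": kinds,
        "known_tool": known_tool,
        "output_file": redirect.group(1) if redirect else None,
    }


def detect(lines):
    """All findings across a batch of raw event lines."""
    return [f for f in (classify(parse_event(line)) for line in lines) if f]


def enumeration_bursts(findings, threshold=2):
    """Users who pulled `threshold` or more distinct data sets: the advisory's
    user + host + trust pattern, regardless of what the binary was called."""
    per_user = defaultdict(set)
    for f in findings:
        per_user[f["user"]].update(f["kinds"])
    return {u: sorted(k) for u, k in per_user.items() if len(k) >= threshold}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print("bursts:", enumeration_bursts(found))
```

On the constructed input, the renamed `a.exe` run is still caught because `trustdmp` appears on its command line, and the per-user roll-up surfaces one account that collected all three data sets in the same batch, which is the pattern worth paging on rather than any single query.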
But perhaps the main takeaway from this break-in is that neither of the administrative accounts had multifactor authentication (MFA) enabled. So please – even before reading the rest of the technical details in the advisory – turn on MFA. ®