Malware Activity
MOVEit Campaign Impacts Colorado Department of Health Care Policy and Financing, Exposing Over 4 million Individuals' Data
The Colorado Department of Health Care Policy and Financing (HCPF) has disclosed a data breach impacting over 4 million individuals. HCPF manages the Health First Colorado (Medicaid) and Child Health Plan Plus (CHP+) programs and supports low-income families, the elderly, and disabled citizens. The agency confirmed that the breach stemmed from a third-party contractor, IBM, and that HCPF systems were not directly compromised. IBM notified HCPF that it was impacted by exploitation of the recent MOVEit vulnerability, CVE-2023-34362; the vendor uses the application to "move HCPF data files in the normal course of business." On June 13, 2023, it was identified that HCPF files on IBM's MOVEit application, specifically files containing Health First Colorado and CHP+ members' information, had been accessed by an unauthorized actor around May 28, 2023. The sample data breach notification detailed that the following information was exposed to the unauthorized actor: "full name, Social Security number, Medicaid ID number, Medicare ID number, date of birth, home address and other contact information, demographic or income information, clinical and medical information (such as diagnosis/condition, lab results, medication, or other treatment information), and health insurance information." HCPF is not the only state organization in Colorado to be affected by a large-scale data breach in August 2023: the Department of Higher Education (CDHE) disclosed a data breach on August 4, 2023, that exposed data spanning sixteen (16) years. CTIX analysts will continue to monitor campaigns impacting Colorado organizations and provide updates on the state's latest data breaches as needed.
- Bleeping Computer: Department of Health Care Policy and Financing Data Breach Article
- August 8, 2023, FLASH Issue: Department of Higher Education Data Breach
Threat Actor Activity
Monti Ransomware Returns from Hiatus, Unveils New Linux Ransomware Variant
Over the past several weeks, activity from the Monti ransomware group appears to have increased alongside the unveiling of a new ransomware encryptor built specifically for Linux systems. Monti, believed to be a rebrand of the Conti ransomware group, has been operational since June 2023 and is well known for its striking similarities to Conti: a similar group name, attack tactics and techniques, and ransomware source code. Monti primarily targets entities operating on Linux systems within the healthcare, legal, manufacturing, and government industries. The group had been on a brief hiatus of around two (2) months but has come back in force with a new ransomware campaign and the publication of compromised entities' data on its leak site. In the Linux variant, around 29% of the code was reused from previous Conti ransomware variants, and the encryptor now has the capability to whitelist specific machines from encryption, to encrypt with AES-256-CTR rather than Salsa20, and to adjust its encryption style based on file size. Alongside these capabilities come changes to Monti's ransom note and new functions to gather system information from targeted endpoints. CTIX analysts continue to monitor threat actor activity worldwide and will provide additional updates accordingly.
Vulnerabilities
CISA Mandates Patching of Actively Exploited Critical Citrix ShareFile Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added an actively exploited critical vulnerability in the Citrix ShareFile storage zones controller to its Known Exploited Vulnerabilities (KEV) catalog. The addition mandates that all Federal Civilian Executive Branch (FCEB) agencies patch their vulnerable infrastructure no later than September 6, 2023, or be held accountable by regulators. ShareFile is a managed cloud-based file transfer and collaboration solution that allows organizations to share data internally as well as with their clients and partners. The storage zones controller extends the ShareFile Software-as-a-Service (SaaS) cloud storage by letting enterprises with ShareFile accounts configure private data storage to host files. The flaw, tracked as CVE-2023-24489, has a CVSS score of 9.8/10 and is described as an improper access control bug. Successful exploitation could allow unauthenticated threat actors to remotely compromise a customer-managed ShareFile storage zones controller and upload arbitrary malicious files. The flaw was discovered by the cybersecurity firm AssetNote, which published a working proof-of-concept (PoC) exploit; the exploit succeeds because of errors in ShareFile's AES encryption handling. AssetNote states that the vulnerability has been patched, and CTIX analysts recommend that all Citrix ShareFile administrators ensure their storage zones controller is updated to the latest patched version. Technical details, as well as the PoC and Citrix advisory, can be found in the articles linked below.
- The Hacker News: CVE-2023-24489 Article
- Bleeping Computer: CVE-2023-24489 Article
- Citrix: CVE-2023-24489 Advisory
- AssetNote: CVE-2023-24489 Report (PoC)
Honorable Mention
Raccoon Stealer Returns with New Features
The developers behind the “Raccoon Stealer” information-stealing malware have announced their return after a six (6) month hiatus following the arrest of their administrator back in October 2022. The current authors told the cybercriminal community that they have spent their time developing Raccoon 2.3.0, which comes with new strengths and new features intended to enrich the user experience. Raccoon is a highly popular info-stealing malware-as-a-service sold on the dark web, and along with being hailed for its simplicity and customization, these new integrations aim to keep the malware in the top tier of the info-stealer market. Raccoon 2.3.0 has several added improvements that make it easier and safer to use, making it less likely for users to be traced by researchers and law enforcement, as well as making the service easier for less experienced threat actors to use. A new quick search tool has been added to the Raccoon Stealer dashboard, making it more seamless to find specific stolen data or links and to retrieve credentials or other documents in large datasets containing millions of documents and thousands of different links. Another added feature counters suspicious and unusual activity likely originating from bots used by cybersecurity firms or law enforcement, and deletes records associated with such activity, making it harder for tools to detect the malware. Additionally, protective measures have been put in place that detect and block IPs used by crawlers and bots that monitor Raccoon's traffic, typically operated by cyber-intelligence firms. Lastly, a new “Log Stats” panel gives users an overview of the group’s operations, the most successfully targeted countries, and the number of breached computers.
Raccoon malware is often installed via phishing emails, and steals not just credentials and financial information, but also session cookies that allow threat actors to bypass multi-factor authentication (MFA), constituting a massive threat to both home users and businesses. A variety of attacks can be leveraged against individuals once a foothold has been established, such as data theft, ransomware, business-email compromise, and cyber espionage. CTIX analysts encourage readers to enable MFA on all accounts and to use password managers rather than storing credentials on their browsers. CTIX offers dark web monitoring for readers who believe their accounts may have been compromised.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.