TLDR Information Security 2024-04-24

Change Healthcare admits paying ransomware 💸, Encryption concerns 🤫, Glance into spyware industry 🕵️‍♂️

🔓
Attacks & Vulnerabilities

Change Healthcare Finally Admits It Paid Ransomware Hackers—and Still Faces a Patient Data Leak (5 minute read)

More than two months after a devastating ransomware attack, healthcare firm Change Healthcare finally confirmed paying a ransom. The payment of around $22 million in Bitcoin on March 1st was previously identified by researchers but unacknowledged by Change Healthcare. However, the company now warns that a "substantial proportion" of Americans' sensitive medical data may still have been stolen despite the ransom payment.

MITRE Says State Hackers Breached its Network via Ivanti Zero Days (2 minute read)

MITRE announced that it has discovered a network breach due to two chained Ivanti VPN zero days. The threat actors bypassed MFA via session hijacking to move laterally across the network and deployed a combination of webshells and backdoors to harvest credentials and maintain access. Evidence collected thus far shows that the attackers did not breach the core enterprise network or partner networks.

Nespresso Domain Serves Up Steamy Cup of Phish, No Cream or Sugar (2 minute read)

A phishing campaign is exploiting a bug in Nespresso's website to bypass detection by security tools that fail to identify malicious nested or hidden links. The attack begins with a phishing email about Microsoft sign-in activity. Clicking the link directs victims to a legitimate but compromised Nespresso URL, which delivers a fake Microsoft login page designed to steal credentials, all while evading security warnings due to the use of the Nespresso address.
🧠
Strategies & Tactics

Kobold Letters (5 minute read)

This post from Lutra Security demonstrates an email phishing technique called Kobold Letters. In this attack, an attacker uses CSS selectors to make an email appear benign until it is forwarded, at which point the phishing content appears. This works because the forwarding client moves the HTML content to a different position in the message, so different CSS selectors match. Examples are provided for various email clients.

The End of GitHub PATs (8 minute read)

Common GitHub workflows rely on long-lived credentials such as PATs or GitHub Apps to interact with repos. To eliminate the possibility of credentials leaking, Chainguard built an STS for GitHub that exchanges one short-lived credential for another short-lived GitHub credential. The architecture of the middleware is described in the post.

Decrypting Synology Patchfiles (14 minute read)

This article discusses how to decode Synology patch files using various reverse engineering techniques: decrypting an archive, extracting contents using keytypes and keybuffers, verifying message blocks, and decrypting entries with a ChaCha20-Poly1305 key. It walks through decrypting and verifying entries in an archive using Python and various cryptographic functions, and concludes with the successful decryption and verification of the archive entries' contents.
πŸ§‘β€πŸ’»
Launches & Tools

Blauhaunt (GitHub Repo)

Blauhaunt is a tool suite for filtering and visualizing logon events, tracking logon events and the actions a user performs.

MassVulScan (GitHub Repo)

A Bash script that quickly identifies open network ports and any associated vulnerabilities.

Strikeready (Product Launch)

Strikeready is a security management platform that empowers the SOC with AI automation and provides assistance with complex threats.
🎁
Miscellaneous

Apache Cordova App Harness Targeted in Dependency Confusion Attack (4 minute read)

Researchers have discovered a dependency confusion vulnerability affecting the archived Apache Cordova App Harness project. Dependency confusion attacks exploit the fact that package managers prioritize public repositories over private ones, allowing attackers to publish malicious packages with the same name publicly.

European police chiefs target E2EE in latest demand for ‘lawful access’ (6 minute read)

The director general of the UK's National Crime Agency has urged Meta to reconsider its rollout of end-to-end encryption (E2EE) on Instagram, echoing concerns raised by European police chiefs about compromising law enforcement's ability to identify illegal activity. The call follows a joint declaration expressing concern over tech platforms implementing encryption that prevents access to message content for monitoring purposes, citing potential threats to child safety.

Markets Matter: A Glance into the Spyware Industry (23 minute read)

This article discusses Intellexa Consortium, which is a network of spyware companies that is facing sanctions for selling surveillance software with human rights and security risks. The consortium's complex structure involves multiple companies and investors, prompting calls for tighter oversight and regulation in the spyware market. Governments are urged to implement "know-your-vendor" requirements to increase transparency and accountability in the industry.
⚡️
Quick Links

Mandiant M-Trends Report 2024 (40 minute read)

Mandiant's annual M-Trends report highlights improvements in defender capabilities, with global median time to identify dropping from 16 days in 2022 to 10 days in 2023.

Nation-State Threat Actors Renew Publications to npm (5 minute read)

Phylum discusses the approaches nation-state actors are taking to publish malware to Node Package Manager (NPM).

EvilGinx 3.3 Launches with GoPhish Integration (4 minute read)

The popular EvilGinx phishing framework has launched an integration with the GoPhish framework in the newest release.