6th Edition

Take that money and run, Double-0...Poland(?), and fishy hacks...

Change Healthcare just paid $22 Million in Bitcoin for nothing, but it wasn't the largest. In 2021, the largest ransomware payout was made by an insurance company for $40 million, setting a world record. 

Another doozy of a week. The one thing about InfoSec is that the breaches, vulnerabilities, and exploits keep on coming. On the menu this week:

  • Blackcat disappears: Take that money and runnnnnnn

  • This week’s can’t miss: Microsoft has a source code problem

  • The NSO-no moment: Poland’s spying problem

  • Might have missed: FBI, you’re pushing the limits on surveillance

  • Swimming with the fishes: The odd and wonderful world of IoT hacks

Big News

Blackcat’s got 99 problems but $22 Million ain’t one

No honor among thieves it would seem. Last week, we wrote about the Change Healthcare ransomware attack that froze over 67,000 pharmacies across the US. The healthcare payments company is still reeling from the attack, and it seems to be getting worse for them. The threat actor group that hacked them, an affiliate of the Blackcat/ALPHV ransomware group, claimed responsibility and, if they get paid, a king’s ransom.

What happened: On that note, it looks like Change Healthcare, or rather their parent company United Healthcare, made a $22 million Bitcoin payment to the ransomware group. But, once Blackcat received the payment, they closed shop with the money and refused to pay the affiliate group responsible for the attack, which also means Change Healthcare won’t receive the decryption key they appear to have desperately needed.

Blackcat appears to have pasted the seizure notice back onto its site.

Why is it important: This is a big deal. Blackcat may finally be gone. After Blackcat’s attempted takedown in December 2023 by the DOJ, they regrouped and brought higher payments to their affiliates. Typically, they were paying affiliates about 60 percent of the ransom, but after December, they raised the payout to 90 percent.

The other side: With this latest development, it looks like the leaders of Blackcat may have decided to run an exit scam on their affiliates to take one lump sum and retire. CHA-CHING. The group claims the DOJ took them down, but law enforcement denies any involvement in the takedown. The gang doesn’t appear to be done cashing in either as they’re listing their source code for a new ransomware group to purchase for $5 million, likely due to pressure from law enforcement.

The takeaway: Honestly, who knows? Blackcat is gone, but ransomware isn’t. Until attackers lose their incentive to ransom and extort it will keep on keeping on. On one side, law enforcement pressure may have pushed them to close shop. On the other hand, cybercriminals see a $22 million payment coming from a victim. Will the preventative measures or greed win out? My money’s on greed.

tl;dr: Change Healthcare hacked. Change Healthcare paid. Cybercriminals rip off other cyber criminals and Healthcare is left holding the bag with no data.

Can’t Miss

Breaches, vulns, and more.
  • North Korea: South Korea’s intelligence service put out notice that North Korean hackers have been targeting chip manufacturers and had successfully exfiltrated sensitive data. The South Korean firms provide chips for Apple, Google, and Microsoft among others. Can’t wait to pick up my new North Korean supercomputer.

  • JetBrains TeamCity: A development tool called TeamCity, used by over 30K organizations, has released patches for vulnerabilities that could lead to mass supply chain attacks.

  • ChatGPT: More than 225K ChatGPT credentials are for sale on the dark web. It appears they’ve been aggregated from InfoStealer malware.

  • North Korea (again): The DPRK’s hacking teams seem to be full steam ahead. They’re also being seen using ScreenConnect’s critical vulnerabilities to deploy backdoor tools.

  • Microsoft: Microsoft confirmed that some accounts were accessed and source code was stolen by Fancy Bear, the Russian hacking group.

Poland, you’ve got some splainin’ to do

We’ve talked a lot about spyware, but primarily the kind that Big Tech uses to sell us the next widget. There’s another kind of spyware though, one that can grant full access to your phone to extract passwords, messages, photos, browsing history, or even activate your microphone and camera without you knowing. It’s called Pegasus and was created by a firm called the NSO Group out of Israel.

What happened: Poland’s new Prime Minister has come out with information that he says “confirms 100%” that his predecessors purchased and used the software illegally, primarily targeting political opponents and affecting the 2019 election outcome. While this software sits in a grey area and can be used to hunt down ‘bad’ guys, misuse is not hard to fathom with a tool that powerful.

Why is it important: Pegasus’ sole purpose is to find ways to extract data from people’s devices, but NSO Group doesn’t control the targets. In oppressive regimes, this software is used to target, and in extreme cases silence, activists, journalists, and political opponents. In recent years though, it’s been found that more and more countries in the EU, like Hungary, Spain, and Greece, have been deploying the spyware too.

The other side: NSO Group claims to only sell to ‘verified government agencies and exclusively for the purpose of fighting terrorism and crime’. Riiiigggghhhhhttttt. Sure. Totally. Because every government and person defines those things the same and never uses those terms or labels on those who disagree. The only true good I can see out of this is that some, like those at Citizen Lab, work to identify which governments are using the software to target their citizens.

The takeaway: Spyware is prevalent in all walks of life, but in the case of NSO, this is a true international arms issue. The US went as far as to ban the NSO Group from American technology, but I doubt that will do much, and our government likely has similar capabilities.

tl;dr: Spyware group sells software. ‘Legit’ governments are purchasing it. Folks are surprised it’s being misused.

Side note: I will warn you that I’ve been down the rabbit hole on NSO; it’s long, it’s complicated, it’s interesting, and it’s enlightening. Jack Rhysider, who produces Darknet Diaries, does an excellent job diving into them (side note: also a stellar podcast).

Tip of the week

Backups - just do them. Cloud or not, back up your stuff. In 2022, 20% of computer owners never backed up their data and 26% performed backups less often than once a year. Don’t be someone who loses their data.

Might have missed

  • FBI and Push Alerts: Privacy nightmare or law enforcement tool, push notifications on phones reveal a lot about us. In this case, it was a valuable tool that was used to catch a notorious pedophile.

  • Business Email Compromise: Three men are being tried in US courts for a Business Email Compromise scheme in which they gained unauthorized access to business email accounts and then sent requests for wire transfers to their own accounts. 20 years in Federal prison for $200K? If only they were related to that Nigerian Prince…

  • American Express: Another week, another data breach. Amex notified customers that their credit card numbers, names, and expiration dates had been compromised via a third party.

  • Predator Spyware: Similar to the Pegasus software we talked about this week, another spyware tool called ‘Predator’ seems to be making a comeback.

  • $10 Million: That’s the price for the capture of two Iranian hackers who used spearphishing to infect over 200K victims.

  • Dropbox: A new phishing campaign is sending what appear to be harmless emails from legit Dropbox email addresses, but they contain a malicious link. The link then redirects to a fake Microsoft Office 365 login page to harvest users’ credentials.

Off Track

Fishtanks to hacks: A tale in securing IoT

Taking care of fish can be tough (at least for me it is). But with the advent of internet-connected everything, why not let the tank tell you when to feed and clean? That’s what one casino did a few years back; they just forgot to put it on a different network than the rest of their data.

What happened: Back in 2017, Darktrace, a network security monitoring company, told a story about a casino in North America that had an internet-connected fish tank. Hackers were able to gain remote access to the fish tank, and then pivot to other areas of the network. At the end of the day, they ended up exfiltrating 10 GB of data.

Why was it important: While the nature and type of the data stolen were never released, it shows the vulnerable nature of things we may think of as smart devices: internet-connected appliances like microwaves, ovens, and laundry machines. When these are on the same network as your personal devices, they can present real security concerns, let alone being data-hungry, like this washing machine sending almost 4 GB of data a day.

The other side: But I love saying ‘Hey Google, what’s the weather tomorrow?’, and then ‘Hey Google, I said weather, not leather’, then ‘Hey Google, why are you so dumb?’, and finally ‘Screw it, I’ll check my phone.’ Jokes aside, IoT devices can bring a lot of convenience and efficiency to homes. It’s all about how you manage them. Many home router providers will help you create separate networks for these devices.

The takeaway: When picking up something that’s internet-connected, consider the risks and rewards of doing so. Does that coffee maker really need to be connected to the internet? Or that microwave? Is the oven so far away that you need to preheat it from your couch? Pick manufacturers with a history of patching their devices and maintaining support.

tl;dr: Casino fishtank hacked. Data stolen. Lesson: separate IoT devices from your network.
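If your router supports it, “separate networks” in practice means an IoT VLAN that can reach the internet but can never start a connection toward your trusted devices or the router’s admin page. The ruleset below is an added example for a Linux-based home router running nftables; it is not from the newsletter or from Darktrace, and the interface names (lan0, iot0, wan0) and the choice of which ports the IoT side may talk to are assumptions you would adjust for your own setup.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original article. Assumed interfaces:
#   lan0 = trusted home LAN, iot0 = IoT VLAN (fish tank, washer, ...), wan0 = internet
flush ruleset

table inet filter {
    chain input {
        # Traffic aimed at the router itself
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        # Trusted LAN may manage the router
        iifname "lan0" accept
        # IoT VLAN only gets DHCP and DNS from the router, never its admin interface
        iifname "iot0" udp dport { 67, 53 } accept
        iifname "iot0" tcp dport 53 accept
        iifname "iot0" log prefix "iot-to-router-blocked: " drop
    }

    chain forward {
        # Traffic routed between networks
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # IoT devices may reach the internet for updates and their cloud service
        iifname "iot0" oifname "wan0" accept
        # Trusted LAN may reach the internet and may initiate connections to IoT devices
        iifname "lan0" oifname "wan0" accept
        iifname "lan0" oifname "iot0" accept
        # IoT -> LAN is never accepted (policy drop); log it so a compromised
        # device probing the LAN shows up in the router logs
        iifname "iot0" oifname "lan0" log prefix "iot-to-lan-blocked: " drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "wan0" masquerade
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`. The important property is the default `policy drop` on the forward chain combined with the `established,related` rule: the trusted LAN can open a connection to the fish tank and get replies back, but the fish tank can never open one toward the LAN. The log lines give you a cheap detection signal; in the casino story, an IoT device talking to the internal network was exactly the anomaly that should have been noticed.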

More: WashingtonPost$ | HackerNews | Forbes 

Cool Sh*t Corner

LED TV…..Floors? Finally, I can change my flooring every day.

Thanks for reading this week’s edition. Have feedback or advice, or just hate everything you see? Hit this link!