Gemserv’s latest threat report uncovers the tactics and motivations behind the most sinister of threat actors, and crucially, delivers the recommendations you need to keep your organisation secure.
“Cyber Siege: United Health’s Optum Grapples with Nation-State Cyberattack”
On February 21, 2024, United Health Group reported a severe cyberattack targeting its subsidiary, Optum. This sophisticated “nation-state” assault compromised the Change Healthcare IT systems: an essential component of the United States healthcare infrastructure. Optum, which manages Change Healthcare, a major platform facilitating payment exchanges between healthcare providers and patients, experienced significant disruptions due to this security breach.
The immediate response saw the affected systems being shut down, and a strenuous effort is underway to restore them. In a proactive move, the American Hospital Association (AHA) advised healthcare organisations using Optum’s services to sever connections to sensitive data to mitigate further risks.
The repercussions of the cyberattack are extensive, causing notable interruptions across numerous U.S. healthcare organisations. Analysts are still in the process of identifying the perpetrators behind this significant cybersecurity incident.
Updates on the situation reveal that on April 16, 2024, the cybercriminal group @RansomHub began leaking sensitive data allegedly pilfered from Change Healthcare. This leak followed the involvement of an @ALPHV ransomware affiliate, which later accused @ALPHV of an exit scam, leading to its exclusion from a notable ransomware-focused cybercriminal forum. Despite the turmoil within their ranks, @ALPHV has claimed responsibility for the attack and alleged theft of 6TB of data including medical and insurance records, and personally identifiable information.
United Health Group has quantified the financial damage in its first-quarter earnings report, estimating the impact at a staggering $872 million. This figure includes $593 million allocated to immediate cyberattack response and an additional $279 million attributed to business disruptions. The company forecasts that the incident will dilute their per-share earnings by $0.74 in Q1, with anticipated full-year impacts ranging between $1.15 to $1.35 per share.
As this situation unfolds, the healthcare sector remains on high alert, and the call for enhanced cybersecurity measures has never been more urgent. This event underscores the sophisticated nature of cyber threats and the vital importance of robust security frameworks to protect sensitive health data and systems.
“Hide and Seek Goes Digital: SteganoAmor’s Crafty Campaign of Camouflaged Catastrophes”
In a digital twist on the classic game of hide and seek, the TA558 hacking group has been sneakily embedding malicious code into images—a trick known as steganography. Their campaign, cheekily dubbed “SteganoAmor,” has quietly targeted over 320 organisations globally, leaving cybersecurity professionals both intrigued and perturbed.
Steganography, the art of hiding information in plain sight, typically within harmless files, allows these nefarious payloads to bypass users’ eyes and security scanners alike. The latest shenanigans by TA558, active since 2018 and fond of troubling the hospitality and tourism sectors (with a soft spot for Latin America), have taken this old magic trick to new heights.
The scheme kicks off with innocent-looking emails, equipped with attachments like Excel and Word files. These files exploit the CVE-2017-11882 flaw—a well-known vulnerability within Microsoft Office’s Equation Editor patched back in 2017. However, if you’re still rocking an older version of Office, the exploit triggers a download of a Visual Basic Script (VBS) from the seemingly benign ‘paste upon opening the file. ee’ service.
What unfolds next could be straight out of a spy movie: the script fetches a JPG image harbouring a base-64 encoded nasty surprise. This isn’t just any old cat meme—it’s a Trojan horse! PowerShell code embedded within this digital deceit downloads the final payload, ingeniously hidden within a reversed base64-encoded executable inside a text file.
Researchers at Positive Technologies, who lifted the lid on these covert operations, have spotted a veritable rogues’ gallery of malware delivered through this vector. The lineup includes the likes of AgentTesla, FormBook, Remcos, LokiBot, Guloader, Snake Keylogger, and XWorm—a malware smorgasbord that can steal everything from your keystrokes to your peace of mind.
These attacks aren’t just smart; they’re sinister. By storing the final payloads and malicious scripts in well-regarded cloud services like Google Drive and sending stolen data to be compromised but legitimate FTP servers, TA558 makes their malicious traffic blend in like just another day on the internet.
While most attacks have centred on Latin America, the scope of SteganoAmor is truly global. Thankfully, there’s a simple antidote: keeping Microsoft Office up to date renders these attacks about as effective as a chocolate teapot. A full list of indicators of compromise (IoCs) is available for those who want to stay ahead of TA558’s stealthy schemes.
In this high-stakes game of digital hide and seek, staying vigilant and updated is the key to staying safe. Don’t let SteganoAmor turn your organisation into “it” in this perilous play of cyber tag.
“Digital Dread: Unveiling APT44, Russia’s Master of Cyber Mayhem”
As Russia’s military engagement extends into its third year, a shadowy figure looms large in the cyber realm: APT44, also known as Sandworm or FROZENBARENTS. This group isn’t just another player in the digital shadows; it’s a central pillar in Russia’s cyber warfare strategy, influencing the battlefield from Ukraine to the global stage.
APT44 isn’t new to the game. Active since 2018 and sponsored by Russian military intelligence, the group has been a relentless force against Ukraine, executing some of the most disruptive cyber operations seen over the past decade. But their influence doesn’t stop at the border. Globally, APT44 has made its presence felt in political, military, and economic arenas, particularly where Russian interests are most at stake.
With a knack for espionage and sabotage, APT44 is the Swiss Army knife of cyber threats. It’s one of the few groups that has mastered the triad of cyber warfare: collecting intelligence, sabotaging networks, and conducting influence operations. These capabilities aren’t just siloed tools but are interwoven into a cohesive strategy, mirroring Russia’s broader doctrine of “information confrontation.”
The past year has seen APT44 shift its focus from straightforward disruption to more nuanced espionage. Their operations have provided crucial battlefield intelligence to Russian conventional forces, exemplifying a mature understanding of both digital and kinetic warfare. This shift isn’t just tactical but strategic, positioning APT44 as a key asset in Russia’s geopolitical ambitions.
APT44’s role extends beyond military disruptions; it is a tool of political power for the Kremlin, used to signal, respond to crises, and non-escalate tensions, albeit in a manner that suits Moscow’s interests. Their operations have marked some of the most significant cyber-attacks in history, such as the disruptive attacks on Ukraine’s energy grid and the infamous NotPetya incident, which rippled across the globe.
As APT44 continues to evolve, its threat extends beyond the immediate battlefield. The group’s activities offer a playbook for other state and non-state actors, lowering the barrier for entry into the arena of disruptive cyber capabilities. This poses a significant proliferation risk, with potential for these tactics to spread beyond the control of their originators.
Looking ahead, APT44 is poised to remain a formidable force in the global cyber threat landscape. As geopolitical tensions fluctuate and elections approach, the group’s capacity for cyber disruption is likely to influence events far beyond the digital realm. APT44 isn’t just a group to watch; it’s a stark reminder of the new frontiers of warfare where cyber and physical realms converge.
