Daily Brief

2024-05-07 22:20:45 | bleepingcomputer | DATA BREACH | DocGo Confirms Patient Data Theft Amid Cyberattack
Mobile healthcare provider DocGo experienced a significant breach, resulting in the theft of patient health data. Hackers accessed protected health information from the company's ambulance service records in the United States. DocGo has taken measures to contain the breach, including working with cybersecurity experts and informing law enforcement. There is currently no evidence of ongoing unauthorized access or of impact on other business units within the company. DocGo believes the cyberattack will not materially affect its operations or financial stability. The exact number of affected individuals is undisclosed, and investigations are ongoing. The incident was disclosed through a Form 8-K filing with the Securities and Exchange Commission (SEC). No specific threat actor has been identified, and the nature of the stolen data makes future extortion attempts a possibility if the exposure is not addressed.
2024-05-07 21:55:03 | theregister | CYBERCRIME | Vulnerability in VPN Clients Exposed by Rogue DHCP Servers
Researchers at Leviathan Security Group identified a vulnerability, dubbed TunnelVision, that affects numerous VPN clients by redirecting their traffic via rogue DHCP servers. The flaw works across VPNs and operating systems, with the exception of Android, which does not support DHCP option 121, the option the technique relies on. It allows an attacker on the same local network to reroute traffic that should travel through the VPN tunnel over unsecured paths, potentially exposing user data; the VPN's encryption is irrelevant because the rerouted traffic never enters the tunnel. Three attack scenarios were described: DHCP starvation, racing for DHCPDISCOVER responses, and ARP spoofing, each letting the attacker issue malicious DHCP leases. Although HTTPS and SSH traffic remains encrypted and unreadable, an attacker can still see destination addresses, which raises privacy concerns. Current mitigation recommendations include avoiding untrusted networks, running the VPN inside an isolated environment such as a virtual machine, and employing host-based firewalls. The researchers noted that fully resolving the problem would require significant changes to how DHCP and VPNs interact, calling it a broader systemic issue requiring attention from both users and providers.
2024-05-07 21:44:36 | bleepingcomputer | CYBERCRIME | Hackers Exploit WordPress Plugins to Gain Admin Access
Hackers are exploiting a vulnerability in outdated versions of the LiteSpeed Cache plugin on WordPress sites to create admin accounts and take control of the websites. The LiteSpeed Cache plugin, used by over five million sites, speeds up page loads and improves Google rankings; versions prior to 5.7.0.1 contain a cross-site scripting flaw. More than 1.2 million probes from a single IP were recorded, indicating a wide-scale attempt to discover and compromise vulnerable sites. The attacks inject malicious JavaScript into WordPress files or the database to establish unauthorized admin users. Despite the availability of updates, approximately 1.835 million installations of the LiteSpeed Cache plugin remain vulnerable because they have not been upgraded. A similar exploit was observed against the less popular "Email Subscribers" plugin, highlighting a continuing risk across plugins. Recommendations for site admins include updating plugins, removing non-essential components, and monitoring for unauthorized admin account creation. Following a breach, a comprehensive site cleanup, including deletion of rogue accounts, password resets, and restoration of files and the database from clean backups, is mandatory.
2024-05-07 20:02:40 | theregister | CYBERCRIME | CISA Enhances US Security Against Rising Ransomware Threats
CISA launched the Ransomware Vulnerability Warning Pilot in January 2023 to identify vulnerabilities exploited by ransomware gangs and notify affected organizations. In its first year, 1,754 notifications were sent to entities with internet-exposed devices, with the aim of closing security gaps quickly. As a result, 852 notifications led to actions such as patching or temporary system shutdowns to mitigate the risk. The program stems directly from the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed by President Biden in March 2022. The pilot is set to evolve into a fully automated warning system by the end of next year. The initiative is part of a broader CISA strategy to combat cyber threats through proactive measures that make operations financially and operationally difficult for threat actors. Acting section chief Gabe Davis likened CISA's comprehensive cybersecurity approach to a "full-court press" during the NBA playoff season, emphasizing relentless defense against cyber threats.
2024-05-07 19:46:54 | bleepingcomputer | DATA BREACH | UK Ministry of Defence Suffers Significant Payroll Data Breach
The UK Ministry of Defence confirmed a breach exposing payroll data of active, reserve, and some retired personnel. An external payment system managed by a contractor was compromised, affecting approximately 270,000 records. Personal data including names, banking details, and some addresses were exposed, though core MoD networks remained secure. All April salaries and payments were processed despite the breach, with no major impact on financial disbursements. Immediate measures were taken to isolate the affected system and halt further intrusion. An ongoing investigation has pointed to potential security lapses by the contractor handling the attacked system. There are currently no indications of data theft, though affected individuals have been informed of the potential risk. The incident has raised concerns about foreign state involvement, but no official attribution has been made yet.
2024-05-07 19:06:01 | theregister | NATION STATE ACTIVITY | TikTok Sues US Government Over Forced Sale Legislation
TikTok and its parent company ByteDance are suing the US government, challenging the constitutionality of a recent law mandating the sale or shutdown of TikTok due to national security concerns. The law requires ByteDance to sell TikTok to an approved buyer within 270 days or face shutdown, with the possibility of a 90-day extension. US lawmakers argue that TikTok could be used by the Chinese government for surveillance or propaganda, allegations TikTok denies. The lawsuit claims the law is unconstitutional and does not fairly assess the alleged threats TikTok poses, with no concrete evidence provided by lawmakers. The deadline imposed by the law, according to the lawsuit, makes it commercially, technically, or legally impossible for TikTok to meet the conditions for sale. Critics of the law, including civil liberties experts, believe the US government may struggle to demonstrate the national security threats in court, given the general deference to national security interests. The conversation around TikTok’s ownership and potential ban raises broader concerns about the need for comprehensive consumer privacy legislation in the US.
2024-05-07 18:50:03 | bleepingcomputer | CYBERCRIME | TunnelVision Exploit Leaks VPN Traffic via Rogue DHCP Servers
A new cybersecurity threat named "TunnelVision" exposes VPN traffic by manipulating DHCP server settings. Attackers can reroute VPN traffic to the local network or a malicious gateway, bypassing the encrypted tunnel and allowing data snooping. The technique uses DHCP option 121 to alter routing tables without authentication, undermining the intended secure VPN connection. Leviathan Security identified the issue, tracked as CVE-2024-3661, and reported it to CISA, the EFF, and affected vendors. Although the vulnerability has existed since 2002, there have been no reports of active exploitation. TunnelVision primarily affects users on public Wi-Fi networks, where attackers can more easily set up rogue DHCP servers. Devices running Windows, Linux, macOS, and iOS are vulnerable, while Android devices are unaffected because they lack DHCP option 121 support. Leviathan Security suggests that VPN providers improve their software to resist such DHCP manipulation and that users remain vigilant on public networks.
2024-05-07 17:12:56 | bleepingcomputer | MALWARE | Over 50,000 Proxy Servers Exposed to Critical RCE Flaw
Nearly 52,000 Tinyproxy servers are susceptible to a severe remote code execution vulnerability identified as CVE-2023-49606. The flaw, disclosed by Cisco Talos, affects the latest versions of the Tinyproxy software and could allow attackers to execute malicious code remotely without authentication. Despite efforts by Cisco Talos to report the vulnerability to the Tinyproxy developers, there was an initial lack of response, which complicated the resolution process. Analysis by Censys found that 57% of Tinyproxy instances observed on the internet are vulnerable, mostly located in the U.S., South Korea, China, France, and Germany. Five days after public disclosure, the Tinyproxy maintainers released a security fix for the memory management issue that enabled exploitation. The developers pointed out inaccuracies in Cisco Talos's account of the disclosure process and provided interim security measures until the fix is more broadly integrated.
2024-05-07 17:07:33 | theregister | CYBERCRIME | LockBit Ransomware Leader Unmasked, Facing International Sanctions
Police have revealed Dmitry Yuryevich Khoroshev as the leader of the notorious LockBit ransomware group. Khoroshev, also known by his alias LockBitSupp, has been added to several Western sanctions lists and faces various criminal charges in the US. The UK, US, and Australia have initiated sanctions against Khoroshev, who previously offered a $10 million reward for anyone who could expose his identity. Operation Cronos, led by British and US authorities, significantly disrupted LockBit activities, reducing their operations and unmasking key figures. Investigators analyzed LockBit's operations, finding many affiliates unprofitable and unsuccessful in extortion attempts. Despite a slight resurgence in LockBit activities, attacks have generally decreased by 73% in the UK, with reductions noted globally. Khoroshev faces up to 185 years in prison if convicted on numerous charges including conspiracy to commit fraud and extortion related to cyber activities. The exposure of Khoroshev represents a significant blow to cybercriminals globally, demonstrating enhanced international cooperation in battling cybercrime.
2024-05-07 16:46:50 | bleepingcomputer | DATA BREACH | BetterHelp Settles for $7.8 Million Over Data Privacy Breach
BetterHelp has agreed to pay $7.8 million to settle FTC allegations that it misused and shared consumer health data without authorization for ad targeting. The online therapy provider is accused of sharing sensitive data, such as email and IP addresses and health questionnaire responses, with companies like Facebook and Snapchat. The exposed data was used to target similar consumers with advertisements, significantly boosting BetterHelp's clientele and revenue. Approximately 800,000 users who used BetterHelp services between August 2017 and December 2020 are eligible for refunds. The FTC uncovered the privacy violations during an investigation into BetterHelp's data handling practices. Affected consumers will receive an email from Ankura Consulting detailing the refund process, with multiple payment options available. The settlement covers several BetterHelp-operated services, including MyTherapist and Teen Counseling. Payments to affected consumers will be issued this summer, with a deadline of June 10, 2024, to select a preferred payment method.
2024-05-07 15:50:33 | thehackernews | CYBERCRIME | LockBit Ransomware Leader Dmitry Khoroshev Charged, Operations Dismantled
Dmitry Yuryevich Khoroshev, identified as the administrator and developer of LockBit ransomware, faces multiple international sanctions and a 26-count indictment carrying a potential 185-year sentence. Khoroshev used aliases including LockBitSupp and putinkrab and is linked to extensive cybercrimes against corporations and institutions worldwide, leading to asset freezes and travel bans. The U.K.'s NCA, with support from U.S. and Australian authorities, has collected over 2,500 decryption keys to assist LockBit's 2,500+ victims worldwide. Since its inception in 2019, LockBit's RaaS activities have reportedly netted Khoroshev at least $100 million, demonstrating the operation's financial scale. Authorities from the U.S., U.K., and Australia stated that LockBit accounted for a significant share of the ransomware incidents in their countries, demonstrating its global impact. Post-operation efforts to revive LockBit have failed, though the group has falsely claimed recent attacks to inflate its perceived activity. The coordinated international law enforcement operation, dubbed Cronos, successfully disrupted LockBit's operations and substantially reduced its network of affiliates.
2024-05-07 15:14:39 | theregister | CYBERCRIME | LockBit Ransomware Leader Unmasked, Global Operations Crippled
Dmitry Yuryevich Khoroshev, leader of the LockBit ransomware gang, was finally identified and sanctioned after his identity had been a closely guarded secret. Operation Cronos, led by the National Crime Agency (NCA), targeted this notorious ransomware operation and significantly disrupted its activities worldwide. Despite the sanctions, actual justice remains uncertain because Khoroshev resides in Russia, creating jurisdictional challenges. The US has offered a $10 million reward for information leading to Khoroshev's arrest or conviction, emphasizing the high stakes involved. Following the law enforcement disruption in February, LockBit's capabilities have been notably diminished, and many affiliates have lost confidence. The operation uncovered about 194 affiliates in February, a large proportion of whom had no profitable involvement in ransom operations. Recent data indicates a significant drop in LockBit attacks, with the group's operational capacity severely reduced since the intervention.
2024-05-07 14:07:42 | bleepingcomputer | CYBERCRIME | LockBit Ransomware Admin Sanctioned by Multiple Countries
The FBI, UK National Crime Agency, and Europol announced indictments and sanctions against Dmitry Yuryevich Khoroshev, the admin of LockBit ransomware. Khoroshev, identified as a Russian national, faces multiple international legal actions including asset freezes and travel bans. The US Department of Justice is expected to release further details in an upcoming indictment. Concurrently, the US has issued a $10 million reward for information leading to Khoroshev's arrest or conviction under the Rewards for Justice program. Sanctions include prohibitions that complicate ransom payments, potentially leading to government fines for companies involved. Previous sanctions impacted the ability of ransomware negotiators to assist in transactions involving sanctioned entities. Law enforcement previously disrupted LockBit by seizing its infrastructure, obtaining over 2,500 decryption keys to aid victims. Europol continues to assist in the recovery process for those affected by LockBit ransomware attacks.
2024-05-07 14:02:25 | bleepingcomputer | DATA BREACH | Mitigating Risks from Third-Party Data Breaches Effectively
Modern organizations are highly interconnected, increasing the risk of third-party data breaches. The global data volume is expected to reach 147 zettabytes by 2024, emphasizing the scale and impact of potential breaches. Third-party breaches happen when an entity within a network is compromised, potentially affecting associated organizations. Examples include the SolarWinds incident where hackers infiltrated multiple networks via compromised software updates. Password reuse significantly exacerbates third-party breach impacts, with credential stuffing attacks exploiting this vulnerability. External Attack Surface Management (EASM) tools are vital for identifying and mitigating vulnerabilities in an organization’s network and its third parties. Continuous monitoring of potentially compromised credentials and regular attack surface assessments are recommended to minimize risks.
2024-05-07 13:26:23 | thehackernews | NATION STATE ACTIVITY | APT42 Uses Social Engineering to Penetrate Networks for Espionage
APT42, backed by the Iranian government, poses as journalists to infiltrate target systems, particularly cloud environments. Targets include NGOs, media entities, academic institutions, legal sectors, and activists across Western and Middle Eastern regions. APT42's social engineering builds trust with targets, enabling credential harvesting that gives covert access to victims' cloud data. Data of strategic interest to Iran is exfiltrated using built-in features and open-source tools, minimizing the risk of detection. APT42 operates under Iran's IRGC and is linked to APT35, but it focuses on espionage aligned with Iran's domestic politics and foreign policy. The group employs spear-phishing, typo-squatting, and masquerading techniques to obtain credentials and bypass MFA. In addition to credential theft, APT42 uses custom backdoors for further network penetration and maintains operational secrecy using VPNs and anonymized infrastructure. Despite regional conflicts such as the Israel-Hamas war, APT42 remains focused on intelligence gathering and has not shifted to disruptive cyber tactics.