New Group RansomHub Claims Attack on Change Healthcare

Ukrainian hackers claim destruction of Russian military cloud provider, Hackers steal nearly 350K SSNs from US gov't contractor Greylock McKinnon, Mobile gadget maker Targus hit by cyberattack, Threat actor doxes almost every adult in El Salvador, Massive anti-Ukraine troll operation revealed, Summer Olympics face cyber threats, much more

The Change Healthcare breach story has taken on a new twist after emerging ransomware group RansomHub claimed it had 4TB of data stolen from the healthcare tech company in February.

Following the devastating ALPHV/BlackCat attack on Change Healthcare, RansomHub, a new ransomware group that began listing victims on its leak site in February 2024, according to SOCRadar, has stepped into the picture, demanding payment and threatening to leak the stolen data.

“Change Healthcare and United Health you have one chance to protecting your clients data. The data has not been leaked anywhere and any decent threat intelligence would confirm that the data has not been shared nor posted,” the group wrote in a post on its website Monday, according to screenshots published by Dark Web Informer. “In the event you fail to reach a deal the data will be up for sale to the highest bidder here.”

RansomHub began a countdown of just over 12 days for UnitedHealth to make a ransom payment before the dataset is sold.

The group claims that the 4TB it obtained includes medical and dental records, payment and claims information, patient personally identifiable information (PII), including Social Security numbers, and PII of active US military personnel. The group also claims to hold more than 3,000 source code files for Change Healthcare’s software solutions.

Malware resource-sharing group vx-underground subsequently posted a conversation one of its administrators had with a RansomHub admin, indicating that “many” former ALPHV/BlackCat affiliates had joined the group after being deprived of their share of a $22 million payment made by Optum, the UnitedHealth Group subsidiary that owns Change Healthcare.

Ransomfeed also noted that it cross-referenced all 28 victims RansomHub has posted on its site with ALPHV/BlackCat victims and found only two overlaps, including Change Healthcare. This further supports the hypothesis that RansomHub is not a rebranded version of ALPHV/BlackCat but a new group recruiting past affiliates. (Laura French / SC Media)

Source: DarkWebInformer on X.

Ukrainian hackers, possibly connected to the Security Service of Ukraine (SBU), destroyed a data center owned by OwenCloud.ru, a cloud service provider used by the Russian military, energy, and telecommunications industries.

According to sources in the SBU, more than 10,000 entities involved in the Russian military industry stored their data in the targeted cloud service.

These reportedly included companies from Russia's oil and gas, metallurgical, and aerospace industries, as well as major telecommunications providers: Ural Works of Civil Aviation, Rubin, Ural Plant Spectechniks, Gazprom, Transgaz, Lukoil, Rosneft, Nornickel, Rostelecom, and MegaFon.

The sources said more than 300 terabytes of data were destroyed. This included 400 virtual and 42 physical servers that stored internal documents, backup copies, and other programs through which clients remotely managed production at their enterprises.

The sources said the operation was jointly carried out by the Ukrainian hacker group Blackjack and the SBU's cybersecurity department.

At one point, the OwenCloud.ru website displayed a message supposedly left by the Blackjack hacker group, saying that the center's "IT infrastructure has been destroyed."

The sources said that the attack on the cloud service was a retaliation for a January hack of the Ukrainian Parkovyi data center. (Martin Fornusek / The Kyiv Independent)

Source: The New Voice of Ukraine.

US consulting firm Greylock McKinnon Associates (GMA) disclosed a data breach in which hackers stole up to 341,650 Social Security numbers.

GMA provides economic analysis and litigation support to companies and to US government agencies that bring civil litigation, including the Department of Justice. According to its data breach notice, GMA told affected individuals that their personal information “was obtained by the US Department of Justice (“DOJ”) as part of a civil litigation matter” supported by GMA.

GMA said that individuals notified of the data breach are “not the subject of this investigation or the associated litigation matters,” and the cyberattack “does not impact your current Medicare benefits or coverage.”

In a data breach notice, GMA wrote, “We consulted with third-party cybersecurity specialists to assist with our response to the incident, and we notified law enforcement and the DOJ. We received confirmation of which individuals’ information was affected and obtained their contact addresses on February 7, 2024.”

It’s unclear why it took GMA nine months to determine the extent of the breach and notify victims. (Lorenzo Franceschi-Bicchierai / TechCrunch)

In an 8-K filing at the US Securities and Exchange Commission, B. Riley Financial, the parent company of mobile gadget and bag maker Targus, said that Targus is experiencing a “temporary interruption” to its business operations following a cyberattack on Friday.

B. Riley Financial said it discovered “a threat actor gained unauthorized access to certain of Targus’ file systems” and shut down much of its network to isolate the incident.

“The incident has been contained and Targus systems recovery efforts are in process,” the company said.

Targus did not say what kind of interruption to its operations it was experiencing. (Zack Whittaker / TechCrunch)

A threat actor that calls itself CyberIntelligenciaSV posted personally identifiable information for more than five million Salvadorans, reflecting almost every adult in El Salvador, available for free download.

The information, including full names, birthdays, phone numbers, residential addresses, email addresses, and DUI numbers (El Salvador's national identity number, the equivalent of a Social Security number), was stolen and made accessible via dark web torrents.

Moreover, the breach also includes millions of high-definition, unwatermarked, and DUI-numbered headshot photos of Salvadorans.

The massive 144GB data leak has been available to download for a $250 fee since August, but the threat actor who possessed the information claimed that the victims failed to pay his ransom demand. As punishment, the hacker released the data for free. (Protos)

Source: Daily Dark Web.

According to a trove of internal Kremlin documents obtained by a European intelligence service, Kremlin-linked political strategists and trolls are waging an ongoing campaign to influence congressional and other political debates and stoke anti-Ukraine sentiment.

The files are part of a series of leaks that have allowed a rare glimpse into Moscow’s parallel efforts to weaken support for Ukraine in France and Germany, as well as destabilize Ukraine itself.

The strategists and trolls have written thousands of fabricated news articles, social media posts, and comments that promote American isolationism, stir fear over the United States border security, and attempt to amplify US economic and racial tensions.

One of the political strategists instructed a troll farm employee working for his firm to write a comment of “no more than 200 characters in the name of a resident of a suburb of a major city.” The strategist suggested that this fictitious American “doesn’t support the military aid that the US is giving Ukraine and considers that the money should be spent defending America’s borders and not Ukraine’s. He sees that Biden’s policies are leading the US toward collapse.”

Russia has been ramping up its propaganda operations as part of a second front that current and former senior Western officials said has become almost as crucial for Moscow as the military campaign in Ukraine, especially as congressional approval for further aid has become critical for Kyiv’s ability to continue defending itself.

The campaign has attempted to paint Ukrainian President Volodymyr Zelensky as corrupt, emphasized the numbers of migrants crossing the US-Mexico border, called for border security to be funded over any aid to Ukraine, and described “white Americans” as the principal losers because of foreign aid, the documents show.

One document shows that the strategy promotes views from the far-right wing of the Republican Party and calls for some of the messaging to be voiced by American “public opinion leaders and politicians,” but it does not name any people who could be enlisted to do that.

Many documents contain metadata showing they were written by a team working for Ilya Gambashidze, head of the Moscow PR firm Social Design Agency. The United States imposed sanctions on Gambashidze last month for his involvement in “a persistent foreign malign influence campaign” at the Kremlin’s direction, including the creation of websites designed to impersonate legitimate media outlets in Europe, part of a campaign that Western officials have called “Doppelganger.” (Catherine Belton and Joseph Menn / Washington Post)

According to researchers at the AhnLab Security Intelligence Center (ASEC), threat actors increasingly use YouTube to distribute information-stealing malware (infostealers), both by hijacking legitimate channels and by running video channels of their own.

ASEC found a growing number of cases in which malicious actors hijack popular YouTube channels and repurpose them to distribute infostealers such as Vidar and LummaC2. In one case, the hijacked channel had more than 800,000 subscribers.

In every case ASEC discovered, the lure was a video advertising a cracked version of legitimate software, such as an Adobe product, with the download link placed in the video description or in the comments.

The malware files are hosted on MediaFire inside password-protected archives, a step the threat actors take so that security solutions cannot inspect the archive contents before the victim supplies the password.

When the compressed files are decompressed, malware strains disguised as installers are found. (Kevin Poireault / Infosecurity Magazine)
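The password-protected-archive trick described above can still be triaged without the password, because a ZIP file's central directory lists every entry name and its encryption flag in the clear. The following is an added example written for this page, not ASEC's code or anything from the reports it cites: it flags archives whose encrypted entries look like installers, and it builds its own sample archives in memory (the entry name "Setup.exe" and its contents are constructed lure data, not a real sample).

```python
"""Flag password-protected archives that carry executables, the packaging
described above for YouTube-distributed infostealers.

Added example, not ASEC's code. The sample archives are constructed in
memory; "Setup.exe" and its payload bytes are hypothetical lure data.
"""
import io
import struct
import zipfile

# Extensions that should not be hiding behind a password in a "cracked software" download.
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".scr", ".bat", ".cmd", ".js", ".vbs", ".dll")
ZIP_FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0: entry data is encrypted


def inspect_archive(data: bytes) -> dict:
    """Return which entries are encrypted and which look executable.

    Password protection hides the payload from content scanners, but the
    central directory still exposes every filename and its flag bits, so the
    archive can be judged without the password.
    """
    entries = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            entries.append({
                "name": info.filename,
                "encrypted": bool(info.flag_bits & ZIP_FLAG_ENCRYPTED),
                "executable": info.filename.lower().endswith(EXECUTABLE_SUFFIXES),
            })
    encrypted_exec = [e["name"] for e in entries if e["encrypted"] and e["executable"]]
    return {
        "entries": entries,
        "suspicious": bool(encrypted_exec),
        "reason": ("password-protected archive carries executable: " + ", ".join(encrypted_exec))
                  if encrypted_exec else "",
    }


def build_sample_archive(name: str, payload: bytes, encrypted: bool) -> bytes:
    """Construct a one-entry ZIP in memory (constructed sample data for the demo).

    The standard library cannot write encrypted archives, so for the encrypted
    variant the general-purpose flag word is patched by hand in both the local
    file header (offset 6) and the central directory record (offset 8 after the
    "PK\\x01\\x02" signature). Only the flag changes; the stored bytes stay in
    the clear, which is enough to exercise the flag-based check above.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    raw = bytearray(buf.getvalue())
    if encrypted:
        assert raw[:4] == b"PK\x03\x04", "unexpected local file header"
        local_flags = struct.unpack("<H", raw[6:8])[0] | ZIP_FLAG_ENCRYPTED
        raw[6:8] = struct.pack("<H", local_flags)
        cd = raw.find(b"PK\x01\x02")
        cd_flags = struct.unpack("<H", raw[cd + 8:cd + 10])[0] | ZIP_FLAG_ENCRYPTED
        raw[cd + 8:cd + 10] = struct.pack("<H", cd_flags)
    return bytes(raw)


if __name__ == "__main__":
    # Constructed lure: a password-protected archive wrapping a fake PE stub.
    lure = build_sample_archive("Setup.exe", b"MZ" + b"\x00" * 62, encrypted=True)
    print(inspect_archive(lure))
    # Constructed benign archive for comparison: plain text, no password.
    benign = build_sample_archive("readme.txt", b"hello", encrypted=False)
    print(inspect_archive(benign))
```

In a download or mail gateway this check belongs before the "cannot scan, allow" decision that password-protected archives otherwise trigger; a RAR or 7z archive carries equivalent per-entry encryption flags and can be handled the same way with the corresponding parser.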

Source: ASEC.

Russian prosecutors initiated a rare criminal case against two executives of a local flight booking platform, Leonardo, after hackers breached the company's systems last year.

According to the investigation, the suspects, Leonardo vice presidents Igor Roitman and Alexander Kalchuk, failed to protect the personal data of airline passengers. The court has banned them from working at the company.

The leaked data included information such as the airline company's name, the passenger’s city of departure and arrival, passport and birth certificate details, last name, first name, and time of booking the ticket.

Later in the same month, Leonardo was hit with a distributed denial-of-service (DDoS) attack that affected the operations of several of its customers, including Russian air carriers Rossiya Airlines, Pobeda, and flagship airline Aeroflot. The attack caused departures at Moscow's Sheremetyevo International Airport to be delayed by up to an hour.

It is not clear if the attacks are related. The Ukrainian IT Army hacktivist group claimed responsibility for the DDoS attack.

Russian state officials told local media that the attacks on Leonardo were likely carried out by hackers linked to Ukraine. (Daryna Antoniuk / The Record)

Related: Kommersant

According to researchers at Colorado State University, new worker safety regulations meant to log how many hours truckers are on the road may have inadvertently exposed millions of US 18-wheelers to hackers who could take control of entire fleets of vehicles.

The researchers found security gaps in electronic logging devices, which record data required for inspections. The devices connect to the vehicle's control systems yet are not currently subject to any cybersecurity requirements. In one example, the paper shows how attackers can manipulate trucks wirelessly and force them to pull over.

The researchers located the gaps by reverse-engineering one of the devices that third-party vendors produce. They also found that adding new electronics to trucks that don't go through a typical manufacturer's design process can introduce new vulnerabilities.

More than 14 million medium- and heavy-duty trucks that form the core of the US shipping sector may have been exposed. The researchers worked with the vendors to patch the flaws. (Eric Galatas / Public News Service)

Vincent Strubel, the head of France’s cybersecurity agency, ANSSI, said that the Summer Olympics and tensions over the war in Ukraine will likely make Paris a tempting target for various hacking attempts, including from adversarial countries.

Strubel said the Olympics face threats from adversarial countries, criminals wielding ransomware, and Russian-aligned “hacktivists” who use their computer skills to further their political messages.

French officials, including Strubel, are in Washington this week for consultations with cybersecurity officials.

Strubel said the Paris opening ceremony could also be the target of a cyberattack by a state actor. He did not name a country, but French President Emmanuel Macron said he had “no doubt whatsoever” that Russia would try to target the Paris Olympics.

In addition to the possibility of state-sponsored or state-aligned hacking efforts, France is preparing for ransomware attacks against businesses and organizations.

“We expect cybercrime, organized crime,” Strubel said. “To people who want to make money, the Olympics might be like Black Friday every day for two weeks. The pressure to pay ransoms will increase for all entities who expect to do a lot of business during the Olympics.” (Julian E. Barnes / New York Times)

Google is launching its upgraded Find My Device network in the US and Canada, emphasizing security.

The network will soon be available to Android users worldwide. Find My Device’s crowdsourced network of over a billion Android devices can help users find misplaced devices and everyday items, much as Apple’s Find My network does for Apple hardware. The Find My Device network supports devices running Android 9 and later.

“Find My Device is secure by default and private by design,” Google’s VP of Engineering, Erik Kay, wrote in a blog post. “Multi-layered protections built into the Find My Device network help keep you safe and your personal information private, while keeping you in control of the devices connected to the Find My Device network. This includes end-to-end encryption of location data as well as aggregated device location reporting, a first-of-its-kind safety feature that provides additional protection against unwanted tracking back to a home or private location.” (Aisha Malik / TechCrunch)

StrikeReady, an early-stage Silicon Valley startup working on technology to modernize cybersecurity command centers, announced it had raised $12 million in a Series A venture funding round.

33N Ventures led the round with participation from Hitachi Ventures, Monta Vista Capital, and industry leaders Brian NeSmith, executive chairman and former CEO at Arctic Wolf, and Rod Beckstrom, former CEO of ICANN and Founding Director of the US National Cybersecurity Center (now CISA). (Security Week)

Related: Dark Reading

Best Thing of the Day: SSH Problems Are Not New

Web application developer Matt Palmer recounts his own brush with an “xz-stential”-type threat sixteen years ago when the Debian OpenSSL package was generating entirely predictable private keys, which was a big deal at the time.

Worst Thing of the Day: This Is Why We Need SBOMs

A shadowy supply chain for Elon Musk-owned Starlink hardware is delivering the white pizza-box-sized devices into the hands of some American adversaries and accused war criminals.

Closing Thought