Only the two councils are impacted still.

Eastleigh are using Azure App Service, which collapsed for them. Azure App Service doesn't have any native anti-DDoS feature.

Trafford Council are using an on-prem webserver, which couldn't cope with the load.

The problematic DDoS configs are attached; $_1 is a variable for random gibberish - they basically stuff the search feature.

Today #NoName are upset with 6 orgs in Ukraine, 3 financial services orgs in the UK, BAE and 2 UK councils.

NoName’s config is still targeting those UK councils. Makes a change from bus shed websites.

Handala claim to have released 10GB of customer data for AGAS.

It does appear AGAS has a security incident going on. AGAS declined to comment when asked.

Announcement is out.

If any of the targeted councils want a hand, give me a shout; I can give you the botnet config, which will give you an idea what to block (you’ll need a WAF first).
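As an added illustration of the pattern described in these posts (not the poster's code or botnet config; the search endpoint, parameter name and log lines are all constructed), a small access-log check that picks out sources repeatedly hitting a site's search page with random gibberish, the kind of traffic a WAF rule would then block:

```python
import math
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Hypothetical endpoint and parameter names; set them to the site's real search URL.
SEARCH_PATH = "/search"
QUERY_PARAM = "q"

# Common Log Format: ip ident user [time] "METHOD url PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')

def shannon_entropy(s: str) -> float:
    """Bits per character: random alphanumerics score high, real words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_like_gibberish(query: str, min_len: int = 8, min_entropy: float = 3.5) -> bool:
    """Random filler is long, has no spaces and uses its characters almost uniformly."""
    return len(query) >= min_len and " " not in query and shannon_entropy(query) >= min_entropy

def find_search_stuffing(log_lines, min_hits: int = 5) -> dict:
    """Return {ip: count} for sources that repeatedly hit the search page with gibberish."""
    hits = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line
        parts = urlsplit(m.group("url"))
        if parts.path != SEARCH_PATH:
            continue
        for value in parse_qs(parts.query).get(QUERY_PARAM, []):
            if looks_like_gibberish(value):
                hits[m.group("ip")] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}

# Constructed sample log using documentation IP ranges: 203.0.113.7 floods the search
# page with random strings, 203.0.113.9 sends only two, 198.51.100.2 is a real visitor.
def _clf(ip, sec, query):
    return f'{ip} - - [25/Oct/2024:10:00:{sec:02d} +0000] "GET /search?q={query} HTTP/1.1" 200 512'

SAMPLE_LOG = [_clf("203.0.113.7", i, q) for i, q in enumerate(
    ["aB3dE5fG7hJ9", "Qw8Er4Ty6Ui2", "zX1cV3bN5mK7", "pL0oK9iJ8uH7", "Gf2Ds4Aw6Qe8", "Mn5Bv3Cx1Zl9"])]
SAMPLE_LOG += [_clf("198.51.100.2", 7, "council+tax"), _clf("198.51.100.2", 8, "planning"),
               _clf("203.0.113.9", 9, "Rt7Yu5Io3Pa1"), _clf("203.0.113.9", 10, "Hj4Kl2Mn0Bv8")]
```

Run `find_search_stuffing(SAMPLE_LOG)` to get the offending sources; tune `min_hits` and the entropy threshold against a day of normal traffic before turning the output into a block rule.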

Normally they recycle the same old, already mitigated config for the UK - they finally made a new one today.

NoName are upset at UK gov today. Targets - they may have some success as most are new.


Handala claim to have hacked and wiped 74 servers at AGAS - https://www.agas.co.il - an Israeli MSP, MSSP and cloud reseller.

I’m not sure the size of the org stacks up with Handala’s claim. Also, 74 servers is not a lot.

I’ve reached out to AGAS to see if they want to comment.

Handala claim they are doing an “ultra big wipe”.

Handala have deleted their previous message and replaced it with this.

Obviously, Handala are awake.

Change Healthcare say their data breach, caused by their lack of MFA on Citrix Netscaler and AlphV ransomware group, impacted 100m Americans, making it the largest healthcare breach to date. https://www.reuters.com/technology/cybersecurity/hack-unitedhealths-tech-unit-impacted-100-mln-people-2024-10-24/

The CEO of UnitedHealth is due to give testimony in Washington on their Change Healthcare ransomware incident tomorrow, where he will say “Our company alone repels an attempted intrusion every 70 seconds – thwarting more than 450,000 intrusions per year”.

That sounds impressive, but if you own a Windows PC at home, you’re doing the same thing - it’s called the built-in firewall.

Not having MFA on Citrix Netscaler is also called negligence.

TechCrunch has really good coverage: https://techcrunch.com/2024/04/30/uhg-change-healthcare-ransomware-compromised-credentials-mfa/

Change Healthcare didn’t use MFA on Citrix Netscaler. It was a bog standard ransomware incident.

One learning for the industry btw - I saw loads of threat intel channels circulating incorrect info about the incident. That’s fine, but some (e.g. the health info sharing authorities) reshared this wrong info.

The CEO says entry to Change Healthcare was via an unspecified Citrix vulnerability. https://www.reuters.com/technology/cybersecurity/unitedhealth-hackers-took-advantage-citrix-vulnerabilty-break-ceo-says-2024-04-29/

This conflicts with a prior WSJ report saying lack of MFA. Although maybe lack of MFA on Netscaler was the vulnerability.

UnitedHealth says the Change Healthcare ransomware threat actor stole health data on a ‘substantial proportion of people in America’.

Change Healthcare deal with the healthcare information of around half of all Americans.

The Wall Street Journal has a leak from the Change Healthcare ransomware incident:

- Initial entry was via a remote access system without MFA
- Dwell time was 9 days
- They paid the ransom, then got held to ransom again and had data leaked anyway

https://www.wsj.com/articles/change-healthcare-hackers-broke-in-nine-days-before-ransomware-attack-7119fdc6

Ransomhub have dumped what they claim is some Change Healthcare sample data on their portal. Includes some patient data.

Ransomhub have provided Wired journalists with files from Change Healthcare - meaning they’re being held to ransom again. https://www.wired.com/story/change-healthcare-ransomhub-threat/

Ransomhub #ransomware group are claiming AlphV stole their money for Change Healthcare (this is believed to be true btw), and the operator has given them the data. So now they’re extorting Change Healthcare again.

Fortinet exploited zero-day: FG-IR-24-423 Missing authentication in fgfmsd
CVE-2024-47575 (9.8 critical, disclosed 23 October by Fortinet, noted earlier on 13 October by @GossiTheDog on Mastodon) Fortinet FortiManager Missing Authentication Vulnerability.

  • Reports have shown this vulnerability to be exploited in the wild.
  • The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials and configurations of the managed devices.

CISA added CVE-2024-47575 to the KEV Catalog about 3 hours afterward.

Just in case you didn't read closely, there are indicators of compromise (IoC) in the advisory. At least one of the IP addresses was reportedly used as a Cobalt Strike server 2 years ago.

cc: @cR0w @nopatience I require at least 25 favorites to unlock my next toot!

#fortinet #fortimanager #cve #zeroday #CVE_2024_47575 #vulnerability #eitw #activeexploitation #kev #cisakev #KnownExploitedVulnerabilitiesCatalog

I’ve seen another ransomware group exploiting Qlik Sense. Currently it is a very low number of attacks, so you might want to patch.

ArcticWolf are reporting "Qlik Sense Exploited in Cactus Ransomware Campaign" https://arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/

Thread time as there's some additional detail I want to add: 🧵

Lyca Mobile have paid a ransom using a third party.

Lyca Mobile’s announcement page for their ransomware data breach is back, HT @carlypage

They confirm data exfil including customer details, passport scans and card payment information.

I can't see the announcement on their actual website frontpage, I might be missing it though.

I think it's a wake up call for telcos.
https://www.lycamobile.co.uk/en/update