In a high-stakes clash within the crypto verse, Kraken, a leading U.S. cryptocurrency exchange, has accused blockchain security firm Certik of illicitly siphoning $3 million from its treasury and attempting extortion. The dispute shows the significant tensions between ethical hacking practices and corporate responses and underscores the complexities and challenges within the bug bounty ecosystem.

Accusations from Kraken

Nick Percoco, Kraken's chief security officer, took to social media platform X (formerly known as Twitter) to accuse an unnamed security research firm of misconduct. According to Percoco, the firm - later revealed to be Certik - breached Kraken’s bug bounty program rules. Instead of adhering to the established protocol of promptly returning extracted funds and fully disclosing bug transaction details, Certik allegedly withheld the $3 million and sought additional compensation, Percoco claimed. Percoco claimed that "the ‘security researcher’ disclosed this bug to two other individuals who they work with who fraudulently generated much larger sums. They ultimately withdrew nearly $3 million from their Kraken accounts. This was from Kraken’s treasuries, not other client assets." He said that after contacting the researchers, instead of returning the funds they "demanded a call with their business development team (i.e. their sales reps) and have not agreed to return any funds until we provide a speculated $ amount that this bug could have caused if they had not disclosed it. This is not white-hat hacking, it is extortion!" Percoco said that in the decade-long history of Kraken’s bug bounty program, the company had never encountered researchers who refused to follow the rules. The program stipulates that any funds extracted during bug identification must be immediately returned and accompanied by a proof of concept. The researchers are also expected to avoid excessive exploitation of identified bugs. The dispute escalated as Certik reportedly failed to return the funds and accused Kraken of being “unreasonable” and unprofessional. Percoco responded that such actions by security researchers revoke their “license to hack” and classify them as criminals.

“As a security researcher, your license to “hack” a company is enabled by following the simple rules of the bug bounty program you are participating in. Ignoring those rules and extorting the company revokes your “license to hack”. It makes you, and your company, criminals.”

Certik's Response to Kraken

Following Kraken’s public accusations, Certik disclosed its involvement and countered Kraken’s narrative by accusing the exchange of making unreasonable demands and threatening its employees. Certik claimed Kraken demanded the return of a “mismatched” amount of cryptocurrency within an unfeasible timeframe without providing necessary repayment addresses. The company provided an accounting of its test transactions to support its claims. Certik shared its intent to transfer the funds to an account accessible to Kraken despite the complications in the requested amount and lack of repayment addresses.

“Since Kraken has not provided repayment addresses and the requested amount was mismatched, we are transferring the funds based on our records to an account that Kraken will be able to access.” - CertiK

CertiK’s Take on Kraken’s Defense Systems

Certik defended its actions and instead highlighted the inadequacy of Kraken’s defense systems. The firm pointed out that the continuous large withdrawals from different testing accounts, which were part of their testing process, should have been detected by Kraken’s security measures. Certik questioned why Kraken’s purportedly robust defense systems failed to identify such significant anomalies. “According to our testing result: The Kraken exchange failed all these tests, indicating that Kraken’s defense in-depth-system is compromised on multiple fronts. Millions of dollars can be deposited to ANY Kraken account. A huge amount of fabricated crypto (worth more than 1M+ USD) can be withdrawn from the account and converted into valid cryptos. Worse yet, no alerts were triggered during the multi-day testing period. Kraken only responded and locked the test accounts days after we officially reported the incident.” - CertiK The blockchain security firm said the fact behind their white hat operation is that “millions dollars of crypto were minted out of air, and no real Kraken user’s assets were directly involved” in these research activities. The firm also said that the dispute with the cryptocurrency exchange is actually shifting focus away from a more severe security issue at Kraken. “For several days, with many fabricated tokens generated and withdrawn to valid cryptos, no risk control or prevention mechanisms were triggered until reported by CertiK,” it said. “The real question should be why Kraken’s in-depth defense system failed to detect so many test transactions.” Regarding the money siphoned, Certik said, “Continuous large withdrawals from different testing accounts was a part of our testing.” With an aim of transparency, the security firm disclosed details of all testing deposit transactions and the timeline of how the bug bounty saga played out on X. [caption id="attachment_78192" align="aligncenter" width="698"] Timeline of the Kraken vs CertiK zero-day and bug bounty dispute (Source: CertiK on platform X)[/caption]

Disclosure of Product Flaws Treads a Fine Line

The news of the escalated dispute comes on the heels of another incident where a white hat hacker - after following bug bounty ethics - was threatened by the legal team of the company to “cease and desist.” Andrew Lemon, an offensive security expert, responsibly reported a critical vulnerability to an unnamed company that manufactured and sold a traffic control system. The vulnerability allowed a remote unauthenticated attacker to bypass security and gain full control of a traffic controller, giving them the ability to changing stoplights and modify traffic flow, Lemon explained in a LinkedIn post. But to Lemon’s surprise, instead of acknowledging and addressing the bug with the engineering team, its legal team threatened to sue him under the Computer Fraud and Abuse Act. “I Received a letter from a company's legal team instead of engineering after responsibly disclosing a critical vulnerability in a traffic control system I purchased from eBay,” he said. “The company's response? In order for them to acknowledge the vulnerability, hardware must be purchased directly from them or tested with explicit authorization from one of their customers, they threatened prosecution under the Computer Fraud and Abuse Act, and labeled disclosure as irresponsible, potentially causing more harm.” Security Engineer Jake Brodsky responded saying, “Legally they're not wrong for writing such a letter or even bringing a court case against the researcher. However, ethically, because it pits professional organizations against each other for no good reason, it is problematic.” Disclosure of product flaws treads a very fine line. On the one hand, nobody likes the publicity that follows. On the other hand, if nobody says anything, the only way we can improve is in the aftermath of an investigation where fortunes are lost and people get hurt.

Implications for the Bug Bounty Ecosystem

The Kraken-Certik dispute and the one highlighted by Andrew Lemon raises critical questions about the operational dynamics and ethical boundaries within bug bounty programs. These programs are designed to incentivize security researchers to identify and report vulnerabilities, offering financial rewards for their efforts. However, these cases reveal potential pitfalls when communication and mutual understanding between parties break down. The ethical framework of bug bounty programs relies on clear rules and mutual trust. Researchers must adhere to the program’s guidelines, including the immediate return of any extracted funds and full disclosure of their findings. On the other hand, companies must provide clear instructions and maintain professional interactions with researchers. There is a need for well-defined protocols and communication channels between companies and researchers. Ensuring transparency and clarity in expectations can prevent misunderstandings and conflicts, fostering a more cooperative environment for cybersecurity improvements.

Experts slammed the latest European Union proposals for chat control to prevent child sexual abuse, calling the proposals a front for mass surveillance that will undermine encryption standards. Meredith Whittaker, president of the Signal foundation that operates the end-to-end encrypted (E2EE) messaging application, criticized the latest European Union proposals for chat control to prevent child sexual abuse, calling it “an old wine repackaged in new bottle.” “For decades, experts have been clear: there is no way to both preserve the integrity of end-to-end encryption and expose encrypted contents to surveillance. But proposals to do just this emerge repeatedly,” Whittaker said.

“Either end-to-end encryption protects everyone, and enshrines security and privacy, or it’s broken for everyone.” – Meredith Whittaker

The Chat Control Proposal

Her statement comes in response to the European Council’s proposal for chat control, which lays down rules to monitor E2EE under the veil of preventing and combating child sexual abuse. “While end-to-end encryption is a necessary means of protecting fundamental rights and the digital security of governments, industry and society, the European Union needs to ensure the effective prevention of and fight against serious crime such as child sexual abuse,” the proposal says. “It is crucial that services employing end-to-end encryption do not inadvertently become secure zones where child sexual abuse material can be shared or disseminated. Therefore, child sexual abuse material should remain detectable in all interpersonal communications services through the application of vetted technologies.” The proposal suggests that chat control could work in way that when any visual content is uploaded, the users be required to give explicit consent for a detection mechanism to be applied to that particular service. “Users not giving their consent should still be able to use that part of the service that does not involve the sending of visual content and URLs,” it said. “This ensures that the detection mechanism can access the data in its unencrypted form for effective analysis and action, without compromising the protection provided by end-to-end encryption once the data is transmitted.”

What Experts Say

However, Whittaker said that what the EU is proposing isn't possible without fundamentally undermining encryption and creating “a dangerous vulnerability in core infrastructure” that can have global implications beyond Europe. She called the proposal a “rhetorical game” of some European countries that have come up with the same idea under a new banner. Whittaker was referring to previous proposals under the name of “client-side scanning,” which is now being called “upload moderation.”

“Some are claiming that ‘upload moderation’ does not undermine encryption because it happens before your message or video is encrypted. This is untrue. We can call it a backdoor, a front door, or “upload moderation.” But whatever we call it, each one of these approaches creates a vulnerability that can be exploited by hackers and hostile nation states, removing the protection of unbreakable math and putting in its place a high-value vulnerability."

Whittaker reiterated that mandating mass scanning of private communications fundamentally undermines encryption, “Full stop.”

Chaos Computer Club, German MP Also Opposed

The Chaos Computer Club (CCC) and Patrick Dreyer, Member of European Parliament for the German and the European Pirate Party, argued along similar lines. The proposal stipulates that users must actively agree to chat control, but the refusal to do so comes with a punishment: Those who do not agree are no longer allowed to send any pictures or videos at all, a severe restriction of the service. “There can be no talk of voluntary participation here,” commented Linus Neumann, spokesman for the Chaos Computer Club. [caption id="attachment_77633" align="aligncenter" width="1024"] Source: Patrick Dreyer[/caption] Dreyer urged Europeans to take immediate action against the Chat Control proposal and said the EU countries pushing the proposal are exploiting the short period after the European Elections during which there is less public attention and the new European Parliament is not yet formed. “If Chat Control is endorsed by Council now, experience shows there is a great risk it will be adopted at the end of the political process,” he said. Dreyer said the silver lining in the current situation is the fact that many EU governments have not yet decided whether to go along with this final Belgian push for Chat Control mass surveillance. The countries still considering the proposal are Italy, Finland, Czech Republic, Sweden, Slovenia, Estonia, Greece and Portugal. Only Germany, Luxembourg, the Netherlands, Austria and Poland are relatively clear that they will not support the proposal, but this is not sufficient for a “blocking minority,” Dreyer said. The proposal for chat control searches of private communications could be greenlighted by EU governments as early as Wednesday, June 19. Dreyer urged Europeans to press their governments to vote against this. “Demand a firm ‘No.’ Time is pressing. This may be our last chance to stop Chat Control!” Dreyer said.

In the aftermath of the Synnovis ransomware attack that struck last week, London hospitals continue to struggle to deliver patient care at an optimal level. The attack on the pathology services provider has brought down the daily blood sampling count in major London hospitals from 10,000 to merely 400 per day, according to Synnovis.

“Urgent requests are severely restricted at around 400 a day. Historically primary care and community services have generated around 10,000 samples a day for testing, which gives you an idea of the scale of the impact.” - Synnovis

Services including blood transfusions reportedly remain severely disrupted at Guy's and St Thomas' Hospital and King's College Hospital. Both hospitals are experiencing disruption of pathology services, particularly blood tests.

Blood Testing Severely Impacted After Synnovis Ransomware Attack

The biggest challenge that Synnovis is currently facing is that all its automated end-to-end laboratory processes are offline since all IT systems have been locked down in response to the ransomware attack. “This means we are having to log all samples manually when they arrive, select each test manually on analyzers and, once tests have been processed, type in each result on the laboratory’s computer system (the Laboratory Information Management System - LIMS),” Synnovis said. And this is not the end of it. Synnovis then must manually deliver these results to the Trust’s IT system so that the results can be further electronically submitted back to the requester. But since the Synnovis’ LIMS is presently disconnected from the Trusts’ IT systems, “this extensive manual activity takes so much time that it severely limits the number of pathology tests we can process at the moment,” Synnovis explained. The pathology service provider normally processes around 10,000 primary care blood samples a day, but at the moment is managing only up to 400 from across all six boroughs. “Despite the measures we know colleagues are taking to prioritize the most urgent samples, we are receiving many more than we can process and we have an increasing backlog,” Synnovis said. The lab services provider last week was able to process around 3,000 Full Blood Count samples but could not export results due to the lack of IT connectivity. “Of those tests processed, we have phoned through all results that sit outside of critical limits, however, we have been unable to return any results electronically and are unlikely to be able to do so,” Synnovis said. The impact of the Synnovis ransomware attack is also felt on NHS Blood and Transplant (NHSBT), as it appealed to the public earlier this week to urgently donate O blood-type (+ve and -ve) across England. The attack caused significant disruption on the hospitals’ ability to match patients’ blood types, leading to an increased demand for O-positive and O-negative blood donations that are medically considered safe for all patients.

Will Process only 'Clinically Critical' Blood Samples

To manage the inadequacy of the services, the service provider is momentarily only accepting blood samples that the requesting clinician considers to be “clinically critical.” Clinicians need to consider a test as “critical” only if a test result is needed within 24 hours to determine a patient’s urgent treatment or care plan. “As experts, your clinical view of what is considered ‘critical’ will be accepted by the laboratory, but we urge you to apply this definition carefully, given the severe capacity limitations we are facing,” Synnovis recommended. [caption id="attachment_77097" align="aligncenter" width="1024"] Source: Synnovis[/caption] The pathology service provider is also working with NHS Trust to install laptops at the hub laboratory, which will give them access to the Trust IT systems to return test results electronically.

Caregivers Working Overtime

Doctors and caregivers at Guy's and St Thomas' Hospital and King's College Hospital have been putting in extra hours since the Synnovis ransomware attack disrupted services last week. But this is not enough, as KCH has already cancelled some of its operations and is working only at about 70% capacity. Three of its 17 operating theatres remain shut, BBC reported.

The United Kingdom and Canada privacy watchdogs announced a joint investigation this week to determine the security lapses in the genetic testing company 23andMe’s October data breach, which leaked ancestry data of 6.9 million individuals worldwide. The UK Information Commissioner John Edwards and Privacy Commissioner of Canada Philippe Dufresne will lead the investigation, pooling the resources and expertise of their respective offices.

Focus of 23andMe Data Breach Investigation

The joint investigation will examine three key aspects:

• Scope of Information Exposed: The breadth of data affected by the breach and the potential harm to individuals arising from it.
• Security Measures: Evaluate whether 23andMe had adequate safeguards to protect the sensitive information under its control.
• Breach Notification: Review whether the company provided timely and adequate notification to the regulators and affected individuals, as mandated by Canadian (PIPEDA) and UK (GDPR) data protection laws.

Edwards said the investigation was needed to garner the trust of people in organizations that handle sensitive personal data. He stated:

“People need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place. This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”

Dufresne on the other hand stated the risks associated with genetic information in the wrong hands. He said:

“In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination. Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”

The data protection and privacy laws in the UK and Canada allow such joint investigations on matters that impact both jurisdictions. Each regulator will assess compliance with the relevant laws they oversee. Neither of the privacy commissioner offices however provided further details on how they would charge or penalize 23andMe, if found in violation of GDPR or PIPEDA. “No further comment will be made while the investigation is ongoing,” the UK ICO said. 23andMe acknowledges the joint investigation announced by the Privacy Commissioner of Canada and the UK Information Commissioner today.

“We intend to cooperate with these regulators’ reasonable requests relating to the credential stuffing attack discovered in October 2023,” a 23andMe spokesperson told The Cyber Express.

Genetic Testing Company 23andMe Data Breach Timeline

23andMe first disclosed details of the October data breach in an 8-K filing with the U.S. Securities and Exchange Commission. The genetic testing company said attackers scraped profiles of 23andMe users who opted in to using the company’s DNA Relatives feature. This profiling feature connects users with genetic distant relatives - or other 23andMe users who share their bits of DNA. The attackers used credential stuffing attacks that affected 0.1% of user accounts, the company told SEC. Using these accounts as a launchpad, hackers were able to access “a significant number of files containing profile information about other users' ancestry.” Threat actors claimed on underground forums that they were able to siphon “20 million pieces of code” from 23andMe. The claimed data set included information DNA ancestry backgrounds belonging to more than 1.3 million Ashkenazi Jewish and Chinese users. By the end of October, another threat actor claimed compromise of 4 million genetic profiles, which the company also investigated. The genetic testing company 23andMe said it notified the affected 6.9 million users - 5.5 million DNA Relatives profiles and 1.4 million Family Tree profile – in December. The company told federal regulators that the data breach incident was set to incur between $1 million and $2 million in one-time expenses. The company faces at least 30 class action lawsuits in U.S.state and federal jurisdictions as well as in Canada. 23andMe blamed the customers’ poor security hygiene for the breach and has since made two-step verification a prerequisite for account logon. It also mandated customers to reset their passwords. *Update 1 (June 12 – 12:00 AM EST): Added response from the 23andMe spokesperson.

Switzerland has seen a notable increase in cyberattacks and disinformation campaigns as it prepares to host a crucial summit aimed at creating a pathway for peace in Ukraine. On Monday, the government reported these developments in a press conference, highlighting the challenges of convening a high-stakes international dialogue amidst rising digital threats. The summit, Summit on Peace in Ukraine is scheduled at a resort near Lucerne from June 15-16, and will gather representatives from 90 states and organizations. About half of the participants come from South America, Asia, Africa, and the Middle East. Notably, absent from the attendee list is Russia which was not invited due to its lack of interest in participating. However, the Swiss government emphasized that the summit’s goal is to "jointly define a roadmap" to eventually include both Russia and Ukraine in a future peace process. Swiss President Viola Amherd addressed the media, acknowledging the uptick in cyberattacks and disinformation efforts leading up to the event. These cyberattacks have targeted various facets of the summit, including personal attacks on President Amherd herself, particularly in Russian media outlets publicized within Switzerland. "We haven't summoned the ambassador," Amherd stated in response to these attacks. "That's how I wanted it because the disinformation campaign is so extreme that one can see that little of it reflects reality."

Switzerland Disruption Efforts and Cybersecurity

Foreign Minister Ignazio Cassis also spoke at the press conference, noting a clear "interest" in disrupting the talks. However, he refrained from directly accusing any particular entity, including Russia, when questioned about the source of the cyberattacks. This restraint highlights the delicate diplomatic balancing act Switzerland is attempting as host. Switzerland agreed to host the summit at the behest of Ukrainian President Volodymyr Zelenskyy and has been actively seeking support from countries with more neutral or favorable relations with Moscow compared to leading Western powers. This strategic outreach aims to broaden the coalition backing the peace efforts and mitigate the polarized dynamics that have characterized the conflict thus far.

Agenda and Key Issues

The summit will address several critical areas of international concern, including nuclear and food security, freedom of navigation, and humanitarian issues such as prisoner of war exchanges. These topics are integral to the broader context of the Ukraine conflict and resonate with the international community's strategic and humanitarian interests. Turkey and India are confirmed participants, though their representation level remains unspecified. There is still uncertainty regarding the participation of Brazil and South Africa. Switzerland noted that roughly half of the participating countries would be represented by heads of state or government, highlighting the summit's high profile and potential impact. The summit aims to conclude with a final declaration, which ideally would receive unanimous backing. This declaration is expected to outline the next steps in the peace process. When asked about potential successors to Switzerland in leading the next phase, Foreign Minister Cassis indicated ongoing efforts to engage regions beyond the Western sphere, particularly the Global South and Arabian countries. Such inclusion could foster a more comprehensive and globally supported peace initiative.

To Wrap Up

The summit represents a significant diplomatic effort to address the Ukraine conflict. However, the surge in cyberattacks on Switzerland and disinformation campaigns, highlights the complexities of such high-stakes international dialogue. In March 2024, Switzerland’s district court in the German-speaking district of March, home to around 45,000 residents, fell victim to a cyberattack. While details are scarce, the court’s website suggests it could potentially be a ransomware attack. As Switzerland navigates these challenges, the outcomes of this summit could set important precedents for future peace efforts and international cooperation.

The U.S. Attorney today announced charges against three UK nationals for their involvement in the “Evolved Apes” NFT fraud scheme. The United States Attorney for the Southern District of New York Damian Williams and James Smith, the Assistant Director of the New York Field Office of the FBI, announced the unsealing of an indictment charging three UK nationals: Mohamed-Amin Atcha, Mohamed Rilazh Waleedh, and Daood Hassan, with conspiracy to commit wire fraud and money laundering.

“Evolved Apes” Rug Pull Scam

The charges are in connection to their scheme of defrauding victims through the sale of non-fungible tokens (NFTs) from the “Evolved Apes” collection. According to the indictment, Atcha, Waleedh, and Hassan orchestrated a “rug pull” scam in the fall of 2021. In crypto vocabulary a rug pull is a type of exit scam in which developers first raise money from investors through the sale of tokens or NFTs and then abruptly shut down the project vanishing away with the raised funds. Evolved Apes was a collection of 10,000 unique NFTs. They advertised the NFT project in a way where the funds raised would be used to develop a related video game that would in turn increase the NFTs' value. The promised video game never materialized as the anonymous developer "Evil Ape" vanished a week after its launch, siphoning 798 ether [approximately $3 million at today's market price and $2.7 million at the time] from the project's funds. The trio then laundered the misappropriated funds through multiple cryptocurrency transactions to their personal accounts, the indictment said.

“As alleged, the defendants ran a scam to drive up the price of digital artwork through false promises about developing a video game. They allegedly took investor funds, never developed the game, and pocketed the proceeds. Digital art may be new, but old rules still apply: making false promises for money is illegal.” - Williams

Williams said thousands of people were tricked into believing in their false promises and thus bought these NFTs. But "NFT fraud is no game, and those responsible will be held accountable,” he stated. FBI Assistant Director James Smith called out the trio for "ghosting customers" and perpetrating the NFT scam "out of a selfish desire for a quick profit.”

"[This] not only reflects poor business integrity, it also violates the implicit trust buyers place in sellers when purchasing a product, no matter if that product is in a store or stored on a blockchain." - Smith

Atcha, Waleedh, and Hassan, all aged 23, are charged conspiracy to commit wire fraud and money laundering, both of which carries a maximum sentence of 20 years in prison. The actual sentences will be determined by a judge based on the U.S. Sentencing Guidelines and other statutory factors.

Rug Pulls and their Murky History

Rug pulls and cryptocurrency scams have reportedly cost people $27 billion till date. Total number of such incidents stands at 861 with the largest rug pull so far being that of OneCoin which was costed $4 billion in stolen funds. OneCoin, at its peak, was thought to have more than 3 million active members from across the globe. To date it is believed to be the most “successful” crypto scam as search continues for its perpetrator the “Cryptoqueen” Ruja Ignatova. She was added to the FBI’s ‘Ten Most Wanted Fugitive List’ in July 2022 - where she remains today.

The Missing Cryptoqueen was reported dead in unconfirmed reports but an investigation from the BBC team, whose results were published last week, said the investigating team received details on Ignatova’s various sightings and whereabout tip-offs even after her alleged murder took place. She allegedly has links with the Bulgarian underworld, whom she also entrusts with keeping her physically safe.

Ukrainian cyber defenders uncovered the resurgence of Vermin hackers after a two-year hiatus. The hacker group is targeting the country’s defense forces with spear-phishing emails that infect their systems with SPECTR malware, which acts as a remote access trojan (RAT). The Computer Emergency Response Team of Ukraine (CERT-UA) in collaboration with the Cybersecurity Center of the Armed Forces of Ukraine detected and investigated a spear-phishing campaign targeting the Ukrainian Defense Forces. The campaign was orchestrated by the Vermin hacker group, which CERT-UA tracks as UAC-0020. This cyber campaign, marking the return of the Vermin group after a prolonged absence, has been named “SickSync” for easier identification and reference. Ukraine attributes the Vermin hackers to the law enforcement agencies in the occupied Luhansk region. CERT-UA has earlier claimed that the server equipment of the Vermin group has been hosted at the technical site of a Luhansk cloud hosting provider vServerCo (AS58271) for many years. Palo Alto’s Unit 42 had tracked a similar campaign of the Vermin hackers in 2018 targeting Ukrainians with phishing lures related to the Ukrainian Ministry of Defense.

Vermin Hackers’ Latest Campaign Details

The latest attack that involves the use of SPECTR malware marks Vermin's first significant activity since March 2022. SPECTR, a malware known since at least 2018, was used extensively in the current campaign aimed at the Ukrainian defense forces. The attackers leveraged the legitimate Syncthing software’s synchronization functionality to download stolen documents, files, passwords and other sensitive information from compromised computers. Syncthing supports peer-to-peer connections, meaning it can sync files between devices on a local network or between remote devices over the Internet. It is a free and open-source synchronization application that supports Windows, macOS, Linux, Android, Solaris, Darwin and BSD operating systems. The Vermin hackers exploited this legitimate software for data exfiltration, the CERT-UA said. Ukrainian cyber defenders last month reported that Russian hackers were employing a similar tactic of using legitimate remote monitoring software to spy on Ukraine and and its allies.

Vermin Attack Vectors

The attack was initiated via a spear-phishing email containing a password-protected archive file named “turrel.fop.vovchok.rar.” This archive contained a RarSFX archive “turrel.fop.ovchok.sfx.rar.scr” with the following contents:

• pdf: a decoy file.
• exe: an EXE installer created using InnoSetup (a free installer for Windows programs), containing both legitimate Syncthing components and SPECTR malware files. The “sync.exe” file was modified to change directory names, scheduled tasks, and disable user notifications, embedding the SPECTR malware within the SyncThing environment.
• bat: a BAT file for initial execution.

RarSFX is a temporary installation files folder created by Bitdefender. It is used as Self Extracting Archives unpack site.

SPECTR Malware Components

SPECTR malware is loaded with the capabilities of a RAT and consists of the following modules:

1. SpecMon: Calls “PluginLoader.dll” to execute DLL files containing the "IPlugin" class.
2. Screengrabber: Takes screenshots every 10 seconds if certain program windows are detected (e.g., Word, Excel, Signal, WhatsApp).
3. FileGrabber: Uses “robocopy.exe” to copy files with specific extensions (e.g., .pdf, .docx, .jpg) from user directories to %APPDATA%\sync\Slave_Sync\.
4. Usb: Copies files from USB media with certain extensions using “robocopy.exe.”
5. Social: Steals authentication data from messengers like Telegram, Signal, and Skype.
6. Browsers: Steals browser data including authentication and session data from Firefox, Edge, Chrome and other Chromium-based browsers.

All this stolen information is stored in “%APPDATA%\sync\Slave_Sync\” location and transferred to the attacker’s computer using Syncthing's synchronization functionality. [caption id="attachment_75531" align="alignnone" width="1024"] Example of an email and the contents of a malicious installer of Vermin hackers (Source: CERT-UA)[/caption]

Network IoCs and Preventive Measures

To identify potential misuse of Syncthing, the CERT-UA recommended monitoring interactions with the Syncthing infrastructure, specifically “*.syncthing.net” domains. Users are also requested to implement the following preventive measures for enhanced protection against Vermin hackers: Email Security: Implement robust email filtering and phishing protection to prevent malicious attachments from reaching end users. Endpoint Protection: Utilize advanced endpoint detection and response (EDR) solutions to detect and block malware execution. Network Monitoring: Monitor network traffic for unusual peer-to-peer connections, particularly involving Syncthing infrastructure. User Awareness: Conduct regular cybersecurity training for employees to recognize and report phishing attempts.

Senator Ron Wyden (D-Ore.) is pressing the U.S. government to accelerate cybersecurity enhancements within the healthcare sector following the devastating Change Healthcare ransomware attack that exposed the protected health information of nearly a third of Americans. In a letter to Xavier Becerra, secretary of the U.S. Department of Health and Human Services, Wyden urged HHS to implement immediate, enforceable steps to improve “lax cybersecurity practices” of large healthcare organizations.

“It is clear that HHS’ current approach to healthcare cybersecurity — self-regulation and voluntary best practices — is woefully inadequate and has left the health care system vulnerable to criminals and foreign government hackers.” - Wyden.

He stated that the sub-par cybersecurity standards have allowed hackers to steal patient information and disrupt healthcare services, which has caused “actual harm to patient health.”

MFA Could Have Stopped Change Healthcare Attack

The call from Wyden comes on the back of the ransomware attack on Change Healthcare — a subsidiary of UnitedHealth Group — which, according to its Chief Executive Officer Andrew Witty, could have been prevented with the basic cybersecurity measure of Multi-Factor Authentication (MFA). The lack of MFA on a Citrix remote access portal account that Change Healthcare used proved to be a key vulnerability that allowed attackers to gain initial access using compromised credentials, Witty told the Senate Committee on Finance in a May 1 hearing.

“HHS’ failure to regulate the cybersecurity practices of major health care providers like UHG resulted in what the American Hospital Association has described as the worst cyberattack against the healthcare sector in U.S. history.” - Wyden

The use of MFA is a fundamental cybersecurity practice that HHS should mandate for all healthcare organizations, Wyden argued. He called for the implementation of broader minimum and mandatory technical cybersecurity standards, particularly for critical infrastructure entities that are designated as "systemically important entities" (SIE) by the U.S. Cybersecurity and Infrastructure Security Agency. “These technical standards should address how organizations protect electronic information and ensure the healthcare system’s resiliency by maintaining critical functions, including access to medical records and the provision of medical care,” Wyden noted. He suggested that HHS enforce these standards by requiring Medicare program participants to comply.

Wyden’s Proposed Cybersecurity Measures for HHS

Wyden said HHS should mandate a range of cybersecurity measures as a result of the attack. “HHS must follow the lead of other federal regulators in mandating cybersecurity best practices necessary to protect the healthcare sector from further, devastating, easily-preventable cyberattacks,” Wyden argued. The Democratic senator proposed several measures to enhance cybersecurity in the healthcare sector, including:

• Mandatory Minimum Standards: Establish mandatory cybersecurity standards, including MFA, for critical healthcare infrastructure.
• Rapid Recovery Capabilities: Ensure that organizations can rebuild their IT infrastructure within 48 to 72 hours following an attack.
• Regular Audits: Conduct regular audits of healthcare organizations to assess and improve their cybersecurity practices.
• Technical Assistance: Provide technical security support to healthcare providers.

Wyden criticized HHS for its current insufficient regulatory oversight, which he believes contributes to the ongoing cyberattacks harming patients and national security. “The current epidemic of successful cyberattacks against the health care sector is a direct result of HHS’s failure to appropriately regulate and oversee this industry, harming patients, providers, and our national security,” Wyden said. He urged HHS to use all of its authorities to protect U.S. healthcare providers and patients from mounting cybersecurity risks.

The State of Ransomware in Healthcare

The healthcare sector was the most common ransomware target among all critical infrastructure sectors, according to FBI’s Internet Crime Report 2023. The number of attacks and individuals impacted have grown exponentially over the last three years. [caption id="attachment_75474" align="aligncenter" width="1024"] Ransomware attacks on healthcare in last three years. (Source: Emsisoft)[/caption]

“In 2023, 46 hospital systems with a total of 141 hospitals were impacted by ransomware, and at least 32 of the 46 had information, including protected health information, stolen.” - Emsisoft

A study from McGlave, Neprash, and Nikpay from the University of Minnesota School of Public Health found that in a five-year period starting in 2016, ransomware attacks likely killed between 42 and 67 Medicare patients. Their study further observed a decrease in hospital volume and services by 17-25% during the week following a ransomware attack that not only hit revenue but also increased in-hospital mortality among patients who were already admitted at the time of attack.

HHS Cybersecurity Response

HHS announced in December plans to update its cybersecurity regulations for the healthcare sector for the first time in 21 years. These updates would include voluntary cybersecurity performance goals and efforts to improve accountability and coordination. The Healthcare and Public Health Sector Coordinating Council also unveiled a five-year Health Industry Cybersecurity Strategic Plan in April, which recommends 10 cybersecurity goals to be implemented by 2029. Wyden acknowledged and credited the latest reform initiatives from HHS and the HSCC, but remains concerned about the lengthy implementation timeline, which he said requires urgency when it comes to the healthcare sector. The latest letter follows Wyden’s request last week to the SEC and FTC to investigate for any negligence in cybersecurity practices of UnitedHealth Group. HHS is currently investigating the potential UHG breach that resulted in the exposure of protected health information of hundreds of thousands of Americans.

The Australian privacy watchdog on Wednesday filed a lawsuit against Medibank, the country's largest private health insurer, for failing to protect its 9.7 million customers' personal information in a 2022 data breach incident.

The Australian Information Commissioner said in a civil penalty proceedings filed in the Federal Court that Medibank "seriously interfered" with the privacy of Australians by failing to take reasonable steps to protect their data from misuse and unauthorized access. These issues are allegedly in breach of the country's Privacy Act 1988, according to the OAIC.