Commit 11_14_2023: Different TTPs for different times

Dev Leigh / Unsplash

Welcome to Commit 11_14_2023! README senior editor Nathaniel Mott here with some of the leading security news of the week so far.

Reuters: The FBI has identified Scattered Spider members… but not arrested them

The FBI has identified “at least a dozen members tied to the hacking group responsible for the devastating September break-ins at casino operators MGM Resorts International and Caesars Entertainment,” according to Reuters, yet the law enforcement agency has reportedly decided not to make a single arrest even though at least some of the ne’er-do-wells are operating from inside the U.S.

The agency’s hesitation could be attributed to a number of factors, including affected companies’ unwillingness to share information with law enforcement, according to the report. But the group is said to have been linked to attacks on “roughly 230 organizations” since the beginning of 2022—at what point will enough of those orgs be willing to cooperate with the FBI so it can make a case against these hackers?

The Record: Feds warn that Royal might rebrand as ‘BlackSuit’

The U.S. Cybersecurity and Infrastructure Security Agency and the FBI have said the Royal ransomware gang might be rebranding as BlackSuit. The Record noted that others have reported on the group’s plans to forge a new identity “following increased law enforcement scrutiny following its high-profile attack on the city of Dallas in May,” and the federal agencies’ guidance suggests that has been all but confirmed.

I always think it’s interesting when cybercriminals decide to adopt new monikers because it’s a reminder that, just like any other business, their reputation is important. (Not to mention the fact that making ransom payments to groups that have been sanctioned by the U.S. could create more problems than it solves.) I am kind of surprised that “BlackSuit” is the best the group could come up with, but that’s just a nitpick.

Proofpoint: TA402 mixes things up

Proofpoint today reported that TA402, “a Middle Eastern advanced persistent threat (APT) group that historically has operated in the interests of the Palestinian Territories and overlaps with public reporting on Molerats, Gaza Cybergang, Frankenstein, and WIRTE,” is “using a labyrinthine infection chain to target Middle Eastern governments with a new initial access downloader Proofpoint has dubbed IronWind.”

The company also noted in the report that TA402’s activity doesn’t seem to have changed since the start of the Israel-Hamas war, though it said “it remains possible that this threat actor will redirect its resources as events continue to unfold.” The rest of the report offers a breakdown of TA402’s modified infection chains as well as information about the IronWind downloader they deliver.

WSJ: New York wants hospitals to take cyber seriously

The Wall Street Journal reported yesterday that New York has drafted new rules that “will require general hospitals to develop and test incident response plans, assess their cybersecurity risks and install security technologies such as multifactor authentication” in addition to developing “secure software design practices for in-house applications, and processes for testing the security of software from vendors.”

Now, as someone who’s needed to visit multiple hospitals throughout upstate New York over the years, I should note that I would directly benefit from these regulations. That said, I think it’s past time for healthcare organizations in any state to finally be forced to take cybersecurity more seriously. We trust these groups with our most personal information—of course they should be required to secure it.