Change Healthcare ransomware hackers already received a $22 million payment. Now a second group is demanding money, and it has sent WIRED samples of what they claim is the company's stolen data.

For months, Change Healthcare has faced an immensely messy ransomware debacle that has left hundreds of pharmacies and medical practices across the United States unable to process claims. Now, thanks to an apparent dispute within the ransomware criminal ecosystem, it may have just become far messier still.

In March, the ransomware group AlphV, which had claimed credit for encrypting Change Healthcare’s network and threatened to leak reams of the company’s sensitive health care data, received a $22 million payment—evidence, publicly captured on Bitcoin’s blockchain, that Change Healthcare had very likely caved to its tormentors’ ransom demand, though the company has yet to confirm that it paid. But in a new definition of a worst-case ransomware, a _different_ ransomware group claims to be holding Change Healthcare’s stolen data and is demanding a payment of their own.

Since Monday, RansomHub, a relatively new ransomware group, has posted to its dark-web site that it has 4 terabytes of Change Healthcare’s stolen data, which it threatened to sell to the “highest bidder” if Change Healthcare didn’t pay an unspecified ransom. RansomHub tells WIRED it is not affiliated with AlphV and “can’t say” how much it’s demanding as a ransom payment.

RansomHub initially declined to publish or provide WIRED any sample data from that stolen trove to prove its claim. But on Friday, a representative for the group sent WIRED several screenshots of what appeared to be patient records and a data-sharing contract for United Healthcare, which owns Change Healthcare, and Emdeon, which acquired Change Healthcare in 2014 and later took its name.

While WIRED could not fully confirm RansomHub’s claims, the samples suggest that this second extortion attempt against Change Healthcare may be more than an empty threat. “For anyone doubting that we have the data, and to anyone speculating the criticality and the sensitivity of the data, the images should be enough to show the magnitude and importance of the situation and clear the unrealistic and childish theories,” the RansomHub contact tells WIRED in an email.

Change Healthcare didn’t immediately respond to WIRED’s request for comment on RansomHub’s extortion demand.

Brett Callow, a ransomware analyst with security firm Emsisoft, says he believes AlphV did not originally publish any data from the incident, and the origin of RansomHub’s data is unclear. “I obviously don't know whether the data is real—it could have been pulled from elsewhere—but nor do I see anything that indicates it may not be authentic,” he says of the data shared by RansomHub.

Jon DiMaggio, chief security strategist at threat intelligence firm Analyst1, says he believes RansomHub is “telling the truth and does have Change HealthCare’s data,” after reviewing the information sent to WIRED. While RansomHub is a new ransomware threat actor, DiMaggio says, they are quickly “gaining momentum.”

If RansomHub’s claims are real, it will mean that Change Healthcare’s already catastrophic ransomware ordeal has become a kind of cautionary tale about the dangers of trusting ransomware groups to follow through on their promises, even after a ransom is paid. In March, someone who goes by the name “notchy” posted to a Russian cybercriminal forum that AlphV had pocketed that $22 million payment and disappeared without sharing a commission with the “affiliate” hackers who typically partner with ransomware groups and often penetrate victims’ networks on their behalf.

Notchy’s post suggested that Change Healthcare faced an unprecedented situation: It had allegedly already paid a ransom, yet jilted partners of the gang extorting it still felt they were owed money—and still possessed Change Healthcare’s stolen data. RansomHub tells WIRED it is associated with notchy.

Now, RansomHub has claimed “the data remains with the affiliate,” and AlphV did not directly have the data originally. WIRED could not verify these claims. “For everyone speculating and theorizing on the situation, AlphV stole our share of the payment and performed an exit scam,” a RansomHub representative wrote to WIRED. “AlphV performed the exit scam before we get to the data deletion part.”

Callow says the incident reinforces that cybercriminals can’t be trusted to delete data, even when they are paid. For example, when a global law enforcement operation disrupted the notorious LockBit ransomware group, in February, police said they discovered that the cybercriminals still had data that investigators had paid to be deleted.

“Sometimes they use the undeleted data to extort victims for a second time, and the risk of re-extortion will only increase as law enforcement up their disruption efforts and throw the ransomware ecosystem into chaos,” Callow says. “What were always unpredictable outcomes will now be even more unpredictable.”

Similarly, DiMaggio says victims of ransomware attacks need to learn they can’t trust cybercriminals. “Victims need to understand that paying a criminal who promises to delete their data permanently is a myth,” DiMaggio says. “They are paying to have their data taken off the public side of the ransomware attackers data leak site. They should assume it is never actually deleted.”

UnitedHealth Group’s website says it is continuing to “make progress in mitigating the impact” of the attack and expanding financial assistance to health care providers that have been impacted. However, the attack has sent long-lasting ripples across medical facilities in the United States, demonstrating how disruptive ransomware attacks can be and the difficulties in restoring services. Clinicians and patients alike have been impacted, with extra strain being placed upon medical business owners.

On Wednesday, the American Medical Association said “serious disruptions continue” across physician practices. A survey of AMA members, conducted between March 26 and April 3, found 80 percent of clinicians had lost revenue and many are using their own personal finances to cover a practice’s expenses. Medical practitioners responding to the survey said they were heading toward bankruptcy, were struggling to “manage pain care” for cancer patients, and that procedures had been delayed. “Practices will close because of this incident,” Jesse M. Ehrenfeld, the president of the AMA said in a statement, “and patients will lose access to their physicians.”

In a message to WIRED, the RansomHub contact claims—for whatever the word of a ransomware gang is worth—that they are different from other cybercriminals, and if Change Healthcare pays them, they wouldn’t try to extort it again. “We will delete the data,” they write. “This data is a bomb for us. If we can't get payment, we have no choice but to sell it. Of course, if we can reach an agreement, it will be better to delete the data and throw the bomb away.”

Change Healthcare Faces Another Ransomware Threat—and It Looks Credible

By Waqas
Cybercriminals using deepfakes to target businesses! LastPass narrowly avoids security breach after employee identifies fake CEO in WhatsApp call. Read how LastPass is urging awareness against evolving social engineering tactics.
This is a post from HackRead.com Read the original post: LastPass Dodges Deepfake Scam: CEO Impersonation Attempt Thwarted

Password management giant LastPass narrowly avoided a potential security breach after a company employee was targeted by a deepfake scam. The incident, detailed in a blog post by LastPass, involved an audio deepfake impersonating CEO Karim Toubba attempting to contact the employee via WhatsApp.

Deepfake technology, which can manipulate audio and video to create realistic forgeries, is increasingly being used by cybercriminals in elaborate social engineering schemes. In this instance, the scammer used a voice-altering program to impersonate Toubba’s voice, likely aiming to create a sense of urgency or trust with the employee.

Screenshot of actual WhatsApp scam and attempted contact using deepfake audio as part of LastPass CEO impersonation (Credit: LastPass)

However, not everyone is as fortunate as LastPass. In February 2024, an employee of a multinational company’s Hong Kong branch was tricked into paying out HK$200 million (approximately US$25.6 million) after scammers utilized an AI-generated CFO with deepfake technology.

In another incident reported in August 2022, scammers utilized an AI-generated deepfake hologram of Binance’s chief communications officer, Patrick Hillmann, to deceive users into participating in online meetings and to target Binance clients’ crypto projects.

As for LastPass, the company commended the employee’s vigilance in recognizing the red flags of the situation. The unusual use of WhatsApp, a platform not commonly used for official communication within the company, coupled with the impersonation attempt, encouraged the employee to report the incident to LastPass security. The company confirmed that the attack did not impact its overall security posture.

Toby Lewis, Global Head of Threat Analysis at Darktrace commented on the issue highlighting the risks of Generative-AI, _“_The prevalence of AI today represents new and additional risks. but arguably, the more considerable risk is the use of generative AI to produce deepfake audio, imagery, and video, which can be released at scale to manipulate and influence the electorate’s thinking._“_

_“_While the use of AI for deepfake generation is now very real, the risk of image and media manipulation is not new, with “photoshop” existing as a verb since the 1990s_,”_ Toby explained. _“_The challenge now is that AI can be used to lower the skill barrier to entry and speed up production to a higher quality. Defence against AI deepfakes is largely about maintaining a cynical view of material you see, especially online, or spread via social media,_“_ he advised.

Nevertheless, this attempted scam goes on to show how sophisticated cybercriminals have become in their attacks. On the other hand, LastPass emphasized the importance of employee awareness training in mitigating such attacks. Social engineering tactics often rely on creating a sense of urgency or panic, pressuring victims into making rushed decisions.

The incident also highlights the potential dangers deepfakes pose in the corporate domain. As the technology continues to develop, creating ever-more convincing fakes, companies will need to invest in robust security protocols and employee training to stay ahead of these sophisticated scams.

While deepfake scams targeting businesses are still relatively uncommon, the LastPass incident stresses the growing threat. The company’s decision to publicize the attempt serves as a valuable cautionary tale for other organizations, urging them to heighten awareness and implement preventative measures.

1.  AI Generated Fake Obituary Websites Hit Grieving Users
2.  Deepfakes are Circumventing Facial Recognition Systems
3.  Fake Lockdown Mode Exposes iOS Users to Malware Attacks
4.  Deepfake Attack Hits Russia: Fake Putin Message Broadcasted
5.  QR Code Scam: Fake Voicemails Hit Users, 1000 Attacks in 14 Days

LastPass Dodges Deepfake Scam: CEO Impersonation Attempt Thwarted

Apple has sent alerts to people in 92 nations to say it's detected that they may have been a victim of a mercenary attack.

Apple has reportedly sent alerts to individuals in 92 nations on Wednesday, April 10, to say it’s detected that they may have been a victim of a mercenary attack. The company says it has sent out these types of threat notifications to over 150 countries since the start in 2021.

Mercenary spyware is used by governments to target people like journalists, political activists, and similar targets, and involves the use of sophisticated tools like Pegasus. Pegasus is one of the world’s most advanced and invasive spyware tools, known to utilize zero-day vulnerabilities against mobile devices.

The second number became known when Apple changed the wording of the relevant support page. The change also included the title that went from “About Apple threat notifications and protecting against **state-sponsored attacks**” to “About Apple threat notifications and protecting against **mercenary spyware**.”

If you look at the before and after, you’ll also notice an extra paragraph, again with the emphasis on the change from “state-sponsored attacks” to “mercenary spyware.”

The cause for the difference in wording might be because “state-sponsored” is often used to indicate attacks targeted at entities, like governments or companies, while these mercenary attacks tend to be directed at individual people.

The extra paragraph specifically calls out the NSO Group and the Pegasus spyware it sells. While the NSO Group claims to only sell to “government clients,” we have no reason to take its word for it.

Apple says that when it detects activity consistent with a mercenary spyware attack it uses two different means of notifying the users about the attack:

*   Displays a Threat Notification at the top of the page after the user signs into appleid.apple.com.
*   Sends an email and iMessage notification to the email addresses and phone numbers associated with the user’s Apple ID.

Apple says it doesn’t want to share information about what triggers these notifications, since that might help mercenary spyware attackers adapt their behavior to evade detection in the future.

The NSO Group itself argued in a court case started by Meta for spying on WhatsApp users, that it should be recognized as a foreign government agent and, therefore, be entitled to immunity under US law limiting lawsuits against foreign countries.

NSO Group has also said that its tool is increasingly necessary in an era when end-to-end encryption is widely available to criminals.

**How to stay safe**

Apple advises iPhone users to:

*   Enable Lockdown mode.
*   Keep devices up to date.
*   Protect devices with a passcode.
*   Use Multi-Factor-Authentication (MFA) for your Apple ID.
*   Only install apps from the App Store.
*   Use strong and unique passwords online.
*   Don’t click on links or attachments from unknown senders.

We’d like to add:

*   Use an anti-malware solution on your device.
*   If you’re not sure about something that’s been sent to you, verify it with the person or company via another communcation channel.
*   Use a password manager.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Apple warns people of mercenary attacks via threat notification system 

Phony call center company conducted online fraud and other Internet scams.

Source: JJ Gouin via Alamy Stock Photo

Law enforcement in Zambia this week raided a Chinese company that hired unsuspecting young Zambian citizens purportedly for positions at a call center that instead was a front for cybercrime and money laundering.

The so-called Golden Top Support services company directed the employees "with engaging in deceptive conversations with unsuspecting mobile users across various platforms such as WhatsApp, Telegram, chatrooms and others, using scripted dialogues," Nason Banda, director general of Zambia's Drug Enforcement Commission (DEC) told the BBC, which reported on the case. The DEC, law enforcement, immigration, and anti-terrorism units assisted in the investigation and arrests at the shell company.

A recent rise in bank fraud in Zambia raised alarms and led authorities there to investigate and ultimately raid the company. Banda said the "illicit operations extended beyond Zambia's borders," including victims in Singapore, Peru, the United Arab Emirates (UAE), and other parts of Africa.

Authorities found some 13,000 SIM cards, 11 SIM boxes for disguising the caller's location, and firearms, and 22 Chinese citizens were arrested. Banda said Zambian workers were charged and release in order to cooperate in the investigation.

**About the Author(s)**

Zambia Busts 77 People in China-Backed Cybercrime Operation

Microsoft has fixed 149 vulnerabilities, two of which are reportedly being exploited in the wild.

The April 2024 Patch Tuesday update includes patches for 149 Microsoft vulnerabilities and republishes 6 non-Microsoft CVEs. Three of those 149 vulnerabilities are listed as critical, and one is listed as actively exploited by Microsoft. Another vulnerability is claimed to be a zero-day by researchers that have found it to be used in the wild.

Let’s first have a look at the two zero-days. The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs for these two vulnerabilities are:

CVE-2024-26234 (CVSS score 6.7 out of 10): a proxy driver spoofing vulnerability that Microsoft listed as “Exploitation detected” hours after it initially listed it as non-exploited.

In fact, the patch is a revocation of a Microsoft Windows Hardware Compatibility Publisher signature that was used to sign a file which contained a backdoor using an embedded proxy server to monitor and intercept network traffic on an infected Windows machine. Apparently, the software, designed to remote-control phones, was used to make them act like online bots, collectively liking posts, following people on social media, and posting comments.

CVE-2024-29988 (CVSS score 8.8 out of 10): a SmartScreen prompt security feature bypass vulnerability. Microsoft still has this listed as “Exploitation More Likely” and acknowledges the fact that functional exploit code is available. Which means that the exploit code works in most situations where the vulnerability exists.

One reason for the contradiction could be that the exploitation requires some form of user interaction. It requires an attacker to get the victim to click on a link or open a file. If the victim falls for that, the bug allows the attacker to bypass the SmartScreen security feature in Windows that’s supposed to alert users to any untrusted websites or other threats.

Researchers said that attackers are using the weakness to send targets exploits in a zipped file which bypasses the Mark of the Web (MotW) warnings, a warning message users should see when trying to open a file downloaded from the internet.

The exploit for the vulnerability was called “trivial” and “embarrassingly easy” by the researchers that wrote about it.

A few applications that deserve some of your attention if you’re using them are SQL Server (38 vulnerabilities), and Windows Remote Access Connection Manager (9).

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

The **Android** Security Bulletin for April 2024 contains details of security vulnerabilities for patch level 2024-04-05 or later.

Google also updated **Chrome** to patch a zero-day vulnerability.

**SAP** has released its April 2024 Patch Day updates.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Microsoft’s April 2024 Patch Tuesday includes two actively exploited zero-day vulnerabilities 

Apple on Wednesday revised its documentation pertaining to its mercenary spyware threat notification system to mention that it alerts users when they may have been individually targeted by such attacks.
It also specifically called out companies like NSO Group for developing commercial surveillance tools such as Pegasus that are used by state actors to pull off "individually targeted

Apple Expands Spyware Alert System to Warn Users of Mercenary Attacks

Red Hat Security Advisory 2024-1722-03 - An update for edk2 is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.2 Telecommunications Update Service. Issues addressed include a buffer overflow vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1722.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: edk2 security updateAdvisory ID:        RHSA-2024:1722-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1722Issue date:         2024-04-09Revision:           03CVE Names:          CVE-2023-45234====================================================================Summary: An update for edk2 is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.2 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact ofImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM.Security Fix(es):* edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message (CVE-2023-45234)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-45234References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2258697

Red Hat Security Advisory 2024-1722-03

The Change Healthcare ransomware attack as suffered a third cruel twist.

The Change Healthcare ransomware attack has taken a third cruel twist. A new ransomware group, RansomHub, has listed the organisation as a victim on its dark web leak site, saying it has 4 TB of “highly selective data,” which relates to “all Change Health clients that have sensitive data being processed by the company.”

The announcement follows a series of events that require some unpacking.

Change Healthcare is one of the largest healthcare technology companies in the USA, responsible for the flow of payments between payers, providers, and patients. It was attacked on Wednesday February 21, 2024, by a criminal “affiliate” working with the ALPHV ransomware group, which led to huge disruptions in healthcare payments. Patients were left facing enormous pharmacy bills, small medical providers teetered on the edge of insolvency, and the government scrambled to keep the money flowing and the lights on.

American Hospital Association (AHA) President and CEO Rick Pollack described the attack as “the most significant and consequential incident of its kind against the US health care system in history.”

The notorious ALPHV ransomware group claimed responsibility, chalking up Change Healthcare as one of a raft of healthcare victims in what looked like a deliberate campaign against the sector at the start of 2024.

ALPHV used the ransomware-as-a-service (RaaS) business model, selling the software and infrastructure used to carry out ransomware attacks to criminal gangs known as affiliates, in return for a share of the ransoms they extorted.

On March 3, a user on the RAMP dark web forum claimed they were the affiliate behind the attack, and that ALPHV had stolen the entirety of a $22 million ransom paid by Change Healthcare. Shortly after, the ALPHV group disappeared in an unconvincing exit scam designed to make it look as if the group’s website had been seized by the FBI.

ALPHV’s exit left Change Healthcare with nothing to show for its $22 million payment, a disgruntled affiliate looking for a ransom, and very possibly two different criminal gangs—ALPHV and its affiliate—in possession of a huge trove of stolen data.

Now, a month later, a newcomer ransomware group, RansomHub has listed Change Healthcare as a victim on its website.

Change Healthcare is listed as a victim on the RansomHub dark web leak site

While some have speculated that Change Healthcare has suffered a second attack, the RansomHub site itself makes the connection to the events surrounding February 21 quite clear:

> As an introduction we will give everyone a fast update on what happened previously and on the current situation.
> 
> ALPHV stole the ransom payment (22 Million USD) that Change Healthcare and United Health payed in order to restore their systems and prevent the data leak.
> 
> HOWEVER we have the data and not ALPHV.

RansomHub first appeared in late February and its arrival dovetails neatly with ALPHV’s disappearance in very early March, leading some to think they are the same group under two different names.

The statement also pours water on the idea that RansomHub is a rebrand of the ALPHV group with its suggestion that “we have the data and not ALPHV.” However, any public statement like this has to be tempered by the fact that ransomware groups are prolific liars.

It’s not uncommon for affiliates to work with multiple RaaS providers, so the most likely explanation is that having lost its money to ALPHV, the affiliate that ransacked Change Healthcare has paired up with a different ransomware group.

Whatever the reason, there is no comfort in it for Change Healthcare. Having apparently already paid a ransom thirty times greater than the average demand, it now has to decide whether it’s going to pay out again.

For everyone else, it’s a lesson in how devastating ransomware can be, and how badly things can go even when you pay a ransom.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 New ransomware group demands Change Healthcare ransom 

Improper Input Validation vulnerability in Apache Zeppelin SAP. This issue affects Apache Zeppelin SAP: from 0.8.0 before 0.11.0.

As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.

For more information, the fix already was merged in the source code but Zeppelin decided to retire the SAP component
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2022-47894

**Apache Zeppelin SAP: connecting to a malicious SAP server allowed it to perform XXE**

Moderate severity GitHub Reviewed Published Apr 9, 2024 to the GitHub Advisory Database • Updated Apr 9, 2024

**Package**

maven org.apache.zeppelin:sap (Maven)

**Affected versions**

\>= 0.8.0, < 0.11.0

**Description**

Published to the GitHub Advisory Database

Apr 9, 2024

Tag

#sap