Latest Cybersecurity News 2022-11-14 Edition

Follow ISA Cybersecurity on LinkedIn for the latest cybersecurity news

Weekly CyberTip: Make an incident response plan

What would you do if you had a ransomware attack right now? According to a recent Shred-It survey, chances are 4 in 5 that you don’t have a plan in place. Take time to consider how you would respond in the event of a cyber attack on your business – or a third party you deal with. Build a plan and test it. Preparing today could reduce the impact of an incident tomorrow.


Need help building an incident response plan? ISA Cybersecurity is an industry leader in this service. Learn more.  

Canadian arrest of suspected key figure in LockBit ransomware gang

A November 10 news release from the United States Department of Justice (DOJ) has identified a dual Russian-Canadian citizen recently arrested under suspicion of involvement with the LockBit ransomware gang.

Mikhail Vasiliev, 33, of Bradford, Ontario, is facing charges in connection with a cross-border ransomware investigation. Members of the Ontario Provincial Police (OPP), with the assistance of the RCMP’s National Cybercrime Coordination Centre (NC3), executed a search warrant at Vasiliev’s home on October 26, according to an OPP bulletin issued after the arrest.

According to a Europol news article (posted November 10 but removed November 11), Vasiliev was arrested “following a complex investigation led by the French National Gendarmerie (Gendarmerie Nationale), with the support of Europol, the US Federal Bureau of Investigation (FBI) and the Canadian Royal Canadian Mounted Police (RCMP).”

The posting described Vasiliev as one of Europol’s “high-value targets due to his involvement in numerous high-profile ransomware cases,” and explained that “Vasiliev is believed to have deployed the LockBit ransomware to carry out attacks against critical infrastructure and large industrial groups across the world. He is known for his extortionate ransom demands ranging between €5 to €70 million.”

During the arrest, Canadian law enforcement seized two firearms, eight computers, 32 external hard drives, and some €400,000 in cryptocurrencies. The arrest follows an action conducted in Ukraine in October 2021, which led to the arrests of two alleged accomplices in the LockBit enterprise.

“[The] successful arrest demonstrates our ability to maintain and apply relentless pressure against our adversaries,” said FBI Deputy Director Paul Abbate. “The FBI’s persistent investigative efforts, in close collaboration with our federal and international partners, illustrates our commitment to using all of our resources to ensure we protect the American public from these global cyber threat actors.”

“This arrest is the result of over two-and-a-half-years of investigation into the LockBit ransomware group, which has harmed victims in the United States and around the world,” said U.S. Deputy Attorney General Lisa Monaco. “It is also a result of more than a decade of experience that FBI agents, Justice Department prosecutors, and our international partners have built dismantling cyber threats. Let this be yet another warning to ransomware actors: working with partners around the world, the Department of Justice will continue to disrupt cyber threats and hold perpetrators to account. With our partners, we will use every available tool to disrupt, deter, and punish cyber criminals.”

The criminal complaint against Vasiliev alleges he committed conspiracy to intentionally damage protected computers and to transmit ransom demands. He could face a maximum of five years in prison if convicted. The complaint also outlines a fascinating array of evidence discovered by Canadian law enforcement in separate searches of Vasiliev’s home in August and October of 2022, including alleged ties to LockBit attacks in Canada, the United States, and Malaysia.

Vasiliev has been released on bail in relation to the weapons charges and is scheduled to appear before a judge in Orillia, Ontario on December 12 as he awaits extradition to the United States.

Citrix issues urgent patch bulletin, reminder regarding mandatory MFA

On November 8, Citrix announced patches for several of its customer-managed 12.x and 13.x versions of Citrix ADC and Citrix Gateway appliances. The patches close vulnerabilities that could allow a threat actor to take over a remote desktop session via a phishing or brute-force login attack. One of the vulnerabilities (CVE-2022-27510) affects appliances operating as a gateway and has been rated as a critical-severity vulnerability with a base score of 9.8.

Customers using Citrix-managed cloud services do not need to take any action.

The bulletin also contained a reminder for customers that Citrix will be enforcing multi-factor authentication (MFA) for all Citrix properties starting on November 28, 2022. Customers that have not already enrolled in MFA are encouraged to register to “prevent disruption to your account.”


HC3 issues warning about Venus ransomware strain

On November 9, the Health Sector Cybersecurity Coordination Center (HC3), part of the U.S. Department of Health and Human Services, issued an analyst note warning healthcare facilities (and, more broadly, all entities) about the emergence of a new strain of ransomware called Venus. According to the note, “Venus ransomware appears to have begun operating in the middle of August 2022 and has since encrypted victims worldwide,” targeting publicly exposed remote desktop services. At least one healthcare organization in the United States has fallen victim already.

The note contains details of the attack pattern, indicators of compromise, reference materials, and various mitigation strategies.

HHS provides regular updates on threats to the healthcare sector, including threat briefs and sector alerts.
