This Week In Security: Blame The Feds, Emergency Patches, And The DMA

The temptation to “take the money and run” was apparently too much for the leadership of the AlphV ransomware crime ring. You may have heard of this group as being behind the breach of Change Healthcare, and causing payment problems for nearly the entire US healthcare system. And that hack seems to be key to what’s happened this week.

It’s known that a $22 million payment made it through the bitcoin maze to the AlphV wallet on the 1st. It’s believed that this is a payment from Change Healthcare to recover ransomed files. An important detail here is that AlphV is a ransomware-as-a-service provider, and the actual hacking is done by “affiliates”, who use that service, and AlphV handles the infrastructure, maintaining the actual malware, and serving as a payment processor. That last one is key here.

A couple of days after that big payment landed in the AlphV account, a seizure notice went up on the AlphV Tor site, claiming that it had been taken down by the FBI and associated agencies. There was something a bit odd about it, though. See, the FBI did seize the AlphV Tor site back in December. The seizure notice this time was an exact copy, as if someone had just done a “save page as” and posted the copy.

There is precedent for a ransomware group to close up shop and disappear after hitting a big score. The disruption AlphV enabled in the US health care system painted a big target on them, and it didn’t take a tactical genius to realize it might be good to lay low for a while. Pocketing the entire $22 million ransom probably didn’t hurt either. The particularly nasty part is that the affiliate that actually pulled off the attack still claims to have four terabytes of sensitive data, and no incentive to not release it online. It’s not even entirely clear that Change Healthcare actually received a decryption key for their data. You do not want to deal with these people.

TeamCity Emergency

The confusingly named 2023.11.4 update to JetBrains TeamCity was released on March 4 of 2024, containing a pair of fixes for critical security vulnerabilities. The worst is a CVSS 9.8 authentication bypass issue. TeamCity is an on-premises Continuous Integration/Continuous Deployment server, and this exploit gives complete control over the machine, leading to some nasty potential for supply chain attacks and code stealing.

With the release of the details came active exploitation nearly immediately. And it’s not hard to see why. The flaw is a logic error in how HTTP/S request URLs are parsed in the case of a 404 response. A vulnerable request looks as simple as /hax?jsp=/app/rest/server;.jsp. Ouch.
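As an added example (not from the article or from JetBrains), here is a small scanner that flags access-log lines with the request shape quoted above: a `jsp` query parameter pointing into the authenticated `/app/rest/` API with a smuggled `;` path parameter. The log format and the sample lines are constructed.

```python
"""Flag access-log lines shaped like the TeamCity URL-parsing bypass.

Added example, not code from the article or JetBrains. The only fact taken
from the article is the request shape /hax?jsp=/app/rest/server;.jsp; the
log format, sample lines and client addresses below are constructed.
"""
import re
from urllib.parse import urlsplit, unquote

# Common Log Format: host ident user [time] "METHOD url HTTP/x" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample traffic (RFC 5737 documentation addresses), not real logs.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Mar/2024:10:01:02 +0000] "GET /hax?jsp=/app/rest/server;.jsp HTTP/1.1" 200 512
203.0.113.7 - - [05/Mar/2024:10:01:03 +0000] "POST /nope?jsp=%2Fapp%2Frest%2Fusers%3B.jsp HTTP/1.1" 200 88
198.51.100.2 - - [05/Mar/2024:10:02:00 +0000] "GET /app/rest/server HTTP/1.1" 401 0
198.51.100.2 - - [05/Mar/2024:10:02:05 +0000] "GET /favicon.ico HTTP/1.1" 404 0
198.51.100.9 - - [05/Mar/2024:10:03:00 +0000] "GET /login.html?jsp=/app/rest/server HTTP/1.1" 200 1200
"""

def query_values(query: str, name: str) -> list[str]:
    """Raw values of one query parameter; split on '&' only, so a ';' in a
    value survives regardless of the Python version's parse_qs defaults."""
    vals = []
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if unquote(key) == name:
            vals.append(value)
    return vals

def is_bypass_shaped(url: str) -> bool:
    """True when a `jsp` parameter, after decoding, targets /app/rest and
    carries a ';' path parameter, as in the request quoted in the article."""
    parts = urlsplit(url)
    for raw in query_values(parts.query, "jsp"):
        decoded = unquote(unquote(raw))  # tolerate single and double encoding
        if decoded.startswith("/app/rest") and ";" in decoded:
            return True
    return False

def scan_log(text: str) -> list[dict]:
    """One record (client, method, url, status) per suspicious log line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_bypass_shaped(m.group(3)):
            client, method, url, status = m.groups()
            hits.append({"client": client, "method": method,
                         "url": url, "status": int(status)})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']} {hit['method']} {hit['url']} -> {hit['status']}")
```

A 200 response to such a request against an unpatched server is the signal worth alerting on; a plain `/app/rest/...` call that returns 401 is ordinary unauthenticated traffic.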

VMware Emergency

TeamCity is not the only headache you need to worry about, as VMware has issued an “emergency change” to fix a quartet of vulnerabilities. Three of them are in USB controller code, and the fourth is a sandbox escape to get out of the VMX process. To put them in perspective, these flaws allow an attacker inside a virtual machine to run an exploit that breaks out of the VM, allowing arbitrary code execution on the underlying host system.

The workaround is to completely remove virtual USB controllers from all running VMs. A humorous note warns that this could degrade user experience — depending on the configuration and guest OS, this could disable mouse and keyboard input altogether. The kicker is that VMware guidance is to assume that all previous and unsupported versions of ESXi, Workstation, and Fusion are vulnerable. It seems like this bug has been lurking in the VMware codebase for a very long time.

Digital Markets Act

And here we have coverage of the intersection between security and politics. The noteworthy topic is the Digital Markets Act, an EU bill that mandates doors and windows be installed in walled-garden ecosystems. The mandated changes are what you might expect: opening devices to alternative app stores, allowing alternative payment systems, and even more choice screens on first boot of devices.

Does that matter for security? Apple has long maintained that the strict limitations of the App Store are essential for user security. It’s true that a sizable portion of mobile malware can be traced directly back to alternative app stores that serve shady apps, but Apple isn’t immune either. On the other hand, there are certainly reputable alternative app stores, like the open-source F-Droid. And for most users, we just want a Google Chrome that isn’t re-skinned Safari, and a way to install Kodi without jailbreaking first.

Bits and Bytes

In a continuation of both the ransomware and geopolitics themes, the Swiss technology company Xplain suffered a ransomware attack in 2023, and the Swiss government has finally released an announcement about the severity of the breach. There were 1.3 million files released online, and about 65,000 were actually government documents.

The RT-Thread Real Time Operating System (RTOS) received an audit of sorts from [Marco Ivaldi] at HN Security. It’s not surprising that the low-level code that makes up this RTOS has its fair share of buffer overflow flaws. Many of the vulnerabilities have received fixes, but some are still in progress.

And finally, there is a .NET and Visual Studio vulnerability affecting the Microsoft FTP server. The problem is a relatively simple command injection flaw in the FTP command handling.

That’s it for this week. Be sure to come let us know what security stories you’re following!
