Hello! I’m Nick Hyatt, Director of Threat Intelligence here at Blackpoint Cyber. Welcome to the Adversary Pursuit Group’s Threat Digest for March 2024. We’ve got some interesting things to share for this month, so grab a drink and let’s dig in.

There were a lot of big stories at the end of February and the beginning of March, but one of the biggest was the ScreenConnect vulnerabilities. The whole MSP community took notice, as ScreenConnect’s widespread install base covers many verticals. The triviality of the vulnerability, combined with the quick release of proof-of-concept exploits, made this a very severe incident.

While ConnectWise was very quick about patching and communicating the issue, the rapid creation of exploits left little time for defenders to protect their environments. RMM tools, while useful, present a tremendous amount of risk to organizations: their deep integration into environments also makes them an attractive target for threat actors. Our first Annual Threat Report talks about exploitation of public-facing applications like RMM tools – threat actors love these tools, as they let them blend in with normal activity in an environment.

Another story that’s been in the headlines since the end of February was the security incident at Change Healthcare. On February 21st, Change Healthcare, part of the United Healthcare network, experienced a cyber incident, later identified as ransomware. This caused massive disruption across the healthcare landscape, with patients unable to get prescriptions and wholesale disconnection of systems from the Change Healthcare network. While specific details about the attack are sparse, the financially motivated group BlackCat, also known as ALPHV, claimed responsibility for the attack.

The reality of these attacks is that the data on ransomware shows these groups are indiscriminate in who they hit. Many of these groups are Ransomware-as-a-Service organizations, meaning the developers of the ransomware are different from the perpetrators of the attack. Risk mitigation is really the crux of the issue. Organizations should strive to understand their threat profile and ask some pretty difficult questions:

  • What systems do I have?
  • What controls do I have in place?
  • If I don’t control a system, how do I validate that it’s secure?
  • When I get breached, what will I do?
  • What precautions have I taken to limit the damage a cyberattack could cause?

Focus on ensuring that basic security hygiene is in place – security awareness training, multifactor authentication, role-based access controls, a standardized patching routine, and an incident response plan are the bare minimum to start. Additionally, have a threat assessment done – this will help you see your environment clearly and be more proactive about the threats to it.

Check back with us next month – until then, stay safe and do good work.


Written and Recorded By:

Nick Hyatt, Director of Threat Intelligence 

Nick Hyatt has extensive expertise in technology, support, and information security, with experience spanning small businesses to Fortune 500 companies across various industries. He has a deep understanding and practical experience in incident response, threat intelligence, digital forensics, and malware analysis. His hands-on skills encompass malware forensics, data mapping, threat hunting, and e-discovery in diverse environments.

