Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Latest News

ED Charge Sheet Maps Sriki's Darknet Crypto Laundering Network

  The Enforcement Directorate (ED) has filed a sprawling 3,500-page prosecution complaint before a special PMLA court in Bengaluru, laying o...

All the recent news you need to know

Romania’s Hospital Cyberattack Highlights Growing Ransomware Threats to Healthcare Systems

 

A large-scale ransomware attack that took place in the healthcare system of Romania in February 2024 makes for textbook material on how to respond to such incidents, as well as the challenges they present. The ransomware attack scenario started when criminals got hold of a hospital management system called Hippocrates and, using it as a vector, distributed BackMyData ransomware to encrypt data. 

One of the software’s main functions is processing and storing information on laboratory results, pharmacy claims, payroll, admission and discharge of patients, doctors, and other medical staff. After being locked, the hospitals had to pay nearly 160 thousand euros to decrypt the data, which is in Bitcoin. When some hospitals reported the ransomware attack, the National Computer Security Center (DNSC) took an extraordinary measure to order over a hundred facilities to disconnect from the internet to prevent the virus from spreading to other institutions. 

Consequently, the hospitals’ systems became unable to provide access to email, the Internet, and interconnected medical devices. To manage patients and keep the critical functions running, doctors and nurses used paper-based solutions to write down and manually input lab results, physician orders, and treatment plans. In parallel, hospital staff worked on taking down the ransomware and securing the system. 

Authorities eventually found out that the ransomware infection was confirmed in 26 hospitals, where the ransomware attack response team with the help of the system supplier isolated the contaminated systems from the network. After decrypting files and securing the system, the technicians returned the hospitals to the network and ensured there were no other problems. 

Throughout the ransomware incident, authorities provided the public with updates on the ransomware situation, telling the people to avoid visiting the facilities if possible and advising the hospitals not to give in to the attackers’ demands. Nevertheless, the response to the challenge was far from perfect, as Romania continues to face challenges with cybercrime. The patients complained about the inconvenience of standing in queues and having their tests processed manually, but the government did not go through with paying off the ransom. 

At the same time, it is worth noting that having up-to-date data backups allowed the hospitals to quickly restore their vital functions without having to wait for decrypting tools from hackers. Five days after the ransomware attack, most of the affected facilities had already returned to normal operations. At the same time, there were no reports of patient deaths or damage to health caused by the ransomware attack. Still, doctors and nurses had to manually enter a lot of the patient’s personal data, which took them several more weeks to finish, while some of the relevant information was lost altogether. 

So far, the ones behind the ransomware attack have not been revealed. Still, it has been reported that some of the suspects’ resources in Russia have been shut down by the police, while others are currently detained abroad. It is not yet known whether they will be brought to justice in Romania. The ransomware attack on the healthcare system of Romania serves as a reminder of how fragile our systems are and the importance of protecting them. 

In many ways, hospitals are a critical infrastructure component, meaning that potential attackers will always attempt to take advantage of them by holding vital functions hostage until they get a hefty ransom. Even though the ransomware response team handled the situation in Romania efficiently, the ransomware incidents in the UK and the US show that problems of that sort are far from being exclusive to Romania.

Business Threat Management: Moving from Isolated to Unified Approach


Shifting away from isolated, technical data, to a continuous risk lifecycle can assist organizations in balancing security controls with actual business impact.

A CVSS score of 9.5 may not be significant to a CFO, but when it demonstrates a flaw in a payment system processing $2 million, it becomes a big deal. Therefore, the data must be linked with information about operational barriers that can result in financial damages, product delays, or loop in regulatory agencies.

A robust risk lifecycle

Periodic risk lifecycle cannot keep up with the changing threat scenario, which if further impacted by an unstable geopolitical environment and rising technology like AI and quantum computing. Thus, information risk assessment must be a continuous process that links threats, supervising controls, and the possible repercussions for the business if the controls fail.

Different risks carry different impacts, stakeholder needs, and available data. This means that analysis also changes. You need two analysis tracks for this: qualitative analysis for quick decisions with limited data, and quantitative analysis for investment decisions when they need financial backing. 

The IRAM3 methodology unifies both tracks into a single framework that uses the same process and is built to be modular, so businesses can gain entry at any desirable phase they think fits their demands.

Moving towards business-aligned risk management

A linked risk lifecycle changes how businesses perceive organization threats. It also helps to keep activities such as interpreting threats, evaluating controls, and measuring exposure connected instead of treating each analysis as an isolated process.

Building business impact

Linked assets must be grouped by the business function they assist. This lets the teams conduct risk analysis that connect how the organization actually works and also helps in defining the risk appetite.

Assessing threat incidents

In this step, you identify the risks to your business, map related threats to critical assets, and predict how likely they will materialize. According to Security Week, “From a quantitative standpoint, a three-point frequency estimate—minimum, most likely, and maximum—is assigned instead of a rating. The number of loss events you would anticipate in a year is represented by this estimate.”

Testing control success

A business might have a MFA coverage, but if privileged accounts are not included as allowing MFA disrupted a legacy integration, the gap is a direct pathway into critical systems. Thus, these controls should be carefully mapped to particular threats, checked for implementation, and analyzed if they actually reduce risk. 

Phishing Campaign Targets Marketing Professionals Using Fake Job Interviews from Top Global Brands

 

A sophisticated phishing campaign is targeting marketing professionals by posing as recruiters from more than 30 globally recognized brands, including Adobe, Netflix, Coca-Cola, OpenAI, Adidas, and Marriott. The attackers aim to steal Google account credentials by luring victims into fake job interview processes.

According to cybersecurity intelligence and threat hunting company Team Cymru, the operation exploits legitimate cloud-based platforms such as PeopleForce, a human resources service, and domains linked to Salesforce Marketing Cloud before redirecting users to malicious websites. To make the scam appear authentic, the threat actors are also using the names and profile pictures of actual recruiters from the companies they impersonate.

Will Thomas, senior advisor at Team Cymru, investigated the campaign and found that the phishing emails present themselves as recruitment messages. As he noted, the emails appear to be from “a recruiter looking to hire people for marketing roles.”

The investigation revealed that attackers have registered at least 34 domains designed to mimic prominent organizations across multiple industries. These include airlines and travel companies such as American Airlines, Booking.com, Delta Air Lines, and United Airlines; food and beverage giants Coca-Cola, PepsiCo, and Red Bull; fashion and luxury brands Adidas, Louis Vuitton, Sephora, and Levi’s; consulting and technology firms including Adobe, Aquent, ManpowerGroup, McKinsey & Company, and OpenAI; hospitality and marketing companies Marriott and Omnicom Group; as well as entertainment and sports brands like FIFA and Netflix.

Researchers found that the attackers rely on a technique known as nested redirects, where users are routed through several legitimate online services before ultimately reaching a fraudulent webpage. Although the phishing emails appear to originate from PeopleForce, the embedded links resolve to the exct[.]net domain, which is operated by Salesforce following its acquisition of ExactTarget, now known as Salesforce Marketing Cloud.

From there, victims are redirected through Wise Agent, a cloud-based customer relationship management (CRM) platform for real estate professionals, before arriving at the phishing website.

BleepingComputer reported that the campaign has been active for at least five months. Earlier versions reportedly used Outlook email addresses carrying the names of the companies being impersonated.

In one example, a phishing email claiming to be from Adidas recruiter Paulina Manzo invited recipients to schedule a discussion regarding a potential job opportunity. Clicking the scheduling link redirected users to the fraudulent domain adidas-hiring[.]com.

To proceed with booking the interview, victims are instructed to sign in with their Google accounts. Selecting the “Continue with Google” option launches what appears to be a genuine Google authentication window. However, the pop-up is actually created using HTML and CSS within the phishing page itself, a deception technique known as browser-in-the-browser (BitB).

By leveraging modern web development methods, attackers can closely replicate legitimate authentication prompts, making it difficult for users to distinguish fake login windows from real ones.

Researchers emphasized that the misuse of legitimate platforms does not necessarily indicate those services have been compromised. Instead, threat actors may have created valid accounts specifically for the campaign or used compromised credentials to configure redirect chains and phishing pages.

A complete list of the malicious domains associated with the campaign has been published in Will Thomas' GitHub analysis.

Centre Orders Blocking of Battery Management Apps Exploited to Disable E-Rickshaws


After the Central Government discovered that seven battery management system (BMS) mobile applications were being misused to remotely disable batteries in electric vehicles and e-rickshaws, the Central Government has ordered the blocking of those applications. In multiple locations across India, this disruption disrupted services and enabled extortion. 


MeitY Secretary S. has directed Google and Apple to remove seven identified applications from their respective app stores on Android and iOS by the Ministry of Electronics and Information Technology (MeitY). In order to ensure applications that may threaten public safety or facilitate unlawful activities are not made available to users, Krishnan said app marketplaces must exercise due diligence. 

In response to reports that battery management apps primarily developed by Chinese companies for monitoring lithium-ion battery packs were being exploited by e-rickshaw drivers to shut down the vehicles while passengers were aboard. Authorities stated that while the applications are designed for proper battery management, they can be misused if battery systems are not properly protected by passwords or PINs. 

In the government's view, removing these apps from digital platforms will not eliminate the vulnerability completely, since Bluetooth connectivity is required in place of internet access to exploit this vulnerability. Thus, even after apps are blocked, unsecured battery management systems remain vulnerable to unauthorized access. Video clips circulated on social media showing e-rickshaws suddenly stopping on public roads attracted nationwide attention to this issue. 

The existing certification standards for e-rickshaws in India do not include cybersecurity requirements, which can result in potential misuse of connected battery systems. This vulnerability has already led to criminal activity. Police in Ujjain, Madhya Pradesh, arrested a suspect who has been accused of remotely disabling batteries from e-rickshaws and demanding compensation from their drivers. 

Local authorities claim the accused abused the flaw by deliberately immobilizing vehicles and charging drivers for assistance. A criminal offence involving intentionally disabling vehicles is considered to be an offence and can be prosecuted under applicable provisions of the Bharatiya Nyaya Sanhita (BNS) relating to criminal mischief. 

Concerns have been raised regarding the cybersecurity risk associated with connected electric vehicles and battery management systems following the incident. In order to prevent such misuse and safeguard public transportation operations, observers say stronger security controls are needed to prevent similar misuse, including authentication mechanisms and cybersecurity standards for electric vehicle components. 

A government intervention highlights the challenges facing connected electric mobility in terms of cybersecurity. Since software increasingly controls the functions of critical vehicle systems, stronger security standards, authenticated access controls, and continuous oversight will be critical in protecting drivers, passengers, and public infrastructure.

Researchers Expose Veil#Drop: A Stealthy Malware Chain Delivering PureLog Stealer via Blogspot

 

 
Threat researchers at Securonix have identified an advanced, multi-layered malware delivery operation that leans on hacked websites and social-engineering tactics to plant information-stealing malware on victims' systems.

Tracked under the name Veil#Drop, the campaign chains together JavaScript launchers and PowerShell download routines to fetch and run malicious code hosted on Blogspot — a platform sitting on Google's reputable infrastructure, which helps the activity blend in with legitimate traffic.

The attack kicks off when a target opens a JavaScript file disguised to look like an ordinary document. Once triggered, the script fires off PowerShell commands built to slip past execution-policy restrictions, then reaches out to attacker-run Blogspot pages to pull down further payloads.

Those Blogspot-hosted stages carry out several actions at once: they show a decoy document to keep the victim unaware, shut down certain running processes, and decrypt hidden content. The unpacked code then spins up more Blogspot links and runs the next payloads straight from memory, leaving little behind on disk.

According to Securonix, a follow-on loader stores XOR-scrambled .NET assemblies inside oversized embedded data blocks. These are rebuilt and unscrambled only while the malware is running, a technique that frustrates static inspection and weakens signature-based defenses.

The operation is also engineered with redundancy in mind, relying on backup execution paths and misusing legitimate, Microsoft-signed Windows binaries (living-off-the-land binaries, or LOLBINs) to run code while sidestepping security tools. Securonix notes that the mix of compromised sites, files masquerading with multiple extensions, trusted cloud hosting, obfuscated payloads, reflective in-memory .NET loading, and LOLBIN abuse reflects a calculated push to dodge conventional antivirus products, minimize forensic traces, and stay hidden throughout the intrusion.

The endgame is infection with PureLog Stealer, a .NET-based data thief. Once installed, it profiles the compromised machine and begins scraping data from a wide range of browsers, including Google Chrome, Microsoft Edge, Firefox, Brave, Opera, and other Chromium-based options.

Its targets include saved credentials, cookies, autofill entries, session tokens, and browsing history, and it actively hunts for cryptocurrency wallet data on the device. Beyond browsers, PureLog Stealer can pull information from messaging apps, email clients, remote-access utilities, FTP tools, cloud-storage software, developer applications, and password managers. Everything it collects is bundled up and transmitted to attacker-controlled servers in encrypted form.

Because the stealer casts such a wide net, Securonix warns that compromising a single endpoint could open the door to a much larger breach, depending on the secrets — credentials, tokens, and keys — stored on that machine. In corporate settings, the firm points out, info-stealers often serve as the opening move in bigger campaigns, with harvested logins later fueling ransomware deployment, data-theft operations, business email compromise, or drawn-out espionage.

India Considers Separate AI Regulatory Framework as Government Signals Policy Shift

 

The Indian government is considering a law to govern artificial intelligence (AI) systems, signaling a shift from its previous approach of relying solely on existing information technology laws. Senior officials from the Ministry of Electronics and Information Technology (MeitY) stated that the current developments in this space are so significant that they require legislation. 

Speaking at an industry event this week, MeitY Secretary S. Krishnan said that consultations on laws governing AI had already begun. Both Krishnan and Union IT minister Ashwini Vaishnaw had previously stated that the government would consider separately legislating for AI at an appropriate time, and he added that the moment appeared to be now. 

Existing laws were largely sufficient to address deepfakes or AI-manipulated media, as well as misinformation, fraud, and other issues, he argued, but this was no longer the case as AI became more sophisticated and started to be integrated into critical industries. The new framework would provide guidance on the development of these systems while also protecting citizens, businesses, and critical infrastructure. 

While the government did not set a deadline for legislation, Krishnan noted that MeitY could begin drafting proposals for approval, with the framework then being debated and approved by Parliament. India is not alone in this endeavor as policymakers globally are considering steps to govern AI. A growing number of countries have been looking at laws and policies that seek to address potential risks to privacy, national security, intellectual property, and more while also encouraging innovation. 

The move also marks a notable shift in approach for India, which has largely promoted a lax regulatory environment for technology and adopted a voluntary approach to AI governance, with laws and policies focusing on promoting innovation and adopting existing frameworks for oversight. 

A separate law could add another layer of oversight while also supporting India’s broader ambitions in this space, including IndiaAI Mission, as it looks to promote and bolster its AI ecosystem alongside its digital transformation initiatives. 

Industry stakeholders will also be able to contribute to the process as the government considers its proposals. The law would promote responsible innovation and address risks posed by increasingly ubiquitous and sophisticated AI systems, officials added.

Featured