
EvilVideo Exploit: Telegram Zero-Day Vulnerability Allows Disguised APK Attacks

 

A zero-day vulnerability in Telegram for Android, dubbed ‘EvilVideo’, allowed attackers to send malicious Android APK payloads disguised as video files. The flaw first came to light when a threat actor using the handle ‘Ancryno’ began selling the exploit on June 6, 2024, on the Russian-speaking XSS hacking forum. 

The vulnerability affected Telegram for Android versions 10.14.4 and older. ESET researchers discovered it after a proof-of-concept demonstration was posted to a public Telegram channel, which let them obtain and analyse the malicious payload; they confirmed the exploit worked on v10.14.4 and older and named it ‘EvilVideo’. ESET researcher Lukas Stefanko responsibly disclosed the flaw to Telegram on June 26 and again on July 4, 2024. Telegram replied on July 4 that it was investigating the report. 

Telegram patched the vulnerability in version 10.14.5, released on July 11, 2024. That timeline means the exploit was on sale for at least five weeks before a fix shipped. Whether it was used in real attacks remains unclear, but ESET shared a command-and-control (C2) server used by the payloads, ‘infinityhackscharan.ddns[.]net’, and BleepingComputer found two malicious APK files on VirusTotal using that C2 which masqueraded as Avast Antivirus and an ‘xHamster Premium Mod’. 

The EvilVideo exploit targeted only Telegram for Android. It let attackers craft APK files that, when sent to other users, appeared in the chat as embedded videos. ESET believes the exploit used the Telegram API to programmatically create a message showing a 30-second video preview. With Telegram’s media auto-download enabled (the default), the payload was downloaded to recipients’ devices as soon as they opened the conversation. 

For users who had disabled auto-download, a single tap on the video preview was enough to start the download. When recipients then tried to play the fake video, Telegram suggested using an external player, which could lead them to tap the “Open” button and launch the APK, subject to Android’s own prompts for installing apps from unknown sources. Although the seller described the exploit as “one-click”, the several taps, steps and specific settings a successful attack required considerably reduced the real risk. ESET also tested the exploit against Telegram Web and Telegram Desktop and found it did not work there: on those clients the payload was simply treated as an MP4 video file. 

Telegram’s fix in version 10.14.5 correctly shows the attachment as an APK file in the preview, so recipients are no longer deceived by files masquerading as videos. Users who recently received video files that asked for an external app to play them are advised to scan the device’s filesystem with a mobile security suite to locate and remove any malicious payloads.
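The EvilVideo trick depended on the client presenting an APK as if it were a video, so the check a receiving client or a gateway should make is to sniff the file's leading bytes and compare them with the declared MIME type or extension. The following is an added example, not ESET's or Telegram's code; the "APK" and "MP4" it inspects are constructed in memory (a ZIP with placeholder manifest and dex entries, and a bare `ftyp` header), not real payloads.

```python
"""Sniff an attachment's real type and compare it with what the client claims.

Added example (not ESET's or Telegram's code). An APK is a ZIP archive, so a
file shown as a video whose bytes start with a ZIP header and contain
AndroidManifest.xml plus a .dex entry is an installable package, whatever the
name or MIME type says. The sample files below are constructed in memory.
"""
import io
import zipfile

APK_MIME = "application/vnd.android.package-archive"
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def sniff(data: bytes) -> str:
    """Return a coarse content type derived from magic bytes, not from the name."""
    # ISO base media files (MP4/MOV) carry an 'ftyp' box at offset 4.
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "video/mp4"
    if data[:4] in ZIP_MAGICS:
        # An APK is a ZIP archive; look inside for the two entries every APK has.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                names = set(archive.namelist())
        except zipfile.BadZipFile:
            return "application/zip"
        if "AndroidManifest.xml" in names and any(n.endswith(".dex") for n in names):
            return APK_MIME
        return "application/zip"
    return "application/octet-stream"


def check_attachment(declared_mime: str, filename: str, data: bytes) -> dict:
    """Flag a file that is presented as video but is actually a package or archive."""
    actual = sniff(data)
    claims_video = declared_mime.lower().startswith("video/") or filename.lower().endswith((".mp4", ".mov"))
    suspicious = claims_video and actual.startswith("application/")
    return {"filename": filename, "declared": declared_mime, "actual": actual, "suspicious": suspicious}


def make_fake_apk() -> bytes:
    """Constructed stand-in for an APK: a ZIP with placeholder manifest and dex entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("AndroidManifest.xml", "<manifest/>")
        archive.writestr("classes.dex", b"dex\n035\0" + b"\0" * 32)
    return buf.getvalue()


def make_fake_mp4() -> bytes:
    """Constructed MP4 header: box size, 'ftyp', major brand, minor version, compatible brands."""
    return b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom" + b"\x00" * 16


if __name__ == "__main__":
    for declared, name, blob in [
        ("video/mp4", "clip.mp4", make_fake_mp4()),
        ("video/mp4", "funny_cat.mp4", make_fake_apk()),  # what an EvilVideo message looked like
    ]:
        print(check_attachment(declared, name, blob))
```

The decision is deliberately one-sided: a genuine video whose container the sniffer does not recognise is left alone, while anything claiming to be video and carrying a ZIP header is flagged, which is the only case the EvilVideo disguise relied on.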

California's Major Trial Court Falls Victim to Ransomware Attack

 


The computer systems of the Superior Court of Los Angeles County, the largest trial court in the United States, have been taken down by a ransomware attack. Court officials said they were investigating the incident. As soon as the court learned that its network had been compromised, it disabled its systems, which were expected to remain down until at least the weekend. 

A preliminary investigation found no evidence that users’ data had been compromised. Court officials said the court was closed on Monday because the attack, which struck late the previous week, had shut down its computer systems, including the court’s library and many other departments. 

The court became aware of the attack early on Friday morning and disabled every system connected to its network; the systems stayed offline throughout the weekend. The county’s 36 courthouses remained open to the public on Friday, but there were no courthouse operations on Monday. In a statement on Friday morning, officials said they did not believe the attack was related to the faulty CrowdStrike software update that disrupted airlines, hospitals and governments worldwide that same day. 

KCAL, the CNN affiliate in Los Angeles, reported on Monday that the court system remained closed while it worked to recover. 

Serving more than 10 million residents through 36 courthouses, the Superior Court of Los Angeles County is the largest unified trial court in the country; in 2022 it handled nearly 1.2 million case filings and almost 2,200 jury trials. In a statement published on the court’s website, Presiding Judge Samantha P. Jessner said: “The Court has been experiencing a cyber-attack which has resulted in almost all of our network systems being shut down.” She said that, during the unprecedented attack on Friday, the court had contained the damage to its network, ensured data integrity and confidentiality, and ensured future network stability and security, and that all 36 courthouses would reopen on Tuesday, July 23, thanks to the tireless dedication of the staff and security experts who helped restore the court to full operation. Court users were warned to expect delays and other impacts from limited functionality.

Play Ransomware Group is Targeting VMWare ESXi Environments

 

Play ransomware is the latest ransomware gang to deploy a dedicated Linux locker for encrypting VMware ESXi virtual machines. Trend Micro, whose analysts discovered the new variant, reports that the locker checks whether it is running in an ESXi environment before executing and is built to evade detection on Linux systems.

"This is the first time that we've observed Play ransomware targeting ESXi environments," Trend Micro stated. "This development suggests that the group could be broadening its attacks across the Linux platform, leading to an expanded victim pool and more successful ransom negotiations."

This has been a well-established trend for years: most ransomware operations have turned their attention to ESXi virtual machines as companies moved data storage and critical application hosting onto them for their far more efficient use of hardware. Taking down an organisation’s ESXi VMs causes significant business disruption and outages, and encrypting the VM files together with backups severely limits the victim’s ability to restore.

While examining this Play ransomware sample, Trend Micro discovered that the ransomware gang leverages URL-shortening services provided by a threat actor known as Prolific Puma. 

Once launched, the Play Linux samples enumerate and power down every VM found in the compromised environment, then encrypt the VM files (disk, configuration and metadata files), appending the .PLAY extension to each file name. According to Trend Micro, the encryptor runs a specific routine to shut down all running VMware ESXi virtual machines first so that their files can be encrypted. 
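For a responder, the observable artefact of the behaviour just described is a datastore full of VM files with a trailing .PLAY suffix. The script below is an added example, not Trend Micro's or the locker's code: given a flat list of datastore paths (as a file listing would produce), it groups encrypted and intact VM files by VM directory so the affected guests can be identified. The listing it walks is constructed; the set of VM file extensions it treats as VM state is an assumption drawn from common ESXi file layouts.

```python
"""Find VM files on an ESXi datastore that carry the .PLAY suffix and group them by VM.

Added example, not Trend Micro's or the ransomware's code. The locker appends
.PLAY to each encrypted disk, configuration and metadata file; this walker
reports, per VM directory, how many VM files are encrypted and how many are
still intact. The listing below is constructed, not from a real incident.
"""
import posixpath
from collections import defaultdict

RANSOM_EXT = ".PLAY"
# Extensions of the per-VM files a locker targets: disks, config, snapshot metadata, NVRAM.
# (Assumed set based on the usual ESXi VM layout.)
VM_FILE_EXTS = {".vmdk", ".vmx", ".vmxf", ".vmsd", ".vmsn", ".nvram"}


def classify(path: str):
    """Return (vm_directory, original_extension, encrypted) for one datastore path."""
    directory, name = posixpath.split(path)
    encrypted = name.endswith(RANSOM_EXT)
    original = name[: -len(RANSOM_EXT)] if encrypted else name
    ext = posixpath.splitext(original)[1].lower()
    return directory, ext, encrypted


def summarize(paths):
    """Per VM directory: how many VM files are encrypted vs. intact, and which types were hit."""
    report = defaultdict(lambda: {"encrypted": 0, "intact": 0, "hit_types": set()})
    for path in paths:
        vm_dir, ext, encrypted = classify(path)
        if ext not in VM_FILE_EXTS:
            continue  # logs and datastore housekeeping files are not VM state
        entry = report[vm_dir]
        if encrypted:
            entry["encrypted"] += 1
            entry["hit_types"].add(ext)
        else:
            entry["intact"] += 1
    return dict(report)


def affected_vms(paths):
    """Directories (one per VM) holding at least one encrypted VM file, sorted."""
    return sorted(d for d, e in summarize(paths).items() if e["encrypted"])


SAMPLE_LISTING = [  # constructed paths, not from a real incident
    "/vmfs/volumes/ds1/web01/web01.vmx.PLAY",
    "/vmfs/volumes/ds1/web01/web01.vmdk.PLAY",
    "/vmfs/volumes/ds1/web01/web01-flat.vmdk.PLAY",
    "/vmfs/volumes/ds1/web01/web01.nvram",
    "/vmfs/volumes/ds1/web01/vmware.log",
    "/vmfs/volumes/ds1/db02/db02.vmx",
    "/vmfs/volumes/ds1/db02/db02.vmdk",
]

if __name__ == "__main__":
    for vm_dir, entry in summarize(SAMPLE_LISTING).items():
        print(vm_dir, entry)
    print("affected:", affected_vms(SAMPLE_LISTING))
```

Feeding the output of an ESXi `find /vmfs/volumes -type f` into `summarize` gives a quick map of which guests were hit and which still have restorable files; a VM whose descriptor `.vmx` is intact but whose `.vmdk` is encrypted is a different recovery case from one where everything was renamed.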

The Play ransomware emerged in June 2022, with the first victims seeking help in BleepingComputer forums. Its operators are infamous for stealing sensitive information from compromised devices, which they then use in double-extortion attempts to force victims into paying a ransom under the threat of releasing the stolen data online.

Rackspace, the City of Oakland in California, Arnold Clark, the Belgian city of Antwerp, and Dallas County are among the high-profile victims of Play ransomware. In December, the FBI issued a joint advisory with CISA and the Australian Cyber Security Centre (ACSC) warning that the group had breached about 300 organisations worldwide as of October 2023.

Canada’s Oil and Gas Sector Faces Rising Cybersecurity Threats Amid Digital Transformation

 

Canada’s oil and gas sector, a vital part of its economy, contributes approximately $120 billion, or about 5% of the country’s Gross Domestic Product (GDP). This industry not only drives economic growth but also supports essential services such as heating, transportation, and electricity generation, playing a crucial role in national security. However, the increasing digital transformation of Operational Technology (OT) within this sector has made it more vulnerable to cyber threats, according to a report by the Canadian Centre for Cyber Security.

A survey conducted by Statistics Canada revealed that around 25% of all Canadian oil and gas organizations reported experiencing a cyber incident in 2019. This is the highest rate of reported incidents among all critical infrastructure sectors, highlighting the urgent need for improved cybersecurity measures in Canada. While the digital transformation of OT systems enhances management and productivity, it also expands the attack surface for cyber actors, exposing these systems to various cyber threats.

The Canadian Centre for Cyber Security's report indicates that medium- to high-sophistication cyber threat actors are increasingly targeting organizations indirectly through their supply chains. This tactic enables attackers to gain valuable intellectual property and information about the target organization’s networks and OT systems. The reliance of large industrial asset operators on a diverse supply chain—including laboratories, manufacturers, vendors, and service providers—creates critical vulnerabilities that cyber actors can exploit to access otherwise protected IT and OT systems.

The report emphasizes that cybercriminals driven by financial gain pose the most significant threat to the oil and gas sector. Business Email Compromise (BEC) schemes and ransomware attacks are particularly prevalent. Although BEC is more common and costly, ransomware remains a primary concern due to its potential to disrupt the supply of oil and gas to customers.

The evolving cybercriminal ecosystem, including ransomware-as-a-service (RaaS) models, allows even less skilled attackers to launch sophisticated attacks, resulting in an increase in successful incidents targeting the sector. The report cites the Colonial Pipeline ransomware attack in May 2021 as a stark example of the potential consequences of such cyber incidents. This attack forced the shutdown of a major fuel pipeline in the U.S., leading to significant disruptions, panic buying, and price spikes. Similar incidents could occur in Canada, jeopardizing the supply of essential products and services.

Financial Implications of Data Breaches

The report also highlights the financial implications of cyber threats. The cost of a data breach can vary significantly, with estimates suggesting it can reach millions of dollars depending on the organization's size and nature. The potential for disruption or sabotage of OT systems poses a costly threat to owner-operators of large OT assets, impacting national security, public safety, and the economy.

The Canadian Centre for Cyber Security notes that the oil and gas sector attracts considerable attention from financially motivated cyber threat actors due to the high value of its assets. Cybercriminals target not only operational systems but also valuable intellectual property, business plans, and client information. Protecting these assets is crucial, as the disruption of operations could have far-reaching consequences.

In light of these threats, the report urges organizations within the oil and gas sector to prioritize cybersecurity investments and adopt a proactive approach to risk management. Continuous training and awareness programs for employees are essential to mitigate risks associated with human error, a significant factor in successful cyber attacks.

The Canadian Centre for Cyber Security stresses the need for collaboration between public and private sectors to combat cyber threats effectively. By sharing information and best practices, organizations can better prepare for and respond to cyber incidents.

Overall, the findings from the Canadian Centre for Cyber Security highlight the pressing need for enhanced cybersecurity measures within Canada’s oil and gas sector. With cyber threats on the rise, organizations must take proactive steps to safeguard their operations and ensure the resilience of this critical infrastructure. The time to act is now, as the stakes have never been higher in the fight against cybercrime.

Smishing Exposed: How to Recognize, Report and Prevent Text Message Scams

 


In cybersecurity, SMS phishing (smishing) is phishing delivered to a user’s mobile device by text message. Phishing is a scam in which victims are tricked into handing sensitive information to an attacker posing as someone they trust. Smishing is usually carried out with fraudulent websites or malware, and it arrives not only over SMS but through any messaging channel on the phone, including data-based messaging apps. 

Earlier this year, attackers stole the personal information, including health information, of more than 13 million Australians in one of the country’s biggest cyberattacks. Keeping a phone’s operating system up to date may seem a small thing, but it closes the holes that malware delivered through such messages relies on. And if a message has an urgent feel to it, it is important to stay calm. 

Be wary of urgent messages from unknown numbers and approach them calmly; the sender is probably not someone looking out for your best interests. A reply that comes back from a short (for example, two-digit) number is most likely from a scammer whose real phone number is hidden behind an email-to-text service: a credible business, or your friends and family, would be unlikely to contact you through such a service.

The best way to protect an account is to turn on two-factor or multi-factor authentication wherever it is offered, which keeps data away from prying eyes even if a password leaks. Never send a password by text message. If a password or account recovery code has to be entered, enter it directly into the official app or website rather than in reply to a message.  

MediSecure announced on Thursday that customer data had been stolen over the preceding couple of weeks and that an unknown number of records had been uploaded to the dark web. The company was alerted to the breach on April 13, when suspicious ransomware was found on a server holding sensitive personal health data, and publicly confirmed it in May, almost a month after it was first discovered. 

One of the best ways to keep information safe is to contact the company that supposedly sent the text. This is especially useful for messages that claim to come from a bank: contact the bank directly to check. A bill or statement normally carries a direct phone number on which a human representative can be reached with any questions or concerns. 

Do not click any links in the text, and do not answer any questions it asks. Smishing, phishing carried out over SMS, relies on deceptive tactics and technical manipulation to exploit victims’ trust and gather sensitive information. 

This method mirrors traditional email phishing but leverages the immediacy and personal nature of text messaging to lower recipients' defences. The approach begins with the attacker sending text messages, often personalized with the recipient's name and location, to create a sense of familiarity and legitimacy. These messages typically contain links to malicious websites or apps designed to extract private information or install malware on the victim's smartphone. 

To enhance credibility, attackers may use spoofing techniques to conceal their identity by displaying false sender information or utilizing email-text services to obfuscate their phone numbers. This masking helps them appear as legitimate entities such as banks, government agencies, or well-known organizations, thereby increasing the likelihood that recipients will comply with their requests. Social engineering plays a pivotal role in smishing attacks by exploiting human psychology and emotions. 

Attackers craft messages that evoke urgency, fear, or curiosity, prompting recipients to act hastily without due skepticism. By manipulating these emotions, attackers override critical thinking and persuade victims to divulge sensitive information or click on malicious links. The success of a smishing attack hinges on the recipient's response to the initial bait message. Once a victim interacts with the malicious link or provides personal details, attackers proceed to exploit this information for financial gain or identity theft purposes. 

Common objectives include unauthorized access to bank accounts, fraudulent credit card applications, or the unauthorized disclosure of sensitive corporate data. Mitigating the risk of smishing involves maintaining awareness of common tactics used by attackers and adopting security best practices. These include avoiding clicking on links from unknown or suspicious sources, verifying the authenticity of messages through official channels, and refraining from disclosing sensitive information via text messages. 

Furthermore, enabling two-factor authentication (2FA) wherever possible adds a layer of security by requiring a secondary form of verification before accessing accounts or services. By remaining vigilant and informed about the tactics employed by smishing attackers, individuals and organizations can better protect themselves against these increasingly sophisticated cyber threats.
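The indicators this article lists (a link, urgency wording, a request to hand over a password or code, and a sender that is a short code or email-to-text gateway rather than a full phone number) can be turned into a simple scorer. The block below is an added example and not code from the original article; the messages it scores are constructed, the sender numbers are placeholders, and the keyword lists are an assumption, not a vetted corpus. Legitimate services also deliver one-time codes from short codes, so that signal alone is scored low and the credential pattern matches only a request for a secret, not its delivery.

```python
"""Score an SMS for the smishing indicators described above.

Added example; not code from the original article. Each indicator adds one
point: a link, urgency language, a request to supply a credential or code, and
a short-code or email-to-text sender. Keyword lists and sample messages are
constructed for illustration.
"""
import re

URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.IGNORECASE)
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|suspended|locked|final notice|act now|within 24 hours)\b",
    re.IGNORECASE,
)
# A *request* for a secret ("confirm your password"), not a code being delivered to you.
CREDENTIAL_REQUEST_RE = re.compile(
    r"\b(reply|send|enter|confirm|provide|verify)\s+(with\s+)?(your\s+)?"
    r"(password|passcode|otp|pin|code|card number|account number)\b",
    re.IGNORECASE,
)


def sender_is_short_code(sender: str) -> bool:
    """True for short numeric codes or addresses that come from email-to-text gateways."""
    if "@" in sender:
        return True
    digits = re.sub(r"\D", "", sender)
    # A full E.164 number is 7+ digits and usually carries a leading '+'.
    return digits.isdigit() and len(digits) <= 6 and not sender.startswith("+")


def score_sms(sender: str, body: str) -> dict:
    """Return the indicator count, the reasons, and a coarse verdict for one message."""
    reasons = []
    if URL_RE.search(body):
        reasons.append("contains a link")
    if URGENCY_RE.search(body):
        reasons.append("urgency language")
    if CREDENTIAL_REQUEST_RE.search(body):
        reasons.append("asks you to supply a credential or code")
    if sender_is_short_code(sender):
        reasons.append("short-code or email-to-text sender")
    score = len(reasons)
    verdict = "likely smishing" if score >= 2 else ("low" if score == 1 else "no indicators")
    return {"sender": sender, "score": score, "reasons": reasons, "verdict": verdict}


SAMPLES = [  # constructed messages; numbers are placeholders
    ("48", "URGENT: your account has been suspended. Confirm your password at http://secure-login.example/verify"),
    ("+15555550123", "Running late, dinner at 7?"),
    ("32665", "Your verification code is 482913. Do not share it with anyone."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(score_sms(sender, body))
```

The third sample is the important edge case: a genuine one-time code from a short code scores only one point, because the pattern looks for a demand that the recipient send a secret back, which is what the article says never to do, rather than for the word "code" on its own.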

U.S. Government Escalates Sanctions to Combat Rising Cybersecurity Threats

 

In a significant move to combat rising cyber threats, the U.S. government has intensified its use of sanctions against cybercriminals. This escalation comes in response to an increasing number of ransomware attacks and other cybercrimes targeting American infrastructure, businesses, and individuals. The latest sanctions target hackers and cyber groups responsible for some of the most severe breaches in recent history. 

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has spearheaded these efforts. By freezing assets and prohibiting transactions with designated individuals and entities, OFAC aims to disrupt the financial networks that support these cybercriminal operations. This strategy seeks not only to punish those directly involved in cyber attacks but also to deter future incidents by raising the financial and operational costs for would-be hackers. 

One of the key targets of these sanctions is the notorious ransomware group, Conti. This group has been linked to numerous high-profile attacks, including the devastating breach of Ireland’s Health Service Executive in 2021, which disrupted healthcare services nationwide. By imposing sanctions on Conti and associated individuals, the U.S. government aims to dismantle the group’s operational capabilities and limit its reach. 

In addition to Conti, the sanctions list includes individuals connected to Evil Corp, a cybercrime syndicate known for deploying Dridex malware. This malware has been used to steal financial information and execute large-scale ransomware attacks. The sanctions against Evil Corp reflect a broader strategy to target the infrastructure and personnel behind such sophisticated cyber threats. The increase in sanctions also aligns with international efforts to tackle cybercrime. The U.S. has collaborated with allies to coordinate sanctions and share intelligence, creating a united front against global cyber threats. 

This cooperation underscores the recognition that cybercrime is a transnational issue requiring a collective response. Despite these aggressive measures, the fight against cybercrime is far from over. Cybercriminals continually evolve their tactics, finding new ways to bypass security measures and exploit vulnerabilities. The U.S. government’s approach highlights the need for ongoing vigilance, robust cybersecurity practices, and international collaboration to effectively combat these threats. 

In addition to sanctions, the U.S. government is investing in enhancing its cyber defenses. This includes increasing funding for cybersecurity initiatives, promoting public-private partnerships, and encouraging the adoption of best practices across critical sectors. These efforts aim to build resilience against cyber attacks and ensure that the country can swiftly respond to and recover from incidents when they occur. The impact of these sanctions is already being felt within the cybercriminal community. Reports indicate that some groups are experiencing difficulties in accessing funds and recruiting new members due to the increased scrutiny and financial restrictions. 

While it is too early to declare victory, these sanctions represent a significant step in disrupting the operations of major cyber threats. In conclusion, the U.S. government’s use of sanctions against cybercriminals marks a critical development in the fight against cyber threats. By targeting the financial networks that sustain these operations, the government aims to weaken and deter cybercriminals. However, the dynamic nature of cybercrime necessitates continuous adaptation and international cooperation to protect against evolving threats. 

WazirX Responds to Major Cyberattack with Trading Halt and Bounty Program

 

In the wake of a significant cyberattack, WazirX, one of India’s foremost cryptocurrency exchanges, has taken drastic measures to mitigate the damage. The exchange announced a halt in trading and introduced a bounty program aimed at recovering stolen assets. This attack has severely impacted their ability to maintain 1:1 collateral with assets, necessitating immediate action. 

In a series of posts on X, WazirX detailed their response to the breach. They have filed a police complaint and reported the incident to the Financial Intelligence Unit (FIU) and CERT-In. Co-founder Nischal Shetty emphasized the urgency of the situation, stating that the exchange is reaching out to over 500 other exchanges to block the identified addresses associated with the stolen funds. This broad collaboration is essential as the stolen assets move through various platforms. 

To further their recovery efforts, WazirX is launching a bounty program to incentivize individuals and entities to help freeze or recover the stolen assets. This initiative is part of a broader strategy to trace the stolen funds and enhance the security measures of the exchange. The team is also consulting with several expert groups specializing in cryptocurrency transaction tracking to provide continuous monitoring and support during the recovery process. The exchange expressed gratitude for the support from the broader Web3 ecosystem, underscoring the need for a collective effort to resolve the issue and maintain the integrity of the Web3 community. 

Shetty mentioned that the team is conducting a thorough analysis to understand the extent of the damage caused by the attack. This analysis is crucial for developing an effective recovery plan and ensuring that all possible measures are taken to protect customer funds. In addition to their internal efforts, WazirX is working closely with forensic experts and law enforcement agencies to identify and apprehend the perpetrators. This collaboration aims to ensure that those responsible are brought to justice and that as many stolen assets as possible are recovered. 

The cyberattack has resulted in a substantial loss of approximately $235 million, making it one of the largest hacks of a centralized exchange in recent history. Crypto investigator ZachXBT revealed that the main attacker’s wallet still holds over $104 million in funds, which have yet to be offloaded. 

This highlights the ongoing challenges and complexities of securing digital assets in the ever-evolving cryptocurrency landscape. WazirX’s proactive measures and the support from the broader community will be crucial in navigating this crisis and reinforcing the security frameworks essential for the future of cryptocurrency exchanges.

Vietnamese Hackers Target Indian Users with Fake WhatsApp E-Challan Messages

 

A sophisticated Android malware campaign run by Vietnamese hackers is currently targeting Indian users with fake traffic e-challan (fine notice) messages on WhatsApp. Researchers at the cybersecurity firm CloudSEK have identified the malware as part of the Wromba family. So far it has infected over 4,400 devices and produced fraudulent transactions of more than ₹16 lakh by a single scam operator. 

Vikas Kundu, a threat researcher at CloudSEK, reported that these scammers send messages impersonating Parivahan Sewa or Karnataka Police, tricking recipients into downloading a malicious app. Once the link in the WhatsApp message is clicked, it leads to the download of a harmful APK disguised as a legitimate application. This malware then requests excessive permissions, including access to contacts, phone calls, SMS messages, and even the ability to become the default messaging app. By intercepting OTPs and other sensitive messages, the attackers can log into victims’ e-commerce accounts, purchase gift cards, and redeem them undetected. 

Kundu explained that once the app is installed, it extracts all contacts from the infected device, enabling the scam to propagate further. Additionally, all SMS messages are forwarded to the attackers, allowing them access to various e-commerce and financial apps. The attackers cleverly use proxy IPs to avoid detection and maintain a low transaction profile. The report indicates that the attackers have accessed 271 unique gift cards, conducting transactions worth ₹16,31,000. 
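The permission set described above (SMS receive/read, contacts, calls, and a bid to become the default messaging app) is what lets the app intercept OTPs and spread through the victim's contacts, and it can be triaged straight from the manifest. The block below is an added example, not CloudSEK's code. It assumes the manifest has already been decoded to plain XML (APKs store it as binary XML; apktool is one tool that decodes it); the two manifests it checks are constructed and their package names are hypothetical.

```python
"""Triage a decoded AndroidManifest.xml for the e-challan malware permission pattern.

Added example; not CloudSEK's code. Flags SMS, contacts and call permissions
and checks whether the app registers the intent actions needed to become the
default SMS handler, which is what lets it read every OTP. Manifests below are
constructed with hypothetical package names.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (OTPs)",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.SEND_SMS": "send SMS from the device",
    "android.permission.READ_CONTACTS": "harvest contacts for further spread",
    "android.permission.READ_CALL_LOG": "read call history",
    "android.permission.CALL_PHONE": "place calls without user confirmation",
}
# Intent actions an app must handle to be eligible as the default SMS app.
DEFAULT_SMS_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.RESPOND_VIA_MESSAGE",
}


def triage_manifest(xml_text: str) -> dict:
    """Return flagged permissions, default-SMS intent, and a coarse verdict."""
    root = ET.fromstring(xml_text)
    requested = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    flagged = {p: RISKY_PERMISSIONS[p] for p in requested if p in RISKY_PERMISSIONS}
    actions = {el.get(NAME_ATTR) for el in root.iter("action")}
    wants_default_sms = bool(actions & DEFAULT_SMS_ACTIONS)
    sms_access = bool(requested & {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"})
    # SMS access plus contacts is the OTP-theft-and-propagation combination described above.
    otp_theft_and_spread = sms_access and "android.permission.READ_CONTACTS" in requested
    if wants_default_sms or otp_theft_and_spread:
        verdict = "high"
    elif flagged:
        verdict = "medium"
    else:
        verdict = "low"
    return {
        "package": root.get("package"),
        "flagged": flagged,
        "wants_default_sms": wants_default_sms,
        "otp_theft_and_spread": otp_theft_and_spread,
        "verdict": verdict,
    }


SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.echallan">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="Traffic Challan">
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    print(triage_manifest(SUSPICIOUS_MANIFEST))
    print(triage_manifest(BENIGN_MANIFEST))
```

A government fee-payment app has no reason to receive SMS or read contacts; the verdict here is "high" before any dynamic analysis, which is the point of reviewing permissions before install as the advice in this article recommends.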

Gujarat has been identified as the most affected region, followed by Karnataka. To guard against such malware threats, CloudSEK advises users to stay vigilant and adopt security best practices. These include installing apps only from trusted sources like the Google Play Store, regularly reviewing and limiting app permissions, maintaining updated systems, and enabling alerts for banking and sensitive services. This campaign underscores the growing sophistication of cyber threats and the importance of robust cybersecurity measures. 

As cybercriminals continue to develop new methods to exploit vulnerabilities, it is crucial for users to remain cautious and proactive in protecting their personal and financial information. Collaboration between cybersecurity firms and users is essential to effectively combat these evolving threats and safeguard against future incidents. By staying informed and adopting best practices, users can significantly reduce their risk of falling victim to such malicious campaigns.

Ascension Health System Hit by Cyberattack, Personal Data Likely Compromised

 



In a recent cybersecurity incident, Ascension, a major health system, has disclosed that cybercriminals stole files potentially containing personal information. This comes about a month after Ascension initially reported falling victim to a ransomware attack.

Ascension revealed that the attackers managed to extract files from seven of its 25,000 file servers. While the investigation is ongoing, preliminary findings suggest that these files may include protected health information and personally identifiable information. However, Ascension has yet to determine the exact data compromised or the specific patients affected.

Despite the breach, Ascension reported no evidence indicating that data from its electronic health records were stolen. The attack was traced back to an employee inadvertently downloading a malicious file, mistaking it for a legitimate document.

In response to the attack, Ascension is offering free credit monitoring and identity theft protection services to patients and employees. Those interested in these services can call 1-888-498-8066 to enrol. 

The attack, discovered on May 8, caused major disruptions across Ascension’s network. Some elective surgeries and appointments were postponed, and one hospital in Illinois temporarily diverted ambulances to other facilities. Nurses at several hospitals faced problems such as difficulty accessing doctors’ orders for medications and tests, and disruption to their standard procedures for administering medication.

Ascension Illinois has recently restored its primary technology for electronic patient documentation, allowing hospitals and doctors' offices to resume electronic documentation, charting, and order sending. This restoration marks a crucial step in returning to normal operations.

This incident at Ascension is part of a troubling trend of cyberattacks targeting healthcare institutions. Earlier this year, Lurie Children’s Hospital in Chicago and the University of Chicago Medical Center also faced cyber incidents. Healthcare systems are prime targets for cybercriminals due to their size, reliance on technology, and the vast amounts of sensitive data they handle, according to the U.S. Department of Health and Human Services.

As cyber threats expand their territory, healthcare systems must remain vigilant and enhance their cybersecurity measures to protect sensitive patient information. The Ascension attack underscores the critical need for robust security protocols and employee awareness to prevent future breaches.


Cyberattack Exposes Patient Data in Leicestershire

 

A recent cyberattack has compromised sensitive patient data in Leicestershire, affecting several healthcare practices across the region. The breach, which targeted electronic patient records, has led to significant concerns over privacy and the potential misuse of personal information. Those impacted by the attack have received notifications detailing the breach and the measures being taken to secure their data and prevent further incidents.  

Healthcare providers in Leicestershire are collaborating with cybersecurity experts and law enforcement agencies to investigate the breach, identify the perpetrators, and implement enhanced security measures. The goal is to protect patient information and prevent similar incidents in the future. Patients are advised to be vigilant, monitor their personal information closely, and report any suspicious activity to the authorities. The exposed data includes names, contact details, and medical records, all of which are highly sensitive and valuable to cybercriminals. The breach underscores the growing threat of cyberattacks in the healthcare sector, where such information is frequently targeted. 

In response, affected practices have taken immediate steps to bolster their cybersecurity protocols and provide support to those impacted. In addition to enhancing security measures, healthcare providers are committed to maintaining transparency and keeping patients informed about the investigation’s progress and any new developments. This commitment is crucial in rebuilding trust and ensuring that patients feel secure in the handling of their personal information. The healthcare sector has increasingly become a prime target for cyberattacks due to the vast amounts of sensitive data it holds. This incident in Leicestershire serves as a stark reminder of the vulnerabilities within our digital systems and the importance of robust cybersecurity measures. The breach has highlighted the need for constant vigilance and proactive steps to protect sensitive information from cyber threats. 

In the aftermath of the breach, healthcare providers are focusing on not only addressing the immediate security concerns but also on educating patients about the importance of cybersecurity. Patients are being encouraged to take measures such as changing passwords, enabling two-factor authentication, and being cautious about sharing personal information online. As the investigation continues, healthcare providers are committed to working closely with cybersecurity experts to strengthen their defenses against future attacks. 

This collaborative effort is essential in safeguarding patient data and ensuring the integrity of healthcare systems. The Leicestershire data breach is a significant event that underscores the critical need for heightened security measures in the healthcare sector. It calls for a concerted effort from both healthcare providers and patients to navigate the challenges posed by cyber threats and to work together in creating a secure environment for personal information. 

By taking proactive steps and fostering a culture of cybersecurity awareness, the healthcare sector can better protect itself and its patients from the ever-evolving landscape of cyber threats.

Hacker Subscription Service Exposes 600,000 Bank Card Details

 

A disturbing new hacker subscription service has emerged, offering access to 600,000 stolen bank card details for a fee of just £120. This service, identified by cybersecurity researchers from Flare, is named “Breaking Security” and allows its subscribers to exploit stolen bank card information for various illicit activities, including unauthorized transactions and identity theft. 

The service provides subscribers with detailed information about the compromised cards, including card numbers, expiration dates, and CVV codes. This data enables hackers to make online purchases or even clone the cards for physical transactions. The subscription service’s affordability and extensive database make it particularly dangerous, as it lowers the barrier for individuals seeking to engage in cybercrime. Flare’s researchers have highlighted the significant threat posed by Breaking Security, noting that such services are part of a growing trend in the cybercrime industry. These services make it easier for less technically skilled individuals to access sophisticated tools and data, leading to a rise in cybercrimes. 

The availability of such a service underscores the evolving nature of cyber threats and the increasing sophistication of criminal networks. Authorities are currently investigating Breaking Security to identify and apprehend the perpetrators behind the service. Law enforcement agencies are working to mitigate the impact on the affected individuals and prevent further exploitation of the stolen card data. The investigation is focused on tracking down the source of the data breach and the infrastructure supporting the subscription service. This incident highlights the critical importance of robust cybersecurity measures for both individuals and organizations. 

For individuals, it is crucial to regularly monitor bank statements for unauthorized transactions and to use security features such as two-factor authentication wherever possible. Organizations, on the other hand, must invest in comprehensive security solutions to protect sensitive data and detect breaches promptly. The emergence of Breaking Security also points to a broader issue within the cybercrime ecosystem. As long as there is a market for stolen data, cybercriminals will continue to find innovative ways to monetize their activities. 

This calls for a coordinated effort between law enforcement, cybersecurity experts, and financial institutions to dismantle such operations and safeguard against future threats. In conclusion, the discovery of the Breaking Security subscription service represents a significant threat to financial security and privacy. The service’s ability to provide extensive access to stolen bank card details for a relatively low cost is alarming. It underscores the need for enhanced vigilance and proactive measures to combat the growing menace of cybercrime. 

As investigations continue, it is essential for individuals and organizations to remain vigilant and take necessary steps to protect themselves from such sophisticated threats.

Unveiling the Mule Accounts Menace in Modern Money Laundering

 


In a recent statement, a member of the RBI's board of governors has urged banks to step up efforts against mule accounts. According to Piyush Shukla, money mules in India do much more than move money. A mule account is a bank account that receives funds from illegal activities and then transfers them on to other accounts, serving as a bridge for money laundering and other illegal practices. 

It is not uncommon in India to come across people who offer their own bank accounts for use as mule accounts in exchange for payment. The onboarding process does not catch accounts handed over this way, which makes them harder to detect. They can still be stopped: the right controls and monitoring of the user's behaviour throughout the lifecycle of the account offer the strongest protection. 

Last November, six people were reportedly arrested in Bengaluru over the alleged operation of 126 mule accounts. Earlier this week the Reserve Bank of India (RBI) raised concerns that certain banks hold a huge number of fraudster accounts used by their customers for fraudulent transactions and loan evergreening. In a move to curb digital fraud, Shaktikanta Das, the governor of the Reserve Bank of India, has directed banks to crack down on the use of mule accounts and to increase customer awareness and education initiatives.

Money mules can generally be categorized into five kinds based on their level of complicity in a money laundering scheme and the way they are employed. A victim mule is a person who is unaware that their account has been compromised and is being abused by a fraudster to launder money; the victim's account details were most likely leaked in a data breach. 

Money mules can also be misled parties, who are tricked into sending and receiving money on behalf of fraudsters in the belief that the money is clean. Mules frequently respond to job advertisements that involve executing transactions on behalf of an "employer". One of the most common types of money mule is the deceiver, who opens new accounts using stolen or synthetic identities to send and receive stolen funds. 

Money is also muled through "peddlers", people who sell their account information to fraudsters, who then use it to send and receive stolen funds. Mules can also be accomplices, who open a new account in their own name or use an existing one to send and receive funds at the direction of a fraudster. A study by BioCatch, a digital fraud detection company, found that nine out of ten mule accounts at one of its Indian partners had gone undetected. 

During the first month of documented mule account activity, 86% of sessions originated from within India; after a month that share dropped to just 20%, and 16% of sessions used a VPN to access the accounts. Bhubaneswar accounts for the largest share of mule account activity (15%), while Lucknow and Navi Mumbai are each responsible for 3.4%. Two cities in West Bengal, Bhagabatipur and Gobindapur, recorded 1.7% and 2.6% of mule account activity, respectively. In comparison, Mumbai and Bengaluru reported 2.2% and 1.8% of such activity, respectively. 

To help customers prevent their bank accounts from becoming mule accounts, the following practices are recommended: 
1. Treat all unexpected communications, especially those offering lucrative, effortless jobs, with scepticism. 
2. Unrealistically high payments for straightforward tasks should raise alarms. 
3. Be wary of job offers with ambiguous descriptions and responsibilities, particularly if money transfers are involved. 
4. Scammers often pressure customers into making swift decisions, such as hurriedly confirming their identity or claiming a reward. Customers must pause and assess their demands carefully. 
5. Be extremely cautious while using unconventional payment methods, such as gift cards or virtual currencies. 

In October 2023, the Reserve Bank of India (RBI) tightened the customer due diligence (CDD) norms by instructing banks and regulated entities to adopt a risk-based approach for periodic updating of know-your-customer (KYC) data. According to the latest Master Directions, the risk-based approach for periodic updating of KYC has been amended to state: “Registered Entities (REs) shall adopt a risk-based approach for periodic updating of KYC, ensuring that the information or data collected under CDD is kept up-to-date and relevant, particularly where it is high-risk.” 

Furthermore, the Master Directions emphasize that instructions on opening accounts and monitoring transactions should be strictly adhered to, to minimize the operations of money mules. These mules are used to launder the proceeds of fraud schemes, such as phishing and identity theft, by criminals who gain illegal access to deposit accounts. 

Banks are required to undertake diligence measures and meticulous monitoring to identify accounts operated as money mules, take appropriate action, and report suspicious transactions to the Financial Intelligence Unit.

Akira Ransomware: The Need for Rapid Response

Threat actors wielding the Akira ransomware demonstrated unprecedented efficiency in a recent cyber attack that sent shockwaves through the cybersecurity community. 

Their lightning-fast data exfiltration took just over two hours, representing a dramatic shift in the average time it takes a cybercriminal to go from first access to information exfiltration and leaving organizations scrambling to respond. Let’s delve into the details of this alarming incident.

Attack Overview

The victim in this case was a Latin American airline. The attackers exploited a vulnerability in their infrastructure, emphasizing the importance of robust security measures for critical industries. They gained entry through an unpatched Veeam backup server, leveraging the Secure Shell (SSH) protocol. Veeam servers are attractive targets due to their tendency to store sensitive data and credentials.

The BlackBerry Threat Research and Intelligence Team has published a summary of a June Akira ransomware assault against a Latin American airline. According to BlackBerry's anatomy of the attack, the threat actor obtained initial access via an unpatched Veeam backup server and promptly began stealing data before deploying the Akira ransomware the next day.

Swift Data Exfiltration

Within a remarkably short timeframe, the threat actors exfiltrated data from the Veeam backup folder. This included documents, images, and spreadsheets. The speed of their operation highlights the need for proactive security practices.

The Culprit: Storm-1567

Storm-1567, a notorious user of the Akira ransomware-as-a-service (RaaS) platform, is the likely perpetrator. Known for double-extortion tactics, Storm-1567 has targeted over 250 organizations globally since emerging in March 2023.

Technical Insights

1. Legitimate Tools and Utilities

The attackers demonstrated technical prowess by using legitimate tools and utilities during the attack. These tools allowed them to:

  • Conduct reconnaissance to identify valuable data.
  • Establish persistence within the compromised network.
  • Efficiently exfiltrate sensitive information.

2. Escalation from Initial Access to Data Theft

Storm-1567’s ability to escalate from initial access to data theft in such a short span underscores their expertise. Organizations must prioritize timely patching and secure backup systems to prevent similar incidents.

Key Takeaways

Patch Promptly 

Regularly update and patch all software, especially critical components like backup servers. Vulnerabilities left unaddressed can lead to devastating consequences.

Backup Security Matters

Secure backup systems are essential. They often contain critical data and serve as gateways for attackers. Implement access controls, monitor for suspicious activity, and encrypt backups.

Threat Intelligence and Vigilance

Stay informed about emerging threats and threat actors. Vigilance and proactive defense are crucial in the ever-evolving landscape of cyber threats.


Major Ransomware Attack Targets Evolve Bank, Impacting Millions

 


An Arkansas-based financial services organization confirmed the incident on July 1, shortly after the ransomware gang published data it claimed had been stolen during the attack on its leak website. According to the company, no ransom was paid, and the stolen data was leaked online as a result. 

Additionally, the bank reported that the attackers had exfiltrated personal information from some of its customers, including names, Social Security numbers, bank account numbers, and contact information. Evolve Bank & Trust, one of the nation's largest financial institutions, has disclosed a data breach posing a massive threat to all 7.64 million individuals it affected. 

After a period of system outages started occurring at the Arkansas-based bank in late May, officials initially thought that a "hardware failure" had caused the outages, but an investigation revealed that the outages were caused by a cyberattack. It was confirmed by Evolve that hackers infiltrated the company's network as early as February. This could have had a significant impact on sensitive customer data. 

Understandably, the official notification letter filed with the Maine Attorney General avoids specific details. Still, the bank has acknowledged that names, Social Security numbers, bank account numbers, and contact information were lost. The bank informed the Maine Attorney General's Office on Monday that the personal information of 7,640,112 individuals was compromised in the attack and that it would provide them with 24 months of credit monitoring and identity protection. 

Also on Monday, Evolve Bank started sending out written notifications to the impacted individuals, explaining that the ransomware attack occurred on May 29 and that the attackers had access to its network since at least February. Evolve did not specify what types of data had been compromised in the filing, but it previously said in a statement on its website that attackers accessed the names, Social Security numbers, bank account numbers, and contact information belonging to its personal banking customers, the personal data of Evolve employees and information belonging to customers of its financial technology partners. 

Several partners are on this list, including Affirm, which recently issued a statement assuring customers that the Evolve breach "may have compromised some personal information and data" of its customers. Evolve's partner Mercury, which offers fintech solutions to businesses, said in a statement on X that the breach exposed "some account numbers, deposit balances, and business owner names as well as emails". 

The money transfer company Wise (formerly TransferWise) confirmed last week that the confidentiality of some of its customers' personal information may have been affected. Evolve confirmed this week that the intrusion was a ransomware attack carried out by the Russia-linked LockBit group. Although LockBit was disrupted earlier this year by a multi-government operation, its administrator remains at large. 

In May the bank discovered that hackers had accessed its systems and identified the intrusion as an attack. After Evolve refused to pay the ransom demand, LockBit released the compromised data on its dark web leak site, which has since been revived. The letter sent to customers states that Evolve's customer database and a file-sharing system were hacked between February and May 2024, during which customer data was accessed and downloaded. 

RaaS groups, like this one, often deploy misinformation or disinformation campaigns alongside cyberattacks as part of their tactics to cause confusion and add maximum impact to their operations. As a result of the breach at Evolve, financial institutions can be reminded of the critical need for them to take robust cybersecurity measures to prevent data breaches in the future. 

Open banking platforms are on the rise, RaaS attacks are ever-present, and warnings about data security threats are growing. Institutions need to prioritize data security and implement strong access controls, encryption, and incident response protocols to keep their data secure.

Lessons from the Ivanti VPN Cyberattack: Security Breaches and Mitigation Strategies

 

The recent cyberattack on Ivanti’s VPN software has prompted swift action from the Cybersecurity and Infrastructure Security Agency (CISA). This incident not only highlights the need for stronger cybersecurity measures but also raises important questions about exploit techniques, organizational responses to security breaches, and the escalating costs associated with downtime. 

The vulnerabilities in Ivanti’s VPN gateway allowed threat actors to bypass authentication and gain unauthorized access. Attackers could send maliciously crafted packets to infiltrate the system without needing to steal credentials, giving them access to user credentials, including domain administrator credentials. A second vulnerability enabled the injection of malicious code into the Ivanti appliance, allowing attackers to maintain persistent access, even after reboots or patches. Security researchers, including Mandiant, identified that Ivanti’s initial mitigations were insufficient. 

CISA warned that Ivanti’s interim containment measures were not adequate to detect compromises, leaving systems vulnerable to persistent threats. This uncertainty about the effectiveness of proposed mitigations necessitated CISA’s prompt intervention. The ability of attackers to gain persistent access to a VPN gateway poses significant risks. From this trusted position, attackers can move laterally within the network, accessing critical credentials and data. The compromise of the VPN allowed attackers to take over stored privileged administrative account credentials, a much more severe threat than the initial breach. In response to the breach, CISA advised organizations to assume that critical credentials had been stolen. 

Ivanti’s failure to detect the compromise allowed attackers to operate within a trusted zone, bypassing zero-trust principles and exposing sensitive data to heightened risks. The severity of the vulnerabilities led CISA to take the unusual step of taking two of Ivanti’s systems offline, a decision made to protect the most sensitive credentials. Despite later clarifications from Ivanti that patches could have been applied more discreetly, the miscommunications highlight the importance of clear, open channels during a crisis. Mixed messages can lead to unnecessary chaos and confusion. System-level downtime is costly, both in terms of IT resources required for shutdown and recovery and the losses incurred from service outages. 

The exact cost of Ivanti’s downtime remains uncertain, but for mission-critical systems, such interruptions are extremely expensive. This incident serves as a warning about the costs of addressing the aftermath of a cyberattack. CISA’s decision to shut down the systems was based on the potential blast radius of the attack. The trusted position of the VPN gateway and the ability to export stored credentials made lateral movement easier for attackers. 

Building systems based on the principle of least privilege can help minimize the blast radius of attacks, reducing the need for broad shutdowns. The Ivanti VPN cyberattack underscores the pressing need for robust cybersecurity measures. Organizations must adopt proactive infrastructure design and response strategies to mitigate risks and protect critical assets. Reducing the number of high-value targets in IT infrastructure is crucial. Privileged account credentials and stored keys are among the highest value targets, and IT leaders should prioritize strategies and technologies that minimize or eliminate such targets. 

NoName Ransomware Group Allegedly Targets Denmark and Finland Over NATO Support


 

The ransomware group NoName has reportedly launched cyberattacks against key institutions in Denmark and Finland, citing their support for NATO as the provocation. The alleged attacks targeted Denmark’s digital identification system MitID, the Finland Chamber of Commerce, and Finland’s largest financial services provider, OP Financial Group.

On a dark web forum, NoName announced these attacks, positioning them as a reaction to Denmark and Finland's recent military and infrastructural actions favouring NATO. The group specifically called out Denmark for training Ukrainian specialists in F-16 fighter jet maintenance:

“Denmark has trained the first 50 Ukrainian specialists in servicing F-16 fighter jets. Most of the specialists have already returned to Ukraine to prepare for the reception of F-16s at local air bases. The training of the first group of Ukrainian pilots continues in Denmark.”

They also criticised Finland for infrastructure upgrades intended to support NATO troops:

“Finland has begun repairing roads and bridges in Lapland to prepare for the deployment of NATO troops on its territory. ERR.EE reports on its change of stance on NATO forces and planned infrastructure work.”

NoName concluded their message with a warning, suggesting that Denmark and Finland's governments had not learned from past mistakes and threatened further actions.

Potential Impact on Targeted Entities

MitID: Denmark's MitID is a crucial component of the country's digital infrastructure, enabling secure access to various public and private services. An attack on this system could disrupt numerous services and damage public trust in digital security.

Finland Chamber of Commerce: The Chamber plays a vital role in supporting Finnish businesses, promoting economic growth, and facilitating international trade. A cyberattack could destabilise economic activities and harm business confidence.

OP Financial Group: As the largest financial services group in Finland, OP Financial Group provides a range of services from banking to insurance. A successful cyberattack could affect millions of customers, disrupt financial transactions, and cause significant economic damage.

Despite the claims, the official websites of MitID, the Finland Chamber of Commerce, and OP Financial Group showed no immediate signs of being compromised. The Cyber Express Team has reached out to these institutions for confirmation but has not received any official responses as of the time of writing, leaving the allegations unconfirmed.

The timing of these alleged cyberattacks aligns with recent military and infrastructural developments in Denmark and Finland. Denmark's initiative to train Ukrainian specialists in F-16 maintenance is a significant support measure for Ukraine amidst its ongoing conflict with Russia. Similarly, Finland's infrastructure enhancements in Lapland for NATO troops reflect its strategic alignment with NATO standards following its membership.

The NoName ransomware group's alleged cyberattacks on Danish and Finnish institutions highlight the increasing use of cyber warfare for political and military leverage. These attacks aim to disrupt critical infrastructure and send a strong message of deterrence and retaliation. The situation remains under close scrutiny, with further updates expected as more information or official responses become available.


FIA Confirms Cyberattack Compromising Email Accounts

 

The Fédération Internationale de l’Automobile (FIA), the governing body overseeing Formula 1 and other major motorsports worldwide, recently disclosed a significant cyberattack. This breach resulted from phishing attacks that compromised personal data within two FIA email accounts, exposing vulnerabilities in the organization’s cybersecurity measures. 

In a brief statement, the FIA confirmed the incidents, detailing that swift action was taken to cut off unauthorized access and mitigate the issue. The organization promptly reported the breach to the French and Swiss data protection regulators, the Commission Nationale de l’Informatique et des Libertés (CNIL) and the Préposé Fédéral à la Protection des Données et à la Transparence, respectively. 

However, the FIA did not disclose specific details regarding the nature of the stolen data, the number of affected individuals, or the identity of the attackers. It also remains unclear whether the hackers demanded any ransom for the compromised data. The FIA, when approached for further information, clarified that these incidents were part of a broader phishing campaign targeting the motorsport sector, rather than a direct and targeted attack on the FIA’s systems. Founded in 1904 in Paris, France, the FIA plays a crucial role in governing numerous prestigious auto racing events, including Formula One, the World Rally Championship, the World Endurance Championship, and Formula E. 

In addition to its sports governance role, the FIA is also an advocate for road safety and sustainable mobility through various programs and campaigns. The organization boasts 242 member organizations across 147 countries, emphasizing its global influence and reach. This incident underscores the persistent cybersecurity threats that organizations face globally. Phishing attacks, in particular, remain a significant threat, as they exploit human vulnerabilities to gain unauthorized access to sensitive information. The FIA’s prompt response to this breach demonstrates its commitment to protecting personal data and maintaining the integrity of its operations. 

However, the incident also highlights the need for ongoing vigilance and robust cybersecurity measures. Cybersecurity experts emphasize the importance of comprehensive security protocols, including regular employee training to recognize and respond to phishing attempts. Organizations must also implement advanced security technologies, such as multi-factor authentication and encryption, to safeguard their digital assets. The evolving nature of cyber threats necessitates a proactive approach to cybersecurity, ensuring that organizations remain resilient against potential attacks. As cyber threats continue to evolve, the FIA and other organizations must remain vigilant and proactive in their cybersecurity efforts. 

The lessons learned from this incident will undoubtedly inform future strategies to protect sensitive information and maintain the trust of stakeholders. The FIA’s experience serves as a reminder of the critical importance of cybersecurity in today’s interconnected digital landscape.

Eldorado Ransomware is Targeting Windows, VMware ESXi VMs

 

Eldorado, a new ransomware-as-a-service (RaaS), was released in March and has locker variations for VMware ESXi and Windows. The gang has already claimed 16 victims, the majority of whom are in the United States and work in real estate, education, healthcare, and manufacturing. 

Researchers at cybersecurity firm Group-IB monitored Eldorado's activity and discovered its operators advertising the malicious service on RAMP forums and looking for skilled affiliates to join the affiliate programme. Eldorado also maintains a data leak site that lists victims, although it was unavailable at the time of writing.

Eldorado is a Go-based ransomware that can encrypt Windows and Linux platforms using two unique variations with numerous operational similarities. The researchers acquired an encryptor from the developer, along with a user manual indicating that 32/64-bit variations are available for VMware ESXi hypervisors and Windows. According to Group-IB, Eldorado is a unique development that does not rely on previously available builder sources. 

The malware encrypts each locked file with the ChaCha20 algorithm, generating a unique 32-byte key and 12-byte nonce. The keys and nonces are then encrypted with RSA under the Optimal Asymmetric Encryption Padding (OAEP) scheme. 

After encryption, files are renamed with the ".00000001" extension, and ransom notes named "HOW_RETURN_YOUR_DATA.TXT" are placed in the Documents and Desktop folders. Eldorado additionally encrypts network shares over the SMB protocol to expand its impact and deletes shadow volume copies from compromised Windows machines to prevent recovery. 

To avoid rendering the system unbootable or unusable, the ransomware skips DLL, LNK, SYS, and EXE files, as well as files and directories associated with system boot and basic operation. Finally, it is configured by default to self-delete in order to avoid detection and analysis by response teams. 

Researchers from Group-IB, who infiltrated the group, claim that affiliates have the ability to customise their attacks. On Windows, for example, attackers can choose which directories to encrypt, skip local files, target network shares on particular subnets, and prevent the malware from deleting itself. However, Linux customisation parameters only allow threat actors to encrypt the directories.
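The host indicators described above (the ".00000001" extension, the "HOW_RETURN_YOUR_DATA.TXT" notes, and the executable types the locker leaves untouched) can be checked for with a simple filesystem sweep. The following is an added example for responders, not code from Group-IB or from the malware; it builds a constructed sample directory so it runs offline.

```python
"""Defender-side sweep for the Eldorado file artifacts described in the write-up.

Added example, not Group-IB's or the malware's code. It walks a directory
tree and reports the host indicators the write-up names: files renamed with
the ".00000001" extension and ransom notes called "HOW_RETURN_YOUR_DATA.TXT".
A constructed sample tree stands in for a compromised user profile.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".00000001"
RANSOM_NOTE = "HOW_RETURN_YOUR_DATA.TXT"
# Extensions the write-up says the locker skips to keep the host bootable;
# finding these intact next to renamed files matches the described behaviour.
SKIPPED_SUFFIXES = {".dll", ".lnk", ".sys", ".exe"}


def scan_for_eldorado_artifacts(root):
    """Return a summary dict of Eldorado-style artifacts found under ``root``."""
    root = Path(root)
    encrypted = []
    notes = []
    untouched_by_ext = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.upper() == RANSOM_NOTE:
                notes.append(path)
            elif name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
            elif path.suffix.lower() in SKIPPED_SUFFIXES:
                untouched_by_ext[path.suffix.lower()] += 1
    # Renamed files together with dropped notes is the high-confidence
    # combination; either indicator alone still deserves triage.
    if encrypted and notes:
        verdict = "likely_eldorado"
    elif encrypted or notes:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "encrypted_files": sorted(str(p.relative_to(root)) for p in encrypted),
        "ransom_notes": sorted(str(p.relative_to(root)) for p in notes),
        "untouched_skipped_types": dict(untouched_by_ext),
    }


def build_sample_tree():
    """Create a constructed directory that mimics a post-encryption user profile."""
    base = Path(tempfile.mkdtemp(prefix="eldorado_demo_"))
    (base / "Documents").mkdir()
    (base / "Desktop").mkdir()
    # Constructed stand-ins for encrypted user documents (contents are dummy bytes).
    (base / "Documents" / "budget.xlsx.00000001").write_bytes(b"\x00" * 16)
    (base / "Desktop" / "photo.jpg.00000001").write_bytes(b"\x00" * 16)
    for folder in ("Documents", "Desktop"):
        (base / folder / RANSOM_NOTE).write_text("constructed ransom note\n")
    # File types the locker leaves alone, so they survive with their names intact.
    (base / "Desktop" / "app.exe").write_bytes(b"MZ")
    (base / "Documents" / "notes.lnk").write_bytes(b"L")
    return base


if __name__ == "__main__":
    sample = build_sample_tree()
    print(scan_for_eldorado_artifacts(sample))
```

Point the scanner at a mounted image or a user profile directory to triage a host; the skipped-type counter is only corroboration and should not be read as a verdict on its own.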

Qilin Attack On London Hospitals Leaves Cancer Patient With No Option

 

The latest figures suggest that nearly 1,500 medical operations have been cancelled at some of London's leading hospitals in the four weeks following Qilin's ransomware attack on pathology services provider Synnovis. But perhaps no one was more severely impacted than Johanna Groothuizen. Hanna, as she goes by, is now without her right breast after having her skin-sparing mastectomy and immediate breast reconstruction surgery swapped with a simple mastectomy at the last minute.

In late 2023, the 36-year-old research culture manager at King's College London—a former health sciences researcher—was diagnosed with HER2-positive breast cancer. It's an aggressive form that requires immediate medical attention as it spreads more quickly and recurs more often. After receiving her diagnosis, Hanna promptly began a course of chemotherapy until she was well enough to undergo what is hoped to be the first and only major surgery to cure the disease. 

She had been informed repeatedly between then and the operation, which was set for June 7—four days after the ransomware attack—that the planned procedure was a skin-sparing mastectomy, allowing surgeons to reconstruct her right breast cosmetically right away.

How the ordeal unfolded, however, was an entirely different story. Doctors gave Hanna less than 24 hours to make the difficult decision of accepting a simple mastectomy or postponing a life-changing treatment until Synnovis' systems were back up. The decision was thrust upon her on Thursday afternoon, prior to her Friday surgery. 

This came after she was compelled to track down the medical staff for updates on whether or not the procedure would even take place. Hanna was informed on Tuesday of that week, the day after Qilin's attack, that regardless of the situation, the staff at St Thomas' Hospital in London intended to proceed with the skin-sparing mastectomy as previously agreed. 

Hanna requested details on Thursday, and it was strongly suggested that the procedure would be cancelled. The hospital deemed the reconstruction part of the procedure too dangerous because Synnovis was unable to sustain blood transfusions until its systems were fully operational.

The ransomware attack was difficult for hospitals to deal with. The situation was so serious that blood supplies were running low barely a week after the attack, prompting an urgent appeal for O-type blood donations. For Hanna, however, this meant having to choose between the surgery she wanted and the surgery that would give her the best chance of survival. The mother of two young children, aged four and two, felt she had no choice but to undergo a simple mastectomy, leaving her with only one breast.

Qilin's attack on Synnovis, a pathology services partnership involving Synlab, Guy's and St Thomas' NHS Foundation Trust, and King's College Hospital NHS Foundation Trust, occurred about five weeks ago as of this writing. According to the most recent NHS bulletin, service disruption remains evident throughout the region, though some services, such as outpatient appointments, are returning to near-normal levels.

Behind the Scenes: How Patelco Responded to the Ransomware Threat


Patelco Credit Union, a prominent financial institution based in Dublin, has been thrust into the spotlight due to a crippling ransomware attack. 

With over half a million members affected, the situation underscores the critical importance of robust cybersecurity measures for financial institutions. In this blog post, we delve into the details of the attack, its implications, and the lessons we can learn from Patelco’s experience.

Patelco Credit Union Ransomware Attack

Four days after a ransomware attack disabled its systems, Patelco Credit Union could not inform its members when banking activities would resume.

The Dublin-based credit union has yet to provide additional information on the security incident that has prevented members from making electronic payments, deposits, or transfers since last weekend.

On Tuesday, customers were still queuing at ATMs and travelling to Patelco locations around the state to withdraw cash, while remaining unable to view their statement balances or any other online banking information.

The Attack Unfolds

The Lockdown: Patelco’s online banking services ground to a halt as the attack unfolded. Members were unable to make electronic payments, access their account balances, or conduct transactions. The situation escalated rapidly, leaving customers frustrated and anxious.

Phishing Email as the Gateway: Cybersecurity experts suspect that the attackers gained entry through a phishing email. These deceptive emails trick recipients into revealing sensitive information or clicking on malicious links. In Patelco’s case, an unwitting employee may have inadvertently provided the attackers with a foothold.

Encryption and Ransom Demand: Once inside Patelco’s systems, the hackers encrypted critical data, effectively locking the credit union out of its own infrastructure. The term “ransomware” aptly describes their next move: they demanded payment in cryptocurrency in exchange for decrypting the files.

The Response

Member Disruptions: Patelco’s half a million members faced significant disruptions. Unable to check balances, transfer funds, or pay bills online, they turned to ATMs and physical branches. The inconvenience was palpable, highlighting the importance of uninterrupted digital services.

Assets and Vulnerabilities: Patelco manages a substantial $9 billion in assets across its 37 branches. The attack raises questions about the security posture of financial institutions. Are credit unions like Patelco adequately protected? Or are they, as some experts suggest, “soft targets” compared to larger banks?

Transparency and Communication: Patelco responded swiftly by creating a dedicated website to keep members informed. Regular updates on the security breach, restoration efforts, and collaboration with cybersecurity experts demonstrate transparency and a commitment to resolving the crisis.

What can be done

  • Invest in Cybersecurity: Financial institutions, regardless of size, must prioritize robust cybersecurity measures. Regular employee training on recognizing phishing attempts, network segmentation, and incident response plans are essential.
  • Backup and Recovery: Regular data backups and tested recovery procedures can mitigate the impact of ransomware attacks. Patelco’s ability to restore services promptly will depend on its preparedness in this area.
  • Third-Party Collaboration: Patelco’s engagement with external cybersecurity experts is commendable. Collaborating with specialists who understand the evolving threat landscape is crucial.
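As an added illustration of the "tested recovery procedures" point above (this is not code from Patelco or from the original post), the following Python script shows one concrete way to make a backup verifiable before relying on it: it builds a SHA-256 manifest of a backup tree, seals the manifest with an HMAC whose key is assumed to be held off the backup host, and later diffs the tree against that manifest to surface files that were overwritten, deleted, or added. The file names, the key and the dropped note name are constructed for the demo.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_of_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        path.relative_to(root).as_posix(): sha256_of_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def seal_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over the canonical JSON form; the key is assumed to live off the backup host."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest: dict, key: bytes, tag: str) -> bool:
    """Constant-time check that the manifest has not been rewritten since sealing."""
    return hmac.compare_digest(seal_manifest(manifest, key), tag)


def verify_backup(root: Path, manifest: dict) -> dict:
    """Diff the on-disk tree against the manifest and report what changed."""
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    return {
        "ok": not (missing or modified),
        "missing": missing,
        "modified": modified,
        "unexpected": unexpected,
    }


def demo() -> dict:
    """Constructed scenario (not real Patelco data): a clean backup, then a damaged one."""
    key = b"constructed-offline-key"  # placeholder; a real key comes from an offline secret store
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "records").mkdir(parents=True)
        (backup / "records" / "ledger.csv").write_text("id,amount\n1,100\n")
        (backup / "records" / "members.csv").write_text("id,name\n1,alice\n")

        manifest = build_manifest(backup)
        tag = seal_manifest(manifest, key)
        clean = verify_backup(backup, manifest)

        # Simulate the state a ransomware run leaves behind on a reachable backup:
        # one file overwritten with unreadable bytes, one deleted, one note added.
        (backup / "records" / "ledger.csv").write_bytes(b"\x00\xffnot-a-csv")
        (backup / "records" / "members.csv").unlink()
        (backup / "RESTORE_FILES.txt").write_text("constructed ransom note\n")
        tampered = verify_backup(backup, manifest)

        # A manifest regenerated from the damaged tree must fail the HMAC check,
        # which is why the seal and key are kept away from the backup itself.
        forged = build_manifest(backup)
        return {
            "clean": clean,
            "tampered": tampered,
            "manifest_authentic": manifest_is_authentic(manifest, key, tag),
            "forged_manifest_authentic": manifest_is_authentic(forged, key, tag),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The useful habit this encodes is that a backup counts as "tested" only when its manifest and seal are kept somewhere the production network cannot write to, and the verification (or better, a full restore into an isolated environment) is run on a schedule rather than for the first time during an incident.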