Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyberattack. Show all posts
Ransomware attack
Cyber Attacks Cyberattack elective procedures Interlock gang Kettering Health Ohio hospitals Ransomware attack

Ransomware Attack Disrupts Kettering Health Network, Elective Procedures Canceled Across 14 Ohio Facilities

 

A ransomware incident has caused a significant “system-wide technology outage” at a network of over a dozen medical centers in Ohio, resulting in the cancellation of both inpatient and outpatient elective procedures. This information comes from a statement released by the health system and a ransom note obtained by CNN.

Kettering Health, which serves a substantial portion of Ohio and employs more than 1,800 physicians, confirmed in a statement that the cyberattack began Tuesday morning and has created “a number of challenges” across its 14 facilities. The disruption has also affected the network’s call center. Despite this, emergency rooms and outpatient clinics remain operational and continue to treat patients.

“Inpatient and outpatient procedures have been canceled for today,” the network said in its statement. “Scheduled procedures at Kettering Health medical centers will be rescheduled.” It added that contingency protocols are in place “for these types of situations” to maintain safe and high-quality patient care.

Internally, Kettering Health's IT teams and executives are working to limit the damage from the ransomware attack. According to the ransom note reviewed by CNN, hackers deployed ransomware on the network’s computer systems.

“Your network was compromised, and we have secured your most vital files,” the note reads. It warns that the attackers may release allegedly stolen data online unless negotiations for a ransom payment begin.

The note includes a link to an extortion platform tied to the ransomware group known as Interlock, which surfaced in late 2023. Since then, the group has reportedly targeted various sectors including technology, manufacturing, and government organizations, as per Cisco’s cyber-intelligence division, Talos.

A spokesperson for Kettering Health did not offer additional details beyond the network’s official statement.

Typically, major cyber incidents affecting U.S. healthcare providers involve responses from the FBI, the Department of Health and Human Services (HHS), and the Cybersecurity and Infrastructure Security Agency (CISA). CNN has reached out to all three agencies for comment.

Cybercriminals have long targeted the U.S. healthcare sector, viewing hospitals as particularly vulnerable and likely to pay ransoms to prevent disruptions in patient care. Last year, healthcare organizations reported more than 440 ransomware incidents and data breaches to the FBI—more than any other critical infrastructure sector.

In the past 18 months, a string of high-profile cyberattacks on major health providers has directly affected patient care nationwide, prompting growing concern among lawmakers and federal authorities about the resilience of U.S. healthcare cybersecurity systems.

One such attack last year on Ascension, a nonprofit health system based in St. Louis with operations across 19 states, left nurses at some hospitals working without access to electronic health records, compromising patient safety, according to what two nurses told CNN. Similarly, a February 2024 ransomware attack on a UnitedHealth Group subsidiary disrupted pharmacy services across the country and exposed sensitive data belonging to a large number of Americans.
Read more »
Trojan
cryptocurrency Cyberattack Hacking malware printing Ransomware remoteaccess Security Software Trojan

Malware Discovered in Procolored Printer Software, Users Advised to Update Immediately

 

For at least six months, the official software bundled with Procolored printers reportedly included malicious code, including a remote access trojan (RAT) and a cryptocurrency-stealing malware.

Procolored, a Shenzhen-based manufacturer known for its affordable Direct-to-Film (DTF), UV DTF, UV, and Direct-to-Garment (DTG) printers, has built a strong reputation in the digital printing market. Since its founding in 2018, the company has expanded to over 31 countries and developed a considerable footprint in the United States.

The issue was first identified by Cameron Coward, a tech YouTuber behind the channel Serial Hobbyism. He was installing the driver and companion software for a $7,000 Procolored UV printer when his security tool flagged a threat: the Floxif USB worm.

After further investigation, cybersecurity firm G Data confirmed that malware was being distributed through Procolored’s official software packages—potentially impacting customers for over half a year.

Initially dismissed by Procolored as a “false positive,” Coward found that every time he attempted to download or unzip the printer software, his system immediately quarantined the files.

“If I try to download the files from their website or unzip the files on the USB drive they gave me, my computer immediately quarantines them,” said the YouTuber.

Coward turned to Reddit for support in analyzing the malware before publishing a critical review. G Data researcher Karsten Hahn responded and discovered that six printer models—F8, F13, F13 Pro, V6, V11 Pro, and VF13 Pro—came with software downloads hosted on Mega that were infected with malware.

Mega.nz is the file-sharing platform Procolored uses to distribute printer software via its official website.

Hahn found 39 infected files, including:

  • XRedRAT: A RAT with capabilities such as keylogging, taking screenshots, accessing the remote shell, and file manipulation. Its hardcoded command-and-control (C2) URLs were consistent with previously analyzed samples.
  • SnipVex: A newly identified clipper malware that infects .EXE files and hijacks Bitcoin addresses copied to the clipboard. This malware is believed to have compromised the developer’s machine or software build environment.

According to G Data, the SnipVex malware was used to steal around 9.308 BTC (worth nearly $1 million at current exchange rates).

Company Response and Security Measures

Though Procolored initially denied any wrongdoing, the compromised software was removed from its website on May 8, and the company launched an internal probe.

In communication with G Data, Procolored explained that the infected files had been uploaded via a USB drive possibly infected with the Floxif worm.

“As a precaution, all software has been temporarily removed from the Procolored official website,” explained Procolored to G Data.

“We are conducting a comprehensive malware scan of every file. Only after passing stringent virus and security checks will the software be re-uploaded.”

G Data later confirmed that the newly uploaded software packages are clean and safe to install.

Customers who previously downloaded Procolored software are urged to update to the new versions and perform a system scan to remove remnants of XRedRAT and SnipVex. Given the nature of SnipVex's binary tampering, experts recommend a thorough system cleaning.

In a comment to BleepingComputer, Procolored emphasized that all of its software has now been verified and is secure:

“Procolored confirms that its software is completely safe, clean, and has no connection whatsoever to any cryptocurrency-related incidents. All software packages have been thoroughly scanned and verified by third-party tools including VirusTotal and G Data, with no threats detected. Users can purchase and use Procolored products with complete confidence, as there is no risk of Bitcoin or other cryptocurrency theft linked to their software.”

“To further reassure customers, Procolored has provided third-party certifications and conducted strict technical checks to prove its software is secure.”

“In particular, the hash values of the key ‘PrintExp.exe’ file were verified and confirmed to match the official values published on Procolored’s website, proving the file is authentic, untampered, and free of any viruses or malware.”

“The company remains fully committed to customer care — no matter the issue, whether software or hardware, Procolored promises to resolve it to customer satisfaction, supported by their dedicated after-sales team and U.S.-based service resources.”


Read more »
Power Outage
Cyber Defenses Cyber Security Cyber Threats Cyberattack Hacker attack Hacking Portugal Cyber Army Portugese Power Grids Power Outage

Spain Investigates Cybersecurity of Power Suppliers After Widespread Grid Outage

 

Spain is investigating the cybersecurity practices of its power suppliers following a major power outage that affected much of the Iberian Peninsula at the end of April. While initial assessments by Spanish and Portuguese grid operators ruled out a cyberattack, authorities are now questioning whether smaller, independent energy producers may have inadvertently opened vulnerabilities within the national power infrastructure. 

The outage disrupted electricity supply across both Spain and Portugal, with most regions regaining power after ten hours. However, it took nearly a full day—23 hours—for Spain’s grid to be fully restored. Although no immediate signs of hacking were found, the duration and scale of the disruption raised alarms, prompting deeper scrutiny into the resilience of Spain’s decentralized energy network. According to a report from the Financial Times, Spain’s National Cybersecurity Institute (INCIBE) has reached out to various smaller renewable energy producers, asking whether they experienced any unusual activity before the blackout on April 28. 

The inquiries also covered their use of recent security patches and whether their systems could be remotely accessed, signaling a broader concern over cybersecurity readiness among these suppliers. This line of investigation is significant given Spain’s heavy reliance on renewable energy, much of which is generated by smaller, less centralized plants. The concern is that these entities, though critical to Spain’s green transition, may lack the robust cyber defenses maintained by larger grid operators. 

While this doesn’t point to renewable energy as unreliable, it highlights how a fragmented supplier ecosystem could pose a collective security risk. Cybersecurity experts have also weighed in. A blog post by security firm Specops Software compared the Spanish outage to known cyberattacks on power grids, such as those in Ukraine in 2015 and 2016. While Specops acknowledged the Spanish grid operators’ conclusion that no breach was detected through their internal monitoring systems, the firm noted similarities in how the shutdown unfolded. 

However, Barracuda Networks’ regional director Miguel López suggested that if a cyberattack had indeed compromised critical systems, it would have taken significantly longer to recover, casting doubt on hacking as the root cause. Still, the possibility that attackers exploited a less secure third-party provider has not been ruled out. This renewed scrutiny comes amid global concerns over cyber threats to critical infrastructure. 

The U.S. and U.K. have both issued alerts about increased activity by pro-Russian hacktivists targeting industrial control systems. With recent research showing that 95% of critical infrastructure organizations experienced a data breach in the past year, Spain’s situation underscores the urgent need for improved cyber vigilance across all levels of the energy supply chain.
Read more »
ScatteredSpider
Cyberattack Cybersecurity Data Breach DragonForce Extortion Hacking Ransomware Retail ScatteredSpider

Marks & Spencer Cyberattack Fallout May Last Months Amid Growing Threat from Scattered Spider

 

Marks & Spencer is facing prolonged disruption after falling victim to a large-scale cyberattack. Experts warn that restoring normal operations could take months, highlighting a growing trend of sophisticated breaches targeting major retailers. This incident follows a wave of cyber intrusions, including those at Co-op and Harrods, allegedly orchestrated by the same hacking collective — Scattered Spider.

Described by ITPro as “the name on every security practitioner's mind right now,” Scattered Spider has gained notoriety for its aggressive tactics and global reach.

“Scattered Spider is one of the most dangerous and active hacking groups we are monitoring,” said Graeme Stewart of Check Point to Sky News.

Believed to be composed mainly of young, English-speaking individuals based in the UK and US, the group has reportedly executed over 100 cyberattacks since emerging in 2022. These attacks span sectors like telecommunications, finance, retail, and gaming.

One of their most prominent exploits occurred in 2023, when they severely disrupted two leading casino operators. Caesars Entertainment reportedly paid about $15 million to recover access, while MGM Resorts suffered estimated damages of around $100 million due to compromised customer data.

What makes Scattered Spider particularly elusive is its decentralized structure and independence from state backing. “They operate more like an organised criminal network, decentralised and adaptive,” Stewart added. Even after multiple arrests in the US and Europe, the group continues to rebound swiftly. “This is not a loose group of opportunistic hackers,” he emphasized.

Rather than relying solely on software flaws, Scattered Spider frequently exploits human error. The M&S and Co-op attacks, for example, were the result of “social engineering,” where attackers manipulated employees into revealing credentials.

Their tactics include mimicking corporate emails, sim swapping (cloning a phone number to hijack accounts), and building convincing fake login portals. “This is akin to ‘breaking down the front door’ of networks,” Paul Cashmore, CEO of Solace Cyber, told The Times. Once inside, Scattered Spider typically partners with ransomware gangs to carry out the final blow.

In these recent cases, the group appears to have collaborated with DragonForce, a ransomware cartel. Initially known as a pro-Palestinian hacktivist group based in Malaysia, DragonForce now operates a “ransomware-as-a-service” model. According to Bleeping Computer, they allow affiliates to use their tools and infrastructure in exchange for 20-30% of ransom payments.

The core motivation is financial gain. DragonForce reportedly reached out to the BBC claiming the Co-op breach was more severe than disclosed, hinting at an extortion attempt.

Organizations like the Co-op, which house personal data of millions, are prime targets. Once a system is locked, hackers demand large ransoms in return for decryption tools and promises to delete stolen data. “If a ransom is not paid, the ransomware operation typically publishes the stolen data on their dark web data leak site,” Bleeping Computer explained.

Whether or not to pay remains a complex dilemma. “Paying may provide a quick way to restore operations, protect customer data and limit immediate financial and reputational damage,” noted The Times. However, it also risks emboldening cybercriminals and marking companies as future targets.
Read more »
Pakistan
Cyberattack Cybersecurity Cyberwarfare Data Breach DDoS defacement Hacktivists India Pakistan

Cyber War Escalates Between Indian and Pakistani Hacktivists After Pahalgam Attack

 

kAs tensions continue to rise in the wake of the Pahalgam terror attack and India's subsequent launch of Operation Sindoor, a fierce cyber confrontation has simultaneously unfolded in the digital realm. Hacktivist groups aligned with both India and Pakistan have been engaged in a sustained virtual clash.

A cyber threat intelligence assessment by Kochi-based cybersecurity firm Technisanct highlights how pro-Pakistan and Bangladeshi hacktivist groups have launched a wave of cyberattacks on Indian institutions. While not all incidents were listed in the public report, Technisanct noted key Indian targets including BSNL, the Income Tax Department, Hindustan Aeronautics Ltd, various state government websites, and Indian Railways. In retaliation, pro-India hacktivists focused their attacks on Pakistani establishments such as the Pakistan Air Force, Punjab Emergency Service Department, the Bank of Punjab, Ministry of Finance, and Jinnah International Airport.

The report identifies more than 200 cyber incidents between April 22—the day of the Pahalgam attack—and May 8, just after Operation Sindoor was launched. This data, compiled using threat intelligence sources like falconfeeds.io, Technisanct’s monitoring tools, public disclosures, and threat actor communications across Telegram and X, signals the heightened scale of this cyber offensive.

Among the reported incidents, 111 were DDoS (Distributed Denial of Service) attacks, which aim to overwhelm target servers and disrupt online services. DDoS attacks made up 55.5% of the total. Other forms of attacks included website defacements (35.5%), general cyber alerts (11%), data breaches (7.5%), unauthorized access attempts (2%), and data leaks (1.5%). For context, there were only 147 DDoS attacks in India between February and April, while 112 DDoS cases were recorded from May 1 to 9 alone.

Government and public sector entities bore the brunt of the offensive, accounting for 52% of incidents (104 cases). Educational institutions followed with 43 attacks (21.5%), and technology or IT service firms recorded 13 attacks (6.5%). The focus on essential public sectors and IT infrastructure signals a calculated effort to disrupt public services and potentially compromise broader networks.

"The targeting of technology & IT services organisations could indicate an attempt to leverage these entities for further attacks or to compromise supply chains," the report noted.

Technisanct identified 36 pro-Pakistan hacktivist groups responsible for the digital assaults, with 14 Indian groups retaliating. Leading the offensive from the Pakistani side were:
  • Nation of Saviors (34 incidents)
  • Keymous+ (26)
  • Electronic Army Special Forces (25)
  • KAL EGY 319 (16)
  • GARUDA ERROR SYSTEM (15)
  • AnonSec (14)
  • Sylhet Gang-SG (13)
  • Mr Hamza (11)
  • Dark Cyber Gang (9)
  • INDOHAXSEC (8)
"These groups have aggressively pursued ideologically motivated cyber operations targeting Indian government domains, military assets, and financial platforms. Their tactics largely revolve around DDoS attacks, defacement campaigns, and selective data leaks, often coordinated through Telegram, X and other encrypted channels. The prominence of these actors underscores an organised and sustained campaign against Indian interests in cyberspace, leveraging real-world conflicts to justify digital aggression," the report states.

Technisanct CEO Nandakishore Harikumar told Onmanorama,

"The physical war is highly proportional to digital war. When a single missile is launched in the physical space, thousands of missiles can be launched in the cyber space. The intention is to hit services directly. I believe that, gradually, maybe in the next 50 years, 50 per cent of the war will be fought in the digital space. Even the flood of fake news and misinformation we see is kind of a warfare. We started seeing a huge pattern of this during the Ukraine-Russian crisis, followed by the Israel-Palestine clash."

The report concluded that the cyber activities post-Pahalgam represent a major and evolving national threat.

“The high volume of incidents, the increasing number of participating threat actors, the focus on critical sectors, and the escalating daily activity underscore the urgent need for a robust and comprehensive national cybersecurity strategy that explicitly addresses both cyberattacks and related disinformation, while also considering the dynamics of cyber conflict escalation.”
Read more »
takedown
Cyber Fraud Cyberattack CyberCrime Cybersecurity digitalcrime Europol Fraud Hacking LabHost LabRat lawenforcement phishing phishingkits phishingtools takedown

Global Cybercrime Crackdown Dismantles Major Phishing-as-a-Service Platform ‘LabHost’

 

In a major international crackdown, a law enforcement operation spearheaded by the London Metropolitan Police and coordinated by Europol has successfully taken down LabHost, one of the most notorious phishing-as-a-service (PhaaS) platforms used by cybercriminals worldwide.

Between April 14 and April 17, 2024, authorities carried out synchronized raids across 70 different sites globally, resulting in the arrest of 37 individuals. Among those arrested were four suspects in the UK believed to be the platform’s original creators and administrators. Following the arrests, LabHost’s digital infrastructure was completely dismantled.

LabHost had gained infamy for its ease of use and wide accessibility, making it a go-to cybercrime tool. The service offered more than 170 fake website templates imitating trusted brands from the banking, telecom, and logistics sectors—allowing users to craft convincing phishing campaigns with minimal effort.

According to authorities, LabHost supported over 40,000 phishing domains and catered to approximately 10,000 users across the globe. The coordinated enforcement effort was supported by Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT), with 19 countries actively participating in the investigation.

LabHost showcased how cybercrime has become industrialized through subscription-based platforms. For a monthly fee of around $249, subscribers could access phishing kits, fraudulent websites, hosting services, and even tools to interact with victims in real-time.

One of its most dangerous features was LabRat, an integrated dashboard that enabled users to monitor ongoing phishing attacks. This tool also allowed cybercriminals to intercept two-factor authentication codes and login credentials, effectively bypassing modern security measures.

Its user-friendly interface eliminated the need for technical skills—opening the door for anyone with malicious intent and a credit card to launch sophisticated phishing schemes. The platform's popularity contributed to a spike in identity theft, financial fraud, and widespread data breaches.

Authorities hailed the takedown as a milestone in the fight against cybercrime. However, they also cautioned that the commoditization of cybercrime remains a serious concern.

"This is a critical blow to phishing infrastructure," cybersecurity experts said, "but the ease of recreating similar platforms continues to pose a major threat."

Following the seizure of LabHost’s backend systems, law enforcement agencies have begun analyzing the data to identify the perpetrators and their victims. This will mark the beginning of a new wave of investigations and preventative measures.

The operation involved agencies from 19 countries, including the FBI and Secret Service from the United States, as well as cybercrime units in Canada, Germany, the Netherlands, Poland, Spain, Australia, and the UK. This unprecedented level of international cooperation highlights the cross-border nature of cyber threats and the importance of unified global action.

As authorities prepare for a fresh wave of prosecutions, the LabHost takedown stands as a defining moment in cyber law enforcement—both in its impact and its symbolism.
Read more »
Terrorism
Banking CERT-In Cybe Security Cyberattack DDoS defacement Digital Finance India Infrastructure Misinformation Pahalgam SocialMedia surveillance Terrorism

India Strengthens Cybersecurity Measures Amid Rising Threats Post-Pahalgam Attack

 

In response to a surge in cyberattacks targeting Indian digital infrastructure following the Pahalgam terror incident, the Indian government has directed financial institutions and critical infrastructure sectors to enhance their cybersecurity protocols. These instructions were issued by the Computer Emergency Response Team (CERT-In), according to a source familiar with the development, Moneycontrol reported.

The precautionary push isn’t limited to government networks — private sector entities are also actively reinforcing their systems against potential cyber threats. “We have been extra alert right from the Pahalgam attack, in terms of ensuring cyber security speedily not just by government agencies but also by the private sector,” the source stated.

CERT-In, India’s central agency for cyber defense, has released advisories to banking institutions and other essential sectors, urging them to tighten their digital safeguards. In addition, the government has engaged with organizations like NASSCOM to facilitate a collaborative cyber alert framework.

Recent attacks primarily involved DDoS, or distributed denial-of-service incidents, which overwhelm servers with excessive traffic, rendering websites inaccessible and potentially causing financial damage. Attempts to deface websites — typically for political messaging — were also reported.

This intensified focus on digital defense follows India’s military action against terrorist hideouts in Pakistan, occurring nearly two weeks after the Pahalgam incident, which resulted in the deaths of Indian tourists in Kashmir.

Moneycontrol previously highlighted that cyber surveillance across India's vital digital infrastructure is being ramped up following the Pahalgam attack and the subsequent Operation Sindoor. Critical sectors and strategic installations are under strict scrutiny to ensure adherence to robust cybersecurity practices.

Amid these developments, misinformation remains a parallel concern. Daily takedown requests under Section 69A of the IT Act have surpassed 1,000, as the government works with social media platforms to curb the spread of fake news, the source noted.
Read more »
Ransomware
Cyberattack Data Breach DaVita Healthcare Interlock Ransomware

Interlock Ransomware Gang Claims DaVita Cyberattack, Leaks Alleged Data Online

 

jThe Interlock ransomware group has taken credit for a recent cyberattack on DaVita, a leading U.S. kidney care provider. The group claims to have exfiltrated a significant amount of data, which it has now leaked on the dark web.

DaVita, a Fortune 500 company, operates over 2,600 dialysis centers across the U.S., employs around 76,000 people in 12 countries, and generates more than $12.8 billion in annual revenue. On April 12, the healthcare giant informed the U.S. Securities and Exchange Commission (SEC) that it had been hit by a ransomware incident that disrupted some operations. At the time, the company said it was assessing the impact.

Earlier today, the Interlock group publicly listed DaVita as a victim on its data leak site (DLS) hosted on the dark web. The cybercriminals claim to have stolen approximately 1.5 terabytes of data, including around 700,000 files containing sensitive information—ranging from patient records and user account data to insurance documents and financial details.

The leaked files were released following what appears to be a failed negotiation between Interlock and DaVita. The authenticity of the exposed files has not been independently verified by BleepingComputer.

In response to the data leak, a DaVita spokesperson told BleepingComputer: "We are aware of the post on the dark web and are in the process of conducting a thorough review of the data involved."

"A full investigation regarding this incident is still underway. We are working as quickly as possible and will notify any affected parties and individuals, as appropriate."

"We are disappointed in these actions against the healthcare community and will continue to share helpful information with our vendors and partners to raise awareness on how to defend against these attacks in the future."

Patients who have received care at DaVita facilities are advised to remain alert for phishing attempts and report any suspicious activity to authorities.

Interlock emerged in the ransomware scene in September last year, primarily targeting Windows and FreeBSD systems. Unlike many groups, Interlock does not collaborate with affiliates but has demonstrated increasing activity and sophistication.

A recent report by cybersecurity firm Sekoia highlighted a shift in Interlock’s approach. The group is now using “ClickFix” techniques to deceive victims into deploying info-stealers and remote access trojans (RATs)—a method that paves the way for ransomware deployment.
Read more »
Subscribe to: Posts (Atom)