Tag: Attack | SpinSafe

Keeping the lights on after a ransomware attack • Graham Cluley

April 24, 2024/in Internet Security

Smashing Security podcast #369: Keeping the lights on after a ransomware attack

Leicester City Council suffers a crippling ransomware attack, and a massive data breach, but is it out of the dark yet? And as election fever hits India we take a close eye at deepfakery.

All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Warning: This podcast may contain nuts, adult themes, and rude language.

Hosts:

Graham Cluley – @gcluley
Carole Theriault – @caroletheriault

Episode links:

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.

Source…

Hackers Were in Change Healthcare 9 Days Before Attack

April 23, 2024/in Internet Security

Hackers were reportedly in the networks of UnitedHealth Group’s Change Healthcare unit for days before launching their ransomware strike.

They gained entry to the networks on Feb. 12, using compromised credentials on an application that allows staff to remotely access systems, The Wall Street Journal (WSJ) reported Monday (April 22).

During the nine days they were in the system before launching the attack on Feb. 21, they may have been able to steal “significant” amounts of data, Seeking Alpha reported Monday, citing a WSJ article.

Change Healthcare posted its first update reporting connectivity issues Feb. 21, saying that “some applications are currently unavailable” and that the company was triaging the issue.

On April 16, UnitedHealth Group CEO Andrew Witty said during an earnings call that the cyberattack cost the company $872 million.

Witty said that the incident “was straight out an attack on the U.S. health system and designed to create maximum damage,” adding: “I think we’ve got through that very well in terms of the remediation and the build back to functionality.”

In the wake of that attack, the federal government announced it is offering a $10 million reward to help identify the people behind the organization that launched the attack: the ransomware-as-a-service group ALPHV BlackCat.

In addition, U.S. Sen. Mark R. Warner, D-Va., introduced a bill that would accelerate Medicare payments to healthcare providers that have suffered a cyberattack.

The bill, the “Health Care Cybersecurity Improvement Act of 2024,” is meant to incentivize cybersecurity in the healthcare industry.

“The recent hack of Change Healthcare is a reminder that the entire healthcare industry is vulnerable and needs to step up its game,” Warner said in a March 22 press release announcing the introduction of the bill. “This legislation would provide some important financial incentives for providers and vendors to do so.”

PYMNTS Intelligence has found that 82% of eCommerce merchants endured cyber or data breaches in the last year. Forty-seven percent of those merchants said the breaches resulted in both lost revenue and lost…

Source…

Androxgh0st Malware Compromises Servers Worldwide for Botnet Attack

April 21, 2024/in Computer Security

Veriti Research has discovered a surge in attacks from operators of the Androxgh0st malware family, uncovering over 600 servers compromised primarily in the U.S., India and Taiwan.

According to Veriti’s blog post, the adversary behind Androxgh0st had their C2 server exposed, which could allow for a counterstrike by revealing the impacted targets. The researchers then went on to alert the victims.

Further research revealed that Androxgh0st operators are exploiting multiple CVEs, including CVE-2021-3129 and CVE-2024-1709 to deploy a web shell on vulnerable servers, granting remote control capabilities. Moreover, evidence suggests active web shells associated with CVE-2019-2725.

Androxgh0st Malware Compromises Servers Worldwide, Building Botnets for Attacks — Image: Veriti

Androxgh0st Threat Actor Ramps Up Activity

Hackread.com has been tracking Androxgh0st operations since was first noticed in December 2022. The malware operator is known for deploying Adhublika ransomware and was previously observed communicating with an IP address associated with the Adhublika group.

Androxgh0st operators prefer exploiting Laravel applications to steal credentials for cloud-based services like AWS, SendGrid, and Twilio. They exploit vulnerabilities in Apache web servers and PHP frameworks, deploying webshells for persistence.

However. their recent focus seems to be building botnets to exploit more systems. Recently, the FBI and CISA issued a joint Cybersecurity Advisory (CSA) advisory, warning about Androxgh0st constructing a botnet to carry out credential theft and establish backdoor access.

Last year, Cado Security Ltd. revealed the details of a Python-based credential harvester and a hacking tool called Legion, linked to the AndroxGh0st malware family. Legion is designed to exploit email services for abuse.

The Way Forward

Veriti’s research goes onto show the importance of proactive exposure management and threat intelligence in cyber security. Organizations must regularly update their security measures, including patch management for known vulnerabilities, strong web shell deployment monitoring, and behavioural analysis tools to prevent breaches and protect against similar vulnerabilities.

Russian Hackers Hit…

Source…

Hong Kong private hospital given 4 weeks to submit report over US$10 million ransomware attack

April 20, 2024/in Internet Security

Hong Kong health authorities have told a private hospital it has four weeks to submit a detailed report after it was hit by a malicious cyberattack and refused to pay a US$10 million ransom.

The Department of Health said on Saturday that it was investigating the incident at Union Hospital in Tai Wai, with its initial findings showing the ransomware attack had not compromised any patient data or medical services.

“Our initial understanding is that it did not involve [the release of] patients’ data nor did it affect the service security of the hospital,” it said. “The Department of Health has requested the hospital to hand in a detailed report in four weeks.”

Health authorities said they had also notified law enforcement agencies, including police and the city’s privacy commissioner.

Union Hospital revealed on Thursday that it had fallen prey to the ransomware attack on Monday morning, resulting in some “operational disruptions”.

“In response to the attack, the hospital has activated the emergency response system and stepped up cyber security measures to block further intrusion … Union Hospital condemns any form of cyberattack,” the hospital said.

“A team of cybersecurity experts has been appointed to conduct thorough system inspection and recovery in order to ensure medical service continuity.”

The hospital stressed that its staff had been vigilant over cybersecurity threats and ensured that all patient records were encrypted and password-protected.

“The leakage of patient data is unfounded as of now. An investigation into the attack is in progress,” it said.

Record 73% of Hong Kong companies hit by cyberattacks in past year: watchdog poll

The institution said it had reported the case to the department, the privacy commissioner and police, adding that patients with concerns could contact them at [email protected].

Hackers reportedly used ransomware called “LockBit” to target the hospital and demand the US$10 million ransom, which the latter refused to pay.

Police said they received a report from a hospital employee on Monday over abnormalities in the hospital’s network system including some computer files going missing, but no personal data was involved.

Source…

Tag Archive for: Attack