By the CyberWire staff
Universal Health Systems suffers disruptive cyberattack.
Universal Health Services (UHS), a major hospital chain based in the US, sustained a suspected ransomware attack on Sunday that NBC News calls "one of the largest medical cyberattacks in United States history." The company stated on Tuesday, "The cyber attack occurred early Sunday morning, at which time the company shut down all networks across the U.S. enterprise. We have no indication at this time that any patient or employee data has been accessed, copied or misused. The company's UK operations have not been impacted." The Wall Street Journal reports that the company took down systems at all two-hundred-fifty of its facilities in the US to prevent the attack from spreading, and the incident forced some hospitals to divert ambulances and reschedule surgeries.
BleepingComputer cites UHS employees as saying the attack involved the Ryuk ransomware. TechCrunch notes that Ryuk's operators were not among the handful of ransomware gangs that pledged to avoid targeting hospitals earlier this year.
Many outlets, Threatpost and WIRED among them, are drawing the obvious comparison between the UHS attack and the ransomware incident earlier this month in Düsseldorf that forced an ambulance diversion that cost a patient her life. There are no known lethal consequences of the UHS incident, so far at any rate, and reversion to manual systems appears to have enabled the hospitals to continue their operations, albeit in an impeded fashion.
Tyler Technologies urges password resets.
Tyler Technologies, which suffered a ransomware attack last week, warned last Saturday that two of its customers had reported suspicious logons to their systems using Tyler credentials. The company stated, "Given this new information, and if you haven't already done so, we strongly recommend that you reset passwords on your remote network access for Tyler staff and the credentials that Tyler personnel would use to access your applications, if applicable. Although we do not have enough information to know whether this evening's reports of suspicious activity are related to the ongoing investigation of unauthorized access to Tyler's internal systems, we believe precautionary password resets should be implemented."
Given Tyler's extensive work with the US public sector, ZDNet notes that "the ransomware attack on this company's network might quietly become one of the biggest cyber-attacks of the year, if indeed attackers gained access to passwords for customer networks."
Shipping giant hit by ransomware. Other maritime targets suffer unspecified disruptions.
French container shipping giant CMA CGM was hit by Ragnar Locker ransomware over the weekend, and the company now thinks it likely that data were stolen. According to Splash 247, CMA CGM stated on Wednesday, "We suspect a data breach and are doing everything possible to assess its potential volume and nature." The company's sluggishness in acknowledging that the incident was a ransomware attack has been criticized by some observers; the shipping giant initially disclosed only that it was dealing with an IT event. CMA CGM's e-business website was still down as of Friday, although the company says it's offering alternative solutions to customers.
The Loadstar notes that many observers have drawn comparisons to Maersk's experience with NotPetya in 2017. Shipping expert Lars Jensen stated on LinkedIn yesterday, "This is day 5 of the cyber attack on CMA CGM with no additional news since 30 September. It indicates that they remain in the process of getting an overview of what happened and how to fix it. It means that the manual stop-gaps to bridge the gap remain in place and their organization is under strain to keep business running while trying to fix the problem. We do not know yet how this matches against the attack on Maersk in 2017, but given the fact that we are now on day 5 it would be safe to conclude that in terms of overall impact we are looking at something similar."
Two other targets in the maritime sector were hit over the course of the week in independent incidents. The International Maritime Organization, a UN regulatory body concerned with the shipping industry, disclosed Thursday that it had suffered a cyberattack that significantly disrupted its IT systems. The nature of the attack isn't yet known, and it represents an administrative and business problem as opposed to a direct threat to safety of navigation.
On a smaller, if still irritating, scale, Maritime Executive reports that the British ferry service Red Funnel, which operates between Southampton and the Isle of Wight, has suffered a cyberattack that disrupted online ticket sales.
More ransomware news.
The Wall Street Journal reports that the Clark County School District in Nevada refused to pay its extortionists after suffering a Maze ransomware infestation in late August, and the criminals have now retaliated by releasing students' Social Security numbers, grades, home addresses, and other personal information. Threatpost says around 25 gigabytes of data have been posted publicly online. The district has about 320,000 students.
And the effects of the ransomware attack against Blackbaud continue to make themselves felt, and those effects are now known to be more serious than previously thought. BleepingComputer reports that Blackbaud has determined that attackers accessed some customers' bank account information, Social Security numbers, and login credentials. A Form 8-K the company filed with the US Securities and Exchange Commission states, "After 16 July, further forensic investigation found that for some of the notified customers, the cyber criminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords. Customers who we believe are using these fields for such information are being contacted the week of September 27, 2020 and are being provided with additional support. We expect our Security Incident investigation and security enhancements to continue for the foreseeable future."
Blackbaud maintains that the attackers deleted the stolen data after receiving the ransom payment, but BleepingComputer observes that there's no way to be completely certain that the criminals kept their word. Emsisoft threat analyst Brett Callow told Computing, "To my mind, these incidents should be treated as data breaches from the get-go and customers and business partners immediately notified so they can take steps to minimise their risks."
Finally, the REvil ransomware-as-a-service gang has posted $1 million worth of Bitcoin to a Russophone hacker forum in a bid to recruit new affiliates, BleepingComputer reports. The money was deposited to a Bitcoin wallet hosted by the forum as a way to put their money where their mouth is. "For your peace of mind and confidence, we have made a deposit of one million US dollars," the crooks said.
For more, see the CyberWire Pro Privacy Briefing.
Fancy Bear suspected in US Federal agency hack.
A unit of Russia's GRU (tracked as APT28 or Fancy Bear) appears to be a likely suspect in the successful hacking of a US Federal agency disclosed by the US Cybersecurity and Infrastructure Security Agency (CISA) last week. According to WIRED, Dragos researcher Joe Slowik noticed that some of the attackers' IP addresses highlighted in CISA's advisory match those listed in an FBI notification concerning an APT28 campaign in May 2020. Additionally, another IP address was also found in a 2019 Department of Energy report on APT28. Slowik told WIRED, "Based on the infrastructure overlap, the series of behaviors associated with the event, and the general timing and targeting of the US government, this seems to be something very similar to—if not a part of—the campaign linked to APT28 earlier this year."
Slowik notes that some of the IP addresses have also been used in criminal malware campaigns, but he believes this is probably an instance of nation-state threat actors reusing criminal infrastructure to cover their tracks.
Gadolinium accounts shut down.
Microsoft has taken down eighteen Azure Active Directory accounts that were being used by Gadolinium (also known as APT40, Leviathan, or Kryptonite Panda), a Chinese government threat actor that’s most active against the maritime and healthcare sectors. Microsoft explains, "over the last year GADOLINIUM has begun to modify portions of its toolchain to use open-source toolkits to obfuscate their activity and make it more difficult for analysts to track. Because cloud services frequently offer a free trial or one-time payment (PayGo) account offerings, malicious actors have found ways to take advantage of these legitimate business offerings. By establishing free or PayGo accounts, they can use cloud-based technology to create a malicious infrastructure that can be established quickly then taken down before detection or given up at little cost."
SlothfulMedia targets a range of countries.
US Cyber Command warned on Thursday that a new remote access Trojan ("SlothfulMedia") has been detected in attacks against targets in India, Kazakhstan, Kyrgyzstan, Malaysia, Russia and Ukraine. Details are on Cyber Command's VirusTotal page. The US Cybersecurity and Infrastructure Security Agency (CISA), which cooperated with Cyber Command in developing the alert, describes SlothfulMedia as an information stealer. There's no public attribution beyond calling the attacker a "sophisticated cyber actor." A Cyber Command spokesperson told CyberScoop that the malware "is in use in successful ongoing campaigns."
Disinformation is playing both sides of the ideological divide.
US authorities say they've seen no particular evidence of a serious attempt to disrupt or manipulate 2020 voting itself, but they do see two real problems at least: the possibility that denial-of-service attacks could render reliable information about next month's elections unavailable, and that successful disinformation could undermine public confidence in the integrity of the vote. The threats are mutually reinforcing: any friction introduced into the system will be likely to slow the count, and an unusual delay in announcing results would be likely to be read as suspicious, possibly as evidence of a conspiracy. You know, the kind of conspiracy you heard about on the Internet. As Foreign Policy describes one aspect of the problem, "It doesn’t matter if Russia actually sways the vote. What matters is whether Americans think it did."
Russian operators have so far been noted for a surge in trolling, often with sincerely committed writers hired to push their line idiomatically, on the progressive side of the American political divide. Reuters reported today that the FBI is looking into the nominally right-wing Newsroom for American and European Based Citizens (NAEBC), which appears to be a cat's paw for the St. Petersburg-based Internet Research Agency, the troll farm that attracted so much attention during the 2016 elections.
For more, see the CyberWire Pro Disinformation Briefing.
Microsoft sees cyberattacks growing more sophisticated.
Microsoft's Digital Defense Report concludes that "threat actors have rapidly increased in sophistication over the past year."
New ransomware group targets Russian organizations.
Group-IB describes "OldGremlin," a new Russian-speaking ransomware gang that strangely chooses to target organizations within Russia. Group-IB classes the group as a "big-game hunting" ransomware actor, since it uses sophisticated techniques to launch targeted attacks against large organizations. OldGremlin has been active since at least March 2020, and uses sophisticated spearphishing attacks to gain entry to victims' networks. The gang deploys its own ransomware, dubbed "TinyCryptor" (also known as "Decr1pt"), as well as custom-made backdoors called "TinyPosh" and "TinyNode." The group also leverages the Cobalt Strike penetration testing software once they gain a foothold within the network.
OldGremlin's first successful attack occurred in August, targeting "a large medical company with a network of regional branches." After lurking in the company's networks for several weeks, the attackers wiped the victim's backups and, "In just a few hours on [a] weekend, they spread their ransomware TinyCryptor across hundreds of computers on the corporate network." Group-IB says "the company's regional branches were paralyzed and unable to operate." The attackers set the ransom at $50,000 worth of cryptocurrency.
OldGremlin's targeting of Russian organizations is highly unusual. Group-IB's Oleg Skulkin notes, "OldGremlin is the only Russian-speaking ransomware operator that violates the unspoken rule about not working within Russia and post-Soviet countries. They carry out multistage targeted attacks on Russian companies and banks using sophisticated tactics and techniques similar to those employed by APT groups."
In any case, BleepingComputer suspects the group "is currently operating at smaller scale to fine-tune their tools and techniques before going global."
For more, see the CyberWire Pro Research Briefing.
McAfee files for IPO and Palantir goes public.
McAfee has filed for an IPO with the US Securities and Exchange Commission, ZDNet reports. The company first went public in 1999, but went private in 2011 after being acquired by Intel. McAfee hasn't yet determined the financial details for its new offering, but the Motley Fool observes that "The underwriting syndicate is quite large, implying a sizable IPO." McAfee stated, "Morgan Stanley and Goldman Sachs & Co. LLC are acting as lead book-running managers and representatives of the underwriters for the offering. TPG Capital BD, LLC, BofA Securities, Citigroup, RBC Capital Markets, Deutsche Bank Securities, UBS Investment Bank, HSBC and Mizuho Securities will also serve as joint-bookrunning managers for the proposed offering. Evercore ISI, Piper Sandler and Stifel are acting as co-managers for the offering."
And Palantir began trading on Wednesday with a direct listing on the New York Stock Exchange under the ticker symbol PLTR. According to TechCrunch, Palantir reached a valuation of $24.8 billion on its first day of trading.
For more business news, including executive moves, see the CyberWire Pro Business Briefing.
Patch news.
Microsoft has published clarification of its patching and mitigation guidance for the Zerologon vulnerability. As the company has said before, a more comprehensive patch is in the works, and is due to be released this coming February 9th, when the fix moves to its “Enforcement” phase. For now, Microsoft wants users to understand that they should respond to the vulnerability in four steps:
- "UPDATE your Domain Controllers with an update released August 11, 2020 or later."
- "FIND which devices are making vulnerable connections by monitoring event logs."
- "ADDRESS non-compliant devices making vulnerable connections."
- "ENABLE enforcement mode to address CVE-2020-1472 in your environment."
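The FIND and ENABLE steps above hinge on the Netlogon events a patched domain controller writes to its System log. The following is an added example, not Microsoft's or the CyberWire's code: it triages a constructed export of those events (the kind of dicts you would get from a Get-WinEvent export), groups the devices still making vulnerable connections by machine account, and reports whether enforcement mode can be turned on without cutting a device off. The account names and addresses are invented sample data.

```python
"""Triage Netlogon secure-channel events for Zerologon (CVE-2020-1472) cleanup.

Assumption: events were exported from a domain controller's System log into
dicts carrying the event ID, account name and source address. The IDs below are
the ones the August 2020 Netlogon update logs for vulnerable connections:
  5827/5828  vulnerable connection DENIED (machine account / trust account)
  5829       vulnerable connection ALLOWED during the initial deployment phase
  5830/5831  vulnerable connection ALLOWED because group policy permits it
"""
from collections import defaultdict

DENIED = {5827, 5828}
ALLOWED_INITIAL = {5829}
ALLOWED_BY_POLICY = {5830, 5831}

# Constructed sample export; not real log data.
SAMPLE_EVENTS = [
    {"Id": 5829, "Account": "PRINTSRV01$", "Source": "10.0.1.15"},
    {"Id": 5829, "Account": "PRINTSRV01$", "Source": "10.0.1.15"},
    {"Id": 5830, "Account": "LEGACYNAS$", "Source": "10.0.2.40"},
    {"Id": 5827, "Account": "OLDSCANNER$", "Source": "10.0.3.7"},
    {"Id": 4624, "Account": "jdoe", "Source": "10.0.1.50"},  # unrelated logon event
]


def classify(event_id):
    """Map a Netlogon event ID to a remediation status, or None if unrelated."""
    if event_id in DENIED:
        return "denied"
    if event_id in ALLOWED_INITIAL:
        return "allowed_initial_deployment"
    if event_id in ALLOWED_BY_POLICY:
        return "allowed_by_policy"
    return None


def summarize(events):
    """Return {account: {count, sources, statuses}} for vulnerable-connection events."""
    summary = defaultdict(lambda: {"count": 0, "sources": set(), "statuses": set()})
    for ev in events:
        status = classify(ev["Id"])
        if status is None:
            continue  # step FIND: only Netlogon secure-channel events matter here
        entry = summary[ev["Account"]]
        entry["count"] += 1
        entry["sources"].add(ev["Source"])
        entry["statuses"].add(status)
    return dict(summary)


def enforcement_ready(summary):
    """Step ENABLE is safe only when no device still depends on an allowed
    vulnerable connection; denied (5827/5828) devices are already cut off.
    Returns (ready, sorted list of accounts that still block enforcement)."""
    blockers = sorted(acct for acct, e in summary.items()
                      if e["statuses"] & {"allowed_initial_deployment", "allowed_by_policy"})
    return (not blockers, blockers)


if __name__ == "__main__":
    report = summarize(SAMPLE_EVENTS)
    for acct, e in sorted(report.items()):
        print(f"{acct:14} {e['count']:3} events  {sorted(e['statuses'])}  from {sorted(e['sources'])}")
    ready, blockers = enforcement_ready(report)
    print("enforcement ready:", ready, "blocked by:", blockers)
```

Devices listed as blockers need the ADDRESS step (a vendor update or a group-policy exception) before enforcement mode is switched on.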
Crime and punishment.
The latest round of extradition hearings for Huawei CFO Meng Wanzhou began on Monday, the BBC reports. Ms. Meng remains under house arrest in Canada. She's accused by the US of committing bank fraud by causing HSBC to unknowingly violate US sanctions against Iran.
Courts and torts.
On Thursday the US Treasury Department's Office of Foreign Assets Control (OFAC) issued a reminder that companies who decide to pay ransomware extortionists risk civil penalties for any related transgression of OFAC-administered sanctions. The notice specifically mentions the risk to “financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response.”
Policies, procurements, and agency equities.
The Guardian reports that the head of the UK’s Strategic Command, General Sir Patrick Sanders, says Prime Minister Johnson has directed him to ensure that the UK remains a "leading full-spectrum cyber power," and that includes deploying significant offensive capability.
StateScoop reports that the US state of Iowa announced yesterday that it will be working with white-hat hackers at Bugcrowd to test state-operated election, business, and victim outreach websites for vulnerabilities. The crowdsourcing security company has already uncovered multiple minor issues.
For more, see the CyberWire Pro Policy Briefing.