By the CyberWire staff
Therapy patients blackmailed after data breach.
Finnish Psychotherapy Center Vastaamo has suffered a data breach with loss of patient information, and extortionists have begun targeting individual patients with demands for hundreds of euros in exchange for keeping their data private. The incident is notable for its cruelty: private notes from the therapeutic sessions of about 2,000 patients have already been posted online, and the victims themselves are being asked to pay to have their information taken down.
Details of the breach remain sparse, but Computing reports that some 40,000 patients' data were compromised. Around 15,000 victims have already filed criminal reports, and the incident has received attention at the highest levels of Finland’s government. The Guardian quotes Robin Lardot, director of Finland’s National Bureau of Investigation, as saying, "We are investigating an aggravated security breach and aggravated extortion, among other charges."
Yle Uutiset reports that Vastaamo sustained two breaches—one in 2018 and one in 2019. The company has dismissed its CEO after concluding he’d been aware of the second breach for more than a year without disclosing it. CyberScoop says the attackers initially approached Vastaamo itself last month with a demand for around €450,000, which the company refused to pay. The criminals then began going after patients directly.
Victim Support Finland has advice for those affected.
How responsible are your software vendors?
See which niche vendors and established brands had products with vulnerabilities. Find out where critical vulnerabilities like EternalBlue, DejaBlue, BlueKeep, DirtyCow, and Heartbleed might be lurking within your cloud estate. See scores for IT security vendors, hardened appliances, and application stack integrators. Learn the 4 steps you can take today to reduce risk. Download the Orca Security 2020 State of Virtual Appliance Security Report
Ransomware attacks against hospitals.
The US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Health and Human Services (HHS) issued a joint statement warning that healthcare organizations are under an "increased and imminent" threat from ransomware. The strains deployed are usually Conti and (especially) Ryuk; the perpetrators are Russophone gangsters, not spies. NBC News reports that at least twenty hospitals have been hit in a recent wave of ransomware, with at least six occurring this past week. Many of the attacks were preceded by infestations of Trickbot or the related strain BazarLoader.
The majority of these incidents have been attributed to an Eastern European gang tracked as "Wizard Spider" or "UNC1878," which operates the Ryuk ransomware. Recorded Future's Allan Liska told Reuters, "This appears to have been a coordinated attack designed to disrupt hospitals specifically all around the country. While multiple ransomware attacks against healthcare providers each week have been commonplace, this is the first time we have seen six hospitals targeted in the same day by the same ransomware actor." MIT Technology Review on Thursday quoted Scope Security's Mike Murray as saying, "I think we’re at the beginning of this story. These guys are moving very fast and very aggressively. These folks seem to be trying to collect as much money as possible very quickly. I think it will be tomorrow or over the weekend before the real scale of this is understood. Compromises are still ongoing."
FireEye's Mandiant unit has also been tracking increased ransomware activity against healthcare institutions. The malware families facilitating these attacks are tracked by Mandiant as KEGTAP, SINGLEMALT, and WINEKEY (also known as BazarLoader or Team9), which CISA says were likely developed by the Trickbot gang. Mandiant's researchers say they are "directly aware of incidents involving KEGTAP that included the post-compromise deployment of RYUK ransomware. We have also observed instances where ANCHOR infections, another backdoor associated with the same actors, preceded CONTI or MAZE deployment."
Mandiant adds, "The operators conducting these campaigns have actively targeted hospitals, retirement communities, and medical centers, even in the midst of a global health crisis, demonstrating a clear disregard for human life." Charles Carmakal, SVP and CTO of Mandiant, commented that the Eastern European gang behind Ryuk in particular is "one of most brazen, heartless, and disruptive threat actors I’ve observed over my career."
For more, see the CyberWire Pro Privacy Briefing.
Students and members of the military, don't be left out of CyberWire Pro! We've got you!
Due to your student or military status (active or reserve military status), you are able to subscribe to CyberWire Pro or CyberWire Pro+ at a significant discount. That means you can unlock access to our focus briefings, exclusive podcasts, quarterly analyst calls, premium articles and much more. To learn more, visit here and click on the Contact Us button in the Academic or Government & Military box.
Turla uses updated malware against European government entity.
Researchers at Accenture say the Russian cyberespionage group Turla is using updated custom malware to target government organizations. The threat actor used its HyperStack backdoor and remote access Trojans Kazuar and Carbon to compromise an unnamed European government entity. Accenture says the group has been using some of these tools for more than a decade and it "will likely continue to maintain and rely on this ecosystem, and iterations of it, as long as the group targets Windows-based networks." HyperStack is a newer tool, first spotted in 2018. It's a "remote procedure call (RPC)-based backdoor" that's used for moving laterally and communicating with other systems on the local network.
The Estonian government and others have associated Turla with Russia’s Federal Security Service (FSB), according to CyberScoop. Accenture observes that, like other threat actors, Turla is abusing legitimate web services for command-and-control. In this case, Turla used a Pastebin project to serve commands to its Carbon RAT. BleepingComputer notes that Turla is known for its resourcefulness; in the past, the group has used comments on Britney Spears's Instagram photos to point to its command-and-control server.
CISA also this week issued Malware Analysis Reports on two strains of Russian state-sponsored malware. One concerns ComRAT, a PowerShell backdoor and infostealer currently being used by Turla, while the other describes Zebrocy, a backdoor that BleepingComputer says has been attributed to the Russian GRU's APT28 (also known as Fancy Bear).
Charming Kitten targets conference attendees.
Microsoft says the Iranian threat actor Phosphorus (also known as APT35 or Charming Kitten) sent spearphishing emails to influential people thought likely to attend the Munich Security Conference and the Think 20 (T20) Summit. The phishing emails were well-crafted phony invitations to the events, and they succeeded in tricking several recipients. The victims included "former ambassadors and other senior policy experts who help shape global agendas and foreign policies in their respective countries."
The phishing emails asked recipients to reply with their photo and bio, which the attackers would add to a PDF containing a URL. They'd then send this PDF to the victim and instruct them to click on the link, which led to a credential-harvesting site. Once the attackers gained access to an email account, they set up email-forwarding rules so they could continue receiving new emails even if they were locked out of the account. Finally, they exfiltrated a copy of the victim's entire mailbox and contact list.
"We recommend people evaluate the authenticity of emails they receive about major conferences by ensuring that the sender address looks legitimate and that any embedded links redirect to the official conference domain," Microsoft says. "As always, enabling multi-factor authentication across both business and personal email accounts will successfully thwart most credential harvesting attacks like these. For anyone who suspects they may have been a victim of this campaign, we also encourage a close review of email-forwarding rules in accounts to identify and remove any suspicious rules that may have been set during a successful compromise."
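The forwarding-rule review Microsoft recommends is easy to automate. The script below is an added example, not code from the page or from Microsoft: it takes an export of a mailbox's inbox rules, represented here as a list of dicts with hypothetical keys (`name`, `enabled`, `forward_to`, `redirect_to`, `forward_as_attachment_to`, `delete_message`), and flags every rule that sends mail to an address outside the organisation's domains, ranking highest the enabled rules that also delete the original message, since those hide the exfiltration from the mailbox owner. The organisation domain and the sample rules are constructed; a real deployment would map its own rule export onto these keys.

```python
# Added example (not from the page, Microsoft, or any vendor): audit exported
# mailbox inbox rules and flag auto-forwarding to addresses outside the
# organisation, the persistence step attackers set up after a credential phish.
# The record shape is a hypothetical, simplified export; map a real export
# (an Exchange inbox-rule listing, for instance) onto these keys.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed organisation domains; any other domain is treated as external.
ORG_DOMAINS = {"example.org"}

# Constructed sample export: three rules from one mailbox.
SAMPLE_RULES: List[Dict] = [
    {   # benign: forwards to a colleague inside the organisation
        "name": "cover-while-away",
        "enabled": True,
        "forward_to": ["deputy@example.org"],
        "redirect_to": [],
        "forward_as_attachment_to": [],
        "delete_message": False,
    },
    {   # suspicious: silently copies every message to an outside mailbox
        "name": "sync",
        "enabled": True,
        "forward_to": [],
        "redirect_to": ["collector@webmail.example"],
        "forward_as_attachment_to": [],
        "delete_message": True,
    },
    {   # external forward that is currently disabled: still worth a look
        "name": "old-forward",
        "enabled": False,
        "forward_to": ["me@webmail.example"],
        "redirect_to": [],
        "forward_as_attachment_to": [],
        "delete_message": False,
    },
]


@dataclass(frozen=True)
class Finding:
    rule_name: str
    severity: str                 # "high", "medium" or "low"
    recipients: Tuple[str, ...]   # the external addresses the rule targets
    reason: str


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an SMTP address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def external_recipients(recipients: Iterable[str],
                        org_domains: Iterable[str]) -> Tuple[str, ...]:
    """Keep only recipients whose domain is not one of the organisation's."""
    org = {d.lower() for d in org_domains}
    return tuple(r for r in recipients if _domain(r) not in org)


def audit_rules(rules: Iterable[Dict],
                org_domains: Iterable[str] = ORG_DOMAINS) -> List[Finding]:
    """Return a Finding for every rule that forwards or redirects externally."""
    findings: List[Finding] = []
    for rule in rules:
        # All three actions deliver a copy of the message elsewhere.
        targets = (rule.get("forward_to", [])
                   + rule.get("redirect_to", [])
                   + rule.get("forward_as_attachment_to", []))
        external = external_recipients(targets, org_domains)
        if not external:
            continue
        if not rule.get("enabled", True):
            severity, reason = "low", "disabled rule still forwards externally"
        elif rule.get("delete_message", False):
            severity, reason = "high", "forwards externally and deletes the original"
        else:
            severity, reason = "medium", "forwards externally"
        findings.append(Finding(rule["name"], severity, external, reason))
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"[{f.severity}] {f.rule_name}: {f.reason} -> {', '.join(f.recipients)}")
```

Domain comparison is case-insensitive because rule exports often preserve whatever case the attacker typed; matching on the domain rather than the whole address keeps legitimate internal forwards (such as cover-while-away) out of the report while still catching any outside mailbox.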
Want to get your message to leaders in cyber?
Security leaders across the globe trust the CyberWire and depend on us every day to deliver the news and analysis they need to do their jobs. That’s also why so many top security companies and hot startups trust us to help get the word out about their brand and fill their sales funnels. We have lots of great sponsorship opportunities that can help you get the word out too. Learn more at thecyberwire.com/sponsorship.
Outlining Kimsuky's activity.
CISA, the FBI, and US Cyber Command on Tuesday issued an alert detailing the TTPs being used by North Korea’s Kimsuky group, a cyberespionage operation of Pyongyang's Hidden Cobra outfit. The agencies assess that:
- "The Kimsuky APT group has most likely been operating since 2012.
- "Kimsuky is most likely tasked by the North Korean regime with a global intelligence gathering mission.
- "Kimsuky employs common social engineering tactics, spearphishing, and watering hole attacks to exfiltrate desired information from victims.
- "Kimsuky is most likely to use spearphishing to gain initial access into victim hosts or networks.
- "Kimsuky conducts its intelligence collection activities against individuals and organizations in South Korea, Japan, and the United States.
- "Kimsuky focuses its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.
- "Kimsuky specifically targets: Individuals identified as experts in various fields, Think tanks, and South Korean government entities.
- "CISA, FBI, and CNMF recommend individuals and organizations within this target profile increase their defenses and adopt a heightened state of awareness. Particularly important mitigations include safeguards against spearphishing, use of multi-factor authentication, and user awareness training."
"Perception hacks" in the US elections' endgame.
The FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) have steadily and credibly maintained that they've discerned no foreign success at compromising US election infrastructure, and indeed Foreign Affairs argues that, with the level of preparation seen at the Federal and state level, these elections may be the most secure in US history. Disinformation and misinformation, however, continue to be distributed (much of it at this point, the Washington Post says, arriving by text or email).
If, as has long been the case with Russian disinformation, and more recently with Iranian disinformation, the goal is to increase friction, to undermine the adversary's civil society by increasing mistrust in its institutions, then no actual successful cyberattack may be necessary at all. "Perception hacks," they're calling them in SecurityWeek and New York Times reports. Getting people to think the process is corrupt, or broken, is just as good as actually corrupting or breaking it.
Countering such perception hacks is a principal purpose of CISA's rumor control page. And CISA Director Krebs has been tweeting advice and reassurance about election security in the few remaining days before voting concludes on Tuesday. Among the points he makes is that website defacements like the one the Trump campaign briefly sustained (apparently, TechCrunch says, at the hands of alt-coin scammers) are just petty larceny noise, of very little consequence.
For more, see the CyberWire Pro Disinformation Briefing.
Sophisticated botnet targets CMS vulnerabilities.
Researchers at Imperva describe KashmirBlack, a well-designed botnet that exploits known vulnerabilities in popular CMS platforms. Imperva believes the botnet has been active since November 2019, and it's used for at least five purposes: "crypto mining, spamming, defacement, spreading and, pending bot." The defacement element led the researchers to suspect that the botnet is controlled by a member of the Indonesian hacking group "PhantomGhost."
Imperva emphasizes that KashmirBlack's developers and operators appear to be more sophisticated than most botnet groups. In a second blog post, the researchers outline the technical aspects of the botnet's infrastructure that make it complex, resilient, and easily expandable.
For more, see the CyberWire Pro Research Briefing.
Arctic Wolf secures $200 million in Series E round.
SOC-as-a-service provider Arctic Wolf has raised $200 million in a Series E round led by Viking Global Investors, with participation from DTCP and existing investors. The company also announced that it's moving its global headquarters from Sunnyvale, California, to Eden Prairie, Minnesota, explaining that, "Over the last four years, Arctic Wolf’s office in Minnesota has been at the center of the company’s corporate growth strategy, with the team in Eden Prairie growing to over 200 employees." Arctic Wolf stated that it plans to use the funding "to make significant investments in its new headquarters by the end of 2021 with addition of over 150 new jobs and the construction of the company’s third security operations center (SOC)."
More business news, including executive moves, can be found in the CyberWire Pro Business Briefing.
Crime and punishment.
There have been three more guilty pleas this week in the bizarre cyberstalking case involving former senior eBay employees harassing a Massachusetts couple who ran a mom-and-pop online newsletter that was sometimes mildly critical of the online auction giant. The US Justice Department announced that Phillip Cooke, a former supervisor of security operations for eBay’s European and Asian offices (and a former police captain in Santa Clara, California), pleaded guilty to conspiracy to commit cyberstalking and conspiracy to tamper with witnesses. Brian Gilbert, a former Senior Manager of Special Operations for eBay’s Global Security Team, and Stephanie Stockwell, the former manager of eBay’s Global Intelligence Center, pleaded guilty to the same charges as Cooke. This brings the total of guilty pleas to five; two other former eBayers in the case have yet to plead.
To recap the incident, the Justice Department’s statement on the guilty pleas says that "Members of eBay's executive leadership team followed the newsletter's posts, often taking issue with its content and the anonymous comments underneath the editor's stories." The charges allege a harassment campaign that included "anonymous and disturbing deliveries" to the home of the couple that ran the small newsletter. These included adult material, a bloody pig mask, and a book of advice on how to cope with grief after the death of a spouse. The accused are also alleged to have sought various interactions with the Natick, Massachusetts, police department, first to discredit the targeted couple and second to deflect suspicion for the harassment campaign away from themselves and onto other third parties.
Courts and torts.
The CEOs of Google, Twitter, and Facebook on Wednesday testified before the US Senate Commerce Committee concerning Section 230 of the Communications Decency Act, although TechCrunch notes that "The actual law being considered for revision was mentioned only a handful of times in the nearly four-hour hearing, the balance being taken up by partisan bickering."
IT Pro reports that online retail giant Amazon suffered a data leak in which an employee passed customer email addresses on to an unidentified external party. Though Amazon did send a general notification about the incident to customers, it seems the vague nature of the message has done more to worry customers than to alleviate their fears. Amazon did disclose that they've terminated the employee and notified law enforcement, but they haven't confirmed how many customers were affected or where the data were leaked.
Policies, procurements, and agency equities.
ZDNet reports that Slovakia, Kosovo, Bulgaria, and North Macedonia have signed 5G security agreements under the United States's Clean Network initiative, which is aimed at preventing Chinese companies from providing technology to be used in the 5G infrastructure of the US and its allies. The Bulgaria-US joint declaration is representative:
"To promote a vibrant and robust 5G ecosystem, the United States and the Republic of Bulgaria believe that a rigorous evaluation of suppliers and supply chains should take into account the rule of law; the security environment; ethical supplier practices; and a supplier’s compliance with security standards and best practices. Specifically, countries’ evaluations, while respecting their national legislation rules and competences, should include especially the following elements:
- "Whether the network hardware and software suppliers are subject, without independent judicial review, to control by a foreign government;
- "Whether the network hardware and software suppliers have transparent ownership, partnerships, and corporate governance structures and are subject to a legal regime that enforces transparent corporate practices;
- "Whether the network hardware and software suppliers are committed to innovation and respect for intellectual property rights; and
- "Whether the network hardware and software suppliers have a record of ethical corporate behavior.
"The United States and the Republic of Bulgaria also believe that the objective evaluation should be applied to foreign direct investments in critical communication infrastructure, be it physical or virtual, through a dedicated screening mechanism. Further, the United States and the Republic of Bulgaria recognize the need to raise awareness of the importance of 5G security and intend to promote it within the North Atlantic Treaty Organization and the European Union."
For more, see the CyberWire Pro Policy Briefing.