By the CyberWire staff
At a glance.
- Ransomware attack delayed thousands of appointments at London hospitals.
- CDK Global attack disrupts auto dealership sales.
- Biden administration bans Kaspersky products in the US.
- NHS Dumfries and Galloway notifies patients of data breach.
- SneakyChef targets government entities with SugarGh0st RAT.
- Chinese threat actor deploys malware on unpatched F5 BIG-IP appliances.
- RansomHub ransomware expands targeting to ESXi servers.
- T-Mobile denies breach claims.
- New malware uses emoji-based command protocol.
Ransomware attack delayed thousands of appointments at London hospitals.
London hospitals were forced to reschedule more than 3,000 appointments following a ransomware attack against pathology service provider Synnovis earlier this month, the BBC reports. The NHS stated, "Trusts are working hard to make sure any procedures are rearranged as quickly as possible, including by adding extra weekend clinics. Patients will be kept informed about any changes to their treatment by the NHS organisation caring for them. This will be through the usual contact routes including texts, phone and letters. Any patient with a planned appointment at these Trusts, who has not been contacted, should attend their appointment as normal."
The NHS is still asking "O Positive and O Negative blood donors to urgently book appointments to donate in one of the 25 town and city centre NHS Blood Donor Centres in England over the next few weeks, to boost stocks of O type blood following the cyber incident."
The attack was claimed by the Qilin ransomware gang. A Qilin spokesperson told the Register they were aware that the attack would cause a healthcare crisis in London, stating, "That was our goal."
The Qilin gang Thursday night published 400 gigabytes of data allegedly stolen from Synnovis after the company refused to pay a $50 million ransom, the Register reports. NHS England told the BBC that it had "been made aware that the cyber criminal group published data last night which they are claiming belongs to Synnovis and was stolen as part of this attack." The NHS added, "We understand that people may be concerned by this and we are continuing to work with Synnovis, the National Cyber Security Centre and other partners to determine the content of the published files as quickly as possible. This includes whether it is data extracted from the Synnovis system, and if so whether it relates to NHS patients."
CDK Global attack disrupts auto dealership sales.
CDK Global, a company that provides sales management software to nearly 15,000 car dealerships across the US, has sustained a major cyberattack that forced the company to take most of its systems offline, CBS News reports. The company sustained an initial attack Tuesday evening, followed by a second incident late Wednesday night. After the second event, the company told its customers, "Out of continued caution and to protect our customers, we are once again proactively shutting down most of our systems. We are currently assessing the overall impact and consulting with external 3rd party experts. At this time, we do not have an estimated time frame for resolution and therefore our dealers’ systems will not be available at a minimum on Thursday, June 20th."
The nature of the attack is unclear, but BleepingComputer cites rumors that ransomware was involved.
Biden administration bans Kaspersky products in the US.
The Biden administration will ban Kaspersky from selling its products in the US beginning July 20th, Axios reports. Current Kaspersky customers will stop receiving security updates on September 29th. The US Commerce Department's Bureau of Industry and Security said in a statement, "Today’s Final Determination and Entity Listing are the result of a lengthy and thorough investigation, which found that the company’s continued operations in the United States presented a national security risk—due to the Russian Government’s offensive cyber capabilities and capacity to influence or direct Kaspersky’s operations—that could not be addressed through mitigation measures short of a total prohibition. Individuals and businesses that utilize Kaspersky software are strongly encouraged to expeditiously transition to new vendors to limit exposure of personal or other sensitive data to malign actors due to a potential lack of cybersecurity coverage."
NHS Dumfries and Galloway notifies patients of data breach.
NHS Dumfries and Galloway, part of NHS Scotland, says approximately 150,000 people should assume their data has been leaked following a data extortion attack the organization sustained in February, the Register reports. The NHS board is sending breach notifications to everyone in the Dumfries and Galloway region, stating, "This is an extremely serious situation, and everyone is asked to be on their guard for any attempts to access their computer systems, or any approaches by anyone claiming to hold their data or someone else’s data." The breached data includes "xrays, test results and correspondence between health and social care teams, correspondence between our teams and patients, and complaints letters."
NHS Dumfries and Galloway refused to meet the criminals' extortion demands, and the crooks published the stolen data online on May 6th.
SneakyChef targets government entities with SugarGh0st RAT.
Cisco Talos describes a campaign by the suspected Chinese threat actor "SneakyChef" that used the SugarGh0st RAT to target government entities in Angola, India, Kazakhstan, Latvia, Saudi Arabia, and Turkmenistan. The malware was delivered via phishing emails with well-crafted decoy documents that impersonated various government organizations. The researchers note, "The threat actor is using an SFX RAR as the initial vector in this attack. When a victim runs the executable, the SFX script executes to drop a decoy document, DLL loader, encrypted SugarGh0st, and a malicious VB script into the victim’s user profile temporary folder and executes the malicious VB script."
Chinese threat actor deploys malware on unpatched F5 BIG-IP appliances.
Sygnia has published a report outlining a sophisticated attack against a major organization by the Chinese threat actor Velvet Ant. The threat actor maintained persistence within the organization's network for three years while conducting cyberespionage. Sygnia explains, "The threat actor achieved remarkable persistence by establishing and maintaining multiple footholds within the victim company’s environment. One of the mechanisms utilized for persistence was a legacy F5 BIG-IP appliance, which was exposed to the internet and which the threat actor leveraged as an internal Command and Control." The researchers note that the compromised F5 appliance was "running an outdated, vulnerable, operating system."
RansomHub ransomware expands targeting to ESXi servers.
The RansomHub ransomware-as-a-service operation is using a Linux encryptor to target VMware ESXi environments, BleepingComputer reports. Recorded Future's Insikt Group notes that this feature "significantly expands the range of potential victims." The researchers add, "RansomHub’s ESXi version employs a unique tactic by creating a file named /tmp/app.pid to prevent multiple instances from running simultaneously. Modifying this file can halt the ransomware’s operations, presenting a potential mitigation strategy for affected systems."
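As an added illustration (not code from the Insikt Group report or the malware itself), the following POSIX shell script models the single-instance pid-file guard the paragraph describes, alongside the defender's pre-emption and a liveness check an ESXi administrator could use when triaging the file. It assumes the encryptor simply refuses to start when /tmp/app.pid already exists, which the page does not specify; LOCK_PATH is an overridable assumption so the demo can run outside /tmp.

```shell
#!/bin/sh
# Added example: models the /tmp/app.pid single-instance guard attributed to
# RansomHub's ESXi encryptor and the mitigation it invites.
# ASSUMPTION: an existing file is treated as "already running" and aborts the
# start; the exact check is not published. LOCK_PATH is overridable for demos.
LOCK_PATH="${LOCK_PATH:-/tmp/app.pid}"

# Generic pid-file guard: returns 0 when the lock is acquired, 1 when another
# instance (or a defender's placeholder) already holds it.
acquire_single_instance_lock() {
    if [ -e "$LOCK_PATH" ]; then
        echo "lock present at $LOCK_PATH (contents: $(cat "$LOCK_PATH" 2>/dev/null)); refusing to start" >&2
        return 1
    fi
    echo "$$" > "$LOCK_PATH"
    return 0
}

# Defender side: pre-create the lock so any later instance relying on the same
# guard refuses to run. Read-only permissions stop a casual overwrite only;
# ESXi has no chattr, so this is a speed bump, not a tamper-proof control.
preempt_lock() {
    if [ -e "$LOCK_PATH" ]; then
        echo "lock already exists at $LOCK_PATH; inspect it before replacing" >&2
        return 2
    fi
    printf '0\n' > "$LOCK_PATH" && chmod 0444 "$LOCK_PATH"
}

# Triage: returns 0 only if the lock names a live process, which on a host
# where no legitimate app.pid user exists is a signal worth investigating.
lock_owner_alive() {
    [ -r "$LOCK_PATH" ] || return 1
    pid=$(cat "$LOCK_PATH")
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pid" -gt 0 ] || return 1      # never signal pid 0 (process group)
    kill -0 "$pid" 2>/dev/null
}

# Demo only when invoked as: sh script.sh demo (uses a scratch directory).
if [ "${1:-}" = "demo" ]; then
    LOCK_PATH="$(mktemp -d)/app.pid"
    preempt_lock && echo "placeholder written to $LOCK_PATH"
    acquire_single_instance_lock || echo "second instance blocked as expected"
    lock_owner_alive || echo "no live owner behind the placeholder"
fi
```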
T-Mobile denies breach claims.
T-Mobile has denied being breached following claims by the IntelBroker threat actor to have stolen source code from the telecommunications giant, BleepingComputer reports. The company stated, "We are actively investigating a claim of an issue at a third-party service provider. We have no indication that T-Mobile customer data or source code was included and can confirm that the bad actor's claim that T-Mobile's infrastructure was accessed is false."
BleepingComputer cites a source as saying that the screenshots posted as proof by IntelBroker are "actually older screenshots of T-Mobile's infrastructure posted to a third-party vendor's servers, where it was stolen."
New malware uses emoji-based command protocol.
Volexity says the Pakistan-aligned threat actor UTA0137 is targeting Indian government entities with a new strain of Linux malware dubbed "DISGOMOJI." Notably, the malware uses an emoji-based protocol to receive commands from Discord. For example, a "Man Running" emoji is sent to run a command, while a camera emoji is used to take a screenshot.
The researchers note, "The use of Linux malware for initial access paired with decoy documents (suggesting a phishing context) is uncommon, as the attacker would only do this if they know the target is a Linux desktop user. Volexity assesses it is highly likely this campaign, and the malware used, is targeted specifically towards government entities in India, who use a custom Linux distribution named BOSS as their daily desktop."
Patch news.
VMware by Broadcom has released patches for two critical vulnerabilities (CVE-2024-37079 and CVE-2024-37080) affecting vCenter Server, SecurityWeek reports. The company states, "A malicious actor with network access to vCenter Server may trigger these vulnerabilities by sending a specially crafted network packet potentially leading to remote code execution." The flaws have been assigned CVSSv3 scores of 9.8.
Crime and punishment.
Spanish police have arrested a 22-year-old British man who's accused of being the ringleader of the Scattered Spider cybercrime group, KrebsOnSecurity reports. The man was arrested as part of an ongoing investigation by the US FBI. Vx-underground says the suspect is allegedly a SIM swapper who "is believed to be a key component of the MGM ransomware attack, and is believed to be associated with several other high profile ransomware attacks performed by Scattered Spider." Murcia Today cites the Palma police as saying the individual at one point controlled $27 million worth of bitcoin.
An international law enforcement operation coordinated by Europol has seized thirteen websites operated by terrorist groups, GBHackers reports. Europol said in a press release, "This joint effort, known as Operation HOPPER II, targeted key assets in the online dissemination of terrorist propaganda, including those of the so-called Islamic State, al-Qaeda and its affiliates, and Hay’at Tahrir al-Sham. The operation specifically targeted terrorist-operated websites used to disseminate terrorist propaganda, thereby limiting the ability of terrorist organisations to recruit, radicalise, and mobilise recruiters online."
Courts and torts.
California Attorney General Rob Bonta announced that software provider Blackbaud will pay $6.75 million as part of a settlement over a data breach the company sustained in May 2020, the Record reports. Blackbaud is a South Carolina-based company that provides data management software to nonprofit organizations.
Bonta stated, "Blackbaud’s failure to implement reasonable data security led to a data breach in 2020. Blackbaud then made misleading statements about the sufficiency of its data security efforts prior to the breach and about the extent of the breach to its nonprofit customers and the public. These actions violated the Reasonable Data Security Law, Unfair Competition Law, and the False Advertising Law related to data security. Under today’s settlement, which is subject to court approval, Blackbaud must pay $6.75 million in penalties and comply with requirements to strengthen its data security and breach notification practices."