By the CyberWire staff
At a glance.
- Ransomware attack disrupts US blood donation nonprofit.
- American Hospital Association and Health-ISAC issue threat bulletin on ransomware.
- Russian hackers freed in prisoner swap.
- Dark Angels ransomware group received a $75 million payment.
- Ransomware gangs are exploiting VMware ESXi flaws.
- CISA warns of actively exploited ServiceNow vulnerabilities.
- DDoS attack brings down Microsoft services.
- New Android RAT steals money before wiping devices.
Ransomware attack disrupts US blood donation nonprofit.
OneBlood, a major nonprofit blood donation organization operating in the southeastern US, has sustained a ransomware attack that's disrupting its ability to provide blood to hospitals, the Record reports. Susan Forbes, OneBlood's senior vice president of corporate communications, said in a statement, "We have implemented manual processes and procedures to remain operational. Manual processes take significantly longer to perform and impacts inventory availability. In an effort to further manage the blood supply we have asked the more than 250 hospitals we serve to activate their critical blood shortage protocols and to remain in that status for the time being."
OneBlood added, "To help augment their supply the national blood community is rallying to assist OneBlood and the hospitals and patients it serves. Blood centers across the country are sending blood and platelets to OneBlood, and the AABB Disaster Task Force is coordinating national resources to assist with additional blood products being sent to OneBlood. All blood types are needed, but there is an urgent need for O Positive, O Negative and Platelet donations."
According to CBS News, OneBlood serves 355 hospitals across Florida, Georgia, and the Carolinas.
American Hospital Association and Health-ISAC issue threat bulletin on ransomware.
The American Hospital Association (AHA) and Health-ISAC on Thursday issued a joint threat bulletin regarding ransomware attacks in the healthcare industry, citing recent attacks against Octapharma, Synnovis, and OneBlood. While these attacks "appear to be unrelated and have been conducted by separate Russian-speaking ransomware groups," the report states that "the unique nature and proximity of these ransomware attacks - targeting aspects of the medical blood supply chain within a relatively short time frame, is concerning."
The AHA and Health-ISAC say "these incidents provide ample reason and impetus for HDOs, hospitals, and health systems to review contingency plans for possible disruption to the blood supply chain and other mission and life-critical medical supplies." The report recommends reviewing single points of failure and incorporating "multiple suppliers of these critical supplies into their supply-chain strategy to create redundancy in the event that one mission-critical supplier becomes inoperable as a result of a cyberattack."
Synnovis, a pathology lab provider in the UK that sustained a ransomware attack in June, doesn't expect to fully recover until early autumn.
Russian hackers freed in prisoner swap.
The US government has released two cybercriminals as part of a prisoner swap with Russia, CyberScoop reports. The deal secured the release of sixteen people from Russia, including three American citizens and one American green-card holder. Moscow received eight citizens in exchange, including convicted cybercriminals Vladislav Klyushin and Roman Seleznev. Klyushin had been serving nine years for his role in "an elaborate hack-to-trade scheme that netted approximately $93 million through securities trades based on confidential corporate information stolen from U.S. computer networks." Seleznev was serving fourteen years for his involvement in a $50 million identity theft and credit card fraud operation.
Dark Angels ransomware group received a $75 million payment.
Zscaler's ThreatLabz 2024 Ransomware Report found that the Dark Angels ransomware group received a $75 million payment from a single victim, nearly double the amount of the next highest known ransom payment ever made. The Dark Angels group typically focuses on a single large company at a time, in contrast to other ransomware gangs' opportunistic approaches. Zscaler notes, "The Dark Angels ransomware group’s strategy of targeting a small number of high-value companies for large payouts is a trend worth monitoring. Zscaler ThreatLabz predicts that other ransomware groups will take note of Dark Angels’ success and may adopt similar tactics, focusing on high-value targets and increasing the significance of data theft to maximize their financial gains."
Ransomware gangs are exploiting VMware ESXi flaws.
Microsoft has warned that several ransomware actors are exploiting a vulnerability (CVE-2024-37085) in ESXi hypervisors that can be used to obtain full administrative permissions. VMware has issued patches for the flaw. Microsoft stated, "Microsoft security researchers identified a new post-compromise technique utilized by ransomware operators like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest in numerous attacks. In several cases, the use of this technique has led to Akira and Black Basta ransomware deployments. The technique includes running the following commands, which results in the creation of a group named 'ESX Admins' in the domain and adding a user to it."
The US Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to apply patches by August 20th.
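The Microsoft description quoted above says the technique ends with a domain group named "ESX Admins" being created and a user added to it, which is a concrete thing a domain controller's Security log records. The detector below is an added example, not code from CyberWire, Microsoft or VMware: it scans constructed JSON-exported Security events for group-lifecycle event IDs (4727, 4737, 4754, 4728, 4756 are the standard Windows values) where the group name is "ESX Admins". The JSON export layout and field names (`EventID`, `TargetUserName`, `SubjectUserName`, `MemberName`) are assumptions about how the log was exported.

```python
"""Flag creation of, changes to, or membership additions to an 'ESX Admins' domain group.

Added example (not the newsletter's or Microsoft's code). Input is assumed to be
one JSON object per line exported from a domain controller's Security log; the
field names used below are assumptions about that export.
"""
import json
from typing import Dict, List, Optional

# Standard Windows Security event IDs for domain group lifecycle.
GROUP_EVENT_IDS = {
    4727: "security-enabled global group created",
    4737: "security-enabled global group changed (covers renames)",
    4754: "security-enabled universal group created",
    4728: "member added to security-enabled global group",
    4756: "member added to security-enabled universal group",
}

# The group name the ransomware technique relies on, per the Microsoft text quoted above.
WATCHED_GROUP = "esx admins"

# Constructed sample export: one benign group, one full 'ESX Admins' sequence, one bad line.
SAMPLE_EVENTS = [
    '{"EventID": 4727, "TargetUserName": "Finance-Readers", "SubjectUserName": "svc_hr"}',
    '{"EventID": 4727, "TargetUserName": "ESX Admins", "SubjectUserName": "jdoe"}',
    '{"EventID": 4728, "TargetUserName": "ESX Admins", "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example", "SubjectUserName": "jdoe"}',
    '{"EventID": 4737, "TargetUserName": "esx admins", "SubjectUserName": "jdoe"}',
    '{"EventID": 4728, "TargetUserName": "Domain Users", "MemberName": "CN=new,CN=Users,DC=corp,DC=example", "SubjectUserName": "svc_hr"}',
    'not json at all',
]


def parse_event(line: str) -> Optional[Dict]:
    """Return the event dict, or None for a malformed export line (never crash the detector)."""
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None


def group_name(event: Dict) -> str:
    """Group-lifecycle events name the group in TargetUserName (assumed export field)."""
    return str(event.get("TargetUserName", "")).strip().lower()


def is_esx_admins_activity(event: Dict) -> bool:
    """True when a watched group event concerns the 'ESX Admins' group (case-insensitive)."""
    return event.get("EventID") in GROUP_EVENT_IDS and group_name(event) == WATCHED_GROUP


def find_alerts(lines: List[str]) -> List[Dict]:
    """Return one alert per matching event, with the actor and (if any) the added member."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is None or not is_esx_admins_activity(event):
            continue
        alerts.append({
            "event_id": event["EventID"],
            "description": GROUP_EVENT_IDS[event["EventID"]],
            "actor": event.get("SubjectUserName"),
            "member": event.get("MemberName"),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the same logic belongs in the SIEM rule language rather than a script, and the alert should be correlated with the ESXi side: a group with this name appearing in a domain that never had one, created by an account that is not a hypervisor administrator, is the pattern worth paging on. Rename handling deserves a check against your own export, since which name a 4737 record carries depends on the collector.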
CISA warns of actively exploited ServiceNow vulnerabilities.
CISA has also added two critical ServiceNow vulnerabilities (CVE-2024-4879 and CVE-2024-5217) to its KEV Catalog, requiring FCEB agencies to patch the flaws by August 19th, the Record reports. ServiceNow issued patches for the vulnerabilities in May and June, and threat actors have been attempting to exploit them since a proof-of-concept exploit was released earlier this month.
According to Resecurity, the vulnerabilities "enable unauthenticated remote attackers to execute arbitrary code within the Now Platform, potentially leading to compromise, data theft, and disruption of business operations."
DDoS attack brings down Microsoft services.
Microsoft sustained a DDoS attack yesterday that disrupted a range of Azure services, as well as Microsoft 365 and Microsoft Purview services, BleepingComputer reports. Notably, Microsoft's DDoS mitigation mechanisms actually exacerbated the attack. The company stated, "While the initial trigger event was a Distributed Denial-of-Service (DDoS) attack, which activated our DDoS protection mechanisms, initial investigations suggest that an error in the implementation of our defenses amplified the impact of the attack rather than mitigating it." The company hasn't offered details on how this occurred, but says it will publish a post-incident review within two weeks.
New Android RAT steals money before wiping devices.
Researchers at Cleafy have published an analysis of "BingoMod," a new family of Android malware designed to gain access to bank accounts and initiate fraudulent transfers. After stealing a victim's money, the malware wipes the infected device to prevent forensic analysis. BingoMod is distributed via smishing, and impersonates an antivirus application.
Phishing campaign abused Proofpoint email relay servers.
Proofpoint has disrupted a campaign that abused its email protection platform to send an average of three million "perfectly spoofed" phishing emails per day, the Register reports. The company says a single threat actor exploited weak configurations in Proofpoint enterprise customers’ email infrastructures to impersonate Disney, Nike, IBM, Coca-Cola, and other major companies. Guardio Security, which discovered the campaign, notes that all the phishing emails were DKIM-signed and SPF-approved. The campaign ran from January to June 2024. The phishing emails were designed to trick users into handing over their credit card information.
Proofpoint stated, "The commonality shared between all the customers whose email infrastructures were being abused was a modifiable configuration setting that allowed outbound messages to be relayed from Microsoft 365. Spammers can therefore abuse any email infrastructure that allows messages to be relayed from email hosting services through their infrastructure. This specific email routing configuration abused by the spammer allowed outbound messages to be sent from a customer’s Microsoft 365 tenant for relay through their infrastructure, but it did not limit the Microsoft tenants allowed to relay."
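The quoted Proofpoint statement pins the problem to a relay rule that accepted outbound mail from Microsoft 365 without limiting which tenants could use it, and Guardio's observation that the messages passed SPF and DKIM follows from that: once the relay accepts a message, it leaves from the customer's own infrastructure and is signed as the customer's mail. The example below is added here and is not Proofpoint's or Guardio's code. It contrasts the weak policy (relay anything that arrived from a Microsoft 365 outbound host) with a hardened one that also requires the message's `X-OriginatorOrg` header, which Microsoft 365 stamps with the sending tenant, to be in a tenant allowlist and the From domain to be one the customer owns. The two messages, the allowlists and the relay hostname are constructed.

```python
"""Weak vs. hardened outbound-relay acceptance for mail arriving from Microsoft 365.

Added example (not Proofpoint's or Guardio's code). It assumes the relay sees the
message headers before deciding to forward it; X-OriginatorOrg is the header
Microsoft 365 adds with the sending tenant, and the allowlists are constructed.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Optional, Tuple

# Constructed: tenants this customer owns and the domains it is allowed to send as.
ALLOWED_TENANTS = {"example-corp.onmicrosoft.com", "example-corp.com"}
ALLOWED_SENDER_DOMAINS = {"example-corp.com"}

# Microsoft 365 outbound hosts live under this suffix; the regex matches any Received hop from them.
M365_OUTBOUND_RE = re.compile(r"\.outbound\.protection\.outlook\.com\b", re.IGNORECASE)

# Constructed spoof: an attacker's own tenant sending as a brand the customer does not own.
SPOOFED = """Received: from mail-xyz.outbound.protection.outlook.com (10.0.0.1) by relay.example-corp.com
X-OriginatorOrg: attacker-tenant.onmicrosoft.com
From: Big Brand Promotions <offers@big-brand.example>
To: victim@mail.example
Subject: Your reward is waiting

Constructed phishing sample body.
"""

# Constructed legitimate message from the customer's real tenant and domain.
LEGITIMATE = """Received: from mail-abc.outbound.protection.outlook.com (10.0.0.2) by relay.example-corp.com
X-OriginatorOrg: example-corp.onmicrosoft.com
From: Payroll <payroll@example-corp.com>
To: staff@example-corp.com
Subject: July statements

Constructed legitimate body.
"""


def parse(raw: str) -> Message:
    return message_from_string(raw)


def came_from_m365(msg: Message) -> bool:
    """True if any Received hop names a Microsoft 365 outbound host."""
    return any(M365_OUTBOUND_RE.search(hop) for hop in msg.get_all("Received", []))


def originator_tenant(msg: Message) -> Optional[str]:
    """The sending tenant as stamped by Microsoft 365, or None if absent."""
    value = msg.get("X-OriginatorOrg")
    return value.strip().lower() if value else None


def sender_domain(msg: Message) -> Optional[str]:
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def weak_relay_policy(msg: Message) -> bool:
    """The misconfiguration described in the text: relay anything that came from Microsoft 365."""
    return came_from_m365(msg)


def hardened_relay_policy(msg: Message, allowed_tenants=ALLOWED_TENANTS,
                          allowed_senders=ALLOWED_SENDER_DOMAINS) -> Tuple[bool, str]:
    """Relay only mail from an owned tenant that is sending as an owned domain."""
    if not came_from_m365(msg):
        return False, "not received from Microsoft 365"
    tenant = originator_tenant(msg)
    if tenant not in allowed_tenants:
        return False, f"tenant {tenant!r} is not in the allowlist"
    domain = sender_domain(msg)
    if domain not in allowed_senders:
        return False, f"sender domain {domain!r} is not owned by this customer"
    return True, "accepted"


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, "weak:", weak_relay_policy(parse(raw)), "hardened:", hardened_relay_policy(parse(raw)))
```

The weak policy accepts the spoof because it only asks where the message came from, and every Microsoft 365 tenant shares the same outbound hosts; the tenant check is what actually binds the relay to the customer. The From-domain check is the second half of the fix: a tenant the customer owns should still not be able to send as a brand it does not, since the relay's DKIM signature would vouch for that message too.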
Threat actors abuse TryCloudflare to deliver RATs.
Researchers at Proofpoint warn that threat actors are abusing the TryCloudflare free service to distribute malware. The researchers note, "In June and July, nearly all observed campaigns delivered Xworm, but previous campaigns also delivered AsyncRAT, VenomRAT, GuLoader, and Remcos. Some campaigns will lead to multiple different malware payloads, with each unique Python script leading to the installation of a different malware."
Proofpoint adds, "Campaign message volumes range from hundreds to tens of thousands of messages impacting dozens to thousands of organizations globally. In addition to English, researchers observed French, Spanish, and German language lures. Xworm, AsyncRAT, and VenomRAT campaigns are often higher volume than campaigns delivering Remcos or GuLoader. Lure themes vary, but typically include business-relevant topics like invoices, document requests, package deliveries, and taxes."
Patch news.
Bitdefender has patched a critical flaw affecting its GravityZone Update Server, GB Hackers reports. The vulnerability (CVE-2024-6980) could allow an unauthenticated attacker to cause a server-side request forgery. The issue "only affects GravityZone Console versions before 6.38.1-5 running only on premise."
Courts and torts.
CrowdStrike's shareholders have filed a lawsuit against the company over last week's outage, accusing CrowdStrike of making "false and misleading" statements about its software testing, the BBC reports. CrowdStrike has denied the allegations and says it will defend itself.
Delta Air Lines is also planning to sue CrowdStrike for compensation, CNBC reports. Delta estimates that the outage cost the airline up to $500 million after 7,000 flights were canceled. The company has hired high-profile attorney David Boies to handle the suit.