Cyber Attacks and Hacking

User avatar
RTH10260
Posts: 16064
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

#201

Post by RTH10260 »

London NHS hospitals revert to paper records after cyber-attack
Disruption has affected wider range of health providers than first thought, including GPs and community and mental health services

Denis Campbell and Dan Milmo
Wed 5 Jun 2024 21.39 CEST

A cyber-attack thought to have been carried out by a Russian group has forced London NHS hospitals to resurrect long-discarded paper records systems in which porters hand-deliver blood test results because IT networks are disrupted.

Guy’s and St Thomas’ trust (GSTT) has gone back to using paper, rather than computers, to receive the outcome of patients’ blood tests.

Synnovis, which analyses blood tests for GSTT, is still undertaking the work, despite being hit on Monday by a large-scale ransomware attack that has caused serious problems for the NHS.

A GSTT clinical staff member said: “Since the attack, Synnovis have had to print out the blood test results when they get them from their laboratories, which are on site at Guy’s and St Thomas.

“Porters collect them and take them up to the ward where that patient is staying or [to the] relevant department which is in charge of their care. The doctors and nurses involved in their care then analyse them and decide on that person’s treatment, depending on what the blood test shows.

“This is happening because Synnovis’s IT can’t communicate with ours due to the cyber-attack. Usually blood test results are sent electronically, but that’s not an option just now.”

The disclosure came as more details emerged about the impact of the latest hacking incident to hit the NHS, which Ciaran Martin, the former chief executive of the National Cyber Security Centre, said had been perpetrated by Russian cybercriminals.



https://www.theguardian.com/society/art ... ber-attack

#202

Post by RTH10260 »

Celebrity TikTok Accounts Compromised Using Zero-Click Attack via DMs

Jun 05, 2024
Newsroom
Cyber Attack / Online Security

Popular video-sharing platform TikTok has acknowledged a security issue that has been exploited by threat actors to take control of high-profile accounts on the platform.

The development was first reported by Semafor and Forbes, which detailed a zero-click account takeover campaign that allows malware propagated via direct messages to compromise brand and celebrity accounts without having to click or interact with it.

The exploit has been found to take advantage of a zero-day vulnerability in the messaging component that allows malicious code to be executed as soon as the message is opened.

It's currently unclear how many users have been affected, although a TikTok spokesperson said that the company has taken preventive measures to stop the attack and stop it from happening again in the future.

The company further said that it's working directly with impacted account holders to restore access and that the attack only managed to compromise a "very small" number of users. It did not provide any specifics about the nature of the attack or the mitigation techniques it had employed.

This is not the first time security issues have been uncovered in the widely-used service. In January 2021, Check Point detailed a flaw in TikTok that could have potentially enabled an attacker to build a database of the app's users and their associated phone numbers for future malicious activity.



https://thehackernews.com/2024/06/celeb ... mised.html

#203

Post by RTH10260 »

Popular WordPress Plugins Leave Millions Open to Backdoor Attacks

DEEBA AHMED
JUNE 3, 2024

Fastly researchers discover unauthenticated stored XSS attacks plaguing WordPress Plugins including WP Meta SEO, and the popular WP Statistics and LiteSpeed! Learn how these attacks work, the impact they have, and how to fortify your site with a multi-layered defence.

WordPress, the globally used content management system (CMS) powering millions of websites, is being abused in attacks exploiting unauthenticated stored Cross-Site Scripting (XSS) vulnerabilities, warns cloud security provider Fastly. The company discovered active exploitation attempts targeting three high-severity vulnerabilities in popular WordPress plugins.

According to Fastly’s blog post, attackers are injecting malicious scripts and backdoors into websites to create new admin accounts, inject PHP backdoors in plugin and theme files, and set up tracking scripts to monitor infected targets. The malicious payloads were referenced in five domains and with two additional tracking-based domains previously associated with WordPress plugin exploitation.

Vulnerable plugins include WP Meta SEO and the popular WP Statistics and LiteSpeed Cache plugins, boasting over 600,000 and 5 million active installations respectively. They were found vulnerable to attacks with malicious payloads injected via URL search parameters and scripts disguised as admin notifications, potentially leading to widespread compromise.



https://hackread.com/popular-wordpress- ... or-attack/

#204

Post by RTH10260 »

Lost in the Fog: A New Ransomware Threat

June 4, 2024
by Stefan Hostetler, Steven Campbell, Christopher Prest, Connor Belfiore, Markus Neis, Joe Wedderspoon, Rick McQuown and Arctic Wolf Labs Team

Summary

On May 2, 2024, Arctic Wolf Labs began monitoring deployment of a new ransomware variant referred to as Fog. The ransomware activity was observed in several Arctic Wolf Incident Response cases, each exhibiting similar elements. All victim organizations were located in the United States, 80% of which were in the education sector and 20% in the recreation sector.

We are sharing details of this emerging variant to help organizations defend against this threat. Please note that we may add further detail to this article as we uncover additional information in our ongoing investigation.

About Fog Ransomware

Starting in early May, the Arctic Wolf Incident Response team began investigating cases involving the deployment of the Fog ransomware variant against US organizations in the education and recreation sectors.

We refer to Fog as a ransomware variant rather than a group to distinguish between the entities responsible for creating the encryptor software and those conducting the hands-on-keyboard attacks against victims. This is a critical distinction because ransomware groups sometimes project an image of being a singular group when they are in fact composed of independent affiliate groups. At this time, the organizational structure of the group or groups responsible for carrying out attacks deploying Fog ransomware is unknown.

In each of the cases investigated, forensic evidence indicated that threat actors were able to access victim environments by leveraging compromised VPN credentials. Notably, the remote access occurred through two separate VPN gateway vendors. The last documented threat activity in our cases occurred on May 23, 2024.

Early in one of the cases, pass-the-hash activity was observed against administrator accounts which were subsequently used to establish RDP connections to Windows Servers running Hyper-V and Veeam. In another case, evidence of credential stuffing was observed, which was thought to facilitate lateral movement throughout the environment. In all cases, PsExec was deployed to several hosts, and RDP/SMB were used to access targeted hosts.

On Windows Servers that the threat actors interacted with, Windows Defender was disabled by the threat actors. Threat actors were observed encrypting VMDK files in VM storage and deleting backups from object storage in Veeam. Threat actors left behind ransom notes on affected systems and deployed a functionally identical ransomware payload in all cases. Other than a unique chat code, the ransom notes were identical. Other than the .onion address used for communication between the victim and threat actor, we have not observed an additional dark web presence such as a data leak site.
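Added example, not code from the Arctic Wolf report or from this post: a small Python correlator that scores hosts by how many of the intrusion stages described above (RDP logon by an admin account, PsExec service installation, Windows Defender real-time protection disabled) fire on the same host, and maps which RDP source reached which servers. It runs over constructed Windows event records; hostnames, accounts and addresses are invented, and the event IDs are the standard Windows ones (Security 4624 with LogonType 10, System 7045, Defender operational 5001).

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Event:
    """One Windows event log record, reduced to the fields the rules need."""
    host: str
    channel: str
    event_id: int
    fields: dict = field(default_factory=dict)


# Constructed sample telemetry (hostnames, accounts and IPs are invented).
SAMPLE_EVENTS = [
    Event("HV01", "Security", 4624, {"LogonType": "10", "TargetUserName": "svc_admin", "IpAddress": "10.0.5.23"}),
    Event("HV01", "System", 7045, {"ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}),
    Event("HV01", "Microsoft-Windows-Windows Defender/Operational", 5001, {}),
    Event("VEEAM01", "Security", 4624, {"LogonType": "10", "TargetUserName": "svc_admin", "IpAddress": "10.0.5.23"}),
    Event("VEEAM01", "System", 7045, {"ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}),
    Event("FILE02", "Security", 4624, {"LogonType": "10", "TargetUserName": "jdoe", "IpAddress": "10.0.7.4"}),
    Event("FILE02", "System", 7045, {"ServiceName": "Sysmon64", "ImagePath": "C:\\Windows\\Sysmon64.exe"}),
]

# One predicate per stage of the chain described in the report.
RULES = {
    # 4624 with LogonType 10 = RemoteInteractive, i.e. an RDP session
    "rdp_logon": lambda e: e.channel == "Security" and e.event_id == 4624
    and e.fields.get("LogonType") == "10",
    # 7045 = new service installed; PsExec drops a service named PSEXESVC
    "psexec_service": lambda e: e.channel == "System" and e.event_id == 7045
    and e.fields.get("ServiceName", "").upper().startswith("PSEXESVC"),
    # Defender operational 5001 = real-time protection was disabled
    "defender_rt_disabled": lambda e: e.event_id == 5001 and "Windows Defender" in e.channel,
}


def stage_hits(events):
    """Return {host: set of stage names} for every host with at least one hit."""
    hits = defaultdict(set)
    for e in events:
        for name, match in RULES.items():
            if match(e):
                hits[e.host].add(name)
    return dict(hits)


def score_hosts(events, min_stages=2):
    """Hosts on which at least min_stages distinct stages fired, most stages first.

    Each stage alone is noisy (admins use RDP and PsExec legitimately); the Fog
    cases stand out because several stages land on the same Hyper-V/Veeam servers.
    """
    hits = stage_hits(events)
    ranked = sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(host, sorted(stages)) for host, stages in ranked if len(stages) >= min_stages]


def shared_source_hosts(events):
    """Map each RDP source IP to the hosts it reached, keeping only sources that
    fanned out to more than one host: the lateral-movement pattern in the report."""
    fan = defaultdict(set)
    for e in events:
        if RULES["rdp_logon"](e):
            fan[e.fields.get("IpAddress")].add(e.host)
    return {ip: sorted(hosts) for ip, hosts in fan.items() if len(hosts) > 1}


if __name__ == "__main__":
    for host, stages in score_hosts(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(stages)}")
    print(shared_source_hosts(SAMPLE_EVENTS))
```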

#205

Post by RTH10260 »

Macs no longer a "protected species" when it comes to hacking
Fake Meeting Software Spreads macOS Infostealer

18 JUN 2024
Kevin Poireault Reporter, Infosecurity Magazine

Insikt Group, cybersecurity provider Recorded Future’s threat intelligence service, has observed a widespread malicious campaign targeting cryptocurrency users and involving Vortax, a fake virtual meeting software.

Vortax has a presence on social media and is marketed as a cross-platform and in-browser enterprise-focused alternative to other video chat services that leverages artificial intelligence to generate meeting summaries and action items and suggest questions or comments with its “MeetingGPT” product.

It maintains a Medium blog (medium[.]com/@vortax) with approximately 22 suspected AI-generated articles published between December 7 and 16, 2023. On X (formerly Twitter), the Vortax account even has a gold tick, meaning it is designated as a ‘Verified Organization.’

However, once installed, Vortax delivers three information stealers (infostealers) in cross-platform attacks (Rhadamanthys, Stealc and Atomic macOS Stealer, or AMOS) in an extensive campaign aimed at cryptocurrency theft.

The third infostealer, AMOS, is of particular importance to the researchers because it’s a rare occurrence of a macOS infostealer, which is less common than its Windows counterparts.

Rise in macOS Infostealers

Upon further investigation of the Vortax application, its network of associated accounts, and the malware it deployed, Insikt Group identified 23 other malicious macOS applications masquerading as legitimate. Most of these were targeting virtual meeting software and cryptocurrency users.

Insikt Group researchers also identified connections between the Vortax campaign and a previous infostealer campaign targeting web3 gaming projects.

“Based on these findings, we are confident that the two campaigns are affiliated with the same threat actor – previously identified by Insikt Group as using the AMOS UserID ‘markopolo’,” the researchers wrote.

“This scaled campaign is likely indicative of a widespread credential harvesting operation, which could imply that markopolo acts as an initial access broker (IAB) or ‘log vendor’ on a dark web shop, such as Russian Market or 2easy Shop; however, we have no evidence to make that assessment, as of this writing.”

In the previous report, Insikt Group also observed that mentions of macOS malware and exploit kits increased by 79% between 2022 and 2023 - a trend likely accelerated by increased use of the AMOS infostealer.

“Given its tight-knit community, we assess that other operators of AMOS will likely model future campaigns after the success of markopolo. This may result in a wider proliferation of AMOS in the wild, accompanied by diverse and wide-ranging campaigns attributed to individual threat actors, exacerbating the long-term threat of a less secure landscape for macOS users,” the researchers concluded.



https://www.infosecurity-magazine.com/n ... fostealer/

#206

Post by RTH10260 »

UK
Records on 300m patient interactions with NHS stolen in Russian hack
Exclusive: Health service scrambling to set up helpline after Qilin gang put stolen data into public domain overnight

Denis Campbell and Dan Milmo
Fri 21 Jun 2024 14.34 CEST

Russian hackers have stolen records covering 300m patient interactions with the NHS, including the results of blood tests for HIV and cancer, the Guardian can reveal.

The amount and sensitive nature of the data obtained by the Qilin hacking gang has caused alarm among NHS bosses, who are scrambling to set up a helpline to deal with inquiries from what could be a large number of worried patients and also health service staff.

Seven hospitals run by two NHS trusts were affected by the attack, which targeted Synnovis, a private/NHS joint venture that provides pathology services such as blood tests and transfusions. It is unclear at this stage if the hack involves only hospitals in the trusts or is more widespread.

The NHS’s anxiety about the impact of the attack increased on Friday after Qilin acted overnight on a threat to put stolen NHS data into the public domain, an indication that Synnovis has refused to pay a reported $50m (£40m) ransom.

It is as yet unclear exactly what data, or how much of the haul, the ransomware group has made public. But the stolen data includes details of the results of blood tests conducted on patients having many types of surgery, including organ transplants, or suspected of having a sexually transmitted infection, or who have had a blood transfusion, well-placed sources have disclosed.

In a development that will cause anxiety among patients who have received private healthcare in recent years, Qilin’s haul is understood to include records of tests that people have had at multiple private healthcare providers. It is not clear which private healthcare firms Synnovis – a joint venture between the pathology firm Synlab and two major London acute hospital trusts – works for.

The number of test results in the data that Qilin seized in the hack on 3 June is so huge because it covers tests that patients have had going back a significant number of years, sources say.



https://www.theguardian.com/society/art ... ssian-hack

#207

Post by RTH10260 »

HealthEquity data breach exposes protected health information

By Bill Toulas
July 3, 2024 03:34 PM

Healthcare fintech firm HealthEquity is warning that it suffered a data breach after a partner's account was compromised and used to access the Company's systems to steal protected health information.

The Company says it detected the compromise after detecting 'anomalous behavior' from a partner's personal device and launched an investigation into the incident.

The investigation revealed that the partner had been compromised by hackers who leveraged the hijacked account to gain unauthorized access to HealthEquity's systems and, later, exfiltrate sensitive health data.

"The investigation concluded that the Partner's user account had been compromised by an unauthorized third party, who used that account to access information," reads the SEC filing.

"The accessed information included some personally identifiable information, which in some cases is considered protected health information, pertaining to certain of our members."

"The investigation further concluded that some information was subsequently transferred off the Partner's systems."

HealthEquity specializes in providing health savings account (HSA) services and other consumer-directed benefits solutions, including flexible spending accounts (FSAs), health reimbursement arrangements (HRAs), and 401(k) retirement plans.

It is one of the largest HSA custodians in the United States, managing millions of HSA, FSA, HRA, and other benefit accounts, and working with numerous employers and health plans.

The exact impact and number of people affected by the security incident haven't been disclosed, though HealthEquity says it has begun notifying impacted individuals.


https://www.bleepingcomputer.com/news/s ... formation/

#208

Post by RTH10260 »

A Hacker Stole OpenAI Secrets, Raising Fears That China Could, Too
A security breach at the maker of ChatGPT last year revealed internal discussions among researchers and other employees, but not the code behind OpenAI’s systems.

By Cade Metz
July 4, 2024

Early last year, a hacker gained access to the internal messaging systems of OpenAI, the maker of ChatGPT, and stole details about the design of the company’s A.I. technologies.

The hacker lifted details from discussions in an online forum where employees talked about OpenAI’s latest technologies, according to two people familiar with the incident, but did not get into the systems where the company houses and builds its artificial intelligence.

OpenAI executives revealed the incident to employees during an all-hands meeting at the company’s San Francisco offices in April 2023 and informed its board of directors, according to the two people, who discussed sensitive information about the company on the condition of anonymity.

But the executives decided not to share the news publicly because no information about customers or partners had been stolen, the two people said. The executives did not consider the incident a threat to national security because they believed the hacker was a private individual with no known ties to a foreign government. The company did not inform the F.B.I. or anyone else in law enforcement.

For some OpenAI employees, the news raised fears that foreign adversaries such as China could steal A.I. technology that — while now mostly a work and research tool — could eventually endanger U.S. national security. It also led to questions about how seriously OpenAI was treating security, and exposed fractures inside the company about the risks of artificial intelligence.

After the breach, Leopold Aschenbrenner, an OpenAI technical program manager focused on ensuring that future A.I. technologies do not cause serious harm, sent a memo to OpenAI’s board of directors, arguing that the company was not doing enough to prevent the Chinese government and other foreign adversaries from stealing its secrets.


https://www.nytimes.com/2024/07/04/tech ... -hack.html

#209

Post by RTH10260 »

Ransomware Eruption: Novel Locker Malware Flows From ‘Volcano Demon’
Attackers clear logs before exploitation and use "no caller ID" numbers to negotiate ransoms, complicating detection and forensics efforts.

Elizabeth Montalbano, Contributing Writer
July 3, 2024

A double-extortion ransomware player has exploded onto the scene with several attacks in two weeks, wielding innovative locker malware and a slew of evasion tactics for covering its tracks and making it difficult for security experts to investigate.

Tracked as "Volcano Demon" by the researchers at Halcyon who discovered it, the newly discovered adversary is characterized by never-before-seen locker malware, dubbed LukaLocker, that encrypts victim files with the .nba file extension, according to a blog post published this week.

The attacker's evasion tactics include the installation of limited victim logging and monitoring solutions prior to exploitation and the use of "threatening" phone calls from "No Caller ID" numbers to extort or negotiate a ransom.

"Logs were cleared prior to exploitation and in both cases, a full forensic evaluation was not possible due to their success in covering their tracks," the Halcyon Research Team wrote in the post. Volcano Demon also has no leak site for posting data it steals during its attacks, though it does use double extortion as a tactic, the team said.

In its attacks, Volcano Demon used common administrative credentials harvested from the networks of its victims to load a Linux version of LukaLocker, then successfully locked both Windows workstations and servers. Attackers also exfiltrated data from the network to its own command-and-control server (C2) prior to ransomware deployment so it could use double extortion.

A ransom note instructs victims to contact attackers through the qTox messaging software and then wait for technical support to call them back, making it difficult to track the communication between the parties, according to Halcyon.



https://www.darkreading.com/cyberattack ... cano-demon

#210

Post by RTH10260 »

WORST-CASE SCENARIO
AT&T says hackers stole call records of ‘nearly all’ wireless customers
The information could provide a roadmap for criminals who could impersonate a friend or relative to trick a victim, experts warned.

By Joseph Menn and Aaron Gregg
Updated July 12, 2024 at 3:52 p.m. EDT | Published July 12, 2024 at 8:37 a.m. EDT

Hackers stole records detailing the phone contacts of almost all AT&T Wireless customers in one of the most serious breaches of sensitive consumer data in recent years, the company disclosed in a securities filing Friday.

The cache includes the numbers called or texted by more than 100 million customers between May 1 and Oct. 31, 2022, as well as one day in January 2023. It contains the numbers themselves as well as the frequency and combined durations of the interactions, but not the customer names or the content of those communications, AT&T said.

Since most numbers can be tied to real names, such records illuminate who is close to whom. That would provide a road map for criminals who could impersonate a friend or relative to trick a victim. Texts from financial institutions could be mimicked to get an account holder to divulge passwords, and workplace relationships could reveal the identity of U.S. spies.

“This data could be used by spies, scammers and other bad actors to target specific people or to improve the feasibility of scams by impersonating the numbers of people you regularly call,” said technologist Cooper Quintin of the Electronic Frontier Foundation.

The ability of U.S. intelligence to access similar calling records was one of the most alarming and impactful revelations by federal contractor Edward Snowden a decade ago. Now a large swath of it might be for sale to criminals and other governments.

AT&T said it had not detected the material being made public, and it said one person had been arrested. The company said it learned of the theft in April but delayed disclosing it — as required under recently adopted Securities and Exchange Commission regulations — at the request of law enforcement, for national security or public safety reasons, the first time such a delay has been disclosed.

Justice Department spokesman Joshua Stueve confirmed that the FBI had invoked the legal provision allowing the delay, and said AT&T had aided the investigation. He did not say how the breach could have impacted national security. The Federal Communications Commission said it was also investigating.

While Social Security and credit card numbers were not included in the breach, the identity of cell towers for an undisclosed number of customers was, and those would point to their physical locations.

Even without that location data, hackers could work out relationship webs, experts warned. Someone targeting a criminal prosecutor or police officer might be able to identify a close relative and then use that number to find out where they live. Spurned romantic partners could do the same.



https://www.washingtonpost.com/business ... ta-breach/