Here are the latest updates on the major hacks and attacks this week that will keep you abreast of the recent threat factors and help plan your phishing prevention strategies.


Conti Ransomware Gang Attacks Sandhills Global

US-based information processing firm Sandhills Global recently underwent a ransomware attack that disrupted its business operations and brought down all hosted websites. Its trade magazines include Truck Paper, TractorHouse, RentalYard, Machinery Trader, AuctionTime, Machinery Trader Auction Results, Charter Hub, Controller, and Executive Controller. Users who visited the Sandhills website during this downtime received a Cloudflare Origin DNS error page. In the interim, Sandhills Global’s phones were un-operational as well.

It is suspected that the Conti ransomware gang is responsible for the attack. To protect against phishing and prevent the malware from spreading, the firm had to bring down its IT systems. The Conti gang operators usually steal files before encrypting systems; however, its approach in the Sandhills attack remains undisclosed.

Sandhills shared its data breach notification to customers where it mentioned that it had employed cybersecurity experts to look into the matter and help restore operations at the earliest. Further, the company apologizes for any delay in responses and reassures customers that their safety is a priority to Sandhills Global, and they’d do anything to keep that intact.


MoneyLion Informs Customers of Credential Stuff Attack

Famous fintech company MoneyLion is sending out breach notification letters to customers informing them of credential stuffing attacks that took place in June-July this year. The company is quite sure that its systems were not attacked and believes that the attack was targeting many user accounts, the details of which were probably leaked from another online site where the customers must have used the same password.

However, MoneyLion immediately began an investigation which revealed that account compromise attempts were made twice between 13-16th July and 27-30th July. These compromise attempts did not apply to all MoneyLion customers, and MoneyLion’s systems at large remain unaffected. Further, there is no evidence of the leak of the driver’s license numbers, social security numbers, bank, and other details of the targeted users. As part of its measures to ensure protection from phishing attacks, MoneyLion enabled multi-factor authentication for all customer accounts and forced them to reset their passwords.


Cyberattack Hits Two Indiana Hospitals

Cyberattacks hit two Indiana hospitals last week, which affected their IT systems. Consequently, the hospitals had to delay procedures or direct patients to other hospitals, but both managed to provide uninterrupted healthcare services to patients amidst their security crisis. Franklin-based Johnson Memorial Health and Seymour-based Schneck Medical are the two hospitals targeted by this (suspected) ransomware attack.

Johnson Memorial Health is working with external cybersecurity experts and the FBI to investigate the breach and posted about the same on their website. The hospital has adopted all necessary anti-phishing measures and is trying its best to restore the computer operations at the earliest. The hospital further updated that no surgeries or appointments had to be canceled, but it asked the patients with appointments to arrive early so that the slowed-down procedures do not harm anyone’s schedule.

On the other hand, Schneck Medical Center learned about the unauthorized access of its servers on 29th September and brought down all its IT applications as a phishing attack prevention measure. The medical center has hired external security experts to investigate the breach and restore its systems ASAP.


Ransomware Hits Marketing Firm Fimmick

Hong Kong-based marketing firm Fimmick recently underwent a ransomware attack that brought down its website. Some of Fimmick’s popular clients include Coca-Cola, Asus, McDonald’s, and Shell. Investigations into the breach revealed that the REvil ransomware gang was responsible for the attack where several Fimmick databases were stolen and encrypted. These databases stored details of some popular global brands such as Kate Spade, Coca-Cola, Cetaphil, and Hana-Musubi.

Researchers suggest that attackers frequently target marketing firms as they contain a lot of information on their clients, usually big enterprises themselves. Hacking into one marketing firm is the gateway to many other firms, and therefore marketing firms must always have a robust plan to prevent phishing attacks.


Former Employee Launches Attack on Secondary School

Leicestershire, UK-based secondary school Welland Park Academy recently wiped out its data and system passwords changed by a malicious former employee. The 29-year-old IT technician of the school –  Adam Georgeson, had a lot of resentment towards his former employers, and therefore, he used his admin rights to change the school systems’ passwords and wipe data. This inconsiderate action of Georgeson disrupted pupils’ remote learning during the Covid-19 pandemic.

Georgeson launched the retaliatory attack on the school on 16th January. Shortly after, he was employed by a Rutland-based IT company where, once again, he used his privileged access to change passwords and lock users out of the system in his new workplace. Consequently, he was arrested and pleaded guilty to two cybercrimes.  He might now be sentenced to up to 10 years in prison. This decision awaits to be taken next year on 27th January. Georgeson’s attacks on the two institutions are proof that organizations need to adopt phishing prevention best practices and closely monitor employee access to systems and files.


Google Sends Attack Warnings To 14k Gmail Users

Google’s head of the Threat Analysis Group (TAG) – Shane Huntley, recently pointed out that Russian government-sponsored hackers might have accessed the user accounts of over 14,000 users. The company released several warnings for users but nowhere did it call the incident a compromise of information. Huntley specified that the Russian state-sponsored hacker group APT 28 targeted many Gmail users using spam emails. Gmail could trace these malicious emails and immediately sent attacker warnings to the targeted users.

Google often detects such emails from APT groups, and warnings are regularly sent to targeted users, but this time, 14,000 users were targeted by a single group, which is a cause of concern. In addition, this attack attempt wasn’t confined to a particular place or region; it targeted people across the globe, including NGO members, journalists, and think tanks. This incident suggests two things – the Russian government hackers are spying on people irrespective of their stature, and Google is on the right path towards ensuring phishing protection for users.


Cyberattack Hits Engineering Firm Weir

The Glasgow, Scotland-based engineering firm Weir recently underwent a cyberattack that brought down its IT systems and cost it millions. Consequently, some of its operations were interrupted, delaying shipments exceeding £50m in revenue. So far, Weir has not found any evidence of the loss or encryption of any personal data.

Instead of negotiating with the adversaries, Weir is working with regulators and cybersecurity experts to respond to this sophisticated attack. The company has adopted necessary anti-phishing protection measures and is striving hard to restore all affected systems on a priority basis. Several disruptions in manufacturing, engineering, etc., have emerged because of the attack and the recovery process, but Weir knows better than to comply with ransom demands.


LockBit 2.0 Ransomware Hits EMIT Aviation Consulting Ltd.

EMIT Aviation Consulting Ltd. is an Israeli Aerospace & Defense firm recently hit by the LockBit 2.0 ransomware gang. The adversaries are now threatening to leak the data stolen from the firm on the dark web if it doesn’t comply with the ransom demands.

So far, the adversaries haven’t leaked any files as proof-of-the-attack. The roots of the attack also remain unidentified. From its looks, LockBit 2.0 used a ransomware-as-a-service model, like all of its other attacks. Since ransomware ads were removed from hacking forums, the LockBit operators have set up their site to advertise the LockBit 2.0 affiliate program. Customers and associates of EMIT Aviation Consulting Ltd. are advised to adopt measures to protect themselves from phishing attacks since the extent of the attack is yet to be investigated.