Staying updated on cybersecurity news means not just knowing about the latest data breaches. It also requires understanding the steps organizations take to minimize the effects of a data breach. Furthermore, it helps security managers and CISOs ensure their teams are aware and well-informed of emerging threats. Following are the latest trends in the cybersecurity threat landscape covering phishing, data breaches and other cyber threats.
France: Cyberattack on a Hospital Center, its Services Severely Disrupted
The Corbeil-Essonnes located South Francilien Hospital Center (CHSF) became the victim of a cyberattack seriously disrupting its activity, a press release from the establishment said.
The Center shifted some patients to public hospitals in Île-de-France. The attack made most of the hospital’s business software inaccessible, including the information system and the storage systems (medical imaging) related to patient admissions. According to sources, threat actors demanded a ransom of 10 million dollars from the hospital center.
The hospital quickly seized the National Authority for the Security and Defense of Information Systems (ANSSI) about the crisis and the measures it had taken to take charge of the patients.
- Patients requesting access to the technical platform were redirected to the public hospitals in Ile-de-France.
- Those arriving at the emergency room were assessed and sent to the Sud Francilien hospital’s medical care center.
- The medico-technical services (medical biology) were working in a degraded mode for patients hospitalized at the CHSF.
The establishment said the situation “can have a significant impact on the operating room’s activity.”
Google: Iranian Hackers Using Latest Tool to Steal Emails From Targets
Charming Kitten, the state-sponsored Iranian hacking group, is using a new tool to download emails from targeted Microsoft Outlook, Gmail and Yahoo accounts.
They are using the Hyperscraper utility, and like most threat actor tools, it is not very sophisticated. In a recent technical report, Google’s Threat Analysis Group (TAG) shared that Hyperscraper’s functionality is under active development.
According to TAG, the Iranian-backed group is also known as Phosphorus and APT35, and the earliest sample dates from 2020. The researchers analyzed Hyperscraper using a test Gmail account, with the following findings:
- Hyperscraper is an instrument that helps malicious actors steal email data and save it on their computers after accessing the victim’s email account.
- It has an embedded browser that spoofs the user agent and offers the Gmail account’s basic HTML view.
- After logging in, the tool modifies the account’s language to English and iterates through the inbox contents, downloading messages as .eml files individually and marking them unread.
- After the exfiltration, Hyperscraper restores the language settings to the original and deletes the security alerts from Google.
Greek Gas Operator Refuses Negotiation With Ransomware Group After Cyberattack
DESFA, Greece’s national natural gas operator, confirmed that it became the target of a cyberattack, but it will not negotiate with the attackers. DESFA is responsible for developing, exploiting, operating and managing Greece’s natural gas system.
The ransomware group Ragnar Locker added the DESFA to its leak site and mentioned that no one had responded to their demands. Furthermore, DESFA confirmed the impact on the availability of a few systems and the leakage of some directories and files.
The company’s statement read, “We have managed to continue the operation of the NNGS (National Natural Gas System) reliably and safely. NNGS management continues to operate efficiently DESFA will continue to supply natural gas on the country’s all entry and exit points safely and adequately.” Furthermore, it added that “DESFA will remain firm in its non-negotiating position with cybercriminals.” After the attack, DESFA deactivated most of its IT services and is slowly bringing everything back on.
Experts Find Backdoors in Budget Android Devices that Target Whatsapp and Whatsapp Business Apps
Doctor Web researchers recently discovered backdoors in the system partition of budget Android devices and counterfeit versions of famous models. The malware targets WhatsApp and WhatsApp Business apps and allows attackers to conduct various malicious activities like:
- Interception of chats.
- Theft of confidential information.
- Execute spam campaigns and various scam schemes.
According to Doctor Web, these are not the sole risk factor for users. These devices claim they have installed a secure and modern Android OS version, which is far from the truth. They run an obsolete Android version, subject to various vulnerabilities.
The experts noticed that the affected devices mimicked famous brand-name models; their names were similar to models produced by popular manufacturers. However, they were running outdated Android OS versions (Android 4.4.2) instead of installing the latest OS versions.
Estonia Says it Thwarted a Major Cyber-Attack After Removing Soviet Monuments
After it removed several Soviet monuments in an ethnic Russian majority, Estonia said they have repelled “the most extensive cyber-attack since 2007.” Russian hacker group Killnet stated on its Telegram account that it had denied access to over 200 state and private Estonian institutions, like the online citizen identification system and claimed responsibility for the attack.
Killnet, which claimed to execute a similar attack against Lithuania in June, mentioned it acted after Estonia moved a Soviet Tu-34 tank from public display in the Narva town to a museum. In a DDoS attack, attackers flood a network with high data traffic volumes to paralyze it so it cannot cope with the scale of requested data.
Estonia started taking cyber security measures in 2007 after suffering extensive attacks on private and public websites that it blamed on Russians. It said they were angry at removing a Soviet-era statue, The Red Army monument, that was moved from a Tallinn square. The incident followed two nights of riots by ethnic Russians.
The Estonian government had ordered the swift removal of all public Soviet memorials in Narva, the majority Russian-speaking town, citing rising tensions and accusing Russia of exploiting the past to divide Estonian society.
LockBit Leaks Data from a Data Breach on Security Giant Entrust
Starting in early June, Entrust began telling its customers that they had suffered a data breach and data got stolen from internal systems. The communique from the company said, “As we continue our investigations, we will directly contact you if there is information which we think will affect the security of services and products we offer to your organization.”
Entrust claimed that while investigations were ongoing, there was no indication that the data breach affected the security or operation of their products and services. They run in air-gapped, separate environments from their internal systems and are completely operational.
However, the ransomware group LockBit recently created a dedicated data leak webpage for Entrust, stating they will publish all the stolen files soon. When ransomware groups publish data on their data leak websites, they usually leak it over time to scare the target into returning to the negotiation table.
Since LockBit states they will publish all data, it is possible that Entrust did not negotiate with the attackers or refuses to give in to their demands.
Cisco Patches a High-Severity Bug in its Web Protection Solution
Cisco recently announced patches for an escalation of privilege vulnerability (high-severity) in AsyncOS for the Cisco Secure Web Appliance. Cisco’s Secure Web Appliance, formerly Web Security Appliance (WSA), is an enterprise protection solution that provides application visibility and control and blocks risky websites.
Tracked as CVE-2022-20871, hackers could remotely exploit the newly addressed flaw to escalate privileges to root by injecting commands. However, it required authentication for successful exploitation.
Cisco said that the security bug existed because of the non-validation of the user-supplied input for the web interface. After authenticating to the system and forwarding a crafted HTTP packet to the targeted device, the cybercriminal could easily exploit the vulnerability. A successful exploit allowed the cybercriminal to execute arbitrary commands and elevate privileges to root.
Cisco confirmed that it had resolved the vulnerability with the AsyncOS for the Secure Web Appliance 14.5.0-537 release and planned to release the 12.5 and 14.0 updated versions of the appliance.
35 “Clearly Malicious” Apps Found in the Google Play Store
Researchers warned that over two million Android users had downloaded a few malicious apps that bypassed security protections and got into the Google Play app store.
After installation, the apps used malicious techniques to hide from the victim to avoid getting removed while bringing up malicious ads that link directly to malware. Cybersecurity researchers at Bitdefender discovered 35 “clearly malicious” apps in the Google Play store, many of which tricked victims into downloading them.
If users download any apps, researchers recommend they immediately find and delete them. Some malicious apps like Image Warp Camera, Personality Charging Show, and Animated Sticker Finder got downloaded over 100,000 times.