
Weekly Ransomware Roundup

Jan 23 - 27, 2023

CommonSpirit Facing Two Class Action Lawsuits After Breach

CommonSpirit, a hospital chain, is facing two federal class action lawsuits filed after a ransomware attack in 2022. The lawsuits allege that CommonSpirit failed to protect sensitive health information, affecting more than 623,000 patients. The plaintiffs claim that CommonSpirit's negligence led to the ransomware attack and data breach, which resulted in incorrect medication doses being given to patients and difficulties in scheduling appointments. The lawsuits also assert that CommonSpirit did not establish adequate safeguards for the confidentiality and security of patient data and failed to notify authorities for over two months after the intrusion, putting individuals at risk of identity theft and fraud.

Cybercriminals Use OneNote Attachments in Phishing Emails to Deploy RATs

Cybercriminals are using OneNote attachments in phishing emails to infect victims with remote access malware that steals passwords and cryptocurrency wallets. The attachments, posing as DHL shipping notifications, invoices, ACH remittance forms, mechanical drawings and shipping documents, infect the victim's device when double-clicked. This gives the attacker remote access to steal files, passwords, screenshots, and even video recorded through the webcam. Cybersecurity researchers have confirmed that the OneNote attachments carry the remote access trojans Quasar, AsyncRAT, and XWorm.

Vulnerability in Popular Online Course Plugin Exposes 75,000 WordPress Websites

Multiple critical-severity flaws were discovered in LearnPress, a WordPress online course plugin, between November 30 and December 2, 2022, by researchers who then notified the vendor. The vulnerabilities, identified as CVE-2022-47615, CVE-2022-45808, and CVE-2022-45820, can be exploited through SQL injection and local file inclusion to display local files stored on the web server, reveal sensitive information such as authorization tokens and API keys, modify data, and execute arbitrary code. LearnPress users are advised to upgrade to version 4.2.0 or disable the plugin until a security update is available.

DragonSpark Hacker Group Uses Golang Source Code Interpreter for Evasion

The DragonSpark hacking group is using Golang source code interpretation to evade detection in its cyber espionage attacks on East Asian organizations. It steals sensitive data, executes remote commands and moves laterally through networks using the open-source tool SparkRAT. The group has targeted China, Taiwan, and Singapore, exploiting vulnerabilities in MySQL database servers exposed online. The threat actors use webshells to deploy SparkRAT, executing PowerShell commands, manipulating Windows functions, and stealing system information. Golang source code interpretation allows the malware to execute embedded Go scripts, evading detection by most security software. DragonSpark also employs SharpToken, BadPotato, and GotoHTTP to escalate privileges and establish persistence on compromised systems.

How is Ransomware Affecting the Healthcare Industry

Healthcare providers must store confidential data such as patient information and medical records, which is highly valuable on the black market and makes healthcare organizations a prime target for hackers. Recent research shows a 94% increase in ransomware attacks on healthcare organizations. Read on to understand the impact of ransomware on healthcare institutions and how to protect against it.

New Malware is Targeting Windows with Stealthy Python RATs

Researchers have discovered a new Python-based malware named PY#RATION that communicates with its C2 server and steals data from the victim host using the WebSocket protocol. PY#RATION is spread via phishing using password-protected ZIP file attachments containing two shortcut .LNK files disguised as images. Upon launch, they execute malicious code and download two .TXT files, which are later renamed to BAT files for malware execution. The malware establishes persistence by adding a batch file to the startup directory. PY#RATION can perform network enumeration, file transfers, keylogging, shell command execution, and host enumeration, extract passwords and cookies from web browsers, and steal data from the clipboard.

Promo
210TB Fully Air-Gapped & Immutable Veeam Backup and DR appliance for $14,995

210TB Veeam Backup and DR appliance with Policy based Immutability using built-in Network & Power management Controllers and automated physical and logical Air-Gapped vault for $14,995

Gen 10, 16-bay, 3U Rackmount unit with 15x14TB (210TB) Enterprise SAS drives, 10 core Storage Virtualization Engine, 32GB System Memory, 512GB NVMe SSD, Redundant Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller, Dual 10Gb RJ-45 Ports, Fully Integrated SAN, NAS and optional S3 cloud storage.

All Enterprise Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are available as an option if needed.

For appliance demos, specifications, and quotes contact us.


Weekly Ransomware Roundup

Jan 16 - 20, 2023

Hackers Claim to Have Breached ODIN Intelligence's Website

ODIN Intelligence, a company that provides tools and technology to law enforcement, has suffered a cyberattack. Its SweepWizard app, which enables police to manage and coordinate raids with multiple agencies, had a serious security vulnerability that exposed personal information about police suspects and sensitive details about upcoming police operations to the public. The hackers left a note reading "all data and backups have been shredded," suggesting that the data may have been erased. The note pointed to three large archives relating to ODIN, including data on sex offenders and the SweepWizard app. An Amazon Web Services key belonging to ODIN, which holds sensitive information about law enforcement and police, was also defaced.

Ransomware Attacks on Two Specialty Care Providers Affect 600,000 Individuals

Nearly 600,000 people have been affected by separate ransomware attacks on two specialty medical care companies. Approximately 124,000 Texas residents were affected by the Dallas-based Home Care Providers of Texas (HCPT) breach, and 461,200 individuals, including 68 Maine residents, were affected by the Pennsylvanian Maternal and Family Health Services (MFHS) incident. In the HCPT incident, hackers accessed HCPT systems between June 15 and June 29, 2022. The MFHS systems were breached from Aug 21, 2021, to April 4, 2022. Hackers stole names, birthdates, addresses, driver's license numbers, Social Security numbers, financial information, usernames, passwords, medical information, and health insurance information.

Malicious 'Lolip0p' PyPI Packages Install Info-Stealing Malware

PyPI has been compromised by a threat actor using three malicious packages, 'colorslib', 'httpslib' and 'libhttps', to carry malware that steals information from developers. These packages have detailed descriptions that trick developers into believing they are genuine. A malicious 'setup.py' file in all three packages runs a PowerShell command that downloads the 'Oxyz.exe' executable, which steals information from the browser and is also spread disguised as a free Discord Nitro generator. Several other files are dropped, including SearchProtocolHost.exe, which steals browser data, authentication tokens, and other personal information, including Discord tokens. All three executables have low detection rates, allowing them to slip past multiple security agents.

Control Web Panel Vulnerability Exploited After PoC Publication

A critical Control Web Panel (CWP) vulnerability, CVE-2022-44877, is being exploited after the publication of proof-of-concept code. The vulnerability allows unauthenticated attackers to execute code remotely on target systems and to insert commands that execute on the server, due to a misconfiguration in functionality. The NIST advisory shows that login/index.php in CWP 7 before version 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.

What are Immutable Backups, and Why are they Necessary?

Organizations must be prepared for cyberattacks from ransomware groups, competitors, disgruntled employees and hacktivists. Most malware is programmed to infect all connected systems, servers, shared storage devices, and even backup systems. This leads to disruption, financial and reputational losses – not to mention potential lawsuits. To effectively protect sensitive information from these cyberthreats, backup strategies need to evolve beyond the conventional approach. This is why immutable backups are a necessary component of a reliable backup strategy. Read more to discover why immutable storage is needed to create a secure backup infrastructure.

'Dark Pink' APT Targets Government and Military Organizations

The APT threat actor 'Dark Pink' is targeting government and military organizations in Asia and Europe. Dark Pink successfully breached military and government agencies, religious organizations, and non-profit organizations between June and December 2022. Its malware is triggered via file-type associations and DLL sideloading. It uses PowerShell scripts to infect USB drives, the custom information stealers Cucky and Ctealer, and the Telegram API to communicate with infected devices. The malware can perform corporate espionage, steal documents, capture sound from infected devices' microphones, and exfiltrate data from messengers.

Promo
98TB Fully Air-Gapped & Immutable Veeam Backup and DR Appliance for $8,995

98TB Veeam Backup and disaster recovery appliance with policy-based immutability using built-in network & power management controller and automated physical and logical air-gapped vault for $8,995.

10th Gen, 8-bay 2U Rackmount unit with 7x14TB (98TB) Enterprise SAS drives, 10 core Storage Virtualization Engine, 32GB System Memory, 512GB NVMe SSD, Redundant Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller, Dual 10Gb RJ-45 Ports, Fully Integrated SAN, NAS and optional S3 cloud storage.

All Enterprise Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are available as an option if needed.

For appliance demos, specifications, and quotes contact us.


Weekly Ransomware Roundup

Jan 9 - 13, 2023

Colonoscopy Prep Retail Website Breach – Customer Information Stolen

Captify Health was breached, and the personal data, payment information and other personal details of 244,300 patients were compromised in a data security incident involving its online retail business for colonoscopy prep kits. The company may face a class action lawsuit because, under the PCI DSS data security standard, CVV numbers (security codes) should not be stored. Captify Health falls under HIPAA regulations as a business associate of medical practices, which requires it to report the breach within 60 days, but nothing has been reported for 23 months, which may incur a PCI DSS fine of 21 months.

Kubernetes Clusters Exploited by Kinsing via PostgreSQL

Kinsing operators have been exploiting vulnerabilities in container images and misconfigured PostgreSQL databases to compromise Linux servers. The malware targets containerized environments to mine cryptocurrency, abusing the compromised server's hardware resources and exploiting image vulnerabilities to push its payloads via remote code execution flaws. Threat actors exploit vulnerabilities in Liferay, PHPUnit, WordPress and Oracle WebLogic for initial access and scan a wide range of IP addresses for open ports matching the default WebLogic port. The attackers also abuse misconfigured PostgreSQL servers whose 'trust authentication' lets anyone with access to the database connect to the server. Kinsing also performs ARP poisoning to spoof apps.
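A defender-side check for the PostgreSQL misconfiguration described above, added here as an example rather than code from the roundup or from the researchers it cites: it parses pg_hba.conf and flags every network-reachable rule that uses the 'trust' method. The pg_hba.conf content is constructed for the example.

```python
"""Audit pg_hba.conf for 'trust' authentication on network-reachable rules.
Added example; the sample configuration below is constructed, not taken
from any real server."""
import ipaddress

# Constructed sample pg_hba.conf. The loopback 'trust' rule is tolerable;
# the 10.0.0.0/8 and 0.0.0.0/0 'trust' rules are the exposure Kinsing abuses.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS         METHOD
local   all       postgres                  peer
host    all       all       127.0.0.1/32    scram-sha-256
host    all       all       ::1/128         trust
host    all       all       10.0.0.0/8      trust
host    all       all       0.0.0.0/0       trust
hostssl app       app       0.0.0.0/0       md5
"""

# Connection types that accept TCP/IP clients (the 'local' type is a Unix socket).
NETWORK_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}


def parse_pg_hba(text):
    """Return (type, database, user, address, method) tuples, skipping comments.
    'local' rules carry no ADDRESS column, so their address is None."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local" and len(fields) >= 4:
            rules.append((fields[0], fields[1], fields[2], None, fields[3]))
        elif fields[0] in NETWORK_TYPES and len(fields) >= 5:
            rules.append((fields[0], fields[1], fields[2], fields[3], fields[4]))
    return rules


def is_loopback(address):
    """True only for a CIDR that lies entirely on the loopback interface."""
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:          # hostnames and keywords such as 'all', 'samenet'
        return False


def find_trust_exposure(text):
    """Return [(rule, severity)] for every network rule using 'trust' outside
    loopback: 'critical' when open to any address, otherwise 'high'."""
    findings = []
    for rule in parse_pg_hba(text):
        rtype, _db, _user, address, method = rule
        if method != "trust" or rtype not in NETWORK_TYPES:
            continue
        if address is not None and is_loopback(address):
            continue
        wide_open = address in ("0.0.0.0/0", "::/0", "all")
        findings.append((rule, "critical" if wide_open else "high"))
    return findings


if __name__ == "__main__":
    for rule, severity in find_trust_exposure(SAMPLE_PG_HBA):
        print(severity.upper(), " ".join(f for f in rule if f))
```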

Govt Networks Targeted Exploiting Fortinet SSL-VPN Zero-Day Vulnerability

Several government entities have been targeted by unknown attackers exploiting a FortiOS SSL-VPN zero-day vulnerability to install malware disguised as a trojanized version of the FortiOS IPS Engine. By exploiting the security flaw CVE-2022-42475, an unauthenticated attacker could crash FortiOS SSL-VPN remotely and gain remote code execution. The attackers install malware that patches FortiOS logging processes to remove specific log entries and kills those processes to maintain persistence and evade detection. It also interferes with the Intrusion Prevention System (IPS) and manipulates log files. The threat actor also appears able to reverse-engineer the FortiOS operating system.

RAT Malware Campaign Evades Detection by Smuggling Malware in Polyglot Files

The StrRAT and Ratty remote access trojans (RATs) can now evade detection with polyglot MSI/JAR and CAB/JAR files. A JAR file is run by the Java runtime, while MSI and CAB files run as Windows executables; a polyglot file is valid in both formats, so it can be run as either. Because JARs aren't executables, anti-virus tools don't check them as rigorously, so the attackers can hide malicious code in the JAR part and trick detection software into scanning only the MSI/CAB part of the file. Hackers are using these files to hide malicious code, confuse security solutions, and bypass protections. Microsoft's signature-based detection system cannot detect the exploitation of polyglot files.
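A detection check for the dual-format trick just described, added here as an example and not code from the roundup or from the researchers behind the finding: a file whose leading bytes identify a CAB or MSI container but whose tail still parses as a JAR is flagged as a polyglot. The sample files are constructed in memory; the CAB/MSI prefixes are header stubs, not real installers.

```python
"""Flag CAB/JAR and MSI/JAR polyglots. Added example; sample inputs are
constructed in build_sample(), not real malware."""
import io
import zipfile

# Leading magic of the two container formats named in the roundup.
CAB_MAGIC = b"MSCF"                                 # Microsoft Cabinet
MSI_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"     # OLE compound file (MSI)


def leading_format(data):
    """What a header-only scanner would call this file."""
    if data.startswith(CAB_MAGIC):
        return "cab"
    if data.startswith(MSI_MAGIC):
        return "msi"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    return "unknown"


def jar_entries(data):
    """Entry names if the data parses as a ZIP, else None. ZIP readers locate
    the archive from the end-of-central-directory record at the tail, so a
    CAB/MSI header in front does not stop them; that is what lets the Java
    runtime launch the same file that Windows sees as an installer."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def looks_like_jar(names):
    """A JAR carries a manifest and/or compiled classes."""
    return any(n.upper() == "META-INF/MANIFEST.MF" or n.endswith(".class")
               for n in names)


def classify(data):
    """'polyglot' when the header says CAB/MSI but a JAR is readable from the
    tail; otherwise the header's own format name."""
    head = leading_format(data)
    names = jar_entries(data)
    if head in ("cab", "msi") and names and looks_like_jar(names):
        return "polyglot"
    return head


def build_sample(prefix):
    """Construct a sample: 'prefix' bytes followed by a minimal JAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Run\n")
        zf.writestr("Run.class", b"\xca\xfe\xba\xbe")   # class-file magic only
    return prefix + buf.getvalue()


if __name__ == "__main__":
    for label, prefix in (("cab", CAB_MAGIC + b"\x00" * 60),
                          ("msi", MSI_MAGIC + b"\x00" * 60), ("plain", b"")):
        print(label, "->", classify(build_sample(prefix)))
```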

How to Calculate and Minimize Downtime Cost

What do you do when your applications, data and services are unavailable, business gets disrupted, customers become unhappy, and regulatory authorities fine you? Besides the financial hit, the true cost of unplanned downtime goes beyond just lost revenue. So how do you calculate your actual downtime costs? Read this blog to find out!

Vice Society Ransomware Attacks Australian Firefighting Service

The Vice Society ransomware gang claims responsibility for a data breach at Australia's Fire Rescue Victoria. Email systems and internal servers were affected by the incident. Aside from disrupting the agency's IT systems, the hackers also stole personally identifiable information about current and former employees, secondees, contractors, and job applicants. The ransomware gang announced it would leak the stolen data, and a link to the allegedly stolen data appeared on the gang's Tor data leak site on January 10th.

Promo
80TB Veeam Backup and DR appliance Fully Air Gapped & Immutable

80TB Fully Air-Gapped and Immutable Veeam Backup and DR appliance with Object Lockdown Technology for ransomware protection & instant multi-VM recovery - last 3 units at half price!

It is a 2U, 8-bay rackmount unit with 8x10TB Enterprise SAS drives, 12 core Storage Virtualization Engine, 128GB System Memory, 512GB NVMe SSD, Hot-Swappable Power Supply and 12Gb SAS Hardware RAID Controller, with fully integrated SAN, NAS and optional S3 cloud object storage.

This powerful 80TB DR365-V site in a box leverages Veeam integration, using the built-in air-gapped network, power management controller, repository and storage controller together with fully automated, Veeam-integrated isolation technology.

Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are available as an option if needed.

For demos and hardware details, contact us.


Weekly Ransomware Roundup

Jan 2 - 6, 2023

CISA Disclosed Several Vulnerabilities in Rockwell Automation Controllers

CISA published three advisories addressing four vulnerabilities in Rockwell Automation controllers. The flaw CVE-2022-3156 affects the Studio 5000 Logix Emulate controller emulator and can grant users elevated permissions and remote code execution. A second vulnerability, CVE-2022-3166, is a clickjacking issue that can cause a DoS condition for the webserver application if an attacker has access to the device's network. CVE-2022-3157 is another DoS vulnerability, in CompactLogix, GuardLogix and ControlLogix controllers, which can be triggered by sending specially crafted CIP requests. The fourth vulnerability, CVE-2022-46670, affects MicroLogix 1100 and 1400 PLCs and can be exploited for remote code execution using cross-site scripting.

Cybercriminals Exploit Google Ads and Phishing Websites to Spread Malware

Google Ads are being exploited in malicious campaigns to spread malware by impersonating popular software websites. The malicious websites are promoted via Google Ad campaigns. Upon clicking the advertisement, the victims land on a malicious cloned copy of the original website. When users click on the download button, trojanized versions of the software are downloaded, containing the Raccoon Stealer, Vidar Stealer and IcedID malware loaders. The payload is downloaded from trusted file-sharing and code-hosting services like GitHub, Dropbox, and Discord's CDN to evade detection. The campaigns have impersonated Grammarly, MSI Afterburner, Slack, Dashlane, Malwarebytes, OBS, Ring, AnyDesk, LibreOffice, TeamViewer, Thunderbird, and Brave.

CISA Reports JasperReports Vulnerabilities Exploited by Nation State Actors

CISA has listed two JasperReports flaws in its 'Known Exploited Vulnerabilities' catalog. The more critical vulnerability is CVE-2018-18809, a directory traversal flaw in the JasperReports library that allows users to access host-side data and credentials. The flaw affects IBM products that utilize the JasperReports library. The second vulnerability, tracked as CVE-2018-5430, is an information disclosure flaw that gives read-only access to arbitrary files. Authenticated users can access web application configuration files containing the server's credentials and affect the external systems accessed by the JasperReports server. Both vulnerabilities are publicly disclosed and have proof-of-concept exploits.

Flaws in Citrix and Netgear Servers – Critical Advisories Issued

Citrix has issued security advisories about two critical flaws being actively exploited by nation-state hackers, while Netgear has also warned its customers regarding a DoS vulnerability. The CVE-2022-27510 flaw in Citrix servers permits unauthorized access, while CVE-2022-27518 allows remote arbitrary code execution. Nation-state actors are exploiting this to gain unauthorized access to vulnerable devices through malicious modifications of Citrix ADC binaries. The Netgear vulnerability is identified as PSV-2019-0104 and allows an attacker to cause a denial of service on vulnerable devices.

How is Ransomware Affecting the Healthcare Industry

The healthcare sector is a prime target for ransomware attacks. A 94% increase in ransomware attacks on the health sector makes it all the more necessary for healthcare organizations to prepare and protect sensitive information and systems using ransomware-proof backup and disaster recovery. Read on to find out the impact of ransomware on healthcare institutions and how healthcare organizations can protect themselves against the menace of ransomware.

BitRAT Uses Stolen Bank Data as Lures for Phishing Campaigns

Cybercriminals are using stolen information from Colombian bank customers in phishing emails that infect targets with the BitRAT remote access trojan. The breached servers contained 418,777 records of sensitive customer information, including names, email addresses, phone numbers, national IDs, addresses, and payment records. An Excel file delivers the BitRAT malware, dropping and executing a highly obfuscated macro encoded within an INF file. The BitRAT payload is then downloaded using the WinHTTP library and executed using WinExec on the compromised device. The RAT then moves its loader to the Windows startup folder so that it runs automatically after the system restarts.

Promo
128TB Veeam, Rubrik, HYCU, Commvault Immutable and Air-gapped Object Storage Appliance $8,995

128TB Veeam, Rubrik, HYCU, Commvault Immutable and Air-gapped Fully Integrated SAN, NAS and S3 Object Storage Appliance with Ransomware protection for $8,995.

It is a 2U, 8-bay rackmount unit fully populated with 8x16TB Enterprise SAS drives, 12 core Storage Virtualization Engine, 32GB System Memory, 512GB NVMe SSD, Hot-Swappable Power Supply and 12Gb SAS Hardware RAID Controller.

Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are available as an option if needed.

For demos and hardware details, contact us.
