In this week’s Cyber Weekly Digest we take a look at some of the biggest cyber security stories from around the world including recent ransomware attacks targeting French healthcare and the Iranian APT carrying out supply-chain attacks in the diamond industry. Keep reading to stay up to date on the latest cyber security news.
The FBI and CISA revealed in a new joint security advisory that the Cuba ransomware gang has collected over $60 million in ransom payments as of August 2022 after breaching more than 100 victims worldwide. This is a follow-up to an advisory issued one year ago, which warned that the group had compromised dozens of organisations in US critical infrastructure sectors and made over $40 million since it began targeting US companies. The FBI and CISA added that the gang has expanded its tactics, techniques and procedures since the start of the year and has been linked to the RomCom remote access trojan and the Industrial Spy ransomware. The group is not especially prolific, so each of the relatively few intrusions it does carry out accounts for a large share of the damage. Organisations at risk from this operation are advised to prioritise patching known exploited vulnerabilities, train employees and users to spot and report phishing, and enforce multi-factor authentication across their environment.
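The first of those recommendations is easy to turn into a repeatable check: match scanner findings against CISA's Known Exploited Vulnerabilities (KEV) catalog and patch the matches on internet-facing hosts first. The script below is an added example, not code from the FBI/CISA advisory; it assumes the KEV feed's JSON field names (cveID, product, dueDate) and a scanner export shaped like INVENTORY. Both the catalog excerpt and the inventory are constructed for offline use, and the dates in the excerpt are illustrative rather than authoritative.

```python
"""Rank unpatched findings by whether they appear in CISA's Known Exploited
Vulnerabilities (KEV) catalog, so KEV entries on internet-facing hosts come first.

Added example, not from the FBI/CISA advisory. Assumes the KEV feed schema
(cveID, vendorProject, product, dateAdded, dueDate, requiredAction) and a
scanner export shaped like INVENTORY; both samples below are constructed.
"""
import json
from datetime import date

# Constructed excerpt in the shape of the real KEV feed, normally fetched from
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# The CVE IDs are real catalog entries; the dates here are illustrative only.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2021-26411", "vendorProject": "Microsoft",
         "product": "Internet Explorer", "dateAdded": "2021-11-03",
         "dueDate": "2022-05-03",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2020-1380", "vendorProject": "Microsoft",
         "product": "Internet Explorer", "dateAdded": "2021-11-03",
         "dueDate": "2022-05-03",
         "requiredAction": "Apply updates per vendor instructions."},
    ]
})

# Constructed scanner export: host, exposure, and the CVE IDs it was flagged for.
INVENTORY = [
    {"host": "web-01", "exposure": "internet",
     "cves": ["CVE-2021-44228", "CVE-2022-0001"]},  # second ID is not in the sample catalog
    {"host": "ws-17", "exposure": "internal",
     "cves": ["CVE-2021-26411", "CVE-2020-1380"]},
    {"host": "vpn-01", "exposure": "internet",
     "cves": ["CVE-2021-26411"]},
]


def load_kev(kev_json):
    """Index the KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def prioritise(kev_json, inventory, today_iso):
    """Return KEV-listed findings, most urgent first.

    Order: internet-facing before internal, past the CISA due date before
    not-yet-due, then earliest due date. Findings absent from KEV are dropped
    here; they still need patching, just not ahead of these.
    """
    today = date.fromisoformat(today_iso)
    catalog = load_kev(kev_json)
    findings = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = catalog.get(cve)
            if entry is None:
                continue  # not known-exploited: handled by the normal patch cycle
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": cve,
                "product": entry["product"],
                "internet_facing": asset["exposure"] == "internet",
                "overdue": today > due,
                "due": due,
            })
    # Sort key: False sorts before True, so internet-facing and overdue come first.
    findings.sort(key=lambda f: (not f["internet_facing"], not f["overdue"], f["due"]))
    return findings


if __name__ == "__main__":
    for f in prioritise(KEV_SAMPLE, INVENTORY, "2022-03-01"):
        flag = "OVERDUE" if f["overdue"] else "due " + f["due"].isoformat()
        print(f"{f['host']:8} {f['cve']:16} {f['product']:18} {flag}")
```

In practice the catalog is refreshed from the feed URL on each run and the inventory comes from the vulnerability scanner; the exposure field matters because the advisory's point is that these groups get in through internet-facing services, so a KEV entry on a VPN gateway outranks the same CVE on an internal workstation.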
An Internet Explorer zero-day vulnerability has been actively exploited by a North Korean threat actor to target South Korean users, using the recent Itaewon Halloween crowd crush as a lure to trick them into opening malware. Google's Threat Analysis Group attributed the attacks to the ScarCruft group, also tracked as APT37, InkySquid, Reaper and Ricochet Chollima. The lure was a malicious Office document, which renders remote HTML content with the Internet Explorer engine, so the browser's retirement does not remove this attack surface. The findings show the actor's continued abuse of Internet Explorer flaws such as CVE-2020-1380 and CVE-2021-26411 to drop backdoors like BLUELIGHT and Dolphin. Another key tool in its arsenal is RokRat, a Windows remote access trojan that can capture screenshots, log keystrokes and even harvest Bluetooth device information.
The André-Mignot teaching hospital in the suburbs of Paris had to shut down its phone and computer systems because of a ransomware attack that began on Saturday evening. According to the co-chairman of the hospital's supervisory board, the attackers have demanded a ransom, which the hospital has no intention of paying. The hospital currently accepts only walk-ins and consultations, as it had to cancel part of its surgical schedule, and it was forced to transfer six patients from its neonatal and intensive care units to other facilities, according to France's Minister of Health and Prevention. ANSSI, the French national agency for information systems security, is investigating the attack, and the Paris prosecutor's office has opened a preliminary investigation into intrusion into a state data system and attempted extortion after the hospital filed a formal complaint. The operation behind the attack has not been identified, but several ransomware operations, including Daixin Team, Venus and Hive, actively target healthcare entities.
Amnesty International's Canadian branch has disclosed a security breach, first detected in early October, that it links to a threat group likely sponsored by China. The international human rights NGO says it noticed suspicious activity on its IT infrastructure and hired a cyber security firm to investigate the attack and secure its systems. The firm assessed that the attack probably originated from a Chinese state-sponsored actor, based on the use of tools and techniques associated with specific advanced persistent threat groups. The NGO reported the breach to the relevant law enforcement authorities and notified staff, donors and other stakeholders. The targeting comes as no surprise, given Amnesty International's reporting and commentary on the Chinese government's ongoing human rights abuses.
An Iran-based APT group known as Agrius has been carrying out supply-chain attacks against the diamond industry across three continents, deploying a new data wiper named Fantasy. Security researchers note that Agrius typically exploits known vulnerabilities in internet-facing applications to install webshells; it then conducts internal reconnaissance, moves laterally and finally deploys its destructive payloads. In the new attacks the group has targeted companies in South Africa, Israel and Hong Kong.