Cyware Daily Threat Intelligence
Daily Threat Briefing • Nov 2, 2021
Healthcare systems have long been a soft target for threat actors because of legacy technology and insufficient cyber defenses, and since the onset of the COVID-19 pandemic attackers have taken a special interest in the sector. The last 24 hours witnessed cyberattacks on healthcare facilities in Canada and California. A healthcare network in the Canadian province of Newfoundland was disrupted, while Community Medical Centers (CMC), headquartered in Stockton, California, potentially exposed the data of hundreds of thousands of patients in another attack.
In other news, the FBI released a flash warning about the HelloKitty ransomware group, which is now threatening DDoS attacks against victims who refuse to pay the ransom. Spearphishing emails aimed at Office 365 users have taken on a new flavor, with scammers impersonating security firm Kaspersky in a new campaign.
Top Breaches Reported in the Last 24 Hours
Ransomware hits TTC
This weekend, the Toronto Transit Commission (TTC) was hit by a ransomware attack that knocked out its email system and forced operators to fall back on radio communication. The transit agency is still investigating and stated that employee and customer safety has not been affected. The threat actor is not yet known.
Californian health network suffers breach
Hackers gained partial access to Community Medical Centers (CMC) networks that contained the PHI of 656,047 patients. The accessed data may include names, medical information, dates of birth, mailing addresses, social security numbers, and demographic details.
Cyberattack on Canadian healthcare services
A suspected cyberattack disrupted the healthcare system in Newfoundland and forced authorities to cancel some appointments. The attack caused a loss of system functionality across the province's regional health authorities, and an investigation is underway.
NBP suffers cyberattack
The National Bank of Pakistan (NBP) suffered a devastating cyberattack that crippled the bank's backend systems, including the servers that interconnect its branches, its mobile apps, and the infrastructure behind its ATM network. However, no funds or data have been reported missing.
Ransomware attack on Las Vegas hospital
The Las Vegas Cancer Center was the victim of a ransomware attack over Labor Day weekend. The threat actor gained access to a business server and encrypted its data, meaning the attacker may have had access to patient names, dates of birth, medical records, insurance information, and social security numbers. Around 3,000 people are being notified of the breach.
Top Malware Reported in the Last 24 Hours
Cring continues its rampage
The Cring ransomware gang is attacking aging ColdFusion servers and VPNs. The group is infamous for exploiting older, long-patched vulnerabilities in its attacks. While Cring mostly relies on Mimikatz to harvest credentials, it has also been observed using native Windows processes and tools (living off the land), which makes detection harder. In addition, Cring operators consistently use Cobalt Strike beacons to manage the post-exploitation phase.
FBI warns against HelloKitty
The FBI issued a flash alert warning private industry partners about the activities of the HelloKitty ransomware gang, which has added DDoS attacks to its extortion strategy. The alert states that HelloKitty threatens to take down its victims' websites if the ransom demand is not paid.
Top Vulnerabilities Reported in the Last 24 Hours
Android November patch released
The Android November 2021 security update, released by Google, addresses 18 bugs in the Framework and System components and 18 in vendor and kernel components. One of the vulnerabilities—CVE-2021-1048—is a local privilege escalation flaw and is being exploited in the wild.
Attackers abuse critical RCE bug
A critical RCE vulnerability in GitLab’s web interface is being actively exploited in the wild. Tracked as CVE-2021-22205, the flaw is related to improper validation of user-provided images, resulting in arbitrary code execution. The vulnerability exists in versions starting from 11.9 and has been fixed in versions 13.8.8, 13.9.6, and 13.10.3.
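Because the fix for this flaw shipped as a backport to three separate release series, a naive "greater than 13.10.3" comparison misclassifies patched 13.8.x and 13.9.x instances. The following version-range check is an added example (it is not from the briefing and not GitLab's own code); it encodes only the ranges stated above, and treating release series after 13.10 as patched is an assumption of the example.

```python
"""Classify GitLab version strings against the CVE-2021-22205 affected range.

Added example, not from the original briefing or from GitLab. Encodes the
ranges the briefing states: affected from 11.9 onward, fixed in 13.8.8,
13.9.6 and 13.10.3. Release series newer than 13.10 are assumed patched.
"""
from __future__ import annotations

FIRST_AFFECTED = (11, 9, 0)
# release series (major, minor) -> first patch level that carries the fix
FIXED = {(13, 8): 8, (13, 9): 6, (13, 10): 3}
LAST_FIXED_SERIES = (13, 10)


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse '13.9.5', '13.9' or '13.9.5-ee' into an (major, minor, patch) tuple."""
    core = text.strip().split("-", 1)[0]  # drop edition suffixes such as '-ee'
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_vulnerable(version: str) -> bool:
    """Return True if the given GitLab version is in the affected range."""
    major, minor, patch = parse_version(version)
    if (major, minor, patch) < FIRST_AFFECTED:
        return False  # predates the vulnerable ExifTool handling
    series = (major, minor)
    if series in FIXED:
        return patch < FIXED[series]  # backported fix: compare within the series
    # Series between 11.9 and 13.7 never received a fix; series after 13.10
    # were cut after the fix landed (assumption noted in the module docstring).
    return series <= LAST_FIXED_SERIES


def triage(versions: list[str]) -> dict[str, bool]:
    """Map each version string to its vulnerability status, skipping unparsable ones."""
    result: dict[str, bool] = {}
    for v in versions:
        try:
            result[v] = is_vulnerable(v)
        except ValueError:
            continue  # leave unrecognised strings out of the report
    return result


if __name__ == "__main__":
    # Constructed sample inventory; not real hosts.
    inventory = ["13.10.2", "13.10.3", "13.9.5-ee", "13.8.8", "13.7.0", "11.8.9", "13.11.0", "garbage"]
    for version, vulnerable in triage(inventory).items():
        print(f"{version:12} {'VULNERABLE' if vulnerable else 'patched/unaffected'}")
```

The check compares the patch level only within a series that received a backport, so 13.9.6 is reported as patched even though it is numerically lower than 13.10.2, which is not.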
Top Scam Reported in the Last 24 Hours
Office 365 phishing campaign
Spearphishing emails targeting Office 365 users have surged, and some of them appeared to come from a Kaspersky email address. The attackers had stolen a token for the firm's Amazon Simple Email Service (SES) account and used it to send the emails through a legitimate channel. An advisory released by Kaspersky states that the theft did not cause any damage.
New GLS spam campaign
A new spam campaign impersonating the parcel carrier GLS sends targeted emails asking recipients to fill in details for a supposed shipment. The campaign uses advanced obfuscation, including techniques designed to evade natural-language-processing (NLP) based filters, to slip past common spam defenses. The IP address used by the scammers is located in the U.S.