This Week in Cybersecurity: Feb 12th – Feb 16th, Ransomware Attack Takes 18 Romanian Hospitals Offline

Written by Mitchell Langley

February 16, 2024


Ransomware Attack Takes 18 Romanian Hospitals Offline

A ransomware attack encrypted the database of the Hipocrate Information System, a medical services management platform used by 18 hospitals in Romania, taking those hospitals offline. The Ministry of Health published a list of the affected facilities, which includes regional centers and cancer treatment centers. Cybersecurity experts are investigating; no group has claimed responsibility, and it is not yet known whether patient data was exposed. The software provider has not commented. Read more

CISA Confirms New Fortinet RCE Bug Being Actively Exploited

CISA has confirmed active exploitation of a remote code execution vulnerability (CVE-2022-48618) in Fortinet's FortiOS. The bug allows remote code execution via HTTP requests. Through a binding directive, CISA gave government agencies 7 days, until February 16th, to secure affected devices. Timely patching matters because Fortinet RCE vulnerabilities are routinely leveraged in attacks against networks. Read more

Raspberry Robin Malware Uses One-Day Exploits to Target Windows

Raspberry Robin malware has used one-day Windows exploits (CVE-2023-36802, CVE-2023-29360), likely obtained from dark web sources or an external developer, to bypass security tools and escalate privileges. It hides its C2 servers behind Tor, downloads payloads via Discord instead of PsExec, terminates processes, and detects API hooks to evade analysis. The operators actively pursue zero-days and appear to have a connection to an exploit developer, but do not develop exploits themselves. Read more

Black Basta Ransomware Attack Hits Hyundai Motor Europe

Hyundai Motor Europe suffered a Black Basta ransomware attack in January 2024. The attackers claim to have stolen 3TB of data from Windows domains, including legal, sales, HR and IT data. Hyundai initially referred to IT issues but later confirmed the cyberattack. The company had previously suffered a data breach affecting customers in Europe. The nature of the data stolen in this incident remains unclear. Read more

New Fortinet RCE flaw in SSL VPN Exploited in the Wild

Fortinet has warned of an RCE flaw (CVE-2024-21762) in the FortiOS SSL VPN, rated 9.6 in severity. It is an out-of-bounds write vulnerability that allows a remote attacker to execute arbitrary code via crafted requests. Fortinet recommends upgrading devices to the latest versions; disabling the SSL VPN also mitigates the risk. No details on the exploitation have been provided. Prompt updates are strongly recommended given the risk of exploitation. Read more

Free Rhysida Ransomware Decryptor Released for Windows

South Korean researchers analyzed the Rhysida ransomware encryptor and found a flaw in its random number generator: the 32-bit seed is derived predictably from the system time. This makes the seed guessable, so the encryption keys can be regenerated. They built an automated decryptor for Windows that also takes advantage of the ransomware's intermittent encryption pattern. The decryptor recreates the keys exactly and decrypts files without the attacker's private key. Read more

Bank of America Data Breached: Customers Warned After Vendor Hacked

Bank of America notified customers of a data breach following a security incident at one of its service providers, Infosys McCamish Systems (IMS). The personal information of 57,028 customers was compromised, including names, addresses, SSNs, dates of birth and financial account details. IMS's systems were breached in November 2023 by the LockBit ransomware gang, which claimed to have encrypted over 2,000 systems. The breach exposed data for Bank of America's deferred compensation plans, which IMS handles. Read more

Roundcube Email Server Bug Actively Exploited in Attacks: CISA Issues Advisory

CISA issued an advisory warning of active exploitation of CVE-2023-43770, a persistent XSS bug in Roundcube email servers affecting versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3. CISA added it to the Known Exploited Vulnerabilities Catalog, requiring federal agencies to patch within 3 weeks. Another Roundcube bug, CVE-2023-5631, was exploited in October by the Russian APT group Winter Vivern to steal emails from European government servers via malicious SVG files. Read more

What is the SLAM Method? Identify Phishing Emails with SLAM Method

The SLAM method is a 4-step framework (Stop, Look, Ask, Manage) for identifying phishing emails. It involves double-checking the Sender address, Links, Attachments and Message details. STOP means pausing before taking any action on an email. LOOK means closely examining the sender address for spoofing and inspecting the email body for suspicious requests. ASK means getting a second opinion from IT if unsure. MANAGE means handling an identified phishing email properly according to policy and reporting it to IT. Applied consistently across an organization, alongside technical controls and user training, this systematic process makes it harder for phishing schemes to succeed. Read more
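The Sender, Links and Attachments checks of the LOOK step can be automated as a triage aid before a human applies the Message check. The following is an added example written for this page, not code from the article or any vendor; it assumes a trusted domain of example.com and a constructed sample message that shows the three classic tells.

```python
import email, re
from email import policy
from urllib.parse import urlparse

# Constructed sample (not a real message): the display name suggests an internal
# address while the real sender is external, the link text names a different
# host than its href, and a macro-enabled document is attached.
SAMPLE_EML = """\
From: "IT Helpdesk (helpdesk@example.com)" <alerts@example-support.net>
Subject: Urgent: your password expires today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Reset now: <a href="http://login.example-support.net/reset">https://sso.example.com</a></p>
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="policy.docm"
Content-Disposition: attachment; filename="policy.docm"

ZmFrZQ==
--b1--
"""
TRUSTED_DOMAIN = "example.com"  # assumed: the organisation's own mail domain
RISKY_EXT = (".docm", ".xlsm", ".exe", ".js", ".vbs", ".html", ".iso", ".lnk")

def slam_look(raw):
    """Automate the LOOK step: findings for the Sender, Links and Attachments checks."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # Sender: real domain vs. the trusted domain, and vs. any domain the display name suggests
    sender = msg["From"].addresses[0]
    real_domain = sender.domain.lower()
    if real_domain != TRUSTED_DOMAIN:
        findings.append(f"sender domain is external: {real_domain}")
    for claimed in re.findall(r"@([\w.-]+)", sender.display_name):
        if claimed.lower() != real_domain:
            findings.append(f"display name suggests {claimed}, real sender is {real_domain}")
    # Links: visible URL text whose host differs from the host in the href
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', html):
        shown, target = urlparse(text.strip()).hostname, urlparse(href).hostname
        if shown and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")
    # Attachments: file types that commonly carry macros or scripts
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"risky attachment type: {name}")
    return findings
```

An empty result does not clear a message; it only means the mechanical checks found nothing, and the Message content still needs a human read.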

Hackers Mint $290 Million PLA Tokens from PlayDapp Gaming Platform

Hackers allegedly used a stolen private key to mint 200M PLA tokens, worth $36.5M, on the PlayDapp gaming platform. PlayDapp notified users and froze assets. It offered a $1M bounty if the hackers returned the stolen tokens by a set deadline, but the hackers instead minted a further 1.59B tokens worth $253.9M. PlayDapp responded by suspending trading and withdrawals. The style of the attack resembles previous hacks attributed to the North Korean Lazarus Group. Read more

Prudential Financial Breached in a Cyberattack, Hackers Stole Sensitive Data

Financial giant Prudential disclosed a breach affecting its systems on Feb 4-5. It secured the compromised systems within a day and informed the authorities. An investigation into the extent of the unauthorized access is underway. So far, no customer data appears to have been compromised. Prudential reports no material impact on its operations or finances from the incident at this time. Read more

Bumblebee Malware Attacks Re-Emerge After a 4 Month Pause, Target US Organizations

Proofpoint revealed that the Bumblebee malware has resurfaced in a new campaign after a 4-month absence, in line with the return of other threats after the winter lull. The February 2024 campaign used VBA macros in phishing emails sent to US organizations and disguised as voicemail notifications. Opening the attached file launched a PowerShell command that fetched the next stage from a remote server, which in turn downloaded and executed the Bumblebee DLL. Attribution is uncertain, but the techniques align with past TA579 activity. Read more

LockBit Ransomware Claims Cyberattack on Fulton County, Georgia

The LockBit ransomware group claimed responsibility for a cyberattack on Fulton County, Georgia, that caused IT outages. Fulton County, home to over 1 million people and including Atlanta, still has phone, court, and tax disruptions 3 weeks later. LockBit published evidence of access to the county's systems and sensitive citizen data, threatening to leak it by February 16th unless paid. Authorities have not confirmed LockBit's involvement, but the claims prompted a statement that a ransomware attack occurred, without any specifics on the actor. Fulton County is exploring insurance coverage to recover the compromised systems. Read more

Trans-Northern Pipelines Hit by ALPHV Ransomware Attack

Trans-Northern Pipelines (TNPI), which transports fuel through pipelines in Ontario-Quebec and Alberta, confirmed a November 2023 cyberattack that impacted its internal systems. The ALPHV/BlackCat ransomware group claims to have stolen 183GB of TNPI documents and has published employee contact data. TNPI is investigating these claims while continuing to operate its pipelines safely. Read more

Microsoft Critical Exchange Bug Exploited as ‘zero-day’

Microsoft issued an advisory for a critical vulnerability (CVE-2024-21410) in Exchange Server that allows remote NTLM relay attacks to escalate privileges. With compromised credentials, an attacker can relay them to the Exchange server and impersonate the victim. Microsoft addressed the issue in Exchange 2019 CU14, which enables NTLM Relay Protections (Extended Protection) by default. Admins can enable Extended Protection on earlier Exchange versions via a PowerShell script to protect servers that are not yet patched. Read more
