[Security Weekly] French Hospital Network Cuts Internet After Cyberattack and Data Breach
May 2022, Issue I
1. French hospital network cuts internet after cyberattack and data breach
GHT Coeur Grand Est. Hospitals and Health Care, a French hospital network consisting of nine hospitals, was forced to cut off internet connectivity in two of its hospitals following a cyberattack that stole sensitive administrative and patient information on April 19.
GHT first revealed the incident on April 25, stating that the attackers successfully gained access to the networks of its Vitry-le-Francois and Saint-Dizier hospitals. To contain the attack from spreading further, GHT disabled internet connectivity for both hospitals.
GHT mentioned that sensitive administrative data were stolen. Yet, sources at Bleeping Computer added that the patients’ personal data, including passport scans, social security information, banking information, emails, and phone numbers, were stolen by the hackers. Nearly 30 GB of data were posted on the dark web for sale.
Since the attack did not affect the hospitals’ OT systems, healthcare services continued to operate as usual. However, online booking services were temporarily shut down. The impacted hospitals are now urging their patients to stay aware of social engineering and phishing attacks.
Sources: Infosecurity, Bleeping Computer
2. Hive ransomware exploits ProxyShell flaws in Microsoft Exchange Server
During a ransomware case investigation, forensic experts at Varonis discovered that the Hive ransomware gang has been actively exploiting the ProxyShell vulnerabilities in Microsoft Exchange Servers to deploy ransomware. A ransomware-as-a-service (RaaS) provider first spotted in 2021, Hive affiliates have been actively targeting the financial and healthcare sectors.
ProxyShell contains a set of three critical vulnerabilities that allow remote code execution and authentication bypass. The Hive affiliate in the investigated case used the ProxyShell code to insert four web shells in an accessible Exchange directory, opening a backdoor to the server. It then launched Mimikatz – a credential-stealing malware – to steal system admin accounts, before exfiltrating sensitive data and deploying ransomware.
ProxyShell was patched by Microsoft in 2021 and has been exploited by operators of Conti, Babuk, BlackByte, and many other threat actors. The latest discovery shows that attackers are still actively exploiting the vulnerabilities one year after patches were released, showing the importance of keeping software and devices up to date.
3. Emotet malware adopts new deployment technique in latest campaign
According to researchers at Proofpoint, the Emotet malware is now back again after a ten-month silence period, with a new deployment technique combined with highly targeted phishing campaigns.
Attributed to threat actor TA542, the latest campaign occurred between April 4 and 19. Millions of phishing emails were sent to infect devices to be controlled by the botnet. However, different from previous attacks, where the attackers attached Word and Excel documents containing Visual Basics for Applications (VBA) scripts or macro, in this new campaign, a OneDrive URL was shown in the email body, containing ZIP files that contained Windows shortcut files (LNK) with a similar name to the email subject line. These LNK files contained PowerShell commands, of which when triggered, Emotet would be executed onto the machine.
Researchers said the change in tactics is likely because Microsoft disabled Microsoft Office macros by default in early 2022, forcing the attackers to look for a new attack pattern. Countries most affected by the latest campaign included Japan, Italy, Canada, Mexico, and Turkey.
Sources: Threatpost, TechRepublic
Check out Penta Security’s product lines:
Web Application Firewall: WAPPLES
Database Encryption: D’Amo
Identity and Access Management: iSIGN+
Car, Energy, Factory, City Solutions: Penta IoT Security