[Security Weekly] Italian COVID-19 Vaccine Booking Portal Knocked Offline in Ransomware Attack
1st Week of August 2021
1. Italian COVID-19 vaccine booking portal knocked offline in ransomware attack
Italy’s Lazio regional government issued a notification on August 1 stating that it had suffered the most serious cyberattack it had ever experienced. Home to the nation’s capital Rome, Lazio is the second-most populous region of Italy.
According to Lazio’s President, all IT systems, including the servers for the COVID-19 vaccine booking portal, were impacted by the attack and taken offline immediately. Nearly all files in the databases were said to have been encrypted. Vaccine booking was expected to be suspended for several days, and vaccinations could be delayed as a result. Crucial services like emergency medical care were temporarily restored using external cloud servers. Fortunately, authorities reassured the public that financial and health data were safe.
Sources at Bleeping Computer and CNN linked the attack to the RansomExx ransomware gang, who left a ransom note that led to a payment negotiation page. As of now, there is no sign that the attackers exfiltrated any data prior to deploying the ransomware.
2. US DoJ confirms 27 US Attorney offices breached by SolarWinds hackers
The US Department of Justice confirmed in early August that the hackers behind the SolarWinds supply chain attack were able to breach the Microsoft Office 365 email accounts of employees working at 27 US Attorney offices. Each district had at least one email account compromised.
Among the 27 districts impacted, four districts in New York were affected the most, with 80% of all employees’ email accounts accessed by the hackers for a six-month period between May 7 and December 27, 2020. All of the sent, received, and archived emails, including attachments, were compromised.
Earlier in the year, the US government officially attributed the SolarWinds attack to Russian intelligence. There are a number of reasons why a foreign intelligence service may be interested in sensitive legal files. One is that controversial information could be leaked at crucial times to influence public opinion and decision-making.
3. Iran’s transportation ministry suffers attack by novel wiper, trains affected
In early July, Iran’s transportation ministry reportedly suffered a cyberattack that disrupted its train service and took down its website. Digital information displays were defaced by the attackers, showing the phone number of the office of the Supreme Leader of Iran.
Researchers at cybersecurity firm SentinelOne were able to reconstruct the attack with the help of local forensic experts. Their analysis showed that the attackers used a new type of wiper named “Meteor”. However, the attack pattern could not be linked to any known hacker group.
The wiper was unusual in that it consisted of three independent components, each with a different function. The main component encrypted the data. A file named “nti.exe” was executed to corrupt the MBR, and another executable, “mssetup.exe”, was deployed to encrypt the systems.
Even though a significant amount of data was recovered, the identity of the attackers remains a mystery.
Check out Penta Security’s product lines:
Web Application Firewall: WAPPLES
Database Encryption: D’Amo
Identity and Access Management: ISign+
Car, Energy, Factory, City Solutions: Penta IoT Security