Sandworm Cyberattacks Target 20 Vital Organizations in Ukraine
Recent reports from the Ukrainian Computer Emergency Response Team (CERT-UA) reveal that the notorious Russian hacker group Sandworm, also known as BlackEnergy, Seashell Blizzard, Voodoo Bear, and APT44, has directed its efforts towards disrupting operations at approximately 20 critical infrastructure entities in Ukraine. These cybercriminals, believed to be affiliated with Russia’s GRU, have a history of conducting cyberespionage and destructive attacks. In March 2024, CERT-UA documented Sandworm’s operations aimed at disrupting information and communication systems within energy, water, and heating suppliers across ten Ukrainian regions. The attackers exploited software vulnerabilities in supply chains and software providers, employing a combination of previously identified malware and newly developed malicious tools like BIASBOAT and LOADGRIP for Linux. Poor cybersecurity practices among the targets facilitated these breaches, prompting CERT-UA to undertake extensive counter-cyberattack measures, including informing affected enterprises, removing malware, and strengthening security. Sandworm’s actions are suspected to be intended to amplify the impact of potential Russian missile strikes on these critical infrastructure facilities. Additionally, recent revelations by Mandiant have linked Sandworm to hacktivist groups involved in attacks on infrastructure in Europe and the U.S., further underscoring the significance of CERT-UA’s findings.
Synlab Italia Halts Operations Following Ransomware Incident
Synlab Italia has ceased all medical diagnostic and testing operations following a ransomware attack that crippled its IT systems. A vital part of the Synlab network spanning 30 countries, Synlab Italia operates 380 laboratories and medical centers across Italy, boasting an annual revenue of $426 million and conducting 35 million analyses yearly.
The security breach, which occurred in the early hours of April 18, prompted an immediate shutdown of all corporate computers to mitigate further damage, in line with the company’s IT security protocols. While Synlab Italia has not confirmed it, there are concerns that sensitive medical data might have been compromised.
Consequently, all laboratory services, including sample collection and analysis, have been suspended indefinitely, with customers instructed to contact Synlab via phone due to inactive email services. Efforts are underway to sanitize the IT infrastructure and restore operations, although no specific timeline has been provided. Synlab encourages customers to monitor their website and social media channels for updates.
Microsoft Warns of APT28 Exploiting Windows Vulnerability
Microsoft issues a cautionary alert regarding the exploitation of a Windows Print Spooler vulnerability by the Russian APT28 threat group. This flaw enables the escalation of privileges, facilitating the theft of credentials and data through a newly identified hacking tool named GooseEgg.
APT28 has reportedly utilized GooseEgg to exploit the CVE-2022-38028 vulnerability since at least June 2020, possibly as early as April 2019. Despite Microsoft’s patch in October 2022, the company has yet to officially acknowledge the exploitation in its advisory.
The malicious actors, affiliated with Russia’s Main Intelligence Directorate of the General Staff (GRU), deploy GooseEgg to execute additional payloads, issue commands with SYSTEM-level privileges, and persist within compromised systems. Their tactics involve dropping post-compromise tools such as ‘execute.bat’ and ‘servtask.bat’, as well as embedding malicious DLL files within the Print Spooler service to facilitate lateral movement and remote code execution.
Microsoft identifies targets spanning Ukrainian, Western European, and North American government sectors, among others, emphasizing GooseEgg’s capacity to support diverse malicious objectives. This warning underscores the ongoing threat posed by APT28, known for its history of sophisticated cyber attacks across various geopolitical domains.
Leveraging Antivirus Updates for Malware Distribution
Exploiting the update mechanism of eScan antivirus, hackers deploy GuptiMiner malware across corporate networks. This advanced threat, equipped with DNS manipulation and DLL sideloading capabilities, infiltrates systems through a cleverly disguised DLL file within legitimate update packages. Despite eScan’s efforts to patch vulnerabilities, ongoing infections suggest potential weaknesses in client systems.
Researchers also draw parallels between GuptiMiner and the North Korean APT group Kimsuky, noting similarities in information-stealing functions and domain usage. The attackers deploy a range of malware tools, including enhanced backdoors and the XMRig Monero miner, demonstrating a comprehensive approach to cyber infiltration.
While eScan has implemented measures to mitigate the vulnerability, ongoing infections highlight the persistent threat landscape. This underscores the importance of proactive defense strategies and continuous vigilance against evolving cyber threats.
U.S. Government Sanctions Iranians Linked to Cyberattacks
The Treasury Department’s Office of Foreign Assets Control (OFAC) has sanctioned four Iranian individuals for participating in cyberattacks against the U.S. government, defense contractors, and private companies. Additionally, two front companies—Mehrsam Andisheh Saz Nik (MASN) and Dadeh Afzar Arman (DAA)—associated with the Iranian Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC) have been sanctioned. These measures aim to freeze U.S.-based assets and interests linked to the designated individuals and entities, including those owned by them. Transactions involving their assets are prohibited without OFAC authorization, and dealing with them risks exposure to sanctions or enforcement actions. The State Department offers rewards of up to $10 million for information leading to the capture of key individuals and entities involved in these cyber activities.
CoralRaider Exploits CDN Cache for Malware Distribution
CoralRaider, a threat actor, utilizes a content delivery network (CDN) cache to distribute information-stealing malware, targeting systems in the U.S., the U.K., Germany, and Japan. The group delivers LummaC2, Rhadamanthys, and Cryptbot info stealers through malware-as-a-service platforms, with Cisco Talos attributing the campaign to CoralRaider based on past attack similarities.
Victims receive archives containing malicious Windows shortcut files (.LNK), triggering PowerShell commands to download and execute an obfuscated HTML Application (HTA) file from an attacker-controlled CDN subdomain. This tactic allows CoralRaider to bypass network defenses and evade detection. The malware targets databases for password managers and authenticator apps, posing significant risks, especially with Cryptbot’s enhanced capabilities. CoralRaider, active since at least 2023 and possibly based in Vietnam, has expanded its global reach beyond Asian countries in its latest campaign.
Ring Customers Receive $5.6 Million in Privacy Breach Settlement
The Federal Trade Commission (FTC) is distributing $5.6 million in refunds to Ring users affected by privacy breaches, where private video feeds were accessed without consent by Amazon employees and contractors, or due to insufficient security protections leading to account and device hacking.
The settlement follows a complaint from May 2023, alleging Ring’s failure to implement adequate security measures. Ring, an Amazon subsidiary, offers smart home security products like video doorbells and security cameras.
The FTC’s original complaint highlighted Ring’s employee access policies and the absence of basic security measures like multi-factor authentication until 2019, which facilitated unauthorized access. Payments are being sent via PayPal to over 117,000 affected customers, who must redeem the funds within 30 days. The FTC identified eligible customers based on the data provided and advises referring to its FAQ page for further details.
ArcaneDoor Hackers Exploit Cisco Zero-Days for Government Network Breaches
Cisco has issued a warning regarding a state-backed hacking group exploiting two zero-day vulnerabilities in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls since November 2023. Known as UAT4356 by Cisco Talos and STORM-1849 by Microsoft, the hackers launched a cyber-espionage campaign dubbed ArcaneDoor, targeting vulnerable edge devices worldwide.
The vulnerabilities—CVE-2024-20353 (denial of service) and CVE-2024-20359 (persistent local code execution)—allowed threat actors to deploy previously unknown malware and maintain persistence on compromised devices. One implant, Line Dancer, facilitated remote access and packet exfiltration, while Line Runner served as a persistent backdoor with defense evasion mechanisms.
A joint advisory by cybersecurity agencies highlights the malicious actors’ capabilities, urging users to upgrade their devices and monitor for suspicious activities. Cisco emphasizes the importance of patching, logging, and implementing strong authentication measures across all network equipment.
WP Automatic Plugin Targeted by Millions of SQL Injection Attacks
Hackers are exploiting a critical vulnerability in the WP Automatic plugin for WordPress, allowing them to create administrative user accounts and install backdoors for persistent access. The vulnerability, CVE-2024-27956, rated 9.9/10 in severity, was disclosed by Patchstack researchers on March 13. It affects WP Automatic versions prior to 3.9.2.0 and enables SQL injection attacks via the plugin’s user authentication mechanism.
Since the disclosure, over 5.5 million attack attempts have been observed by WPScan, with attackers creating backdoors and obfuscating code to evade detection. Attackers also rename the vulnerable file “csv.php” to prevent others from exploiting the same issue. WPScan advises administrators to update the plugin to version 3.92.1 or later and to regularly back up their sites to mitigate the risk of compromise.
Los Angeles County DHS Reports Data Breach After Phishing Attack
The Los Angeles County Department of Health Services (DHS) has reported a data breach after a recent phishing attack compromised the personal and health information of thousands of patients. The breach affected 23 employees whose credentials were stolen in a February phishing attack, leading to unauthorized access to patients’ data stored in their email inboxes.
Approximately 6,085 individuals’ information may have been impacted by the breach, according to DHS. The compromised data included patients’ personal details, medical records, and health plan information. However, Social Security Numbers and financial information were not compromised.
Following the discovery, DHS took measures to secure the affected accounts, reset employee devices, and raise awareness among staff about phishing threats. While no evidence of misuse was found, affected patients are advised to verify their medical records with their healthcare providers. The breach has been reported to the relevant authorities for further investigation.
Conclusion
Sandworm cyberattacks targeting vital organizations in Ukraine, Synlab Italia halting operations due to a ransomware incident, and Microsoft warning of APT28 exploiting Windows vulnerabilities underscore the persistent threat of cybercrime. Amidst all these challenges, our expertise in ransomware recovery and cybersecurity shines. We offer specialized services like Ransomware Recovery Services, Ransomware Negotiation Services, and Ransomware Settlement Services. If your organization needs assistance in recovering from a ransomware attack or strengthening its cybersecurity defenses, contact us today.