Keytronic Faces $17 Million Loss Following Ransomware Attack
Keytronic, a leading electronic manufacturing services provider, recently revealed losses exceeding $17 million due to a ransomware attack that occurred in May 2024. Originally known for manufacturing keyboards and mice, Keytronic has grown into one of the largest global producers of printed circuit board assemblies (PCBA).
The ransomware attack severely impacted its U.S. and Mexico operations, resulting in over $2.3 million in unexpected expenses and a $15 million revenue loss in the fourth quarter. While the company expects to recover most of these orders by 2025, the attack also led to the theft of sensitive data, including employee and customer information.
The incident illustrates the extortion model now standard across the ransomware ecosystem, whether a group runs a closed operation or leases its tooling to affiliates under the Ransomware-as-a-Service (RaaS) model: systems are encrypted and data is stolen, and the stolen data becomes additional leverage. Keytronic has not publicly named the threat actor, but the Black Basta ransomware group later claimed responsibility and listed the company on its leak site.
North Korean Hackers Exploit VPN Update Flaw to Deploy Malware
South Korea’s National Cyber Security Center (NCSC) has issued a warning about North Korean state-sponsored hackers abusing VPN software update mechanisms to install malware and infiltrate networks. The campaign is tied to North Korea’s broader effort to steal trade secrets, particularly in light of the industrial modernization initiative announced by Kim Jong-un in 2023.

Two advanced persistent threat (APT) groups are behind these operations: Kimsuky (APT43) and Andariel (APT45), both state-directed and commonly grouped under the Lazarus umbrella. In one instance, Kimsuky compromised a South Korean construction trade organization’s website and used it to distribute trojanized software updates that captured sensitive data. In another, Andariel exploited a flaw in a domestic VPN product’s update communication protocol to push malicious updates to clients, deploying the DoraRAT malware to exfiltrate large files such as machinery design documents.

These cases are cyber-espionage, not ransomware, and the common thread is a supply-chain weakness: a trusted distribution channel, whether a vendor update server or a sector website, becomes the delivery mechanism. A client that trusts whatever the channel hands it has no defense here; it must verify each update itself.
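The verification an update client should perform, as an added example for this post (not code from NCSC, the APT reporting, or any VPN vendor). The manifest layout, the key and the update bytes are constructed; an HMAC under a key baked into the client stands in for the publisher signature (Ed25519 or Authenticode, verified against a pinned public key) that a real updater would check. The point is the order of checks: authenticate the manifest first, then the payload hash against the authenticated manifest, then refuse anything that is not newer than what is installed, so an attacker who controls the channel can neither swap the payload nor replay an old build.

```python
"""Verify a software update end to end before installing it.

Added example for this post; not code from NCSC, the referenced APT
reporting, or any VPN vendor. The manifest layout, the key and the
sample update bytes are constructed. An HMAC under a key baked into the
client stands in for what a real updater should use: a publisher
signature (e.g. Ed25519 or Authenticode) verified with a pinned public key.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Stand-in for the publisher's verification key (constructed). A real
# client would pin a public key here, never a shared secret.
PUBLISHER_KEY = b"constructed-demo-key-do-not-use"


@dataclass
class Verdict:
    ok: bool
    reason: str


def canonical(manifest: dict) -> bytes:
    """Stable encoding so publisher and client authenticate identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = PUBLISHER_KEY) -> str:
    """Publisher side: authenticate name, version and payload hash together."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_update(manifest: dict, tag: str, payload: bytes,
                  installed: tuple, key: bytes = PUBLISHER_KEY) -> Verdict:
    """Client side. Order matters: authenticate the manifest first so an
    attacker who controls the channel cannot simply rewrite the hash."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return Verdict(False, "manifest authentication failed")
    if not hmac.compare_digest(hashlib.sha256(payload).hexdigest(), manifest["sha256"]):
        return Verdict(False, "payload hash mismatch")
    version = tuple(int(p) for p in manifest["version"].split("."))
    if version <= installed:
        return Verdict(False, f"downgrade/replay: {manifest['version']} is not newer than installed")
    return Verdict(True, "update accepted")


def run_scenarios() -> dict:
    """Four constructed deliveries: genuine, trojanized payload,
    attacker-rewritten manifest, and replay of an old genuine update."""
    genuine = b"constructed genuine vpn client build 2.4.1"
    trojan = b"constructed trojanized build carrying a RAT"
    manifest = {"name": "vpnclient", "version": "2.4.1",
                "sha256": hashlib.sha256(genuine).hexdigest()}
    tag = sign_manifest(manifest)
    # Attacker on the channel rewrites the hash to match the trojan but
    # cannot produce a valid tag without the publisher's key.
    forged = dict(manifest, sha256=hashlib.sha256(trojan).hexdigest())
    return {
        "genuine": verify_update(manifest, tag, genuine, installed=(2, 4, 0)),
        "trojan_same_manifest": verify_update(manifest, tag, trojan, installed=(2, 4, 0)),
        "trojan_forged_manifest": verify_update(forged, tag, trojan, installed=(2, 4, 0)),
        "replay_old_build": verify_update(manifest, tag, genuine, installed=(2, 4, 1)),
    }


if __name__ == "__main__":
    for name, v in run_scenarios().items():
        print(f"{name:24s} ok={v.ok} {v.reason}")
```

Note that the hash alone would not have helped in the Andariel case if the manifest travelled over the same compromised channel: without the authentication step, the attacker simply ships a manifest whose hash matches the trojan. The downgrade check closes the other obvious gap, replaying a genuine but vulnerable old build.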
Ransomware Gang Targets IT Workers with SharpRhino Malware
The Hunters International ransomware group is actively targeting IT professionals with a newly developed C# remote access trojan (RAT) known as SharpRhino. The malware is built to take a corporate network end to end: gain an initial foothold, escalate privileges on the compromised system, execute PowerShell commands, and ultimately deploy ransomware. It is distributed through typosquatting sites mimicking legitimate tools such as Angry IP Scanner, tricking IT workers, who are exactly the people with the access an attacker wants, into downloading it.
Once installed, SharpRhino modifies the Windows registry for persistence and uses PowerShell scripts to carry out its actions stealthily. Hunters International, suspected to be a rebranded version of the Hive ransomware operation, has already carried out 134 attacks in 2024. To defend against this kind of threat, IT teams should download admin tooling only from the vendor’s own domain and check its hash or signature, audit autostart locations for unexpected entries, and maintain robust backups, network segmentation and current patch levels to limit privilege escalation and lateral movement.
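An autostart audit aimed at the persistence pattern described above, added here as an example and not taken from the SharpRhino analysis or from Hunters International’s tooling. It flags Run/RunOnce commands that launch an interpreter or other living-off-the-land binary, that pass PowerShell evasion flags (hidden window, encoded command, no profile), or that point at an executable in a user-writable path. The sample entries are constructed; the live collector uses the standard-library `winreg` module and only runs on Windows. The heuristics are deliberately broad and will need tuning per fleet (note that a legitimate OneDrive entry trips the user-writable-path rule).

```python
"""Audit Windows autostart (Run/RunOnce) entries for registry persistence
that launches PowerShell with hidden/encoded arguments or runs binaries
from user-writable paths.

Added example for this post; not code from the SharpRhino analysis or
from Hunters International. The sample entries are constructed. The
patterns are heuristics and produce false positives on some legitimate
software (installers commonly use AppData), so treat hits as leads.
"""
import re
import sys
from typing import Iterable

USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|Downloads|ProgramData|Public|Users\\[^\\]+\\Desktop)\\", re.I)
LOLBINS = re.compile(
    r"\b(powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|cmd)(\.exe)?\b", re.I)
PS_EVASION = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop(rofile)?\b"
    r"|-ep\s+bypass|-executionpolicy\s+bypass|\biex\b|downloadstring)", re.I)


def classify(command: str) -> list[str]:
    """Return the list of reasons a command looks like malicious persistence."""
    reasons = []
    if LOLBINS.search(command):
        reasons.append("interpreter/LOLBin launch")
    if PS_EVASION.search(command):
        reasons.append("PowerShell evasion flags")
    if USER_WRITABLE.search(command):
        reasons.append("binary in user-writable path")
    return reasons


def audit(entries: Iterable[tuple[str, str, str]]) -> list[dict]:
    """entries: (key path, value name, command). Flagged entries, most reasons first."""
    findings = []
    for key, name, command in entries:
        reasons = classify(command)
        if reasons:
            findings.append({"key": key, "name": name, "command": command, "reasons": reasons})
    findings.sort(key=lambda f: -len(f["reasons"]))
    return findings


def collect_live_entries() -> list[tuple[str, str, str]]:
    """Read the real HKCU/HKLM Run and RunOnce keys. Windows only; [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    paths = [r"Software\Microsoft\Windows\CurrentVersion\Run",
             r"Software\Microsoft\Windows\CurrentVersion\RunOnce"]
    out = []
    for hive, hname in ((winreg.HKEY_CURRENT_USER, "HKCU"), (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        for path in paths:
            try:
                with winreg.OpenKey(hive, path) as key:
                    i = 0
                    while True:
                        try:
                            name, value, _ = winreg.EnumValue(key, i)
                        except OSError:
                            break
                        out.append((f"{hname}\\{path}", name, str(value)))
                        i += 1
            except OSError:
                continue
    return out


# Constructed sample: two benign entries, one encoded-PowerShell launcher,
# one executable dropped under AppData (the typosquatted-tool scenario).
SAMPLE_ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "UpdateCheck",
     r"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "ipscan",
     r"C:\Users\alice\AppData\Roaming\ipscan\ipscan.exe"),
]

if __name__ == "__main__":
    entries = collect_live_entries() or SAMPLE_ENTRIES
    for f in audit(entries):
        print(f"{f['name']:15s} {', '.join(f['reasons'])}\n    {f['command']}")
```

Run it on a workstation and the live keys are used; anywhere else it falls back to the constructed sample. Entries that hit two or more rules (an interpreter launch plus evasion flags) deserve immediate attention; a single user-writable-path hit is a lead to confirm against the file’s signer and hash.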
Google Fixes Android Kernel Zero-Day Exploited in Targeted Attacks
Google’s August 2024 Android security update patches a Linux kernel vulnerability, tracked as CVE-2024-36971, that was already being exploited as a zero-day. The flaw is a use-after-free (UAF) in the kernel’s network route management code and has been used in limited, targeted attacks.
The bug lets an attacker who already has System execution privileges on the device corrupt kernel memory through its cached-route handling and execute arbitrary code, which makes it a privilege-escalation link in an exploit chain rather than a standalone remote entry point. It was discovered by Google’s Threat Analysis Group (TAG), which tracks commercial surveillance vendors and state-sponsored actors, and it is a reminder that previously unknown kernel bugs are being exploited in the wild. Google shipped the fix in its August security updates.
However, while Pixel devices receive the fix directly from Google, devices from other manufacturers may remain vulnerable until their vendors integrate and test the patch, which can take weeks or months. Until then, the security patch level a device reports is the practical indicator of whether it is exposed, and defenders should check it rather than assume the fix has arrived.
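A fleet check for the exposure just described, as an added example for this post (not Google’s or TAG’s code). It parses `adb shell getprop` output and compares `ro.build.version.security_patch` against the level the fix ships in; the example assumes 2024-08-05, the kernel component level in Google’s August 2024 bulletin, and you should adjust `REQUIRED` if your vendor backports differently. The two `getprop` outputs are constructed. The patch level is self-reported by the vendor firmware, so for a device that matters, corroborate it with the kernel build string (`uname -r`) from the same shell.

```python
"""Check whether an Android device's security patch level covers the
August 2024 kernel fix for CVE-2024-36971.

Added example for this post; not Google's or TAG's code. It assumes the
fix ships in the 2024-08-05 security patch level (the kernel component
level in Google's August 2024 bulletin). The sample getprop output is
constructed. adb's 'getprop' prints '[key]: [value]' lines, which
parse_getprop() reads.
"""
import re
import subprocess
from datetime import date

REQUIRED = date(2024, 8, 5)  # assumed patch level carrying the kernel fix
PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(output: str) -> dict[str, str]:
    """Parse `adb shell getprop` lines of the form '[key]: [value]'."""
    props = {}
    for line in output.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def patch_status(props: dict[str, str], required: date = REQUIRED) -> tuple[str, str]:
    """Return (verdict, detail) with verdict 'patched', 'vulnerable' or 'unknown'."""
    level = props.get("ro.build.version.security_patch", "")
    try:
        y, m, d = (int(x) for x in level.split("-"))
        have = date(y, m, d)
    except ValueError:
        # Missing or malformed property: do not guess, report it.
        return "unknown", f"unparseable security_patch={level!r}"
    model = props.get("ro.product.model", "?")
    if have >= required:
        return "patched", f"{model}: {level} >= {required}"
    return "vulnerable", f"{model}: {level} < {required}"


def check_connected_device(serial: str = "") -> tuple[str, str]:
    """Query a live device over adb (needs adb in PATH and a connected device)."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + ["shell", "getprop"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return patch_status(parse_getprop(out))


# Constructed getprop excerpts: a device on the August level and an OEM
# device still on July.
SAMPLE_PIXEL = """\
[ro.product.model]: [Pixel 8]
[ro.build.version.release]: [14]
[ro.build.version.security_patch]: [2024-08-05]
"""
SAMPLE_OEM = """\
[ro.product.model]: [Constructed OEM Phone]
[ro.build.version.release]: [14]
[ro.build.version.security_patch]: [2024-07-01]
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PIXEL, SAMPLE_OEM):
        print(*patch_status(parse_getprop(sample)))
```

Point `check_connected_device()` at each serial from `adb devices` to sweep a lab fleet; an MDM export of the same property works for managed devices.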
McLaren Hospitals Disrupted by INC Ransomware Attack
McLaren Health Care, a non-profit healthcare system operating 13 hospitals across Michigan, faced major IT and phone system disruptions on Tuesday due to an attack linked to the INC Ransom ransomware operation. This attack has compromised access to critical patient information databases, leading McLaren to advise patients to bring detailed records of their medications to appointments and potentially reschedule non-emergent procedures out of caution.
While McLaren has not officially confirmed the specifics of the incident, employees at McLaren Bay Region Hospital reported receiving a ransom note stating that the hospital’s systems were encrypted and that stolen data would be published if a ransom was not paid. The incident is particularly concerning because the ALPHV/BlackCat ransomware group previously claimed responsibility for a July 2023 attack on McLaren that led to a data breach affecting nearly 2.2 million people. Being hit by INC Ransom and ALPHV/BlackCat within roughly a year shows that healthcare providers are repeat targets for different ransomware operations, with direct consequences for patient care.
New CMoon USB Worm Targets Russians in Data Theft Attacks
A new self-propagating worm named ‘CMoon’ has been targeting Russian users since early July 2024, spreading via a compromised gas supply company website. According to Kaspersky researchers, CMoon is designed to steal account credentials and other sensitive data, with capabilities including loading additional malware, taking screenshots, and launching distributed denial of service (DDoS) attacks.
The worm’s distribution began when the threat actors replaced legitimate document links on the company’s website with malicious executables. These were delivered as self-extracting archives, containing both the original documents and the CMoon payload. Although the compromised files were removed from the website in late July, CMoon’s self-replication mechanisms could allow it to continue spreading autonomously.
CMoon specifically targets high-value entities rather than random internet users, reflecting the sophisticated nature of the operation. The worm also monitors for connected USB drives, replacing files with shortcuts to its executable while exfiltrating interesting data to an external server. Despite the targeted nature of this campaign, CMoon’s ability to spread autonomously raises concerns about broader, unintended impacts.
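A scanner for the USB behaviour described above (documents replaced by shortcuts to the worm’s executable), added as an example for this post and not taken from Kaspersky’s detection logic or from CMoon itself. It walks a removable drive, confirms each `.lnk` really is a Windows shortcut by checking the MS-SHLLINK header (size 0x4C and the ShellLink CLSID), flags shortcuts named like documents whose original is missing from the same folder, and lists executables on the drive as candidate payloads, noting whether they are hidden. The sample drive is constructed in a temp directory with 76-byte header stubs, so it runs offline. Resolving the shortcut’s actual target needs a full LNK parser, which this heuristic deliberately avoids; the hidden-attribute check uses a dot-prefix proxy on POSIX and `FILE_ATTRIBUTE_HIDDEN` on Windows.

```python
"""Scan a removable drive for the 'file replaced by shortcut' pattern:
a Windows shortcut (.lnk) named like a document, with the original gone
and an executable (often hidden) elsewhere on the drive.

Added example for this post; not Kaspersky's detection logic or CMoon's
code. The sample drive is constructed in a temp directory and the .lnk
files are minimal ShellLinkHeader stubs (76 bytes). Resolving the true
shortcut target needs a full MS-SHLLINK parser, which this skips.
"""
import struct
import tempfile
from pathlib import Path

# MS-SHLLINK ShellLinkHeader: HeaderSize 0x4C, then LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".vbs", ".js"}
FILE_ATTRIBUTE_HIDDEN = 0x2


def is_shell_link(path: Path) -> bool:
    """True only if the file carries a genuine ShellLink header."""
    with open(path, "rb") as f:
        head = f.read(20)
    return (len(head) == 20
            and struct.unpack("<I", head[:4])[0] == LNK_HEADER_SIZE
            and head[4:20] == LNK_CLSID)


def is_hidden(p: Path, root: Path) -> bool:
    """Dot-prefixed component (POSIX proxy) or FILE_ATTRIBUTE_HIDDEN on Windows."""
    if any(part.startswith(".") for part in p.relative_to(root).parts):
        return True
    return bool(getattr(p.stat(), "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN)


def scan_drive(root: Path) -> dict:
    """Return lookalike shortcuts and candidate payload executables under root."""
    lookalikes, payloads = [], []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.suffix.lower() == ".lnk" and is_shell_link(p):
            inner = Path(p.stem).suffix.lower()  # 'report.docx.lnk' -> '.docx'
            if inner in DOC_EXTS and not (p.parent / p.stem).exists():
                lookalikes.append(p.relative_to(root).as_posix())
        elif p.suffix.lower() in EXEC_EXTS:
            payloads.append({"path": p.relative_to(root).as_posix(),
                             "hidden": is_hidden(p, root)})
    verdict = "suspicious" if lookalikes and payloads else "clean"
    return {"verdict": verdict, "lookalikes": sorted(lookalikes), "payloads": payloads}


def build_sample_drive() -> Path:
    """Constructed infected drive: originals moved into a hidden dir next to
    the payload, document-named shortcuts left in their place."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    stub = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + b"\0" * (LNK_HEADER_SIZE - 20)
    hidden = root / ".cache"
    hidden.mkdir()
    (hidden / "report.docx").write_bytes(b"original document")
    (hidden / "svchost.exe").write_bytes(b"MZ constructed payload")
    (root / "report.docx.lnk").write_bytes(stub)
    (root / "photos.jpg.lnk").write_bytes(stub)
    (root / "readme.txt").write_bytes(b"harmless")
    (root / "notes.txt.lnk").write_bytes(b"not a real shortcut")  # fails the magic check
    return root


if __name__ == "__main__":
    result = scan_drive(build_sample_drive())
    print(result["verdict"], result["lookalikes"], result["payloads"])
```

Run `scan_drive(Path("E:/"))` (or the mount point) against a drive that has visited an infected host. A `suspicious` verdict is a trigger to image the drive and pull the executable for analysis, not to open anything on it.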
FBI Confirms BlackSuit Ransomware Behind Over $500 Million in Ransom Demands
The FBI and CISA have confirmed that the Royal ransomware group has rebranded as BlackSuit ransomware and has demanded more than $500 million from victims since its emergence. The revelation, shared in an update to a joint advisory, traces the operation’s lineage to the Conti cybercrime syndicate: after Conti’s shutdown, the group initially operated with the Zeon encryptor, rebranded as Royal in September 2022, and adopted the BlackSuit name in 2023 following high-profile attacks such as the one on the City of Dallas in May 2023.
BlackSuit, which shares numerous coding similarities with its predecessor Royal, has targeted over 350 organizations, with ransom demands typically ranging from $1 million to $10 million and reaching $60 million in one instance. The FBI and CISA’s advisory links BlackSuit to significant incidents, including the recent CDK Global IT outage that disrupted operations at over 15,000 car dealerships across North America. CDK was forced to shut down its IT systems, a demonstration of how a single intrusion into a shared service provider cascades to thousands of downstream businesses.
SEC Ends Probe into MOVEit Attacks Impacting 95 Million People
The SEC has concluded its investigation into Progress Software’s handling of the massive data breach caused by a zero-day vulnerability in the MOVEit Transfer software, which exposed the personal data of over 95 million people. In a recent Form 8-K filing, Progress Software disclosed that the SEC’s Division of Enforcement will not recommend any enforcement action regarding the incident.
The breach, which occurred over the 2023 Memorial Day holiday weekend, was orchestrated by the Clop ransomware gang. Exploiting the zero-day flaw in MOVEit Transfer, Clop ran a large-scale data theft campaign against organizations worldwide, affecting government agencies, financial institutions, healthcare providers, airlines, and educational institutions. According to Emsisoft, the Clop gang was projected to earn between $75 million and $100 million in ransom payments from the campaign, which compromised the data of more than 2,770 organizations.
Despite the SEC’s decision, Progress Software continues to face hundreds of class-action lawsuits, now consolidated in Massachusetts federal courts, stemming from the extensive fallout of the Clop ransomware gang’s actions.
Conclusion
The increasing sophistication of cyber threats, from ransomware attacks to zero-day exploits, underscores the critical need for robust cybersecurity measures. The growing prevalence of attacks like those on Keytronic, McLaren Health Care, and others highlights the importance of being prepared to respond quickly and effectively.
As experts in ransomware recovery and cybersecurity, we offer specialized services such as Ransomware Recovery Services, Ransomware Negotiation Services, and Ransomware Settlement Services. If your organization is facing a ransomware incident or needs to strengthen its defenses, contact us today.