Cyber Security News - 15 March - 25 April
Weekly Cybersecurity News.
A Cyberattack on the Cornwall Community Hospital in Ontario is Causing Treatment Delays
The hospital pointed out that its clinical Electronic Health Record has not been impacted by the cyber attack. The users were not able to access MyChart due to the ongoing attack.
The Cornwall Community Hospital has yet to provide details about the attack, but the problems it is facing suggest it has suffered a ransomware attack.
Unfortunately, hospitals are easy targets for ruthless cybercriminals. In early February, the Tallahassee Memorial HealthCare (TMH) hospital took its IT systems offline and suspended non-emergency procedures after a cyberattack.
Nexx Bugs Allow to Open Garage Doors, and Take Control of Alarms and Plugs
The researchers reported the issues to the United States Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), which assigned the following five CVEs:
Use of Hard-coded Credentials CWE-798 (CVE-2023-1748, CVSS3.0: 8.6)
Authorization Bypass Through User-Controlled Key CWE-639 (CVE-2023-1749, CVSS3.0: 6.5)
Authorization Bypass Through User-Controlled Key CWE-639 (CVE-2023-1750, CVSS3.0: 7.1)
Improper Input Validation CWE-20 (CVE-2023-1751, CVSS3.0: 7.5)
Improper Authentication Validation CWE-287 (CVE-2023-1752, CVSS3.0: 8.1)
A Flaw in the Kyocera Android Printing App Can Be Abused to Drop Malware
According to the company, its Mobile Print’s application class allows data transmission from malicious third-party mobile apps, which could allow downloading of malicious payloads.
“A security vulnerability has been identified in KYOCERA Mobile Print for Android provided by KYOCERA Document Solutions” - reads the advisory published by the vendor.
“KYOCERA Mobile Print’s application class allows data transmission from malicious third-party mobile applications, which could result in malicious files being downloaded. And, by using the KYOCERA Mobile Print web browser functionality, malicious sites can be accessed and malicious files can be downloaded and executed, which can lead to the acquisition of internal information on mobile devices”.
Cybersecurity in the Energy Sector: Risks and Mitigation Strategies
No industry has been untouched by digital transformation. With the Industrial Internet of Things (IoT), and Artificial Intelligence (AI) powering more sophisticated forms of automation, the use of cyber-physical systems will only grow.
The technological infrastructure of most companies in the manufacturing and supply industry (including energy utilities) can be separated into two categories:
- Plant IT Systems
- ICS
Cybercriminals usually have a different approach to how they attack each system, although there are some commonalities.
For instance, a cybercriminal may use ransomware to lock up or steal data and extort its owners before restoring access.
Similarly, a cybercriminal may use a Distributed Denial of Service (DDoS) attack to halt ICS operations and only restore them when a fee is paid or a condition is met.
New Android Malicious Library Goldoson Found in 60 Apps with 100M+ Downloads
The collected data is sent to the C2 server every two days, but the cycle depends on the remote configuration.
The level of data collection depends on the permissions granted to the app using the malicious library.
McAfee discovered that even in recent Android versions, Goldoson was able to gather sensitive data in 10% of the apps.
Experts Found the First LockBit Encryptor that Targets macOS Systems
The experts pointed out that the archive was bundled on March 20, 2023. It also includes builds for PowerPC CPUs, which are used in older macOS systems.
One of the encryptors developed by Lockbit, named ‘locker_Apple_M1_64’, can encrypt files of Mac systems running on the Apple silicon M1.
Aloha PoS Restaurant Software Downed by Ransomware Attack
The Aloha PoS website lists a raft of restaurants, including Mad Mex and Chipotle, among its customers.
"BlackCat/ALPHV claimed responsibility for the attack and stated that they didn't steal any data but did take credentials that they are using as leverage to receive a ransom payment" - says Timothy Morris, chief security adviser at Tanium.
"It isn’t known how the attacker got initial access".
AI Cracker Can Guess Over Half of Common Passwords in 60 Seconds
With the advent of, and more importantly, rapid and successful adoption of AI tools such as ChatGPT, DALL-E, and Runway, it has become increasingly clear that the value proposition of such tools extends beyond what their developer intended it to be.
ChatGPT is already used for malicious tasks like developing malware and generating phishing emails and campaigns.
Passwords are still the most popular authentication method. Naturally, this raises the question: ‘Can an artificial intelligence-driven tool crack user passwords?’
PWNYOURHOME, FINDMYPWN, LATENTIMAGE: 3 iOS Zero-Click exploits used by NSO Group in 2022
Citizen Lab noticed that NSO Group, for a brief period, targeted devices with iOS 16’s Lockdown Mode feature enabled.
The owners of these devices received real-time warnings when the threat actors attempted to use the PWNYOURHOME exploit against their devices.
The bad news is that NSO Group may have improved its exploit to avoid the real-time warning, and the researchers have not seen PWNYOURHOME successfully used against any devices on which Lockdown Mode is enabled.
Trigona Ransomware targets Microsoft SQL servers
The analysis of the log from AhnLab’s ASD shows the MS-SQL process sqlservr.exe installing Trigona under the name svcservice.exe.
When svcservice.exe is executed as a service, it executes the Trigona ransomware and also creates and executes svchost.bat used to execute the ransomware. The svchost.bat registers the Trigona binary to the Run key to maintain persistence.
The svchost.bat also deletes volume shadow copies and disables the system recovery feature to prevent victims from recovering the encrypted files.
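The infection chain described above (sqlservr.exe dropping an executable, a batch file registering a Run key, shadow copies deleted and recovery disabled) maps cleanly onto a few detection rules. The following is an added example, not part of the original article or of AhnLab's tooling; the event shape and the command lines are constructed to resemble Sysmon-style telemetry and are assumptions, not captured Trigona data.

```python
import re

# Constructed sample telemetry in a simplified Sysmon-like shape (not real Trigona data).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe /c dir"},
    {"type": "process", "image": r"C:\Windows\Temp\svcservice.exe",
     "parent": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "cmdline": "svcservice.exe"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\Temp\svcservice.exe", "cmdline": r"cmd.exe /c C:\Windows\Temp\svchost.bat"},
    {"type": "registry", "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "cmdline": r"reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /d C:\Windows\Temp\svchost.exe"},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "process", "image": r"C:\Windows\System32\bcdedit.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "bcdedit /set {default} recoveryenabled no"},
]

def _base(path):
    """File name component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()

def _outside_parent_dir(e):
    """Heuristic: the child binary does not live in the parent's own directory."""
    return not e["image"].lower().startswith(e["parent"].lower().rsplit("\\", 1)[0])

# Each rule maps one step of the chain described in the article to a predicate over an event.
RULES = [
    ("mssql_spawns_binary", lambda e: e["type"] == "process"
        and _base(e["parent"]) == "sqlservr.exe" and _outside_parent_dir(e)),
    ("run_key_persistence", lambda e: e["type"] == "registry"
        and re.search(r"\\currentversion\\run\\", e["target"], re.I) is not None),
    ("shadow_copy_deletion", lambda e: re.search(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", e.get("cmdline", ""), re.I) is not None),
    ("recovery_disabled", lambda e: re.search(
        r"bcdedit.*recoveryenabled\s+no", e.get("cmdline", ""), re.I) is not None),
]

def detect(events):
    """Return (rule_name, offending_image) for every event that matches a rule."""
    return [(name, _base(e["image"])) for e in events for name, pred in RULES if pred(e)]

def is_trigona_like_chain(events):
    """True when persistence, shadow-copy deletion and recovery disabling all appear together."""
    hits = {name for name, _ in detect(events)}
    return {"run_key_persistence", "shadow_copy_deletion", "recovery_disabled"} <= hits

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding)
    print("trigona-like chain:", is_trigona_like_chain(SAMPLE_EVENTS))
```

Any single rule will also fire on legitimate administration; the value is in correlating the whole sequence on one host, which is what is_trigona_like_chain checks.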
Multinational ICICI Bank Leaks Passports and Credit Card Numbers
On February 1, the Cybernews research team discovered a misconfigured and publicly accessible cloud storage – Digital Ocean bucket – with over 3.6 million files belonging to ICICI Bank. Files exposed sensitive data of the bank and its clients.
Among the leaked clients’ data, there were bank account details, credit card numbers, full names, dates of birth, home addresses, phone numbers, and emails.