Swedish national grocer stung by Cactus
The grocery chain Coop, which has 800 stores in Sweden, has appeared on the Tor leak site of the Cactus Group, with company ID cards published as proof of a hack. According to Bleeping Computer, this happened through a third-party software provider, Visma, that manages payment systems for the supermarket chain. Visma had confirmed that it was affected by the Kaseya cyberattack, a REvil encryption operation. The Cactus operation became known in May of last year.
Flaw in Black Basta decryptor allows recovery of victims’ files – temporarily
Researchers at Security Research Labs (SRLabs) found the weakness in the encryption algorithm used by the Black Basta gang. It allows the one-file-at-a-time recovery of files over 5K in size, and allegedly works on files encrypted between November 2022 and December 2023. Bleeping Computer has learned, however, that Black Basta’s developers have fixed the bug, preventing this decryption technique from being used in newer attacks.
Cyberattack hits Boston area hospital
The Anna Jaques Hospital, an independent, not-for-profit community hospital about 35 miles north of Boston, remained open to patients after suffering the latest in a wave of cyberattacks against hospitals. This incident occurred on December 24, disabling their electronic health records system and causing the facility to turn away ambulances on December 25. No mention has been made regarding the nature of the attack.
New York hospitals sue cloud provider for return of data
Two New York hospitals – also not-for-profits – are seeking a court order to force the Boston-based cloud storage company Wasabi Technologies to “return stolen data stored on one of its servers by the LockBit ransomware gang.” According to Bleeping Computer, the Carthage Area Hospital and Claxton-Hepburn Medical Center were attacked in September, with the LockBit affiliate renting cloud storage at Wasabi to store stolen data. The hospitals are requesting the court to “force Wasabi to provide and delete the data from their servers.”
Huge thanks to this week’s episode sponsor, NetSPI

New DLL search order hacking technique can bypass Windows protections
In a report shared with The Hacker News, the security firm Security Joes says this new technique could give threat actors the ability to run malicious code on Windows 10 and 11 machines. They said, “the approach leverages executables commonly found in the trusted WinSxS folder and exploits them via the classic DLL search order hijacking technique,” thus removing the need for elevated privileges. A link to the report is available in the show notes to this episode.
(The Hacker News and Security Joes)
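For defenders, the practical question raised by the item above is how to spot a trusted Windows binary, including one launched out of WinSxS, pulling a DLL from a location it should not. The following detection rule is an added example written for this digest; it is not code from the Security Joes report or from any product. The log format (pipe-separated key=value fields Image, ImageLoaded, Signed) and every record in it are constructed for the example, and the rule generalises slightly beyond the story by flagging any Windows-shipped binary that loads a DLL from outside the system and program directories, while marking the WinSxS-hosted cases separately.

```python
"""Added example (not from the Security Joes report): flag image-load records
where a binary living under the Windows directory, including its WinSxS
folder, loads a DLL from outside the trusted system and program directories.
The record format and all sample records are constructed; map the fields onto
your own EDR or Sysmon (Event ID 7, image loaded) data as needed."""

WINDOWS_DIR = r"c:\windows"
WINSXS_DIR = r"c:\windows\winsxs"
# Locations that only administrators can normally write to.
TRUSTED_DLL_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")


def norm(path):
    """Lower-case and unify separators so prefix checks are case-insensitive."""
    return path.replace("/", "\\").lower().rstrip("\\")


def is_under(path, root):
    """True when path is strictly inside root (root itself does not count)."""
    return norm(path).startswith(norm(root) + "\\")


def parse_record(line):
    """Constructed 'key=value|key=value' format; returns a dict of the fields."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))


def detect(lines):
    """Return one finding per record in which a Windows-shipped binary loads a
    DLL from an untrusted directory. WinSxS-hosted binaries are marked because
    they can be started from an attacker-chosen working directory, which is
    what makes search-order hijacking work without elevated privileges."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        image, dll = rec["Image"], rec["ImageLoaded"]
        if not is_under(image, WINDOWS_DIR):
            continue  # rule scope: binaries that ship with Windows
        if any(is_under(dll, root) for root in TRUSTED_DLL_ROOTS):
            continue  # DLL came from an admin-only location; expected
        findings.append({
            "image": image,
            "dll": dll,
            "signed": rec.get("Signed", "unknown").lower() == "true",
            "winsxs_binary": is_under(image, WINSXS_DIR),
        })
    return findings


# Constructed sample records. The WinSxS component directory name is a
# placeholder, not a real component.
SAMPLE_LOG = [
    r"Image=C:\Windows\WinSxS\amd64_example-component_placeholder\tool.exe|ImageLoaded=C:\Users\alice\Downloads\version.dll|Signed=false",
    r"Image=C:\Windows\WinSxS\amd64_example-component_placeholder\tool.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true",
    r"Image=C:\Windows\System32\notepad.exe|ImageLoaded=C:\Users\alice\AppData\Local\Temp\helper.dll|Signed=false",
    r"Image=C:\Program Files\ExampleApp\app.exe|ImageLoaded=C:\Program Files\ExampleApp\plugin.dll|Signed=true",
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Running it over the constructed records produces two findings: the WinSxS binary loading an unsigned DLL from a Downloads folder, and a System32 binary loading one from a Temp directory. The second record is not flagged because kernel32.dll came from System32, and the fourth is out of scope because the process is not a Windows-shipped binary. In production the unsigned flag and the WinSxS marker are the two fields worth weighting highest when ranking alerts.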
Terrapin flaw threatens SSH Protocol security
The flaw, which is being tracked as CVE-2023-48795, allows attackers to downgrade a connection’s security by breaking the integrity of the secure channel. Researchers at Ruhr University Bochum who discovered it stated, “by carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary number of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it.” In their analysis of the vulnerability, Qualys has stated, “in a real-world scenario, an attacker could exploit this vulnerability to intercept sensitive data or gain control over critical systems using administrator privileged access.” They continued, “this risk is particularly acute for organizations with large, interconnected networks that provide access to privileged data.”
(The Hacker News and Qualys)
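The attack described above works by deleting messages at the start of the secure channel, and whether a given SSH connection is exposed depends on which algorithms the two peers negotiate and whether both advertise the strict key exchange countermeasure. The script below is an added example for this digest, not code from the Terrapin researchers, Qualys or OpenSSH. It encodes two facts that the item itself does not spell out: the affected modes are ChaCha20-Poly1305 and CBC ciphers paired with encrypt-then-MAC (-etm) MACs, and the mitigation is signalled by the kex-strict-c-v00@openssh.com / kex-strict-s-v00@openssh.com pseudo-algorithms, which only take effect when both sides send them. All algorithm name-lists in the block are constructed samples, not captures from real hosts.

```python
"""Added example (not from the original story, the Terrapin authors or
OpenSSH): given the algorithm name-lists two SSH peers would place in
SSH_MSG_KEXINIT, predict which algorithms they negotiate, whether strict kex
is active, and whether the result is exposed to Terrapin (CVE-2023-48795).
The sample name-lists below are constructed for this example."""

# Pseudo-algorithm names each side adds to its kex list to offer strict kex.
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"


def negotiate(client_prefs, server_prefs):
    """RFC 4253 section 7.1: the first entry in the client's list that the
    server also supports wins. Returns None when nothing matches."""
    supported = set(server_prefs)
    for alg in client_prefs:
        if alg in supported:
            return alg
    return None


def direction_exposed(cipher, mac):
    """A direction is exposed when it uses ChaCha20-Poly1305, or a CBC cipher
    together with an encrypt-then-MAC (-etm) MAC."""
    if cipher is None:
        return False
    if cipher == "chacha20-poly1305@openssh.com":
        return True  # AEAD cipher; the negotiated MAC is irrelevant here
    return cipher.endswith("-cbc") and mac is not None and mac.endswith("-etm@openssh.com")


def assess(client, server):
    """client/server: dicts of name-lists under keys kex, enc_c2s, enc_s2c,
    mac_c2s, mac_s2c, in the order each peer would send them."""
    # Strict kex only protects the session if both peers advertised it.
    strict = STRICT_KEX_CLIENT in client["kex"] and STRICT_KEX_SERVER in server["kex"]
    enc_c2s = negotiate(client["enc_c2s"], server["enc_c2s"])
    enc_s2c = negotiate(client["enc_s2c"], server["enc_s2c"])
    mac_c2s = negotiate(client["mac_c2s"], server["mac_c2s"])
    mac_s2c = negotiate(client["mac_s2c"], server["mac_s2c"])
    c2s = direction_exposed(enc_c2s, mac_c2s)
    s2c = direction_exposed(enc_s2c, mac_s2c)
    return {
        "strict_kex": strict,
        "enc_c2s": enc_c2s,
        "enc_s2c": enc_s2c,
        "exposed_c2s": c2s and not strict,
        "exposed_s2c": s2c and not strict,
        "vulnerable": (c2s or s2c) and not strict,
    }


def make_peer(kex, enc, mac):
    """Build a peer that uses the same cipher and MAC lists in both directions."""
    return {"kex": kex, "enc_c2s": enc, "enc_s2c": enc, "mac_c2s": mac, "mac_s2c": mac}


# Constructed sample peers.
BASE_KEX = ["curve25519-sha256", "ecdh-sha2-nistp256"]
BASE_ENC = ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-gcm@openssh.com"]
BASE_MAC = ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"]
OLD_CLIENT = make_peer(BASE_KEX, BASE_ENC, BASE_MAC)               # prefers ChaCha20, no strict kex
OLD_SERVER = make_peer(BASE_KEX, BASE_ENC, BASE_MAC)
NEW_CLIENT = make_peer(BASE_KEX + [STRICT_KEX_CLIENT], BASE_ENC, BASE_MAC)  # same, after a fix
NEW_SERVER = make_peer(BASE_KEX + [STRICT_KEX_SERVER], BASE_ENC, BASE_MAC)
GCM_SERVER = make_peer(BASE_KEX, ["aes256-gcm@openssh.com"], BASE_MAC)      # policy steers to AES-GCM
CBC_CLIENT = make_peer(BASE_KEX, ["aes256-cbc"], ["hmac-sha2-256-etm@openssh.com"])
CBC_SERVER = make_peer(BASE_KEX, ["aes256-cbc", "aes128-ctr"], BASE_MAC)

if __name__ == "__main__":
    cases = [("old/old", OLD_CLIENT, OLD_SERVER), ("new/new", NEW_CLIENT, NEW_SERVER),
             ("new/old", NEW_CLIENT, OLD_SERVER), ("old/gcm", OLD_CLIENT, GCM_SERVER),
             ("cbc/cbc", CBC_CLIENT, CBC_SERVER)]
    for label, c, s in cases:
        print(label, assess(c, s))
```

The cases worth noting are the mixed one, where a patched client talking to an unpatched server is still vulnerable because strict kex never activates, and the AES-GCM one, where an unpatched pair is not exposed simply because server policy keeps ChaCha20 and CBC-with-EtM off the table. That is the order of remediation this gives you: patch both ends where you can, and restrict ciphers on the ends you cannot.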
INC Ransom claims Xerox breach
The ransomware group has added the document management company to its Tor leak site, publishing a handful of documents, invoices, and emails as proof. No mention has been made by the gang regarding the size of the breach. INC Ransomware is known to the cybersecurity community and reports show that it has been responsible for up to 40 attacks since emerging in July of last year.