In today’s cybersecurity news…
New ransomware uses Windows BitLocker to encrypt victim data
The new ransomware, called ShrinkLocker, “encrypts victim data using the BitLocker feature built into the Windows operating system.” As described in Ars Technica, “BitLocker is a full-volume encryptor that debuted in 2007 with the release of Windows Vista. Users employ it to encrypt entire hard drives to prevent people from reading or modifying data in the event they get physical access to the disk.” Researchers from Kaspersky found a threat actor abusing that built-in feature to encrypt victims’ data. “The researchers named the new ransomware ShrinkLocker, both for its use of BitLocker and because it shrinks the size of each non-boot partition by 100 MB and splits the newly unallocated space into new primary partitions of the same size.”
Sav-Rx discloses data breach impacting 2.8 million Americans
A&A Services is a pharmacy benefit management (PBM) company that does business under the brand name Sav-RX. It has issued a warning that the personal data of 2.8 million Americans was stolen in a cyberattack last October. The company’s IT systems were brought back online the next business day following the attack, but the investigation into the possible data breach took eight months, both to minimize interruption to patient care and to ensure the results were as accurate as possible.
New ATM malware poses significant global threat
According to notifications posted on a dark web news site, a threat actor is advertising new malware that it claims is able to compromise 99% of ATM devices in Europe and 60% of ATMs worldwide. The announcement claims it can target machines made by the world’s leading ATM manufacturers, including Diebold Nixdorf, Bank of America, NCR, and Hitachi. The malware can operate automatically or with manual oversight, and interested parties are being offered a three-day trial using a test payload.
Phishing campaign hits finance companies with Minesweeper clone
Code from a Python clone of Microsoft’s famous game is being used to hide malicious scripts that install SuperOps – a legitimate remote management software tool – in order to give threat actors direct access to the compromised systems. The main targets currently are European and U.S. financial organizations. Once again, this attack starts with an email that impersonates a medical center with the subject “Personal Web Archive of Medical Documents.” This prompts the victim to download an SCR file from a Dropbox link. The malicious code is hidden inside the Minesweeper game code that comes along as part of the download, so that it escapes scrutiny.
Thanks to today’s episode sponsor, Vanta

With the largest network of Trust Centers, Vanta can help you streamline security reviews to win customer trust, save time, and close deals fast.
Proactively demonstrate security by showcasing key resources like your SOC 2 or ISO 27001 and provide real-time evidence for passing controls. And when a security questionnaire is required, Vanta takes the first pass for you.
Visit vanta.com/ciso to take a tour.
High-severity vulnerability hits Cisco Firepower Management Center
Cisco is warning of a vulnerability with a CVSS score of 8.8 in the web-based management interface of the Firepower Management Center (FMC) Software. The vulnerability is an SQL injection issue that can be exploited by an attacker who has at least Read Only user credentials. There are currently no workarounds for this vulnerability, but Cisco has confirmed that it does not affect Adaptive Security Appliance (ASA) Software or Firepower Threat Defense (FTD) Software.
Kaspersky’s threat landscape for industrial automation systems report
For the first quarter of 2024, Kaspersky says “the percentage of ICS computers on which malicious objects were blocked decreased by 0.3 percentage points from the previous quarter to 24.4 percent, which is 1.3 pp year over year. The building automation industry leads the way in terms of the percentage of ICS computers on which malicious objects were blocked, and the internet, email clients, and removable storage devices remain the primary sources of threats to computers in an organization’s operating technology infrastructure.” The report adds that malicious objects used for initial infection of computers include dangerous internet resources that are added to denylists, malicious scripts and phishing pages, and malicious documents. A link to the report is available in the show notes to this episode.
Ascension’s recovery highlights the less visible effects of a healthcare cyberattack
The healthcare network’s 140 member hospitals and senior care centers are coming back online following a major cyberattack earlier this month, but certain scars remain. The sudden loss of technology left nurses and physicians exasperated. The need to use fax machines to order prescriptions, lab work and imaging was something they described as dangerous; one nurse described a case where they had to wait four hours for head CT (scan) results on somebody having a brain bleed. They “struggled to know what blood tests or medications correspond to which patients, and resorted to their own text messaging threads, along with asking patients to bring in their own documentation.” Some health workers have “criticized Ascension ordering them not to explain the situation to patients who become angry when they are told that tests cannot be done or the wrong medication was delivered.” Ascension is also facing a class action lawsuit as a result of the theft of confidential patient information.
Courtroom recording software compromised with backdoor installer
Justice AV Solutions (JAVS) is a technology used to record lectures, court hearings and council meetings, and is also used widely in courtrooms, jails, and prisons. According to The Record, “it has now been compromised by hackers, allowing them to gain full control of a system through a backdoor implanted in an update to the tool.” There are more than 10,000 installations of JAVS technologies worldwide, and the company has announced that it identified a security issue with a previous version of its JAVS Viewer software, numbered 8.3.7. Security company Rapid7 said the malicious versions of the software were signed by “Vanguard Tech Limited.” They added: “Uninstalling the software is insufficient, as attackers may have implanted additional backdoors or malware. Re-imaging provides a clean slate.”