RaidForums hacker marketplace shut down in cross-border law enforcement operation
The operation, named Tourniquet, was coordinated by Europol in support of independent investigations conducted by the U.S., UK, Sweden, Portugal, and Romania, and led to the arrest of the RaidForums’ administrator and two accomplices. It followed a year of meticulous planning and information sharing between investigators from the different national police forces within the Joint Cybercrime Action Taskforce (J-CAT) framework. RaidForums started out in 2015, and is thought to be one of the world’s biggest hacking forums. It has more than half a million users, and has sold access to millions of pieces of data stolen through high-profile data breaches in recent years\. Last week, on Cyber Security Headlines, we reported on the disappearance of RaidForum and the immediate actions by hacker “pompompurin” to poach its members.
Sandworm hackers fail to take down Ukrainian energy provider
Sandworm, the Russian state-sponsored hacking group, attempted on Friday to disable a large Ukrainian energy provider “by disconnecting its electrical substations with a new variant of the Industroyer malware for industrial control systems (ICS) which had been customized to target high-voltage electrical substations.” They then tried to erase their footprints by executing CaddyWiper and other data-wiping malware families tracked as Orcshred, Soloshred, and Awfulshred for Linux and Solaris systems. “Researchers at ESET, collaborating with the Ukrainian Computer Emergency Response Team say that they do not know how the attacker compromised the environment or how they managed to move from the IT network into the ICS environment,” but that the attack was successfully detected in progress and stopped before any actual blackout could be triggered. as of now, destruction of the power system has been prevented.
(Bleeping Computer and Wired)
CISA warns of Russian state hackers exploiting WatchGuard bug
Impacting WatchGuard Firebox and XTM firewall appliances, this is another action by Sandworm, which has developed “Cyclops Blink” out of WatchGuard Small Office/Home Office network devices. CISA has rated the bug with a critical threat level, explaining that it allows a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access. It is only possible to exploit the flaw if it is configured to allow unrestricted management access from the Internet. All WatchGuard appliances are configured for restricted management access. CISA has given Federal Civilian Executive Branch Agencies until May 2nd, to secure their networks against the vulnerability.
Critical bug allows attacker to remotely control medical robot
Mobile robot maker Aethon has patched a collection of vulnerabilities in its Tug hospital robots that, if exploited, could allow remote control of thousands of medical machines. The five bugs are collectively called JekyllBot:5, and they need no special privileges or user interaction, to allow an attacker to access user credentials and medical records, lock down elevators and doors, spy on facilities, disrupt patient care and meds, and launch further cyberattacks. The vulnerabilities were discovered by healthcare security firm Cynerio. They have CVSS severity ratings between 7.7 and 9.8. It appears none of these vulnerabilities were exploited in the wild, since the affected hospital had not yet connected its Tug robots to the internet.
Thanks to our episode sponsor, Code42
Half a million people impacted by email breach at Illinois healthcare firm
Christie Business Holdings Company (Christie Clinic), a major medical practice in Illinois, is now contacting 500,000 individuals that their PII has possibly been compromised through a data breach. No other systems, electronic medical records, or the firm’s patient portal were compromised, they said. “The investigation indicated that the purpose of the unauthorized access was to intercept a business transaction between Christie Clinic and a third party vendor. This investigation was unable to determine to what extent email messages in the account were actually viewed or accessed by an unauthorized actor,” the company said in a data breach notice on its website.
Microsoft takes down domains used in cyberattack against Ukraine
Microsoft has seized seven domains that it says were part of ongoing cyberattacks by Strontium, also known as APT28, Sofacy, Fancy Bear and Sednit, which were targeting Ukrainian-related digital assets. Microsoft obtained court orders to take control of the domains, since it says the attackers were using the domains “to target Ukrainian media organizations, government institutions and foreign policy think tanks based in the U.S. and Europe.”
Only half of organizations reviewed security policies due to the pandemic
New research from the Ponemon Institute suggests that only half of organizations worldwide reviewed their cybersecurity policies during the COVID-19 pandemict. The report, commissioned by Intel, said that “only 53% of respondents said they refreshed their existing strategies due to the pandemic, and this could indicate a disconnect between spending the cash and applying it correctly to the modern workplace.” This despite the growing number of work-from-home employees. 85% of respondents said that hardware & firmware-based security solutions are now a “high” or “very high” priority when it comes to security solution applications. In addition, 64% of those surveyed said that their companies were trying to boost security at the hardware level, with cloud, data centers, edge computing, and security operations centers (SOC) in mind.
(ZDNet)
Remembering healthcare security expert Mike Murray
Quoting Dark Reading directly, “the cybersecurity industry is grieving the loss of longtime community contributor and healthcare security executive Michael Murray, founder and CEO of startup Scope Security, who passed away suddenly on April 6. Murray was a pioneer in healthcare cybersecurity, joining GE Healthcare in 2014 at a time when medical equipment and systems increasingly were becoming Internet-connected and concerns over both cyber- and physical risks were rising. The term “industrial IoT” had not yet caught on, but Murray was among a small group of cybersecurity experts who decided to bring their white-hat hacking chops to industrial and consumer IoT firms as well as corporate businesses in dire need of cyberskills to defend their products from nefarious hackers.”