The weekly cybersecurity bulletin brings you the top cybersecurity news from around the world, highlighting Microsoft’s cyberattack winter warning, the sentencing of Florida’s SIM swapper, Google’s 9th zero-day of the year, a ransomware attack on French healthcare, the CryWiper data wiper posing as ransomware, and Colombia’s Keralty hospital network suffering a ransomware attack. Let us get started.


Microsoft’s Warning: Cyberattack Winter by Russia

Microsoft warns that the winter months are going to be full of Russian-sponsored cyberattacks targeting the infrastructure of Ukraine and its NATO (North Atlantic Treaty Organization) allies.

With continued patterns of targeted attacks on Ukrainian infrastructures by Sandworm, a Russian military intelligence group, and the campaign against Western support for the country, Microsoft released a blog outlining the Russian cyber offensive against Ukraine. Microsoft says that the country and its allies should prepare for several Russian cyberattacks seeking to exploit cracks and undermine the country’s resilience.

Alongside cyberattacks and influence operations, Russia will also try to impair military and humanitarian aid to Ukraine. Sandworm is an elite Russian hacker group that has been active for over two decades and has been linked to the Ukrainian blackouts of 2015 and 2016, the NotPetya ransomware, and the KillDisk wiper attacks on Ukraine’s financial sector.

Russia’s cyberattacks have stepped up and are focused on obtaining sensitive information from NATO countries, and a new ransomware wave called RansomBoggs has already been discovered on multiple Ukrainian networks.

Microsoft also pointed out that Sandworm was behind the Prestige ransomware attacks that targeted Ukrainian supply chains. Google’s TAG (Threat Analysis Group) also discovered an email phishing campaign against NATO and European military entities by the Russian COLD RIVER cybercriminal group.


Florida’s SIM Swapper Sentenced to 18 Months

Nicholas Truglia, a man from Florida, has been convicted for his involvement in fraudulent schemes and the theft of $23.8 million in cryptocurrency.

Truglia and his conspirators carried out a SIM swap attack in January 2018 that allowed the cybercriminals to hijack the victim’s phone number and transfer cryptocurrency from his wallet into Truglia’s online account. Nearly $24 million in cryptocurrency was stolen from Michael Terpin, a cryptocurrency investor. The 25-year-old was found guilty and sentenced to 18 months in prison followed by 3 years of supervised release.


Furthermore, the SIM swapper has also been ordered to forfeit $983,010.72. Truglia has to pay a total of $20,379,007 to Terpin, with $12.1 million due before the end of the year and the remaining amount to be paid before 30 January 2023. The SIM swap gang’s then-leader, a 15-year-old, also reached a deal with the victim last month and paid Terpin $22 million.

SIM swapping, also known as SIM hijacking, SIM jacking, or SIM splitting, is becoming prominent and allows cybercriminals to take control of a victim’s phone number. It is recommended to set a PIN code on all mobile carrier accounts to stay safe and to follow the FTC’s (Federal Trade Commission) guidelines.


Another Zero Day for Google: Count Reaches 9

Following 8 zero-day vulnerabilities, Google has once more released an emergency Chrome update, this time for its 9th zero-day exploit of the year, which was found less than 15 days after its 8th zero-day vulnerability, CVE-2022-4135, of 25 November.

The high-severity flaw was disclosed in a blog post. Tracked as CVE-2022-4262, the zero-day is a type confusion weakness in the Chrome browser’s V8 JavaScript engine. Google’s latest zero-day was reported by Clement Lecigne of Google’s Threat Analysis Group on 2022-11-29.

Google has not revealed the details of the attack, but flaws of this kind lead to crashes and allow threat actors to execute arbitrary code or read and write memory outside buffer bounds. Google has clarified that access to the zero-day vulnerability’s details will be restricted until most of its users have updated the browser.

The updated Google Chrome browser is available for Mac, Linux, and Windows. It is recommended to update the browser as soon as possible by navigating to the Help menu > About Google Chrome. You can also protect your email program and account from unauthorized use by using SMTP


French Hospital Suffers Ransomware, Forced to Transfer Patients

Paris’ André-Mignot teaching hospital had to shut down all its computer systems due to a ransomware attack.

A ransomware attack hit André-Mignot on Saturday, i.e., 3 December 2022, infecting its computer systems and telecommunications. The hospital took multiple countermeasures to limit the degree of the attack and the individuals affected.


The Minister Delegate in charge of Digital Transition and Telecommunications, Jean-Noël Barrot, clarified that the hospital isolated all its infected systems to limit the spread of the malware.

Furthermore, the hospital also alerted the French national agency ANSSI (Authority for Security and Defense of Information Systems), which is still investigating the cyberattack. The details of the attack and how it took place have not surfaced yet, but the Paris prosecutor’s office is investigating the hacking of state data and attempted extortion. The attack is the first in the region to have impacted a health facility to this extent.

Cybercriminals have already made their ransom demand, as revealed by André-Mignot co-chairman Richard Delepierre. The hospital has been significantly affected, accepting only walk-ins due to the partial cancellation of its operations following the cyberattack. The hospital also had to transfer six of its neonatal and ICU (Intensive Care Unit) patients to other hospitals and has assured that all professionals will ensure the care of patients.


Russian Courts and Mayor’s Offices Targeted by Data Wiper

CryWiper, a new data wiper that masquerades as ransomware, was recently brought to light. The wiper has advanced data destruction capabilities that make data recovery impossible.

Kaspersky discovered the CryWiper data wiper in attacks on Russian mayor’s offices and courts. Initially taken for ransomware, the malware actually contains a data-wiping routine, a deliberate tactic to destroy the victim’s data. CryWiper is a Windows executable written in C++. It creates a scheduled task that runs every 5 minutes and contacts the threat actor’s C2 (Command and Control) server, which responds with a “run” or “do not run” command, either activating the wiper or letting it remain dormant on the victim’s machine for up to 4 days before the attack.

The data wiper halts critical MySQL, MS SQL database, MS Exchange, and MS Active Directory servers and services, modifies the Windows Registry, and corrupts all files, skipping the system, Windows, and boot directories as well as executables. After wiping the data, it leaves ransom notes on the victim’s machine asking for 0.5 Bitcoin for data decryption, which is a false promise, since the data cannot be recovered.

A wiper disguised as ransomware is a sophisticated tool, and CryWiper is not related to any other data wiper found in 2022.
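The behaviours described above (a scheduled task firing every 5 minutes, database, Exchange and Active Directory services being stopped, and mass file corruption that avoids the system, Windows and boot directories and executables) are exactly the kind of host telemetry a SOC can correlate. The sketch below is an added example, not Kaspersky’s or the bulletin’s code: it scores a host from a list of simplified event records. The event schema, service-name patterns, directory list and thresholds are all assumptions, and the sample events are constructed for the demonstration.

```python
"""Behaviour-based scoring of host telemetry for CryWiper-style activity.

Added example, not code from the page or from Kaspersky. The event records are
CONSTRUCTED to resemble simplified Windows/Sysmon telemetry; the field names
are an assumed schema, not a real product format.
"""
from dataclasses import dataclass, field
import re

# Services the bulletin says the wiper halts (DB, Exchange, AD). Patterns are assumptions.
CRITICAL_SERVICE_PATTERNS = [
    re.compile(r"^mysql", re.I),
    re.compile(r"^MSSQL", re.I),
    re.compile(r"^MSExchange", re.I),
    re.compile(r"^NTDS$", re.I),  # Active Directory Domain Services
]

# Directories the wiper skips so the host stays bootable while user data is destroyed.
SKIPPED_PREFIXES = ("c:\\windows\\", "c:\\boot\\", "c:\\system volume information\\")

FILE_MOD_THRESHOLD = 50  # assumed: distinct non-system files rewritten in the window


@dataclass
class Verdict:
    five_minute_task: bool = False
    stopped_services: list = field(default_factory=list)
    wiped_file_count: int = 0

    @property
    def suspicious(self) -> bool:
        # Any two of the three behaviours together is treated as a strong signal.
        hits = sum([
            self.five_minute_task,
            bool(self.stopped_services),
            self.wiped_file_count >= FILE_MOD_THRESHOLD,
        ])
        return hits >= 2


def _is_critical_service(name: str) -> bool:
    return any(p.search(name) for p in CRITICAL_SERVICE_PATTERNS)


def _in_skipped_dir(path: str) -> bool:
    return path.lower().startswith(SKIPPED_PREFIXES)


def analyse(events: list) -> Verdict:
    """Walk the event stream once and collect the three wiper indicators."""
    v = Verdict()
    touched = set()
    for e in events:
        kind = e["type"]
        if kind == "task_created" and e.get("interval_minutes") == 5:
            v.five_minute_task = True
        elif kind == "service_stopped" and _is_critical_service(e["service"]):
            v.stopped_services.append(e["service"])
        elif kind == "file_write":
            p = e["path"]
            # Mirror the wiper's own exclusions: system dirs and executables are not its targets.
            if not _in_skipped_dir(p) and not p.lower().endswith(".exe"):
                touched.add(p.lower())
    v.wiped_file_count = len(touched)
    return v


# Constructed sample: an infected host as the bulletin describes it.
SAMPLE_EVENTS = (
    [{"type": "task_created", "name": "updater", "interval_minutes": 5}]
    + [{"type": "service_stopped", "service": s} for s in ("MSSQLSERVER", "MSExchangeIS", "NTDS")]
    + [{"type": "file_write", "path": f"C:\\Users\\alice\\Documents\\report{i}.docx"} for i in range(60)]
    + [{"type": "file_write", "path": "C:\\Windows\\System32\\drivers\\etc\\hosts"}]  # skipped dir
    + [{"type": "file_write", "path": "C:\\Users\\alice\\tools\\putty.exe"}]  # executable, skipped
)

# Constructed sample: ordinary activity that must not alert.
BENIGN_EVENTS = [
    {"type": "task_created", "name": "backup", "interval_minutes": 60},
    {"type": "service_stopped", "service": "Spooler"},
    {"type": "file_write", "path": "C:\\Users\\bob\\notes.txt"},
    {"type": "file_write", "path": "C:\\Users\\bob\\todo.txt"},
]


if __name__ == "__main__":
    for label, evs in (("infected", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        v = analyse(evs)
        print(label, "suspicious" if v.suspicious else "clean", v)
```

In a real deployment the `task_created` and `service_stopped` records would come from Windows Security event 4698 (scheduled task created) and System event 7036 (service state change), and the file-write stream from Sysmon or an EDR; the two-of-three rule is deliberately conservative so that a routine database maintenance window, which stops services but rewrites no user files, does not alert on its own.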


Colombia’s Healthcare Targeted by Ransomware Attack

Colombia’s healthcare giant, Keralty, suffered a ransomware attack that disrupted its international network of 12 hospitals and over 370 medical centers across Latin America, Spain, the United States, and Asia.

Keralty and its subsidiaries suffered disruption to their IT operations and websites, resulting in patients waiting in line for over 12 hours for medical attention. Keralty issued a statement explaining that its computer servers had suffered a cyberattack that caused technical failures and that the organization has initiated criminal complaints and countermeasures.

Keralty was hit by the RansomHouse ransomware, previously known as White Rabbit. The threat actors behind the attack claim to have stolen 3 TB of data. They have also carried out data theft against AMD and ADATA, and a copy of the ransom note from the Keralty attack has surfaced online.


With a workforce of over 24,000, nearly 10,000 medical doctors, and millions of patients worldwide, the ransomware attack against Keralty is a significant one that could put the data of all these individuals at risk.
