Ransomware group involved in cyberattack on London hospitals declares political motives

A ransomware group known as Qilin has recently come under fire for its involvement in a cyberattack that caused significant disruptions at London hospitals. In a surprising turn of events, the group expressed remorse for the harm caused by the attack but vehemently denied any responsibility. Instead, the group framed the incident as a form of political protest. The group engaged in a conversation with the BBC via the encrypted chat service qTox, where it attempted to justify its actions as retaliation for the UK government’s involvement in an unspecified war.

Despite Qilin’s claims of seeking revenge, cybersecurity experts, including Jen Ellis from the Ransomware Task Force, remain skeptical of the group’s motives, explaining that cyber gangs often lie. Above all, she emphasises that the consequences of the attack matter more than the reasons behind it. The cyberattack resulted in the postponement of more than 1,000 operations and appointments, prompting the healthcare system to declare a critical incident. The disruption caused by the attack has raised serious concerns about the vulnerability of critical infrastructure in the country to malicious cyber activity.

Qilin, believed to be operating from Russia, has refrained from disclosing specific details about its location or political affiliations. The lack of transparency has added to the complexity of the situation, as authorities and cybersecurity experts work to understand the group’s objectives and potential future attack vectors. This represents the group’s first declaration of a political motivation behind its cyber intrusions. Qilin has been under observation since 2022, during which time it has executed targeted attacks on educational establishments, medical facilities, corporations, governmental bodies, and healthcare organisations.

Why does it matter?

The aftermath of the cyberattack demonstrates the urgent need for cybersecurity preparedness within critical sectors such as healthcare. As organisations strive to recover from such incidents, the focus remains on safeguarding sensitive data, restoring disrupted services, and preventing future attacks. The evolving nature of cybercrime, as seen with groups like Qilin, shows the ongoing challenges faced by cybersecurity professionals in protecting critical infrastructure from malicious actors.

Financial sector faces phishing attacks targeting Microsoft 365 accounts

According to a recent report by BleepingComputer, organisations within the financial sector have been targeted in a sophisticated attack campaign since February, in which employees’ Microsoft 365 accounts were compromised using the ONNX phishing-as-a-service platform, suspected to be a revamped version of the Caffeine phishing kit.

The attackers, posing as human resources departments, sent deceptive emails regarding salary updates with PDF attachments containing QR codes. Upon scanning these codes, recipients were redirected to a counterfeit Microsoft 365 login page that evaded standard phishing protections. EclecticIQ’s findings reveal that login credentials and two-factor authentication tokens entered on these fake pages were captured by the attackers and used for subsequent email account hijacking and data theft.

The ONNX PhaaS platform, accessible through Telegram, not only offers customisable Microsoft Office 365 phishing templates and various webmail services but also employs encrypted JavaScript code, Cloudflare services, and a bulletproof hosting service to evade detection.
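Because the QR code moves the malicious link out of the email body and into an image, the URL only becomes visible once the code is decoded. The following is an added example, not code from BleepingComputer, EclecticIQ or the ONNX operators, of the triage a mail gateway could run on a URL that has already been decoded from a QR code: it checks the hostname against the genuine Microsoft sign-in hosts and flags brand-bearing lookalikes and bare IP addresses. The sample URLs, the brand-token list and the allow/review/quarantine verdicts are assumptions constructed for the illustration.

```python
"""Triage decoded QR-code URLs against the genuine Microsoft sign-in hosts.

Added illustration for the quishing campaign described above; it is not code
from the report or from any vendor. QR decoding itself is assumed to have
already happened upstream; this only takes the decoded URL string.
"""
import ipaddress
from urllib.parse import urlparse

# Hosts that genuinely serve Microsoft 365 / Entra ID sign-in (publicly known).
LEGIT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}

# Brand tokens that lure pages commonly embed in lookalike hostnames (assumed list).
BRAND_TOKENS = ("microsoft", "office365", "o365", "outlook", "onedrive", "sharepoint")


def _is_ip(host: str) -> bool:
    """True if the hostname is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_login_url(url: str) -> str:
    """Return 'legitimate', 'bare-ip', 'lookalike', 'unencrypted' or 'unknown'."""
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()
    if not host:
        return "unknown"
    # Exact match only: 'login.microsoftonline.com.evil.example' must not pass.
    if host in LEGIT_LOGIN_HOSTS:
        return "legitimate"
    if _is_ip(host):
        return "bare-ip"
    # A Microsoft brand token on any non-Microsoft host is the classic lure pattern.
    if any(tok in host for tok in BRAND_TOKENS):
        return "lookalike"
    if parsed.scheme != "https":
        return "unencrypted"
    return "unknown"


def verdict_for_message(decoded_urls) -> str:
    """Gateway decision for one message: 'quarantine', 'review' or 'allow'."""
    kinds = {classify_login_url(u) for u in decoded_urls}
    if kinds & {"lookalike", "bare-ip"}:
        return "quarantine"
    if kinds & {"unencrypted", "unknown"}:
        return "review"
    return "allow"


# Constructed sample: URLs as they might be decoded from QR codes in a batch of PDFs.
SAMPLE_DECODED_URLS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",  # genuine
    "https://login.microsoftonline.com.salary-update.example/",   # subdomain lookalike
    "https://o365-hr-portal.example/",                            # brand-token lookalike
    "http://203.0.113.10/login",                                  # bare IP host
]

if __name__ == "__main__":
    for u in SAMPLE_DECODED_URLS:
        print(f"{classify_login_url(u):12} {u}")
    print("verdict:", verdict_for_message(SAMPLE_DECODED_URLS))
```

The exact-host comparison is the important design choice: substring or suffix checks would let `login.microsoftonline.com.<attacker-domain>` through, which is precisely the shape such lures take.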

Key player in semiconductor industry targeted in major data breach

The infamous threat actor Intelbroker has purportedly masterminded a data breach targeting Advanced Micro Devices (AMD), a prominent player in the semiconductor industry. The alleged breach of AMD’s systems was disclosed on BreachForums alongside detailed information about the intrusion and various data samples.

In response to these claims, AMD officials have issued a statement acknowledging the reported data breach by a cybercriminal group. The company stated that it is collaborating with law enforcement authorities and a third-party hosting partner to investigate the alleged breach and assess the nature and impact of the compromised data.

Intelbroker asserts that the leaked AMD data includes a wide range of sensitive information stolen from AMD’s databases. The data includes technical specifications, product details, and internal communications allegedly sourced from AMD’s secure servers. These disclosures not only point towards the possible extent of the breach but also raise concerns about potential vulnerabilities within AMD’s cybersecurity infrastructure.

This incident is not the first cybersecurity challenge faced by AMD. In 2022, the company reportedly fell victim to the RansomHouse hacking group. Following the 2022 breach and the current incident, AMD initiated thorough investigations to evaluate the breach’s implications and in turn enhance its defences against cyber threats. These disclosures can potentially compromise AMD’s competitive edge and raise concerns about intellectual property theft and corporate espionage.

Who is Intelbroker?

Intelbroker, the alleged perpetrator behind the recent AMD data breach, has a track record of targeting critical infrastructure, major tech companies, and government contractors. The hacker operates as a lone wolf and employs sophisticated tactics to exploit vulnerabilities and access sensitive information. Previous breaches include infiltrations at Los Angeles International Airport (LAX) and US federal agencies via Acuity, emphasising the widespread impact of their activities.

The motives driving Intelbroker’s cyber campaigns range from financial gain through the sale of stolen data on dark web platforms to potential geopolitical agendas aimed at disrupting critical infrastructure and corporate operations.

Philippine Maritime Authority hit by system breach

The Maritime Industry Authority (MARINA) in the Philippines, a government agency responsible for integrating the development, promotion, and regulation of the country’s maritime industry, acknowledged on Monday that its online platforms encountered a security breach during the weekend. The breach impacted four of MARINA’s systems, prompting an immediate response from the agency to ensure the security of its data.

Upon detecting the attack, MARINA swiftly deployed personnel to its central office in Manila’s Port Area on Sunday. The agency highlighted its quick actions in implementing protective measures. Presently, MARINA’s IT team is working in conjunction with the Department of Information and Communications Technology-Cybercrime Investigation and Coordinating Center (DICT-CICC) to probe the breach and mitigate potential risks to sensitive information.

While MARINA did not disclose the specific systems affected or the extent of the breach, these systems handle crucial data such as vessel registrations, seafarers’ information documents, and record books. As the regulatory body overseeing maritime activities, MARINA aims to have its systems fully operational by Tuesday to resume normal processing of applications.

This security incident adds to a string of cyberattacks targeting Philippine government entities. In May, the Philippine National Police (PNP) halted its online services following breaches that impacted its Logistics Data Information Management System and the Firearms and Explosives Office. Furthermore, in October 2023, a ransomware attack compromised the data of over 13 million members of the Philippine Health Insurance Corp.

UnitedHealth discloses potential theft of data from one-third of Americans

The Centers for Medicare and Medicaid Services have announced the discontinuation of a program designed to assist Medicare providers and suppliers impacted by disruptions at UnitedHealth’s technology division, Change Healthcare.

Initiated in response to a hack at Change Healthcare on February 21st by threat actor ‘BlackCat’, the program will now cease accepting new applications as of July 12. It has distributed over $2.55 billion in expedited payments to 4,200 providers such as hospitals and $717.18 million to suppliers including doctors, non-physician practitioners and durable medical equipment suppliers, with a significant portion of these funds already recovered. Providers are now able to effectively submit claims to Medicare.

The cyber incident in February affected a key player in processing medical claims. Change Healthcare handles approximately half of all medical claims in the United States, serving about 900,000 physicians, 33,000 pharmacies, 5,500 hospitals, and 600 laboratories, underscoring the growing cyber threat to the healthcare industry.

Medibank faces legal action in Australia over massive data breach

Following Medibank’s 2022 cyber incident, the Office of the Australian Information Commissioner has initiated legal proceedings against the company, alleging that the significant data breach impacted a vast number of customers, including 5.1 million Medibank customers, 2.8 million ahm customers, and 1.8 million international customers, totalling 9.7 million individuals.

While Medibank initially blamed a third-party contractor and a ‘misconfigured firewall’ for the incident, a federal court case in Australia has revealed that the breach originated from an IT service desk operator at Medibank who stored multiple account credentials on his work computer, which provided a gateway for a hacker to illicitly access Medibank’s systems. The hacker exploited this access for nearly two months and managed to extract a substantial amount of personal data, estimated at around 520GB.

The breach was aggravated by the absence of multi-factor authentication on Medibank’s Global Protect VPN, a security loophole that had been previously flagged in reports by KPMG and Datacom in 2020 and 2021. The Office of the Australian Information Commissioner has criticised Medibank for failing to promptly address these known security vulnerabilities. Legal action has been taken against Medibank in response to the breach. Moreover, the government has identified the alleged perpetrator as a Russian citizen named Aleksandr Gennadievich Ermakov and will be imposing sanctions against him under the new autonomous sanctions law. The incident stresses the critical importance of proactive risk mitigation strategies to safeguard sensitive customer information from malicious cyber threats.

Report uncovers hackers now use emojis to command malware

Researchers from the cybersecurity firm Volexity have uncovered a sophisticated cyber threat that uses the popular Discord messaging service for command and control (C2) purposes. The threat was discovered during a targeted cyber attack on the Indian government this year, in which malicious software named Disgomoji was deployed. The attack was attributed to a suspected Pakistani threat actor known as UTA0137. The group uses emojis for C2 communication on the Discord platform, showcasing a new covert approach to conducting espionage campaigns against Indian government entities.

The Disgomoji malware, tailored to target Linux systems, specifically the custom BOSS distribution used by the Indian government, is highly sophisticated in its design and execution. Initial access to the targeted systems was believed to have been gained through phishing attacks, leveraging decoy documents as bait. Once inside, the malware established dedicated channels within Discord servers, with each channel representing an individual victim. This setup allowed the threat actor to interact with each victim separately, enhancing the precision and effectiveness of the attack.

Upon activation, Disgomoji initiated a check-in process, transmitting crucial system information such as IP address, username, hostname, operating system details, and current working directory to the attacker. The malware exhibited persistence mechanisms which ensured its survival through system reboots and allowed it to maintain a covert presence within the compromised systems. Communication between the attacker and the malware was facilitated through an emoji-based protocol, that is, commands were issued via emojis. For instance, while Disgomoji is executing a command it responds with a “⏰” emoji, and upon completion it shows a “✅”.

Why does it matter?

The malware’s capabilities extended beyond basic communication, including advanced functionalities such as network scanning using tools like Nmap, network tunnelling through Chisel and Ligolo, and data exfiltration via file sharing services. Disgomoji also employed deceptive tactics, masquerading as a Firefox update to deceive victims into sharing sensitive information like passwords.

Volexity’s attribution to a Pakistan-based threat actor was supported by various indicators, including Pakistani time zones in the malware sample, infrastructure links to known threat actors in Pakistan, the use of the Punjabi language, and the selection of targets aligned with Pakistan’s strategic interests. The detailed analysis stresses the evolving sophistication of cyber threats and the critical importance of robust cybersecurity measures to safeguard against such malicious activities.
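The defensive angle on a Discord-based C2 is that, on a government Linux workstation or server, there is normally no legitimate reason to call the Discord REST API at all, let alone to create channels, post messages and poll them on a schedule. The following is an added detection example, not Volexity’s code, that runs over constructed forward-proxy log lines and raises an alert for every Discord API request from a host not on a sanctioned list, classifying the request by the endpoint used (the `guilds/{id}/channels`, `channels/{id}/messages` and `reactions` paths are Discord’s public REST endpoints) and decoding any emoji reaction from the URL. The log format, the `DISCORD_ALLOWED_HOSTS` set, the assumption that the proxy performs TLS inspection and logs full request URLs, and the sample IP addresses are all constructed for the illustration.

```python
"""Detect unsanctioned Discord REST API activity in proxy logs.

Added example for the Disgomoji write-up above; not Volexity's code. Assumes a
forward proxy with TLS inspection that logs "<ts> <src_ip> <user> <method> <url>"
(constructed format) and that Discord is not a sanctioned application on the
monitored hosts except those listed in DISCORD_ALLOWED_HOSTS (assumed).
"""
import re
from urllib.parse import unquote, urlparse

# Hosts permitted to use Discord (assumed, e.g. a communications team workstation).
DISCORD_ALLOWED_HOSTS = {"10.20.5.40"}

DISCORD_DOMAINS = ("discord.com", "discordapp.com", "discord.gg")

# Constructed log format: "<ts> <src_ip> <user> <method> <url>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")

# Public Discord REST endpoints a bot-driven C2 would exercise.
CHANNEL_CREATE_RE = re.compile(r"^/api/v\d+/guilds/\d+/channels$")
MESSAGES_RE = re.compile(r"^/api/v\d+/channels/\d+/messages$")
REACTION_RE = re.compile(r"^/api/v\d+/channels/\d+/messages/\d+/reactions/(?P<emoji>[^/]+)/")


def is_discord_host(host: str) -> bool:
    """True for discord.com, discordapp.com, discord.gg and their subdomains."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in DISCORD_DOMAINS)


def classify_request(method: str, path: str) -> str:
    """Map method + API path to the C2 action it most plausibly represents."""
    if method == "POST" and CHANNEL_CREATE_RE.match(path):
        return "channel-create"      # one channel per victim, as described above
    if method == "POST" and MESSAGES_RE.match(path):
        return "message-post"        # check-in data or command output
    if method == "GET" and MESSAGES_RE.match(path):
        return "message-poll"        # waiting for emoji commands
    if method == "PUT" and REACTION_RE.match(path):
        return "reaction-add"        # status emoji such as the clock or tick
    return "other"


def reaction_emoji(path: str):
    """Decode the percent-encoded emoji from a reaction endpoint, or None."""
    m = REACTION_RE.match(path)
    return unquote(m["emoji"]) if m else None


def detect_discord_c2(lines):
    """Return one alert dict per Discord API request from an unsanctioned host."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                 # unparseable line, skip
        url = urlparse(m["url"])
        if not is_discord_host(url.hostname or ""):
            continue
        if m["src"] in DISCORD_ALLOWED_HOSTS:
            continue                                 # sanctioned use
        kind = classify_request(m["method"], url.path)
        alerts.append({
            "ts": m["ts"], "src": m["src"], "user": m["user"], "kind": kind,
            "emoji": reaction_emoji(url.path),
            "severity": "medium" if kind == "other" else "high",
        })
    return alerts


def summarise(alerts):
    """Per-source count of each request kind, to spot the create/post/poll pattern."""
    summary = {}
    for a in alerts:
        summary.setdefault(a["src"], {})
        summary[a["src"]][a["kind"]] = summary[a["src"]].get(a["kind"], 0) + 1
    return summary


# Constructed sample log: one BOSS host showing the full pattern, one sanctioned host, noise.
SAMPLE_PROXY_LOG = [
    "2024-06-14T09:12:03Z 10.20.0.15 svc-boss GET https://discord.com/api/v10/gateway",
    "2024-06-14T09:12:04Z 10.20.0.15 svc-boss POST https://discord.com/api/v10/guilds/123456789012345678/channels",
    "2024-06-14T09:12:05Z 10.20.0.15 svc-boss POST https://discord.com/api/v10/channels/987654321098765432/messages",
    "2024-06-14T09:12:35Z 10.20.0.15 svc-boss GET https://discord.com/api/v10/channels/987654321098765432/messages",
    "2024-06-14T09:12:36Z 10.20.0.15 svc-boss PUT https://discord.com/api/v10/channels/987654321098765432/messages/111/reactions/%E2%8F%B0/@me",
    "2024-06-14T09:13:00Z 10.20.5.40 comms-team GET https://discord.com/api/v10/users/@me",
    "2024-06-14T09:13:10Z 10.20.0.22 alice GET https://www.example.org/index.html",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    found = detect_discord_c2(SAMPLE_PROXY_LOG)
    for a in found:
        print(a)
    print(summarise(found))
```

Without TLS inspection the proxy only sees `CONNECT discord.com:443`, so the endpoint classification collapses to a single "Discord contacted" signal; that is still worth alerting on for hosts where the application is not sanctioned.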

FCC names Royal Tiger as first official AI robocall scammer gang

The US Federal Communications Commission (FCC) has identified Royal Tiger as the first official AI robocall scammer gang, marking a milestone in efforts to combat sophisticated cyber fraud. Royal Tiger has used advanced techniques like AI voice cloning to impersonate government agencies and financial institutions, deceiving millions of Americans through robocall scams.

These scams involve automated systems that mimic legitimate entities to trick individuals into divulging sensitive information or making fraudulent payments. Despite the FCC’s actions, experts warn that AI-driven scams will likely increase, posing significant challenges in protecting consumers from evolving tactics such as caller ID spoofing and persuasive social engineering.

While the FCC’s move aims to raise awareness and disrupt criminal operations, individuals are urged to remain vigilant. Tips include scepticism towards unsolicited calls, utilisation of call-blocking services, and verification of caller identities by contacting official numbers directly. Avoiding sharing personal information over the phone without confirmation of legitimacy is crucial to mitigating the risks posed by these scams.

Why does it matter?

As technology continues to evolve, coordinated efforts between regulators, companies, and the public are essential in staying ahead of AI-enabled fraud and ensuring robust consumer protection measures are in place. Vigilance and proactive reporting of suspicious activities remain key in safeguarding against the growing threat of AI-driven scams.

International Criminal Court investigates cyberattacks on Ukraine as possible war crimes

The International Criminal Court (ICC) is examining alleged Russian cyberattacks on Ukrainian civilian infrastructure as potential war crimes, marking the first instance of such an investigation by international prosecutors. According to sources, this could lead to arrest warrants if sufficient evidence is collected. The investigation focuses on cyberattacks that have endangered lives by disrupting power and water supplies, hindering emergency response communications, and disabling mobile data services used for air raid warnings.

Ukraine is actively gathering evidence to support the ICC investigation. Although the ICC prosecutor’s office has declined to comment on specific details, it has previously stated its jurisdiction over cybercrimes and its policy of not discussing ongoing cases. It should also be noted that since the invasion began, the ICC has issued four arrest warrants against senior Russian officials, including President Vladimir Putin, for war crimes related to the deportation of Ukrainian children to Russia. Russia, which is not a member of the ICC, has rejected these warrants as illegitimate. Despite not being a member state, Ukraine has granted the ICC jurisdiction over crimes committed within its borders.

In April, the ICC issued arrest warrants for two Russian commanders accused of crimes against humanity for their roles in attacks on civilian infrastructure. The Russian defence ministry did not respond to requests for comment. Sources indicated that at least four major attacks on energy infrastructure are being investigated.

Why does it matter?

The ICC case could set a significant precedent in international law. The Geneva Conventions prohibit attacks on civilian objects, but there is no universally accepted definition of cyber war crimes. The Tallinn Manual, a 2017 handbook on the application of international law to cyberwarfare, addresses this issue, but experts remain divided on whether data can be considered an ‘object’ under international humanitarian law and whether its destruction can be classified as a war crime. Professor Michael Schmitt of the University of Reading, who leads the Tallinn Manual initiative, emphasised the importance of the ICC’s potential ruling on this issue. He argued that the cyberattack on Kyivstar could be considered a war crime due to its foreseeable consequences for human safety.

Qilin group claims responsibility for the cyberattack on London hospitals

The Qilin ransomware group has claimed responsibility for a cyberattack on Synnovis labs, a key partner of the National Health Service (NHS) in England. The attack, which began on Monday, has severely disrupted services at five major hospitals in London, including King’s College Hospital and Guy’s and St Thomas’ NHS Foundation Trust. The NHS declared the situation a ‘critical incident,’ noting that the full extent and impact of the attack on patient data remain unclear.

Synnovis, a prominent pathology service provider, runs over 100 specialised labs offering diagnostics for various conditions. Due to the ransomware attack, several critical services, such as blood testing and certain operations, have been postponed, prioritising only the most urgent cases. NHS England has deployed a cyber incident response team to assist Synnovis and minimise patient care disruption, though longer wait times for emergency services are expected.

The Qilin group, operating a ransomware-as-a-service model, typically targets victims via phishing emails. The attack on Synnovis has raised significant concerns about the security of healthcare systems and the reliance on third-party providers. Kevin Kirkwood from LogRhythm emphasised that the attack causes operational disruptions and undermines public trust in healthcare institutions. He called for robust security measures, including continuous monitoring and comprehensive incident response plans, to protect healthcare infrastructure better and ensure patient safety.