Brief #11: US Hospital Cyberattack, Stealthy MacOS Malware

TL;DR

The threat actor known as Midnight Blizzard (previously Nobelium) has been conducting highly targeted social engineering attacks using Microsoft Teams.
The actor uses compromised Microsoft 365 tenants of small businesses to create new domains that appear as technical support entities, and then sends phishing lures via Teams messages to steal credentials.
The campaign has affected fewer than 40 unique global organizations, with targets indicating specific espionage objectives directed at government, NGOs, IT services, technology, discrete manufacturing, and media sectors.
Midnight Blizzard is a Russia-based threat actor attributed by the US and UK governments as the foreign intelligence service of the Russian Federation, also known as the SVR.

Microsoft's threat intelligence has identified a series of highly targeted social engineering attacks conducted by the threat actor known as Midnight Blizzard. This actor, previously tracked as Nobelium, has been using Microsoft Teams to send phishing lures as part of a credential theft campaign. The actor compromises Microsoft 365 tenants owned by small businesses to create new domains that mimic technical support entities. Using these domains, Midnight Blizzard sends Teams messages that attempt to steal credentials from targeted organizations by engaging a user and eliciting approval of multifactor authentication (MFA) prompts.

The campaign has affected fewer than 40 unique global organizations, with the targets suggesting specific espionage objectives directed at government, NGOs, IT services, technology, discrete manufacturing, and media sectors. Midnight Blizzard is a Russia-based threat actor attributed by the US and UK governments as the foreign intelligence service of the Russian Federation, also known as the SVR. Their operations often involve the compromise of valid accounts and, in some highly targeted cases, advanced techniques to compromise authentication mechanisms within an organization to expand access and evade detection.

Microsoft has mitigated the actor from using the domains and continues to investigate this activity and work to remediate the impact of the attack.

Nationwide Cyberattack Disrupts US Hospital Systems

A cyberattack disrupted hospital computer systems across the United States, causing emergency rooms in several states to close and ambulances to be diverted.
The attack began at facilities operated by California's Prospect Medical Holdings, affecting hospitals and clinics in California, Texas, Connecticut, Rhode Island, and Pennsylvania.
The company took its systems offline to protect them and launched an investigation with the help of third-party cybersecurity specialists.
The attack caused chaos in medical facilities in several states, with elective surgeries, outpatient appointments, blood drives, and other services suspended.

A widespread cyberattack has caused significant disruption to hospital computer systems across the United States. The attack, which began at facilities operated by California's Prospect Medical Holdings, has affected hospitals and clinics in several states, including California, Texas, Connecticut, Rhode Island, and Pennsylvania. In response to the attack, the company took its systems offline to protect them and initiated an investigation with the assistance of third-party cybersecurity specialists.

The cyberattack has led to the closure of emergency rooms in several states, with ambulances being diverted to other facilities. The attack has also resulted in the suspension of elective surgeries, outpatient appointments, blood drives, and other services. The extent of the disruption varies by state, with some hospitals reporting more significant impacts than others.

This incident underscores the increasing threat of cyberattacks on critical infrastructure, including healthcare facilities. It also highlights the need for robust cybersecurity measures to protect sensitive data and ensure the continuity of essential services. The investigation into the attack is ongoing, with experts working to determine the extent of the problem and resolve it.

Researchers Use ChatGPT to Identify Stealthy MacOS Malware

A new MacOS malware, Hidden Virtual Network Computing (HVNC), is being sold on the dark web.
HVNC operates covertly, gaining access without requesting user permission and survives system reboots.
The malware is designed to steal sensitive information, including login credentials, personal data, and financial information.
The discovery suggests an imminent surge in cyberattacks against MacOS users.

In a recent development, cybersecurity researchers have discovered a new MacOS malware being sold on the dark web. The malware, known as Hidden Virtual Network Computing (HVNC), operates covertly, gaining access to systems without requesting user permission. It's being sold at a lifetime price of $60,000, with additional malicious capabilities available as add-ons.

The discovery was made possible by leveraging the power of AI, specifically ChatGPT, to identify potential MacOS threats lurking on the dark web.

HVNC is designed to steal sensitive information, including login credentials, personal data, and financial information. It can also survive system reboots and other attempts at removal, making it a persistent threat. The malware has been available since April 2023, with updates made as recently as July 13, and was tested on a wide array of MacOS versions from 10 through 13.2.

The discovery of this malware, along with the recent emergence of the ShadowVault malware, suggests an imminent surge in cyberattacks against MacOS users. Small and medium-sized enterprises (SMEs), who once considered MacOS as the safer option, should exercise caution and prepare themselves for the impacts of this changing threat landscape.

Canon Printers Expose Wi-Fi Data

Over 200 Canon inkjet printer models fail to properly erase Wi-Fi configuration settings.
The issue could potentially lead to the exposure of sensitive information.
Canon recommends users to perform a full reset of all settings before sending the device to repair or disposing of it.
New firmware to address this issue will be released as soon as it is available.

Canon, the Japanese imaging and optical products giant, has issued a warning about a security risk associated with more than 200 of its inkjet printer models. The issue lies in the printers' inability to properly erase Wi-Fi configuration settings, which could potentially lead to the exposure of sensitive information. This vulnerability affects both home and office printer series.

When sending the device for repair or disposing of it, printer owners are advised to delete the Wi-Fi settings from the printer’s memory. However, due to the flaw in these models, the information is not properly erased, leaving it vulnerable to extraction by third parties. This could potentially be exploited for unauthorized access to internal networks.

Canon has provided a list of the affected printer models, which includes approximately 60 large-format inkjet printers typically used by businesses. The company recommends that users perform a full reset of all settings, then turn the wireless LAN on and reset all settings once more. For models that lack the ‘reset all settings’ function, users should reset LAN settings, enable wireless LAN, and then reset those settings again.

Canon has stated that new firmware will be released to address this issue as soon as it is available. This proactive alert to customers is a crucial step in ensuring the security of their networks and the safe use of Canon's products.

Advanced Persistent Threats: APT31 Targets Air-Gapped Systems

APT31, a nation-state actor linked to China, is suspected of attacking industrial organizations in Eastern Europe.
The attacks aimed to extract data from air-gapped systems using sophisticated modular malware.
The malware infects removable drives, capturing keystrokes and screenshots, and plants second-step malware on newly connected drives.
The threat actors have also been observed using dedicated implants for gathering local files and exfiltrating data from air-gapped systems.

Cybersecurity company Kaspersky has attributed a series of attacks against industrial organizations in Eastern Europe to APT31, a hacking group linked to China. The attacks, which took place last year, aimed to extract data from air-gapped systems. The threat actors used over 15 distinct implants and their variants to establish persistent remote access, gather sensitive information, and transmit the collected data to actor-controlled infrastructure.

One of the implant types was a sophisticated modular malware designed to profile removable drives and contaminate them with a worm. This worm was used to exfiltrate data from the isolated or air-gapped networks of industrial organizations in Eastern Europe. Another implant type was designed to steal data from a local computer and send it to Dropbox.

The threat actors were able to evade detection by hiding encrypted payloads in their own binary files and using DLL hijacking to embed the malware in the memory of authorized apps. This level of sophistication underscores the advanced tactics employed by APT31. The final piece of the cyberattack chain required to pull off the full data exfiltration would be a third slate of tools that upload stolen data to the command and control server (C2).