Brief #11: US Hospital Cyberattack, Stealthy MacOS Malware

Mandos Brief, Week 31 2023: A nationwide cyberattack on US hospitals, the discovery of a stealthy MacOS malware, Canon printers exposing Wi-Fi data and more.

6 min read
mandos brief #11 - week 30 2023


Russian State Actor Midnight Blizzard Uses Microsoft Teams for Targeted Social Engineering Attacks

Microsoft's threat intelligence has identified a series of highly targeted social engineering attacks conducted by the threat actor known as Midnight Blizzard. This actor, previously tracked as Nobelium, has been using Microsoft Teams to send phishing lures as part of a credential theft campaign. The actor compromises Microsoft 365 tenants owned by small businesses to create new domains that mimic technical support entities. Using these domains, Midnight Blizzard sends Teams messages that attempt to steal credentials from targeted organizations by engaging a user and eliciting approval of multifactor authentication (MFA) prompts.

The campaign has affected fewer than 40 unique global organizations, with the targets suggesting specific espionage objectives directed at government, NGOs, IT services, technology, discrete manufacturing, and media sectors. Midnight Blizzard is a Russia-based threat actor attributed by the US and UK governments as the foreign intelligence service of the Russian Federation, also known as the SVR. Their operations often involve the compromise of valid accounts and, in some highly targeted cases, advanced techniques to compromise authentication mechanisms within an organization to expand access and evade detection.

Microsoft has mitigated the actor from using the domains and continues to investigate this activity and work to remediate the impact of the attack.

Nationwide Cyberattack Disrupts US Hospital Systems

A widespread cyberattack has caused significant disruption to hospital computer systems across the United States. The attack, which began at facilities operated by California's Prospect Medical Holdings, has affected hospitals and clinics in several states, including California, Texas, Connecticut, Rhode Island, and Pennsylvania. In response to the attack, the company took its systems offline to protect them and initiated an investigation with the assistance of third-party cybersecurity specialists.

The cyberattack has led to the closure of emergency rooms in several states, with ambulances being diverted to other facilities. The attack has also resulted in the suspension of elective surgeries, outpatient appointments, blood drives, and other services. The extent of the disruption varies by state, with some hospitals reporting more significant impacts than others.

This incident underscores the increasing threat of cyberattacks on critical infrastructure, including healthcare facilities. It also highlights the need for robust cybersecurity measures to protect sensitive data and ensure the continuity of essential services. The investigation into the attack is ongoing, with experts working to determine the extent of the problem and resolve it.

Researchers Use ChatGPT to Identify Stealthy MacOS Malware

In a recent development, cybersecurity researchers have discovered a new MacOS malware being sold on the dark web. The malware, known as Hidden Virtual Network Computing (HVNC), operates covertly, gaining access to systems without requesting user permission. It's being sold at a lifetime price of $60,000, with additional malicious capabilities available as add-ons.

The discovery was made possible by leveraging the power of AI, specifically ChatGPT, to identify potential MacOS threats lurking on the dark web.

HVNC is designed to steal sensitive information, including login credentials, personal data, and financial information. It can also survive system reboots and other attempts at removal, making it a persistent threat. The malware has been available since April 2023, with updates made as recently as July 13, and was tested on a wide array of MacOS versions from 10 through 13.2.

The discovery of this malware, along with the recent emergence of the ShadowVault malware, suggests an imminent surge in cyberattacks against MacOS users. Small and medium-sized enterprises (SMEs), who once considered MacOS as the safer option, should exercise caution and prepare themselves for the impacts of this changing threat landscape.

Canon Printers Expose Wi-Fi Data

Canon, the Japanese imaging and optical products giant, has issued a warning about a security risk associated with more than 200 of its inkjet printer models. The issue lies in the printers' inability to properly erase Wi-Fi configuration settings, which could potentially lead to the exposure of sensitive information. This vulnerability affects both home and office printer series.

When sending the device for repair or disposing of it, printer owners are advised to delete the Wi-Fi settings from the printer’s memory. However, due to the flaw in these models, the information is not properly erased, leaving it vulnerable to extraction by third parties. This could potentially be exploited for unauthorized access to internal networks.

Canon has provided a list of the affected printer models, which includes approximately 60 large-format inkjet printers typically used by businesses. The company recommends that users perform a full reset of all settings, then turn the wireless LAN on and reset all settings once more. For models that lack the ‘reset all settings’ function, users should reset LAN settings, enable wireless LAN, and then reset those settings again.

Canon has stated that new firmware will be released to address this issue as soon as it is available. This proactive alert to customers is a crucial step in ensuring the security of their networks and the safe use of Canon's products.

Advanced Persistent Threats: APT31 Targets Air-Gapped Systems

Cybersecurity company Kaspersky has attributed a series of attacks against industrial organizations in Eastern Europe to APT31, a hacking group linked to China. The attacks, which took place last year, aimed to extract data from air-gapped systems. The threat actors used over 15 distinct implants and their variants to establish persistent remote access, gather sensitive information, and transmit the collected data to actor-controlled infrastructure.

One of the implant types was a sophisticated modular malware designed to profile removable drives and contaminate them with a worm. This worm was used to exfiltrate data from the isolated or air-gapped networks of industrial organizations in Eastern Europe. Another implant type was designed to steal data from a local computer and send it to Dropbox.

The threat actors were able to evade detection by hiding encrypted payloads in their own binary files and using DLL hijacking to embed the malware in the memory of authorized apps. This level of sophistication underscores the advanced tactics employed by APT31. The final piece of the cyberattack chain required to pull off the full data exfiltration would be a third slate of tools that upload stolen data to the command and control server (C2).

Share This Post

Check out these related posts

Brief #56: Patch Critical Microsoft Flaw, AI Cybersecurity Market Booms, Outcome-Driven Metrics for CISOs, Cybersecurity Career Progression

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 8 min read

Brief #55: Snowflake Breach, AI-Powered Malware, CISO AI Pressures, Cybersecurity Talent Shortage

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 8 min read

Brief #54: Fortinet Zero-Day, OpenAI AI Safety, Security Leaders Focus on High-Impact, Cybersecurity Skills in Demand

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 8 min read