company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO/CTO

DevOps Engineer

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

Linux

VMWare

Royal Ransomware

loading..
loading..
loading..

Royal Ransomware: Latest Threat to Encrypt Linux Devices

Royal Ransomware Goes Cross-Platform, Targets Linux & VMware ESXi Virtual Machines

06-Feb-2023
3 min read

Related Articles

loading..

Hospital

A cyberattack on a French hospital exposed 750K patient records, highlighting se...

The medical records of approximately 750,000 patients at an unnamed French hospital were exposed following a threat actor’s successful intrusion into its electronic patient record (EPR) system. This breach has far-reaching implications for data privacy, healthcare cybersecurity, and patient safety, highlighting systemic vulnerabilities in handling sensitive medical information. --- ### Overview of the Incident A cybercriminal known as 'nears' (formerly 'near2tlg') claimed responsibility for the attack, boasting of access to over 1.5 million patient records across multiple healthcare facilities in France. The hacker specifically targeted MediBoard, a widely deployed EPR solution by Softway Medical Group, which serves numerous healthcare institutions across Europe. Despite initial concerns about the software's integrity, Softway Medical Group confirmed that the breach was not due to a flaw in MediBoard itself but rather stemmed from the misuse of stolen credentials tied to a privileged account within the affected hospital's infrastructure. ### Key Timeline of Events November 19, 2024: The cyberattack was detected within the hospital's MediBoard system. November 20, 2024: Softway Medical Group clarified the breach origin, distancing their software from direct responsibility. November 21, 2024: Further investigation revealed that all compromised hospitals were part of the Aléo Santé healthcare group. --- ### Nature of the Breach The stolen data, now offered for sale on dark web forums, includes highly sensitive and personally identifiable information (PII): Full Name Date of Birth Gender Home Address Phone Number Email Address Physician Details Prescriptions Health Card History Such data, if exploited, could lead to targeted phishing campaigns, identity theft, and other malicious activities, further endangering affected individuals. --- ### Exploitation Tactics The attacker's modus operandi reveals a sophisticated understanding of healthcare systems and cybersecurity: 1. Target Selection: Focus on healthcare facilities known to utilize MediBoard software, specifically those under the Aléo Santé umbrella. 2. Credential Theft: Compromise a privileged account within the hospital's infrastructure, bypassing external defenses like software vulnerabilities or misconfigurations. 3. Monetization: Offer stolen patient records for sale to interested buyers while promoting unauthorized access to MediBoard platforms across French hospitals. ### Implications of Selling MediBoard Access The hacker claimed to provide buyers with administrative access to: Patient healthcare and billing records. Appointment scheduling and modification systems. Sensitive operational data of multiple hospitals, including Centre Luxembourg, Clinique Alleray-Labrouste, Clinique Jean d'Arc, and others. --- ### Softway Medical Group's Response In an official statement to media outlets, Softway Medical Group emphasized: The breach was not due to any inherent vulnerability or misconfiguration within their MediBoard software. A privileged account within the hospital's infrastructure was exploited by the attacker. They continue to work closely with impacted healthcare institutions to mitigate the fallout. ### Softway’s email further clarified: > _"We can confirm that our software is not responsible, but rather, a privileged account within the client’s infrastructure was compromised by an individual who exploited the standard functions of the solution."_ --- ### Impact on Aléo Santé The connection to Aléo Santé underscores a systemic weakness within the group’s centralized infrastructure. With multiple hospitals using MediBoard under the same administrative framework, compromising a single privileged account granted the attacker sweeping access to all affiliated entities. This interconnected nature of healthcare IT systems, while improving operational efficiency, also creates a high-value target for cybercriminals, amplifying risks from a single point of failure. --- ### Potential Consequences For Affected Patients The exposure of such sensitive data increases risks of: Phishing Attacks: Cybercriminals can impersonate healthcare providers to extract further information or financial details. Social Engineering: Fraudsters may exploit the data to manipulate victims. Identity Theft: Misuse of PII for financial or legal fraud. ### For Healthcare Institutions Regulatory Penalties: Violations of GDPR could result in significant fines and reputational damage. Operational Disruption: Unauthorized access to appointment systems and medical records could impact day-to-day functions. Erosion of Trust: Patients may lose confidence in the institution’s ability to protect their data. --- ### Improving System Architecture Segregate Access: Minimize interconnected privileges across multiple entities under a shared framework like Aléo Santé’s. Limit Privileged Access: Employ a zero-trust model, granting users access only to necessary resources. Anomaly Detection: Deploy advanced monitoring tools to identify unusual activity within EPR systems. ### Collaborative Efforts - Establish clear protocols between software vendors and client hospitals for breach response. - Educate staff on recognizing and mitigating cyber threats, particularly social engineering tactics.

loading..   22-Nov-2024
loading..   4 min read
loading..

Phobos

Russian Phobos Ransomware Mastermind Extradited: Global Cybercrime Alert...

The extradition of Russian national Evgenii Ptitsyn, an alleged administrator of the notorious Phobos ransomware, marks a major victory in the global fight against ransomware. Ptitsyn was brought to the United States from South Korea, which played a key role in his extradition due to their strong cooperation in cybersecurity, to face multiple charges, including wire fraud and extortion. This successful extradition underscores the importance of international cooperation in combating cybercrime, showcasing the collective resolve of multiple nations to bring cybercriminals to justice and deter future threats. ## **Who Is Evgenii Ptitsyn and What Is Phobos Ransomware?** Evgenii Ptitsyn, who is said to have operated under the online aliases "derxan" and "zimmermanx," was allegedly instrumental in administering and coordinating the Phobos ransomware-as-a-service (RaaS) operation. Derived from the Crysis ransomware family, Phobos has been an active threat since 2019, becoming a favorite tool for cybercriminals due to its ease of deployment and effectiveness in compromising both public and private sectors. Phobos ransomware, like other RaaS models, is managed by a central developer who supplies the malicious payload to affiliates for executing targeted attacks. The affiliates receive a share of the ransom payments, with a portion directed to the administrators—a relationship that incentivizes the widespread and aggressive deployment of this malicious software. According to the U.S. Department of Justice, Ptitsyn played a pivotal role in overseeing the sale, distribution, and operation of this ransomware. ## **Scope of Phobos Attacks** The Justice Department estimates that the Phobos ransomware gang is linked to breaches in over 1,000 entities globally, ranging from major corporations like healthcare conglomerates, educational institutions such as public school districts, hospitals including critical care centers, and even a federally recognized tribe. Between November 2020 and November 2024, Phobos attacks contributed to an estimated $16 million in ransom payments. Phobos affiliates gained unauthorized access to victims' networks, stole sensitive data, and encrypted critical systems, leaving their targets with few options other than to pay the ransom or risk having their information exposed. Between May and November 2024, Phobos accounted for approximately 11% of submissions to the ID Ransomware service, highlighting its popularity among cybercriminals. The use of stolen credentials to infiltrate networks, the deployment of sophisticated payloads, and the extortion of ransom payments via calls and emails have been hallmarks of the Phobos group’s methods. ## **Legal Consequences for the Phobos Ransomware Admin** Following his extradition, Ptitsyn now faces a 13-count indictment, including charges of wire fraud, conspiracy to commit computer fraud, and extortion related to hacking activities. If convicted, he could face significant prison sentences: up to 20 years for each count of wire fraud, 10 years for each count of computer hacking, and five years for conspiracy charges. Nicole M. Argentieri, the head of the Justice Department's Criminal Division, emphasized the seriousness of the offenses, stating, 'The Phobos ransomware group demonstrated a callous disregard for human welfare by targeting not only large corporations but also vulnerable institutions like hospitals and schools, putting lives and essential services at risk.' This ransomware campaign did not discriminate, often striking at critical infrastructure—an alarming aspect of Ptitsyn’s alleged activities. ## **Global Effort Behind the Arrest** The successful extradition of Ptitsyn from South Korea is the result of extensive international collaboration. U.S. law enforcement agencies, working in tandem with their counterparts in South Korea, Japan, the United Kingdom, and several European nations, were crucial in bringing Ptitsyn to justice. The FBI and the Department of Justice lauded these efforts, underlining the importance of global partnerships in tackling the most severe cyber threats. Bryan Vorndran, Assistant Director of the FBI’s Cyber Division, commented on the case, stating, “The arrest and extradition of Ptitsyn underscore our commitment to ensuring that cybercriminals—both developers and affiliates—face the consequences of their actions. Strong partnerships between domestic and international law enforcement are essential to disrupt cybercriminal networks.” ## **Understanding the Phobos Affiliate Structure** Cisco Talos Intelligence has conducted an in-depth analysis of the Phobos ransomware affiliate structure, which has provided insights into the common variants and tactics employed by these cybercriminals. Notably, five prolific variants—Eking, Eight, Elbie, Devos, and Faust—have been identified. Each affiliate appears to utilize similar tactics, including targeting high-value servers and employing various hacking tools like Process Hacker, Automim, and IObit File Unlocker to achieve lateral movement within networks and maximize damage. Furthermore, evidence suggests that Phobos might be closely managed by a central authority, as all observed campaigns used a consistent public RSA key for encryption, implying that only one private key exists for decryption. This supports the assessment that Phobos functions as a RaaS, with its affiliates reliant on the central authority for decryption keys and other services. ## **Implications for Cybersecurity** The arrest of Ptitsyn serves as a critical reminder of the growing complexity and evolving tactics of cyber threats. Phobos ransomware specifically demonstrates how attackers are increasingly focusing on vital sectors, such as healthcare, education, and critical infrastructure, to maximize disruption and potential payouts. For example, in 2022, a major hospital network in the United States experienced a Phobos ransomware attack that disrupted critical medical services for weeks, while an educational institution in Europe faced significant data loss and operational downtime due to a similar attack. Instead of generic precautions, organizations need to tailor cybersecurity measures to industry-specific threats. For example, the healthcare industry faces threats like data breaches targeting patient information, while the financial sector deals with phishing attacks aimed at compromising financial records. Educational institutions are particularly vulnerable to attacks on personal data, given the large amounts of student and staff information stored online. For example, healthcare facilities should prioritize network segmentation to protect patient data, while educational institutions must enhance access control protocols to guard against unauthorized access. Ransomware attacks now often use double extortion tactics—encrypting data while also threatening to leak sensitive information—adding pressure for victims to pay up. Authorities recommend adopting proactive and targeted security practices. These include regularly updating software, implementing industry-specific threat detection measures, and maintaining effective data backup strategies to mitigate the impact of such attacks. For instance, in 2023, a major healthcare provider successfully thwarted a ransomware attack by using multi-factor authentication, maintaining offline backups, and employing rapid incident response, allowing them to recover their data without paying a ransom. To further understand how to protect against threats like Phobos, visit StopRansomware.gov, which offers detailed resources such as step-by-step guides, best practices for ransomware prevention, and recovery tools for identifying and preventing ransomware incidents. Organizations are also encouraged to engage in proactive threat-hunting practices, maintain effective incident response plans, and foster a culture of cybersecurity awareness. The extradition and charges against Evgenii Ptitsyn represent a crucial moment in the ongoing battle against ransomware. The Phobos ransomware gang has been a persistent threat, targeting a wide range of entities and causing significant financial harm. This case highlights the power of international cooperation in the fight against cybercrime and serves as a stark warning to those involved in similar activities—cybercriminals will be caught and brought to justice. Moving forward, a concerted effort is required from governments, private organizations, and the public to stay vigilant and prepared in the face of increasingly complex cyber threats.

loading..   21-Nov-2024
loading..   7 min read
loading..

GeoVision

Zero Day

Mirai botnet exploits zero-day vulnerability in GeoVision devices, affecting ove...

A dangerous malware botnet has been detected exploiting a zero-day vulnerability (CVE-2024-11120) in end-of-life GeoVision video surveillance devices, potentially compromising over 17,000 systems worldwide. The Mirai botnet variant, known for Distributed Denial of Service (DDoS) and cryptomining attacks, is exploiting this critical flaw to install malware on outdated devices, posing a significant security risk. ### **Critical Vulnerability Details** The flaw, CVE-2024-11120, was uncovered by Piort Kijewski of The Shadowserver Foundation and has a severity score of 9.8 (CVSS v3.1), highlighting its critical impact. This is an OS command injection vulnerability that allows unauthenticated attackers to execute arbitrary commands on the device, potentially seizing control. "Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device," warns Taiwan's CERT (TWCERT). The organization has already received numerous reports of this vulnerability being actively exploited in the wild, signaling an urgent need for mitigation. According to TWCERT, the vulnerability (TVN-202411014) is highly exploitable and poses severe consequences, requiring immediate attention. The vulnerability has been exploited in multiple instances, highlighting the need for swift action to mitigate the risks. ### **Impacted GeoVision Models** The vulnerability affects several discontinued GeoVision models, grouped by functionality: #### **Video Servers:** - **GV-VS12**: A two-channel H.264 video server designed for converting analog video to digital streams. - **GV-VS11**: A single-channel video server used for digitizing analog video signals. ### **License Plate Recognition System:** - **GV-DSP LPR V3**: A Linux-based system dedicated to license plate recognition. #### **Mobile Surveillance DVRs:** - **GV-LX4C V2 / GV-LX4C V3**: Compact digital video recorders (DVRs) developed for mobile surveillance applications. These models are end-of-life products and are no longer receiving security updates, making them particularly vulnerable to attack. ### **Global Exposure** According to The Shadowserver Foundation, approximately 17,000 GeoVision devices are currently exposed online and vulnerable to exploitation by CVE-2024-11120. Most of these devices (over 9,100) are located in the United States, with Germany, Canada, Taiwan, Japan, Spain, and France also reporting significant numbers of vulnerable devices. Piort Kijewski, the researcher who uncovered the issue, has identified the botnet as a variant of Mirai—a notorious malware strain often used for DDoS attacks and cryptomining operations. With thousands of exposed devices left defenseless, the potential for large-scale disruptions is high. ### **Symptoms and Mitigation Steps** Infected devices may show symptoms such as excessive heating, slower response times, and unexpected configuration changes due to increased resource usage from unauthorized activities. If any of these symptoms are observed, it is critical to perform a factory reset, change the default admin password to something strong, disable remote access, and isolate the device behind a firewall. For organizations unable to replace these end-of-life devices, network administrators should place them on a dedicated local area network (LAN) or subnet, away from critical infrastructure, and closely monitor their activity for any signs of compromise. **How to Protect Against Mirai Botnet Attacks** The following steps are recommended to mitigate the impact of this vulnerability: 1. **Device Replacement**: Replace outdated GeoVision devices with supported models that continue to receive security patches. 2. **Password Management**: Immediately change default credentials to strong, unique passwords. 3. **Access Restrictions**: Disable remote management interfaces and place devices behind firewalls to limit exposure. 4. **Network Segmentation**: Isolate vulnerable devices to prevent them from compromising other parts of the network. 5. **Firmware Updates**: Ensure that any devices still supported receive the latest firmware updates to minimize risk. Note: Prioritizing mitigation steps based on the organization's resources and device importance can help in effective risk management. GeoVision devices' end-of-life status leaves them highly susceptible to attacks, and no security patches are expected. As such, users and administrators must take immediate action to secure these devices or consider their replacement to mitigate the risk. The exploitation of CVE-2024-11120 by a Mirai botnet highlights the risks associated with using unsupported, vulnerable hardware. With thousands of GeoVision devices exposed globally, the threat of these devices being compromised for malicious purposes, such as DDoS attacks or cryptomining, is significant. Users should take all available precautions to mitigate these risks, including restricting access and ensuring strong password practices.

loading..   19-Nov-2024
loading..   4 min read