SAN MATEO, CA, February 20, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- FBI investigating hack attempt against computer system
- GoDaddy targeted by hackers in “multi-year campaign”
- CISA’s ESXi recovery script rendered useless after ESXiArgs ransomware update
- New Havoc command and control framework spotted in the wild
- Clop ransomware gang exploits zero-day flaw in GoAnywhere MFT, data on one million patients exposed
- North Korean M2RAT steals data from wireless devices connected to infected Windows computers
- Researchers uncover stealthy new Beep malware
- New MortalKombat ransomware beating up US financial targets
- CISA: North Korean hackers set sights on healthcare sector
- Cyberattack on New Jersey hospital exposes data of 617,000 patients
- Killnet hackers disrupt Turkey-Syria relief efforts with NATO DDoS attack
FBI investigating hack attempt against computer system
A hacking attempt has reportedly targeted the FBI. The cyberattack reportedly involved the agency’s New York Field Office and set its sights on a computer system used to investigate child predators. Information regarding which systems were affected and what sort of attack was waged has not yet been officially disclosed, although the “isolated incident” is said to be “contained.” Read more.
GoDaddy targeted by hackers in “multi-year campaign”
Web host GoDaddy has disclosed that it experienced a data breach in which malware was installed on its servers and source code was stolen. GoDaddy suffered additional breaches in 2020 and 2021, and the company now believes that all three are part of a multi-year campaign carried out by a currently unknown threat actor. According to GoDaddy, evidence suggests that the campaign also targeted other hosting platforms, with the hackers engaging in phishing scams and other malicious activity. GoDaddy is working with international authorities to determine the cause of the breach and who is responsible. Read more.
CISA’s ESXi recovery script rendered useless after ESXiArgs ransomware update
A script issued by CISA last week, designed to help VMware ESXi systems recover from a current wave of targeted attacks, has enjoyed only a few days of effectiveness: an ESXiArgs ransomware variant modified to render it useless has been deployed and observed in the wild. The script exploited flaws within the ransomware, allowing victims to recover their data without ever having to pay a ransom or communicate with threat actors. The new ESXiArgs variant, however, has sealed up the cracks. Victims can tell which variant they have been attacked with because the older one, for which CISA provided a remedy, lists a Bitcoin address in its ransom note, whereas the new variant does not. Read more.
New Havoc command and control framework spotted in the wild
According to observations by security researchers, hackers are ditching paid options such as Cobalt Strike and Brute Ratel in favor of Havoc, a new open-source command and control framework. Havoc is modular, allowing threat actors to use it to perform a wide range of malicious functions. It is cross-platform and can bypass Microsoft Defender even on current Windows 11 devices. A currently unknown threat actor recently deployed Havoc against an undisclosed government organization, a deployment that signals hackers are seeking alternatives to well-known and more easily defended penetration tools. Read more.
Clop ransomware gang exploits zero-day flaw in GoAnywhere MFT, data on one million patients exposed
The Clop ransomware gang has claimed credit for exploiting a zero-day flaw found in Fortra’s widely used GoAnywhere MFT file transfer software. Clop has claimed that it used the exploit to steal data from 130 organizations. While this number has yet to be confirmed, Community Health Systems (CHS), one of the US’ largest healthcare providers, has stated that data belonging to up to one million patients has been exposed and potentially stolen in the attack. Researchers expect more organizations to report breaches as the extent of Clop’s damage comes into focus. Fortra has released an emergency patch for GoAnywhere and CISA has mandated that all federal agencies update by March 3rd. Read more.
North Korean M2RAT steals data from wireless devices connected to infected Windows computers
M2RAT is a new malware strain that researchers have observed being used by RedEyes, a North Korean cyber espionage collective believed to be backed by the country’s government. M2RAT leaves “very few operational traces” on targeted Windows computers and has been distributed via phishing attacks that lead a victim to download a JPEG laced with malicious code. M2RAT acts “as a basic remote access trojan that performs keylogging, data theft, command execution, and taking screenshots from the desktop.” M2RAT also scans for any wireless phones or tablets connected to the computer and then copies their content to the machine, where it can be exfiltrated. Read more.
Researchers uncover stealthy new Beep malware
Security experts have reported a new malware called Beep that appears to be specifically designed to feature “as many anti-debugging and anti-VM (anti-sandbox) techniques” as its developers could fit into it. Made up of a dropper, a PowerShell script and an information-stealing payload, Beep has also been observed to have several unfinished features, which implies that it is a work in progress. After Beep embeds itself into a system, it can also be used to deliver ransomware. Read more.
New MortalKombat ransomware beating up US financial targets
A new ransomware called MortalKombat has been identified targeting US victims. MortalKombat is based on the Xorist commodity ransomware, a foundation that threat actors can customize to suit their needs. It has been observed being launched alongside the Laplas clipper, which is devised to steal crypto. The ransomware is said to be unsophisticated, lacking the fine tuning that would keep it from becoming unstable. It is unclear whether MortalKombat is being launched by a lone actor or being sold to hacker groups. Read more.
CISA: North Korean hackers set sights on healthcare sector
According to CISA and the FBI, North Korean cyber operations are heavily targeting the healthcare industry in continued efforts to fund espionage with illegally acquired funds. A joint advisory issued by the two agencies, alongside the US Department of Health and Human Services and South Korean intelligence agencies, did not state that a new push or campaign had been identified. However, its guidance on attacks from state-sponsored actors has been updated, which may indicate that North Korean hackers are continuing to advance and diversify their attacks against targets they deem lucrative. Read more.
Cyberattack on New Jersey hospital exposes data of 617,000 patients
New Jersey’s CentraState Medical Center fell victim to a late December cyberattack that caused procedure cancellations, a switch to paper record keeping and disruption of medical and hospital services. CentraState has not revealed what type of attack it succumbed to, as details about the incident have been minimal. No payment information was compromised in the attack. However, the hospital did reveal that 617,000 patients had their “name, address, date of birth, Social Security numbers, health insurance information, medical record numbers, patient account numbers, doctor notes, information on care received at CentraState and prescription information” exposed. Read more.
Killnet hackers disrupt Turkey-Syria relief efforts with NATO DDoS attack
A DDoS attack against NATO impacted the organization’s ability to communicate with military aircraft providing aid to Turkey and Syria as the countries grapple with the aftermath of an earthquake that reportedly killed more than 28,000 people. Killnet, a pro-Moscow hacker collective that has targeted numerous countries supporting Ukraine, has claimed credit for “carrying out strikes” against NATO but has not officially made any other statements. Most security professionals describe Killnet’s DDoS attacks as a nuisance, and most of its victims are back up and running within hours. Read more.