TimisoaraHackerTeam (THT) attacked an unnamed US cancer center with malware in June, demanding a ransom of 10 bitcoins ($300,176). The Central European, possibly Romanian-based group (named after a Romanian town), was uncovered in 2018 and was last tracked to an April 2021 attack on a French hospital. The malware vectors in using legitimate software from Microsoft Bitlocker and Jetico’s BestCrypt. Reports state that it targeted Fortinet’s FortiOS SSL-VPN to exploit CVE-2022-42475, a heap-based buffer overflow vulnerability that allows remote attackers to execute code or commands using specially crafted requests. THT may be linked to other malefactors such as DeepBlueMagic and China-based APT41 based on software used and style in notes. DeepBlueMagic disabled an Israeli medical center, Hillel Yaffe, in October 2021.
The cancer center and Heimdal Security were able to reclaim the hacked records through the use of decryption software as they were only partially encrypted, avoiding the ransomware payment. HHS’ Office of Critical Infrastructure Protection has issued its notification with details on the attack here (PDF). SC Magazine, Healthcare Dive
KillNet, the Russia-based agglomeration of anti-Western hacktivist groups, has a possible new member in the interestingly named Anonymous Sudan. Their modus operandi is to use distributed denial of service (DDoS) attacks in response to the anti-Islamic views or actions of Western, to date 24 Australian, organizations, but the DDoS claims are smokescreens that not only tie up cyberdefense resources and generally spread panic and disinformation, but also gain publicity for the group. Cyber researchers CyberCX noted that their DDoS attacks have been intense, but unusual in that Sudan (the country) apparently has not instigated the attacks nor have the attacks been monetized. SC Magazine
Surprise, surprise–infostealers using malware to get into ChatGPT accounts. Once into the accounts, the malware infects browsers to collect saved credentials, bank card details, crypto wallet information, cookies, browsing history, and other information. Most of the affected devices are in Asia-Pacific. The malware is for sale on the dark web, with most of the 101,134 accounts tallied by Group-IB were breached by Raccoon/RecordBreaker (78,348), while the remainder were hit by Vidar (12,984) and RedLine (6,773). ChatGPT is being downloaded individually and often introduced into enterprise systems from personal devices without the usual IT security and vetting. LLM models for now are unsecured and for hackers, it’s ‘happy time’. SC Magazine
But sometimes the bad actors get caught and dragged back to New Jersey. The FBI finally caught up to Russian national Ruslan Magomedovich Astamirov, who is accused of being part of the ransomware gang dubbed LockNet. The two counts filed in the Federal District of New Jersey center on conspiracy to commit fraud and related activity in connection with computers, plus the ever-popular conspiracy to commit wire fraud for the usual extortion of money and property between 2020 and 2023. The attacks were on businesses based in West Palm Beach, France, Tokyo, and Virginia, and received about $90 million in ransom payments. Astamirov sent emails and owned IP addresses, including Amazon and Microsoft accounts used in the fraud. NJ was chosen as the location for the Court since there was one LockBit victim in Essex County. SC Magazine, Criminal Complaint filed against Astamirov (PDF)