Ireland's Healthcare System Hit by a 'Significant' Ransomware Attack
Popular hacking forum stops accepting ransomware ads, Chemical distribution company Brenntag paid $4.4M ransom to Darkside, Some Rapid7 source code repos impacted by Codecov breach, more
For the latest on the Colonial Pipeline situation, please check out our special report from this morning. To help your organization stay up-to-date on all infosec developments, please consider becoming a bulk subscriber for 50% savings per reader.
Just as the crisis in the U.S. caused by the Darkside gang’s ransomware attack on Colonial Pipeline begins to recede, Ireland’s healthcare system has shut down its IT networks in the face of what has been described as a “significant” ransomware attack.
Ireland's health minister, Stephen Donnelly, said the incident was having “a severe impact on [the] health and social care services,” with many hospitals reporting service disruptions with all of the computers “switched off.” Health authorities are working with security firms and law enforcement authorities to manage the situation. (BBC News)
Related: Reddit-hacking, Silicon Republic, RTE, teiss, The Seattle Times, Associated Press Technology, BBC News, Sky News, The Record by Recorded Future, Graham Cluley, Gizmodo, DIGIT, RT News, POLITICO EU, Silicon Republic, Mashable, WashingtonExaminer.com, Forescout, ABC News
A popular hacking forum, the XSS forum, previously known as DaMaGeLab, one of the two major sites where ransomware gangs advertised their wares, has prohibited ads for ransomware affiliate models and the sale or rental of ransomware strains.
In a message, the XSS admin team said it decided to avoid unwanted scrutiny, claiming that their forum’s main purpose was always “knowledge” and not to serve as a marketplace for criminal gangs. (Catalin Cimpanu / The Record)
Related: Bleeping Computer
Catalin Cimpanu @campuscodi: Scoop: XSS, the hacking forum where the Darkside gang was recruiting affiliates, has banned ransomware ads earlier today (via @ddd1ms) https://t.co/qe3A8b0I4f https://t.co/gq1GfdpsCp
While the world focuses on the Darkside ransomware gang, a new ransomware operation known as Lorenz targets organizations worldwide with customized attacks demanding hundreds of thousands of dollars in ransoms.
Michael Gillespie of ID Ransomware says that the Lorenz ransomware encryptor is the same as a previous operation known as ThunderCrypt. However, it’s not clear if it’s the same group or if Lorenz has merely purchased the encryptor. The Lorenz data leak site currently lists twelve victims, with data released for ten of them. (Lawrence Abrams / Bleeping Computer)
According to an anonymous source, chemical distribution company Brenntag paid a $4.4 million ransom in Bitcoin to the DarkSide ransomware gang to receive a decryptor for encrypted files and prevent the threat actors from publicly leaking stolen data.
At the beginning of May, the DarkSide ransomware group claimed to have stolen 150GB of data during their attack and began leaking some of that stolen data on its data leak page. (Lawrence Abrams / Bleeping Computer)
Cybersecurity firm Rapid7 said that some source code repositories were accessed in a security incident linked to the supply-chain attack that recently impacted customers of the popular Codecov code coverage tool.
Rapid7 has notified a "small subset of customers" potentially impacted by this breach to take measures to mitigate any potential risks. The company said that the Codecov tools compromised in last month's supply-chain attack were not used to work with production code. (Sergiu Gatlan / Bleeping Computer)
Researchers at Anomali say that threat actors are abusing the Microsoft Build Engine (MSBuild) to deploy remote access tools (RATs) and information-stealing malware filelessly as part of an ongoing campaign.
The attackers pushed Remcos RAT, Quasar RAT, and RedLine Stealer payloads onto their victims' computers last month in attacks that were still active Tuesday. (Sergiu Gatlan / Bleeping Computer)
Related: Anomali Blog
Computer hardware maker MSI issued a warning about malicious software being disguised as the official MSI Afterburner software.
"The malicious software is being unlawfully hosted on a suspicious website impersonating as MSI’s official website with the domain name https://afterburner-msi[.]space," the company wrote, noting that MSI has no relationship with the site. (Lorenzo Franceschi-Bicchierai / Motherboard)
After Motherboard revealed that U.S. special military forces were purchasing location data, Senator Ron Wyden (D-OR) sent a letter to the Department of Defense requesting detailed information about its data purchasing practices.
Some of the answers the DoD provided were given in a form that blocks Wyden's office from legally publishing specifics on the surveillance, and one answer in particular was classified. Wyden is now pressing Secretary of Defense Lloyd Austin to release the answers regarding the “Department of Defense's (DoD) warrantless surveillance of Americans.” (Joseph Cox / Motherboard)
Fabian Bräunlein, the co-founder of Positive Security, devised a way to use Apple’s Find My Network to monitor iOS and macOS devices.
He developed a proof of concept using a microcontroller and a custom macOS app that can broadcast data from one device to another via Bluetooth Low Energy (BLE). When connected to the internet, the device can forward the data to an attacker-controlled Apple iCloud server. (Elizabeth Montalbano / Threatpost)
Code security company BluBracket announced it had raised $12 million in a Series A venture funding round.
The round was led by Evolution Equity Partners, which was joined by all existing investors, including Unusual Ventures, Point72 Ventures, SignalFire, and Firebolt Ventures. (Maria Deutscher / SiliconAngle)
Related: Venture Beat
Risk defense start-up SpecTrust announced that it had raised $4.3 million in a seed funding round with its public launch.
Cyber Mentor Fund led the round, which also included participation from Rally Ventures, SignalFire, Dreamit Ventures, and Legion Capital. (Mary Ann Azevedo / TechCrunch)