Ireland's Healthcare System Hit by a 'Significant' Ransomware Attack

Popular hacking forum stops accepting ransomware ads, Chemical distribution company Brenntag paid $4.4M ransom to Darkside, Some Rapid7 source code repos impacted by Codecov breach, more

For the latest on the Colonial Pipeline situation, please check out our special report from this morning. To help your organization stay up-to-date on all infosec developments, please consider becoming a bulk subscriber for 50% savings per reader.

Just as the crisis in the U.S. caused by the Darkside gang’s ransomware attack on Colonial Pipeline begins to recede, Ireland’s healthcare system has shut down its IT networks in the face of what has been described as a “significant” ransomware attack.

Ireland's health minister, Stephen Donnelly, said the incident was having "a severe impact on [the] health and social care services,” with many hospitals reporting service disruptions with all of the computers “switched off.” Health authorities are working with security firms and law enforcement authorities to manage the situation. (BBC News)

Related: Reddit-hacking, Silicon Republic, RTE, teiss, The Seattle Times, Associated Press Technology, BBC News, Sky News, The Record by Recorded Future, Graham Cluley, Gizmodo, DIGIT, RT News, POLITICO EU, Silicon Republic, Mashable, WashingtonExaminer.com, Forescout, ABC News

HSE Ireland @HSELive

There is a significant ransomware attack on the HSE IT systems. We have taken the precaution of shutting down all our our IT systems in order to protect them from this attack and to allow us fully assess the situation with our own security partners.

May 14th 2021

617 Retweets1,097 Likes

A popular hacking forum, the XSS forum, previously known as DaMaGeLab, one of the two major sites where ransomware gangs advertised their wares, has prohibited ads for ransomware affiliate models and the sale or rental of ransomware strains.

In a message, the XSS admin team said it decided to avoid unwanted scrutiny, claiming that their forum’s main purpose was always “knowledge” and not to serve as a marketplace for criminal gangs. (Catalin Cimpanu / The Record)

Related: Bleeping Computer

Chris Krebs @C_C_Krebs

Good reporting here. The market is responding to stress in the system.

Catalin Cimpanu @campuscodi

Scoop: XSS, the hacking forum where the Darkside gang was recruiting affiliates, has banned ransomware ads earlier today (via @ddd1ms) https://t.co/qe3A8b0I4f https://t.co/gq1GfdpsCp

May 14th 2021

47 Retweets226 Likes

While the world focuses on the Darkside ransomware gang, a new ransomware operation known as Lorenz targets organizations worldwide with customized attacks demanding hundreds of thousands of dollars in ransoms.

Michael Gillespie of ID Ransomware says that the Lorenz ransomware encryptor is the same as a previous operation known as ThunderCrypt. However, it’s not clear if it’s the same group or if Lorenz has merely purchased the encryptor. The Lorenz data leak site currently lists twelve victims, with data released for ten of them. (Lawrence Abrams / Bleeping Computer)

🆉3🆁🅾 🅵🆄🅲🅺🆂 🆂🅴🅲🆄🆁🅸🆃🆈, 🅸🅽🅲. @z3r0trust

"Another interesting characteristic not seen in other data leak sites is that Lorenz sells access to the victim's internal network along with the data." Meet Lorenz — A new ransomware gang targeting the enterpriseA new ransomware operation known as Lorenz targets organizations worldwide with customized attacks demanding hundreds of thousands of dollars in ransoms.bleepingcomputer.com

May 13th 2021

1 Like

According to an anonymous source, chemical distribution company Brenntag paid a $4.4 million ransom in Bitcoin to the DarkSide ransomware gang to receive a decryptor for encrypted files and prevent the threat actors from publicly leaking stolen data.

At the beginning of May, the DarkSide ransomware group claimed to have stolen 150GB of data during their attack and began leaking some of the data from that theft from its data leak page. (Lawrence Abrams / Bleeping Computer)

Related: Databreaches.net

Cybersecurity firm Rapid7 said that some source code repositories were accessed in a security incident linked to the supply-chain attack that recently impacted customers of the popular Codecov code coverage tool.

Rapid 7 has notified a "small subset of customers" potentially impacted by this breach to take measures to mitigate any potential risks. The company said that the Codecov tools compromised in last month's supply-chain attack were not used to work with production code. (Sergiu Gatlan / Bleeping Computer)

Related: CBSNews.com, TechTarget, SecurityWeek, Cyberscoop, Rapid7

Researchers at Anomali say that threat actors are abusing the Microsoft Build Engine (MSBuild) to deploy remote access tools (RATs) and information-stealing malware filelessly as part of an ongoing campaign.

The attackers pushed Remcos RAT, Quasar RAT, and RedLine Stealer payloads onto their victims' computers last month in attacks that were still active Tuesday. (Sergiu Gatlan / Bleeping Computer)

Related: Anomali Blog

Computer hardware maker MSI issued a warning about malicious software being disguised as the official MSI Afterburner software.

"The malicious software is being unlawfully hosted on a suspicious website impersonating as MSI’s official website with the domain name https://afterburner-msi[.]space," the company wrote, noting that MSI has no relationship with the site. (Lorenzo Franceschi-Bicchierai / Motherboard)

Related: PC World, Slashdot, MSI

After Motherboard revealed that U.S. special military forces were purchasing location data, Senator Ron Wyden (D-OR) sent a letter to the Department of Defense requesting detailed information about its data purchasing practices.

Some of the answers the DoD provided were given in a form that blocks Wyden's office from legally publish specifics on the surveillance with one answer, in particular, classified. Wyden is now pressing Secretary of Defense Lloyd Austin to release the answers regarding the “Department of Defense's (DoD) warrantless surveillance of Americans.” (Joseph Cox / Motherboard)

Related: Slashdot, PogoWasRight.org

Fabian Bräunlein, the co-founder of Positive Security, devised a way to use Apple’s Find My Network to monitor iOS and macOS devices.

He developed a proof of concept using a microcontroller and a custom macOS app that can broadcast data from one device to another via Bluetooth Low Energy (BLE).  When connected to the internet, the device can forward the data to an attacker-controlled Apple iCloud server. (Elizabeth Montalbano / Threatpost)

Related: Macworld, The Register, The Mac Security Blog, VICE News, Malwarebytes, iMore, iMore, Softpedia News, Positive Security

Code security company BluBracket announced it had raised $12 million in a Series A venture funding round.

The round was led by Evolution Equity Partners, which was joined by all existing investors, including Unusual Ventures, Point72 Ventures, SignalFire, and Firebolt Ventures. (Maria Deutscher / SiliconAngle)

Related: Venture Beat 

Risk defense start-up SpecTrust announced that it had raised $4.3 million in a seed funding round with its public launch.

Cyber Mentor Fund led the round, which also included participation from Rally Ventures, SignalFire, Dreamit Ventures, and Legion Capital. (Mary Ann Azevedo / TechCrunch)

Nate Kharrl @nate_kharrl

I couldn't be more proud of this team and the passion they bring to this fight. Allons-y! SpecTrust raises millions to fight cybercrime with its no-code platform – TechCrunchRisk defense startup SpecTrust is emerging from stealth today with a $4.3 million seed raise and a public launch. Cyber Mentor Fund led the round, which also included participation from Rally Ventures, SignalFire, Dreamit Ventures and Legion Capital. SpecTrust aims to “fix the economics of fighting …techcrunch.com

May 13th 2021

2 Likes

Photo by Natanael Melchor on Unsplash