Hello and welcome to GlobalSign's weekly review of the week in cybersecurity news. As always, it's been an eventful week.
We begin with a story out of Boston. During a speech on Wednesday at Boston College, FBI Director Christopher Wray disclosed that the bureau had thwarted an attack on Boston Children's Hospital last summer. In the speech, Wray explained that the FBI received a tip from an intelligence partner about the hack. With the help of the FBI, the hospital was able to mitigate it. Wray called the attack "despicable" and put the blame squarely on the Iranian government. According to this article from CNN, a spokesperson for Iran's Permanent Mission to the United Nations called the FBI claim a "baseless allegation" and "an example of psychological warfare against Iran and thus of no value."
As if the situation in Costa Rica could not get worse, on Tuesday all of the computer systems on the network of the country's public health service (known as Costa Rican Social Security Fund or CCCS) were knocked offline following a Hive ransomware attack. This is on top of the Conti attack that's plagued the country for the last several months. BleepingComputer was able to confirm that, in fact, Hive ransomware was behind Tuesday's attack. In a stroke of good luck, the Costa Rican government agency says citizens' health and tax information stored in the EDUS (Unified Digital Health) and the SICERE (Centralized Tax-Collection System) databases has not been compromised.
Global electronics giant Foxconn was hit with an attack by Lockbit 2.0 ransomware late last month. The incident occurred at Foxconn's plant on the Mexico-U.S. border. The factory in the city of Tijuana at the border with California is considered a major U.S. supply hub. It specializes in the production of medical devices, consumer electronics and industrial operations. According to TechCrunch, the plant is "gradually returning to normal." However, with the attackers demanding Foxconn pay the ransom by June 11, it remains to be seen how "normal" the company's operations really are.
Microsoft has issued an *unofficial* patch for Follina, an Office flaw tracked as CVE-2022-30190. The vulnerability was discovered last month by researcher Kevin Beaumont in Microsoft Support Diagnostic Tool (MSDT). Threat actors have already started using Follina to escalate privileges and gain "god mode" access on the impacted system. Office Pro Plus, Office 2013, Office 2016, Office 2019, and Office 2021 were impacted by the flaw. According to Wired, as of this morning an official patch has not been released.
In Europe, Europol announced Wednesday that an operation involving 11 countries led to its recent takedown of FluBot, a fast-spreading Android malware. FluBot has been spreading aggressively through SMS, stealing passwords, online banking details and other sensitive information from infected smartphones across the world. Europol said that Dutch Police successfully disrupted the malware’s infrastructure last month after collaborating with law enforcement from the U.S., Australia and eight European countries.
It was revealed this week that Pegasus Airlines, a low-cost Turkish airline, accidentally leaked personal information of flight crew alongside source code and flight data after misconfiguring an AWS bucket. The incident occurred on February 28. Almost 23 million files were found on the bucket, totaling around 6.5TB of leaked data. This included over three million files containing sensitive flight data such as: flight charts and revisions; insurance documents; details of issues found during pre-flight checks; and info on crew shifts.
That's a wrap for this week. Thanks for stopping by our blog!
Top Global Security News
Tom's Hardware (June 2, 2022) Foxconn Factory Hit by Ransomware Suffers From Production Impacts
Contract electronics manufacturer Foxconn has confirmed to Bleeping Computer that one of its factories in Mexico has fallen victim to cyber criminals. Specifically, a factory located in Tijuana, a critical supply hub for the US, is being extorted by a ransomware gang. The operators behind the Lockbit 2.0 ransomware have claimed responsibility.
According to reports today, the breach of Foxconn Tijuana systems occurred in late May. A post by the Lockbit group indicates that it has given Foxconn approximately a fortnight to comply with its demands, or it will leak "all available data" that it has purloined from Foxconn servers. The demands of the extortioners haven't been disclosed.
As a manufacturing partner to some of the biggest names in tech, Foxconn might hold valuable and sensitive third party data on its systems. This could be a bigger worry for Foxconn than its own proprietary information and records data.
Cyberscoop (June 2, 2022) Europol says it disabled FluBot botnet infecting 'huge' number of devices
The European Union’s law enforcement agency announced Wednesday that an operation involving 11 countries led to its recent takedown of a fast-spreading mobile malware known as FluBot.
The European Union Agency for Law Enforcement Cooperation, popularly known as Europol, said in a web post that the Android malware has been “spreading aggressively through SMS [text messages], stealing passwords, online banking details and other sensitive information from infected smartphones across the world.”
The malware’s infrastructure was disrupted last month by the Dutch Police, according to Europol, which said the Dutch success at inactivating the malware strain was the culmination of a highly technical investigation involving law enforcement from the U.S., Australia and eight European countries. Europol’s European Cybercrime Centre coordinated the complex interagency probe.
Reuters (June 1, 2022) Iranian-backed hackers targeted Boston Children's Hospital, FBI chief says
Hackers sponsored by the Iranian government last year attempted a "despicable" cyber attack against Boston Children's Hospital that threatened to disrupt services to patients, FBI Director Christopher Wray said on Wednesday.
"We got a report from one of our intelligence partners indicating Boston Children's was about to be targeted, and understanding the urgency of the situation, the cyber squad in our Boston field office raced out to notify the hospital," Wray said.
The FBI said it contacted the hospital in August 2021, and Wray said officials were able to quickly get the nationally renowned children's hospital the information it needed to "stop the danger right away" and mitigate the threat.
Wray called the incident "one of the most despicable cyberattacks I have ever seen" and an example of the increasing risks hospitals and other providers of critical infrastructure face from hackers, including state-sponsored ones.
HackRead (June 1, 2022) Unofficial Micropatch for Follina Released as Chinese Hackers Exploit the 0-day
On Thursday, May 30th, Hackread.com warned against the probability of a dangerous Microsoft zero-day flaw dubbed Follina being exploited in the wild. According to the latest reports, Chinese hackers have already started using it.
What is Follina?
Follina is a Microsoft Office flaw tracked as CVE-2022-30190. This vulnerability was discovered in May 2022 by researcher Kevin Beaumont in Microsoft Support Diagnostic Tool (MSDT).
According to the researcher, the exploit is activated when the victim opens a malicious document. The Protected View feature, as we know it, is designed to protect users from opening infected files. But, in the case of Follina, the file preview appears in Explorer, and Protected View is not triggered while the exploit is executed.
Threat actors can exploit this vulnerability to gain privilege escalation on a system and gain “god mode” access to the impacted system. Office Pro Plus, Office 2013, Office 2016, Office 2019, and Office 2021 were impacted by the flaw.
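As an added detection example (not code from the GlobalSign post or the cited articles), the following Python flags the parent/child pairing the excerpt describes, an Office application starting the Microsoft Support Diagnostic Tool; the CSV log format, the list of Office process names and the sample events are constructed assumptions for illustration.

```python
"""Detection sketch for the Follina (CVE-2022-30190) pattern described above:
an Office application spawning the Microsoft Support Diagnostic Tool (msdt.exe).
Added example, not code from the GlobalSign post or the cited articles; the
log format, host names and sample events are constructed for illustration."""
import csv
import io
from typing import Dict, List

# Office document hosts to treat as suspicious parents of msdt.exe (assumption
# for this example; tune to the applications deployed in your environment).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
MSDT_IMAGE = "msdt.exe"

# Constructed process-creation log (CSV). Only the first event is the
# Office -> msdt.exe chain; the second is a user launching a troubleshooter
# from Explorer and the third is Word printing via splwow64.exe.
SAMPLE_LOG = r"""time,host,parent_image,image
2022-06-01T09:12:01Z,WS01,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,C:\Windows\System32\msdt.exe
2022-06-01T09:13:44Z,WS02,C:\Windows\explorer.exe,C:\Windows\System32\msdt.exe
2022-06-01T09:15:10Z,WS01,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,C:\Windows\splwow64.exe
"""


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_office_spawned_msdt(event: Dict[str, str]) -> bool:
    """True when msdt.exe was started by an Office document host."""
    return (image_name(event["image"]) == MSDT_IMAGE
            and image_name(event["parent_image"]) in OFFICE_PARENTS)


def find_follina_candidates(log_text: str) -> List[Dict[str, str]]:
    """Scan a CSV process-creation log and return the matching events."""
    reader = csv.DictReader(io.StringIO(log_text))
    return [event for event in reader if is_office_spawned_msdt(event)]


if __name__ == "__main__":
    for hit in find_follina_candidates(SAMPLE_LOG):
        print(f"{hit['time']} {hit['host']}: {hit['parent_image']} -> {hit['image']}")
```

The explorer.exe line is deliberately not flagged: a user opening a Windows troubleshooter produces the same child process, so the rule keys on the Office parent rather than on msdt.exe alone.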
Bleeping Computer (May 31, 2022) Costa Rica’s public health agency hit by Hive ransomware
All computer systems on the network of Costa Rica's public health service (known as Costa Rican Social Security Fund or CCCS) are now offline following a Hive ransomware attack that hit them this morning. Hive, a Ransomware-as-a-Service (RaaS) operation active since at least June 2021, has been behind attacks on over 30 organizations, counting only the victims who refused to pay the ransom and had their data leaked online.
BleepingComputer was able to confirm that Hive ransomware was behind today's attack after seeing one of the ransom notes.
The CCCS publicly acknowledged the attack three hours ago in a statement issued on Twitter, saying that the attackers hacked their way into its network "in the early hours of Tuesday."
While an investigation is still ongoing, the Costa Rican government agency says that citizens' health and tax information stored in the EDUS (Unified Digital Health) and the SICERE (Centralized Tax-Collection System) databases was not compromised. Employees reported [1, 2, 3] that they were told to shut down their computers and unplug them from the networks after all the printers on the govt agency's network began printing when the attack started. Some also shared video proof showing stacks of dozens of printed pages filled with gibberish ASCII-based text.
InfoSecurity (May 31, 2022) Airline in Turkey Exposes Flight and Crew Info in 6.5TB Leak
A low-cost Turkish airline accidentally leaked personal information of flight crew alongside source code and flight data after misconfiguring an AWS bucket, it has emerged. A research team from security comparison site SafetyDetectives discovered the cloud data store left wide open on February 28. It traced some of the leaked information to Electronic Flight Bag (EFB) software developed by Pegasus Airlines.
Almost 23 million files were found on the bucket, totalling around 6.5TB of leaked data. This included over three million files containing sensitive flight data such as: flight charts and revisions; insurance documents; details of issues found during pre-flight checks; and info on crew shifts.
Over 1.6 million files contained personally identifiable information (PII) on airline crew, including photos and signatures. Source code from Pegasus’s EFB software was also found in the trove, including plain text passwords and secret keys.
Other Thought-Provoking Stories