The LockBit Ransomware Gang to Adopt More Aggressive Strategy Involving Triple Extortion
Read also: Greece’s natural gas supplier DESFA hit with ransomware, an advanced BEC campaign targets high-ranking executives, and more.
French hospital turns to pen and paper following a disruptive ransomware attack
French hospital Centre Hospitalier Sud Francilien (CHSF), located south-east of Paris, was hit with a cyber-attack on August 21 that disrupted most of its IT systems, forcing the facility to turn away patients, except for the most pressing emergencies.
Due to the attack, which impacted the hospital’s main computer systems, the personnel have had to return to pen and paper to keep track of the remaining patients. Local media reported that the institution has suffered a LockBit ransomware attack, with the hackers demanding a $10 million ransom.
The LockBit ransomware gang, whose dark web leak site has recently been hit with a DDoS attack demanding they delete data stolen from digital security service provider Entrust, has yet to claim responsibility for the CHSF attack. It’s worth noting that following the DDoS attack, the gang announced they will use a more aggressive approach that would involve triple extortion, a strategy that seeks to put additional pressure on a victim company by targeting its affiliates, clients, or suppliers.
The Ragnar Locker gang leaks 360 GB of data allegedly stolen from Greece’s natural gas supplier DESFA
Cybercriminals behind the Ragnar Locker ransomware have leaked 360 GB of data they claim to have stolen from Greece’s largest natural gas system operator DESFA.
The company has confirmed the cyber incident in a statement on its website and said it affected part of its IT infrastructure and possibly resulted in the leakage of “a number of files and data.” The attack did not disrupt natural gas supply, DESFA has assured.
Ragnar Locker’s operators said that they had contacted the company about a vulnerability that had led to the breach, but received no response. On the other hand, DESFA previously stated that it “remains firm in its position not to negotiate with cybercriminals.”
A sophisticated BEC campaign abuses Microsoft 365 to target high-ranking executives
A sophisticated business email compromise (BEC) campaign has been spotted that uses spear phishing and adversary-in-the-middle (AiTM) techniques to compromise Microsoft 365 accounts of high-ranking executives, even those that have enabled multi-factor authentication (MFA).
In one described case, the attacker gained access to the Microsoft 365 account of an executive in the organization from multiple locations. The threat actor used an AiTM phishing technique for initial access, thus obtaining access to the executive’s account and mailbox. The attacker then set up a second Microsoft Authenticator app without the user’s knowledge, which gave the intruder “full persistency of the breached account and effectively nullified the value of MFA.”
66% of orgs revised their cybersecurity strategy due to the Russia-Ukraine war
A majority of businesses (66%) have changed their cybersecurity strategies and policies as a direct response to Russia’s ongoing invasion of Ukraine, while 64% of decision makers believe that their organization has been directly targeted or otherwise affected by an attack carried out by nation-state threat actors, a recent study has found.
Furthermore, 77% of respondents believe that the world is now in a perpetual state of cyber warfare, while more than half (63%) of decision makers said they doubt that they would ever know if their organization was breached by a nation-state threat actor.
Iran-linked hackers caught using a novel tool to steal data from Gmail, Yahoo!, and Microsoft Outlook accounts
A state-sponsored threat actor, tracked as APT35 or Charming Kitten, believed to be acting in the interests of the Iranian government, has added a new tool to its arsenal designed to extract data from victims’ Gmail, Yahoo!, and Microsoft Outlook inboxes using previously obtained credentials.
Dubbed “Hyperscrape,” the tool leverages spoofing techniques to masquerade as an outdated web browser, which enables the basic HTML view in Gmail. Once logged in, the tool changes the account’s language settings to English and skims through the contents of the mailbox, downloading messages one by one. After the inbox has been downloaded, Hyperscrape reverts the language to the original settings and deletes any security emails from Google.