The new PayloadBIN ransomware has been attributed to the Evil Corp cybercrime gang, rebranding to evade sanctions imposed by the US Treasury Department's Office of Foreign Assets Control (OFAC).

The Evil Corp gang, also known as Indrik Spider and the Dridex gang, started as an affiliate for the ZeuS botnet. Over time, they formed a group that focused on distributing the banking trojan and downloader called Dridex via phishing emails.

As cybergangs started to transition to highly profitable ransomware attacks, Evil Corp launched a ransomware operation called BitPaymer, which was delivered via the Dridex malware in compromised corporate networks.

After being sanctioned by the US government in 2019, ransomware negotiation firms refused to facilitate ransom payments for Evil Corp ransomware attacks to avoid facing fines or legal action from the Treasury Department.

Evil Corp began renaming their ransomware operations to different names such as WastedLocker, Hades, and Phoenix to bypass these sanctions. 

The threat actors used Phoenix in an attack on insurance firm CNA.

Evil Corp impersonates Payload Bin hacking group

After breaching the Metropolitan Police Department in Washington, DC, and stealing unencrypted data, the Babuk gang said they were quitting ransomware encryption and instead focus on data theft and extortion.

At the end of May, the Babuk data leak site had a design refresh where the ransomware gang rebranded as a new group called 'payload bin,' shown below.

On Thursday, BleepingComputer found a new ransomware sample called PayloadBIN [VirusTotal] that we immediately assumed was related to the rebranding of Babuk Locker.

When installed, the ransomware will append the .PAYLOADBIN extension to encrypted files, as shown below.

Furthermore, the ransom note is named 'PAYLOADBIN-README.txt' and states that the victim's "networks is LOCKED with PAYLOADBIN ransomware."

After finding the sample, BleepingComputer thought Babuk was lying about their intentions to move away from ransomware and rebranded to a new name.

However, after analyzing the new ransomware, both Fabian Wosar of Emsisoft and Michael Gillespie of ID Ransomware confirmed that the ransomware is a rebranding of Evil Corp's previous ransomware operations.

While discussing why they would have impersonated another cybercrime group, Wosar felt that they saw and took an opportunity to impersonate a hacking group that is not sanctioned.

"Now they had a gang rebranding and just took the opportunity." - Fabian Wosar.

As the ransomware is now attributed to a sanctioned hacking group, most ransomware negotiation firms will likely not help facilitate payments for victims affected by the PayloadBIN ransomware.

GitHub announced on Friday their updated community guidelines that explain how the company will deal with exploits and malware samples hosted on their service.

To give some background behind the new policy changes, security researcher Nguyen Jang uploaded a proof-of-concept exploit (PoC) to GitHub in March for the Microsoft Exchange ProxyLogon vulnerability.

Soon after uploading the exploit, Jang received an email from Microsoft-owned GitHub stating that PoC exploit was removed as it violated the Acceptable Use Policies.

In a statement to BleepingComputer, GitHub said they took down the PoC to protect Microsoft Exchange servers that were being heavily exploited at the time using the vulnerability.

"We understand that the publication and distribution of proof of concept exploit code has educational and research value to the security community, and our goal is to balance that benefit with keeping the broader ecosystem safe. In accordance with our Acceptable Use Policies, GitHub disabled the gist following reports that it contains proof of concept code for a recently disclosed vulnerability that is being actively exploited." - GitHub.

However, GitHub faced immediate backlash from security researchers who felt that GitHub was policing the disclosure of legitimate security research simply because it was affecting a Microsoft product.

GitHub releases updated guidelines

In April, GitHub issued a 'call for feedback' to the cybersecurity community regarding their policies for malware and exploits hosted on GitHub.

After a month of input, GitHub officially announced yesterday that repositories created to host malware for malicious campaigns, act as a command and control server, or are used to distribute malicious scripts, are prohibited.

However, the uploading of PoC exploits and malware are permitted as long as they have a dual-user purpose.

In the context of malware and exploits, dual-use means content that can be used for the positive sharing of new information and research while at the same time can also be used for malicious purposes.

The key changes added to the GitHub guidelines are summarized below:

• We explicitly permit dual-use security technologies and content related to research into vulnerabilities, malware, and exploits. We understand that many security research projects on GitHub are dual-use and broadly beneficial to the security community. We assume positive intention and use of these projects to promote and drive improvements across the ecosystem. This change modifies previously broad language that could be misinterpreted as hostile toward projects with dual-use, clarifying that such projects are welcome.
• We have clarified how and when we may disrupt ongoing attacks that are leveraging the GitHub platform as an exploit or malware content delivery network (CDN). We do not allow use of GitHub in direct support of unlawful attacks that cause technical harm, which we’ve further defined as overconsumption of resources, physical damage, downtime, denial of service, or data loss.
• We made clear that we have an appeals and reinstatement process directly in this policy. We allow our users to appeal decisions to restrict their content or account access. This is especially important in the security research context, so we’ve very clearly and directly called out the ability for affected users to appeal action taken against their content.
• We’ve suggested a means by which parties may resolve disputes prior to escalating and reporting abuse to GitHub. This appears in the form of a recommendation to leverage an optional SECURITY.md file for the project to provide contact information to resolve abuse reports. This encourages members of our community to resolve conflicts directly with project maintainers without requiring formal GitHub abuse reports.

While dual-use content is allowed, the new GitHub guidelines around PoCs and malware states that they retain the right to remove dual-use content, such as exploits or malware, to disrupt active attacks or malware campaigns utilizing GitHub.

"In rare cases of very widespread abuse of dual use content, we may restrict access to that specific instance of the content to disrupt an ongoing unlawful attack or malware campaign that is leveraging the GitHub platform as an exploit or malware CDN. In most of these instances, restriction takes the form of putting the content behind authentication, but may, as an option of last resort, involve disabling access or full removal where this is not possible (e.g. when posted as a gist). We will also contact the project owners about restrictions put in place where possible.

 

Restrictions are temporary where feasible, and do not serve the purpose of purging or restricting any specific dual use content, or copies of that content, from the platform in perpetuity. While we aim to make these rare cases of restriction a collaborative process with project owners, if you do feel your content was unduly restricted, we have an appeals process in place." - GitHub.

GitHub states that they continue to support community feedback regarding their policies to continue improving their policies.

Update 6/5/21: Removed a comment to the PR as it was related to the previously proposed language and not the current guidelines.

The US Department of Justice (DOJ) announced today that a Latvian national was charged for her alleged role as a malware developer in the Trickbot transnational cybercrime organization.

Alla Witte (aka Max) was charged with 19 counts of a 47-count indictment after being arrested on February 6 in Miami, Florida.

As a Trickbot malware developer, Witte wrote the code used by the malware to control, deploy, and manage payments of ransomware, the DOJ said in a press release published today.

Witte also purportedly provided the Trickbot Group with the code needed to monitor and track authorized malware users and developed the tools and protocols required to store login credentials stolen from victims' networks.

The case was investigated by the FBI's Cleveland Office and DOJ's Ransomware and Digital Extortion Task Force, created to battle the increasing number of ransomware and digital extortion attacks.

"Witte and her associates are accused of infecting tens of millions of computers worldwide, in an effort to steal financial information to ultimately siphon off millions of dollars through compromised computer systems," FBI special agent Eric B. Smith said.

The Trickbot malware

Trickbot is a malware strain first spotted in October 2016 as a modular banking trojan that has been continuously upgraded with new modules and features since then.

Even though initially used only for harvesting sensitive data, Trickbot has slowly evolved into a highly dangerous malware dropper used to deliver additional, usually a lot more dangerous, malware payloads on infected devices.

This regularly happens after all sensitive information (system info, credentials, and any interesting files) has been collected and exfiltrated to attacker-controlled servers.

On October 12, Microsoft and several partners announced that they took down some Trickbot C2s. The US Cyber Command also reportedly tried to cripple the botnet before the presidential elections by pushing a configuration file to infected devices to cut them off from the botnet's C2 servers.

However, despite these coordinated attacks against TrickBot's infrastructure, the TrickBot gang's botnet is still active, and the group is still releasing new malware builds.

The TrickBot gang is known for distributing Ryuk and Conti ransomware onto the compromised network of valuable corporate targets.

"Trickbot infected millions of victim computers worldwide and was used to harvest banking credentials and deliver ransomware," Deputy Attorney General Lisa O. Monaco said today.

"The Trickbot malware was designed to steal the personal and financial information of millions of people around the world, thereby causing extensive financial harm and inflicting significant damage to critical infrastructure within the United States and abroad," Acting US Attorney Bridget M. Brennan of the Northern District of Ohio added.

A plug-and-play exploit could have posed a serious threat

Security researchers have discovered a code execution vulnerability in one of Huawei’s LTE USB dongles.

Part of Huawei’s mobile broadband dongle range, the Huawei LTE USB Stick E3372 can be plugged into a computer to enable users to browse the Internet using a LTE network.

However cybersecurity company Trustwave discovered a rather easy to exploit a vulnerability in the device. In a blog post, Trustwave’s Security Research Manager, Martin Rakhmanov explains the vulnerability exists because one of the installed files is missing appropriate access control settings. 

“All a malicious user needs to do is to replace the file with their own desired code and wait for a legitimate user to start using the cellular data service via Huawei device,” writes Rakhmanov.

Knocking on the wrong door

According to Trustwave, this affected file is automatically executed when a user plugs the dongle. It’s designed to fire up the default web browser and point it to the dongle’s device management interface.

However, Huawei hasn’t set proper permissions on the file. This enables any authenticated user on the computer to overwrite the file.

Rakhmanov explains that all a malicious user needs to do is to replace the contents of the file with their own malicious code. Now when a user plugs in the dongle, it’ll automatically execute the malicious code.

Trustwave told The Register that it’s been trying to bring the issue to Huawei’s attention for the past several months without making any headway. It turns out that they’ve been reporting the issue to the wrong address. 

In any case, once it was informed through the proper channels, Huawei quickly released a patch to fix the permissions on the file. 

Via The Register

JBS, the world's largest beef producer, has confirmed that all its global facilities are fully operational and operate at normal capacity after the REvil ransomware attack that hit its systems last weekend.

On May 31, JBS was also forced to shut down production after REvil ransomware operators breached and encrypted some of its North American and Australian IT system.

The FBI confirmed the REvil ransomware operation is behind the JBS ransomware attack on Wednesday.

The attack on JBS follows another major ransomware incident that forced Colonial Pipeline to shut down the largest US pipeline and pay a $5 million ransom.

JBS is the world's largest beef and poultry producer and the second-largest global pork producer, with facilities and operations in the United States, Australia, Canada, and the United Kingdom.

It has over 245,000 employees worldwide and an extensive portfolio of brands sold to customers from roughly 190 countries on six continents.

Back in business sooner than expected

JBS was able to get its systems back online sooner than expected since its backup servers were not impacted during the incident, and the restoration of systems critical to production was prioritized to reduce the impact on the food supply chain, producers, and consumers.

It also received strong support from the US, Australian and Canadian governments, with the FBI and CISA offering their technical support to JBS in recovering from the ransomware attack.

"The company's swift response, robust IT systems and encrypted backup servers allowed for a rapid recovery," JBS USA said in a press release on Thursday.

"As a result, JBS USA and Pilgrim's were able to limit the loss of food produced during the attack to less than one days' worth of production."

According to JBS USA CEO Andre Nogueira, the REvil operators haven't been able to gain access to the company's core systems, which significantly reduced their attack's impact.

In a previous statement issued on Wednesday, JBS stated that it had not found evidence of customer, supplier, or employee data compromised during the breach.

All eyes on ransomware

After the JBS REvil ransomware attack, the White House has also urged business leaders and corporate executives to take ransomware attacks seriously.

Press Secretary Jen Psaki said in a press briefing that President Biden would discuss the recent attacks with Russian President Vladimir Putin at the June 16 Geneva summit, given that all of the ransomware gangs behind these incidents (including REvil) are believed to be operated out of Russia.

"It will be a topic of discussion in direct, one-on-one discussions — or direct discussions with President Putin and President Biden happening in just a couple of weeks," Psaki said.

Reuters also reported on Thursday that the US government would give ransomware attacks a similar priority to terrorism due to their capability to disrupt critical services and the substantial financial impact on US interests.

A multi-platform Python-based malware targeting Windows and Linux devices has now been upgraded to worm its way into Internet-exposed VMware vCenter servers unpatched against a remote code execution vulnerability.

The malware, dubbed FreakOut by CheckPoint researchers in January (aka Necro and N3Cr0m0rPh), is an obfuscated Python script designed to evade detection using a polymorphic engine and a user-mode rootkit that hides malicious files dropped on compromised systems.

FreakOut spreads itself by exploiting a wide range of OS and apps vulnerabilities and brute-forcing passwords over SSH, adding the infected devices to an IRC botnet controlled by its masters.

The malware's core functionality enables operators to launch DDoS attacks, backdoor infected systems, sniff and exfiltrate network traffic, and deploy XMRig miners to mine for Monero cryptocurrency.

Malware upgraded with new exploits

As Cisco Talos researchers shared in a report published today, FreakOut's developers have been hard at work improving the malware's spreading capabilities since early May, when the botnet's activity has suddenly increased.

"Although the bot was originally discovered earlier this year, the latest activity shows numerous changes to the bot, ranging from different command and control (C2) communications and the addition of new exploits for spreading, most notably vulnerabilities in VMWare vSphere, SCO OpenServer, Vesta Control Panel and SMB-based exploits that were not present in the earlier iterations of the code," Cisco Talos security researcher Vanja Svajcer said.

FreakOut bots scan for new systems to target either by randomly generating network ranges or on its masters' commands sent over IRC via the command-and-control server.

For each IP address in the scan list, the bot will try to use one of the built-in exploits or log in using a hardcoded list of SSH credentials.

While early FreakOut versions were able to exploit only vulnerable versions of Lifearay, Laravel, WebLogic, TerraMaster, and Zend Framework (Laminas Project) web apps, the latest ones have more than double the number of built-in exploits.

Newly added exploits to malware variants observed by Cisco Talos in May include:

• VestaCP — VestaCP 0.9.8 - 'v_sftp_licence' Command Injection
• ZeroShell 3.9.0 — 'cgi-bin/kerbynet' Remote Root Command Injection
• SCO Openserver 5.0.7 — 'outputform' Command Injection
• Genexis PLATINUM 4410 2.1 P4410-V2-1.28 — Remote Command Execution vulnerability
• OTRS 6.0.1 — Remote Command Execution vulnerability
• VMWare vCenter — Remote Command Execution vulnerability
• An Nrdh.php remote code execution exploit for an unknown app
• Python versions of EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0147) exploits

Thousands of VMware servers exposed to attacks

The VMware vCenter vulnerability (CVE-2021-21972) is present in the vCenter plugin for vRealize Operations (vROps) and is particularly interesting because it impacts all default vCenter Server installations.

Thousands of unpatched vCenter servers are currently reachable over the Internet, as shown by Shodan and BinaryEdge.

Attackers have previously mass scanned for vulnerable Internet-exposed vCenter servers after security researchers published a proof-of-concept (PoC) exploit code.

Russian Foreign Intelligence Service (SVR) state hackers have also added CVE-2021-21972 exploits to their arsenal in February, actively exploiting them in ongoing campaigns.

VMware vulnerabilities have also been exploited in the past in ransomware attacks targeting enterprise networks. As Cisco Talos revealed, FreakOut operators have also been seen deploying a custom ransomware strain showing that they are actively experimenting with new malicious payloads.

Multiple ransomware gangs, including RansomExx, Babuk Locker, and Darkside, previously used VMWare ESXi pre-auth RCE exploits to encrypt virtual hard disks used as centralized enterprise storage space.

"Necro Python bot shows an actor that follows the latest development in remote command execution exploits on various web applications and includes the new exploits into the bot. This increases its chances of spreading and infecting systems," Svajcer added.

"Users need to make sure to regularly apply the latest security updates to all of the applications, not just operating systems."

Microsoft Teams is getting better security and privacy next month with the addition of end-to-end encrypted 1:1 voice calls.

While Microsoft Teams already encrypts data at rest and in transit, it allows administrators to configure automatic recording and transcription of voice calls.

Due to this, Microsoft Teams calls are not suitable for sharing very sensitive information that should remain private between two individuals.

Starting in July, Microsoft Teams is getting end-to-end encryption for 1:1 VoIP calls so that their discussions remain entirely private.

"Teams will support an option to use end-to-end encryption (E2EE) for ad hoc 1:1 Teams VoIP calls, providing an additional option for conducting sensitive online conversations," Microsoft revealed today in the Microsoft 365 roadmap.

Microsoft says that they will allow Microsoft Teams administrators to configure who has access to this feature to support their particular organization's security and compliance policies.

As reported by MSPoweruser, this feature can be enabled by Microsoft Teams administrators for specific users or the entire organization. Users can then enable end-to-end encryption by enabling the 'End-to-end encrypted calls' setting under Settings > Privacy.

When end-to-end encryption is enabled, certain Microsoft Teams features will no longer be available, such as recording and transcription.

This feature will be a welcome addition as it allows the sharing of sensitive information, such as passwords, bank accounts, or other confidential information, without fear that they will be stored in recordings.

In October 2020, Zoom began supporting end-to-end encryption for meetings with up to 200 participants for both free and paid users.

UF Health Central Florida has suffered a reported ransomware attack that forced two hospitals to shut down portions of their IT network.

The University of Florida Health, also known as UF Health, is a healthcare network of hospitals and physician practices that provide care to countries throughout Florida.

Today, BleepingComputer has learned that UF Health The Villages Hospital and UF Health Leesburg Hospital suffered a cyberattack preventing access to computer systems and email.

In a statement shared with BleepingComputer, UF Health states that UF Health Central Florida detected unusual activity and shut down portions of their networks to prevent further risks to their organization.

"On the night of May 31, UF Health Central Florida detected unusual activity involving its computer servers. Our information technology team is collaborating with IT experts on our Gainesville and Jacksonville campuses to investigate the situation and mitigate any potential risks.

"In an abundance of caution, we have suspended access to some of our Central Florida systems, including email, and have implemented our backup procedures as our teams continue to work to ensure that all data and networks are secure.

BleepingComputer was told that there is no indication that UF Health in Gainesville or Jacksonville was affected by the attack.

While UF Health would not shed further light on the attack, Villages-News reports that the hospitals were affected by a ransomware attack that has forced employees to switch back to pen and paper.

Both hospitals continue to see patients and provide healthcare.

Ransomware attacks under increased scrutiny

While ransomware has been a scourge on businesses worldwide since 2012, it has recently received increased scrutiny due to recent attacks on critical infrastructure, healthcare systems, and food suppliers.

Last month, the DarkSide ransomware operation attacked Colonial Pipeline, the largest US fuel pipeline. It led to a temporary shutdown of fuel transport to the southeast and northeast of the United States.

This week, the world's largest producer, JBS, suffered an REvil ransomware attack that shut down production sites while restoring data from backups.

As most of the large ransomware operations are believed to be operated out of Russia, White House Press Secretary Jen Psaki said that President Biden would be discussing these attacks with Russian President Vladimir Putin at the June 16th Geneva summit.

"It will be a topic of discussion in direct, one-on-one discussions — or direct discussions with President Putin and President Biden happening in just a couple of weeks," Psaki said at the press briefing.

Reuters also reported today that ransomware attacks will now be given similar priority as terrorism by the US government due to their ability to disrupt critical services and the financial impact on US interests.

A couple of weeks ago, I told you that Opera browser isn't blocking YouTube ads. This issue has been quite the headache for users, but the latest update seems to have fixed the problem.

Opera has released a new version of its browser to the stable channel. The update announcement on the company's blog finally acknowledges the ad blocking issue was real. As a matter of fact, it was the only thing highlighted in the article. Opera 76 has fixed the YouTube ad blocking issue.

Interestingly, the post also confirms that the ad blocker was not properly blocking all ads. That kind of explains why I got ads only on some videos, it was random. The release notes for Opera 76.0.4017.177 makes things even more interesting, it reads,

DNA-93554 [AdBlock] Find a fix for blocking ‘new’ YouTube ads

Notice how the 'new' part is in quotes. Some Brave users had reported the ad blocking issue as well. That indicates there's something odd going on behind the scenes. It's good to see that the problem has been addressed by Opera.

Speaking of which, does the ad blocker work? There's only one way to find out. I reset the browser to make it work like a fresh install, and to get rid of all extensions and custom settings. The first part of the test was to use Opera browser with its default settings.

So, here are my observations from using the browser without the ad-blocker enabled. A lot of YouTube videos started out with a video advertisement before getting to the actual content, while some had banner ads that stayed on top of the media. The search results page had an ad banner too. There's nothing unusual about this, this is how the world looks when you aren't using an ad-blocker, and that's what makes it annoying.

Time for part 2 of the test, all I enabled was the option to block ads. I did not toggle the block trackers setting. After watching several videos and restarting the browser multiple times, I can confirm that the ad blocker works correctly. Opera browser blocked all three types of ads (in-video ads, sticky banners, and banners on the results page).

Opera 76 also fixes an issue with the picture-in-picture video playback, you can now control the sound properly in the pop-out.

Did you notice that Opera's blog announcement does not talk about Opera GX? If you read my previous article, you may remember that GX had the ad blocking issue as well. After a bit of searching, I found the change log for Opera GX on the community forums. The post mentions that the same fix for the ad blocker was added in version v75 of the browser. That's Opera GX 75.0.3969.282 to be precise. So, I gave it the same treatment as the regular variant of the browser, and GX seems to be blocking ads just as it should be.

If you're using an older version of the browser, I recommend updating to Opera 76. The installer is available at the official site.

Don't forget to tell us whether the ad blocker is now working fine for you.

Automattic, the company behind the WordPress content management system, force deploys a security update on over five million websites running the Jetpack WordPress plug-in.

Jetpack is a remarkably popular WordPress plug-in that provides free security, performance, and website management features, including brute-force attack protection, site backups, secure logins, and malware scanning.

The plugin has more than 5 million active installations, and it is developed and maintained by Automattic, the company behind WordPress.

No in the wild exploitation

The vulnerability was found in the Carousel feature and its option to display comments for each image, with nguyenhg_vcs being the one credited for responsibly disclosing the security bug.

No other details are available regarding this security flaw to protect the sites that haven't yet been updated. However, we do know that Automattic addressed it with added authorization logic.

The announcement made by Automattic says the bug impacts all versions starting with the Jetpack 2.0 release and going back to November 2012.

The Jetpack development team added that it found no evidence that the vulnerability has been exploited in the wild.

"However, now that the update has been released, it is only a matter of time before someone tries to take advantage of this vulnerability," the developers warn.

Automattic is force installing patched versions on all websites running vulnerable Jetpack versions, with most sites already having been updated.

"To help you in this process, we worked with the WordPress.org Security Team to release patched versions of every version of Jetpack since 2.0," Automattic said. "Most websites have been or will soon be automatically updated to a secured version."

Currently, download stats available on the WordPress Plugins site confirm that the security updates have been pushed to most if not all exposed websites. 

Forced updates used to patch critical bugs affecting millions

This is not the first time Automattic used the automated deployment of security updates to patch vulnerable plug-ins or WordPress installations.

WordPress lead developer Andrew Nacin stated in 2015 that the company had used automated updates only five times since its launch.

Samuel Wood, another WordPress developer, added in October 2020 that Automattic used the forced security updates feature to push "security releases for plugins many times" since WordPress 3.7 was released.

This hints at the fact that Automattic deploys forced updates to patch plug-ins used by millions of sites against critical security vulnerabilities.

For instance, in 2019, Jetpack received a critical security update to fix a bug in the way the plug-in processed embed code.

Another security update addressed an issue found during an internal audit of the Contact Form block in December 2018. A May 2016 critical security update patched a vulnerability in the way some Jetpack shortcodes were processed.

In related news, in 2018, threat actors also found a method to install backdoored plugins on WordPress websites using weakly protected WordPress.com accounts and Jetpack's remote management feature.

Nonprofit healthcare provider, Scripps Health in San Diego, has disclosed a data breach exposing patient information after suffering a ransomware attack last month.

The healthcare provider has five hospitals and 19 outpost facilities with over 3,000 affiliate physicians. Every year, Scripps Health treats more than 700,000 patients.

On April 29th, Scripps Health suffered a cyberattack where threat actors deployed ransomware on their network and encrypt devices.

The attack caused the healthcare provider to suspend their IT systems, including public-facing portals, including MyScripps and scripps.org.

Due to the attack, hospitals in Encinitas, La Jolla, San Diego, and Chula Vista no longer received stroke or heart attack patients, which were diverted to other medical facilities.

Hackers stole patient data during the attack

On Tuesday, Scripps Health released an updated report on the attack and says that threat actors stole patient data during the attack.

"The investigation is ongoing, but we determined that an unauthorized person did gain access to our network, deployed malware, and, on April 29, 2021, acquired copies of some of the documents on our systems," said an updated Scripps Health security incident notice.

"By May 10, 2021, we were able to access a limited number of documents involved in the incident and, after a thorough review, determined that some of those documents contained certain patient information."

"As the investigation is ongoing, we do not yet know the content of the remainder of documents we believe are involved, though we are working with third party experts to determine those facts as quickly as possible."

When ransomware operations breach an organization, they will first silently spread throughout the network while stealing files and data. Once they gain access to a Windows admin account and the domain controller, they deploy the ransomware to encrypt devices.

The ransomware gangs then use the stolen data as leverage by saying they will release the stolen data on data leak sites if the victim does not pay the ransom.

After investigating the stolen data, Scripps Health determined that the attackers stole personal information for certain patients.

"For certain patients, this information included one or more of their names, addresses, dates of birth, health insurance information, medical record numbers, patient account numbers, and/or clinical information, such as physician name, date(s) of service, and/or treatment information," warns Scripps Health.

"For less than 2.5% of patients, Social Security numbers and drivers’ license numbers were also affected."

"Importantly, this incident did not result in unauthorized access to Scripps’ electronic medical record application, Epic. However, health information and personal financial information was acquired through other documents stored on our network."

For those patients whose data was exposed, Scripps Health has begun mailing notification letters on June 1st, 2021.

If the attack exposed a patient's Social Security or driver's license numbers, the healthcare provider also provides a free one-year subscription to credit monitoring and identity protection services.

It is unknown which ransomware operation conducted the attack, and none of the stolen data has been publicly released at this time.

Google has added new protection capabilities for Enhanced Safe Browsing users in Chrome, warning them when installing untrusted extensions and allowing them to request more in-depth scans of downloaded files.

The Safe Browsing feature, available in Google Chrome since 2007, warns you of dangerous events when visiting malicious websites (e.g., sites trying to steal your credentials, downloading harmful files) by checking URLs against a list of unsafe sites stored within Chrome.

Enhanced Safe Browsing, available to Chrome users since May 2020, significantly increases protection from dangerous sites, downloads, and extensions by adding faster, proactive safeguards and warning about password breaches.

"Since the initial launch, we have continuously worked behind the scenes to improve our real-time URL checks and apply machine learning models to warn on previously-unknown attacks," Google said.

"As a result, Enhanced Safe Browsing users are successfully phished 35% less than other users."

Upgraded to flag untrusted Chrome extensions

Starting with Google Chrome 91, released last month, a new Enhanced Safe Browsing feature is rolling out to all users to alert them if they're installing an extension made by an untrusted developer.

"Enhanced Safe Browsing will now offer additional protection when you install a new extension from the Chrome Web Store," Google added.

"A dialog will inform you if an extension you're about to install is not a part of the list of extensions trusted by Enhanced Safe Browsing.

"Any extensions built by a developer who follows the Chrome Web Store Developer Program Policies, will be considered trusted by Enhanced Safe Browsing."

New developers will have to build up trust over at least a few months until they will be added to Enhanced Safe Browsing's list of trusted devs.

Until then, extensions they publish on the Chrome Web Store will be flagged as untrusted, and Chrome will notify users of what data the extensions can access.

While starting as untrusted even though they release extensions compliant with Google's Chrome Web Store Developer Program Policies, all will reach trusted status according to Google.

At the moment, almost 75% of all Chrome Web St extensions are marked as trusted, with the number to grow as more and more developers will become trusted.

Enhanced protection against risky files

Enhanced Safe Browsing was also upgraded in the latest Google Chrome release to provide even better protection against risky files downloaded from potentially malicious sites.

When a downloaded file is tagged as unsafe, users are now offered the option to request a more in-depth Google Safe Browsing analysis.

"After a short wait, if Safe Browsing determines the file is unsafe, Chrome will display a warning. As always, you can bypass the warning and open the file without scanning," Google said.

"If you choose to send the file, Chrome will upload it to Google Safe Browsing, which will scan it using its static and dynamic analysis classifiers in real-time. Uploaded files are deleted from Safe Browsing a short time after scanning."

Chinese-backed threat actors breached New York City's Metropolitan Transportation Authority (MTA) network in April using a Pulse Secure zero-day. Still, they failed to cause any data loss or gain access to systems controlling the transportation fleet.

According to Rafail Portnoy, MTA's Chief Technology Officer, while the attackers hacked into several MTA computer systems, they couldn't gain access to employee or customer information.

"The MTA quickly and aggressively responded to this attack, bringing on Mandiant, a leading cyber security firm, whose forensic audit found no evidence operational systems were impacted, no employee or customer information breached, no data loss and no changes to our vital systems," Portnoy said in a statement.

The third attack targeting MTA in recent years

MTA mitigated the vulnerability on April 21, one day after Pulse Secure issued an advisory, and CISA published an alert on the Pulse Secure zero-day exploited in the attack.

Additionally, existing security systems also hindered the attackers' attempts to move through the network.

"Importantly, the MTA's existing multi-layered security systems worked as designed, preventing spread of the attack and we continue to strengthen these comprehensive systems and remain vigilant as cyber-attacks are a growing global threat," Portnoy added.

The breach was the result of the third attack on the transportation authority's network in recent years, as MTA officials told the NY Times.

MTA is the largest North American transportation network serving more than 15.3 million people across a 5,000-square-mile travel area around New York City.

The transit authority operates multiple transportation agencies, including the MTA New York City Transit, MTA Bus, Long Island Rail Road, Metro-North Railroad, and MTA Bridges and Tunnels.

Dozens of US and European organizations also hacked 

Cybersecurity firm FireEye revealed on April 20 that at least two Chinese-backed threat actors (tracked as UNC2630 and UNC2717) were actively exploiting a zero-day vulnerability to deploy 16 different malware families.

"Espionage activity by UNC2630 and UNC2717 supports key Chinese government priorities," FireEye said in a report published last month.

"Many compromised organizations operate in verticals and industries aligned with Beijing's strategic objectives outlined in China's recent 14th Five Year Plan."

The malware is custom-tailored for compromising Pulse Secure VPN appliances and used to maintain long-term access to networks, collect credentials, and steal proprietary data.

The zero-day was exploited together with other Pulse Secure bugs to hack the networks of dozens of US and European organizations across several verticals, including defense, government, high tech, transportation, and financial sectors.

A day later, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive ordering federal agencies to mitigate the security flaw within two days by disabling the Pulse Secure Collaboration and Windows File Share Browser features.

Pulse Secure issued security updates to address the zero-day bug on May 3 and also released the Pulse Connect Secure Integrity Tool that helps organizations check if hackers modified files on their Pulse Secure appliances.

CISA also updated mitigation measures shared in its alert and urges organizations to check the guidance published by Ivanti, Pulse Secure's parent company.

Security researchers have discovered a new piece of malware called SkinnyBoy that was used in spear-phishing campaigns attributed to Russian-speaking hacking group APT28.

The threat actor, also known as Fancy Bear, Sednit, Sofacy, Strontium, or PwnStorm, used SkinnyBoy in attacks targeting military and government institutions earlier this year.

Classic tactics, new tool

SkinnyBoy is intended for an intermediary stage of the attack, to collect information about the victim and to retrieve the next payload from the command and control (C2) server.

According to Cluster25 threat research company, APT28 likely started this campaign at the beginning of March, focusing on ministries of foreign affairs, embassies, defense industry, and the military sector.

Multiple victims are in the European Union but the researchers told BleepingComputer that the activity may have impacted organizations in the United States, too.

SkinnyBoy is delivered through a Microsoft Word document laced with a macro that extracts a DLL file acting as a malware downloader.

The lure is a message with a spoofed invitation to an international scientific event held in Spain at the end of July.

Opening the invitation triggers the infection chain, which starts with extracting a DLL that retrieves the SkinnyBoy dropper (tpd1.exe), a malicious file that downloads the main payload.

Once on the system, the dropper establishes persistence and moves to extract the next payload, which is encoded in Base64 format and appended as an overlay of the executable file.

This payload deletes itself after extracting two files on the compromised system:

• C:\Users\%username%\AppData\Local\devtmrn.exe (2a652721243f29e82bdf57b565208c59937bbb6af4ab51e7b6ba7ed270ea6bce)
• C:\Users\%username%\AppData\Local\Microsoft\TerminalServerClient\TermSrvClt.dll (ae0bc3358fef0ca2a103e694aa556f55a3fed4e98ba57d16f5ae7ad4ad583698)

To keep a low profile, the malware executes these files at a later stage, after creating a persistence mechanism via a LNK file under Windows Startup folder, Cluster25 says in a report shared with BleepingComputer.

The LNK file is triggered at the next reboot of the infected machine and looks for the main payload, SkinnyBoy (TermSrvClt.dll), by checking the SHA256 hashes of all the files under C:\Users\%username%\AppData\Local.

SkinnyBoy’s purpose is to exfiltrate information about the infected system, download, and launch the final payload of the attack, which remains unknown at the moment.

Collecting the data is done by using the systeminfo.exe and tasklist.Exe tools already present in Windows, which allow it to extract file names in specific locations:

• C:\Users\%username%\Desktop
• C:\Program Files - C:\Program Files (x86)
•  C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
• C:\Users\%username%\AppData\Roaming
• C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Templates
• C:\Windows - C:\Users\user\AppData\Local\Temp

All the information extracted this way is delivered to the C2 server in an organized fashion and encoded in base64 format.

Cluster25 says that the attacker used commercial VPN services to purchase elements for their infrastructure, a tactic that adversaries typicall use to better lose their tracks.

After observing the tactics, techniques, and procedures, Cluster25 believes that the SkinnyBoy implant is a new tool from the Russian threat group known as APT28. The company has mid-to-high confidence in its attribution.

In the report today, Cluster25 provides YARA rules for all the tools examined by its researchers (SkinnyBoy dropper, launcher, and the payload itself) as well as a list of observed indicators of compromise that can help organizations detect the presence of the new malware.

The White House has urged business leaders and corporate executives to take ransomware attacks seriously in a letter issued by Anne Neuberger, the National Security Council's chief cybersecurity adviser.

"The most important takeaway from the recent spate of ransomware attacks on U.S., Irish, German and other organizations around the world is that companies that view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively," Neuberger said.

The letter comes after a significant increase in the numbers and severity of ransomware attacks targeting the public and private sectors.

While disrupting and stopping the threat actors coordinating these attacks is one of the top priorities for President Biden, Neuberger also urges businesses to take this threat just as seriously and ensure their "corporate cyber defense match the threat."

"To understand your risk, business executives should immediately convene their leadership teams to discuss the ransomware threat and review corporate security posture and business continuity plans to ensure you have the ability to continue or quickly restore operations," Neuberger added.

Neuberger also highlights best practices to help defend against ransomware attacks:

• Implement the five best practices from the President's Executive Order
• Backup your data, system images, and configurations, regularly test them, and keep the backups offline
• Update and patch systems promptly
• Test your incident response plan
• Check your security team's work using a third party pen tester 
• Segment your networks

The White House issued this letter after several ransomware incidents impacted US companies in the last 30 days, all of them orchestrated by cybercriminals groups believed to be Russian-based.

An attack coordinated by the DarkSide ransomware gang forced Colonial Pipeline to shut down the largest pipeline in the US and pay a $5 million ransom in early May.

On May 31, the world's largest meat processor JBS was also forced to shut down production after REvil ransomware operators breached and encrypted some of its North American and Australian IT system.

Press Secretary Jen Psaki said in a press briefing that President Biden would be discussing these recent attacks with Russian President Vladimir Putin at the June 16 Geneva summit.

"The U.S. Government is working with countries around the world to hold ransomware actors and the countries who harbor them accountable, but we cannot fight the threat posed by ransomware alone," Neuberger concluded.

"The private sector has a distinct and key responsibility. The federal government stands ready to help you implement these best practices."

The Steamship Authority, Massachusetts' largest ferry service, was hit by a ransomware attack on Wednesday which led to ticketing and reservation disruptions.

"The Woods Hole, Martha's Vineyard, and Nantucket Steamship Authority has been the target of a ransomware attack that is affecting operations as of Wednesday morning," the ferry service said on Wednesday.

"There is no impact to the safety of vessel operations, as the issue does not affect radar or GPS functionality. Scheduled trips to both islands continue to operate, although customers may experience some delays during the ticketing process."

In an update issued today, the Steamship Authority says that it's still working on restoring services, with trips already scheduled to operate without disruption.

However, the availability of credit card systems for processing vehicle and passenger tickets is limited, so paying in cash is preferred.

"The Steamship Authority is continuing to work with our team internally, as well as with local, state, and federal officials externally, to address Wednesday's incident," the service added.

"The ticketing processes, including online and phone reservations, will continue to be affected today, Thursday, June 3, 3021."

"At this point, customers remain unable to book or change reservations online or by phone, and the use of cash is recommended as there is limited access to credit card systems at some terminal and parking locations."

This is one of several ransomware incidents that have impacted US targets in the last month, all of them orchestrated by cybercriminals believed to be Russian-based.

Another attack coordinated by the DarkSide ransomware gang forced Colonial Pipeline to shut down the largest US pipeline and pay a $5 million ransom during early May.

On May 31, the world's largest beef producer JBS shut down production following a REvil (aka Sodinokibi) ransomware attack that hit its North American and Australian IT systems over the weekend.

In a press briefing on Wednesday, Press Secretary Jen Psaki said that President Biden would be discussing these recent ransomware attacks with Russian President Vladimir Putin at the June 16 Geneva summit.

"It will be a topic of discussion in direct, one-on-one discussions — or direct discussions with President Putin and President Biden happening in just a couple of weeks," Psaki said in a press briefing.