Plus, ransomware actors are once again targeting the healthcare industry, threatening patient health, and a new Panda Stealer campaign threatens cryptocurrency wallets. That and more in this week’s Cyber News Rundown.
Ransomware Takes Scripps Health Offline
Officials at Scripps Health were forced to take several of their client-facing systems offline over the weekend as they dealt with the aftermath of a ransomware attack. Patient appointments are being rescheduled a time when the healthcare provider hopes to again be operating normally. There has been no indication of the demanded ransom amount, but the organization is working with local law enforcement to identify the initial attack vector and contact affected employees and clients.
New Panda Stealer Campaign
Researchers have identified a new info stealing campaign from Panda Stealer that focues on cryptocurrency wallets and discovering stored credentials for several social applications including Discord and Telegram. The fileless payload is spread through email phishing and is often displayed as a .XLSM attachment that requires enabling macros. Once the payload is installed, the infection begins exfiltrating any browser information, stored cryptocurrency and messaging credentials it discovers.
Malware Trio Targets Global Finances
A highly sophisticated phishing campaign is targeting financial organizations around the world with offers for detailed services in a variety of fields. It begins with a malicious email containing URL links that lead to a drop page with an infected PDF which displays an error when trying to view. Next, a zip archive containing the first JavaScript payload, DoubleDrag downloader, that installs the remaining two parts of the trio. DoubleDrop creates a basepoint for the final component, DoubleBack, which is then used as a backdoor to allow future infiltration and distribution of malware.
Israeli Businesses suffer ransomware attacks
At least five Israeli businesses have fallen victim to a series of attacks seeming to stem from a new ransomware group known as N3TW0RM. Along with publishing a confirmed leak site with data from two of the Israeli targets, N3TW0RM’s ransom demands seem to range from 3-4 Bitcoins, which is unusually low for these types of attacks. Encrypted files are appended with “.n3tw0rm” extension, but due to the method of encryption, if any files remain on the computer after the attack the victim may be able to decrypt them.
DDoS Attack on Belgian ISP
Belnet, an internet service provider serving many Belgian governmental agencies, suffered a major DDoS attack earlier this week. Among the affected organizations are the Belgian Parliament, local universities, and up to 200 other organizations that rely on Belnet for multiple services. Due to the on-going nature of the attack, officials at Belnet are still dealing with the massive flood of traffic to their servers.