Lazarus Group suspected in CoinEx robbery
The theft of $31 million in digital assets from the CoinEx exchange that occurred on September 12, which we reported on Thursday, has now been confirmed by at least three independent authorities to have been the work of the North Korea-linked Lazarus Group. The smoking gun in this case was an address that had been used by the group in a previous crypto theft. Analysts from the blockchain security firm Elliptic suggest that these latest attacks are an indication of the group’s “shift in focus from decentralized services to centralized ones…likely motivated by improvements in smart contract auditing and development standards in the DeFi space and increased access offered by centralized exchanges via social engineering attacks.”
Thailand financial company CardX discloses leak
The CardX company is part of Thailand’s SCB X group, which itself is a holding company for The Siam Commercial Bank Public Company. On Friday CardX announced a cybersecurity incident that exposed personal loan and cash card applications. The company emphasized that this information cannot be used for financial transactions, but warned customers to be wary of suspicious communications. It emphasized also that the incident was “unrelated to the information systems of Siam Commercial Bank or any other companies in their group.”
Ransomware hits trucking software provider
New Jersey-based ORBCOMM on Friday disclosed a ransomware attack that occurred on September 6 and impacted its FleetManager platform and BT product line. ORBCOMM provides, among other things, electronic logging device systems that are required by the U.S. Department of Transportation to monitor drivers’ driving time. The disruption has forced drivers to return to paper logbooks. As of Friday’s announcement, the company would not say which ransomware group was behind the incident or whether a ransom would be paid.
Iranian espionage campaign focused on satellite and defense sectors
According to a report from Microsoft posted Thursday, a group named Peach Sandstorm used password spray attacks against thousands of organizations in a campaign that ran from February to July. Although password spray attacks are relatively easy to detect, Microsoft is expressing concern about the group’s potential ability to deploy more sophisticated methods once they gain access.
Thanks to this week’s episode sponsor, Hyperproof
Colombian government ministries suffer from cyberattack on their network provider
In Colombia, several government ministries, including the Ministry of Health and Social Protection, the Judiciary Branch and the Superintendency of Industry and Commerce are dealing with a cyberattack on their provider IFX Networks Colombia. This is affecting court dates and is forcing the Ministries to work out alternative methods for delivering their services. Although no group has yet claimed responsibility, experts are seeing strong similarities in the ransom note to one used by the RansomHouse group on Colombian healthcare provider Keralty last November.
North Carolina hospitals suffer from Clop MOVEit campaign
Nuance, a healthcare technology company owned by Microsoft, has confirmed the theft of personal data from 13 North Carolina hospital groups related to the ongoing MOVEit campaign driven by the Clop group. The data stolen includes patients’ demographic information and the services they received. Nuance addressed and fixed the issue immediately upon learning about the flaw from Progress on May 31, but it warns patients and others to be wary of suspicious activity. The hospital groups affected are:
- Atrium Health, the Charlotte-based health care system giant.
- Catawba Valley Medical Center in Hickory.
- Charlotte Radiology.
- Duke University Health System.
- DLP Central Carolina Medical Center in Sanford.
- Greenville-based ECU Health.
- Pinehurst-based FirstHealth of the Carolinas.
- Asheville-based Mission Health System.
- Winston-Salem-based Novant Health.
- Novant Health New Hanover Regional Medical Center in Wilmington.
- Chapel Hill-based UNC Health.
- Raleigh-based Wake Radiology Diagnostic Imaging.
- Raleigh-based WakeMed Health & Hospitals.
Last week in ransomware
Obviously the story of the week last week was the attacks on the MGM and Caesars casino chains in Las Vegas. Caesars paid the ransom demand, after negotiating it down to $15 million from $30 million, according to the Wall Street Journal. The attacks were conducted by BlackCat/ALPHV ransomware affiliate Scattered Spider, exploiting 100 VMware ESXi servers. In addition to the police forces of Manchester, and the ORBCOMM trucking software attack mentioned earlier, New Zealand’s Auckland Transportation Authority was hit last week, and a new ransomware operation called 3AM was discovered finishing off a job that LockBit had been blocked from completing.