Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Malware attacks. Show all posts
Malwares
Cyber Attacks cybercriminals data security Data Theft Hackers Infostealer Infostealer Malware Malware attacks Malwares

The Growing Threat of Infostealer Malware: What You Need to Know

 

Infostealer malware is becoming one of the most alarming cybersecurity threats, silently stealing sensitive data from individuals and organizations. This type of malware operates stealthily, often going undetected for long periods while extracting valuable information such as login credentials, financial details, and personal data. As cybercriminals refine their tactics, infostealer attacks have become more frequent and sophisticated, making it crucial for users to stay informed and take preventive measures. 

A significant reason for concern is the sheer scale of data theft caused by infostealers. In 2024 alone, security firm KELA reported that infostealer malware was responsible for leaking 3.9 billion passwords and infecting over 4.3 million devices worldwide. Similarly, Huntress’ 2025 Cyber Threat Report revealed that these threats accounted for 25% of all cyberattacks in the previous year. This data highlights the growing reliance of cybercriminals on infostealers as an effective method of gathering personal and corporate information for financial gain. 

Infostealers operate by quietly collecting various forms of sensitive data. This includes login credentials, browser cookies, email conversations, banking details, and even clipboard content. Some variants incorporate keylogging capabilities to capture every keystroke a victim types, while others take screenshots or exfiltrate files. Cybercriminals often use the stolen data for identity theft, unauthorized financial transactions, and large-scale corporate breaches. Because these attacks do not immediately disrupt a victim’s system, they are harder to detect, allowing attackers to extract vast amounts of information over time. Hackers distribute infostealer malware through multiple channels, making it a widespread threat. 

Phishing emails remain one of the most common methods, tricking victims into downloading infected attachments or clicking malicious links. However, attackers also embed infostealers in pirated software, fake browser extensions, and even legitimate platforms. For example, in February 2025, a game called PirateFi was uploaded to Steam and later found to contain infostealer malware, compromising hundreds of devices before it was removed. Social media platforms, such as YouTube and LinkedIn, are also being exploited to spread malicious files disguised as helpful tools or software updates. 

Beyond stealing data, infostealers serve as an entry point for larger cyberattacks. Hackers often use stolen credentials to gain unauthorized access to corporate networks, paving the way for ransomware attacks, espionage, and large-scale financial fraud. Once inside a system, attackers can escalate their access, install additional malware, and compromise more critical assets. This makes infostealer infections not just an individual threat but a major risk to businesses and entire industries.  

The prevalence of infostealer malware is expected to grow, with attackers leveraging AI to improve phishing campaigns and developing more advanced evasion techniques. According to Check Point’s 2025 Cybersecurity Report, infostealer infections surged by 58% globally, with Europe, the Middle East, and Africa experiencing some of the highest increases. The SYS01 InfoStealer campaign, for instance, impacted millions across multiple continents, showing how widespread the issue has become. 

To mitigate the risks of infostealer malware, individuals and organizations must adopt strong security practices. This includes using reliable antivirus software, enabling multi-factor authentication (MFA), and avoiding downloads from untrusted sources. Regularly updating software and monitoring network activity can also help detect and prevent infections. Given the growing threat, cybersecurity awareness and proactive defense strategies are more important than ever.
Read more »
Malwares
browser credential theft Browser Extension Cyber Attacks Login Credentials Malicious Browser Extension Malware attacks Malwares

New Malware Impersonates Browser Extensions to Steal Login Credentials

 

Cybercriminals are continually evolving their tactics to evade antivirus detection and trick users into installing malicious software. One of the latest threats involves malware that impersonates legitimate browser extensions, allowing attackers to steal login credentials while remaining undetected. Although this discovery is concerning, researchers have identified the vulnerability before it could be widely exploited, giving security teams time to respond. 

According to a report by SquareX Labs, this attack starts with scammers developing seemingly useful browser extensions, such as an AI-powered transcription tool. To avoid malware detection, they distribute the extension outside official platforms like the Chrome Web Store or Google Play. Users are then encouraged to pin the extension for easy access, allowing it to quietly monitor their browsing habits over time. 

Once installed, the malicious extension collects data on the user’s existing extensions, particularly those used for handling sensitive information, such as password managers. When the right opportunity arises, it disables the legitimate extension and replaces its icon with an identical version. If the user attempts to access their password manager, they unknowingly interact with the fake extension instead. 

To further deceive users, the fraudulent extension displays a message stating that their session has expired, requiring them to log in again. However, rather than accessing their accounts, victims unknowingly submit their credentials directly to cybercriminals. With this information, attackers can break into password vaults, gaining access to sensitive data, stored passwords, and linked accounts. This method is particularly dangerous because it exploits trust in well-known extensions. 

Unlike traditional phishing attempts, which rely on fake websites or deceptive emails, this attack leverages the user’s own browser environment, making it harder to detect. Victims may not realize they’ve been compromised until they notice unauthorized activity on their accounts. Despite the sophistication of this attack, there is no immediate reason for panic. Security researchers identified the exploit before cybercriminals could widely deploy it, and browser developers have been alerted to the risk. 

However, this incident underscores the importance of practicing good cybersecurity habits. Users should only install browser extensions from trusted sources like the Chrome Web Store, avoid third-party downloads, and check reviews before installation. 

Additionally, enabling multi-factor authentication (MFA) on important accounts can provide an extra layer of security, reducing the risk of credential theft. As cyber threats continue to evolve, staying informed and cautious about software installations remains crucial to maintaining online security.
Read more »
Mobile Malware
Bank Information Security Cyber Attacks data security Data Theft Fake Apps Malicious Apps Malware attacks Mobile Malware

Massive Mobile Malware Campaign Targets Indian Banks, Steals Financial Data

 

Zimperium's zLabs research team has uncovered a significant mobile malware campaign that targets Indian banks. First reported on February 5, 2025, this threat was orchestrated by a threat actor called FatBoyPanel. Nearly 900 malware samples are used in the campaign, which is distributed via WhatsApp and uses malicious apps that impersonate banking or government apps to steal private and sensitive financial data from unsuspecting users.  

Once installed, the malicious apps steal the users data, such as credit and debit card information, ATM PINs, Aadhaar card details, PAN card numbers, and mobile banking information. Additionally, the malware uses sophisticated stealth techniques to conceal itself and avoid detection or removal by intercepting SMS messages that contain OTPs. 

By using the reputation and legitimacy of Indian banks and government agencies to trick users into thinking the apps are authentic, this cyberattack is a clear illustration of how threat actors have advanced to a new level. These cybercriminals are deceiving users into downloading malicious apps intended to drain accounts and compromise sensitive data by posing as trustworthy organizations. 

Upon closer examination, the malware can be divided into three different types: hybrid, firebase-exfiltration, and SMS forwarding. Different exfiltration techniques are used by each variant to steal confidential information. By employing live phone numbers to intercept and reroute SMS messages in real time, these Trojan Bankers go beyond standard attacks. By hiding its icon, the malware makes itself even more difficult to remove. 

According to a Zimperium report, more than 1,000 malicious applications were created with the intention of stealing banking credentials. An estimated 50,000 victims were impacted by the campaign, which revealed 2.5GB of financial and personal data kept in 222 unprotected Firebase buckets. Attackers have been able to trick users into divulging extremely sensitive information by using phony government and banking apps that are distributed via WhatsApp. 

This breach has serious repercussions, including the possibility of identity theft, financial loss, and privacy violations for impacted users. In order to assist authorities in locating the cybercriminals responsible for FatBoyPanel, Zimperium has shared the gathered data with them. Users should use security software to identify and eliminate malware, update their devices frequently, and refrain from downloading apps from unidentified sources in order to protect themselves. 

On Thursday, Feb. 20, Zimperium, the global leader in mobile security, will release new research highlighting the evolving landscape of mobile phishing attacks.

As organizations increasingly rely on mobile devices for business operations including BYOD, multi-factor authentication, cloud applications, and mobile-first workflows, mobile phishing is becoming one of the most severe threats to enterprise security. Adversaries are exploiting security gaps in mobile and cloud-based business applications, expanding the attack surface and increasing exposure to credential theft and data compromise.

Zimperium’s latest research provides a data-driven look at how attackers are evolving their tactics to evade detection and why businesses must rethink their security strategies to stay ahead. 

Key findings from the report include: Mishing surge: Activity peaked in August 2024, with over 1,000 daily attack records. Smishing (SMS/text based phishing) attacks dominate globally with 37% in India, 16% in the U.S., and 9% in Brazil. Quishing (QR code phishing) is gaining traction, with notable activity in Japan (17%), the U.S. (15%), and India (11%). Stealthy phishing techniques: 3% of phishing sites use device-specific detection to display harmless content on desktops while delivering malicious phishing payloads exclusively to mobile users. Zimperium’s research emphasizes that traditional anti-phishing solutions designed for desktops are proving inadequate against this shift, making mobile threat defense a critical necessity for organizations worldwide.

The FatBoyPanel campaign emphasizes the need for increased vigilance in an increasingly digital world and the increasing sophistication of cyber threats. Keeping up with online security best practices is crucial to reducing risks and protecting financial and personal information as cybercriminals improve their tactics.
Read more »
Ransomwares
Cyber Security Cyber Security Vendor macOS MacOS Malware Malware attacks MITRE MITRE ATT&CK Ransomwares

MITRE’s Latest ATT&CK Evaluations Reveal Critical Insights into Cybersecurity Solutions

 

MITRE Corporation has published its findings from the latest round of ATT&CK evaluations, offering important insights into the effectiveness of enterprise cybersecurity solutions. This sixth evaluation assessed 19 vendors against two major ransomware strains, Cl0p and LockBit, as well as North Korean-linked malware targeting macOS systems. The advanced malware simulations used during the evaluation highlighted sophisticated tactics, such as exploiting macOS utilities and covert data exfiltration, emphasizing the dynamic nature of modern cyber threats.

The Findings and Their Significance

According to MITRE’s general manager, William Booth, the evaluation revealed notable disparities in vendors’ abilities to detect and distinguish between malicious activities. Some solutions achieved high detection rates but also suffered from alarmingly high false-positive rates, indicating a need for better precision in threat identification. MITRE’s methodology involved a two-phase approach: first, evaluating baseline detection capabilities and then assessing protection performance after vendors adjusted their configurations to improve detection accuracy. This approach highlights the adaptability of vendors in enhancing their solutions to counter emerging threats.

The Struggles with Post-Compromise Detection

A key takeaway from the evaluation was the struggle vendors faced with post-compromise threat detection. MITRE stressed the importance of detecting and mitigating ransomware activities after the initial breach, as ransomware often mimics legitimate system behaviors. Booth emphasized that relying solely on blocking initial infections is no longer sufficient—solutions must also account for activities occurring later in the attack chain. This represents a critical area where cybersecurity solutions need improvement to effectively neutralize threats at all stages of an attack.

Contrasting Detection Strategies

The evaluation also highlighted differences in detection strategies among vendors. Some vendors utilized machine learning and AI-based methods for threat detection, while others relied on more traditional heuristic approaches. These contrasting methodologies led to varying levels of effectiveness, particularly in the detection of false positives and distinguishing between benign and malicious activities. The use of AI-based methods showed promise, but some vendors struggled with accuracy, underscoring the challenges faced by the industry in keeping up with evolving threats.

MacOS Threats: A New Challenge

For the first time, MITRE included macOS threats in its evaluation. Addressing macOS malware posed unique challenges, as there is limited publicly available Cyber Threat Intelligence (CTI) on such threats. Despite these challenges, MITRE’s inclusion of macOS malware reflects its commitment to addressing the evolving threat landscape, particularly as more organizations adopt Apple devices in their enterprise environments. The move signals MITRE’s proactive approach to ensuring that cybersecurity solutions account for all major operating systems in use today.

Looking Ahead: Vendor Transparency and Improvement

Although MITRE refrains from ranking vendors, its evaluation provides transparency that can guide organizations in making informed decisions about their cybersecurity strategies. The findings underscore the importance of refining cybersecurity technologies to meet the demands of a rapidly evolving cyber environment. Booth highlighted that these evaluations encourage vendors to continuously improve their technologies to better counter the increasing sophistication of cyber threats.

By incorporating ransomware and macOS malware into its evaluations, MITRE continues to shed light on the complexities of modern cyberattacks. The insights gained from this evaluation are invaluable for organizations looking to enhance their defenses against increasingly sophisticated threats. As cyberattacks become more advanced, understanding the varying capabilities of enterprise security solutions is essential for building a robust cybersecurity posture.

Read more »
Malware attacks
AI generated Deepfake AI tools Cyber Attacks data security Data Theft Fake Apps Information Security Malware attacks

Meeten Malware Targets Web3 Workers with Crypto-Stealing Tactics

 


Cybercriminals have launched an advanced campaign targeting Web3 professionals by distributing fake video conferencing software. The malware, known as Meeten, infects both Windows and macOS systems, stealing sensitive data, including cryptocurrency, banking details, browser-stored information, and Keychain credentials. Active since September 2024, Meeten masquerades as legitimate software while compromising users' systems. 
 
The campaign, uncovered by Cado Security Labs, represents an evolving strategy among threat actors. Frequently rebranded to appear authentic, fake meeting platforms have been renamed as Clusee, Cuesee, and Meetone. These platforms are supported by highly convincing websites and AI-generated social media profiles. 
 
How Victims Are Targeted:
  • Phishing schemes and social engineering tactics are the primary methods.
  • Attackers impersonate trusted contacts on platforms like Telegram.
  • Victims are directed to download the fraudulent Meeten app, often accompanied by fake company-specific presentations.

Key behaviors include:
  • Escalates privileges by prompting users for their system password via legitimate macOS tools.
  • Displays a decoy error message while stealing sensitive data in the background.
  • Collects and exfiltrates data such as Telegram credentials, banking details, Keychain data, and browser-stored information.
The stolen data is compressed and sent to remote servers, giving attackers access to victims’ sensitive information. 
 
Technical Details: Malware Behavior on Windows 

On Windows, the malware is delivered as an NSIS file named MeetenApp.exe, featuring a stolen digital certificate for added legitimacy. Key behaviors include:
  • Employs an Electron app to connect to remote servers and download additional malware payloads.
  • Steals system information, browser data, and cryptocurrency wallet credentials, targeting hardware wallets like Ledger and Trezor.
  • Achieves persistence by modifying the Windows registry.
Impact on Web3 Professionals 
 
Web3 professionals are particularly vulnerable as the malware leverages social engineering tactics to exploit trust. By targeting those engaged in cryptocurrency and blockchain technologies, attackers aim to gain access to valuable digital assets. Protective Measures:
  1. Verify Software Legitimacy: Always confirm the authenticity of downloaded software.
  2. Use Malware Scanning Tools: Scan files with services like VirusTotal before installation.
  3. Avoid Untrusted Sources: Download software only from verified sources.
  4. Stay Vigilant: Be cautious of unsolicited meeting invitations or unexpected file-sharing requests.
As social engineering tactics grow increasingly sophisticated, vigilance and proactive security measures are critical in safeguarding sensitive data and cryptocurrency assets. The Meeten campaign underscores the importance of staying informed and adopting robust cybersecurity practices in the Web3 landscape.
Read more »
Microsoft
cybercriminals Hacking malware Malware attacks Microsoft

Hackers Exploit Visual Studio Code as a Remote Access Tool, Researchers Find

 

In a new wave of cyberattacks, hackers are using Microsoft’s Visual Studio Code (VSCode) as a remote access tool to gain unauthorized entry into computers, according to Cyble Research and Intelligence Labs. Visual Studio, a popular integrated development environment (IDE) for app development on the .NET framework, supports languages like C#, VB.NET, and C++. 

While the tool is widely used for legitimate purposes, cybercriminals have now found a way to exploit it for malicious activities. The attack begins with a seemingly harmless file, a malicious “.LNK” shortcut, which is likely spread through spam emails. Once opened, the file displays a fake “Installation Successful” message in Chinese. 

In the background, however, it secretly downloads a Python package named “python-3.12.5-embed-amd64.zip” and creates a directory on the target system. This malicious file then executes an obfuscated Python script (update.py) from the online source paste[.]ee, which was not detected by the VirusTotal scanning service. 

To maintain access, the malware sets up a scheduled task, “MicrosoftHealthcareMonitorNode,” which runs every four hours or when the computer starts, using SYSTEM-level privileges. If the system does not have VSCode already installed, the malware fetches the Visual Studio Code Command Line Interface (CLI) from Microsoft’s servers. 

This tool is then used to open a remote tunnel that enables the attackers to generate an 8-character activation code, giving them unauthorized remote access to the victim’s computer. Once access is established, the malware gathers sensitive system information, such as data from critical directories, running processes, user details, and even geographical locations. 

With this, hackers can fully control the victim’s machine, accessing files, directories, and the terminal. This discovery highlights the growing sophistication of cyberattacks and emphasizes the need for vigilance, especially with common developer tools like VSCode. Users are advised to be cautious of unexpected email attachments and ensure their systems are protected against such threats.
Read more »
Web Community
Cyber Attacks CyberCrime Cybersecurity efvt Malware attacks Microsoft Office Netskope Phishing Attacks QR code Quishing Quishing Campaign URL Web Community

Quishing Scams Exploit Microsoft Sway Platform

 


It has been discovered that a new phishing campaign is being run using Microsoft Sway, which has been found by researchers. A series of attacks have been called the "Quishing" campaign to describe what is happening. The practice of "squishing" is a form of phishing that uses QR codes to lead people to malicious websites. An example of Quishing is embedding malicious URLs into a QR code to commit phishing. 

A few groups of victims in Asia and North America are primarily focusing on the campaign. In late December, researchers noticed that an unexpected spike in traffic to unique Microsoft Sway phishing pages arose as a result of a campaign called "quishing," which targeted Microsoft Office credentials.  As defined by Netskope Threat Labs, quishing is essentially phishing to trick users into opening malicious pages by presenting them with QR codes, which are commonly used in many forms of phishing. 

According to a spokesperson for the campaign, the campaign mainly targets victims in Asia and North America, across multiple industries such as the technology, manufacturing, and finance sectors. A researcher from the University of California, Davis, reported that "attackers instruct their victims to scan QR codes with their mobile devices, in the hope that these portable devices do not possess the strict security measures found on corporate-issued devices," according to an article written by the researchers. 

This QR phishing campaign utilizes two techniques that have been discussed in previous articles: transparent phishing in conjunction with Cloudflare Turnstile" Those who operate phishing websites use Cloudflare Turnstile to ensure that their malicious websites are protected from static analysis tools so that they can hide their malicious payloads, prevent web filtering providers from blocking their domains, and maintain a clean reputation among the web community. 

This is known as an attack-in-the-middle phishing technique, which is more sophisticated than traditional phishing techniques. The attackers not only attempt to gain access to the victims' credentials but also attempt to log them into the legitimate service using those credentials, bypassing multi-factor authentication, so they can steal sensitive tokens or cookies which can be used to gain further unauthorized access to the system. 

This is a massive QR code phishing campaign, which abused Microsoft Sway, a cloud-based tool for creating presentations online, to create landing pages that scammed Microsoft 365 users into handing over their credentials in exchange for money. According to Netskope Threat Labs, these attacks were spotted in July 2024 after detecting an increase of 2,000-fold in attacks exploiting Microsoft Sway to host phishing pages that allegedly steal access credentials for Microsoft 365 accounts. 

Interestingly, this surge of activity dates back to the first half of the year when minimal activity was reported. So, it comes as no surprise that this campaign has been so widespread. Essentially, they were interested in targeting users in Asia and North America, concentrating primarily on the technology, manufacturing, and finance sectors, which were the most likely to present themselves to them. A free application, called Sway, is available in Microsoft 365 for anyone with a Microsoft account who has a Microsoft account. 

Attackers, however, utilize this open access as an opportunity to fool users by misrepresenting them as legitimate cloud applications, thus defrauding them of the money they are paid to use them. Furthermore, Sway is accessed once an individual logs into their Microsoft 365 account, adding a layer of legitimacy to the attack, since it is accessible once the victim has already logged into the account, thus increasing the chances of them opening malicious links. 

Netskope Threat Labs identified a new QR code phishing campaign in July 2024, marking a significant development in cyber threats. This campaign primarily targets victims in Asia and North America, affecting various sectors, including manufacturing, technology, and finance. Cybercriminals employ diverse sharing methods, such as email, links, and social media platforms like Twitter, to direct users to phishing pages hosted on the sway. cloud.Microsoft domain. 

Once on these pages, victims are prompted to scan QR codes that subsequently lead them to malicious websites. Microsoft Sway, a platform known for its versatility, has been exploited in the past for phishing activities. Notably, five years ago, the PerSwaysion phishing campaign leveraged Microsoft Sway to target Office 365 login credentials. This campaign, driven by a phishing kit offered through a malware-as-a-service (MaaS) operation, was uncovered by Group-IB security researchers.

The attacks deceived at least 156 high-ranking individuals within small and medium-sized financial services companies, law firms, and real estate groups. The compromised accounts included those of executives, presidents, and managing directors across the U.S., Canada, Germany, the U.K., the Netherlands, Hong Kong, and Singapore. This escalation in phishing tactics highlights the ongoing battle between cybercriminals and cybersecurity professionals, where each defensive measure is met with a corresponding offensive innovation. 

The need for a comprehensive approach to cybersecurity has never been more apparent, as malicious actors continue to exploit seemingly innocuous technologies for nefarious purposes. With the rising popularity of Unicode QR code phishing techniques, security experts emphasize the importance of enhancing detection capabilities to analyze not just images but also text-based codes and other unconventional formats used to deceive users and infiltrate systems. This sophisticated phishing method underscores the continuous vigilance required to safeguard digital environments against increasingly cunning cyber threats.
Read more »
US Healthcare
Cyber Security CyberCrime Cyberhackers Cyberstrealing CyberThreat Everest Gang Malware attacks NASA ransomware attacks US Healthcare

Everest Gang Poses New Cybersecurity Threat to US Healthcare

 


According to the Health Sector Cybersecurity Coordination Center, the Everest Ransomware group is a threat profile of the recent ransomware attack that took place at Gramercy Surgery Center in New York. The Everest Ransomware group is behind the recent attack. In addition to this, the group has also claimed responsibility for attacks on Horizon View Medical Center in Las Vegas, 2K Dental in Ohio, Prime Imaging in Tennessee, and Stages Pediatric Care in Florida, with more attacks targeted toward the healthcare and public health sectors since 2021. 

More than 120 victims have been added to the site of this group, of which 34% are in the United States, and 27% of them are in the healthcare industry, according to information gathered from their data leak. At least 20 attacks have been carried out by the group between April 2021 and July 2024 on healthcare organizations, with disproportionately high rates of attacks on medical imaging organizations during that period.

As one of the most prevalent types of cybercrime experienced by the world today, ransomware has rapided over the last few years. As a result, criminals are luring victims with highly automated and easy-to-distribute crypto-locking malware to encrypt systems forcibly to demand Bitcoin ransoms in exchange for keys that would allow them to unlock the systems. There are several sources of information available on this Ransomware Resource Center, including information on emerging ransomware variants, threat intelligence on attackers, as well as best practices for detecting, responding, and remediating ransomware. 

A relatively new Russian-speaking ransomware group is looking for targets in the healthcare sector and claims to have stolen sensitive patient information in recent attacks on at least two medical care providers in New York and Nevada. The Everest ransomware group was first identified in December 2020. Following the attack on the Brazilian government and NASA in April 2012, it quickly became well-known within the cybercrime community after several high-profile targets were targeted. 

The group has used double extortion tactics to extort money and exfiltrate data by infecting files with ransomware and then encrypting them with a ransom payment to be paid to decrypt the files and prevent them from being uploaded to its dark web data dump site. According to researchers, there are similarities between the encryptor used by Everest, as well as other ransomware groups, such as Ransomed, which is known to work in collaboration with Everest. Everest has previously been associated with BlackByte ransomware. 

Ransomware is only a recent attack method that was used by the group, as they initially focused on data exfiltration to run malware. Everest, a company that's been around since late 2022, has become a market leader in the initial access broker (IAB) niche. IABs are a group of malicious hackers whose primary objective is to breach company networks, install malware to provide remote access to those networks, and then sell that access to other groups of malicious hackers who need that access to carry out their threats. 

When it comes to threat groups making money with ransomware attacks, this tactic is relatively uncommon. That is because if a threat group can breach company networks and has an encryption tool, it might be able to make more money if it conducts the attack itself rather than outsource access to another group. It is possible that this could be happening to keep a low profile and avoid any law enforcement scrutiny as the explanation. Among the many victims listed on Everest's dark web leak site is Gramercy Surgery Center, which was struck down in January of this year. 

According to the company, it has exfiltrated from the New York-based practice 450 gigabytes of data, including patient and doctor information, which it claims is all private and confidential. Gramercy announced in a statement published on its website on June 18 that it may have been the victim of a cyberattack and that it would be investigating the matter. From June 14 to June 17, Gramercy Medical Center determined that some documents were lost within its information technology environment and as part of the incident, copies of these documents were made and viewed within its systems. 

There is a report that Gramercy reported the hacking incident to federal regulators on Aug. 9 as a data breach by HIPAA regulations that affects nearly 51,000 people. In addition, Everest also listed the Nevada-based Horizon View Medical Center on its data leak site and alleged that the Medical Records Information, which included test results and other sensitive information about patients, had been stolen. The notice about the alleged incident was not posted on Horizon View's website as of Thursday, and the company did not immediately respond to an inquiry for comment from Information Security Media Group regarding Everest's statements regarding the alleged incident.

Following the HHS HC3 alert, the American Hospital Association on Wednesday issued a warning to hospitals regarding the threat of Everest that could pose a threat to patient safety. To move from one victim's network to another, the group employs compromised user accounts and remote desktop protocols to gain entry into the victim's computer networks. It is well known that Everest attacks are made possible by exploiting weak or stolen credentials. 

They can exploit the credentials of several systems that are within an organization. They use tools like ProcDump to make copies of the LSASS process which allows them to steal additional credentials. Following the recommendations of the AHA and HC3, hospitals and healthcare organizations should set up network monitoring systems so that alerts can be sent out for activations of the Cobalt Strike. The US authorities have advised organizations within the healthcare sector to undertake a thorough review of their cybersecurity infrastructure in response to emerging threats from the Everest Gang. 

Specifically, they have recommended the meticulous examination of domain controllers, servers, workstations, and active directories to identify and address any new or unrecognized user accounts. Additionally, it is advised that organizations regularly back up their data, implement air-gapping for data copies, and ensure that backup copies are stored offline and secured with strong passwords. Moreover, the Everest Gang's malicious activities are not confined solely to the healthcare industry. 

The group has also targeted a wide array of sectors, including construction and engineering, financial services, legal and professional services, manufacturing, and government institutions. The authorities have urged all organizations within these industries to remain vigilant and adopt stringent cybersecurity measures to safeguard against potential breaches.
Read more »
Subscribe to: Posts (Atom)