The story of the attack against the Chinese shopping platform Pandabuy demonstrates that paying a ransom to an extortion group is risky to the victims.
BleepingComputer first reported that Pandabuy had previously paid a ransom to an extortion group to prevent stolen data from being published, but the same threat actor extorted the company again this week.
In April, at least two threat actors claimed the hack of the PandaBuy online shopping platform and leaked data of more than 1.3 million customers on a cybercrime forum.
The member of the BreachForums ‘Sanggiero’ announced the leak of data allegedly stolen by exploiting several critical vulnerabilities in Pandabuy’s platform and API. Sanggiero said that he breached the platform with another threat actor named ‘IntelBroker.’
PandaBuy has been breached by Threat Actors operating under the names "Sanggiero" and "IntelBroker". Exfiltrated data includes:
— vx-underground (@vxunderground) April 1, 2024
– UserId
– First name
– Last name
– Phone number
– Login Ip
– Full address
– Order information
Breach patrons are relatively excited pic.twitter.com/Gg0HLEMSj1
Stolen data included UserId, First Name, Last Name, Phone Numbers, Emails, Login IP, Orders_Data, Orders_Id, Home_address, Zip, and Country.
“In April 2024, almost 3M+ rows of data from the store company Pandabuy was posted to a popular hacking forum. The data was stolen by exploiting several critical vulnerabilities in the platform’s API and other bugs were identified allowing access to the internal service of the website. The data contained 3M+ unique UserId, First Name, Last Name, Phone Numbers, Emails, Login IP, Orders_Data, Orders_Id, Home_address, Zip, Country, and so on. The website was breached by @Sanggiero and @IntelBroker.” reads the announcement published by BreachForums.
The data is available for sale on the cybercrime forum, Sanggiero published a sample as proof of the data breach.
HIBP founder Troy Hunt confirmed that 1.3 million email addresses are valid, the remaining addresses are duplicates. Hunt added the leaked addresses to HIBP, users can check if they have been impacted in the incident.
A company representative said on a Discord channel that the security breach took place in the past, he also added that the company security team said no data breach took place this year.
On June 3, 2024, Sanggiero offered the entire database he had previously stolen from Pandabuy for sale at $40,000. The actor claims the database contains more than 17 million lines, greater than the initial dataset offered in April, which included 1.3 million lines.
“A Pandabuy spokesperson admitted to BleepingComputer that they had paid the hacker an undisclosed amount to stop the data leak, adding that the threat actor may have shared the data with others, so they would no longer cooperate with him.” reported BleepingComputer.
The company attempted to downplay the incident saying that the data offered by Sanggiero is the same of the previous leak
Pandabuy added that they could not continue paying ransom due to frozen funds, anyway they addressed the vulnerabilities exploited in the original attack. The company speculates the threat actors had “secretly sold” their data to cybercriminals.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, cybercriminals)
The Computer Emergency Response Team of Ukraine (CERT-UA) warned of cyber espionage campaign targeting defense forces in the country. The Ukrainian CERT attributes the attack to the threat actor UAC-0020 which employed a malware called SPECTR as part of the campaign tracked as SickSync.
The threat actor UAC-0020, aka Vermin, operates under the control of the law enforcement agencies of the temporarily occupied Luhansk.
The SPECTR malware has been active since at least 2019, it allows operators to steal sensitive data and files from the infected computer, it relies on the standard synchronization functionality of the legitimate SyncThing software.
Threat actors sent out spear-phishing messages with an attachment in the form of a password-protected archive named “turrel.fop.vovchok.rar”.
The archive contains another archive, named RARSFX archive (“turrel.fop.ovchok.sfx.rar.scr”) that contains the “Wowchok.pdf” decoy file, the “sync.exe” EXE installer created using InnoSetup, and the BAT file ” run_user.bat” used for initial startup.
The UA-CERT states that the “sync.exe” file contains the legitimate SyncThing components and SPECTR malware files, including additional libraries and scripts. Attackers modified the standard files of the SyncThing software to change the names of directories, scheduled tasks, disable the functionality of displaying messages to the user, etc.
The SPECTR information stealer can capture screenshots every 10 seconds, collect files, extract data from removable USB drives, and steal credentials from web browsers and applications like Element, Signal, Skype, and Telegram.
“It should be noted that the stolen information is copied to subfolders in the directory %APPDATA%\sync\Slave_Sync\, after which, using the standard synchronization functionality of the legitimate program SyncThing , the contents of these directories get to the attacker’s computer, which ensures data exfiltration.” reads the report from the CERT-UA. “From the point of view of network indicators (in case of confidence in not using the mentioned technology is authorized), taking into account the establishment of a peer-to-peer connection, among other things, we recommend paying attention to signs of interaction with the SyncThing infrastructure: *.syncthing.net.”
The report also includes indicators of cyber threats.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ThinkPHP)
Akamai researchers observed a Chinese threat actor exploiting two old remote code execution vulnerabilities, tracked as CVE-2018-20062 and CVE-2019-9082, in ThinkPHP.
The campaign seems to have been active since at least October 2023, it initially targeted a limited number of customers/organizations but recently became widespread.
The attacks originated from various IP addresses associated with servers hosted on the “Zenlayer” cloud provider (ASN 21859) which is primarily located in Hong Kong.
“Attackers are exploiting known vulnerabilities, some of them several years old, and they are having success doing so. A prime example of this is the ThinkPHP remote code execution (RCE) vulnerabilities CVE-2018-20062 and CVE-2019-9082.” reads the analysis published by Akamai.
In attacks detected on October 17, 2023, threat actors exploited vulnerabilities by instructing victim servers to install an obfuscated shell from a remote server under the attacker’s control, rather than using common “proof of concept” commands. This initial campaign was short-lived, but a similar and much larger campaign has been observed as of April 2024.
The CVE-2018-20062 and CVE-2019-9082 vulnerabilities in the Chinese ThinkPHP framework impact content management systems like NoneCMS and open-source BMS. These vulnerabilities allow attackers to remotely execute code on the victim’s server. They are part of a series of exploit variants targeting different ThinkPHP components, disclosed over several years starting from 2018.
The attacks detected by Akamai exploit the flaws to download a file named “public.txt” from a compromised server in China. This file is saved on victims’ systems as “roeter.php,” likely a misspelling of “router.” The downloaded file contains an obfuscated web shell, a server-side backdoor script for remote control. The web shell code is obfuscated using a basic ROT13 transformation, resulting in a long HEX string. The attackers used a simple password, “admin,” to access the web shell.
“The web shell demonstrates advanced capabilities, such as navigating the file system, which enables operations like file editing, deletion, and timestamp modification for obfuscation purposes.” continues the analysis. “The webshell user interface, also known as Dama, is in Traditional Chinese. In addition to the aforementioned advanced mechanisms, Dama facilitates file uploads to the server and gathers crucial technical system data, including precise OS versions and PHP information, which aids in the identification of pertinent privilege escalation exploits.
The experts pointed out that the Dama web shell stands out because of the Chinese origin of the user interface.
Post-exploitation features include network port scanning and access to existing databases and server data. The web shell also allows privilege escalation by bypassing disabled sensitive PHP functions to execute shell commands on the server. The web shell also uses the Windows task scheduler to reconfigure WMI and add high-privileged users. The Akamai researchers observed that despite its extensive functionality, the web shell lacks support for a command-line interface (CLI) for executing direct OS shell commands.
“This web shell is yet another example of a one-day — despite how long they’ve been known, attackers continue to target and exploit them, with notable success. This underscores the persistent challenge organizations face in identifying vulnerable assets and maintaining effective patch management processes.” concludes the report. “The recent attacks originated by a Chinese-speaking adversary highlight an ongoing trend of attackers using a fully fledged web shell, designed for advanced victim control. Interestingly, not all targeted customers were using ThinkPHP, which suggests that the attackers may be indiscriminately targeting a broad range of systems.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ThinkPHP)
A new variant of the TargetCompany ransomware group uses a custom shell script as a means of payload delivery and execution, this is the first time the technique was observed in the wild.
The script was also used for data exfiltration, the stolen data are sent to two different servers so the ransomware actors have a backup of the information.
The new Linux-based variant was specifically designed to target VMWare ESXi environment.
TargetCompany has been active since June 2021, once encrypted a file it adds .mallox, .exploit, .architek, or .brg extension to the filenames of encrypted files.
Like other ransomware, TargetCompany removes shadow copies on all drives and kills some processes that may hold open valuable files, such as databases.
In February 2022, Czech cybersecurity software firm Avast released a decryption tool that could allow victims of the TargetCompany ransomware to recover their files for free under certain circumstances.
The threat actors behind TargetCompany are not targeting also virtualization environments to expand the scope of their attacks and cause greater damage and disruption. The ransomware operators have added the capability to detect if a machine is running in a VMWare ESXi environment by executing the “uname” command.
If the system name matches “vmkernel,” it indicates the machine is running VMware’s ESXi hypervisor. The malware then enters “VM mode” to encrypt files with specific extensions.
Once executed, the ransomware drops a text file named TargetInfo.txt that contains victim information. Like the Windows variant of the ransomware, the content of the file TargetInfo.txt is then sent to a C2 server.
Once the encryption process is completed, it drops a ransom note file named “HOW TO RECOVER !!.TXT” in all folders containing encrypted files. The malware appends the “.locked” extension to the encrypted filenames.
“The IP address used to deliver the payload and exfiltrate a victim’s system information has not yet been observed in previous TargetCompany campaigns. Based on research, this IP address is hosted by China Mobile Communications, an internet service provider (ISP) in China.” reads the report published by Trend Micro. “The certificate also was recently registered and is valid for only three months, indicating that it might be intended for short-term use.”
Trend Micro linked the sample analyzed by its researchers to an affiliate named “vampire,” which was identified through data sent to its C2 server. The experts believe that larger campaigns with high ransom demands and extensive IT system targeting are ongoing. “Vampire” may be connected to an affiliate mentioned in a report published by Sekoia.
Malicious actors are continually enhancing their TTPs, as demonstrated by the emergence of TargetCompany’s new Linux variant. The lates development allows operators to broaden its range of potential victims by targeting VMware ESXi environments.
Trend Micro also published the indicators of compromise for this threat.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ransomware)
The FBI is inviting victims of LockBit ransomware to come forward because it has obtained over 7,000 LockBit decryption keys that could allow them to recover their encrypted data for free.
“Additionally, from our ongoing disruption of LockBit, we now have over 7,000 decryption keys and can help victims reclaim their data and get back online.” said Bryan Vorndran, the Assistant Director at the FBI Cyber Division, during the 2024 Boston Conference on Cyber Security. “We are reaching out to known LockBit victims and encouraging anyone who suspects they were a victim to visit our Internet Crime Complaint Center at ic3.gov.”
In February, a joint law enforcement action code-named Operation Cronos conducted by law enforcement agencies from 11 countries temporarily disrupted the LockBit ransomware operation.
This call to action comes after law enforcement took down LockBit’s infrastructure in February 2024 in an international operation dubbed “Operation Cronos.”
The operation led to the arrest of two members of the ransomware gang in Poland and Ukraine and the seizure of hundreds of crypto wallets used by the group.
The British NCA took control of LockBit’s central administration environment used by the RaaS affiliates to carry out the cyberattacks. The authorities also seized the dark web Tor leak site used by the group.
The NCA seized the Tor leak site and is now used to publish updates on the law enforcement operation and provide support to the victims of the gang.
The NCA also obtained the source code of the LockBit platform and a huge trove of information on the group’s operation, including information on affiliates and supporters.
Law enforcement also had access to data stolen from the victims of the ransomware operation, a circumstance that highlights the fact that even when a ransom is paid, the ransomware gang often fails to delete the stolen information.
“LockBit had a bespoke data exfiltration tool, known as Stealbit, which was used by affiliates to steal victim data. Over the last 12 hours this infrastructure, based in three countries, has been seized by members of the Op Cronos taskforce, and 28 servers belonging to LockBit affiliates have also been taken down.” reads the NCA’s announcement. “The technical infiltration and disruption is only the beginning of a series of actions against LockBit and their affiliates. In wider action coordinated by Europol, two LockBit actors have been arrested this morning in Poland and Ukraine, over 200 cryptocurrency accounts linked to the group have been frozen.”
The NCA and its global partners have secured over 1,000 decryption keys that will allow victims of the gang to recover their files for free. The NCA reached out to victims based in the UK providing support to help them recover encrypted data.
“This NCA-led investigation is a ground-breaking disruption of the world’s most harmful cyber crime group. It shows that no criminal operation, wherever they are, and no matter how advanced, is beyond the reach of the Agency and our partners.” said National Crime Agency Director General, Graeme Biggar.
“Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems.”
The free decryptor for the Lockbit ransomware can be downloaded from the website of the ‘No More Ransom’ initiative. It’s unclear which version of the ransomware is targeted by the decryptor.
The FBI, UK National Crime Agency, and Europol have also unmasked the identity of the admin of the LockBit ransomware operation, aka ‘LockBitSupp’ and ‘putinkrab’ , and issued sanctions against him. It was the first time that the admin of the notorious group was identified by law enforcement.
The man is a Russian national named Dmitry Yuryevich Khoroshev (31) of Voronezh, Russia.
“The sanctions against Russian national Dmitry Khoroshev (pictured), the administrator and developer of the LockBit ransomware group, are being announced today by the FCDO alongside the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the Australian Department of Foreign Affairs.” reads the press release published by NCA.
The NCA states that Khoroshev will now be subject to a series of asset freezes and travel bans.
“Khoroshev, AKA LockBitSupp, who thrived on anonymity and offered a $10 million reward to anyone who could reveal his identity, will now be subject to a series of asset freezes and travel bans.” continues the NCA.
According to the UK agency, data retrieved from the systems belonging to the ransomware gang revealed that from June 2022 to February 2024, the criminals gave orchestrated over 7,000 attacks. The most targeted countries included the US, UK, France, Germany, and China.
However, despite the law enforcement operation, the LockBit group is still active and targeted tens of organizations since February.
LockBit is a prominent ransomware operation that first emerged in September 2019. In 2022, LockBit was one of the most active ransomware groups, and its prevalence continued into 2023. Since January 2020, affiliates utilizing LockBit have targeted organizations of diverse sizes spanning critical infrastructure sectors such as financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. The LockBit ransomware operation operated under a Ransomware-as-a-Service (RaaS) model, recruiting affiliates to carry out ransomware attacks through the utilization of LockBit ransomware tools and infrastructure.
According to a joint report published by US authorities and international peers, the total of U.S. ransoms paid to LockBit is approximately $91M since LockBit activity was first observed in the U.S. on January 5, 2020.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ransomware)
Cybersecurity experts who analyzed the recently emerged ransomware operation RansomHub speculate that is is a rebranded version of Knight ransomware.
Knight, also known as Cyclops 2.0, appeared in the threat landscape in May 2023. The malware targets multiple platforms, including Windows, Linux, macOS, ESXi, and Android. The operators used a double extortion model for their RaaS operation.
Knight ransomware-as-a-service operation shut down in February 2024, and the malware’s source code was likely sold to the threat actor who relaunched the RansomHub operation. RansomHub claimed responsibility for attacks against multiple organizations, including Change Healthcare, Christie’s, and Frontier Communications.
Researchers at Symantec, part of Broadcom, discovered multiple similarities between the RansomHub and Knight ransomware families, suggesting a common origin:
However, despite the two malware share origins, it is unlikely that the authors of Knight are now operating RansomHub.
“One main difference between the two ransomware families is the commands run through cmd.exe. While the specific commands may vary, they can be configured either when the payload is built or during configuration. Despite the differences in commands, the sequence and method of their execution relative to other operations remain the same.” states the report published by Symantec.
Although RansomHub only emerged in February 2024, it has rapidly grown and, over the past three months, has become the fourth most prolific ransomware operator based on the number of publicly claimed attacks.
“One factor contributing to RansomHub’s growth may be the group’s success in attracting some large former affiliates of the Noberus (aka ALPHV, Blackcat) ransomware group, which closed earlier this year. One former Noberus affiliate known as Notchy is now reportedly working with RansomHub. In addition to this, tools previously associated with another Noberus affiliate known as Scattered Spider, were used in a recent RansomHub attack.” concludes the report that also provides Indicators of Compromise. “The speed at which RansomHub has established its business suggests that the group may consist of veteran operators with experience and contacts in the cyber underground.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ransomware)
The Recall feature of Microsoft Copilot+ is an AI-powered tool designed to help users search for past activities on their PC. The data collected by the tool is stored and processed locally. After its presentation, it raised security and privacy concerns among cybersecurity experts because it scans and saves periodic screenshots of the computer screen, potentially exposing sensitive data, like passwords or financial information.
Microsoft attempted to downplay the risks for the users, the company pointed out that an attacker would need physical access to obtain data collected by the Recall tool.
However, multiple researchers have demonstrated that a malicious code could steal data collected by the Recall feature.
The popular cybersecurity expert Kevin Beaumont explained that an attacker can gain remote access to a device running Recall using a malware.
“When you’re logged into a PC and run software, things are decrypted for you. Encryption at rest only helps if somebody comes to your house and physically steals your laptop — that isn’t what criminal hackers do.” reads a post published by Beaumont. “For example, InfoStealer trojans, which automatically steal usernames and passwords, are a major problem for well over a decade — now these can just be easily modified to support Recall.”
Microsoft told media outlets a hacker cannot exfiltrate Copilot+ Recall activity remotely.
— Kevin Beaumont (@GossiTheDog) May 30, 2024
Reality: how do you think hackers will exfiltrate this plain text database of everything the user has ever viewed on their PC? Very easily, I have it automated.
HT detective pic.twitter.com/Njv2C9myxQ
Re the second paragraph in this BBC News piece about Copilot+ Recall – I don’t know if it’s a BBC error or a Microsoft misstatement, but the line is not true.
— Kevin Beaumont (@GossiTheDog) May 23, 2024
If you gain remote access to a device running Recall (eg a trojan) you can access Recall.https://t.co/ebGjiVyVsI pic.twitter.com/QDMRC0xuud
Microsoft pointed out that information captured by their tool is highly encrypted and nobody can access them, but Beaumont said it is false and published a video of two Microsoft engineers accessing the folder containing the images.
Watch as Microsoft staff gain access to the Recall database files at the 24 second mark here, you'll be shocked by their elite hacking skills. pic.twitter.com/RxBQ8iTixw
— Kevin Beaumont (@GossiTheDog) May 30, 2024
The cybersecurity researcher Alex Hagenah has released a PoC tool, named TotalRecall, that can automatically extract and display the snapshots captured by Recall on a laptop and saved into its database.
“The database is unencrypted. It’s all plain text,” Hagenah says.” told Wired.
“Windows Recall stores everything locally in an unencrypted SQLite database, and the screenshots are simply saved in a folder on your PC.” Hagenah explained “Here’s where you can find them:
LoginC:\Users\$USER\AppData\Local\CoreAIPlatform.00\UKP\{GUID}
The images are all stored in the following subfolder
.\ImageStore\
The full OCR text with the temporarily visible password is available in the %LocalAppData%CoreAIPlatform.00UKP{<UUID>}ukg.db SQLite database, nicely gift wrapped
— Marc-André Moreau (@awakecoding) June 3, 2024
While Recall remains as a “preview” feature and, according to Microsoft’s small print, could change before it launches, Beaumont writes in his research that the company “should recall Recall and rework it to be the feature it deserves to be, delivered at a later date.” concludes Wired.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, AI)
In early May, German media outlet
In March, the German authorities admitted the hack by Russia-linked actors of a military meeting where participants discussed giving military support to Ukraine.
“In early May 2024, Cisco identified bugs in Cisco Webex Meetings that we now believe were leveraged in targeted security research activity allowing unauthorized access to meeting information and metadata in Cisco Webex deployments for certain customers hosted in our Frankfurt data center.” reads the advisory published by the company.
Experts believe threat actors exploited an insecure direct object reference (IDOR) vulnerability to access internal Webex meetings. Threat actors gained access to information about the meeting, such as topics and participants, and spied on sensitive meetings, despite the German government decided to use an on-premises version of Webex.
The experts also discovered that some meeting rooms of high-ranking officials were not password-protected.
The IT giant now confirmed that the vulnerability exploited by the nation-state actors has been addressed.
“These bugs have been addressed and a fix has been fully implemented worldwide as of May 28, 2024.” continues the advisory.
Cisco notified customers who experienced observable attempts to access meeting information and metadata. Since the flaws were addressed, the company hasn’t observed any other attempts to exploit the vulnerabilities. The company added that the investigation is still ongoing and that they continuing to monitor for unauthorized activity, providing updates as needed through regular channels.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Germany)
Threat actors exploited a zero-day vulnerability in the video-sharing platform TikTok to hijack high-profile accounts. The vulnerability resides in the direct messages feature implemented by the platform, reported Forbes.
The malware spreads through direct messages within the app and only requires the user to open a message. The compromised accounts did not post content, and the extent of the impact is unclear. TikTok spokesperson Alex Haurek stated that their security team is aware of the exploit and has taken measures to stop the attack and prevent future incidents. The company is also working with affected account owners to restore access.
The list of compromised accounts includes CNN, Paris Hilton, and Sony, however, it’s still unclear how many accounts have been impacted.
The company did not share technical details about the vulnerability exploited by the attackers.
“Our security team is aware of a potential exploit targeting a number of brand and celebrity accounts. We have taken measures to stop this attack and prevent it from happening in the future. We’re working directly with affected account owners to restore access, if needed.” TikTok spokesperson Alex Haurek told Forbes.
Haurek pointed out that the attacks compromised a very small number of accounts.
Semafor first reported that CNN’s TikTok account had been hacked, forcing the broadcaster to take down its account for several days.
The TikTok spokesperson also added that their security team was recently alerted of malicious actors targeting CNN’s account.
TikTok remarked that it is committed to maintaining the platform’s integrity and will continue to monitor for any further fraudulent activity.
In August 2022, Microsoft researchers discovered a high-severity flaw (CVE-2022-28799) in the TikTok Android app, which could have allowed attackers to hijack users’ accounts with a single click. The experts stated that the vulnerability would have required the chaining with other flaws to hijack an account. Microsoft reported the issue to TikTok in February 2022, and the company quickly addressed it. Microsoft confirmed that it is not aware of attacks in the wild exploiting the bug.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, zero-day)
Zyxel Networks released an emergency security update to address three critical flaws in some of its NAS devices that have reached end-of-life.
An attacker can exploit the vulnerabilities to perform command injection attacks and achieve remote code execution. Two flaws can also allow attackers to elevate privileges.
The Outpost24 researcher Timothy Hjort reported the flaw to the manufacturer and published a detailed analysis and PoC exploit codes for the flaws.
Below is the list impacting the Zyxel NAS devices:
The vulnerabilities affect NAS326 running firmware versions 5.21(AAZF.16)C0 and earlier, and NAS542 running firmware versions 5.21(ABAG.13)C0 and older.
The vendor did not address CVE-2024-29975 and CVE-2024-29976 in its end-of-life products.
“Due to the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers with extended support as outlined in the table below, despite the products already having reached end-of-vulnerability-support.” reads the advisory published by the company. “Both NAS326 and NAS542 reached end-of-vulnerability-support on Dec. 31, 2023.”
Zyxel is not aware of attacks in the wild exploiting these vulnerabilities.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, RCE)
A ransomware attack on pathology and diagnostic services provider Synnovis has severely impacted the operations at several major NHS hospitals in London. The attack forced the impacted hospitals to cancel some healthcare procedures, in some cases patients were redirected to other hospitals.
Synnovis is a pathology partnership between Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Trust, and SYNLAB, Europe’s largest provider of medical testing and diagnostics.
In a post published on its website, Synnovis disclosed it was the victim of a ransomware attack.
“On Monday 3 June, Synnovis – a partnership between two London-based hospital Trusts and SYNLAB – was the victim of a ransomware cyberattack. This has affected all Synnovis IT systems, resulting in interruptions to many of our pathology services.” reads the statement published by the company. “Regrettably this is affecting patients, with some activity already cancelled or redirected to other providers as urgent work is prioritised.”
The pathology and diagnostic services provider has launched an investigation into the security breach with the help of experts from the NHS. The experts are working to fully assess the impact of the attack and to take the appropriate action to contain the incident. The company also announced they are working closely with NHS Trust partners to minimise the impact on patients and other service users.
— Shaun Lintern (@ShaunLintern) June 4, 2024
Below is the message sent by Professor Ian Abbs, Chief Executive Officer Guy’s and St Thomas’ NHS Foundation Trust:Dear Colleague
"I am writing to update you about the ongoing critical incident that is currently affecting our pathology services. I can confirm that our pathology partner Synnovis experienced a major IT incident earlier
today, which is ongoing and means that we are not currently connected to the Synnovis IT
servers. This incident is also affecting King’s College Hospital NHS Foundation Trust and primary care across south east London.
This is having a major impact on the delivery of our services, with blood transfusions being particularly affected. Some activity has already been cancelled or redirected to other providers at short notice as we prioritise the clinical work that we are able to safely carry out.
I recognise how upsetting this is for patients and families whose care has been affected, and how difficult and frustrating this is for you all. I am very sorry for the disruption this is causing. An incident response structure has been stood up, with colleagues from across the Trust meeting regularly to assess the situation and put contingency plans into place. All clinical groups are represented on this, so please do direct any clinical or operational questions to your clinical group or directorate leadership as your clinical group or directorate leadership as appropriate. While we do not yet know all the details or how long this issue will take to resolve we will keep you updated through the usual routes, including through the clinical alert system."
The NHS London published a statement on Synnovis ransomware attack confirming that the incident is having a significant impact on the delivery of services at Guy’s and St Thomas’, King’s College Hospital NHS Foundation Trusts and primary care services in south east London.
“On Monday 3 June Synnovis, a provider of lab services, was the victim of a ransomware cyber attack. This is having a significant impact on the delivery of services at Guy’s and St Thomas’, King’s College Hospital NHS Foundation Trusts and primary care services in south east London and we apologise for the inconvenience this is causing to patients and their families.” reads the statement.
“Emergency care continues to be available, so patients should access services in the normal way by dialling 999 in an emergency and otherwise using 111, and patients should continue to attend appointments unless they are told otherwise. We will continue to provide updates for local patients and the public about the impact on services and how they can continue to get the care they need.”
At this time, the company has yet to provide details on the attack, such as the malware family that infected its systems and if it has suffered a data breach.
In April, Synlab Italia, the Italian branch of the SYNLAB group, experienced disruptions due to a Blackbasta cyber attack. The company suspended all activities at sampling points, medical centers, and laboratories in Italy.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ransomware)
The RansomHub ransomware group claimed to have stolen the information of over 2 million customers from the American telecommunications company Frontier Communications. The RansomHub group claims to have stolen 5GB of data from the telecommunications giant.
Stolen data include names, email addresses, SSNs, credits, scores, dates of birth, and phone numbers.
“Data is more than 2 million customer with address name email ssn credit score date of birth and phone number. We gave frontier 2 months to contact us but they don’t care about clients data. Below is screenshot of some of the data.” reads the message published by the group. “Now anyone who wants to buy this data can contact our blog support, we only sell it once.”
In April, Frontier Communications notified the Securities and Exchange Commission (SEC) that it had to shut down certain systems following a cyberattack. The incident was identified on April 14 after that an unauthorized threat actor gained unauthorized access to parts of its IT environment.
The company launched an investigation into the security breach and started operations to contain the incident.
“Based on our investigation, we have determined that the third party was likely a cybercrime group, which gained access to, among other information, personally identifiable information.” reads the Form 10-Q (quarterly report of financial performance) filed by the company with the SEC in May. “While we do not believe the incident is reasonably likely to materially impact our financial condition or results of operations, we continue to investigate the incident, have engaged cybersecurity experts, and have notified law enforcement authorities.”
The company did not provide details about the attack and has yet to disclose the number of the impacted people.
RansomHub has published an image of the stolen records as proof of the data breach and threatens to publish the stolen data if the victim will not pay the ransom within nine days.
At the end of May, Auction house Christie disclosed a data breach following a RansomHub cyber attack that occurred in the same month.
The extortion group said they had stolen 2GB of sensitive information, including personal information belonging to at least 500,000 Christie’s clients.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ransomware)
