04 April 2024  —  Acronis

MSP cybersecurity news digest, April 4, 2024

INC Ransom threatens to leak 3 TB of NHS Scotland stolen data

The INC Ransom group attacked Scotland's National Health Service (NHS) and threatened to leak 3 TB of allegedly stolen data, as reported on its Tor leak site.

Scotland's NHS, a publicly funded health care system, operates independently from those in England, Wales, and Northern Ireland, and is overseen by the Scottish Government. The INC Ransom group posted a notice indicating the imminent publication of the stolen data, showcasing images of medical documents as proof of the attack and demanding a ransom.

Efforts are currently underway to evaluate the extent of the data compromise resulting from the cyberattack and its potential impact on patients and staff. NHS Dumfries and Galloway confirmed the unauthorized access to patient data and condemned the release of confidential information by cybercriminals. The Scottish Government stated that the incident is contained to NHS Dumfries and Galloway and that it is collaborating with law enforcement and cybersecurity agencies to investigate the breach's scope and its implications for affected individuals.

SCAA suffers cyberattack

The South China Athletic Association (SCAA) faced a cyberattack that breached its computer servers and raised concerns about member data security.

In response, the SCAA implemented measures to address the breach and protect its members. An official statement expressed regret over the incident and detailed actions taken, including shutting down affected equipment.

The matter was reported to law enforcement and the Privacy Commissioner's Office, with an estimated 70,000 individuals potentially affected. The Privacy Commissioner issued recommendations for safeguarding personal data and urged vigilance against potential scams.

Over 100 US and EU organizations targeted in StrelaStealer malware attacks

A recent StrelaStealer malware campaign has affected numerous organizations in the U.S. and Europe, targeting email account credentials. First identified in November 2022, StrelaStealer steals credentials from Outlook and Thunderbird and used a polyglot file infection method to avoid detection.

While initially focused on Spanish-speaking users, recent reports from researchers show a shift to targeting individuals in the U.S. and Europe. The malware spreads through phishing campaigns, with a surge in attacks observed since November 2023 that on some days affected over 250 organizations. Analysts noted a peak in activity between late January and early February 2024, surpassing 500 attacks per day in the U.S. and resulting in at least 100 confirmed compromises across the U.S. and Europe.

StrelaStealer has evolved its infection methods and now uses ZIP attachments to deploy JScript files that execute a DLL via rundll32.exe, employing control flow obfuscation to evade detection while continuing to steal email login information.
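The execution chain described above (a JScript stage that launches a DLL through rundll32.exe) leaves a recognizable parent/child process relationship in endpoint telemetry. The following is an added detection example, not code from the digest or from any vendor: it runs over constructed process-creation events in a simple pipe-delimited format (an assumption, not any product's schema) and flags rundll32.exe launched by a Windows script host. It also assumes the JScript stage is run by wscript.exe or cscript.exe, which the digest text does not state explicitly; the user-writable-path heuristic used to raise severity is likewise this example's own.

```python
"""Flag the script-host -> rundll32.exe chain over constructed process events.

Event format (an assumption for this example, not a real product schema):
    timestamp|host|parent_image|image|command_line
"""
import ntpath
from dataclasses import dataclass

# Windows script hosts that run .js (JScript) files. Assumption: the JScript
# stage is launched through one of these.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TARGET_CHILD = "rundll32.exe"

# Heuristic (this example's own): a DLL loaded from a user-writable location
# is more suspicious than one loaded from a system directory.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Constructed sample telemetry; hosts, users and file names are made up.
SAMPLE_LOG = [
    r"2024-03-28T09:12:01Z|ws-01|C:\Windows\explorer.exe|C:\Windows\System32\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL",
    r"2024-03-28T09:14:37Z|ws-02|C:\Windows\System32\wscript.exe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\jdoe\AppData\Local\Temp\invoice.dll,Entry",
    r"2024-03-28T09:15:02Z|ws-03|C:\Windows\System32\cscript.exe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r"2024-03-28T09:16:44Z|ws-04|C:\Windows\System32\wscript.exe|C:\Windows\System32\notepad.exe|notepad.exe",
]


@dataclass
class ProcessEvent:
    ts: str
    host: str
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Split one pipe-delimited event; the command line may itself contain '|'."""
    ts, host, parent, image, cmd = line.split("|", 4)
    return ProcessEvent(ts, host, parent, image, cmd)


def loads_dll_from_user_path(command_line: str) -> bool:
    """True when the rundll32 argument points into a user-writable directory."""
    lowered = command_line.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def detect_chain(lines):
    """Return one alert per event where a script host spawned rundll32.exe."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        parent = ntpath.basename(ev.parent_image).lower()
        child = ntpath.basename(ev.image).lower()
        if parent in SCRIPT_HOSTS and child == TARGET_CHILD:
            alerts.append({
                "ts": ev.ts,
                "host": ev.host,
                "parent": parent,
                "command_line": ev.command_line,
                "severity": "high" if loads_dll_from_user_path(ev.command_line) else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['ts']} {alert['host']}: "
              f"{alert['parent']} -> rundll32.exe :: {alert['command_line']}")
```

On the sample events this produces two alerts: the wscript.exe launch of a DLL from a Temp directory is rated high, and the cscript.exe launch of a system DLL is rated medium; explorer.exe spawning rundll32.exe and wscript.exe spawning notepad.exe are ignored. In practice the same parent/child logic is expressed as a rule in whatever EDR or SIEM query language is in use, with the path heuristic tuned to the environment.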

Spa Grand Prix email account breached to phish banking info from fans

Attackers seized control of the official contact email for the Belgian Grand Prix, enticing fans with a fake website promising a €50 gift voucher. The Spa Grand Prix, hosted at Circuit de Spa-Francorchamps in Stavelot, Belgium, is renowned for its challenging track and historical significance. A deceptive email was sent, prompting recipients to click a link leading to a counterfeit website similar to the official one. This tricked users into sharing personal and banking information to claim the voucher.

The hijacking occurred on March 17, 2024, prompting Spa GP to caution users via email and to request its IT subcontractor to deploy additional security measures. Belgian cyber police were informed of the incident, and Spa GP plans to file a civil claim while urging affected customers to contact them.

Despite the breach, Spa GP assured users of the continued security of its official website and ticketing system.

Radiant Logistics and Crinetics reported cyberattacks

Two North America-based companies, Radiant Logistics and Crinetics, have recently become victims of two separate cyberattacks. Following the attacks, both companies have reportedly taken action to address the breaches and mitigate potential risks.

Radiant Logistics, a logistics partner for domestic and international freight companies with revenue of over $1.08 billion in 2023, had to isolate its Canadian operations after a cyberattack impacted its systems. The company activated incident response protocols and engaged cybersecurity professionals to assess the breach's impact. The company stated that despite disruptions in Canada, operations in the U.S. and other international territories remained unaffected.

In a separate incident, Crinetics, a U.S.-based pharmaceutical company with annual revenue of $4.01 million, faced a cyberattack claimed by the LockBit ransomware group, which prompted the company to initiate its incident response protocol and engage third-party cybersecurity experts.