MSP cybersecurity news digest, May 10, 2024

French hospital CHC-SV refuses to comply with LockBit 3.0’s extortion demand

Hôpital de Cannes - Simone Veil (CHC-SV) in France faced a severe operational disruption due to a cyberattack, prompting the hospital to halt non-emergency procedures and appointments and take all computers offline.

Subsequently, the hospital received a ransom demand from the LockBit 3.0 ransomware gang, which it refused to pay, instead forwarding it to law enforcement authorities. LockBit threatened to leak the stolen hospital files on the dark web, but the hospital asserted that it would not yield to the ransom demand and promised to notify affected individuals if data leakage occurs. The gang claims to have exfiltrated 61.7 GB from hospital networks.

Meanwhile, the hospital's IT team continues to work on restoring affected systems, alongside the ongoing internal investigations into the incident. Situated along the French Riviera, the 869-bed hospital caters to approximately 150,000 outpatients, accommodates 50,000 emergency room visits, conducts 9,000 surgeries, and oversees 1,500 births annually, with a workforce of over 2,000 doctors and staff members.

Cyberattack on Canada’s London Drugs causes their stores to temporarily close down

London Drugs, a Canadian pharmacy chain, has temporarily shut down all its retail stores across Western Canada following a cybersecurity incident.

The company employs more than 9,000 people who provide pharmacy and healthcare services in over 80 stores across Alberta, Saskatchewan, Manitoba and British Columbia, and had an estimated $3 billion in sales in 2022.

The company stated that it has taken immediate steps to safeguard its network and data, though no evidence of customer or employee data compromise has been found so far. London Drugs added that collaboration with cybersecurity experts is underway to address the incident and ensure the secure reopening of its stores.

DPRK hacking groups hit South Korean defense contractors 

The National Police Agency in South Korea issued a critical warning regarding North Korean hacking groups targeting defense industry entities to exfiltrate valuable technology information.

The police identified successful breaches by Lazarus, Andariel, and Kimsuky, all linked to the North Korean hacking apparatus. Leveraging vulnerabilities in targets' or subcontractors' environments, the attackers implanted malware capable of exfiltrating data.

A special inspection conducted earlier this year uncovered company compromises dating back to late 2022. The diverse methods employed in the attacks, such as exploiting network connection systems and stealing account information, underscore the persistent threat posed by North Korean hackers to South Korea's defense sector.

Phishing attacks cause data breaches at Los Angeles County Health Services and Kaiser Permanente

The Los Angeles County Department of Health Services reported a data breach impacting thousands of patients' personal and health information, following a phishing attack affecting more than two dozen employees. This health system oversees public hospitals and clinics in LA County, the second-largest public health care system in the U.S. after NYC Health + Hospitals.

Approximately 6,085 individuals' information may have been affected, with 23 employees having their credentials stolen in a February phishing attack, granting attackers access to patients' data stored in the employees' email inboxes. While no evidence of misuse was found, affected individuals are advised to verify the accuracy of their medical records with their health care providers.

In a separate case, Kaiser Permanente, a major health care service provider in the U.S., reported a data security incident affecting approximately 13.4 million individuals. The incident involved the leaking of personal information to third-party trackers installed on its websites and mobile applications. Information potentially exposed includes IP addresses, user interactions with the platforms, and search terms used, but sensitive data such as usernames, passwords and financial information were not compromised. Kaiser Permanente has since removed the trackers and implemented measures to prevent similar incidents, and while there is no evidence of misuse, affected individuals will be notified as a precautionary measure.

BlackSuit ransomware claims responsibility for attack on Australian property firm

Australian property valuation specialists Herron Todd White reportedly lost over 300 GB of data to the BlackSuit ransomware gang.

The prolific BlackSuit gang claimed responsibility for the attack, posting details of the data exfiltrated to its darknet leak site. While BlackSuit did not disclose specific ransom demands or deadlines, they indicated possession of substantial data, including paperwork and customer databases.

The attack has prompted concern among employees and ex-employees of the company. Herron Todd White has an extensive presence across Australia, claiming its network covers 95% of the population. The company has assured clients of its commitment to resolving the issue, but declined further comment on the incident. BlackSuit's activities show a recent surge in attacks, totaling 21 victims in April alone.