Brief #25: Ransomware Disrupts Cancer Treatment, Google Calendar Exploited for C2 Operations and More

Week 45/2023 in Brief: Ransomware in Canadian Hospitals, OpenAI DDoS Attack, Google Calendar RAT Exploit, BlazeStealer Malware, Cl0p Ransomware's New Offensive

Ransomware Hits Cancer Treatments in Canadian Hospitals

  • Widespread System Compromise: On October 23, a ransomware attack by the Daixin Team severely disrupted five hospitals in southwestern Ontario, Canada. The attackers penetrated the IT infrastructure of TransForm, the hospitals' shared services provider, leading to a substantial data breach that covered records of 5.6 million patient visits and the social insurance numbers of more than 1,400 employees, and causing prolonged outages across all five hospitals.
  • Direct Impact on Patient Care: The fallout was felt most acutely at Windsor Regional Hospital, where cancer patients awaiting radiation treatment had to be relocated to other facilities. Hospitals including Erie Shores HealthCare grappled with the shutdown of critical systems such as email, Wi-Fi and patient information systems, forcing staff to fall back on manual, paper-based processes.
  • Ransom Demand and Data Exploitation: The attackers initially demanded an estimated $4 million ransom. The Daixin Team then published large quantities of sensitive data exfiltrated from the hospitals' servers and threatened further leaks or sale of the data on dark web forums, escalating the crisis and exposing every patient whose records were included.
  • Security Lapses and Infiltration Tactics: A Daixin Team spokesperson claimed that the breach was made possible by systemic weaknesses: TransForm's system administrators reused passwords across multiple systems, and the network lacked segmentation. Those two gaps, if the claim is accurate, are exactly what turns a single set of stolen credentials into a full-network compromise, since nothing stops the attacker from reusing the same password on every host they can reach.

OpenAI's ChatGPT Services Disrupted by Targeted DDoS Attacks

  • Widespread Service Interruptions: OpenAI's ChatGPT and its APIs suffered periodic outages over more than 24 hours as a result of a series of distributed denial-of-service (DDoS) attacks, which disrupted user access and degraded service reliability.
  • Response and Mitigation Efforts: OpenAI's engineering team acknowledged the attacks and deployed mitigations that restored service, although availability continued to drop intermittently while the attacks were ongoing.
  • Hacktivist Group Involvement: A hacktivist group that had previously claimed attacks on Microsoft took responsibility for the DDoS campaign against OpenAI, which suggests a politically or ideologically motivated operation rather than one driven by financial gain.
  • Implications for AI Service Stability: The incident is a reminder that AI services are exposed to the same availability threats as any other internet-facing service. DDoS resilience (upstream traffic scrubbing, rate limiting, capacity headroom) has to be part of their design from the start, and the attacks on a high-profile target like OpenAI show that these services will be singled out.

Google Calendar RAT (Remote Access Tool) Used for Command-and-Control Operations

  • A Public Red-Team Tool: The Google Calendar RAT (GCR), written by researcher Valerio Alessandroni and published on GitHub in June 2023, is a proof of concept rather than an exploit: it abuses no vulnerability in Google's service, but uses Google Calendar as the carrier for command-and-control (C2) traffic. Because the only infrastructure required is a Google account instead of an attacker-owned server, it lowers the setup cost for red teamers and malicious actors alike.
  • How the Channel Works: The implant polls the events in a calendar belonging to an attacker-controlled Gmail account. The operator places commands in event descriptions; the implant executes them and writes the output back into the same description, where the operator reads it. All traffic is ordinary HTTPS to Google's own API endpoints, which is what makes the channel hard to distinguish from legitimate use.
  • Google's Warning: Google has warned that multiple threat actors have been sharing the public PoC on underground forums. Google did not report seeing GCR deployed in the wild at the time of its warning, but the interest confirms a well-documented pattern: threat actors readily repurpose everyday cloud services as attacker infrastructure, because defenders cannot block them without breaking legitimate business use.
  • Growing Cybercriminal Interest: The repository's repeated forking on GitHub since its release points to growing adoption among attackers. Since blocking Google's domains is not an option, the practical response is to watch for endpoint processes that poll the Calendar API on a fixed cadence, and to treat trusted SaaS platforms as potential C2 carriers in threat models and detection engineering.
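The round trip described above (operator queues a command in an event description, implant polls, executes and writes the output back), as an added illustration that is not code from the Google Calendar RAT project. The real tool talks to the Google Calendar API; here an in-memory stub stands in for it so the loop runs offline, and the "cmd:"/"out:" markers, the event ids and the command allowlist are assumptions made for this example.

```python
"""Command-and-control over calendar event descriptions, as a runnable model.

Added example, not the Google Calendar RAT's own code. The Calendar API is
replaced by an in-memory stub so the loop runs offline; the "cmd:"/"out:"
markers, the event ids and the command allowlist are assumptions made for
this illustration.
"""
import shlex
import subprocess

PENDING = "cmd:"   # assumed marker: operator has queued a command in the description
DONE = "out:"      # assumed marker: implant has overwritten the command with its output


class CalendarStub:
    """Stands in for the Calendar API: event id -> description text."""

    def __init__(self, events):
        self.events = dict(events)

    def list_events(self):
        return list(self.events.items())

    def update_description(self, event_id, text):
        self.events[event_id] = text


def operator_queue(cal, event_id, command):
    """Operator side: write a command into an event description."""
    cal.update_description(event_id, PENDING + command)


def implant_poll_once(cal, allowed=("echo", "hostname", "whoami")):
    """Implant side: one polling cycle; returns the event ids it acted on.

    Only commands whose program is in `allowed` run here, as a safety rail for
    the illustration; a real implant executes whatever it finds.
    """
    handled = []
    for event_id, desc in cal.list_events():
        if not desc.startswith(PENDING):
            continue
        argv = shlex.split(desc[len(PENDING):])
        if not argv or argv[0] not in allowed:
            cal.update_description(event_id, DONE + "refused")
        else:
            proc = subprocess.run(argv, capture_output=True, text=True)
            cal.update_description(event_id, DONE + proc.stdout.strip())
        handled.append(event_id)
    return handled


def operator_collect(cal):
    """Operator side: read results back; on the wire this is an ordinary Calendar read."""
    return {eid: desc[len(DONE):] for eid, desc in cal.list_events() if desc.startswith(DONE)}


def demo():
    """Run one full operator -> implant -> operator round trip on the stub."""
    cal = CalendarStub({"evt-1": "Team sync", "evt-2": "", "evt-3": ""})
    operator_queue(cal, "evt-2", "echo beacon-ok")
    operator_queue(cal, "evt-3", "cat /etc/passwd")  # outside the allowlist, so refused
    handled = implant_poll_once(cal)
    return {"handled": handled, "results": operator_collect(cal), "untouched": cal.events["evt-1"]}


if __name__ == "__main__":
    print(demo())
```

Note what the model makes visible: the implant never contacts anything but the calendar store, so on a real host the only network artefact is periodic HTTPS to Google's API. Detection therefore has to come from the endpoint (which process is polling, how regularly) or from the Google account side (event descriptions rewritten programmatically), not from destination filtering.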

BlazeStealer Python Malware: A Developer's Nightmare

  • Covert Infiltration via Python Packages: BlazeStealer is a malware family distributed through the Python Package Index (PyPI). Its packages posed as code-obfuscation tools, with names such as pyobftoexe and pyobfgood, and carried a setup script that runs the malicious payload as soon as the package is installed. The lure deliberately targets developers, who routinely handle source code, credentials and access tokens and are therefore valuable victims.
  • Comprehensive System Control and Data Harvesting: Once installed, BlazeStealer runs a Discord bot that gives the attackers full control over the host. Through it they can exfiltrate detailed host information, steal saved passwords (especially from Chrome), install a keylogger, download files, and capture screenshots and audio. It can also render the machine unusable by overloading the CPU, forcing shutdowns or triggering a blue screen of death (BSOD).
  • Webcam Hijacking and File Encryption: A particularly invasive feature is webcam capture: the malware quietly downloads WebCamImageSave.exe, uses it to take photos through the webcam and sends the images to the attackers. It can also encrypt files on the infected host, giving it a ransomware capability on top of its stealer functions.
  • Global Reach and Prevalence: Downloads were traced to the U.S., China, Russia and several European countries; in total the malicious packages were downloaded 2,438 times before they were removed. Developers should vet packages before installing them, and in particular inspect what a package's setup script does at install time, since that is where this family hides its payload and where a plain `pip install` will execute it.
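One concrete form of that vetting, added here as an example and not code from Checkmarx's analysis or from the malicious packages themselves: a static pass over a downloaded sdist's setup.py that flags the install-hook pattern (a subclass of setuptools' install command registered via cmdclass) together with code-execution primitives and network, process and decoding imports that a packaging script has no reason to use. Both setup.py samples below are constructed for the illustration; the package names and the base64 payload are placeholders.

```python
"""Static check for install-time code in a Python sdist's setup.py.

Added example, not Checkmarx's analysis code and not BlazeStealer's own code.
The two setup.py samples are constructed for this illustration; they do not
reproduce the real packages' contents.
"""
import ast

# Things a legitimate setup.py almost never needs: code-execution primitives,
# process/network/decoding modules, and overrides of setuptools' install commands.
RISKY_CALLS = {"exec", "eval", "compile", "__import__", "os.system",
               "subprocess.run", "subprocess.Popen", "subprocess.call",
               "subprocess.check_output", "urllib.request.urlopen"}
RISKY_MODULES = {"subprocess", "urllib", "requests", "socket", "base64", "ctypes"}
SETUPTOOLS_COMMANDS = {"install", "develop", "egg_info", "build_py"}


def _dotted(node):
    """Render a Name/Attribute chain such as subprocess.run as 'subprocess.run'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def audit_setup_py(source):
    """Return human-readable findings for one setup.py; an empty list means nothing suspicious."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in RISKY_MODULES:
                    findings.append(f"line {node.lineno}: imports {alias.name}")
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in RISKY_MODULES:
                findings.append(f"line {node.lineno}: imports from {node.module}")
        elif isinstance(node, ast.ClassDef):
            hooked = {_dotted(b) for b in node.bases} & SETUPTOOLS_COMMANDS
            if hooked:
                findings.append(f"line {node.lineno}: class {node.name} overrides setuptools "
                                f"command '{sorted(hooked)[0]}' (runs at install time)")
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in RISKY_CALLS:
                findings.append(f"line {node.lineno}: calls {name}()")
            if name == "setup" and any(kw.arg == "cmdclass" for kw in node.keywords):
                findings.append(f"line {node.lineno}: setup() registers a custom cmdclass")
    return findings


# Constructed sample: an ordinary package that does nothing at install time.
BENIGN_SETUP = """\
from setuptools import setup, find_packages

setup(name="tidy-strings", version="1.0.0", packages=find_packages())
"""

# Constructed sample mimicking the install-hook pattern: a subclass of the
# setuptools install command that decodes and executes a payload.
# The package name and payload are placeholders, not the real packages' values.
HOOKED_SETUP = """\
import base64
import urllib.request
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        payload = base64.b64decode("cHJpbnQoJ2hpJyk=")
        exec(payload)

setup(name="example-obfuscator", version="0.1", cmdclass={"install": PostInstall})
"""


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("hooked", HOOKED_SETUP)):
        print(label, audit_setup_py(src) or "clean")
```

To use it on a real package, fetch the source distribution without installing it (`pip download --no-deps --no-binary=:all: <package>`), unpack the archive and run audit_setup_py on its setup.py. The check is deliberately simple: it does not follow aliased imports, string-built attribute names or code placed in other modules that setup.py imports, and a package built from pyproject.toml can run arbitrary code through its build backend with no setup.py at all. Treat a clean result as "no obvious hook", not as a guarantee.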

Cl0p Ransomware Group Exploits SysAid Zero-Day in Latest Cyber Offensive

  • Zero-Day Vulnerability and Ransomware Deployment: The Cl0p ransomware group, responsible for the mass exploitation of the MOVEit Transfer bug earlier in 2023, is now exploiting a zero-day in SysAid's on-premises IT service management software. The flaw, tracked as CVE-2023-47246, is a path traversal that leads to code execution; Microsoft's threat intelligence team identified the exploitation, and SysAid disclosed the vulnerability and released a patch on Nov. 8. SysAid is widely deployed in data-sensitive sectors, which makes the flaw a critical concern.
  • Incident Response and Mitigation Efforts: After the vulnerability came to SysAid's attention on Nov. 2, the company activated its incident response process, contacted customers with mitigation guidance and engaged Profero, an incident response firm, to investigate. SysAid urges customers running on-premises servers to update to version 23.3.36 and to conduct a full assessment of their networks for signs of compromise, since a patch alone does nothing for a server that was already breached.
  • Technical Breakdown of the Attack: Microsoft attributes the activity to Lace Tempest (formerly tracked as DEV-0950), the affiliate associated with Cl0p. The attacker uploaded a WAR archive containing a web shell into the webroot of SysAid's Tomcat web service, which gave them code execution on the server. From there a PowerShell script launched a loader, user.exe, which loaded the GraceWire trojan into system processes; a second PowerShell script then deleted evidence of the intrusion from the server's logs.
  • Widespread Implications and Security Recommendations: The chain (web shell, loader, trojan, log wiping) is a familiar one, and so are the defensive lessons: patch quickly, watch for unexpected archives appearing under application webroots and for scripting hosts spawning binaries out of application directories, and forward logs to a system the attacker cannot reach, because on-host log deletion was an explicit step in this playbook.
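The hunt implied by that chain, written out as an added example and not as detection content published by SysAid, Microsoft or Profero: it runs over a handful of constructed Sysmon-style records (file creation, process creation) plus Windows "log cleared" events, and flags a WAR dropped into the Tomcat webroot, PowerShell launching a binary from the SysAid install tree, and a log wipe that follows that activity within an hour. The install path, the Tomcat layout beneath it and the loader's location are assumptions about a default deployment, not published indicators.

```python
"""Hunt for the SysAid attack chain above in endpoint telemetry.

Added example, not detection content from SysAid, Microsoft or Profero.
The records are constructed in a simplified Sysmon-like shape; the SysAid
install path, the Tomcat layout beneath it and the loader's location are
assumptions about a default deployment, not published indicators.
"""
from datetime import datetime, timedelta

SYSAID_ROOT = r"c:\program files\sysaidserver"       # assumed default install path (lower-case for matching)
TOMCAT_WEBAPPS = SYSAID_ROOT + r"\tomcat\webapps"    # assumed Tomcat webroot beneath it
LOG_CLEARED_IDS = {1102, 104}                        # Windows: Security log cleared, System log cleared
CLEANUP_WINDOW = timedelta(hours=1)                  # a log wipe this soon after intrusion activity is suspicious


def hunt(events):
    """Return (kind, time, detail) hits for the three stages: drop, loader, log wipe."""
    hits = []
    for e in events:
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 11:                              # Sysmon FileCreate
            target = e["target"].lower()
            if target.startswith(TOMCAT_WEBAPPS) and target.endswith(".war"):
                hits.append(("war_dropped_in_webapps", t, e["target"]))
        elif e["id"] == 1:                             # Sysmon ProcessCreate
            parent, image = e["parent"].lower(), e["image"].lower()
            if parent.endswith("\\powershell.exe") and image.startswith(SYSAID_ROOT):
                hits.append(("powershell_runs_binary_from_sysaid_tree", t, e["image"]))
    # Only count a log clear as part of the chain if it follows the other activity closely.
    earliest = min((t for _, t, _ in hits), default=None)
    if earliest is not None:
        for e in events:
            t = datetime.fromisoformat(e["time"])
            if e["id"] in LOG_CLEARED_IDS and earliest <= t <= earliest + CLEANUP_WINDOW:
                hits.append(("log_cleared_after_intrusion_activity", t, e["channel"]))
    return hits


SAMPLE_EVENTS = [  # constructed records, not from a real incident
    {"time": "2023-11-02T10:00:00", "id": 11, "channel": "Sysmon",
     "target": r"C:\Program Files\SysAidServer\tomcat\webapps\example.war"},
    {"time": "2023-11-02T10:02:30", "id": 1, "channel": "Sysmon",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Program Files\SysAidServer\user.exe"},
    {"time": "2023-11-02T10:03:00", "id": 1, "channel": "Sysmon",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"time": "2023-11-02T10:20:00", "id": 1102, "channel": "Security"},
    {"time": "2023-11-03T09:00:00", "id": 104, "channel": "System"},   # next day: outside the window
]


def hit_kinds(events=SAMPLE_EVENTS):
    """Just the hit names, in detection order."""
    return [kind for kind, _, _ in hunt(events)]


if __name__ == "__main__":
    for kind, when, detail in hunt(SAMPLE_EVENTS):
        print(f"{when.isoformat()} {kind}: {detail}")
```

The third rule is the one that matters for this incident: a log-cleared event is noisy on its own, but one that lands minutes after a new WAR and a PowerShell-spawned binary in the application tree is the attacker's cleanup step. It only fires if the earlier events survived, which is the argument for shipping logs off the host before anyone has a chance to wipe them.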