Breach Roundup: Rhysida Ransom Gang Cops to Hospital Hacks - Source: www.databreachtoday.com

Endpoint Security
,
Fraud Management & Cybercrime
,
Ransomware

Also: Cyberattack Disrupts Expat Voting in Ecuador; Africa Arrests Cybercriminals

Anviksha More (AnvikshaMore) •
August 24, 2023

Breach Roundup: Rhysida Ransom Gang Cops to Hospital Hacks

Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, a ransomware gang claimed responsibility for attacks on a multistate U.S. hospital chain, a cyberattack disrupted expat voting in Ecuador, Africa cracked down on cybercrime, Latitude Financial said its hacking incident cost AU$76 million, and new malware targeted macOS users.

Ransomware Gang Sells Prospect Medical Holdings Data

Ransomware gang Rhysida on its dark web data leak site is claiming to sell for 50 bitcoin a 1.3-terabyte SQL database and 1 terabytes of “unique files” exfiltrated from Prospect Medical Holdings. Among the information Rhysida claims to have obtained from the multistate 16-hospital chain are 500,000 Social Security numbers as well as patient files, passports, driver’s licenses, and legal and financial documents.

Prospect Medical Holdings experienced a severe ransomware attack earlier this month that led some hospitals to refuse new emergency patients and others to postpone elective surgeries. The Associated Press reported Aug. 18 that system recovery was still ongoing. The Prospect Medical Holdings website as of Thursday said that the chain “is experiencing a systemwide outage. We are working to resolve the issue as soon as possible and regret any inconvenience.”

The U.S. Department of Health and Human Services warned the healthcare sector that Rhysida, a relatively new ransomware-as-a-service group, was focusing its attention on medical facilities (see: Authorities Warn Health Sector of Attacks by Rhysida Group).

Cyberattack Disrupts Online Voting in Ecuador

Ecuador’s national election encountered difficulties after a cyberattack disrupted telematics voting by citizens living abroad. Roughly 120,000 expatriates from the Andean nation registered to participate in the Sunday elections, which became particularly fraught after the Aug. 10 assassination of presidential candidate Fernando Villavicencio, an outspoken critic of the corruption induced by drug trafficking.

The presidential race ended in a runoff between left-wing candidate Luisa Gonzalez and centrist Daniel Noboa, who will both face a round of voting in October.

President of the National Electoral Council Diana Atamaint in a press conference acknowledged that the cyberattacks had affected the ease of accessing the telematics systems. She said the attacks had come – or appeared to have come – from India, Bangladesh, Ukraine, Russia, Pakistan, Indonesia and China, reported local media. The attacks did not compromise any votes, Atamaint said.
During an interview with CNN, she said voters located in Spain and Italy had been especially affected by the attack. “We always knew that we were exposed to this possibility – nevertheless and despite security measures, these are our circumstances,” she said, in Spanish. Ecuadorian law under some circumstances allows elections to be rerun if the voting turnout issues affected the results, she said.

Cybercrime Crackdown in Africa

In a collaborative effort spanning 25 African countries, Interpol and Africapol orchestrated the apprehension of 14 suspected cybercriminals alleged to be part of operations linked to the theft of more than $40 million.

Dubbed Africa Cyber Surge II, the operation spanned four months, commencing in April 2023. Kenyan authorities took down 615 malware-hosting sites, and Cameroonian law enforcement shuttered two darknet platforms.

Authorities in Cameroon also arrested three individuals for their alleged involvement in an online scam valued at $850,000, and Nigerian authorities detained someone suspected of being responsible for defrauding a Gambian victim.

Latitude Financial Reveals AU$76 Million Cost for Hacking Incident

Australian consumer lender Latitude Financial Services said in a regulatory filing that its March hacking incident will cost it AU$76 million. The non-bank lender disclosed that hackers had stolen approximately 7.9 million Australian and New Zealand driver’s license numbers and an additional 6.1 million records – including names, addresses, phone numbers and birthdates – in a database containing information dating back to at least 2005.

The lender refused to pay a ransom. In the filing, Latitude said insurance payouts may drive down “some or all” of the AU$76 million cost of responding to the incident.

New XLoader Variant Targets macOS

Security researches said hackers are targeting macOS users with a new variant of malware known as XLoader, a sign that threat actors are increasingly turning their attention to the Apple desktop. The latest version of XLoader is bundled inside a standard Apple disk image with the name OfficeNote.dmg, researchers at SentinelOne said. The malware “attempts to steal browser and clipboard secrets that could be used or sold to other threat actors for further compromise.”

A recent report from Malwarebytes said that although Mac malware is still rare, it is steadily on the rise.

The SentinelOne researchers said advertisements on criminal forums offer to rent the Mac version of XLoader for $199 a month or $299 for three months – substantially more than the Windows version, which retails at just $59 a month or $129 for three months.

Hackers behind the new XLoader modified it to run as a macOS disk management file after apparently finding the reach of its previous version from 2021 too limited. That original macOS XLoader was distributed as a Java program, but Apple hasn’t shipped the Java Runtime Environment on macOS since Snow Leopard debuted nearly 15 years ago. That meant the malware could only run on desktops on which users had installed Java.