Breach Roundup: Johnson Controls Suffers Ransomware AttackAlso, New Malware Targets New Bitwarden Users
Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, Johnson Controls suffered a ransomware attack, the Philippine state health insurance program was recovering from ransomware, Air Canada reported a cyberattack, an APT group used the American Red Cross as bait, new malware targeted Bitwarden, and a LATAM cybersecurity conference occurred.
Johnson Controls Suffers Ransomware Attack
Global smart building and security systems maker Johnson Controls faces a major cybersecurity incident, it disclosed in a regulatory filing. "The incident has caused, and is expected to continue to cause, disruption to parts of the Company’s business operations," it told the U.S. Securities and Exchange Commission.
Bleeping Computer reported the incident appears to be a ransomware attack from a recently formed criminal group calling itself "Dark Angels." The group is demanding $51 million, the outlet said.
The attack affects subsidiary brands, affecting operations. Some systems are offline, and the company is working to mitigate risks. Johnson Controls subsidiaries, such as Simplex and Ruskin, have displayed technical outage messages on their websites. "We are currently experiencing IT outages that may limit some customer applications such as the Simplex Customer Portal," a banner message read.
CNN reported late Thursday afternoon that the U.S. Department of Homeland Security is investigating whether the hackers compromised information regarding the physical security of DHS facilities. Johnson Controls is a government contractor. "We do not currently know the full extent of the impact on DHS systems or facilities," states an internal memo reported by CNN.*
Philippine State Insurance Program Suffers Ransomware
PhilHealth President and CEO Emmanuel Ledesma said on Saturday that access to Health Care Institution member portals and e-claims was temporarily disabled as a precaution. "PhilHealth's Management assures the public that the incident is under control and that no personal information and medical information has been compromised or leaked," Ledesma said. The country's data protection regulator, the National Privacy Commission, ordered PhilHealth to appear before it and cooperate with an on-site investigation.
The Medusa ransomware operation took responsibility for the attack, demanded $300,000 for the data's deletion and threatened to release allegedly stolen data on Monday afternoon unless it receives an extortion payment.
Air Canada Reports Cyberattack
Air Canada reported a cyberattack on its internal systems, disclosing that unauthorized individuals had gained access to employee records. The airline said the breach did not affect customer information and that flight operations and customer-facing services are fully functional. Air Canada did not specify when the breach was discovered, but it acknowledged that the incident briefly allowed unauthorized access to limited personal information of some employees and certain records.
Air Canada employs close to 36,000 individuals who may have had their personal data compromised, although the airline did not disclose the exact nature of the accessed sensitive information. The company said it has taken steps to enhance security measures, collaborating with external cybersecurity experts to prevent future attacks.
APT Group Deploys American Red Cross as Bait
A new advanced persistent threat group dubbed AtlasCross is deploying a novel phishing lure using the American Red Cross as bait. NSFOCUS Security Labs discovered the campaign using a Microsoft Word macro-enabled document titled "Blood Drive September 2023.docm." Once victims had enabled macros, a Red Cross-themed flyer appeared, while malicious macro code dropped a
.pkg file on the victim's system. The file served as a loader Trojan, called as DangerAds, executing a shellcode to load the final payload, a unique Trojan dubbed AtlasAgent.
The AtlasAgent Trojan is designed for tasks such as obtaining host and process information, preventing multi-program execution, injecting specified shellcode and downloading files from command-and-control servers.
New Malware Targets New Bitwarden Users
Proofpoint researchers discovered a new malware strain they call "ZenRAT" hidden within counterfeit installation packages for open-source password management app Bitwarden. ZenRAT is a modular remote access Trojan targeting Windows users to steal information using SEO poisoning, adware bundles or email campaigns.
ZenRAT first appeared on a deceptive website resembling the legitimate Bitwarden site. It displays a fake Bitwarden download for Windows users while redirecting non-Windows users to an article cloned from opensource.com discussing how to set up Bitwarden.
Once launched as
ApplicationRuntimeMonitor.exe, ZenRAT collects system information including details about the CPU and GPU, the operating system version, IP address and installed software, transmitting it to a command-and-control server using a unique communication protocol. ZenRAT communicates with its C2 server through various parameters such as command IDs, data sizes, hardware IDs, bot IDs, versions, and builds. It supports commands such as transmitting logs, geofencing, mutex creation, disk size verification, and anti-virtualization measures. While ZenRAT's modular design suggests the potential for expanded capabilities, researches have probed only its core functionality so far.
Homeland Security Kicks Off Cyber Conference for the Americas
The Biden administration kicked off the Western Hemisphere Cyber Conference on Wednesday to address cybersecurity threats in the Americas, particularly concerning China's aggressive actions. The conference is hosted by the Department of Homeland Security and aims to foster cooperation between the U.S. and Latin American nations in identifying and countering hackers, whether individuals, criminal groups or state-sponsored actors. The two-day conference had participation from 21 countries that came together to emphasize the subject of cybersecurity in an interconnected world and seeks to fortify partner countries' cyber capabilities.
Other Coverage From Last Week
- Xenomorph Android Malware Campaign Targets US Banks
- School, Hospital Leaders on Front Lines of Ransomware Attack
- ShadowSyndicate: A New Player in the RaaS Landscape
- Sony Investigating Potential Data Breach
With reporting from Information Security Media Group's Prajeet Nair in Bengaluru
*Updated Sept. 28, 2023 21:23 UTC: Adds that the U.S. Department of Homeland Security is investigating whether the ransomware attack on Johnson Controls affects its physical security.