Ransomware Crisis: High Alert For Cyber Attacks
Toyota Financial Services and the Medusa ransomware attack
Toyota Financial Services (TFS) has confirmed unauthorized access to its systems in Europe and Africa, after ransomware group Medusa claimed responsibility for a ransomware attack on the company.
Medusa threatened to release the stolen data and demanded a ransom of $8 million.
Toyota was given 10 days to respond, with the option to extend the deadline by paying $10,000 per day.
The company's statement did not confirm whether the data was actually stolen.
However, cybercriminals have released data samples that include financial documents, purchase invoices, passwords, passport scans, internal organizational charts, and employee email addresses.
The attackers may have exploited the Citrix Bleed vulnerability (CVE-2023-4966), a critical flaw that had not been patched at the company's German office, leaving that site exposed.
Cyber attack in Long Beach, California
On November 14, the city of Long Beach, California, suffered a cyberattack that shut down parts of its IT network.
The shutdown was a defensive measure intended to keep the attack from spreading to other devices.
While the exact nature of the attack has not been confirmed, it has the characteristics of a ransomware attack.
If confirmed as a ransomware attack, it would be the 80th attack on a local government in the U.S. in 2023.
The city has hired a cybersecurity firm and notified the FBI; it has also made support measures available to citizens, according to the published press release.
The city has warned that some online services will be unavailable, but emergency services remain operational.
Toronto Public Library: Ransomware attack and data theft
Following the attack at the end of October that we reported on in the last newsletter, the Toronto Public Library has confirmed that information has been stolen.
This includes the personal information of employees, customers, volunteers, and donors, including name, social security number, date of birth, home address, and copies of government identification documents.
Despite the malware attack, the library's main servers were not encrypted.
The Black Basta ransomware group, an affiliate of the Conti ransomware, is suspected to be behind the attack.
The library continues to work with cybersecurity experts to investigate the incident and has notified Ontario's Information and Privacy Commissioner of the incident, according to the update.
Rhysida ransomware: Warning from FBI and CISA
The FBI and CISA have issued a warning about Rhysida ransomware, which is targeting organizations across a variety of industries.
Rhysida, which first appeared in May 2023, quickly gained notoriety for leaking stolen data online.
Most recently, the U.S. Department of Health and Human Services (HHS) warned that Rhysida is responsible for recent ransomware attacks in the healthcare sector.
The joint cybersecurity advisory provides indicators of compromise (IOCs), detection information, and Rhysida tactics, techniques, and procedures (TTPs) discovered during the investigation.
Those responsible for Rhysida attacks are known to target "targets of opportunity," including victims in the education, healthcare, manufacturing, IT, and government sectors.
Rhysida operates under the ransomware-as-a-service (RaaS) cybercrime model: affiliates compromise organizations in these industries and split the ransom with the group.
In addition, Rhysida actors are known for phishing attacks and for exploiting Zerologon (CVE-2020-1472), a critical Windows privilege escalation vulnerability in Microsoft's Netlogon remote protocol.
LockBit exploits Citrix Bleed in ransomware attacks
LockBit ransomware attacks are leveraging publicly available exploits for the Citrix Bleed vulnerability (CVE-2023-4966) to infiltrate the systems of large organizations, stealing data and encrypting files.
Although Citrix released fixes for CVE-2023-4966 more than a month ago, thousands of Internet-facing Citrix devices remain unpatched, many of them in the United States.
After the ransomware activity was detected, the Industrial and Commercial Bank of China (ICBC), DP World, Allen & Overy, and Boeing were all found to have exposed Citrix servers vulnerable to Citrix Bleed.
Currently, more than 10,400 Citrix servers are vulnerable to CVE-2023-4966, according to findings shared with BleepingComputer by Japanese threat researcher Yutaka Sejiyama.
Maine government data breach MOVEit: 1.3 million people notified
The government of Maine has announced a major cybersecurity breach affecting approximately 1.3 million people, nearly the entire population of the state.
The incident was caused by the exploitation of a vulnerability in the MOVEit file transfer tool, which is used by various Maine state agencies.
The data breach was part of a larger data theft campaign by the Clop ransomware group, which began exploiting a zero-day vulnerability in the software in late May 2023.
The attack compromised sensitive personal information, including full names, Social Security numbers, dates of birth, driver's license numbers, state and tax identification numbers, and health insurance information.
The hardest hit agencies were the Maine Department of Health and Human Services and the Maine Department of Education.
The Maine government said the delay in notifying the public was due to the need to conduct a thorough investigation.
All affected citizens will receive a notification letter with instructions on how to access free credit monitoring and identity theft protection services for two years.
Recipients are advised to regularly monitor their financial accounts for suspicious activity or unrecognized charges, and to report any irregularities to banking or law enforcement authorities.
In summary
Recent ransomware incidents, such as those experienced by Toyota Financial Services, the City of Long Beach, MeridianLink, the Toronto Public Library, and the Government of Maine, highlight the escalation and growing sophistication of these threats.
These attacks underscore the vulnerability of IT infrastructures and the need for increased vigilance and security measures.
The exploitation of vulnerabilities such as Citrix Bleed, and the continued exposure of unpatched servers, further increases the risk.
Collaboration with authorities and proper preparation are essential to address and mitigate the devastating impact of these ransomware attacks.
We're here to help you navigate the complex world of #cybersecurity! Share your #ransomware experiences or concerns in the comments, and find out how we can help you protect your business. #StaySafe #CyberDefense #RansomwareProtection