Netizen Cybersecurity Bulletin (June 31st, 2024)


  • Phish Tale of the Week
  • P2PInfect Botnet Evolves: New Miner and Ransomware Payloads Detected
  • Lurie Children’s Hospital Says 791,000 Impacted by Ransomware Attack
  • How can Netizen help?

Phish Tale of the Week

Often times phishing campaigns, created by malicious actors, target users by utilizing social engineering. For example, in this email, the actors are appearing as CareCix. The message politely gives us an opportunity to sign up for some healthcare, even giving us a login page to speed up the process to signing in to our new account. It seems both urgent and genuine, so why shouldn’t we visit the link they sent us? Luckily, there’s plenty of reasons that point to this being a scam.

Here’s how we can tell not to click on this link:

  1. The first warning sign for this email is the formatting. Immediately, it’s apparent that different text boxes in the email have different alignments and different sizes, as well as strange spacing. The “go to login page” button is a great example of this strange spacing: the white space above the button is significantly larger than the white space below. It’s important to be wary of small inconsistencies such as this as they can be key indicators that the sender of the email may not be who they seem.
  2. The second warning signs in this email is the messaging. This message tries to create a sense of opportunity and urgency in order to get you to take action by using language such as “get started” and “this link is valid for 30 days.” Phishing and smishing scams commonly attempt to create a sense of urgency/confusion in their messages in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the style and tone of all texts before following a link or other attachment sent through email.
  3. The final warning sign for this email is the fact that we didn’t sign up for this healthcare. Receiving an email asking you to log into an account you didn’t create should always be a warning sign. Do not click on any “log in” or “sign up” button in any email you weren’t expecting, no matter how trustworthy it looks. With all of these 3 warning signs, it’s incredibly apparent that we are being phished.

General Recommendations:

phishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via your text messages. 

  1. Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match the one I already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
  2. Verify that the sender is actually from the company sending the message.
  3. Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email.
  4. Do not give out personal or company information over the internet.
  5. Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

Many phishing messages pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.

Cybersecurity Brief

In this month’s Cybersecurity Brief:

P2PInfect Botnet Evolves: New Miner and Ransomware Payloads Detected

The notorious P2PInfect botnet, known for targeting misconfigured Redis servers, has evolved into a formidable threat with the addition of ransomware and cryptocurrency miners. This transformation signifies a shift from a seemingly dormant botnet to a financially motivated operation.

Recent updates have significantly increased the threat level posed by P2PInfect. Initially perceived as a dormant threat, the botnet now deploys crypto miners, ransomware payloads, and rootkit elements. This development highlights the malware author’s intent to profit from illicit access and expand their network. Additionally, P2PInfect has been updated to target MIPS and ARM architectures, broadening its scope and potential impact.

P2PInfect primarily spreads by exploiting the replication feature of Redis servers, transforming victim systems into follower nodes under the attacker’s control. This allows the attacker to execute arbitrary commands on infected systems. The botnet also includes a feature to scan the internet for additional vulnerable servers and incorporates an SSH password sprayer module to gain access using common passwords.

The behavioral changes in P2PInfect are noteworthy. The botnet now drops miner and ransomware payloads, encrypting files with specific extensions and demanding a ransom of 1 XMR (approximately $165). Furthermore, a new usermode rootkit uses the LD_PRELOAD environment variable to hide malicious processes and files from security tools, a technique similar to those used by other cryptojacking groups.

Given the nature of targeted servers, which often store ephemeral in-memory data, the ransomware’s impact is limited. Therefore, the botnet likely sees more profit from its crypto miner due to its extensive use of system resources. Evidence suggests that P2PInfect might be a botnet-for-hire service, deploying other attackers’ payloads in exchange for payment. This theory is supported by the different wallet addresses used for miner and ransomware processes.

To secure its foothold, P2PInfect takes several defensive measures. It changes user passwords, restarts SSH services with root permissions, and performs privilege escalation to prevent other attackers from targeting the same servers.

In conclusion, the P2PInfect botnet represents a significant threat in the cybersecurity landscape, especially with its recent updates. Organizations must remain vigilant and employ robust security measures to protect against such sophisticated attacks. Regularly patching systems, monitoring for unusual activities, and implementing strong access controls are crucial steps in defending against botnet infections and their evolving payloads.

To read more about this article, click here.

Lurie Children’s Hospital Says 791,000 Impacted by Ransomware Attack

Ann & Robert H. Lurie Children’s Hospital of Chicago has announced that a recent ransomware attack has compromised the personal and health information of 791,000 individuals. The hospital took many of its systems offline in late January in response to the cyberattack, which led to limited access to medical records, disruptions to a patient portal, and hampered communications.

An investigation revealed that cybercriminals had access to Lurie Children’s systems between January 26 and January 31, 2024. A wide range of information was compromised, including names, addresses, dates of birth, dates of service, driver’s license numbers, Social Security numbers, email addresses, phone numbers, health claims information, medical conditions or diagnoses, medical record numbers, medical treatments, and prescription information.

Although the hospital did not explicitly state that it was targeted by a ransomware group, it confirmed in a data breach notification on its website that it refused to pay a ransom. “Experts have advised that making a payment to cybercriminals does not guarantee the deletion or retrieval of data that has been taken. Once our investigation team identified an amount of data that was impacted by the cybercriminals, we worked closely with law enforcement to retrieve that data,” Lurie Children’s said.

The Rhysida ransomware group, which claimed responsibility for the attack, has stated on its website that the data stolen from the hospital has been sold, indicating that a ransom was not paid. The cybercriminals allege they stole 600 GB of data from the organization.

A notice published by the Maine Attorney General’s office on Thursday reveals that the incident has affected more than 791,000 people. Impacted individuals are being notified and offered 24 months of identity and fraud protection services at no cost.

To read more about this article, click here.

How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Copyright © Netizen Corporation. All Rights Reserved.