ALPHV Extorting Healthcare Network with Clinical Images of Breast Cancer Patients
On February 20, 2023, Lehigh Valley Health Network (LVHN), a healthcare network based in Pennsylvania, disclosed that it had suffered a cyberattack by ALPHV. ALPHV (also known as BlackCat) is a Russia-linked ransomware group that typically targets healthcare and academic organizations and continues to be very active this year. LVHN noted that the attack involved "patient images for radiation oncology treatment and other sensitive information on a single physician practice in Lackawanna County" and that the network would not be paying the demanded ransom. In response to this refusal to pay, ALPHV has begun attempting to extort LVHN by publishing exfiltrated data and clinical images of breast cancer patients to its leak site, labeling the images as nudity. Alongside this data, ALPHV stated, "Our blog is followed by a lot of world media, the case will be widely publicized and will cause significant damage to your business. Your time is running out. We are ready to unleash our full power on you!" Security researchers are outraged at this level of extortion and at the threat group's attempt to capitalize on the sensitivities surrounding cancer treatment. CTIX analysts will continue to monitor this ongoing situation and will provide updates as they become available.
Threat Actor Activity
Threat Actors Romance Android Users, Install Espionage Malware
Transparent Tribe actors have unveiled a new campaign targeting Android users throughout India and Pakistan. Historically, Transparent Tribe (APT36) has been known for nearly a decade of continuous cyberespionage attacks against research, defense, and diplomatic organizations in Afghanistan and India. This new campaign targets Indian and Pakistani Android users who are involved with military or political operations in the region. Users are contacted on common messaging platforms and lured via romance scams into downloading and installing another messaging application laced with malicious software. Transparent Tribe actors embedded malicious code into the applications (MeetsApp and MeetUp) to install the "CapraRAT" backdoor, one (1) of the malware families they have used most frequently in previous campaigns. Once installed, CapraRAT can exfiltrate sensitive information, make phone calls, record phone call audio, capture screenshots, and send SMS text messages. Communications from both malicious applications relay back to the same command-and-control (C2) server and contain the same digital certificates. Personally identifiable information (PII) of around 150 victims was obtained and analyzed by researchers because of the threat actors' weak operational security. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.
Vulnerabilities
PoC Published on Twitter for a Critical Microsoft Word Vulnerability Allowing for RCE
A proof-of-concept exploit has just been published for a critical vulnerability affecting Microsoft Word that could be exploited by threat actors to conduct remote code execution (RCE) attacks on vulnerable systems. The flaw, tracked as CVE-2023-21716, is a heap memory corruption vulnerability in the RTF (Rich Text Format) parser within Microsoft Office's "wwlib.dll", and it occurs when the parser handles a font table (\fonttbl) "containing an excessive number of fonts (\f###)." A remote attacker could exploit this flaw by creating a malicious ".RTF" file and delivering it to the victim through a phishing email or other social engineering tactic. This flaw does not require much user interaction to be exploited; simply previewing a malicious .RTF file in Microsoft Word could allow the threat actor to execute code with the permissions of the opening application. The low level of user interaction, coupled with the low complexity of the attack and a public PoC exploit, gives this flaw a CVSS score of 9.8/10. To prevent exploitation, Microsoft users should ensure that the latest updates are installed. If users cannot apply the patch, Microsoft has provided workarounds in its advisory, which include modifying the Windows Registry and enabling the Microsoft Office File Block policy, preventing any Office application from automatically opening RTF documents unless the user approves the file origin. There is currently no evidence of active exploitation. CTIX analysts will continue to monitor this matter as well as other Microsoft critical vulnerabilities.
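As an added defensive illustration (not code from the advisory, CTIX or Microsoft), the following triage script walks the {\fonttbl} group of an RTF file and flags documents whose font table declares an unusually large number of \fN entries, the condition the advisory describes. The 1000-font threshold and the build_sample fixture are assumptions chosen for the example; the script identifies RTF by its {\rtf header rather than by extension, since Word also sniffs content.

```python
import re
from typing import Optional

# Assumption (not from the advisory): legitimate documents declare at most a few
# hundred fonts, so a table with more than this many \fN entries is flagged for review.
FONT_COUNT_THRESHOLD = 1000

# \fN (the advisory's \f###) starts each font definition; \fnil, \fcharset etc. do not match
_FONT_ENTRY = re.compile(rb"\\f(\d+)")


def extract_fonttbl(rtf: bytes) -> Optional[bytes]:
    """Return the body of the first {\\fonttbl ...} group, honouring nested braces and escapes."""
    tag = b"{\\fonttbl"
    start = rtf.find(tag)
    if start == -1:
        return None
    depth, i = 0, start
    while i < len(rtf):
        c = rtf[i:i + 1]
        if c == b"\\":          # skip a control symbol or escaped brace such as \{ or \}
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return rtf[start + len(tag):i]
        i += 1
    return rtf[start + len(tag):]  # unterminated group: inspect whatever is there


def count_fonts(fonttbl: bytes) -> int:
    """Number of distinct font indices declared in the font table."""
    return len({m.group(1) for m in _FONT_ENTRY.finditer(fonttbl)})


def assess_rtf(data: bytes) -> dict:
    """Triage one file: detect RTF by content, then size up its font table."""
    is_rtf = data.lstrip().startswith(b"{\\rtf")
    tbl = extract_fonttbl(data) if is_rtf else None
    n = count_fonts(tbl) if tbl is not None else 0
    return {"is_rtf": is_rtf, "has_fonttbl": tbl is not None,
            "font_count": n, "suspicious": n > FONT_COUNT_THRESHOLD}


def build_sample(num_fonts: int) -> bytes:
    """Constructed fixture for exercising the detector: plain font entries, no exploit content."""
    entries = b"".join(b"{\\f%d\\fnil Font%d;}" % (i, i) for i in range(num_fonts))
    return b"{\\rtf1\\ansi{\\fonttbl" + entries + b"}\\f0 Hello}"
```

Run assess_rtf over files arriving in mail quarantine and route any "suspicious" result to sandbox analysis instead of relying on the .RTF extension alone.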