Malware Activity

NextGen Healthcare Discloses Data Breach Impacting Over 1 Million Patients

NextGen Healthcare, Inc., a software and services company headquartered in Georgia, has disclosed a data breach impacting the personal data of over 1 million patients. NextGen develops and sells electronic health record (EHR) software as well as management systems to organizations within the healthcare industry. In its data breach notification, NextGen stated that on March 30, 2023, suspicious activity was identified in its Office system, a "cloud-based EHR and practice management solution," and that containment measures such as password resets were taken. An investigation launched with a third-party forensic vendor determined that an unknown third party gained unauthorized access to "a limited set of electronically stored personal information" between March 29 and April 14, 2023. The exposed information includes names, dates of birth, physical addresses, and Social Security numbers (SSNs). NextGen emphasized that there is currently no evidence that health or medical data was compromised during the unauthorized access, and noted that no fraudulent use of the exposed personal information had been identified as of April 28, 2023. The compromise is currently suspected to stem from the "use of stolen client credentials that appear to have been stolen from other sources or incidents unrelated to NextGen." CTIX analysts will continue to monitor the ongoing threats against the healthcare industry and report on critical cyberattacks as they are detailed.

Threat Actor Activity

Threat Profile: Dragon Breath

A newly identified threat group has surfaced in the landscape and is targeting gambling companies with various cyberattacks. The group is tracked under several names, including Dragon Breath, Golden Eye Dog, and APT-Q-27, and has targeted entities throughout China, the Philippines, Singapore, Hong Kong, Japan, and Taiwan. Primarily focused on gambling companies, Dragon Breath has used dynamic link library (DLL) sideloading attacks with a new twist. Attacks typically seen in the landscape involve standard sideloading, with a legitimate application and a malicious loader/payload. Dragon Breath's twist adds a second clean application in the first stage of the attack, which automatically executes the malicious loader once deployed on the target. Forged installers seen in this campaign include WhatsApp, Telegram, and LetsVPN, each laced with first-stage malware. Once all loaders are installed on the system, the malicious code clears system event logs, copies clipboard data, executes arbitrary commands, and in some cases harvests cryptocurrency from the victim's device. CTIX continues to monitor threat actor activity globally and will provide additional updates accordingly.
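The sideloading shape described above, a clean signed application dropped into a user-writable directory beside an unsigned DLL that it then loads, is visible in image-load telemetry. The script below is an added example, not code from the original report or from any vendor: it scores constructed image-load records (loosely modelled on Sysmon Event ID 7 fields, which is an assumption) and flags those showing two or more indicators. File paths and signer values in the sample records are constructed, not real indicators.

```python
"""Triage image-load telemetry for the DLL sideloading shape.

Added example, not from the original report. The records are constructed and
loosely modelled on Sysmon Event ID 7 (ImageLoad) fields; field names and
paths are assumptions.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Locations an unprivileged user can normally write to. A legitimately signed
# executable loading an unsigned DLL from one of these is the classic
# sideloading shape (the clean app is dropped next to the malicious DLL).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# OS directories: DLLs here are signed by Microsoft, so a signer mismatch with
# a third-party application is expected and must not be scored.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass(frozen=True)
class ImageLoad:
    process: str          # full path of the process performing the load
    process_signed: bool  # Authenticode signature on the process image is valid
    image: str            # full path of the loaded DLL
    image_signed: bool    # Authenticode signature on the DLL is valid
    signer_matches: bool  # DLL signer is the same publisher as the process


def is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def same_directory(a: str, b: str) -> bool:
    return PureWindowsPath(a.lower()).parent == PureWindowsPath(b.lower()).parent


def sideloading_indicators(ev: ImageLoad) -> list:
    """Return the sideloading indicators present in one image-load event."""
    reasons = []
    if in_system_dir(ev.image):
        return reasons
    if ev.process_signed and not ev.image_signed:
        reasons.append("signed process loaded an unsigned DLL")
    if is_user_writable(ev.image):
        reasons.append("DLL loaded from a user-writable directory")
    # Search-order sideloading places the DLL beside the executable so that it
    # wins over the copy the application expected to load.
    if same_directory(ev.process, ev.image) and not (ev.image_signed and ev.signer_matches):
        reasons.append("DLL beside the executable is not signed by the executable's publisher")
    return reasons


def triage(events: list, threshold: int = 2) -> list:
    """Return events that show at least `threshold` indicators."""
    findings = []
    for ev in events:
        reasons = sideloading_indicators(ev)
        if len(reasons) >= threshold:
            findings.append({"process": ev.process, "image": ev.image, "reasons": reasons})
    return findings


# Constructed sample telemetry (not real indicators).
SAMPLE_EVENTS = [
    # Installed messenger loading an OS DLL: normal.
    ImageLoad(r"C:\Program Files\Telegram Desktop\Telegram.exe", True,
              r"C:\Windows\System32\kernel32.dll", True, False),
    # Clean, signed installer dropped into a user directory loading an unsigned
    # DLL placed beside it: the sideloading shape.
    ImageLoad(r"C:\Users\victim\Downloads\TelegramSetup\Telegram.exe", True,
              r"C:\Users\victim\Downloads\TelegramSetup\libcurl.dll", False, False),
    # Unsigned setup program loading an OS DLL: nothing to score.
    ImageLoad(r"C:\Users\victim\Downloads\setup.exe", False,
              r"C:\Windows\System32\ntdll.dll", True, False),
    # Vendor application loading its own unsigned plugin: a known source of
    # false positives that an allowlist of plugin directories should cover.
    ImageLoad(r"C:\Program Files\Vendor\app.exe", True,
              r"C:\Program Files\Vendor\plugin.dll", False, False),
    # Vendor application loading a DLL signed by the same publisher: normal.
    ImageLoad(r"C:\Program Files\Vendor\app.exe", True,
              r"C:\Program Files\Vendor\helper.dll", True, True),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["image"], "->", "; ".join(f["reasons"]))
```

The threshold of two indicators keeps a single unsigned vendor plugin in Program Files out of the high-confidence bucket only when it is also signed by the vendor; environments with many unsigned plugins will want an allowlist of known plugin directories in front of this logic rather than a higher threshold, since the user-writable-directory case is the one that matters here.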

Vulnerabilities

Critical PaperCut Vulnerability Now Under Active Attack by Iranian State Sponsored Hackers

UPDATE: Threat intelligence researchers from Microsoft have identified two (2) Iranian state-sponsored hacking groups, tracked as Mint Sandstorm (aka Phosphorus) and Mango Sandstorm (aka Mercury), exploiting the vulnerability in the popular PaperCut print management server. Since its initial disclosure and patching on March 8, 2023, the flaw has been under active exploitation by multiple financially motivated threat actors to deliver Cl0p and LockBit ransomware. That nation-state-affiliated threat actors have pivoted their efforts to this flaw indicates how severe the vulnerability is and how easy it is to exploit. The flaw, tracked as CVE-2023-27350 (CVSS score of 9.8/10), is an improper access control vulnerability that allows remote attackers to bypass authentication and achieve remote code execution (RCE) with SYSTEM privileges, which has been used to run malicious Windows PowerShell commands or drop infected Java archive (JAR) files on servers running vulnerable instances of PaperCut NG and MF. On May 5, 2023, CTIX analysts reported on a proof-of-concept (PoC) exploit published by researchers that bypassed the new detection measures of the March 8 PaperCut security patch. As soon as the PoC went public, Microsoft researchers began seeing the Iranian threat actors add this vulnerability to their list of initial access tools. Mint Sandstorm and Mango Sandstorm both have ties to the Iranian government: Mango Sandstorm is attributed to Iran's Ministry of Intelligence and Security (MOIS) and Mint Sandstorm to the Islamic Revolutionary Guard Corps (IRGC). This development comes days after Microsoft published a report showing that Iranian threat actors in general are increasingly aggressive and are shifting to new tactics, techniques, and procedures (TTPs) that combine offensive cyberattacks with multi-faceted cyber espionage and influence operations.
This activity indicates that these threat actors have worked to adapt and get ahead of defenders by rapidly incorporating brand-new vulnerabilities and PoCs into their attack strategies rather than relying on their tried-and-true methods and TTPs. The situation remains very dynamic, and this is the fourth CTIX FLASH Update in which analysts have published significant updates on the PaperCut campaign. CTIX analysts will continue to monitor this matter and provide further information to our readers as new developments arise.
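Because the exploitation described above ends with the PaperCut server running PowerShell or dropping files, the most portable detection is a parent-child process rule: a print management server has no routine reason to spawn a shell. The script below is an added example, not code from the original report or from PaperCut. It assumes the application server process is named pc-app.exe, and the records are constructed to resemble Sysmon Event ID 1 (ProcessCreate) fields; the install path and timestamps are illustrative.

```python
"""Flag shells spawned by the PaperCut application server.

Added example, not from the original report or from PaperCut. Assumptions:
the server process is named pc-app.exe; the records are constructed to
resemble Sysmon Event ID 1 (ProcessCreate) fields; the install path is
illustrative.
"""
import re
from pathlib import PureWindowsPath
from typing import Optional

# Assumed name of the PaperCut NG/MF application server process.
PAPERCUT_SERVER = {"pc-app.exe"}

# Interpreters and download utilities a print server should not be spawning.
SHELL_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "certutil.exe", "bitsadmin.exe",
}

# Command-line features that raise severity: encoded PowerShell, execution
# policy bypass, or in-line download primitives.
HIGH_RISK = re.compile(
    r"(?i)(?:^|\s)-(?:e|enc|encodedcommand)\s|bypass|downloadstring|invoke-webrequest|\biwr\b"
)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def assess_event(ev: dict) -> Optional[dict]:
    """Return a finding for one process-creation record, or None if benign."""
    parent = basename(ev["ParentImage"])
    child = basename(ev["Image"])
    if parent not in PAPERCUT_SERVER or child not in SHELL_CHILDREN:
        return None
    severity = "high" if HIGH_RISK.search(ev["CommandLine"]) else "medium"
    return {
        "time": ev["UtcTime"],
        "child": child,
        "severity": severity,
        "command_line": ev["CommandLine"],
    }


def findings(events: list) -> list:
    return [f for f in (assess_event(ev) for ev in events) if f is not None]


# Constructed sample records (not real telemetry).
PC_APP = r"C:\Program Files\PaperCut NG\server\bin\win\pc-app.exe"
SAMPLE_EVENTS = [
    # Service control manager starting the server: normal.
    {"UtcTime": "2023-05-08 13:58:02", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": PC_APP, "CommandLine": "pc-app.exe"},
    # Server spawning cmd.exe that launches encoded PowerShell.
    {"UtcTime": "2023-05-08 14:02:11", "ParentImage": PC_APP,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell.exe -NoProfile -EncodedCommand <constructed-base64>"},
    # Server spawning PowerShell with an execution policy bypass.
    {"UtcTime": "2023-05-08 14:02:19", "ParentImage": PC_APP,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Windows\Temp\update.ps1"},
    # Server spawning a plain reconnaissance command.
    {"UtcTime": "2023-05-08 14:02:25", "ParentImage": PC_APP,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    # An administrator opening PowerShell from the desktop: unrelated.
    {"UtcTime": "2023-05-08 14:05:40", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    for f in findings(SAMPLE_EVENTS):
        print(f["time"], f["severity"].upper(), f["child"], f["command_line"])
```

The parent-child rule is independent of any particular PoC, which matters given how quickly new PoCs were adopted here; the JAR-dropping variant the report mentions is better covered by a file-creation rule on the server's own directories, which this process-based example does not attempt.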

Honorable Mention

Scammers Identified Leveraging Fraudulent QR Codes to Invade Victims' Bank Accounts

Scammers are getting more creative, and fraudulent QR codes are increasingly being used to gain access to victims' bank accounts. QR codes have become an effective way to reach everything from restaurant menus and advertisements to payment links and sweepstakes surveys: a user scans the code with a phone camera and is redirected to a URL for the intended purpose. More recently, scammers have turned this popularity against unsuspecting users by redirecting them to typosquatted domains or malicious applications where they enter sensitive information that can give attackers access to their financial accounts. Officials in San Francisco, Texas, and the United Kingdom have warned about fraudulent parking tickets bearing QR codes that let victims pay online; the malicious codes take victims to a parking citations portal hosted on a copycat website to pay the alleged fines. In the same areas, threat actors have also stuck fake QR code stickers on parking meters, bringing users looking for a quick-pay option to illicit domains that prompt them for credit card information. More recently, a sixty (60) year-old woman in Singapore reportedly scanned a QR code outside a bubble tea shop to fill out a survey for a "free cup of milk tea." She was redirected to download a third-party app that granted the malicious actor access to her phone, allowing the scammer to passively monitor her banking app, obtain her login credentials, and exfiltrate $20,000 from her bank account. CTIX analysts will continue to monitor for and report on emerging initial access vectors.
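The typosquatted-domain redirect described above can be screened before the user ever taps the link: once a QR scanner has decoded the URL, the host can be compared with the domains the user actually expects to reach. The script below is an added example, not code from the original article. The trusted domains and the decoded URLs are constructed placeholders; the check covers exact or subdomain matches, digit-for-letter homoglyphs, small edit distances, a trusted name embedded as a subdomain of an unrelated domain, raw IP addresses, plain http, and userinfo tricks.

```python
"""Screen the URL decoded from a QR code against expected destinations.

Added example, not from the original article. Trusted domains and sample URLs
below are constructed placeholders.
"""
from typing import List
from urllib.parse import urlsplit

# Digits commonly swapped for look-alike letters in typosquatted domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Lower-cased host without userinfo, port, or a leading 'www.'."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def is_ip_literal(host: str) -> bool:
    return ":" in host or all(label.isdigit() for label in host.split("."))


def is_trusted(host: str, trusted: str) -> bool:
    return host == trusted or host.endswith("." + trusted)


def assess_qr_url(url: str, trusted_domains: List[str]) -> dict:
    """Classify a decoded QR URL as trusted, lookalike, unknown, or invalid."""
    parts = urlsplit(url)
    host = host_of(url)
    reasons: List[str] = []
    if not host:
        return {"host": host, "verdict": "invalid", "reasons": ["no host in URL"]}

    if any(is_trusted(host, t) for t in trusted_domains):
        verdict = "trusted"
    else:
        for t in trusted_domains:
            # Trusted name used as a subdomain of an unrelated registrable domain.
            if host.startswith(t + "."):
                reasons.append(f"trusted name {t} embedded in untrusted host")
            # Digit-for-letter substitutions, or a couple of character edits.
            if host.translate(HOMOGLYPHS) == t.translate(HOMOGLYPHS):
                reasons.append(f"homoglyph variant of {t}")
            elif edit_distance(host, t) <= 2:
                reasons.append(f"within two edits of {t}")
        verdict = "lookalike" if reasons else "unknown"

    # Properties worth surfacing regardless of the domain verdict.
    if parts.scheme.lower() != "https":
        reasons.append("not served over https")
    if is_ip_literal(host):
        reasons.append("raw IP address instead of a domain name")
    if "@" in parts.netloc:
        reasons.append("userinfo before the host")
    return {"host": host, "verdict": verdict, "reasons": reasons}


# Constructed placeholders for the sites a user expects a parking or payment
# QR code to lead to.
TRUSTED = ["parking.example-city.gov", "pay.example-bank.com"]

if __name__ == "__main__":
    for u in [
        "https://parking.example-city.gov/citation/123",
        "https://parking.examp1e-city.gov/pay",
        "http://pay.example-bank.com.evil-example.net/login",
        "https://203.0.113.5/survey",
    ]:
        r = assess_qr_url(u, TRUSTED)
        print(r["verdict"].upper(), r["host"], "; ".join(r["reasons"]))
```

The "unknown" verdict is deliberately distinct from "lookalike": a survey or payment page on a domain the user has never heard of is exactly the situation in the Singapore case above, and a scanner that only warns on near-misses of known brands would stay silent there. The registrable-domain logic here is naive (it does not understand public suffixes such as co.uk), which is acceptable for a fixed allowlist of expected destinations but not for general-purpose domain comparison.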
