Security Leftovers and Windows TCO

posted by Roy Schestowitz on Mar 11, 2025

• USDOJ ☛ 2025-03-06 [Older] Justice Department Charges 12 Chinese Contract Hackers and Law Enforcement Officers in Global Computer Intrusion Campaigns

• 2025-03-06 [Older] NHS investigates API flaw that exposed patient data

• 2025-03-05 [Older] HCRG Care’s lawyers claimed an injunction issued in a “private” hearing required us to remove two posts. We didn’t comply.

• 2025-03-05 [Older] Rite Aid Agrees to $6.8M Settlement Over Data Breach Lawsuit

• 2025-03-05 [Older] Whitman Hospital & Medical Clinics In Colfax Suffers Cyber Attack

• Cybernews ☛ 2025-03-04 [Older] Japanese cancer hospital confirms breach; Qilin gang claims responsibility

• Bleeping Computer ☛ 2025-03-03 [Older] FBCS updates the number affected in its 2024 breach to 4,253,394

• 2025-03-02 [Older] Black Basta exposed: A look at a cybercrime data leak and a key member, “Tramp”

• 2025-03-03 [Older] Info accessed in Rainbow board data breach ‘deleted and has not been shared’

• Las Vegas Review Journal ☛ 2025-03-03 [Older] FTC, MGM close to solving dispute over costly 2023 cyberattack

• Windows TCO / Windows Bot Nets

  • SANS ☛ Commonly Probed Webshell URLs

    Look at your server to see if you can find any odd files (not just the files above). Web shells are easily overlooked if you do not have a good code promotion procedure. The list above is nothing but a "first guess," and there are many more.

  • SANS ☛ Shellcode Encoded in UUIDs

    I returned from another FOR610[1] class last week in London. One key tip I give to my students is to keep an eye on "strange" API calls. In the Windows ecosystem, Microsoft offers tons of API calls to developers. The fact that an API is used in a program does not always mean we are facing malicious code, but sometimes, some of them are derived from their official purpose. One of my hunting rules for malicious scripts is to search for occurrences of the ctypes[2] library. It allows Python to call functions in DLLs or shared libraries.

  • The Record ☛ Kansas healthcare provider says more than 220,000 impacted by cyberattack

    Sunflower Medical Group said nearly 221,000 of its patients had information accessed by hackers who broke into their systems on December 15. The company notified regulators in Maine, Vermont and California and posted a notice on its website.

    Those affected potentially had their names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical information, and health insurance information leaked.

  • The Register UK ☛ Does the NHS have a security culture problem?

    The Register attended a roundtable discussion held between senior NHS IT and security folk recently, and contrary to popular belief, solving the healthcare security crisis can't be fixed simply by throwing more money at the problem.

    It might help some hospitals to an extent, but the very idea that a fat cash injection could be a silver bullet for healthcare security was immediately met with unanimous headshakes from those in attendance. It's just not that simple.

  • The Register UK ☛ Two Rhysida healthcare attacks pwned 300K patients' data

    Break-ins to systems hosting the data of two US healthcare organizations led to thieves making off with the personal and medical data of more than 300,000 patients.

    Kansas-based Sunflower Medical Group and Rhode Island's Community Care Alliance (CCA) both disclosed separate attacks.

  • The Record ☛ Musk blames X outages on alleged ‘massive’ cyberattack | The Record from Recorded Future News

    Alp Toker, director of internet monitor Netblocks, told Recorded Future News they have been observing a cycle of outages affecting X over the last six hours impacting the site’s availability globally.

    “This is amongst the longest Twitter outages tracked in terms of duration, and the pattern is consistent with a denial of service attack targeting X’s infrastructure at scale,” he said. “Latency has remained high, but services are returning to ordinary operation though it’s not clear that the issue has been fully mitigated at present.”

    DDoS attacks overwhelm websites with a flood of traffic with the goal of knocking them offline.

  • Security Week ☛ Elon Musk Claims X Being Targeted in ‘Massive Cyberattack’ as Service Goes Down

    Downdetector.com said that 56% of problems were reported for the X app, while 33% were reported for the website.

    It’s not possible to definitively verify Musk’s claims without seeing technical data from X, and the likelihood of them releasing that is “pretty low,” said Nicholas Reese, an adjunct instructor at the Center for Global Affairs in New York University’s School of Professional Studies and expert in cyber operations.