May 11th to May 17th
The IT company targeted in a Chinese hack that accessed the data of Ministry of Defence staff failed to report the breach for months.
UK defence secretary, Grant Shapps, told MPs on Tuesday that Shared Services Connected Ltd (SSCL) had been breached by a malign actor and “state involvement” could not be ruled out. Shapps said the payroll records of about 270,000 current and former military personnel, including their home addresses, had been accessed. China has not been openly named by the government as the culprit.
Sources said SSCL, an arm of the French tech company Sopra Steria, became aware of the breach in February, but the MoD was informed only recently.
SSCL was awarded a cybersecurity contract worth over £500,000 in April, weeks after the hack. The National Cyber Security Centre has warned of growing threats to the UK's businesses and critical infrastructure from hostile states. SSCL and its parent company hold £1.6bn in government contracts, including sensitive functions like Home Office recruitment.
Ascension, a US non-profit health system, confirmed its electronic health records (EHR) system was down following a ransomware incident on 8 May 2024. In a cybersecurity update on 13 May, Ascension stated its hospitals and facilities remained open, but its EHR and systems for ordering tests, procedures, and medications were not operational.
Clinical teams are using manual processes and paper records for medication dispensing, medical records, and diagnostic tests. Several of its 140 hospitals are on diversion for emergency services to triage cases immediately. Ascension is working with cybersecurity experts to restore systems safely, acknowledging that full restoration will take time.
The cyber attack, first announced on 9 May, involved unusual activity on network systems. Information security firm Mandiant is assisting with the investigation. Ascension has notified law enforcement and government bodies, including the FBI and CISA. The attack follows similar incidents, highlighting the vulnerability of healthcare data to cyberattacks.
Financially motivated cybercriminals are exploiting the Windows Quick Assist feature in social engineering attacks to deploy Black Basta ransomware. Microsoft has been investigating this campaign, tracked as Storm-1811, since mid-April 2024. The attackers start by email bombing the target with spam, then call the victims pretending to be Microsoft or company IT support. They trick victims into granting access via the Quick Assist tool.
Once access is granted, the attackers download malicious payloads. Microsoft identified downloads of Qakbot, remote management tools, and Cobalt Strike. After installing these tools, Storm-1811 moves laterally through the network and deploys Black Basta ransomware using PsExec. They also harvest credentials using PowerShell and exfiltrate them via Secure Copy (SCP).
Microsoft advises blocking or uninstalling Quick Assist if not used and training employees to recognize tech support scams. Black Basta, a Ransomware-as-a-Service (RaaS) operation, has breached over 500 organizations, collecting at least $100 million in ransom payments.
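The advice above to block or uninstall Quick Assist where it is not used can be turned into a repeatable host check. The following PowerShell script is an added example written for this roundup; it is not code from Integrity360 or Microsoft. It assumes Quick Assist is present either as the Windows optional capability "App.Support.QuickAssist~~~~0.0.1.0" (older Windows 10 builds) or as the Store app "MicrosoftCorporationII.QuickAssist" (Windows 11 and recent Windows 10), which are the two forms Microsoft ships. By default it only audits; the -Remove switch performs the uninstall and must be run from an elevated prompt.

```powershell
<#
  Audit-QuickAssist.ps1 (added example, not from the original roundup)
  Reports whether Quick Assist is installed on this host and, with -Remove,
  uninstalls it. Assumptions: the capability and Store package names below
  are the two forms in which Microsoft ships Quick Assist.
#>
[CmdletBinding()]
param(
    [switch]$Remove   # audit only unless -Remove is supplied
)

$capabilityPattern = 'App.Support.QuickAssist*'        # optional-feature form
$storePackageName  = 'MicrosoftCorporationII.QuickAssist'  # Store-app form

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Optional-feature (Windows capability) form of Quick Assist
$capabilities = Get-WindowsCapability -Online -Name $capabilityPattern |
    Where-Object { $_.State -eq 'Installed' }
foreach ($cap in $capabilities) {
    $findings.Add([pscustomobject]@{
        Form   = 'WindowsCapability'
        Name   = $cap.Name
        Action = 'Present'
    })
    if ($Remove) {
        Remove-WindowsCapability -Online -Name $cap.Name | Out-Null
        $findings[-1].Action = 'Removed'
    }
}

# 2. Store-app form, installed for any user profile on the machine
$packages = Get-AppxPackage -AllUsers -Name $storePackageName
foreach ($pkg in $packages) {
    $findings.Add([pscustomobject]@{
        Form   = 'AppxPackage'
        Name   = $pkg.PackageFullName
        Action = 'Present'
    })
    if ($Remove) {
        Remove-AppxPackage -AllUsers -Package $pkg.PackageFullName
        $findings[-1].Action = 'Removed'
    }
}

# 3. Provisioned copy that would be re-installed for new user profiles
$provisioned = Get-AppxProvisionedPackage -Online |
    Where-Object { $_.DisplayName -eq $storePackageName }
foreach ($prov in $provisioned) {
    $findings.Add([pscustomobject]@{
        Form   = 'ProvisionedPackage'
        Name   = $prov.PackageName
        Action = 'Present'
    })
    if ($Remove) {
        Remove-AppxProvisionedPackage -Online -PackageName $prov.PackageName | Out-Null
        $findings[-1].Action = 'Removed'
    }
}

if ($findings.Count -eq 0) {
    Write-Output "Quick Assist not installed on $env:COMPUTERNAME"
} else {
    # One row per installed form so the output can be collected centrally
    $findings | Select-Object @{n='Host';e={$env:COMPUTERNAME}}, Form, Name, Action
}
```

Running the script without -Remove across a fleet gives an inventory of where Quick Assist is still present; step 3 matters because removing only the per-user package leaves the provisioned copy to reappear on the next new profile. Hosts that legitimately need Quick Assist for the service desk should be excluded from the removal run and covered by the user-awareness training the advice above also calls for.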
Some customers of Santander may have had their data stolen following a supply-chain attack targeting one of the bank’s third-party providers. The company confirmed the breach in a notification letter, stating, "We recently became aware of unauthorised access to a Santander database hosted by a third-party provider."
Santander implemented measures to contain the incident, blocking the compromised access and establishing fraud prevention controls. The breach affected customers in Chile, Spain, and Uruguay; the bank's localised Twitter accounts in Spain and Chile carried no warning, although the Chile website did display one.
The stolen data includes information on some current and former employees. Santander confirmed that customers in other markets are unaffected. The company assured that transactional data and user credentials were secure, and operations were not impacted.
Santander apologised for the inconvenience and confirmed that affected individuals would be notified. They also reported the incident to regulators and law enforcement and are working closely with them.
A ransomware attack on Swedish logistics company Skanlog has prompted warnings from Systembolaget, the country’s sole liquor retailer, that store shelves may be empty by the week's end. Skanlog, a critical distributor for Systembolaget, was attacked by a group allegedly based in North Korea, according to CEO Mona Zuko, though the basis for this attribution is unclear.
Systembolaget's press officer, Teodor Almqvist, cautioned that various beers, wines, spirits, and even paper bags could sell out within days. While there’s no risk of a "total drying out," certain brands may disappear until deliveries resume.
Skanlog has not indicated when operations might return to normal. Systembolaget has a backup plan if deliveries remain disrupted. This incident coincides with Sweden’s reform of its National Cyber Security Centre, integrating it into the cyber and signals intelligence agency following performance concerns. Earlier this year, a ransomware attack on Tietoevry affected numerous Swedish customers, forcing store closures nationwide.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.
If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.
We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.
Integrity360's flagship conference Security First comes to Stockholm in 2023!
Join leading cybersecurity experts from across the community as we explore the latest threats and industry trends, and learn practical strategies to safeguard your organisation.