Also, New Malware Targets New Bitwarden Users
Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week: Johnson Controls suffers a ransomware attack, the Philippine state health insurance program struggles to recover from a ransomware attack, and Air Canada reports a cyberattack. Also: an APT group uses the American Red Cross as bait, new malware targets would-be users of Bitwarden, and the U.S. Department of Homeland Security kicks off a conference on Latin American cybersecurity.
Johnson Controls Suffers Ransomware Attack
Global smart building and security systems maker Johnson Controls faces a major cybersecurity incident, it disclosed in a regulatory filing. “The incident has caused, and is expected to continue to cause, disruption to parts of the Company’s business operations,” it told the U.S. Securities and Exchange Commission.
Bleeping Computer reports the incident appears to be a ransomware attack from a recently-formed criminal group calling itself “Dark Angels.” The group is demanding $51 million, the outlet says.
The attack has disrupted operations at the company's subsidiary brands. Some systems are offline, and the company is working to mitigate risks. Johnson Controls subsidiaries such as Simplex and Ruskin have displayed technical outage messages on their websites. “We are currently experiencing IT outages that may limit some customer applications such as the Simplex Customer Portal,” a banner message read.
Philippine State Insurance Program Suffers Ransomware
Philippine national healthcare insurance program PhilHealth is grappling with a Sept. 22 ransomware attack that forced it to take numerous websites and portals offline.
PhilHealth President and CEO Emmanuel Ledesma said on Saturday that access to Health Care Institution member portals and e-claims was temporarily disabled as a precaution. “PhilHealth’s Management assures the public that the incident is under control and that no personal information and medical information has been compromised or leaked,” Ledesma said. The country’s data protection regulator, the National Privacy Commission, ordered PhilHealth to appear before it and cooperate with an onsite investigation.
The Medusa ransomware operation took responsibility for the attack, demanding $300,000 for the data’s deletion and threatening to release allegedly stolen data on Monday afternoon unless it receives an extortion payment.
Air Canada Reports Cyberattack
Air Canada reported a cyberattack on its internal systems, disclosing that unauthorized individuals gained access to employee records. The airline said the breach did not affect customer information, and that flight operations and customer-facing services are fully functional. Air Canada did not specify when the breach was discovered, but it acknowledged that the incident briefly allowed unauthorized access to limited personal information of some employees and certain records.
Air Canada employs close to 36,000 individuals who may have had their personal data compromised, although the airline did not disclose the exact nature of the accessed sensitive information. The company says it’s taken steps to enhance security measures, collaborating with external cybersecurity experts to prevent future attacks.
APT Group Deploys American Red Cross as Bait
A new advanced persistent threat group dubbed AtlasCross is deploying a novel phishing lure using the American Red Cross as bait. NSFOCUS Security Labs discovered the campaign using a Microsoft Word macro-enabled document titled “Blood Drive September 2023.docm.” Once victims enabled macros, a Red Cross-themed flyer appeared, while malicious macro code dropped a .pkg file on the victim’s system. The file served as a loader Trojan, called DangerAds, which executed shellcode to load the final payload, a unique Trojan dubbed AtlasAgent.
The AtlasAgent Trojan is designed for tasks such as obtaining host and process information, preventing multi-program execution, injecting specified shellcode and downloading files from command and control servers.
New Malware Targets New Bitwarden Users
Proofpoint researchers discovered a new malware strain they’re calling “ZenRAT” hidden within counterfeit installation packages for the open-source password manager Bitwarden. ZenRAT is a modular remote access Trojan that targets Windows users to steal information and is distributed through SEO poisoning, adware bundles or email campaigns.
ZenRAT first appeared on a deceptive website resembling the legitimate Bitwarden site. It displays a fake Bitwarden download for Windows users while redirecting non-Windows users to an article clone from opensource.com discussing how to set up Bitwarden.
Once launched as ApplicationRuntimeMonitor.exe, ZenRAT collects system information including details about the CPU and GPU, the operating system version, IP address and installed software, transmitting it to a command and control server using a unique communication protocol. ZenRAT communicates with its C2 server through various parameters such as command IDs, data sizes, hardware IDs, bot IDs, versions and builds. It supports commands such as transmitting logs, geofencing, mutex creation, disk size verification and anti-virtualization measures. While ZenRAT’s modular design suggests the potential for expanded capabilities, researchers have probed only its core functionality so far.
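The two malware items above give a defender two concrete things to look for in endpoint telemetry: ZenRAT runs under the process name ApplicationRuntimeMonitor.exe, and the AtlasCross lure relies on a Word macro dropping and running a loader, which appears in process-creation logs as an Office process spawning an executable. The following Python is an added example, not code from the article, Proofpoint or NSFOCUS; it applies both checks to Sysmon-style Event ID 1 records. The JSON field layout, file paths, user names and the Office child-process allowlist are assumptions, and the sample log lines are constructed.

```python
from __future__ import annotations

import json

# Process name under which ZenRAT runs, per the Proofpoint finding quoted above.
ZENRAT_IMAGE_NAME = "applicationruntimemonitor.exe"

# Office binaries that should rarely spawn executables; a macro dropping and
# running a loader (the AtlasCross .docm behaviour) shows up as such a child.
OFFICE_IMAGE_NAMES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Children Office launches legitimately (assumed; tune for your environment).
OFFICE_CHILD_ALLOWLIST = {"splwow64.exe"}

# Constructed Sysmon-style process-creation events, one JSON object per line.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "User": "CORP\\alice",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" "C:\Users\alice\Downloads\Blood Drive September 2023.docm"'},
    {"EventID": 1, "User": "CORP\\alice",
     "Image": r"C:\Users\alice\AppData\Local\Temp\loader.exe",          # assumed drop path
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 1, "User": "CORP\\alice",
     "Image": r"C:\Windows\splwow64.exe",                                # benign print helper
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 1, "User": "CORP\\bob",
     "Image": r"C:\Users\bob\Downloads\Bitwarden-Installer\ApplicationRuntimeMonitor.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe"},        # network event, skipped
])


def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: dict) -> list[dict]:
    """Apply both rules to one Event ID 1 record and return any findings."""
    findings: list[dict] = []
    if event.get("EventID") != 1:
        return findings
    image = image_name(event.get("Image", ""))
    parent = image_name(event.get("ParentImage", ""))

    # Rule 1: the process name ZenRAT is reported to run under.
    if image == ZENRAT_IMAGE_NAME:
        findings.append({"rule": "zenrat_process_name",
                         "image": event["Image"], "user": event.get("User")})

    # Rule 2: an Office application spawning a non-allowlisted child process.
    if parent in OFFICE_IMAGE_NAMES and image not in OFFICE_CHILD_ALLOWLIST:
        findings.append({"rule": "office_spawns_child",
                         "image": event["Image"], "parent": event["ParentImage"],
                         "user": event.get("User")})
    return findings


def scan(jsonl: str) -> list[dict]:
    """Run the rules over newline-delimited JSON events, skipping unparsable lines."""
    results: list[dict] = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        results.extend(evaluate(event))
    return results


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Matching on a process name alone is brittle, since a renamed binary evades it; the Office child-process rule is the more durable of the two because it keys on behaviour rather than a label, at the cost of needing an environment-specific allowlist.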
Homeland Security Kicks Off Cyber Conference for The Americas
The Biden administration kicked off the “Western Hemisphere Cyber Conference” on Wednesday to address cybersecurity threats in the Americas, particularly concerning China’s aggressive actions. The conference is hosted by the Department of Homeland Security and aims to foster cooperation between the U.S. and Latin American nations in identifying and countering hackers, whether individuals, criminal groups or state-sponsored actors. Twenty-one countries participated in the two-day conference, which emphasizes cybersecurity in an interconnected world and seeks to fortify partner countries’ cyber capabilities.
Other Stories From Last Week
With reporting from Information Security Media Group’s Prajeet Nair in Bengaluru