Ransomware Attack Causes Severe Disruption at Hospital Clínic de Barcelona
- Written by Ari Denial, Cybersecurity & Tech Writer
The Hospital Clínic de Barcelona has been hit by a ransomware attack that caused significant disruption to its computer systems. As a result, the clinic had to cancel 150 non-urgent surgeries and up to 3,000 patient check-ups. The attack has been linked to foreign threat actors.
As per Security Week’s report, the Sunday ransomware attack had a crippling impact on the Hospital Clínic de Barcelona. The attack affected various areas, including laboratories, emergency rooms, pharmacies at the three main centers, and multiple external clinics.
The attack resulted in around 150 elective surgeries, 500 extractions, and roughly 300 consultations being postponed. The hospital is redirecting urgent cases to other locations.
During a news conference, the hospital director Antoni Castells said: “We can’t make any prediction as to when the system will be back up to normal.” According to a report, Sergi Marcen, the Secretary for Telecommunications and Digital Transformation at the Hospital Clínic de Barcelona, stated that the ransomware attack was carried out by threat actors outside of Spain. Marcen said that “RansomHouse carries out these types of attacks in exchange for money, but so far they have not been in contact.”
Additionally, a government statement noted that the cyberattack had a significant impact on the emergency services of three medical centers linked to Clínic de Barcelona, namely CAP Casanova, CAP Borrell, and CAP Les Corts.
Although the hospital’s SAP system was not affected, all other applications and communications have been disrupted, and the restoration of critical systems is ongoing. As a result, physicians cannot access patient information, which has affected the provision of care.
To minimize the impact of the attack and facilitate communication between different departments, additional health assistants and administrative staff have been deployed in Clínic de Barcelona.
According to hospital officials, radiology, endoscopic tests, radiological scans, dialysis, and outpatient pharmacy services have not been affected by the cyberattack and will continue to operate normally.

New Custom Backdoor Used by Chinese Hackers to Bypass Detection Measures
- Written by Ari Denial, Cybersecurity & Tech Writer
The prime targets of the infamous Chinese APT group Mustang Panda are government and political organizations across Asia and Europe.
Since the start of this year, Mustang Panda, the Chinese cyber espionage group, has been observed using a new custom backdoor called ‘MQsTTang’ in its attacks. Mustang Panda has a history of targeting organizations globally and using its custom remote access trojan (RAT), PlugX, to steal data.
However, this time, the group has developed the MQsTTang backdoor malware to increase the difficulty of detection and attribution. Furthermore, Mustang Panda has begun using other customized tools, including PUBLOAD, TONESHELL, and TONEINS.
One way the malware achieves persistence is by adding an entry under the “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” registry key, which makes the malware launch automatically at system startup. Once the system is rebooted, the malware executes only the C2 communication task, which lets it talk to its command and control server.
Researchers from ESET have identified MQsTTang in an ongoing campaign that began in January 2023. The campaign is directed towards government and political organizations in Europe and Asia, with a specific focus on Ukraine and Taiwan.
The distribution of the malware occurs through spear-phishing emails, and the payloads are downloaded from GitHub repositories created by a user linked to previous Mustang Panda campaigns.
The MQsTTang executable is compressed into RAR archives named after diplomatic themes, such as passport scans of embassy and diplomatic mission personnel. Upon execution, the malware launches a copy of itself with a command-line argument that selects the task to run, such as enabling C2 communications or establishing persistence.
MQsTTang distinguishes itself by using the MQTT protocol for C2 communications. Because all traffic passes through a broker, the backdoor is more resilient to C2 takedowns and the infrastructure used by the attackers stays hidden. The malware also checks for debuggers and monitoring tools to evade detection.
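The two behaviours described above, Run-key persistence and C2 over MQTT, are both observable from endpoint telemetry. The following is an added example of a simple hunting rule, not code from ESET or the article; the event records are constructed, and the field names are an assumption modelled loosely on Sysmon-style registry and network events.

```python
"""Flag Run-key persistence and outbound MQTT connections in constructed endpoint events."""
import re

# Matches any value written directly under the HKCU Run key (the key MQsTTang uses).
RUN_KEY_RE = re.compile(
    r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)

# Default MQTT broker ports (1883 plaintext, 8883 over TLS). Assumption: ordinary
# workstations have no business talking MQTT, so any such connection is worth a look.
MQTT_PORTS = {1883, 8883}
ALLOWED_MQTT_CLIENTS = set()  # lower-cased image paths of sanctioned MQTT clients, if any


def scan_events(events):
    """Return (rule, image, detail) findings for each suspicious event."""
    findings = []
    for ev in events:
        if ev["type"] == "registry_set" and RUN_KEY_RE.match(ev["target"]):
            findings.append(("run_key_persistence", ev["image"], ev["target"]))
        elif (ev["type"] == "network_connect"
              and ev["dst_port"] in MQTT_PORTS
              and ev["image"].lower() not in ALLOWED_MQTT_CLIENTS):
            findings.append(("mqtt_outbound", ev["image"],
                             f'{ev["dst_ip"]}:{ev["dst_port"]}'))
    return findings


# Constructed sample events: one persistence write, one MQTT connection, two benign events.
SAMPLE_EVENTS = [
    {"type": "registry_set", "image": r"C:\Users\u\AppData\Local\Temp\passport.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "network_connect", "image": r"C:\Users\u\AppData\Local\Temp\passport.exe",
     "dst_ip": "203.0.113.7", "dst_port": 1883},
    {"type": "network_connect", "image": r"C:\Program Files\Browser\browser.exe",
     "dst_ip": "198.51.100.2", "dst_port": 443},
    {"type": "registry_set", "image": r"C:\Windows\explorer.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]

if __name__ == "__main__":
    for rule, image, detail in scan_events(SAMPLE_EVENTS):
        print(f"[{rule}] {image} -> {detail}")
```

Correlating both rules on the same process image, as happens for the first two sample events, is a much stronger signal than either rule alone.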
“This new MQsTTang backdoor provides a kind of remote shell without any of the bells and whistles associated with the group’s other malware families,” according to ESET’s report.