News Heading - 1

Seoul’s Premier Hospital Falls Victim to North Korean Hackers, Losing 830K Data

  • Written by Ari Denial, Cybersecurity & Tech Writer

According to the Korean National Police Agency (KNPA), Seoul National University Hospital (SNUH) fell victim to a cyberattack orchestrated by North Korean hackers. The incident took place between May and June of 2021 and targeted patients’ personal information and medical records.

Law enforcement has been diligently investigating the case, and based on various pieces of evidence, they have attributed the attack to North Korean threat actors. Intrusion techniques, IP addresses linked to North Korea, website registration details, and linguistic patterns utilized in the attacks all contributed to the conclusion reached by authorities.

South Korean media speculate that the Kimsuky hacking group is the likely culprit behind the incident. However, the police report refrains from naming any specific threat actor. The attack on the hospital’s internal network originated from seven servers located in South Korea and other countries.

Authorities have disclosed that a staggering 831,000 individuals had their personal information compromised as a result of the incident, with the majority being patients. Among the affected individuals, approximately 17,000 are either current or former employees of various hospitals.

In a news release, the Korean National Police Agency (KNPA) issued a warning stating that North Korean hackers could potentially target critical infrastructure across multiple sectors. The importance of implementing robust security measures such as regular patching, stringent user access management, and data encryption was strongly emphasized.

The KNPA also called for safeguarding South Korea’s cyber infrastructure against state-backed cyber-attacks by enhancing information sharing and collaboration with the relevant authorities. North Korean hackers have been linked to previous attacks on hospital networks to steal patient information and demand ransom payments.

News Heading - 2
  • Written by Ari Denial, Cybersecurity & Tech Writer

Microsoft has reported that Iranian nation-state groups are actively exploiting a critical vulnerability discovered in PaperCut print management software. The threat intelligence team at Microsoft observed the involvement of Mango Sandstorm (Mercury) and Mint Sandstorm (Phosphorus) in leveraging the CVE-2023-27350 flaw to gain initial access in their operations.

Microsoft noted that Mint Sandstorm demonstrated the ability to quickly incorporate proof-of-concept exploits into their operations, while Mango Sandstorm relied on tools from previous intrusions to connect to their command and control infrastructure.

Microsoft has identified connections between Lace Tempest, the FIN11 and TA505 cybercrime gangs, and the Clop ransomware operation in recent attacks. Additionally, Microsoft found that some of these intrusions resulted in LockBit ransomware attacks, although further details were not provided. The Cybersecurity and Infrastructure Security Agency (CISA) added the PaperCut vulnerability (CVE-2023-27350) to its catalog of actively exploited vulnerabilities, and federal agencies were ordered to secure their PaperCut servers within three weeks.

This vulnerability is a critical remote code execution bug in PaperCut MF or NG versions 8.0 or later and does not require authentication. PaperCut’s enterprise printing management software is widely used by large companies, state organizations, and educational institutions worldwide. The software claims to have over 100 million users across more than 70,000 companies, making it a significant target for attackers.

Researchers quickly released PoC exploits for the RCE bug disclosed in March 2023, and Microsoft later warned that Clop and LockBit ransomware groups were using it to gain initial access to corporate networks. Despite indicators of compromise and detection rules from multiple cybersecurity companies, VulnCheck revealed a new attack method that bypasses existing detections, allowing uninterrupted exploitation of CVE-2023-27350.

It is crucial for defenders to develop robust and comprehensive detections that cannot be easily evaded, as attackers learn from publicly available detection methods. To eliminate the RCE bug and mitigate the associated attack vector, defenders are strongly recommended to promptly upgrade their PaperCut MF and PaperCut NG software to versions 20.1.7, 21.2.11, and 22.0.9 or newer.
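As an added example (not from the article, PaperCut or Microsoft), a small inventory triage in Python that applies the affected range and fixed versions stated above; it assumes that release lines not named above (for example 21.0.x or 21.1.x) are unpatched, the conservative reading for a patch review.

```python
"""Triage PaperCut MF/NG builds against the CVE-2023-27350 fixes named above.

Added example. Encodes only what the article states: builds 8.0 and later are
affected; 20.1.7, 21.2.11 and 22.0.9 (or newer in each line) carry the fix.
Assumption: release lines not listed here are treated as unpatched.
"""
from typing import Tuple

Version = Tuple[int, int, int]

# Fixed build per release line, as stated in the article.
FIXED_BUILDS = {
    (20, 1): (20, 1, 7),
    (21, 2): (21, 2, 11),
    (22, 0): (22, 0, 9),
}
FIRST_AFFECTED: Version = (8, 0, 0)
NEWEST_FIXED: Version = (22, 0, 9)


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch]' into a 3-tuple; components beyond the third are ignored."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts[:3]]
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_vulnerable(text: str) -> bool:
    """True if this build still needs the CVE-2023-27350 upgrade."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return False  # pre-8.0 builds are outside the affected range
    if v > NEWEST_FIXED:
        return False  # anything newer than 22.0.9 ships with the fix
    fixed = FIXED_BUILDS.get((v[0], v[1]))
    # Unlisted release line (assumed unpatched), or older than its fixed build.
    return fixed is None or v < fixed


def triage(inventory: dict) -> list:
    """Return the hostnames whose PaperCut build still needs patching."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = {"print-01": "21.2.10", "print-02": "21.2.11", "print-03": "7.5.1",
              "print-04": "22.0.9", "print-05": "21.1.3", "print-06": "22.1.0"}
    print(triage(sample))  # prints ['print-01', 'print-05']
```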