"Change Healthcare to Start Notifying Customers Who Had Data Exposed in Cyberattack"

Change Healthcare just started to notify hospitals, insurers, and other customers that they may have had patient information exposed in a massive cyberattack. The company also said that it expects to begin notifying individuals or patients in late July. Change Healthcare, a subsidiary of healthcare giant UnitedHealth Group, provides technology used to submit and process billions of insurance claims a year. Hackers gained access to its system in February and unleashed a ransomware attack that encrypted and froze large parts of it.

Submitted by Adam Ekwall on

2024 Cyber Awareness and Research Symposium (CARS)

"The symposium will provide networking opportunities for industry professionals, academia, students, and the community. Conference attendees will gain an understanding of emerging concepts in artificial intelligence (AI)-driven threat intelligence, data science for cybersecurity, advanced persistent threats (APTs), open-source intelligence (OSINT)."

"Chemical Facilities Warned of Possible Data Exfiltration Following CISA Breach"

The US Cybersecurity and Infrastructure Security Agency (CISA) recently revealed that its Chemical Security Assessment Tool (CSAT) was breached by a malicious actor and warned chemical facilities that sensitive data may have been exfiltrated.  CISA noted that the attackers exploited a zero-day vulnerability in an Ivanti Connect Secure appliance to infiltrate CSAT from January 23 to 26, 2024.

Submitted by Adam Ekwall on

"Linux Version of RansomHub Ransomware Targets VMware ESXi VMs"

The "RansomHub" ransomware operation is using a Linux encryptor designed to encrypt VMware ESXi environments in attacks against organizations. RansomHub, a Ransomware-as-a-Service (RaaS) operation, active since February 2024, has claimed over 45 victims in 18 countries and shares code with "ALPHV/BlackCat" and "Knight" ransomware. This article continues to discuss findings regarding RansomHub's ESXi encryptor.

Submitted by Gregory Rigby on

"CDK Global Cyberattack Cripples 15,000 US Auto Dealerships"

A cyberattack on CDK Global, a Software-as-a-Service (SaaS) provider for car dealers and auto equipment manufacturers, has temporarily disrupted customer operations. CDK helps about 15,000 car dealerships in North America manage sales, customer relationships, financing, and other operations. Customers use locally installed apps to access the CDK platform. A cloud-based Software-Defined Wide Area Network (SD-WAN) and a Virtual Private Network (VPN) solution make 24/7 access to the platform and CDK data centers possible. This article continues to discuss the CDK Global cyberattack.

Submitted by Gregory Rigby on

"Decade-Long Cyber Assault on Asian Telecoms Traced to Chinese State Hackers"

According to Symantec, telecommunications companies in an Asian country have been targeted with tools linked to Chinese espionage groups. Since 2021, the campaign has targeted telecommunications operators, a university in another country, and others with "Coolclient," "Quickheal," "Rainyday," and other malware. This article continues to discuss findings regarding the years-long espionage campaign that has targeted telecommunications companies in Asia with tools associated with Chinese groups.

Submitted by Gregory Rigby on

"Cyber Threat Intelligence Pros Assess AI Threat Technology Readiness Levels"

Cyber defenders should prepare for cyberattacks enabled by Artificial Intelligence (AI). At the Infosecurity Europe 2024 conference, cyber threat intelligence professionals discussed which AI-powered cyber threats are being actively exploited, which are likely to emerge, and which are still potential threats. Trend Micro VP of threat intelligence Jon Clay said Large Language Model (LLM) tools enable threat actors to write clear phishing emails and deliver them in different languages. Some LLM tools let them embed URLs in messages.

Submitted by Gregory Rigby on

"Highly Evasive SquidLoader Malware Targets China"

A malware loader called "SquidLoader" is linked to an unknown threat actor that has targeted Chinese-speaking victims for two years, LevelBlue Labs reports. LevelBlue Labs believes SquidLoader was active for at least a month before its discovery at the end of April. The threat actor using it has long targeted entities in China. Recently observed attacks start with phishing emails delivering malware loaders disguised as documents for Chinese organizations. When the loaders are executed, they fetch and execute shellcode payloads in the loader process's memory.

Submitted by Gregory Rigby on

"French Diplomatic Entities Targeted by Russian-Aligned Nobelium"

The French cybersecurity agency ANSSI reports that the Russian-aligned threat actor "Nobelium" has targeted French diplomatic entities and public organizations since 2021. The French agency said the threat actor participated in at least five coordinated campaigns between 2021 and 2024. Nobelium has targeted the French Ministry of Culture, the French Ministry of Foreign Affairs, the National Agency for Territorial Cohesion (ANCT), and several French embassies.

Submitted by Gregory Rigby on