Full Report
For the latest discoveries in cyber research for the week of 3rd March, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

Orange Group has confirmed a cyberattack on its Romanian branch, in which a hacker linked to the HellCat ransomware group stole 6.5GB of data over a month. The breach exposed 380,000 email […]

The post 3rd March – Threat Intelligence Report appeared first on Check Point Research.
Analysis Summary
# Incident Report: Summary of Cyber Incidents for the Week of March 3rd
## Executive Summary
The week of March 3rd featured multiple high-profile ransomware attacks targeting sectors including telecommunications (Orange Group), media (Lee Enterprises), and healthcare (HCRG), resulting in significant data exfiltration ranging from 6.5GB to 50TB. Simultaneously, critical technical vulnerabilities were disclosed, including an unauthenticated Remote Code Execution flaw in MITRE Caldera and an SQL Injection bug in Exim, highlighting pervasive risk across application and infrastructure layers.
## Incident Details
- Discovery Date: Ongoing reporting throughout the week of March 3rd.
- Incident Date: Varied, with Orange Group compromise spanning over a month.
- Affected Organization: Orange Group (Romania), HCRG Care Group (UK Healthcare), Lee Enterprises (US Media), DM Clinical Research (US Healthcare), Philippine Army, Cleveland Municipal Court.
- Sector: Telecommunications, Healthcare, Media, Government, Clinical Research.
- Geography: Romania, UK, US, Philippines.
## Timeline of Events
### Initial Access
- **Date/Time:** Varied (e.g., Orange Group breach spanned over a month).
- **Vector:** The ransomware groups (HellCat, Medusa, Qilin) used vectors that have not been disclosed, possibly phishing or exploitation of known vulnerabilities, to gain entry to Orange, HCRG, and Lee Enterprises. For DM Clinical Research, the vector was a publicly accessible, **misconfigured, non-password-protected database**.
- **Details:** The entry point is not yet known for most of these intrusions; the observed impact is consistent with standard intrusion techniques followed by deployment of ransomware payloads.
### Lateral Movement
- **Date/Time:** Post-initial access (Implied).
- **Vector:** Attackers achieved high levels of compromise. Medusa claimed **full control over HCRG's systems**, including access to NTDS logs, indicating domain or privileged access. Qilin disrupted Lee Enterprises' internal systems, cloud storage, and corporate VPNs.
- **Details:** Reaching the data that was later exfiltrated implies the attackers mapped the internal networks and located sensitive data repositories.
### Data Exfiltration/Impact
- **Date/Time:** Over a month for Orange Group; immediate disruption for Lee Enterprises and Cleveland Municipal Court.
- **Vector:** Data theft via identified threat actors (Medusa, Qilin, HellCat).
- **Details:**
- **Orange Group:** 6.5GB of data stolen (emails, source code, contracts, partial payment card details).
- **HCRG:** Allegedly 50TB of data stolen (the figure is disputed between HCRG and Medusa).
- **Lee Enterprises:** 350GB of data stolen (Gov ID scans, financial documents, NDAs).
- **DM Clinical Research:** 1.6 million sensitive/clinical records exposed due to poor database configuration.
- **Philippine Army:** Alleged theft of military/personal records (names, medical/financial details for 10,000 service members).
- **Cleveland Municipal Court:** Complete shutdown of internal systems and platforms.
### Detection & Response
- **Date/Time:** Variable. Lee Enterprises reported the attack to the SEC; Orange Group confirmed the breach.
- **Vector:** External reporting/internal discovery.
- **Details:**
- **Orange Group:** Investigation underway; customer operations unaffected so far.
- **Lee Enterprises:** Reporting operational disruptions; partial data leak threatening full release by March 5th if ransom unpaid.
- **Cleveland Municipal Court:** Forced closure since February 23rd to secure and restore services.
- **Philippine Army:** Stated intrusion was contained with no *confirmed* data theft, contradicting attacker claims.
## Attack Methodology
- **Initial Access:** Phishing/exploitation leading to ransomware deployment (Orange, HCRG, Lee Enterprises); misconfiguration (DM Clinical Research).
- **Persistence:** Inferred via ransomware deployment achieving "full control" (Medusa).
- **Privilege Escalation:** Implied, evidenced by access to NTDS logs at HCRG.
- **Defense Evasion:** Sophisticated campaigns (like the large-scale exploitation of the legacy Truesight.sys driver) bypassed security blocklists.
- **Credential Access:** Implied for network control; explicitly exposed via NTDS logs theft.
- **Discovery:** Standard lateral movement reconnaissance techniques were used to map HCRG and Lee Enterprises environments.
- **Lateral Movement:** Extensive mapping allowing exfiltration of massive data sets (50TB, 350GB).
- **Collection:** Gathering of source code, contracts, IDs, and clinical data.
- **Exfiltration:** Data uploaded by ransomware groups before deploying impact/ransomware payload.
- **Impact:** Data exposure via double-extortion tactics; operational disruption (Cleveland Court, Lee Enterprises).
## Impact Assessment
- **Financial:** Ransom demands are implicit for HCRG, Lee Enterprises, and potentially Orange Group; significant remediation costs anticipated for all victims.
- **Data Breach:** Massive scale: up to 50TB from HCRG; 350GB from Lee Enterprises; 1.6 million records from DM Clinical Research; 380,000 emails from Orange Group. Data types include PII, financial details, source code, and military records.
- **Operational:** Complete shutdown of Cleveland Municipal Court systems; significant disruption to Lee Enterprises (VPN, Cloud access).
- **Reputational:** Public accusations and counter-accusations between HCRG and Medusa group regarding the true extent of the breach.
## Indicators of Compromise
*(Note: Specific malicious hashes/domains were not provided in summary; related threat intelligence is listed.)*
- **Network indicators:** IOCs related to Truesight.sys driver exploitation (if the root cause was this campaign).
- **File indicators:** Ransomware payloads associated with MedusaLocker and Qilin (protection/detection names cited in the bulletin: `Ransomware.Wins.MedusaLocker.ta.*`, `Ransomware_Linux_Qilin_A`).
- **Behavioral indicators:** Large-scale data staging and egress, unauthorized loading of legitimate but vulnerable drivers to bypass blocklists (Truesight.sys campaign).
## Response Actions
- **Containment:** Philippine Army contained the intrusion; Cleveland Court shut down systems to secure the environment.
- **Eradication:** The specific steps taken by the affected organizations are not known; eradication typically involves rebuilding compromised systems and patching the exploited entry points.
- **Recovery:** Cleveland Municipal Court is actively working to secure and restore services. Orange Group assures customer operations remain unaffected while investigating.
## Lessons Learned
- **Database Security is Critical:** Misconfiguration errors (like the publicly accessible, non-password-protected database at DM Clinical Research) remain a leading cause of massive data exposure, rivaling or exceeding complex technical exploits.
- **Supply Chain & Legacy Software Risks:** The large-scale exploitation of the legacy Truesight.sys driver demonstrates that security policies must aggressively manage unblocked/vulnerable third-party drivers, even on modern OSes.
- **Ransomware Actors Are Increasingly Sophisticated:** Ransomware groups are evolving, using double extortion and escalating conflicts publicly (Medusa vs. HCRG) to increase pressure on victims.
## Recommendations
- Conduct immediate independent audits of all publicly accessible databases and storage systems to verify authentication controls and access rights.
- Enhance endpoint security policies to strictly enforce Microsoft Vulnerable Driver policies and actively inventory/remove legacy drivers like Truesight.sys.
- Regularly review and enforce patching schedules for external-facing software (e.g., Exim, third-party plugins like Everest Forms) to mitigate known RCE and SQLi risks.
- Implement robust network segmentation to limit lateral movement potential following initial compromise, especially preventing access to critical assets like NTDS/domain controllers.
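The driver recommendation above can be turned into a repeatable check. The following PowerShell script is an added example written for this summary; it is not code from Check Point or from the bulletin. It assumes an elevated session on a Windows host, uses the `truesight.sys` driver name from the bulletin as the watch-list entry, and reads the `VulnerableDriverBlocklistEnable` value under `HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config`, which is the registry switch Microsoft documents for the vulnerable driver blocklist.

```powershell
# Added example (not from the Check Point bulletin): inventory named legacy drivers
# and report whether the Microsoft Vulnerable Driver Blocklist is enforced.
# Run in an elevated PowerShell session; extend $DriverNames with the drivers you track.

$DriverNames = @('truesight.sys')   # lowercase file names; 'truesight.sys' comes from the bulletin

# 1. Registered kernel drivers (loaded or not) whose image file name is on the watch list.
$loaded = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object {
        $p = $_.PathName
        $p -and ($DriverNames -contains ([IO.Path]::GetFileName($p)).ToLower())
    } |
    Select-Object Name, State, StartMode, PathName

# 2. Files present in the standard driver directory even if no service references them.
$onDisk = foreach ($n in $DriverNames) {
    Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter $n -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                FullName      = $_.FullName
                LastWriteTime = $_.LastWriteTime
                SignerSubject = $sig.SignerCertificate.Subject
                SigStatus     = $sig.Status
            }
        }
}

# 3. Blocklist enforcement flag. Absence of the value does not by itself mean the
#    blocklist is off: with HVCI or Smart App Control enabled it is enforced regardless.
$ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$flag  = (Get-ItemProperty -Path $ciKey -Name VulnerableDriverBlocklistEnable `
            -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

$report = [pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    RegisteredMatches = $loaded
    OnDiskMatches     = $onDisk
    BlocklistFlagSet  = ($flag -eq 1)
}

# Emit the object so it can be collected centrally (e.g. piped to ConvertTo-Json).
$report
```

Run it across the fleet through your existing remote execution tooling and alert on any host where `RegisteredMatches` or `OnDiskMatches` is non-empty, or where `BlocklistFlagSet` is false and neither HVCI nor Smart App Control is in use. Removing a flagged driver means stopping and deleting its service before deleting the file; a driver that reappears after removal should be treated as an active intrusion rather than leftover legacy software.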