More stories

  • Security team finds Crimea manifesto buried in VBA Rat using double attack vectors

    Hossein Jazi and Malwarebytes’ Threat Intelligence team released a report on Thursday highlighting a new threat actor potentially targeting Russian and pro-Russian individuals. The attackers included a manifesto about Crimea, indicating the attack may have been politically motivated. The attacks feature a suspicious document named “Manifest.docx” that downloads and executes two attack vectors: remote template injection and CVE-2021-26411, an Internet Explorer exploit.

    “Both techniques have been loaded by malicious documents using the template injection technique. The first template contains a url to download a remote template that has an embedded full-featured VBA Rat. This Rat has several different capabilities including downloading, uploading and executing files,” Jazi said. “The second template is an exploit for CVE-2021-26411 which executes a shell-code to deploy the same VBA Rat. The VBA Rat is not obfuscated but still has used some interesting techniques for shell-code injection.”

    Jazi linked the attack to the ongoing conflict between Russia and Ukraine, part of which centers on Crimea. The report notes that cyberattacks on both sides have been increasing, but Jazi also cautions that the manifesto and the Crimea theme may be a false flag planted by the threat actors. Malwarebytes’ Threat Intelligence team discovered “Манифест.docx” (“Manifest.docx”) on July 21 and found that it downloads and executes two templates: one is macro-enabled, the other is an HTML object containing the Internet Explorer exploit.

    The analysts found that the exploitation of CVE-2021-26411 resembled an attack launched by the Lazarus APT. According to the report, the attackers combined social engineering and the exploit in order to increase their chances of infecting victims. Malwarebytes was not able to attribute the attack to a specific actor, but said that a decoy document displayed to victims contained a statement from a group associated with a figure named Andrey Sergeevich Portyko, who allegedly opposes Russian President Vladimir Putin’s policies on the Crimean Peninsula. Jazi explained that the decoy document is shown after the remote templates have loaded. The document is in Russian but is also translated into English.

    The VBA Rat collects victim information, identifies the AV product running on the victim’s machine, executes shell-code, deletes files, uploads and downloads files, and reads disk and file system information. Jazi noted that instead of using the well-known API calls for shell-code execution, which AV products readily flag, the threat actor used EnumWindows: the address of the shell-code is passed as the enumeration callback, so the API itself transfers execution into the payload.
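To make the remote template injection hook concrete, here is an added example (not code from Malwarebytes or from the report) that inspects a .docx package for what the technique relies on: an attachedTemplate relationship whose TargetMode is External, which Word resolves and fetches when the document opens. The sample document is constructed in memory; the example.invalid URL and everything else in it are placeholders, not indicators from the report.

```python
"""Scan a .docx package for remote template references.

Added example for this story; it is not code from the Malwarebytes report.
Remote template injection works by pointing the document's attachedTemplate
relationship at an external URL, so the scan lists every relationship whose
TargetMode is External and singles out attachedTemplate entries that point at
http(s). The sample document is constructed in memory (example.invalid is a
placeholder, not an indicator from the report) so the scan runs offline.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ATTACHED_TEMPLATE = OFFICE_REL_NS + "/attachedTemplate"


def external_relationships(docx_bytes):
    """Return (rels_part, relationship_type, target) for every relationship in
    any *.rels part of the package whose TargetMode is External."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    found.append((name, rel.get("Type", ""), rel.get("Target", "")))
    return found


def remote_templates(docx_bytes):
    """Targets of external attachedTemplate relationships in the settings part:
    the hook that remote template injection abuses."""
    return [target for part, rtype, target in external_relationships(docx_bytes)
            if rtype == ATTACHED_TEMPLATE and part.endswith("settings.xml.rels")]


def is_suspicious(docx_bytes):
    """A template fetched over http(s) deserves a closer look; a file:// path to
    a local .dotm is what a legitimately templated document usually carries."""
    return any(t.lower().startswith(("http://", "https://"))
               for t in remote_templates(docx_bytes))


def build_sample_docx(template_target=None):
    """Construct a minimal .docx; with template_target set, wire it in as an
    external attachedTemplate the way an injected document would."""
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    parts = {
        "[Content_Types].xml": (
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
            '<Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/>'
            '</Types>'),
        "_rels/.rels": (
            f'<Relationships xmlns="{PKG_REL_NS}">'
            f'<Relationship Id="rId1" Type="{OFFICE_REL_NS}/officeDocument" Target="word/document.xml"/>'
            '</Relationships>'),
        "word/document.xml": (
            f'<w:document xmlns:w="{w_ns}"><w:body><w:p><w:r><w:t>hello</w:t></w:r></w:p></w:body></w:document>'),
        "word/_rels/document.xml.rels": (
            f'<Relationships xmlns="{PKG_REL_NS}">'
            f'<Relationship Id="rId1" Type="{OFFICE_REL_NS}/settings" Target="settings.xml"/>'
            '</Relationships>'),
        "word/settings.xml": f'<w:settings xmlns:w="{w_ns}" xmlns:r="{OFFICE_REL_NS}"/>',
    }
    if template_target is not None:
        parts["word/settings.xml"] = (
            f'<w:settings xmlns:w="{w_ns}" xmlns:r="{OFFICE_REL_NS}">'
            '<w:attachedTemplate r:id="rId1"/></w:settings>')
        parts["word/_rels/settings.xml.rels"] = (
            f'<Relationships xmlns="{PKG_REL_NS}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_target}" TargetMode="External"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx("http://example.invalid/template.dotm")
    print(remote_templates(doc), is_suspicious(doc))
```

The same walk over `*.rels` parts also surfaces other external targets (oleObject, hyperlink, frame) that a second-stage loader such as the HTML object in this campaign may ride on, so triage tooling usually reports all of `external_relationships` and lets the analyst decide which are expected.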

  • Fortinet beats Wall Street expectations for Q2 thanks to sales in the Americas

    Fortinet delivered strong second quarter growth thanks to an expansion in business from EMEA and the Americas.  

    Fortinet delivered second quarter revenue of $801.1 million, up 29.7% from a year ago. Fortinet’s non-GAAP earnings of $0.95 a share were above expectations: Wall Street was expecting second quarter earnings of $0.87 a share on revenue of $744.14 million. For 2021, Fortinet is projecting revenue of $3.21 billion to $3.25 billion with non-GAAP earnings of $3.75 to $3.90 a share. For the third quarter, Fortinet is projecting revenue between $800 million and $815 million with non-GAAP earnings between $0.90 and $0.95 a share.

    In Q4, the company updated its FortiOS operating system with more than 300 new features including Zero Trust Network Access capabilities and tools to better secure networks and proliferating endpoints. Fortinet announced in March that it was investing $75 million in router maker Linksys as part of a “strategic alliance” aimed at securing work-from-home networks.

    Ahead of the earnings call, the company unveiled a new FortiGate 3500F Next-Generation Firewall designed to protect organizations with hybrid data centers against ransomware and other attacks. Fortinet CMO John Maddison added that Fortinet is also “redefining services by expanding its security services options — which currently include FortiCare and FortiGuard — with FortiTrust, enabling a unified offering with one licensing model for flexible consumption options across networks, endpoints, and clouds.”


  • Ransomware: These are the two most common ways hackers get inside your network

    Email phishing attacks and brute force attacks against exposed remote desktop protocol (RDP) services are the most common methods cyber criminals are using to gain an initial foothold in corporate networks to lay the foundations for ransomware attacks.

    Cybersecurity researchers at Coveware analysed ransomware attacks during the second quarter of this year and detailed how phishing and RDP attacks are the most popular entry points for ransomware. Part of the appeal for cyber criminals is that these are low-cost to carry out while also being effective. Phishing attacks, in which cyber criminals send emails containing a malicious attachment or direct victims towards a compromised website which delivers ransomware, have grown slightly in popularity over the last quarter, accounting for 42 percent of attacks. Meanwhile, attacks against RDP services, where cyber criminals brute force weak or default usernames and passwords, or sometimes obtain legitimate credentials via phishing emails, remain extremely popular with ransomware groups, also accounting for 42 percent of attacks.

    Both phishing and RDP attacks remain effective because they are relatively simple to carry out but, when successful, give the attacker a gateway to the whole corporate network. Compromised RDP credentials are particularly useful because they let attackers enter the network with legitimate logins, making malicious activity harder to distinguish from normal use. Software vulnerabilities are a distant third as the most popular vector for breaching networks to deliver ransomware, accounting for 14 percent of attacks, but that doesn’t make them any less dangerous, especially as they are often leveraged by some of the most sophisticated and disruptive ransomware gangs.

    According to Coveware, Sodinokibi, also known as REvil, accounted for the highest percentage of ransomware attacks during the reporting period at 16.5 percent. REvil is responsible for some of the most high-profile ransomware attacks this year, including the massive ransomware attack on customers of Kaseya. In recent weeks, REvil’s infrastructure has mysteriously gone offline. The second most prolific ransomware during the period was Conti, accounting for 14.4 percent of attacks. One of the most high-profile attacks by the group was the attack against the Irish healthcare system. In the end, Conti provided the decryption key for free, but healthcare services across Ireland remained disrupted for months. The third most prolific ransomware during the three months between April and June was Avaddon, distributed via phishing emails, which accounted for 5.4 percent of attacks. In June, the group behind Avaddon announced it was shutting down and released a decryption key for the ransomware. Newer ransomware families Mespinoza and Hello Kitty make up the rest of the top five, and with groups like REvil and Avaddon seemingly shutting down, new ransomware groups will likely attempt to replace them.

    What all these ransomware groups have in common is how they exploit phishing and weaknesses in RDP services to lay the foundation for attacks. To help protect networks from being compromised, organisations can apply multi-factor authentication across the network, which stops an attacker who has guessed or phished a password from using it on its own, and should avoid exposing RDP directly to the internet (a VPN or remote desktop gateway with account lockout in front of it removes the brute-force surface entirely). It is also recommended that organisations apply software updates and security patches when they are released to prevent attackers from exploiting known vulnerabilities to gain access to networks.
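Because the RDP brute-force pattern is so simple, it is also easy to spot in the Windows Security log. The following is an added example, not from the Coveware report, that reads constructed failed-logon (4625) and successful-logon (4624) events in a simplified key=value form and raises one alert per source address for three patterns: many failures against one account, one source trying many accounts, and a success following a run of failures. The field names map onto the real events, but the line format, thresholds and sample addresses (documentation ranges) are assumptions chosen for the example.

```python
"""Flag RDP brute-force and password-spray activity in Windows logon events.

Added example for this story; it is not code from the Coveware report. The
input is a simplified key=value rendering of Security-log events 4625 (failed
logon) and 4624 (successful logon), constructed below; the field names map
directly onto the real events, where real data would come from EVTX or a SIEM.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types seen on an RDP listener: 10 (RemoteInteractive), 3 (network,
# which is what NLA pre-authentication produces) and 7 (unlock).
RDP_LOGON_TYPES = {"10", "3", "7"}


def parse(line):
    """'2021-06-01T10:00:01Z EventID=4625 LogonType=10 TargetUser=x IpAddress=y'"""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["EventID"] = int(rec["EventID"])
    return rec


def detect(lines, window=timedelta(minutes=5), fail_threshold=10,
           spray_threshold=5, success_after=3):
    """Return one alert per (kind, source IP):
    brute_force            - fail_threshold failures from one IP inside window
    password_spray         - spray_threshold distinct accounts tried from one IP
    success_after_failures - a 4624 from an IP with success_after recent failures,
                             the shape of a guessed (or phished) credential."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda r: r["ts"])
    recent = defaultdict(list)          # ip -> [(ts, user)] still inside the window
    alerts, raised = [], set()

    def alert(kind, ip, **detail):
        if (kind, ip) not in raised:
            raised.add((kind, ip))
            alerts.append({"kind": kind, "ip": ip, **detail})

    for ev in events:
        if ev["LogonType"] not in RDP_LOGON_TYPES:
            continue
        ip = ev["IpAddress"]
        fails = [(t, u) for t, u in recent[ip] if ev["ts"] - t <= window]
        if ev["EventID"] == 4625:
            fails.append((ev["ts"], ev["TargetUser"]))
            users = sorted({u for _, u in fails})
            if len(fails) >= fail_threshold:
                alert("brute_force", ip, failures=len(fails), users=users)
            if len(users) >= spray_threshold:
                alert("password_spray", ip, users=users)
        elif ev["EventID"] == 4624 and len(fails) >= success_after:
            alert("success_after_failures", ip, user=ev["TargetUser"],
                  failures=len(fails))
        recent[ip] = fails
    return alerts


def constructed_sample():
    """Constructed log: one source hammering 'administrator' and then getting in,
    one source trying six accounts once each, and one user with a single typo.
    Addresses are from the documentation ranges, not real observations."""
    lines = []
    for i in range(12):
        lines.append(f"2021-06-01T10:00:{i:02d}Z EventID=4625 LogonType=10 "
                     "TargetUser=administrator IpAddress=203.0.113.7")
    lines.append("2021-06-01T10:00:30Z EventID=4624 LogonType=10 "
                 "TargetUser=administrator IpAddress=203.0.113.7")
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        lines.append(f"2021-06-01T10:01:{i:02d}Z EventID=4625 LogonType=10 "
                     f"TargetUser={user} IpAddress=198.51.100.9")
    lines.append("2021-06-01T10:02:00Z EventID=4625 LogonType=10 "
                 "TargetUser=grace IpAddress=192.0.2.44")
    lines.append("2021-06-01T10:02:05Z EventID=4624 LogonType=10 "
                 "TargetUser=grace IpAddress=192.0.2.44")
    return lines


if __name__ == "__main__":
    for a in detect(constructed_sample()):
        print(a)
```

The single-typo user never trips an alert because the success rule requires a run of failures first; that is the distinction that keeps a rule like this from paging on every mistyped password. In practice the "success after failures" alert is the one that matters most, since it marks the moment a guessed credential became a foothold.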

  • Hackers used never-before-seen wiper in recent attack on Iranian train system

    Researchers with cybersecurity company SentinelOne reconstructed the recent cyberattack on Iran’s train system in a new report, uncovering a new threat actor, which they named ‘MeteorExpress’, and a never-before-seen wiper.

    On July 9, local news outlets began reporting on a cyberattack targeting the Iranian train system, with the attackers defacing display screens in train stations by asking passengers to call ‘64411’, the phone number of Iranian Supreme Leader Khamenei’s office. Train services were disrupted and just one day later, the attackers took down the website of Iran’s transport ministry. According to Reuters, the ministry’s portal and sub-portal sites went down after the attack targeted computers at the Ministry of Roads and Urban Development. In his examination, SentinelOne principal threat analyst Juan Andres Guerrero-Saade explained that the people behind the attack called the never-before-seen wiper ‘Meteor’ and developed it in the last three years.
    “At this time, we have not been able to tie this activity to a previously identified threat group nor to additional attacks,” Guerrero-Saade said, adding that they were able to reconstruct the attack thanks to security researcher Anton Cherepanov and an Iranian antivirus company.  “Despite a lack of specific indicators of compromise, we were able to recover most of the attack components described in the post along with additional components they had missed. Behind this outlandish tale of stopped trains and glib trolls, we found the fingerprints of an unfamiliar attacker.”Guerrero-Saade said the early analysis of Padvish security researchers was key to SentinelOne’s reconstruction alongside “a recovered attacker artifact that included a longer list of component names.”

    “The attackers abused Group Policy to distribute a cab file to conduct their attack. The overall toolkit consists of a combination of batch files orchestrating different components dropped from RAR archives,” Guerrero-Saade explained. “The archives decompressed with an attacker-supplied copy of Rar.exe coupled with the password ‘hackemall’. The wiper components are split by functionality: Meteor encrypts the filesystem based on an encrypted configuration, nti.exe corrupts the MBR, and mssetup.exe locks the system.”

    SentinelOne found that the majority of the attack was “orchestrated via a set of batch files nested alongside their respective components and chained together in successive execution.” The initial batch file copies the first components from a CAB file on a network share inside the Iranian railways network, according to the report. From there, it uses its own copy of WinRAR to decompress additional components from three further archives protected with the Pokemon-themed password “hackemall”, which was also referenced elsewhere during the attack.

    “At this point, the execution begins to bifurcate into other scripts. The first one is ‘cache.bat’, which focuses on clearing obstacles and preparing the ground for subsequent elements with the use of Powershell,” Guerrero-Saade said. “‘cache.bat’ performs three main functions. First, it will disconnect the infected device from the network. Then it checks to see if Kaspersky antivirus is installed on the machine, in which case it’ll exit. Finally, ‘cache.bat’ will create Windows Defender exclusions for all of its components, effectively clearing the way for a successful infection without impediments.”

    The report explained that this script was instructive in rebuilding the attack chain because it includes a list of the attack components, giving researchers specific things to search for. Two further batch files make the machine unbootable and clean up the event logs.

    After a number of other actions, update.bat calls ‘msrun.bat’, passing “the Meteor wiper executable as a parameter.” msrun.bat moves the screen locker and the encrypted configuration for the Meteor wiper into place, Guerrero-Saade explained, and creates a scheduled task called ‘mstask’ that is set to execute the Meteor wiper at five minutes to midnight.

    “There’s a strange level of fragmentation to the overall toolkit. Batch files spawn other batch files, different rar archives contain intermingled executables, and even the intended action is separated into three payloads: Meteor wipes the filesystem, mssetup.exe locks the user out, and nti.exe presumably corrupts the MBR,” Guerrero-Saade wrote. “The main payload of this convoluted attack chain is an executable dropped under ‘env.exe’ or ‘msapp.exe’. Internally, the coders refer to it as ‘Meteor’. While this particular instance of Meteor suffers from a crippling OPSEC failure (the inclusion of verbose debug strings presumably intended for internal testing), it’s an externally configurable wiper with an extensive set of features.”

    The Meteor wiper, according to the report, is supplied with a single argument, an encrypted JSON configuration file, ‘msconf.conf’. Working from that configuration, Meteor wipes files, deletes shadow copies and removes the machine from its domain to complicate remediation. That only scratches the surface of what Meteor can do, according to the report. Although not used in the attack on the Iranian railway, the wiper is also able to change the passwords of all users, disable screensavers, terminate processes from a target list, install a screen locker, disable recovery mode, change boot policy error handling, create scheduled tasks, log off local sessions, delete shadow copies, change lock screen images and execute commands.

    Guerrero-Saade noted that the developers created multiple ways for the wiper to accomplish each of these tasks. “However, the operators clearly made a major mistake in compiling a binary with a wealth of debug strings meant for internal testing. The latter is an indication that despite whatever advanced practices the developers have in their arsenal, they lack a robust deployment pipeline that ensures such mistakes do not happen. Moreover, note that this sample was compiled six months before its deployment and the mistake was not caught,” the report found. “Secondly, the code is a bizarre amalgam of custom code that wraps open-source components (cpp-httplib v0.2) and practically ancient abused software (FSProLabs’ Lock My PC 4). While that might suggest that the Meteor wiper was built to be disposable, or meant for a single operation, that’s juxtaposed with an externally configurable design that allows efficient reuse for different operations.”

    When SentinelOne researchers did a deeper dive into Meteor, they found that the redundancies were evidence that the wiper was created by multiple developers adding different components. The report added that the “externally configurable nature of the wiper” shows it was not created for this particular operation. They have yet to see any other attacks or variants of the Meteor wiper in the wild. Researchers were not able to attribute the attack to a specific threat actor but described the attacker as an “intermediate level player whose different operational components sharply oscillate from clunky and rudimentary to slick and well-developed.”

    “On the one hand, we have a new externally-configurable wiper packed full of interesting capabilities, involving a mature development process, and redundant means to accomplish their goals. Even their batch scripts include extensive error checking, a feature seldom encountered with deployment scripts. Their attack is designed to cripple the victim’s systems, leaving no recourse to simple remediation via domain administration or recovery of shadow copies,” Guerrero-Saade wrote. “On the other hand, we see an adversary that doesn’t yet have a handle on their deployment pipeline, using a sample of their malware that contains extensive debug features and burning functionality irrelevant to this particular operation.”

    Guerrero-Saade goes on to say that SentinelOne “cannot yet make out the shape of this adversary across the fog” and suggests it is either “an unscrupulous mercenary group” or a state-backed actor with any of a variety of motives. Although they could not attribute the attack, the researchers noted that the attackers appeared to be familiar with the general setup of Iran’s railway system and with the Veeam backup software used by the target, implying the threat actors spent time in the environment before launching the attack. At the time of the attack, Iranian officials did not confirm whether there was a ransom demand or who they believed was behind the attack, Reuters reported. The Times of Israel noted that following the Stuxnet attack in 2010, Iran disconnected significant parts of its infrastructure from the internet.
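The preparation steps SentinelOne describes (a password-protected RAR unpacked with the attacker’s own rar.exe, Defender exclusions, the host cut off from the network, event logs cleared, shadow copies deleted, a scheduled task that launches the wiper) are each unremarkable on their own but distinctive as a chain on one host. The following added example, not code from SentinelOne’s report, correlates such stages per host across process-creation events. The command-line patterns are assumptions about how these steps typically appear in Sysmon or EDR telemetry, not the attacker’s actual command lines; the sample events, hostnames, paths and the password ‘buildsecret’ are constructed, and only the password ‘hackemall’ comes from the report.

```python
"""Correlate the preparation steps of a Meteor-style destructive attack in
process-creation telemetry.

Added example for this story; it is not code from SentinelOne's report. The
report describes the behaviours (RAR extraction with a password, Defender
exclusions, disconnecting the host from the network, clearing event logs,
deleting shadow copies, a scheduled task that launches the wiper). The
command-line patterns below are assumptions about how those steps commonly
appear in Sysmon/EDR process events, not the attacker's actual command lines,
and the sample events are constructed (hostnames, paths and the password
'buildsecret' are invented; 'hackemall' is the password the report names).
"""
import re
from collections import defaultdict

# (stage, pattern applied to the lower-cased command line)
STAGES = [
    ("password_rar_extract", re.compile(r"\brar(\.exe)?\b.*\s-p\S+")),
    ("defender_exclusion", re.compile(r"add-mppreference.*-exclusion(path|process|extension)")),
    ("network_disconnect", re.compile(r"netsh\s+interface\s+set\s+interface.*disable|disable-netadapter")),
    ("event_log_clear", re.compile(r"wevtutil(\.exe)?\s+cl\b")),
    ("shadow_copy_delete", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
    ("scheduled_task", re.compile(r"schtasks(\.exe)?\s+/create\b")),
    ("domain_leave", re.compile(r"remove-computer|netdom\s+remove")),
]
RAR_PASSWORD = re.compile(r"\brar(?:\.exe)?\b.*?\s-p(\S+)", re.IGNORECASE)


def classify(cmdline):
    """Names of every stage whose pattern matches this command line."""
    text = cmdline.lower()
    return [name for name, pat in STAGES if pat.search(text)]


def correlate(events, min_stages=3):
    """Alert per host once min_stages distinct stages have been seen there.
    Any one stage on its own (an admin adding an exclusion, a build server
    unpacking a password-protected archive) is routine; the chain is not."""
    first_seen = defaultdict(dict)            # host -> stage -> first event
    for ev in sorted(events, key=lambda e: e["ts"]):
        for stage in classify(ev["cmdline"]):
            first_seen[ev["host"]].setdefault(stage, ev)
    alerts = []
    for host, stages in first_seen.items():
        if len(stages) >= min_stages:
            ordered = sorted(stages.items(), key=lambda kv: kv[1]["ts"])
            alerts.append({"host": host,
                           "stages": [s for s, _ in ordered],
                           "first": ordered[0][1]["ts"],
                           "last": ordered[-1][1]["ts"]})
    return alerts


def rar_passwords(events):
    """Passwords passed to rar on the command line, an indicator worth
    pivoting on (the report's archives used 'hackemall')."""
    found = set()
    for ev in events:
        m = RAR_PASSWORD.search(ev["cmdline"])
        if m:
            found.add(m.group(1))
    return sorted(found)


# Constructed sample telemetry: one host running the full chain, one host with
# a single legitimate exclusion, one build server with two benign stages.
CONSTRUCTED_EVENTS = [
    {"host": "WS-RAIL-01", "ts": "2021-07-09T23:40:01Z",
     "cmdline": r"rar.exe x -phackemall C:\temp\setup.rar C:\temp"},
    {"host": "WS-RAIL-01", "ts": "2021-07-09T23:40:05Z",
     "cmdline": r'powershell -c "Add-MpPreference -ExclusionPath C:\temp"'},
    {"host": "WS-RAIL-01", "ts": "2021-07-09T23:40:09Z",
     "cmdline": 'netsh interface set interface "Ethernet" admin=disable'},
    {"host": "WS-RAIL-01", "ts": "2021-07-09T23:41:00Z",
     "cmdline": "wevtutil cl Security"},
    {"host": "WS-RAIL-01", "ts": "2021-07-09T23:41:02Z",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "WS-RAIL-01", "ts": "2021-07-09T23:41:10Z",
     "cmdline": r"schtasks /create /tn mstask /tr C:\temp\msrun.bat /sc once /st 23:55"},
    {"host": "WS-HR-07", "ts": "2021-07-09T09:12:00Z",
     "cmdline": r'powershell Add-MpPreference -ExclusionPath "C:\Program Files\Backup"'},
    {"host": "SRV-BUILD", "ts": "2021-07-09T14:00:00Z",
     "cmdline": r"rar a -pbuildsecret C:\out\src.rar C:\src"},
    {"host": "SRV-BUILD", "ts": "2021-07-09T14:00:30Z",
     "cmdline": r"schtasks /create /tn nightly-build /tr C:\build\run.bat /sc daily /st 02:00"},
]

if __name__ == "__main__":
    for a in correlate(CONSTRUCTED_EVENTS):
        print(a)
    print(rar_passwords(CONSTRUCTED_EVENTS))
```

The threshold is the whole point: with `min_stages=3` the build server (archive plus scheduled task) stays quiet and only the host running the full chain alerts, which is the behaviour a detection engineer wants when the individual commands are all things administrators legitimately run.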

  • VPNs: Mozilla adds new features to its service, but raises prices for some users

    Mozilla’s virtual private network (VPN) service has arrived in seven more countries: Austria, Belgium, France, Germany, Italy, Spain and Switzerland. The expansion is a big move for the Firefox browser-maker, which launched its VPN in summer 2020 in the US, UK, Canada, New Zealand, Singapore, and Malaysia. The service is available for Windows 10, macOS, Linux, Android, and iOS and uses the WireGuard protocol. Mozilla lets users connect up to five devices and currently has over 400 servers in over 30 countries.

    The VPN market has grown considerably over the past few years as consumers came to value additional privacy, partly driven by Edward Snowden’s leaks about US mass surveillance. A VPN encrypts traffic between the device and the provider’s servers, so someone on the same public Wi-Fi network at a cafe or airport cannot read it or capture credentials; from the VPN server onward to the website, the traffic is protected only by whatever the site itself uses, typically TLS. Mozilla, traditionally trusted because it is a non-profit, is seeking new sources of revenue as its traditional search revenue from Firefox dwindles, and it has a recognizable and trusted brand that lends itself to new services like a VPN.

    The Mozilla-branded VPN launched at $4.99 a month, competitively priced compared with better-known consumer VPNs such as ExpressVPN and NordVPN. According to Mozilla, “thousands of people” have signed up for its VPN. But those prices are about to change. Mozilla will honor the $4.99 a month price for customers in the US, Canada, UK, Singapore, Malaysia, and New Zealand who have already signed up. From now on that price is only available to customers who sign up for a year; otherwise the fee rises to $7.99 a month on a six-month plan or $9.99 for a single month. That makes it slightly cheaper than ExpressVPN but more expensive than NordVPN.

    “We changed our prices after we heard from consumers who wanted more flexibility and different plan options at different price points,” Mozilla says in a blogpost. “For new customers in those six countries that subscribe after July 14, 2021, they can get the same low cost by signing up for a 12 month subscription,” Mozilla notes.

    Mozilla also launched a new feature called split tunneling, which lets users send some traffic through the VPN and the rest through the local connection outside it. The feature is offered by ExpressVPN, NordVPN and other commercial VPN providers. “We’re launching the split tunneling feature so you can choose which apps that you want to use the Mozilla VPN and which ones you want to go through an open network,” Mozilla said. Users pick, per app, whether its connections are protected by the Mozilla VPN; traffic from an excluded app bypasses the tunnel entirely, so the privacy benefit applies only to the apps routed through it. Split tunneling is available on Windows, Linux and Android.

  • McAfee: Babuk ransomware decryptor causes encryption 'beyond repair'

    A new report from McAfee Advanced Threat Research spotlights the Babuk ransomware gang, which recently announced it would be developing a cross-platform binary aimed at Linux/UNIX and ESXi or VMware systems. 

    McAfee’s Thibault Seret and Northwave’s Noël Keijzer wrote that many core backend systems in companies run on these *nix operating systems, and Babuk wasted little time in infecting high-profile victims despite numerous problems with the binary. The researchers noted that some ransomware gangs have experimented with writing their binaries in the cross-platform language Golang (Go).

    “It seems that Babuk has adopted live beta testing on its victims when it comes to its Golang binary and decryptor development. We have seen several victims’ machines encrypted beyond repair due to either a faulty binary or a faulty decryptor,” Seret and Keijzer said. “Even if a victim gave in to the demands and was forced to pay the ransom, they still could not get their files back. We strongly hope that the bad coding also affects Babuk’s relationship with its affiliates. The affiliates perform the actual compromise and are now faced with a victim who cannot get their data back even if they pay. This essentially changes the crime dynamic from extortion to destruction, which is much less profitable from a criminal’s point of view.”

    The typical Babuk attack features three distinct phases: initial access, network propagation, and action on objectives. Babuk also operated a ransomware-as-a-service model before shutting down in April. Northwave investigated a Babuk attack that began with exploitation of CVE-2021-27065, the Exchange Server vulnerability also exploited by the HAFNIUM threat actor. According to the report, once access was gained, the threat actor placed a Cobalt Strike backdoor on the system. Attackers generally use Cobalt Strike for repeat access, and Northwave found multiple backdoors on “several key systems within the network.”

    Through a custom version of zer0dump, the attacker was able to gain domain administrator credentials and used Mimikatz to get access to credentials.”During later stages of the attack, the threat actor opted to create a new local administrator account on some of the systems as a means of additional persistence. Lateral movement between Windows systems was achieved using RDP,” the report said. 

    “For connections to Linux systems, the attacker made use of SSH (using Putty). Moving files to Linux systems was done using WinSCP from Windows systems, while tools used on Windows systems were downloaded from the internet. The threat actor made use of the ‘temp.sh’ and ‘wdfiles.ru’ file hosting websites to host most of his tools. Other tools were downloaded directly from GitHub or the websites of their respective developers.”

    The attacker also used DFind, NetScan, and LAN Search Pro to search through the environment and exfiltrate data before rolling out the ransomware. Once compressed data had been exfiltrated to both Mega and Google Drive, the attacker destroyed the victim’s backups and moved on to the victim’s ESXi hosts to deploy a precompiled ransomware binary. That binary encrypts all of a victim’s virtual machines but, according to McAfee’s analysis, it was “very poorly implemented and contained several different design flaws that resulted in the irreversible corruption of data.”

    At the end of April, Babuk’s operators decided to change tack following the widely covered ransomware attack on the DC Police Department. After trying and failing to extort the police department, the group’s leaders said they would no longer encrypt systems and would instead focus on data exfiltration. They also pledged to make their ransomware an open-source project by publishing the code.
    “The threat actor indicated that it would focus on publishing data from victims that were unresponsive to its ransom demands. Furthermore, the threat actor indicated that it would host and publish data for other groups. As such, the Babuk threat actor seems to be moving towards a data management position,” the report said. 


    “Given the poor design of its ransomware, a fair number of victims should be saved from completely losing their data when being attacked by Babuk. As mentioned in the previous sections, Northwave has seen threat actors slowly move from a scheme extorting victims by encrypting their data towards a double-extortion scheme where the threat actors both encrypt the victim’s data and exfiltrate it as well. It is interesting to see threat actors now moving towards a scheme where their sole source of pressure to extort victims is the exfiltration of sensitive data.”

    The Babuk team began leaking data, first releasing source code for the Cyberpunk 2077 game in May. But after that, the gang went dark again, according to the report. The study also discusses the Babuk decryptor, which Seret and Keijzer said has a limit on the maximum number of bytes it will decrypt, “which is strange.”

    “Overall, the decryptor is poor as it only checks for the extension ‘.babyk’, which will miss any files the victim may have renamed in an attempt to recover them. Also, the decryptor checks if the file is more than 32 bytes in length as the last 32 bytes are combined later with other hardcoded values to get the final key,” the study said. “This is bad design as those 32 bytes could be trash, instead of the key, as the customer could make things, etc. It does not operate efficiently by checking the paths that are checked in the malware. Instead, it analyzes everything.”

    Seret and Keijzer go on to explain that Babuk caused significant damage because its faulty ransomware led to a decryption process that fails in some instances, causing “irrecoverable damage.” “We suspect that this poor design of the ransomware was the reason that the threat actor decided to move towards a data management position,” Seret and Keijzer added. “Ultimately, the difficulties faced by the Babuk developers in creating ESXi ransomware may have led to a change in business model, from encryption to data theft and extortion.”

    McAfee Advanced Threat Research warned that Babuk was posting recruitment memos asking for individuals with pentest skills. They urge defenders to watch for penetration testing tools like winPEAS, Bloodhound, and SharpHound, or hacking frameworks such as Cobalt Strike, Metasploit, Empire, or Covenant.

  • Microsoft: Zero Trust security just hit the mainstream

    Zero Trust, the borderless security strategy being pushed by vendors, has fully caught on in the enterprise, according to Microsoft’s latest survey of cybersecurity defenders. Microsoft, IBM, Google, AWS, Cisco and others in the cybersecurity industry have been banging the ‘zero trust’ drum for the past few years. The case for zero trust was made clearer after this year’s software supply chain attacks on US tech firms, which came amid a mass shift to remote work that demonstrated the need to protect information inside and beyond a trusted environment in a world that spans BYOD, home networks, VPNs, cloud services and more.

    As Microsoft has argued, part of zero trust is assuming the corporate network has already been breached, whether by hackers targeting that network through phishing or malware, or via an employee’s compromised home device connecting to it. The message has gotten through to organizations: Microsoft’s survey of 1,200 security decision makers over the past year found that 96% consider Zero Trust critical to their organization. Zero trust will also soon be compulsory for federal agencies, helping standardize the concept in the broader market. US President Joe Biden’s cybersecurity executive order in May directed agencies to move toward zero-trust architectures and to adopt multi-factor authentication within 180 days. The Commerce Department’s NIST followed up last week by calling on 18 of the US’s biggest cybersecurity vendors to demonstrate how they would implement a zero trust architecture.

    Microsoft found that 76 percent of organizations are in the process of implementing a Zero Trust architecture, up six percent from last year. “The shift to hybrid work, accelerated by COVID-19, is also driving the move towards broader adoption of Zero Trust with 81 percent of organizations having already begun the move toward a hybrid workplace,” writes Vasu Jakkal, Microsoft corporate vice president of security, compliance and identity. “Zero Trust will be critical to help maintain security amid the IT complexity that comes with hybrid work.”

    The top reasons for adopting Zero Trust included increased security and compliance agility, speed of threat detection and remediation, and simplicity and availability of security analytics, according to Jakkal. The model comes down to verifying every access request explicitly, across identity, endpoints, the network and other resources, using signals and data rather than network location. Biden this week highlighted the real-world stakes with recent ransomware and supply chain attacks on critical infrastructure, telling the US intelligence community that a major hack would likely be the reason the US enters “a real shooting war with a major power”. The US president yesterday signed a memorandum addressing cybersecurity for critical infrastructure, ordering CISA and NIST to create benchmarks for organizations managing critical infrastructure.

  • Hackers breach UC San Diego hospital, gaining access to SSNs and medical info of patients, employees, and students

    UC San Diego Health released a notice this week announcing that it suffered a breach that gave attackers widespread access to information about patients, students and employees. UC San Diego Health’s executive director of communications and media relations, Jacqueline Carr, confirmed to ZDNet that the breach resulted from a phishing attack. From December 2, 2020 to April 8, 2021, the attackers had access to data including names, addresses, claims information, laboratory results, medical diagnoses and conditions, Medical Record Numbers and other medical identifiers, prescription information, treatment information, medical information, Social Security numbers, government identification numbers, payment card numbers or financial account numbers and security codes, student ID numbers, and usernames and passwords.

    In an FAQ attached to the notice, the hospital said it discovered suspicious activity on March 12 but that it took until April 8 for its security team to officially identify it as “a security matter.” The statement said the attackers controlled employee email accounts for weeks before UC San Diego Health discovered the breach, terminated the accounts and contacted the FBI. A cybersecurity company is still investigating the incident and UC San Diego Health said the review will finish in September. “In addition to using sophisticated tools to parse and search the data, UC San Diego Health is also conducting a manual review of the affected data. This is a labor-intensive and time-consuming process that involves hundreds of hours of detailed review and analysis,” the hospital said. “In addition to notifying individuals whose personal information may have been involved, UC San Diego Health has taken remediation measures which have included, among other steps, changing employee credentials, disabling access points, and enhancing our security processes and procedures.”

    The academic health system of the University of California, San Diego said it will send notices to the students, employees, and patients whose personal information was contained in the accounts by September 30. The hospital will offer free credit monitoring and identity theft protection services through Experian IdentityWorks for one year. A call center has been created for those who may be concerned about their information. Those affected can call 1-855-797-1160 from 6:00 a.m. to 8:00 p.m. PT Monday through Friday and from 8:00 a.m. to 5:00 p.m. PT Saturday and Sunday. Questions about the incident can also be sent to iscommunication@health.ucsd.edu.

    The statement from UC San Diego Health also denied that this breach was connected to the Accellion file transfer appliance vulnerability, which led to dozens of cyberattacks. This is not the first time UC San Diego Health has had to inform patients about a breach. In 2018, the hospital told 619 patients that their data was accessed after an attack on Nuance Communications, a third-party medical transcription provider.