London Drugs Hit by LockBit Ransomware, Courtroom Recording Software Delivers Malware: Your Cybersecurity News Roundup

Cybersecurity news on ransomware and malware threats.

London Drugs Hit by LockBit Ransomware, Refuses to Pay $25 Million Demand

Canadian pharmacy chain London Drugs has been hit by a ransomware attack orchestrated by the LockBit gang. The incident, initially labelled a “cybersecurity incident,” occurred on April 28, 2024, and led to the temporary closure of all 79 London Drugs locations across western Canada. The company has confirmed that the attack resulted in the theft of corporate files, some of which may contain employee information. LockBit is demanding a $25 million ransom and threatening to leak the stolen data if the company does not comply.

Despite LockBit’s claims that London Drugs offered $8 million initially, the pharmacy chain has publicly stated it is “unwilling and unable” to pay any ransom to the cybercriminals, even if employee data is in jeopardy. Although London Drugs reassures that patient and customer databases remain unaffected, the company has notified all current employees about the potential compromise of their personal information. The pharmacy chain is offering two years of free credit monitoring and identity theft protection to affected employees while continuing to investigate the extent of the data breach.

This attack comes amidst a decline in LockBit’s activities following a law enforcement operation that disrupted the gang’s infrastructure and exposed its kingpin. Despite this setback, the ransomware gang is still actively targeting organizations, as evidenced by the London Drugs attack. While law enforcement efforts may have put a dent in LockBit’s operations, the group remains a significant threat in the cybersecurity landscape.

pcTattletale Spyware Suffers Major Security Breach, Exposing User Data and Source Code

The pcTattletale spyware, known for its presence in the booking systems of several Wyndham hotels in the United States and its history of leaking sensitive data, has been hit by a significant security breach.

A security researcher, Eric Daigle, discovered a serious flaw in pcTattletale’s API, allowing unauthorized access to screenshots taken from devices where the spyware was installed. Attempts to contact the developers to fix the issue were ignored.

Additionally, an unknown hacker exploited a different vulnerability to deface the pcTattletale website and leak 20 archives containing the spyware’s source code and database data. The hacker claims they used a Python exploit to extract AWS credentials via the spyware’s SOAP-based API. In an ironic twist, the hacker shared a video allegedly taken using pcTattletale, showing the website owner trying to restore the site. This suggests the owner may have been using their own spyware on their own device.

This incident highlights the risks associated with spyware and the potential for misuse of sensitive data. Users who have been targeted with pcTattletale may have had their screenshots, keystrokes, and other personal information compromised. The leaked source code could also be used by malicious actors to develop more sophisticated spyware or exploit the vulnerabilities in the existing software.

Critical Flaw in Courtroom Recording Software Exploited to Deliver RustDoor Malware

A critical security flaw (CVE-2024-4978) has been discovered in the installer of JAVS Viewer v8.3.7, software used for recording courtroom proceedings and other events. This vulnerability allowed attackers to deliver malware known as RustDoor through a compromised installer.

The attack involved replacing the legitimate installer with a malicious version signed with a fake certificate. Upon execution, the malware communicates with a command-and-control server, disables security features, and downloads additional payloads.

This malware, RustDoor, was previously known to target macOS devices, but this incident reveals a Windows version as well. Both versions share similar functionalities and are linked to a ransomware-as-a-service group called ShadowSyndicate.

The attack was discovered by Rapid7, which initiated an investigation after finding a malicious executable within the software’s installation folder. JAVS, the software developer, has acknowledged the issue, removed the affected version from its website, and taken steps to secure its systems. The company claims its source code and other software releases remain unaffected.

Users are advised to check for signs of compromise and, if infected, re-image affected devices, reset credentials, and update to the latest version of JAVS Viewer. This incident underscores the risks associated with software supply chain attacks and the importance of verifying the authenticity of downloaded software.
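The JAVS case turned on a trojanized installer carrying a signature from the wrong certificate, so "verifying authenticity" has to mean more than "is it signed". The PowerShell below is an added example, not code from the article, Rapid7 or JAVS; it treats an installer as trusted only when the Authenticode signature is valid, the signer's subject is the publisher you expect, and the SHA-256 hash matches a value published by the vendor. The expected publisher string and hash are placeholders that you must obtain from the vendor out of band.

```powershell
# Added example (not from the article or from JAVS): verify a downloaded Windows
# installer before running it. All three checks must pass:
#   1. the Authenticode signature is cryptographically valid and chains to a trusted root,
#   2. the signing certificate's subject is the publisher you expect (a valid signature
#      from an unexpected signer is exactly the fake-certificate case), and
#   3. the SHA-256 hash matches the value the vendor publishes separately from the download.
# $ExpectedPublisher and $ExpectedSha256 are placeholders for vendor-supplied values.
function Test-InstallerAuthenticity {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher,   # full X.500 subject, e.g. 'CN=..., O=..., C=...'
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )
    $problems = @()

    # Check 1: signature present, intact, and chained to a trusted root (status 'Valid').
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $problems += "signature status is '$($sig.Status)', not 'Valid'"
    }

    # Check 2: exact subject match. A substring or CN-only match is deliberately avoided,
    # because a look-alike certificate can embed the real vendor's name in its own subject.
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($subject -ne $ExpectedPublisher) {
        $problems += "signer subject '$subject' does not match the expected publisher"
    }

    # Check 3: hash pinned to the vendor-published value (Get-FileHash returns uppercase hex).
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($hash -ne $ExpectedSha256.ToUpperInvariant()) {
        $problems += "SHA-256 $hash does not match the vendor-published value"
    }

    [pscustomobject]@{
        Path     = $Path
        Trusted  = ($problems.Count -eq 0)
        Signer   = $subject
        Sha256   = $hash
        Problems = ($problems -join '; ')
    }
}

# Usage with placeholder values: refuse to run the installer unless every check passed.
$result = Test-InstallerAuthenticity -Path 'C:\Downloads\installer.exe' `
    -ExpectedPublisher 'CN=EXPECTED PUBLISHER PLACEHOLDER' `
    -ExpectedSha256    'SHA256 FROM VENDOR SITE PLACEHOLDER'
$result | Format-List
if (-not $result.Trusted) { Write-Warning 'Do not run this installer; escalate to your security team.' }
```

Run the check on the downloaded file before the first execution, and keep the vendor-published hash and publisher string in your own configuration management rather than copying them from the same page the installer came from.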