company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Bulk IP/Domain Lookup

Threatspy

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO

Application Security Engineer

DevsecOps Engineer

IT Manager

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

EDR

loading..
loading..
loading..

EDRKillShifter: A New EDRKilling Malware Weapon for Ransomware Operators

Discover EDRKillShifter, a new EDR-Killing malware used by ransomware operators. Learn how it bypasses security software detection capabilities

16-Aug-2024
3 min read

No content available.

Related Articles

loading..

Woocommerce

WebShell

Critical WooCommerce phishing alert: Fake patches install backdoors & web shells...

A brazen, large-scale phishing campaign is exploiting panic among WooCommerce users, duping website administrators into installing a "critical security patch" that hijacks their sites, creates secret backdoors, and plants web shells for long-term control. Discovered by Patchstack researchers, the operation mirrors a 2023 attack but deploys chilling new tactics to evade detection. ### **A Perfect Storm of Fear and Deception** The attack begins with an email that strikes at the heart of every website owner's fears: a *critical vulnerability*. Posing as an urgent security alert from WooCommerce (`help@security-woocommerce[.]com`), the message claims hackers are actively exploiting an “*unauthenticated administrative access*” flaw. Recipients are urged to download a patch immediately, or risk catastrophic breaches. **Key Red Flags Hidden in Plain Sight:** - **Spoofed Domain**: The link directs to `woocommėrce[.]com`, using a Lithuanian “ė” (U+0117) to mimic the legitimate `woocommerce.com`. - **Fabricated Dates**: The email references a non-existent vulnerability “discovered” on April 14, 2025, and a scan from April 21, 2025—dates deliberately set in the future to avoid suspicion. - **Urgency Overload**: Phrases like “*urgent measures*” and “*protect your data*” pressure victims to act without scrutiny. _“This is psychological warfare,” says a Patchstack analyst. “They weaponize trust in brands like WooCommerce to bypass rational judgment.”_ --- ### **A Malicious Plugin That Disappears** The downloaded file, `authbypass-update-31297-id.zip`, masquerades as a security patch. But once installed, it unleashes a cascade of attacks: 1. **Hidden Cronjob Hijacking**: A randomly named cronjob executes every minute, spawning a new admin account with an 8-character randomized username (e.g., `xq9f7zty`). 2. **Silent Backchannel**: The plugin pings `woocommerce-services[.]com/wpapi` to fetch a second-stage payload—a heavily obfuscated script. 3. **Web Shell Onslaught**: The payload deploys PHP-based shells like **P.A.S.-Form**, **p0wny**, and **WSO** into `wp-content/uploads/`, granting attackers full server control. **Why This Matters**: These web shells can: - Steal credit card data from checkout pages. - Redirect users to phishing/scam sites. - Enlist the server in DDoS botnets. - Deploy ransomware to lock owners out. Worse, the plugin *erases itself* from the WordPress dashboard and hides the malicious admin account—leaving victims oblivious. ### **Anatomy of an Attack** *(Source: Patchstack)* | **Stage** | **Action** | |-------------------------|---------------------------------------------------------------------------| | **1. Phishing Email** | Fake WooCommerce alert with “Download Patch” button. | | **2. Malicious Domain** | Homograph `woocommėrce[.]com` mimics the real site. | | **3. Plugin Installation** | Installs cronjob, hidden admin, and fetches payload. | | **4. Web Shell Deployment** | Drops P.A.S.-Form, p0wny, and WSO shells for remote access. | | **5. Persistence** | Self-deletes from plugins list; evades manual audits. | --- ### **How Attackers Stay Invisible** The campaign’s sophistication lies in its stealth: - **Domain Rotation**: Payloads are fetched from `woocommerce-services[.]com`, `woocommerce-api[.]com`, or `woocommerce-help[.]com`—domains likely discarded once exposed. - **Legacy Code Mimicry**: The plugin’s structure resembles legitimate WooCommerce updates to avoid raising flags. - **No Trace Left**: After installation, the plugin vanishes, forcing admins to hunt for artifacts like cronjobs or hidden folders. _“This isn’t smash-and-grab,”_ warns Patchstack. _“It’s a silent siege designed to persist undetected for months.”_ --- ### **Detection & Mitigation** **If You’re Affected:** - **Check for**: - Random 8-character admin accounts. - Cronjobs executing `/wp-content/plugins/[random]/includes.php`. - Folders named `authbypass-update`. - Outbound traffic to suspicious domains (e.g., `woocommerce-services[.]com`). - **Immediate Steps**: - Terminate unrecognized admin accounts. - Scan for web shells in `wp-content/uploads/`. - Audit server logs for unusual GET/POST requests. **Prevention Tactics**: 1. **Never Trust Email Links**: Manually navigate to official sites for updates. 2. **Homograph Defense**: Type domains manually or use bookmarks. 3. **Enable 2FA**: Mandate two-factor authentication for all admin accounts. 4. **Backup Relentlessly**: Store backups offline to counter ransomware. ### **A Repeating Threat** This campaign is a sequel to a late-2023 operation that peddled fake patches for a fictional WordPress vulnerability. Both attacks share: - Identical payload-hiding methods. - Overlapping web shell toolkits. - Near-identical email templates. _“These actors are iterating,”_ says Patchstack. _“They learn from past campaigns to refine their social engineering.”_ As phishing campaigns grow more polished, the line between legitimate alerts and lethal traps blurs. For WooCommerce’s 5+ million users, this attack is a wake-up call: *assume every email is guilty until proven innocent*. **“Cybersecurity isn’t about tools—it’s about habits,”** says a Patchstack spokesperson. “Slow down. Verify. Question urgency. That’s how you break the chain.” --- *Stay vigilant. Share this article with your network. For real-time updates, follow [Your Publication] on Twitter/X and subscribe to our Threat Intel newsletter.*

loading..   29-Apr-2025
loading..   4 min read
loading..

DaVita

Interlock

Interlock ransomware claims theft of 20TB from DaVita Healthcare, leaking 1.5TB ...

**Denver, CO** — Patients reliant on life-saving dialysis treatments from DaVita Healthcare Partners Inc. are confronting a new threat: the potential exposure of their sensitive personal and medical data. The Interlock ransomware group, a rising cybercriminal entity, has claimed responsibility for stealing **20 terabytes of data** from the healthcare giant, including the personal details of millions of patients. While 1.5 terabytes of this data have already been leaked on the dark web, the group is now attempting to monetize the remaining 18.5 terabytes, escalating fears of widespread identity theft, insurance fraud, and privacy violations. ### **A Timeline of Events** The cyberattack unfolded on **April 12, 2025**, when Interlock infiltrated DaVita’s systems, encrypting critical infrastructure and disrupting internal operations. DaVita, which operates over **3,000 outpatient dialysis centers globally** and serves approximately **281,100 patients**, promptly notified the U.S. Securities and Exchange Commission (SEC) but withheld specifics to avoid compromising its investigation. The disclosure triggered a **3% drop in DaVita’s stock price**, reflecting investor anxiety over the breach’s financial and reputational fallout. By early May, Interlock began leaking stolen data on its dark web portal, including patient names, Social Security numbers, medical histories, and treatment records. Screenshots reviewed by *Hackread.com* confirm the authenticity of some posted files, though DaVita has yet to verify the full extent of the breach. _“We are disappointed in these actions against the healthcare community and will continue working to defend against such attacks,”_ a DaVita spokesperson said, emphasizing efforts to safeguard patient care continuity. --- ### **Interlock’s Growing Threat to Healthcare** Emerging in **October 2024**, Interlock has rapidly gained notoriety for high-impact ransomware campaigns. The group employs a double-extortion model: encrypting victims’ systems and exfiltrating data to pressure organizations into paying ransoms. According to **Paul Bischoff, Consumer Privacy Advocate at Comparitech**, Interlock has executed **13 confirmed attacks** and claims **17 U.S. healthcare breaches in 2025 alone**. _“Healthcare providers are prime targets due to the critical nature of their services and the sensitivity of patient data,”_ Bischoff told *Hackread.com*. _“Attacks like DaVita’s can paralyze operations and leave victims vulnerable to exploitation for years.”_ Interlock’s prior targets include the **Texas Tech University Health Sciences Center**, where a 2024 breach compromised records of **530,000 individuals**. The group’s escalating activity mirrors a broader crisis: **25.7 million patient records** were exposed in **160 healthcare ransomware incidents** in 2024, per Comparitech data. --- ### **Patient Risks and Industry Implications** The DaVita breach poses dire risks for patients, particularly those undergoing dialysis—a lifeline for individuals with end-stage renal disease. Leaked data could enable: - **Medical identity theft**: Fraudulent insurance claims or prescription fraud. - **Targeted phishing schemes**: Criminals posing as healthcare providers. - **Discrimination**: Exploitation of sensitive health conditions in employment or insurance contexts. Cybersecurity experts warn that even partial data leaks can have cascading consequences. “Once data is on the dark web, it’s nearly impossible to retract,” Bischoff noted. “Victims must monitor their accounts indefinitely.” --- ### **DaVita’s Response and Regulatory Scrutiny** DaVita has activated incident response protocols, including third-party cybersecurity audits and patient notification systems. However, the company faces mounting scrutiny over its data protection practices. Under the **Health Insurance Portability and Accountability Act (HIPAA)**, healthcare providers must implement safeguards against cyber threats—a standard critics argue DaVita failed to meet. The breach also reignites debates about ransomware payments. While DaVita has not confirmed whether it negotiated with Interlock, the FBI discourages payments, arguing they incentivize further attacks. As DaVita races to contain the fallout, the Interlock breach serves as a grim reminder: in an era of escalating cyber warfare, healthcare providers—and the patients who depend on them—are increasingly in the crosshairs.

loading..   26-Apr-2025
loading..   4 min read
loading..

Healthcare

Yale New Haven Health data breach exposed the personal information of 5.5M patie...

Connecticut's largest healthcare system, Yale New Haven Health System (YNHHS), has reported a significant data breach affecting approximately 5.5 million patients. The cyberattack, which occurred in March 2025, allowed unauthorized access to sensitive patient information including personal identifiers and some healthcare-related data. While the organization has implemented mitigation measures and begun notifying affected individuals, the incident has already resulted in multiple class-action lawsuits. This breach represents one of the largest healthcare data compromises reported in 2025 and highlights the persistent cybersecurity challenges facing the healthcare sector. ## Timeline and Discovery of the Breach The security incident began on March 8, 2025, when YNHHS detected unusual activity affecting its information technology systems[1][4][14]. The organization immediately took steps to contain the incident, engaging external cybersecurity experts, including Mandiant, to assist with system restoration and forensic investigation. Federal law enforcement authorities were promptly notified about the breach. On March 11, 2025, YNHHS made its first public statement about the cybersecurity incident, acknowledging system disruptions but emphasizing that patient care operations remained unaffected[1]. Approximately one month later, on April 11, 2025, the healthcare system confirmed through its investigation that the incident was indeed a data breach, revealing that an unauthorized third party had gained network access and obtained copies of certain data. The data breach was formally reported to the U.S. Department of Health and Human Services Office for Civil Rights on April 11, 2025, with documentation confirming that 5,556,702 individuals were affected. Beginning April 14, 2025, YNHHS started mailing notification letters to affected patients whose information was involved in the breach. ## Scope of the Compromised Data The investigation revealed that the unauthorized third party accessed YNHHS's network and obtained copies of sensitive patient information[4]. The compromised data varied by individual but potentially included several categories of personally identifiable information and limited healthcare-related data. The types of data exposed in the breach include: - Full names - Dates of birth - Home addresses - Telephone numbers - Email addresses - Race/ethnicity information - Social Security numbers - Patient type classifications - Medical record numbers ImportSignificantly, YNHHS has clarified that specific categories of sensitive information were not compromised in the breach. The organization's statement emphasized that electronic medical records and treatment information were not accessed during the incident. Additionally, financial account details and payment information were also confirmed not to be part of the exposed data. ## YNHHS Response and Mitigation Efforts Yale New Haven Health System implemented a multi-faceted response to contain the breach and mitigate potential harm to affected individuals. Upon detecting the unauthorized activity, the organization immediately engaged cybersecurity firm Mandiant to assist with system restoration and conduct a thorough forensic investigation. The healthcare system also reported the incident to law enforcement authorities, who initiated an ongoing investigation. In accordance with federal regulations, YNHHS began sending notification letters to affected patients on April 14, 2025[1][4]. In a statement on its website, the organization noted: "YNHHS considers the health, safety, and privacy of patients our top priority. We are continuously updating and enhancing our systems to protect the data we maintain and to help prevent events such as this from occurring in the future". For patients whose Social Security numbers were exposed in the breach, YNHHS is offering complimentary credit monitoring and identity protection services. When contacted by media outlets, YNHHS Director of Public Relations Dana Marnane stated that the health system takes its "responsibility to safeguard patient information incredibly seriously"[10]. When pressed by TechCrunch about whether the incident was ransomware-related, Marnane did not dispute this characterization, noting that "the sophistication of the attack leads us to believe that it was executed by an individual or group who has a pattern of these types of incidents"[query]. ## Legal and Regulatory Implications The data breach has promptly triggered legal action, with at least eight federal lawsuits filed against YNHHS as of late April 2025[10]. These class-action complaints allege that the healthcare system failed to adequately protect patients' personally identifiable and health information, particularly sensitive data like Social Security numbers and medical record numbers. The lawsuits further claim that YNHHS delayed clearly notifying affected patients, potentially hindering their ability to take timely protective measures[10]. Plaintiffs are seeking various remedies, including financial damages, free lifetime identity protection services, and comprehensive improvements to the health system's cybersecurity practices[10]. One complaint specifically alleges that YNHHS failed to implement basic security protections such as file encryption, proper employee training on data security, and multi-factor authentication[10]. Another lawsuit claims that patients now face "a lifetime risk of identity theft due to the nature of the information lost, which they cannot change and which cannot be made private again"[10]. Some plaintiffs have reported experiencing an increase in spam calls and phishing attempts since the incident, suggesting that their information may already be circulating in illicit channels[10]. Law firm Levi & Korsinsky, investigating the breach, noted that it exemplifies insufficient data protections in a sector handling highly sensitive personal information[10]. ## Context of Healthcare Data Breaches The YNHHS breach occurs amid a concerning pattern of data security incidents within the healthcare sector. Just days before this breach was publicly confirmed, Blue Shield of California disclosed that it had inadvertently exposed protected health information of 4.7 million members to Google's analytics and advertisement platforms between April 2021 and January 2024[8][11]. Unlike the apparent malicious attack on YNHHS, the Blue Shield incident resulted from a misconfiguration of Google Analytics that allowed sensitive data to be shared with Google Ads[8]. Earlier in 2025, UK healthcare provider HCRG Care Group confirmed it was investigating a cybersecurity incident after the Medusa ransomware group claimed to have stolen more than two terabytes of sensitive data from the company[3]. In that case, the ransomware group threatened to publish the allegedly stolen data unless HCRG paid a $2 million ransom demand[3]. The healthcare sector remains particularly vulnerable to cyberattacks due to the high value of medical data on illicit markets and the critical nature of healthcare operations that creates pressure to resolve disruptions quickly. According to cybersecurity experts, about 83% of organizations admit to paying hackers following a ransomware attack, with more than half paying at least $100,000[7]. However, paying ransoms carries significant risks-80% of ransomware victims who paid were subsequently targeted again, often with higher ransom demands[7]. As of the reporting date, no major ransomware group has publicly claimed responsibility for the YNHHS attack[1]. However, the spokesperson's comments about the "sophistication of the attack" and reference to attackers with "a pattern of these types of incidents" suggest potential ransomware involvement, though the healthcare provider has declined to confirm whether it received any ransom demands[query]. ## Conclusion The Yale New Haven Health System data breach represents one of the most significant healthcare security incidents of 2025, affecting approximately 5.5 million patients. While the organization acted quickly to contain the breach and has begun offering protective services to those with exposed Social Security numbers, the incident has already generated multiple lawsuits and raised serious questions about data security practices within the healthcare sector. For affected individuals, the breach creates potential long-term risks of identity theft and fraud, particularly concerning given the sensitive nature of the exposed information. Patients whose data was compromised should carefully monitor their credit reports and financial accounts for suspicious activity, consider accepting the offered credit monitoring services, and remain vigilant against potential phishing attempts that might leverage the stolen information. The incident underscores the persistent and evolving cybersecurity challenges facing healthcare organizations, which must balance operational demands with the need to protect vast amounts of sensitive patient information. As investigations continue and legal proceedings advance, this breach will likely influence healthcare security practices and potentially shape regulatory approaches to data protection in the healthcare sector. Citations: [1] https://www.bleepingcomputer.com/news/security/yale-new-haven-health-data-breach-affects-55-million-patients/ [2] https://www.govinfosecurity.com/yale-new-haven-health-notifying-55-million-march-hack-a-28081 [3] https://techcrunch.com/2025/02/20/uk-healthcare-giant-hcrg-confirms-hack-after-ransomware-gang-claims-theft-of-sensitive-data/ [4] https://www.pymnts.com/cybersecurity/2025/yale-new-haven-health-system-reports-data-breach-affecting-5-5-million-patients/ [5] https://www.techtarget.com/healthtechsecurity/news/366623025/Yale-New-Haven-Health-notifies-nearly-56M-people-of-breach [6] https://www.hartfordbusiness.com/article/federal-judge-oks-1m-settlement-in-ynhh-retirement-fee-lawsuit [7] https://techcrunch.com/2023/10/31/ransomware-victims-paying-hackers-ransom/ [8] https://www.bleepingcomputer.com/news/security/blue-shield-of-california-leaked-health-data-of-47-million-members-to-google/ [9] https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf [10] https://yaledailynews.com/blog/2025/04/25/patients-sue-ynhh-after-cyberattack-compromises-health-data/ [11] https://techcrunch.com/2025/04/25/data-breach-at-connecticut-yale-new-haven-health-affects-over-5-million/ [12] https://yaledailynews.com/blog/2025/02/12/ynhh-systematically-underpaid-employees-lawsuit-alleges/ [13] https://www.hhs.gov/sites/default/files/new-haven-resolution-agreement-corrective-action-plan.pdf [14] https://www.ynhhs.org/legal-notices [15] https://aspe.hhs.gov/sites/default/files/private/pdf/77196/rpt_Disclosure.pdf [16] https://www.ynhhs.org/policies [17] https://www.techmonitor.ai/technology/cybersecurity/ynhhs-cyberattack-data-5-5-million-patients [18] https://patch.com/connecticut/across-ct/details-emerge-number-patients-impacted-yale-data-breach [19] https://www.digitalhealthnews.com/yale-new-haven-health-breach-exposes-data-of-5-5-mn-patients [20] https://www.ynhhs.org/policies [21] https://yaledailynews.com/blog/2023/10/13/following-cyberattack-yale-new-haven-health-asks-for-state-aid-lowered-price-to-aquire-connecticut-hospitals/ [22] https://www.bankinfosecurity.com/yale-new-haven-health-notifying-55-million-march-hack-a-28081 [23] https://ssojet.com/blog/yale-new-haven-health-data-breach-impacts-over-55-million-patients/ [24] https://www.ynhhs.org/news/yale-new-haven-health-notifies-patients-of-data-security-incident [25] https://yalehealth.yale.edu/nondiscrimination-notice [26] https://ctmirror.org/2024/01/04/ct-welltok-data-breach-ynhh/ [27] https://www.securityweek.com/5-5-million-patients-affected-by-data-breach-at-yale-new-haven-health/ [28] https://lifehacker.com/tech/yale-new-haven-health-data-breach [29] https://www.ctpost.com/business/article/yale-new-haven-health-data-breach-20292710.php [30] https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf [31] https://www.hipaajournal.com/yale-new-haven-health-system-data-breach/ [32] https://www.malwarebytes.com/blog/news/2025/04/4-7-million-customers-data-accidentally-leaked-to-google-by-blue-shield-of-california [33] https://www.ynhhs.org [34] https://news.bloomberglaw.com/daily-labor-report/yale-new-haven-health-system-hit-with-wages-hours-class-action?context=search&index=7 [35] https://www.beckershospitalreview.com/cybersecurity/yale-new-haven-seeks-price-reduction-in-hospital-acquisition-amidst-cyberattack-fallout.html [36] https://www.techtarget.com/healthtechsecurity/news/366623133/Blue-Shield-of-California-Data-of-millions-shared-with-Google [37] https://www.ynhh.org/patients-visitors/patient-rights-responsibilities [38] https://yaledailynews.com/blog/2025/04/25/patients-sue-ynhh-after-cyberattack-compromises-health-data/ [39] https://techcrunch.com/2025/04/25/data-breach-at-connecticut-yale-new-haven-health-affects-over-5-million/ [40] https://www.securityweek.com/blue-shield-of-california-data-breach-impacts-4-7-million-people/ [41] https://aspe.hhs.gov/reports/records-computers-rights-citizens [42] https://www.nbcconnecticut.com/news/local/yale-new-haven-health-investigating-cybersecurity-incident-affecting-it-services/3517226/ [43] https://www.ctinsider.com/business/article/yale-new-haven-health-data-breach-20292710.php [44] https://www.hartfordbusiness.com/article/yale-new-haven-health-faces-lawsuits-over-data-breach-health-system-discloses-more-details [45] https://www.bleepingcomputer.com/news/security/yale-new-haven-health-data-breach-affects-55-million-patients/ [46] https://medicalbuyer.co.in/ynhhs-pmh-locked-in-legal-battle-over-435m-hospital-deal/ [47] https://www.lmhospital.org/news/yale-new-haven-health-notifies-patients-of-data-security-incident [48] https://www.tradingview.com/news/reuters.com,2025-04-17:newsml_GNXc7h6Z4:0-lynch-carpenter-investigates-claims-in-yale-new-haven-health-systems-data-breach/ [49] https://techcrunch.com/2025/02/20/uk-healthcare-giant-hcrg-confirms-hack-after-ransomware-gang-claims-theft-of-sensitive-data/ [50] https://www.hhs.gov/sites/default/files/fy-2018-foia-log.xlsx [51] https://www.pymnts.com/cybersecurity/2025/yale-new-haven-health-system-reports-data-breach-affecting-5-5-million-patients/ --- Answer from Perplexity: pplx.ai/share

loading..   26-Apr-2025
loading..   11 min read
Company Logo
logo

Secure Blink automates the web application and API security for developers and security teams, helping them to rapidly identify and mitigate vulnerabilities more effectively than they can today.

Find Us Online

LinkedIn Logo
Twitter Logo
Discord Logo
Telegram Logo
YouTube Logo
contact@secureblink.com

contact@secureblink.com

@ Copyright 2025 Secure Blink. All rights reserved.

16192, Coastal Highway, Lewes, Delaware, US-19958