Johnson Controls Faces Major Ransomware Attack; Dark Angels Group Demands $51 Million
Johnson Controls International, a major multinational conglomerate that produces industrial control systems, security equipment, and more, has been hit by a ransomware attack. The attack encrypted numerous company devices, including VMware ESXi servers, disrupting the operations of both the main company and its subsidiaries. The breach reportedly began at the company's Asia offices. Following the attack, many of its subsidiaries displayed technical outage messages on their websites. The Dark Angels ransomware group is believed to be behind the attack, demanding a $51 million ransom and claiming to have stolen over 27 TB of corporate data. Johnson Controls has acknowledged the cybersecurity incident and is working with external experts to investigate. 
ALPHV/BlackCat Ransomware Targets McLaren Health Care, Claims Breach of 2.5 Million Patient Data
The ALPHV/BlackCat ransomware gang has targeted McLaren Health Care in Michigan, USA, claiming to have stolen data from 2.5 million patients. The gang accuses McLaren of trying to hide the breach and asserts they still have access to the organization's network. The group's message suggests that McLaren attempted to negotiate with them and downplayed the breach's severity. The ALPHV ransomware group has been active in recent weeks, targeting various entities, including Clarion and the Motel One hotel chain. Since its inception in November 2021, the gang has attacked numerous organizations, demanding ransoms ranging from thousands to millions of dollars. 
Unpatched Exim Vulnerability Exposes Over 3.5 Million Servers to Remote Code Execution
A critical zero-day vulnerability, identified as CVE-2023-42115 with a CVSS score of 9.8, affects all versions of the Exim mail transfer agent (MTA) software. This vulnerability allows remote attackers to execute arbitrary code on affected Exim installations without requiring authentication. The vulnerability stems from an Out-of-bounds Write issue in the SMTP service, which arises due to the lack of proper validation of user-supplied data, potentially leading to a write past the end of a buffer. An anonymous researcher disclosed this flaw through Trend Micro’s Zero Day Initiative (ZDI) on June 6, 2022, and ZDI reported it to the vendor on June 14, 2022. Despite more than a year having passed since the disclosure, the vulnerability remains unpatched. As of the report, over 3.5 million Exim servers are exposed online. The only suggested mitigation strategy is to restrict access to the application to trusted networks. 
Lazarus Group's Stealthy LinkedIn Attack on Spanish Aerospace Firm Unveiled
ESET researchers uncovered a cyberattack by the Lazarus group against a Spanish aerospace company. The attackers posed as Meta recruiters on LinkedIn, using job offers to lure employees. The actor delivered malicious executables via ISO images on third-party cloud storage masqueraded as coding challenges. The primary tool used was an HTTP(S) downloader named NickelLoader, which subsequently deployed a new remote access trojan (RAT) called LightlessCan. This RAT mimics native Windows commands, enhancing its stealth. The attack underscores the continuous evolution of Lazarus's tactics and the need for heightened awareness against unsolicited messages. 
NATO Faces Second Alleged Cyber Breach by Hacktivist Group SiegedSec
NATO is investigating claims by the hacktivist group SiegedSec that they breached NATO's computer systems for the second time in three months. SiegedSec alleges they stole around 3,000 NATO documents, amounting to over nine gigabytes of data. In response, NATO has implemented additional cybersecurity measures, emphasizing that there has been no impact on their missions or operations. In July, SiegedSec claimed to have stolen 700 files from a NATO portal. The group, which emerged on Telegram in April 2022, has a history of politically motivated attacks and denies any state affiliations. They have targeted various entities, from state websites to satellite receivers, often citing political motivations. Recently, the group has hinted at connections with other cybercrime groups involved in extortion activities. 
Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack: https://cti.eclecticiq.com/taxii/discovery.
Please refer to our support page for guidance on how to access the feeds.
About EclecticIQ Intelligence and Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence and Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
We would love to hear from you. Please send us your feedback by emailing us at firstname.lastname@example.org or fill in the EclecticIQ Audience Interest Survey to drive our research toward your priority area.
You might also be interested in:
Chinese State-Sponsored Cyber Espionage Activity Targeting Semiconductor Industry in East Asia
Ransomware and DDoS Feature in The Apex of Crime-as-a-Service Report
Decrypting Key Group Ransomware: Emerging Financially Motivated Cyber Crime Gang
 “Building automation giant Johnson Controls hit by ransomware attack,” BleepingComputer. Accessed: Oct. 09, 2023. [Online]. Available: https://www.bleepingcomputer.com/news/security/building-automation-giant-johnson-controls-hit-by-ransomware-attack/
 P. Paganini, “BlackCat gang claims they stole data of 2.5 million patients of McLaren Health Care,” Security Affairs. Accessed: Oct. 09, 2023. [Online]. Available: https://securityaffairs.com/151748/cyber-crime/mclaren-health-care-blackcat-ransomware.html
 P. Paganini, “A still unpatched 0-day RCE impacts more than 3.5M Exim servers,” Security Affairs. Accessed: Oct. 09, 2023. [Online]. Available: https://securityaffairs.com/151693/hacking/cve-2023-42115-exim-mail-transfer.html
 “Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company.” Accessed: Oct. 09, 2023. [Online]. Available: https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/
 A. J. Vicens, “NATO investigating breach, leak of internal documents,” CyberScoop. Accessed: Oct. 09, 2023. [Online]. Available: https://cyberscoop.com/nato-siegedsec-breac/