Romanian Hospitals, RoguePlanet, FortiBleed: Daily Security Digest
Over 100 Romanian hospitals went offline to stop ransomware; a zero-day in Defender; and a GPU cluster cracked 75,000 Fortinet firewalls.
Romanian Hospitals Fight Ransomware with Pen and Paper
On 10 February 2024, a ransomware attack using the BackMyData strain hit over 100 Romanian hospitals. The breach occurred at the Bucharest-based software firm RSC, compromising the widely used Hippocrates medical information system. Attackers demanded a ransom of €160,000 in bitcoin.

Dan Cimpean, head of Romania's National Cyber Security Directorate (DNSC), ordered all affected hospitals to disconnect from the internet immediately. Medical staff fell back to pen and paper, registering patients in Excel and other offline tools and requesting lab results on paper. Surgeon Oana Goidescu at Buzău Hospital noted the loss of lab test, radiology, medicines and supplies records. Vlad Paic of Carol Davila Hospital described developing an offline method for patient registration. The DNSC used public messaging to urge patients to avoid hospitals unless necessary and instructed hospitals not to contact the attackers or pay the ransom.

Investigators found that 26 hospitals had been infected. Uninfected hospitals were brought back online with added protections the next day, and within five days most hospitals were back online and operating near normally. No deaths or serious harm to patients were reported, but some data was lost for good, and entering the information recorded on paper took weeks longer. Cimpean said the attack could have happened anywhere: the more technology and digitisation, the greater the risk.
How 100 Romanian hospitals switched to pen and paper to defeat a national cyber-attack →
Apple and Tesla Documents Leaked After Tata Electronics Breach
An international ransomware group breached Tata Electronics, an India-based Tata Group subsidiary that provides electronics manufacturing and assembly services. Sensitive technical documents belonging to Apple and Tesla were subsequently leaked on the dark web. The incident highlights the supply chain risk created by third-party vendors that handle confidential data for major technology companies.
Apple, Tesla documents exposed after hackers hit Tata: report →
RoguePlanet Zero-Day in Microsoft Defender Grants Full System Access
Security researcher Nightmare Eclipse discovered a zero-day vulnerability in Microsoft Defender, designated CVE-2026-50656 and named RoguePlanet. The flaw is a race condition that lets an attacker gain full system-level access on fully patched Windows 10 and Windows 11 devices. The researcher published a proof-of-concept exploit in a self-hosted Git repository, stating that Microsoft had previously had the researcher's exploit repositories on GitHub and GitLab taken down. Microsoft confirmed the vulnerability as an elevation-of-privilege issue in the Microsoft Malware Protection Engine used by Microsoft Defender and said it is working to provide a high-quality security update; further details will be added to the CVE record when the update is available.
Microsoft scrambles to patch a Defender security flaw called RoguePlanet →
Prinz Eugen Ransomware Targets Recent Files, Skips Ransom Notes
Prinz Eugen ransomware, a Go-based encryptor, prioritizes recently modified files: it processes files by modification time starting with the most recent and falls back to alphabetical order only when timestamps match. It appends the .prinzeugen extension to encrypted files. A June 17 analysis by ThreatDown reported that the sample uses ChaCha20-Poly1305 encryption, integrity checks, and a custom file header. It supports an optional --delete flag that removes the original file only after verifying that the encrypted copy can be decrypted. Notably, the analyzed sample did not create a ransom note, HTML page, wallpaper change, or any other written demand on the victim's file system. After execution it zeroes key material, runs garbage collection, and deletes itself. For IT teams, the risk is a recovery and detection gap: same-day work may be hit before the next clean snapshot, while playbooks built around ransom-note discovery may not trigger quickly enough. In the environment ThreatDown investigated, the actor used RemotePC to launch PowerShell stagers and deploy additional payloads.
Prinz Eugen Ransomware Hits Recent Files First and Skips Ransom Notes - TechRepublic →
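Two points in the write-up above are worth making concrete: a detection trigger that does not wait for a ransom note, and the recovery gap that newest-first encryption opens against the last clean snapshot. The script below is an added example written for this digest, not ThreatDown's tooling or anything from the malware itself. The file-audit log format, the event lines and the file set are constructed for the example, and the window and threshold values are assumptions a team would tune to its own rename baseline.

```python
"""Ransom-note-independent detection and snapshot-gap estimate.

Added example. (1) detect_extension_burst() fires when many renames
append the same new suffix inside a short window, keyed on the suffix
rather than a known IOC, so it does not depend on ".prinzeugen" staying
constant or on a ransom note appearing. (2) snapshot_gap() shows which
files a newest-first encryptor reaches before anything a snapshot holds.
Log format, events and file set are constructed for the example.
"""
from collections import deque
from datetime import datetime, timezone

# Constructed file-audit events: "<ISO timestamp> RENAME <old> -> <new>".
SAMPLE_EVENTS = """\
2026-06-17T09:14:02Z RENAME /srv/share/q2-forecast.xlsx -> /srv/share/q2-forecast.xlsx.prinzeugen
2026-06-17T09:14:02Z RENAME /srv/share/board-deck.pptx -> /srv/share/board-deck.pptx.prinzeugen
2026-06-17T09:14:03Z RENAME /srv/share/payroll-june.csv -> /srv/share/payroll-june.csv.prinzeugen
2026-06-17T09:14:03Z RENAME /srv/share/contract-v7.docx -> /srv/share/contract-v7.docx.prinzeugen
2026-06-17T09:14:04Z RENAME /srv/share/notes.txt -> /srv/share/notes.txt.prinzeugen
2026-06-17T09:20:00Z RENAME /srv/share/draft.docx -> /srv/share/final.docx
"""

# Constructed file set: (path, mtime as epoch seconds); snapshot taken at 1000.
SAMPLE_FILES = [("a.xlsx", 1500), ("b.pptx", 1400), ("c.csv", 1400),
                ("d.docx", 900), ("e.txt", 500)]
SAMPLE_SNAPSHOT = 1000


def parse_events(text):
    """Parse constructed audit lines into (timestamp, op, old_path, new_path)."""
    events = []
    for line in text.splitlines():
        ts, op, rest = line.split(" ", 2)
        old, new = rest.split(" -> ")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, op, old, new))
    return events


def detect_extension_burst(events, window_s=10, threshold=5):
    """Return [(suffix, first_seen, count)] for suffixes appended to >= threshold
    files within window_s seconds. Only "old name + appended suffix" renames
    count, which is the pattern an appending encryptor produces."""
    recent = {}      # suffix -> deque of timestamps inside the window
    fired = set()    # suffixes already alerted on
    alerts = []
    for when, op, old, new in events:
        if op != "RENAME" or not new.startswith(old):
            continue
        suffix = new[len(old):]
        if not suffix.startswith("."):
            continue
        q = recent.setdefault(suffix, deque())
        q.append(when)
        while (when - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and suffix not in fired:
            fired.add(suffix)
            alerts.append((suffix, q[0], len(q)))
    return alerts


def newest_first_order(files):
    """Order files as the sample does: newest mtime first, name as tiebreak."""
    return sorted(files, key=lambda f: (-f[1], f[0]))


def snapshot_gap(files, last_snapshot, n_processed):
    """Paths among the first n_processed newest-first files that postdate the
    last clean snapshot; these are the ones no snapshot can restore."""
    hit = newest_first_order(files)[:n_processed]
    return [path for path, mtime in hit if mtime > last_snapshot]


if __name__ == "__main__":
    for suffix, first, count in detect_extension_burst(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT: {count} files renamed to *{suffix} starting {first.isoformat()}")
    print("unrecoverable after 3 files:", snapshot_gap(SAMPLE_FILES, SAMPLE_SNAPSHOT, 3))
```

With the constructed events, five renames to .prinzeugen land inside three seconds, so the detector fires on the rename pattern alone; the later draft.docx to final.docx rename is ignored because it does not append a suffix. The snapshot helper shows the other half of the problem: because the sample works newest-first, the first three files it touches are exactly the three modified after the snapshot.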
FortiBleed Campaign Exposes 75,000 Fortinet Firewalls via Rented GPU Cluster
The FortiBleed campaign exposed valid credentials for nearly 75,000 internet-facing Fortinet FortiGate firewalls across 21,632 domains. The attackers rented a large decentralized GPU cluster via Vast.ai: 36 enterprise-class GPUs managed through a Telegram bot, costing roughly $14.40 per hour, or under $350 for a full day. They used AI-assisted code editors and open-source frameworks to crack hashes, processing legacy Fortinet hashes at up to 720 billion raw hashes per second and newer PBKDF2 hashes at 180-360 million per second.

The attackers ingested exported FortiOS config files, recovered plaintext passwords of firewall administrators, deployed network sniffers, and captured roughly 143,000 Kerberos and 33,000 NetNTLM hashes from traffic bound for internal domain controllers. Compromised edge devices served as beachheads for lateral movement into third-party vendors, MSPs, and trusted partners, creating a cascading supply chain crisis. Cybersecurity researcher Kevin Beaumont commented that the generative AI craze has lowered the bar for password cracking. Hudson Rock launched a dedicated portal for organizations to verify whether their domains are part of the compromised dataset.
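The campaign turned exported FortiOS configurations into cracking input, so one practical check is to audit what an export of your own firewall reveals about its administrative exposure. The script below is an added example for this digest, not Fortinet, Hudson Rock or FortiBleed tooling. It assumes the standard FortiOS CLI export syntax (config / edit / set / next / end) for the system admin and system interface tables; the sample configuration is constructed and its password hashes are placeholders. It deliberately does not try to classify the hash formats the article mentions.

```python
"""Audit an exported FortiOS configuration for administrative exposure.

Added example, not vendor or campaign tooling. It parses the
`config system admin` and `config system interface` tables of a FortiOS
export and flags what made stolen exports so damaging: admin accounts
reachable from any source (no trusthost), admins without two-factor,
management protocols allowed on WAN-role interfaces, and the presence of
admin password hashes in the export itself. Sample config is constructed;
hash values are placeholders, not real FortiOS hashes.
"""
import shlex
from collections import defaultdict

MGMT_PROTOCOLS = {"https", "http", "ssh", "telnet"}

# Constructed FortiOS export excerpt (hash values are placeholders).
SAMPLE_CONFIG = """\
#config-version=FGT60F-7.4.0-FW-build2360-230509:opmode=0:vdom=0
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC AK1PLACEHOLDERHASH
    next
    edit "netops"
        set trusthost1 10.10.0.0 255.255.0.0
        set trusthost2 10.20.5.0 255.255.255.0
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000000"
        set accprofile "prof_admin"
        set vdom "root"
        set password ENC SH2PLACEHOLDERHASH
    next
end
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh fgfm
        set type physical
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 10.10.0.1 255.255.0.0
        set allowaccess ping https ssh
        set type hard-switch
        set role lan
    next
end
"""


def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}} for top-level config tables.

    A stack tracks nested `config` blocks; only entries at depth 1 are
    recorded, which is all the admin and interface tables need.
    """
    tables = defaultdict(dict)
    stack = []       # open `config ...` block names
    entry = None     # (table, entry name) of the open `edit`
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens[0] == "config":
            stack.append(" ".join(tokens[1:]))
        elif tokens[0] == "edit" and len(stack) == 1:
            entry = (stack[0], tokens[1])
            tables[stack[0]].setdefault(tokens[1], {})
        elif tokens[0] == "set" and entry and len(stack) == 1:
            tables[entry[0]][entry[1]][tokens[1]] = tokens[2:]
        elif tokens[0] == "next" and len(stack) == 1:
            entry = None
        elif tokens[0] == "end" and stack:
            stack.pop()
    return tables


def audit_config(text):
    """Return a list of human-readable findings for an exported config."""
    tables = parse_fortios(text)
    findings = []
    for name, s in tables.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in s):
            findings.append(f"admin '{name}': no trusthost, reachable from any source")
        if s.get("two-factor", ["disable"])[0] == "disable":
            findings.append(f"admin '{name}': two-factor disabled")
        if s.get("password", [""])[0] == "ENC":
            findings.append(f"admin '{name}': password hash present in export (offline cracking target)")
    for name, s in tables.get("system interface", {}).items():
        exposed = MGMT_PROTOCOLS & set(s.get("allowaccess", []))
        if s.get("role", [""])[0] == "wan" and exposed:
            findings.append(f"interface '{name}': management {sorted(exposed)} allowed on WAN role")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

On the constructed export the built-in admin account is flagged three times (no trusthost, no two-factor, hash present), the netops account only for the hash it carries, and wan1 for allowing HTTPS and SSH management on a WAN-role interface. The last finding is the one that matters most in the context above: an exported config is only a cracking problem for the attacker if the cracked credential can then be used from the internet.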