FR: Mutuelle Nationale des Hospitaliers et des professionnels de la santé et du social (MNH) discloses cyberattack
(translation of statement on their web site):
The MNH has been undergoing a cyber attack since Friday, February 5, 2021. Computer systems have been disconnected for security reasons.
Our websites (mnh.fr, members’ area, corresponding and elected extranets) as well as our telephone platform (3031) are temporarily unavailable. The processing times for your requests are extended.
Please be assured that we are well aware of the inconvenience caused. Our teams are working to restore services as quickly as possible.
We are committed to communicating in complete transparency on the evolution of the situation on our website mnh.fr.
Gérard Vuidepot, Chairman and Médéric Monestier, Chief Executive Officer
LeMagIT adds some speculation as to how the attackers gained a foothold (translation):
The mutual’s email is protected by Proofpoint, which suggests that the attack did not come that way. But data from the specialized search engine Onyphe points to a Citrix / Netscaler Gateway system that was affected by the CVE-2019-19781 vulnerability, known as Shitrix, until January 15, 2020.
Such a vulnerability may have been exploited to establish a bridgehead that was exploited much later. The example of Dassault Falcon Jet tends to illustrate this, at least if we are to believe the assertions of the attackers. Last December, they told us they had exploited a system that was still affected by the Shitrix vulnerability at the end of March 2020. But they reportedly did not take full advantage of it until around June, three months after having established a bridgehead.
LeMagIT also notes that polling firm BVA was hit with ransomware.
Update: BleepingComputer reports that the MNH attack was by the RansomExx threat actor(s).