{
	"id": "7a9c51ec-d01b-4d66-bace-cd50211ab107",
	"created_at": "2026-05-01T03:09:20.791524Z",
	"updated_at": "2026-05-01T03:10:50.726027Z",
	"deleted_at": null,
	"sha1_hash": "934f6c9cf58d24192e7ab87ffe5723af1cb678aa",
	"title": "Cybersecurity News: INC targets healthcare, Providence schools cyberattack, Apple iPads bricked",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 134427,
	"plain_text": "Cybersecurity News: INC targets healthcare, Providence schools\r\ncyberattack, Apple iPads bricked\r\nBy Steve Prentice\r\nPublished: 2024-09-20 · Archived: 2026-05-01 02:15:39 UTC\r\nIn today’s cybersecurity news…\r\nNew INC ransomware targets U.S. healthcare sector\r\nA warning from Microsoft about a financially motivated threat actor who is using INC ransomware against the\r\nU.S. health sector for the first time. The group has been given the name Vanilla Tempest. In a series of posts on X,\r\nMicrosoft describes its campaign as “receiving hand-offs from GootLoader infections by the threat actor Storm-0494, before deploying tools like the Supper backdoor, the legitimate AnyDesk remote monitoring and\r\nmanagement (RMM) tool, and the MEGA data synchronization tool.” Following this, “the attackers proceed to\r\ncarry out lateral movement through Remote Desktop Protocol (RDP) and then use the Windows Management\r\nInstrumentation (WMI) Provider Host to deploy the INC ransomware payload.”\r\n(The Hacker News)\r\nhttps://cisoseries.com/cybersecurity-news-inc-targets-healthcare-providence-schools-cyberattack-apple-ipads-bricked/\r\nPage 1 of 4\n\nProvidence public schools deal with “irregular” internet activity\r\nThe Providence Public School District (PPSD) is working to handle issues caused by the shutdown of their\r\nnetwork following an incident that occurred on September 11. The district serves more than 20,000 students\r\nacross 37 schools. The PPSD is not saying if this was a ransomware attack or a cyberattack, but Rhode Island\r\nState Police and the Department of Homeland Security have been called in. The Medusa ransomware gang has\r\nclaimed responsibility – this is the same group who last year attacked the Minneapolis Public School system and\r\nleaked student data. 
Classes remain open at PPSD schools.\r\n(The Record)\r\nApple pulls iPadOS 18 update that was bricking M4 iPad Pro devices\r\nFollowing complaints from some users about their devices turning into bricks without even the ability to be turned\r\nback on, Apple has paused the rollout of iPadOS 18 on iPad Pro tablets with the M4 chip. Regular recovery\r\nmethods such as a force restart or recovery mode are not working, requiring owners to visit their local Apple store\r\nfor evaluation. Apple says the problem appears to impact only a small number of devices, but did not provide\r\nactual numbers, nor any information on what the problem might be.\r\n(BleepingComputer)\r\nGitHub Scanner campaign pushes malware\r\nA new and creative campaign is using GitHub repositories to send malware to users who visit an open source\r\nproject repository or who are subscribed to email notifications from it. The threat actor opens a new issue on an\r\nopen source repository claiming that there is a security vulnerability. The message then asks other users to visit a\r\ncounterfeit GitHub Scanner domain, which, of course, tricks them into installing Windows malware. Users and\r\ncontributors to these repositories receive email alerts from legitimate GitHub servers each time a threat actor files\r\na new issue on a repository, which makes the campaign and its sense of urgency more convincing.\r\n(BleepingComputer)\r\nThanks to today’s episode sponsor, Conveyor\r\nIt’s Friday and Conveyor hopes you don’t have a meaty security questionnaire waiting for you on\r\nthe other side of this podcast. 
If you do, you should check them out.\r\nAs the market-leader in instant, generative AI answers to entire security questionnaires, Conveyor\r\nhelps you complete questionnaires fast, no matter the format they’re in, so you don’t feel like you’re\r\ngetting crushed by the wave of unfinished work.\r\nLearn why we’re the software your infosec friends love at www.conveyor.com\r\nHadooken malware strikes Oracle servers\r\nAccording to researchers from Aqua Security Nautilus, Hadooken is a Linux malware that targets Oracle\r\nWebLogic servers and has been linked to several ransomware families. Upon execution, the malware drops a\r\nTsunami malware and deploys a cryptominer. Its target, the Oracle WebLogic Server, is “an enterprise-level Java\r\nEE application server developed by Oracle, designed for building, deploying, and managing large-scale,\r\ndistributed applications.” The researchers suggest that the threat actors behind this campaign are targeting\r\nWindows endpoints for ransomware attacks, and Linux servers to deploy backdoors and cryptominers.\r\n(Security Affairs)\r\nCredential Flusher steals login credentials directly from browser\r\nResearchers at OALABS describe this new technique as using an AutoIt script to “force users to enter their\r\ncredentials in a browser operating in kiosk mode. This mode limits the user’s ability to close the browser or access\r\nother applications, making it easier for hackers to obtain the desired information.” The script does not steal the\r\ncredentials but works with other stealer malware to do so. The attackers are taking advantage of the service\r\nprovided by browsers to save users’ passwords securely. 
The researchers state that standard security hygiene such\r\nas updated software, 2FA and avoiding re-use of passwords will help protect against this new technique.\r\n(Security Affairs)\r\nUK Pegasus spyware victims ask police to charge NSO Group\r\nFour UK-based human rights advocates who are also critics of Middle Eastern states have requested that London’s\r\nMetropolitan Police lay charges against NSO Group, the manufacturer of Pegasus spyware. The complainants\r\nstate that their communications were spied on and they accuse NSO and its associates of being behind alleged\r\nspyware infections dating back to 2018. They say also that “the use of Pegasus against targets inside the UK has\r\nthreatened the country’s sovereignty and security,” and point out that the UK government has not taken any legal\r\naction to date against the spyware maker.\r\n(The Register)\r\nKnowledge bases at risk due to ServiceNow misconfigurations\r\nAccording to researchers Aaron Costello of AppOmni and Dan Meged of Adaptive Shield, thousands of\r\ncompanies are “potentially leaking secrets from their internal knowledge base (KB) articles via ServiceNow\r\nmisconfigurations.” The researchers, working separately and publishing separate reports, suggested that “pages set\r\nto ‘private’ could still be read by tinkering with a ServiceNow customer’s KB widgets.” This applies to cases\r\nwhere an organization’s KB is set to ‘public,’ but the pages inside it are set to ‘private.’ Meged estimates 30\r\npercent of ServiceNow customers have this faulty configuration and could be “unwittingly exposing secrets held\r\nin their KB, such as first-time-access passwords for new starters connecting to a company VPN.”\r\n(The Register)\r\nSource: 
https://cisoseries.com/cybersecurity-news-inc-targets-healthcare-providence-schools-cyberattack-apple-ipads-bricked/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cisoseries.com/cybersecurity-news-inc-targets-healthcare-providence-schools-cyberattack-apple-ipads-bricked/"
	],
	"report_names": [
		"cybersecurity-news-inc-targets-healthcare-providence-schools-cyberattack-apple-ipads-bricked"
	],
	"threat_actors": [],
	"ts_created_at": 1777604960,
	"ts_updated_at": 1777605050,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/934f6c9cf58d24192e7ab87ffe5723af1cb678aa.pdf",
		"text": "https://archive.orkl.eu/934f6c9cf58d24192e7ab87ffe5723af1cb678aa.txt",
		"img": "https://archive.orkl.eu/934f6c9cf58d24192e7ab87ffe5723af1cb678aa.jpg"
	}
}