The post Microsoft Defender Flaw Erased DigiCert Root Certificates and Paralyzed Windows Systems appeared first on Daily CyberSecurity.
Related posts:
New Malware “I2PRAT” Exploits Anonymous I2P Network for Stealthy Command and Control
Node.js Misused in Malvertising Campaigns to Deliver Stealthy Malware
SonicWall Warns: Trojanized NetExtender VPN Client Stealing Credentials in Active Campaign
Microsoft fixed a Defender false positive that flagged legitimate DigiCert certificates as malware, disrupting Windows trust stores for some IT teams.
The post Microsoft Defender Bug Triggers False Malware Alerts for DigiCert Certificates appeared first on TechRepublic.
The ChipSoft ransomware incident has disrupted healthcare operations across multiple institutions after the Dutch software vendor was hit by a cyberattack on April 7. The attack forced hospitals to disconnect critical systems and triggered widespread precautionary actions, highlighting the ongoing risks ransomware poses to the healthcare sector.
Z-CERT confirmed it has been working closely with ChipSoft, healthcare institutions, and other stakeholders since the incident was first detected. Th
The ChipSoft ransomware incident has disrupted healthcare operations across multiple institutions after the Dutch software vendor was hit by a cyberattack on April 7. The attack forced hospitals to disconnect critical systems and triggered widespread precautionary actions, highlighting the ongoing risks ransomware poses to the healthcare sector.
Z-CERT confirmed it has been working closely with ChipSoft, healthcare institutions, and other stakeholders since the incident was first detected. The organization is actively monitoring the situation while providing support and threat intelligence to affected entities.
ChipSoft Ransomware Incident Forces System Shutdowns
In response to the ransomware incident, the company disabled connections to key platforms, including Zorgportaal, HiX Mobile, and the Zorgplatform, as a precaution. These systems remain temporarily unavailable as ChipSoft works to restore services in phases.
Users are being issued new login credentials as part of the recovery process. ChipSoft has maintained direct communication with its customers, outlining steps to manage disruptions while systems are gradually brought back online.
According to reports, 11 hospitals disconnected ChipSoft software from their networks following the attack. A confidential advisory also urged customers to cut secure VPN connections after the compromise was identified.
Hospitals Face Operational Challenges, Not Critical Disruptions
The ChipSoft ransomware incident has led to logistical challenges across healthcare institutions rather than critical failures in patient care. Hospitals have increased staffing at service desks, expanded telephony support, and relied more heavily on direct communication channels.
Systems were reported unavailable at several hospitals, including Sint Jans Gasthuis, Laurentius Hospital, VieCuri Medical Center, and Flevo Hospital.
Despite these disruptions, Z-CERT noted that no critical care processes have come to a standstill so far, suggesting that contingency plans and manual workflows are helping maintain essential medical services.
Investigation Ongoing, Attackers Yet to Be Identified
At this stage, the source of the ChipSoft ransomware incident remains unknown, and no ransomware group has claimed responsibility. ChipSoft’s website was also reported unreachable at the time of writing, indicating ongoing technical or security challenges.
The attack appears to have originated from a compromise within ChipSoft’s environment, prompting widespread defensive actions by its customers to limit further risk.
The impact of the ransomware incident has extended beyond system outages. Leiden University Medical Center (LUMC) announced it has postponed the rollout of a new electronic patient record system supplied by ChipSoft following the breach.
The hospital clarified that there are no indications that patient data has been leaked, reinforcing the current assessment that the incident has not resulted in data exposure.
Healthcare Sector Remains a Prime Target
The ChipSoft ransomware incident highlights the persistent threat facing healthcare organizations. Cybercriminals frequently target hospitals and medical software providers due to the critical nature of their services, where downtime can create pressure to restore systems quickly.
A recent example includes the cyberattack on University of Hawaiʻi Cancer Center, where a ransomware incident impacted research systems and exposed sensitive personal data collected over decades. While clinical operations were not affected, the breach highlighted the long-term risks associated with storing large volumes of historical data.
Z-CERT Continues Support and Monitoring
Z-CERT continues to play a central role in managing the fallout from the ransomware incident. The organization is assisting healthcare institutions with prevention, detection, response, and recovery efforts, while also sharing updated threat intelligence.
As restoration efforts progress, authorities and healthcare providers remain focused on minimizing disruption and ensuring patient care remains uninterrupted.
The ransomware incident serves as another reminder of how cyberattacks on third-party vendors can cascade across critical sectors, reinforcing the need for stronger resilience in healthcare cybersecurity systems.
IntroductionWhen a company that manages data for millions of UK citizens falls victim to ransomware, the whole industry should pay attention to it. On 15 October 2025, the UK Information Commissioner’s Office (ICO) published a detailed 136 page report about the Capita breach. The aim of this blog is to extract actionable cybersecurity lessons from the ICO’s findings as well as open source reports surrounding the breach from a cyber threat intelligence (CTI) analyst’s perspective to help SOC and
When a company that manages data for millions of UK citizens falls victim to ransomware, the whole industry should pay attention to it. On 15 October 2025, the UK Information Commissioner’s Office (ICO) published a detailed 136 page report about the Capita breach.
The aim of this blog is to extract actionable cybersecurity lessons from the ICO’s findings as well as open source reports surrounding the breach from a cyber threat intelligence (CTI) analyst’s perspective to help SOC and CERT teams, and CISOs understand what happened and how to avoid the mistakes made by others.
BLUF Incident Impact Summary:
Capita was attacked by BlackBasta ransomware in March 2023
Over six million individual’s records were exfiltrated from Capita’s systems
A £14 million fine was issued to Capita by the ICO
Capita said in May 2023, the incident cost up to £20 million to recover
Important context about Capita
The Capita Group is a business process outsourcing (BPO) and professional services group employing approximately 34,500 people worldwide and with a reported annual revenue of £2,421.6 million. For readers outside of Great Britain, Capita is best known as the UK’s go-to managed service provider for large-scale, data-sensitive public sector operations.
Companies within the Capita Group act as data processors for a range of business services to both public and private sector organisations. Capita plc is the ultimate parent company of a large corporate group consisting of multiple legal entities.
Capita has long been one of the UK government’s biggest suppliers of outsourced services.
They manage (or have managed):
The BBC TV Licensing system
The UK Congestion Charge for Transport for London (TfL)
The National Pupil Database – via contracts with the Department for Education.
Electronic tagging of offenders – under contracts with the Ministry of Justice.
Council administration and call-centre services – many local authorities (e.g., Birmingham, Southampton, Sheffield)
Numerous Local Government and private sector pension schemes (including universities, utilities, and insurance companies).
Ministry of Defence (MOD) – Training and support contracts for the British Army’s Recruitment Partnership Project (including vetting systems) and Royal Navy training programmes.
The ICO established that during the Incident, data was exfiltrated from two legal entities which were acting as data controllers, and from four legal entities which were acting as data processors:
Capita plc - Capita plc’s focus includes Central Government, Local Public Service, Defence, Education, and Pensions. Capita was selected to administer the UK’s Civil Service Pension Scheme (CSPS) from September 2025, via a contract worth £239m over 10 years.
Capita Resourcing Limited - is a subsidiary of Capita plc focused on resourcing/human-capital services, i.e., recruitment, contingent staffing, talent acquisition.
Capita Business Services Limited - is another subsidiary that provides business-process and digital services (as a part of the Capita outsourcing ecosystem). The supplier record shows over £331.9m recorded government spending linked to this entity.
Capita Pension Solutions Ltd (CPSL) - a regulated pensions business within the Capita Group. Its role: delivering pensions administration and consulting services for pension schemes, including defined benefit schemes.
Breach Timeline
In the ICO’s report, a timeline of events that led to data exfiltration and ransomware deployment was provided. The timeline diagram below helps illustrate what happened.
TheRecord also reported that Capita’s share price dropped more than 12% from a high of £38.64 ($47.97) on March 30, the day before the incident was first reported, to £33.72 ($42.58) on Wednesday morning.
On 3 April 2023, Capita released a public statement about the cyber incident. At the time, Capita said the “issue was limited to parts of the Capita network and there is no evidence of customer, supplier or colleague data having been compromised.”
On 8 April 2023, Brett Callow spotted that Capita had been listed on BlackBasta’s Tor data leak site before it was quickly removed that same day.
Security researcher Kevin Beaumont who analysed the leaked data samples at the time identified copies of stolen passport scans, PII records, bank account details, internal floor plans of multiple buildings from various schools as well as Capita Nuclear, part of Capita Business Services.
It took Capita until 20 April 2023 to confirm that some of its systems were in fact breached and that data had been stolen.
Types of Stolen Data
In the ICO’s report, we learn that 6,024,221 data subjects for whom Capita was the data processor had personal data exfiltrated, as determined by Capita’s forensic provider.
Types of data stolen included sensitive such as Home Address, Email, Phone Number, National Insurance Numbers, Driver’s License Scans, Passport Scans, Bank Account Numbers & Sort Codes, Credit Card Numbers, Biometrics, Criminal Record Checks, and Employee Login details.
BlackBasta Operator TTPs
The tactics, techniques, and procedures (TTPs) of the BlackBasta operators provided in the breach timeline by the ICO are useful for understanding what technical steps were involved that led to the breach and ransomware attack. A summary of the aspects of the attack have been mapped to a diamond model diagram below.
Outside of the breach timeline, some additional technical details were shared:
Following initial access, the Threat Actor accessed the ‘CAPITA\backupadmin’ service account approximately 4.5 hours later. Capita could not confirm how the Threat Actor was able to escalate their privileges; however, there were traces of Kerberos credential harvesting and reconnaissance activity found following the Incident.
The Threat Actor was able to use the ‘CAPITA\backupadmin’ domain administrator account to pivot to administrator accounts in different Capita domains. In total no fewer than 8 domains were compromised, a very large quantity of data was exfiltrated and the Threat Actor attempted to deploy ransomware on at least 1057 hosts.
Even though Capita quarantined the device through which the Threat Actor first gained access on 24 March 2023, by this time the Threat Actor had deployed software into the network which had enabled them to establish persistence and ultimately allowed them to continue moving laterally across the network into different Capita domains and to access/exfiltrate data, before deploying ransomware on 31 March 2023.
Interestingly, in February 2025 internal chat logs from the BlackBasta gang were leaked publicly online. Analysis of the leaked chat logs for references of Capita revealed the below command shared by one of the BlackBasta members months after the attack happened:
The domain "corpcitrix.ad.capita.co.uk" appears to be an internal Active Directory domain name used by Capita to host its corporate Citrix environment. The "ad" label shows it’s an AD DNS namespace, "corpcitrix" indicates the environment is for Citrix-published desktops/apps or related infrastructure, and "capita.co.uk" is the organisation’s FQDN.
The command shown above is a PowerShell invocation (potentially via Cobalt Strike) to enumerate every system in the domain, resolve each machine’s IP address, and save the results to “SFS_pc.txt” file. Powerpick runs the code in an unmanaged PowerShell environment and can execute without being dependent on powershell.exe.
In short, this command shows a BlackBasta operator running net reconnaissance mapping hosts and IPs (likely to plan lateral movement, targeting, exfiltration or ransomware deployment).
Notable moments during the Incident
Critical alerts were mishandled or deprioritised: The initial malicious file (‘jdmb.js’) triggered a P2 (High) alert at 08:00 on 22 March 2023, indicating compromise. The SOC did not act for nearly 58 hours, despite automatic escalation warnings for missed service-level agreements (SLAs). The ICO also noted that “at no point in the six months before or after the Incident did Capita meet their SLA for any alert level.”
Excessive delay between detection and containment, plus a lack of automation: Isolation of the device from the rest of the Capita network still required human intervention, which took 58 hours to arrive. Capita’s SOC lacked the ability to isolate the device automatically. By then, the attacker had already gained domain admin access and moved laterally.
Inadequate incident response procedures: Capita did not invoke its Major Incident Management process until 09:22 on 29 March 2023, which was seven days after compromise. By that point, data exfiltration was already underway and it was two days before ransomware was deployed on 31 March 2023.
Understaffed and overburdened SOC team: Capita is understood to have had 1 SOC analyst per shift in place at the time of the Incident in March 2023. This combined with historic underperformance indicates systemic issues within the SOC, including inadequate staffing, insufficient training, and/or inefficient processes.
Lessons Learned from the BlackBasta Ransomware Attack on Capita
Having tools isn’t enough, they must be configured, integrated, and monitored effectively
Capita had Trellix EDR, a SIEM, and a SOC, but alerts were missed and containment delayed.
Lessons: Security tools are only as effective as the people, processes, and automation supporting them. Critical security alerts must have clear, measurable response times with automatic escalation if breached. Security Leadership must define and enforce strong Service Level Agreements (SLAs) for incident response.
Implement proper Active Directory (AD) tiering
Lack of AD tiering allowed attackers to move laterally from low-privilege systems to domain controllers (specifically a backup service account with domain admin privileges).
Lessons: Segregate admin privileges between tiers (workstations, servers, domain controllers) to contain breaches. Limit, rotate, and monitor privileged accounts using a PAM solution to enforce least privilege. Regularly review service accounts, ensure unique credentials, and monitor their activity for anomalies.
Act on penetration test findings promptly
Multiple pentests also warned of AD and privilege issues months before the breach, but fixes were delayed.
Lesson: Treat pentest reports as actionable tasks with deadlines and executive oversight.
Automate incident response where possible (SOAR)
Lack of Security Orchestration, Automation and Response (SOAR) led to manual triage delays.
Lesson: Use SOAR playbooks to automate containment, escalation, and alert enrichment for faster response.
Entrar