At a glance.
- Updates on US hospital data breaches.
- Bogus Subway order confirmations place data at risk.
- Controversy over the Baltimore County Public Schools ransomware incident.
Updates on US hospital data breaches.
Monroe Surgical Hospital in the US state of Louisiana was the victim of a data breach that impacted patient data, reports the Ouachita Citizen. Attackers hijacked the user account of an employee of Technology Management Resources Inc., the third-party company the hospital uses to process payments, potentially accessing images of checks containing the personal data of Monroe patients. The hospital’s systems were unaffected, and impacted patients are being notified.
Meanwhile, Security Week reports that University of Vermont Medical Center is still recovering from the cyberattack it experienced in October and the repercussions of the incident are costing the hospital a whopping $1.5 million per day. Investigators are working to determine the source of the attack that impacted all five thousand of the center’s computers, and hospital CEO Dr. Stephen Leffler says they are about 70% of the way to full recovery.
Bogus Subway order confirmation serves TrickBot (and that's a lot of work for a sandwich, even a hero).
Customers of Subway sandwich restaurants in the UK and Ireland have been receiving phishing emails, reports Naked Security. The scam begins with a fake order confirmation email that addresses the user by name and contains a link to a fraudulent FreshBooks webpage. From there, the user is prompted to download an XLS spreadsheet embedded with macros that, when run, will install TrickBot malware on the user’s computer. The scam is not exactly convincing, as the user is required to follow a series of steps far too complicated for any ordinary sandwich order. The larger concern is where the threat actors obtained the list of customer names and email addresses. Subway stated it is investigating a “disruption to their email systems” but has not confirmed that there was a data breach, Bleeping Computer reports. Customers have been advised to ignore and delete the emails.
If successful, the Subway order-confirmation scam is stealing credentials from browsers; it's also compromising Active Directory data and serving as a point of entry for ransomware. Colin Bastable, CEO of Lucy Security, wrote in an email:
"This is an elaborate attack. People in the UK are going to get more than their lunchtime 'sarnie' delivered. It's another reminder that security awareness training, with macro downloads and ransomware simulations, can considerably reduce the risk of social engineering attacks. To stay one step ahead, security teams should also look to war-game ransomware attacks, i.e., test what happens if an employee falls for an attack like the Subway one. By running 'what-if' scenarios, where companies simulate the hundreds of tools employed by hackers, security teams can discover exactly what happens if an employee executes a malicious file, and proactively address system vulnerabilities in their network infrastructure before a real malware attack occurs."
(A linguistic note: apparently "sarnie" is British slang for what Americans variously call a "hoagie," a "grinder," a "sub," or a "hero." That's what Lucy Security tells us, anyway.) That’s a lot of work for a sandwich.
Baltimore County Public Schools and county officials at odds following attack.
As the CyberWire reported last month, Baltimore County Public Schools (BCPS), located in the suburbs outside of Baltimore city in the US state of Maryland, suffered a ransomware attack that disrupted online learning and possibly compromised school data. As the investigation into the attack continues, the Baltimore Sun reports, Baltimore County Executive Johnny Olszewski Jr. sent a letter to BCPS superintendent Darryl Williams asserting that the district is not being transparent about the attack, withholding information from county officials and denying police access to the consultants hired to assist the investigation. Furthermore, Olszewski claims that BCPS did not consult with the police before deciding to contact the attackers, and “it is unclear whether BCPS knows the identity of the hackers or the amount of ransom requested.” As a result, he stated, the county will be withdrawing the aid it has provided thus far. WBAL reports that Williams denies Olszewski’s claims, stating that the district has provided the county with requested information whenever possible, and has expressed his disappointment at the prospect of losing the county’s assistance.