At a glance.
- Report: physicians' database breached.
- San Francisco International Airport hack attributed to Energetic Bear.
- Power utility sustains RagnarLocker ransomware attack.
- Nemty gang says it's going out of business next week.
- Patient data at risk during COVID-19 pandemic.
- Zoom's privacy issues continue.
Physicians' database breached?
HackRead reports that a database belonging to Millennium Technology Solutions, qa.findadoctor.com, has appeared for sale on the dark web. The service that was breached enables patients to find doctors and consult with them online. HackRead says that the data touch some 1.4 million US doctors. The information for sale does not include email addresses, normally a valuable commodity to criminals, but it does contain "full names, genders, name of the hospital – organization where they work, their location, mailing address, practice address, country, phone numbers, license number, and much more." It won't be much use for phishing, at least not immediately, but smishing would be much easier.
SFO hack attributed to Energetic Bear (that is, Russian military intelligence).
There's now an attribution of the attack on two networks at San Francisco International Airport, ZDNet reports. On the basis of the tactics, techniques, and procedures it observed, security company ESET attributes the attack to Energetic Bear, generally regarded as a threat group operating on behalf of Russia's GRU. Energetic Bear is also known as "Dragonfly." The attackers were not so much after the airport's networks themselves as they were the credentials of those who used the networks. Specifically, as ESET puts it, "the intent was to collect Windows credentials (username/NTLM hash) of visitors." As is usually the case, attribution here is circumstantial.
Power utility sustains a RagnarLocker ransomware attack.
Recharge News reports that Portugal-based international power producer EDP has suffered a ransomware attack. According to BleepingComputer, the strain involved in the attack was RagnarLocker, and the attackers have demanded 1580 Bitcoin in ransom, the equivalent of $10.9 million or €9.9 million, to restore EDP's files. As is now customary, the ransomware operators say they've taken some 10 terabytes of company information, which they threaten to release if the victim is slow to pay. EDP is a major player in Europe's gas and electric sector, and the world's fourth-largest wind power producer. The attackers say the data are "private," but it's unknown so far whether they contain personal information, company proprietary business information, intellectual property, or all three.
Nemty ransomware gang announces that it's going out of business.
ZDNet reports that the Nemty ransomware gang says it's ceasing operations, probably next week, when it will close its infrastructure. Unlike some other retirement announcements that turned out to be little more than rebrandings, this seems to be a genuine business failure. Nemty is a ransomware-as-a-service operation, and it simply couldn't compete with its rivals. The gang was only able to follow through once on a doxing threat, and security companies were able to field free decryptors relatively quickly.
Cyberattacks on medical facilities surge; patient data at greater risk.
The Washington Post and others report that there's been no respite in attacks, particularly ransomware attacks, against organizations engaged in developing or administering treatment for COVID-19. This isn't because healthcare and research organizations are especially poorly prepared to defend themselves. Rather, it's because the data they hold are urgently needed, and therefore unusually valuable. Health IT Security sees smaller hospitals and care facilities as particularly attractive targets: the criminals perceive them as likely to pay the ransom rather than risk an interruption of care. The data such facilities hold are also highly sensitive from the point of view of individual privacy.
Zoom continues to face privacy issues.
Reuters reports that London-based Standard Chartered is the first major global bank to tell its employees to stop using Zoom because of concerns about the platform's security. The bank declined to elaborate, but the memo Reuters saw also indicated that employees should shun Google Hangouts. Standard Chartered says its employees have other, more secure means available to conduct business.
As concerns have grown over the teleconferencing service's security (summarized by OneZero), Zoom has begun to issue weekly security updates. iMore reports that the latest of these, out yesterday, enhances the password options available to users and session organizers.
One of the widely reported security problems that have troubled Zoom as the teleconferencing platform's usage suddenly expanded has been the availability of login credentials on various black markets. This data exposure, as Fast Company points out, isn't due to a breach at Zoom itself. Instead, it's the result of credential stuffing, in which attackers try credentials culled from other incidents to see whether users have casually reused them for other sites or services. All too often the users have done exactly that.
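The credential-stuffing pattern described above has a recognizable signature in a service's own authentication logs: one source tries many distinct usernames, each only once or twice, with a low success rate, whereas a legitimate user who has forgotten a password retries a single username. The following is an added example (not code from the article, from Zoom, or from any company it mentions) that scores login attempts per source address and lists the accounts that did succeed from a flagged source, which are the ones a defender would force through a password reset. The log format, the thresholds, and the sample lines are all constructed for the demo.

```python
"""Credential-stuffing detection over authentication logs (added example).

Assumed (hypothetical) log format, one attempt per line:
    <ISO timestamp> <source IP> <username> <SUCCESS|FAIL>
The thresholds are illustrative starting points, not vendor defaults.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines for the demo (not real data).
# 203.0.113.7 sprays six different usernames and lands one account.
# 198.51.100.9 is one user mistyping her password and finally getting in.
# 192.0.2.5 is a single normal login.
SAMPLE_LOG = """\
2020-04-14T09:00:01Z 203.0.113.7 alice FAIL
2020-04-14T09:00:02Z 203.0.113.7 bob FAIL
2020-04-14T09:00:03Z 203.0.113.7 carol FAIL
2020-04-14T09:00:04Z 203.0.113.7 dave FAIL
2020-04-14T09:00:05Z 203.0.113.7 erin FAIL
2020-04-14T09:00:06Z 203.0.113.7 frank SUCCESS
2020-04-14T09:01:10Z 198.51.100.9 grace FAIL
2020-04-14T09:01:20Z 198.51.100.9 grace FAIL
2020-04-14T09:01:31Z 198.51.100.9 grace FAIL
2020-04-14T09:01:45Z 198.51.100.9 grace FAIL
2020-04-14T09:02:02Z 198.51.100.9 grace SUCCESS
2020-04-14T09:03:00Z 192.0.2.5 heidi SUCCESS
this line is malformed and must be skipped
"""


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated while reading the log."""
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)
    successes: list = field(default_factory=list)  # usernames that logged in


def parse_line(line):
    """Return (timestamp, ip, user, outcome) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4 or parts[3] not in ("SUCCESS", "FAIL"):
        return None
    return tuple(parts)


def detect_stuffing(log_text, min_attempts=5, min_distinct_users=4,
                    max_success_rate=0.25):
    """Flag source IPs whose attempts look like credential stuffing.

    A source is flagged when it made at least `min_attempts` attempts against
    at least `min_distinct_users` different usernames and its success rate is
    at most `max_success_rate`. Returns {ip: summary dict}.
    """
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed input rather than crashing the pipeline
        _ts, ip, user, outcome = rec
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if outcome == "FAIL":
            s.failures += 1
        else:
            s.successes.append(user)

    flagged = {}
    for ip, s in stats.items():
        success_rate = (s.attempts - s.failures) / s.attempts
        if (s.attempts >= min_attempts
                and len(s.usernames) >= min_distinct_users
                and success_rate <= max_success_rate):
            flagged[ip] = {
                "attempts": s.attempts,
                "distinct_users": len(s.usernames),
                "success_rate": round(success_rate, 3),
                # Accounts reached from a stuffing source: reset and notify.
                "compromised_accounts": sorted(s.successes),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

The distinct-username count is what separates stuffing from an ordinary forgotten password, so tune `min_distinct_users` to the service's traffic rather than relying on the failure count alone; attackers who spread attempts across many addresses will also need the same logic applied per username across sources, which this example does not do.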