At a glance.
- University of New Mexico Health breach update.
- Utility customers' data in West Virginia city affected by ransomware.
- REvil rising?
- Update on the Howard University ransomware incident.
Update on UNM Health breach.
As we noted last month, UNM Health, one of the largest healthcare systems in the US state of New Mexico, suffered a cyberattack that potentially exposed the data of over 600,000 patients. Protected health information, including patient names, health insurance details, and clinical information, was among the data exposed. Though the incident was discovered in June, it’s unclear why a public notice wasn’t released until just last month. Impacted individuals are currently being contacted. The healthcare system told KOB4: 'UNM Health is notifying all affected patients. Patients with questions are encouraged to contact the dedicated, toll-free call center...for more information.'
West Virginia utilities customers exposed.
The City of Bridgeport, located in the US state of West Virginia, has experienced a ransomware attack exposing the data of residents seeking to activate their city-provided utilities. The potentially compromised info includes social security numbers and driver’s license details, though it’s unclear if the intruders actually accessed the data. The City has begun sending impacted individuals a five-page letter and reference guide. City Manager Randy Wetmore told WBOY, “We have begun implementing additional cybersecurity protection procedures and continue to evaluate additional actions to further strengthen our security posture.”
Is REvil back?
After nearly two months of silence, the servers of the infamous REvil ransomware gang have mysteriously sprung back to life. As Bleeping Computer recounts, the Russia-based threat group’s infrastructure went dark just after REvil exploited a vulnerability in Kaseya’s VSA remote management software in order to extort the company’s clients. When US officials threatened to take the matter into their own hands if Russia did not respond, REvil’s servers abruptly shut down, leaving many of the victims in the lurch with no way to negotiate a ransom. (Oddly, Kaseya later received a decryption key from a “trusted third party,” which many believe might have been Russian intelligence.) Now, REvil’s Tor negotiation and data leak sites have suddenly reawakened. While this could mean the gang is reopening shop, there are other, potentially less threatening, explanations for the supposed resurrection. It’s possible that authorities have taken over the servers to gather intel, or that competing cybercriminals are picking through REvil’s rubbish. Perhaps the simplest explanation is that the flicker of life is no more than a glitch. Only time will tell.
James McQuiggan, security awareness advocate at KnowBe4, commented:
“Cyber criminals, like regular criminals, are constantly moving, covering their tracks, and rarely return to the exact location in fear of being caught. Within the internet and dark web, it is observed that cyber criminal groups will operate for a while and then separate, forming into other groups.
"With this recent activity, it is most likely possible that they are collecting files, data, zero-days or other malware to use in their next group. The other hypothesis is law enforcement has gained access to forensically analyze the data.
"Either way, REvil is possibly out of commission; but like the ancient Greek story of the hydra, cut off one head, and three more grow in its place. The same could be occurring with this activity.”
Steve Moore, chief security strategist, Exabeam, also noted the futility of insisting on rigorous individuation of cyber gangs:
“REvil is already very likely a reincarnation of a previous group. After all, adversaries' talent and confidence is stronger after prior successes. I encourage organizations to think about this two-fold.
"First, they undoubtedly have their next software supply chain compromised. The technique began in espionage and has now been borrowed for criminal activity; this campaign hasn't started yet – but will very soon.
"On the other hand, defenders should focus more on the missed intrusion and poor recovery options and less on ransomware. Ransomware is the product of being unable to detect and disrupt the cycle of compromise – period.
"Directly, REvil took time to refit, retool, and take a bit of a holiday over the summer. The fact their sites are back online means they are, again, ready for business and have targets in mind.”
Comment on the France-Visas data exposure incident.
Schengenvisainfo News adds to earlier reports on a breach at France-Visas. It appears that around nine thousand applicants for a French visa have had their data placed at risk by a cyberattack against the official application site.
Trevor J. Morgan, product manager with comforte AG, sees no reason why governmental organizations should be expected to be immune to the sorts of attacks that bedevil the private sector:
“This news is ironic but not surprising. We all have to realize that not only are enterprises being targeted but also governmental organizations and their third-party partners and vendors who collect and process highly sensitive PII.
"Nobody and no organization is safe, especially if the defensive strategy is to rely on traditional perimeter-based security models which isolate sensitive data but only protect the borders. Data-centric security, which protects the data itself, is a much better and safer option that can augment more traditional protection methods, because it focuses on protecting data elements themselves using techniques such as tokenization or format-preserving encryption. In these methods, innocuous representational data replaces sensitive data elements, so the actual information is incomprehensible and ultimately free from being leveraged by threat actors for their own gain.
"This incident purportedly isn’t far-reaching and doesn’t involve highly sensitive information. However, the next one might, either for this victim or even your own organization. Head off potentially catastrophic repercussions by augmenting your defensive posture with data-centric security. It’s a passport for your journey to a more secure data environment.”
Updates and comment on the Howard University ransomware breach.
The ransomware attack Howard University detected at the end of last week is still under investigation and in the process of resolution. As the university posted yesterday:
“The situation is still being investigated. ETS and its partners” (ETS is the university’s IT department, Enterprise Technology Services) “have been working diligently to fully address this incident and restore operations as quickly as possible. We are currently working with leading external forensic experts and law enforcement to fully investigate the incident and the impact. To date, there has been no evidence of personal information being accessed or exfiltrated; however, our investigation remains ongoing, and we continue to work toward clarifying the facts surrounding what happened and what information has been accessed.”
Courses remain suspended today, with physical access to campus restricted to essential personnel only. The university is working on setting up an alternative Wi-Fi system, but that’s not expected to be ready today.
Lisa Plaggemier, Interim Executive Director at the National Cyber Security Alliance (NCSA), wrote to comment on universities' particular vulnerability to ransomware:
"Universities are attractive targets for a couple of reasons. Firstly, they offer huge name recognition – especially those as high-profile as Howard University – which is a primary factor in the decision-making process for bad actors, as hackers are known for trying to take down the biggest fish they possibly can. Additionally, universities also are a treasure trove of sensitive information. For example, according to U.S. News and World Report, Howard University has a current undergraduate enrollment in excess of 6,000 students – not to mention graduate students, faculty, staff and previous students. These kinds of 'bulk' targets are massively attractive for hackers as they look to gain the most information possible."
We asked her whether universities were deep-pocketed enough to make them attractive extortion targets. Her answer is that it's complicated, and depends on the institution's circumstances:
"Each university and college is different, however, there is precedent of higher education institutions – such as the UC San Francisco case in 2020 – paying ransoms to hackers. Additionally, we have seen instances over the last few years of ransoms being 'negotiable' which makes it increasingly challenging for organizations in general to take a hardline approach when it comes to whether they are going to pay ransoms or not given. Furthermore, many universities and colleges may just simply not have the resources or time to rebuild an entirely new infrastructure from scratch meaning that they are more likely to pay ransoms."
Nigel Thorpe, Technical Director at SecureAge, addressed some of the same questions. "Universities are particularly vulnerable to ransomware due to the diverse population that uses their networks," he said. "While commercial and other public sector organizations have some control over the machines which attach to their networks, universities have a wide range of student devices attached. The university often has no strong control over the devices attached by students and the IT security software installed on them. In addition, the diverse student population has little IT security experience and can easily fall into the traps set by cybercriminals."
And as far as their attractiveness to criminals, he said that the barriers to entry in ransomware are now low enough that even a modest return may be worth the hoods' while:
"At the same time, ransomware-as-a-service is easy to obtain, encouraging wide malware deployment. The cybercriminal can accept lower returns from universities since the cost to the criminal is low, together with the chance of getting caught. Multiple ransom returns of tens of thousands of dollars is easy money. The ‘big fish’ commercial organizations may deliver higher ransom returns but they are correspondingly more difficult to attack."
Thorpe had some advice for universities who'd like to harden themselves against this threat:
"Stolen sensitive data remains a problem - one that can be resolved by ensuring that all data is encrypted. In addition, protecting university-owned systems with software that blocks all unknown apps would at least ensure that the core university network systems remain protected, limiting the time to recovery to resolving problems with student devices."
Finally, Chuck Everette, Director of Cybersecurity Advocacy at Deep Instinct, emphasized the criminals' opportunism:
“It’s no surprise that cyber-criminals will use anything to their advantage, including attacking with devastating results over holiday downtime. As we come out of the US Labor Day holiday weekend, the reports of ransomware attacks are starting to come in. The attack on Howard University is just the latest attack on education this year. This year alone, there have been 29 reported major attacks against the educational sector, a sharp increase over 2020 when 32 were reported for the whole year - with 35 percent of the victims that had reported encrypted data from a ransomware attack giving in to the demands and paying the ransom. This makes for a very lucrative target for these cyber-criminal gangs.
"Educational targets can be lucrative for cyber-criminals due to the double extortion tactics they are now employing; not only are they encrypting and disabling the environments of the victim and then demanding a ransom to restore it, they are now extracting data from the victims' environment and then demanding additional ransom to not publicly release the information. As we know, the educational sector collects a tremendous amount of data on its students and faculty. This information contains not only personally identifiable information (PII) but also financial and medical records.
"One key piece of information we need to keep in mind is that there has been a sharp uptick in criminal activity and ransomware attacks over US holiday breaks. With that in mind, we need to be mindful of the upcoming Thanksgiving and Christmas holidays. Based on past experiences, we can safely say we are going to see a lot more attacks during this time, and IT and security professionals will need to be even more vigilant over holiday breaks than in the past. We cannot let our guard down. Organizations need to prepare and perform a thorough review of their security stacks and defenses. I also encourage IT and security professionals to step back and adopt a prevention-first strategy. Prevent these attacks from penetrating your environments; we cannot allow these cyber-criminals free access to critical infrastructure. Deny them access to your environments before they deny you access to your own data and systems.”