At a glance.
- Argentina's big data breach.
- Data breach at University Medical Center, Newark.
- Hospital breach lawsuit.
- What happened to REvil, this time around?
- More comment on Sinclair Broadcast Group's ransomware incident.
Argentina ID system breach exposes data of millions.
Argentina’s national ID card system was reportedly breached by a hacker who is now selling access to his bounty -- ID details for the entire population -- on the dark web. News of the leak first surfaced last month when a Twitter user posted the ID photos of several dozen celebrities, then published a post on a hacking forum boasting he could supply the personal details of any Argentinian requested. After investigating the incident, the Ministry of Interior’s security team found a Ministry of Health VPN account had accessed the Registro Nacional de las Personas (RENAPER) for specific photos at the very same time they were posted on Twitter. The authorities concluded that a breach had not occurred and began investigating eight government workers in connection to the leak. However, the Record by Recorded Future spoke with the hacker peddling the data, who provided evidence he is indeed in possession of a copy of the entire RENAPER database. He also says he plans to continue selling the data, adding “Maybe in a few days I’m going to publish [the data of] 1 million or 2 million people.”
Saryu Nayyar, CEO of Gurucul, commented on some of the early reports of this breach:
"There is a credible report that an attacker has breached the Argentinian national database and obtained information on all citizens of that country. The data includes names, home addresses, birth dates, gender info, ID card issuance and expiration dates, labor identification codes, Trámite numbers, citizen numbers, and government photo IDs. This data is currently either being sold off to interested buyers, or held for ransom to the Argentinian government.
"The attacker apparently got access to the data through a VPN using a legitimate user account, through what the attacker claimed was “employee carelessness.” This is an extreme example of an insider threat in that while the attacker probably isn’t an employee, an insider was the source of the breach.
"This demonstrates the need for all organizations to use analytics and machine learning to look for and flag unusual activities on the network. It’s highly unlikely that a legitimate employee would have a need to download all records. A good analytics solution would have made use of real-time data to quickly identify that anomaly, making it possible to remediate before the download was complete."
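The two detection signals the RENAPER story turns on, a single VPN account retrieving far more records than any legitimate user would, and individual record lookups that coincide with the moment those records appeared in public, can both be checked against an audit log. The following Python script is an added illustration, not code from the article or from any vendor quoted in it; the log format, account names, record identifiers, timestamps, the 50-lookups-per-hour threshold and the 10-minute correlation window are all constructed assumptions for the example.

```python
"""Added example: review constructed record-access logs for (1) bulk retrieval by one
account and (2) lookups that line up in time with records later seen in public.
Every log line, account, record id and timestamp here is constructed for illustration."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
import re

# Assumed audit-log line shape: "<ISO-8601 UTC> account=<name> action=<verb> record=<id>".
LOG_RE = re.compile(r"^(\S+) account=(\S+) action=(\w+) record=(\S+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed "leak" observations: (record id, time it was seen posted publicly).
LEAKS = [
    ("ID-100042", datetime(2021, 10, 9, 14, 5, tzinfo=timezone.utc)),   # posted minutes after lookup
    ("ID-200003", datetime(2021, 10, 9, 16, 0, tzinfo=timezone.utc)),   # posted hours after lookup
]


def build_sample_log():
    """Construct an audit log: one clerk doing routine lookups every ten minutes,
    and one VPN account pulling 600 records inside a single hour."""
    base = datetime(2021, 10, 9, 14, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(6):
        ts = base + timedelta(minutes=10 * i)
        lines.append(f"{ts.strftime(TS_FMT)} account=clerk-042 action=lookup record=ID-2000{i:02d}")
    for i in range(600):  # one record every six seconds: a scripted bulk pull
        ts = base + timedelta(seconds=6 * i)
        lines.append(f"{ts.strftime(TS_FMT)} account=health-vpn-017 action=lookup record=ID-{100000 + i}")
    return lines


def parse_log(lines):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), TS_FMT).replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "account": m.group(2), "action": m.group(3), "record": m.group(4)})
    return events


def flag_bulk_accounts(events, max_per_hour):
    """Return {account: peak hourly lookups} for accounts exceeding max_per_hour in any hour."""
    per_hour = Counter()
    for e in events:
        if e["action"] == "lookup":
            hour = e["ts"].replace(minute=0, second=0, microsecond=0)
            per_hour[(e["account"], hour)] += 1
    flagged = {}
    for (account, _hour), n in per_hour.items():
        if n > max_per_hour:
            flagged[account] = max(flagged.get(account, 0), n)
    return flagged


def correlate_leaks(events, leaks, window_seconds):
    """Return (record, account, access time) for each lookup of a leaked record that
    happened within window_seconds before the record was seen publicly."""
    by_record = defaultdict(list)
    for e in events:
        by_record[e["record"]].append(e)
    window = timedelta(seconds=window_seconds)
    hits = []
    for record, leaked_at in leaks:
        for e in by_record.get(record, []):
            if timedelta(0) <= leaked_at - e["ts"] <= window:
                hits.append((record, e["account"], e["ts"]))
    return hits


if __name__ == "__main__":
    evts = parse_log(build_sample_log())
    print("bulk accounts:", flag_bulk_accounts(evts, max_per_hour=50))
    for record, account, ts in correlate_leaks(evts, LEAKS, window_seconds=600):
        print(f"{record} looked up by {account} at {ts.strftime(TS_FMT)} shortly before it was posted")
```

The hourly-count check is deliberately simple so that it can run as the records are being pulled rather than after the fact; a per-account baseline learned from history would replace the fixed threshold in practice. The correlation step is the retrospective check the Ministry described, and only lookups that precede the public post count, since a lookup after the post is not evidence of the source.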
Doug Britton, CEO of Haystack Solutions, also reacting to early reports, thinks the root cause of such risk may be a shortage of security professionals:
"If this is valid, it is an example of a highly sensitive and distressing breach. Sensitive data that was "secure" several years ago is now being threatened with highly interconnected systems that allow different attack vectors that are even more difficult to protect against. Ultimately data is increasingly more difficult to secure. Hackers are taking advantage and can wreak havoc on a global scale. Furthermore, if there was an insider assisting, then this is troublesome on another level.
"There needs to be a global investment in cyber security professionals. We can see that there are steps that could have been taken to make the entire database more secure and difficult to exfiltrate. Investing in a strong cybersecurity team can help organizations understand their unique security challenges and implement measures to stay one step ahead of these types of attacks. We have the technology to find cyber talent regardless of language or geography. We need to find the next generation of international cyber experts before public infrastructure is exploited and public confidence is eroded."
Rajiv Pimplaskar, CRO at Veridium, discerns lessons about fat targets and, especially, fat targets of opportunity, and how porous knowledge-based authentication can render their defenses:
"National ID databases like RENAPER help health, financial and telecom companies underwrite the Know Your Customer (KYC) process with Government source verification and have shown tremendous promise disintermediating fraud across emerging markets. However, such databases can create massive honeypots with significant downside ramifications in the event of a data breach.
"National ID systems should move away from Knowledge Based Authentication (KBA) such as PIN or Passwords and embrace biometric modalities like face and fingerprint. Biometrics reduce the risk envelope of credential theft and lateral movement that can proliferate data breaches.
"Several contactless biometric solutions are available to be accessed via consumer smartphones that can enable a variety of remote enrollment and verification use cases. Such modalities should be device independent so as to provide consistent access and user experience for all citizens regardless of make and model of their mobile phone.”
Tony Pepper, CEO of Egress, observed that big disruptive attacks are well within the capabilities of criminals:
“This is a monumental hack, exposing the personal details of up to 46 million people. The black market for stolen data is big business, and cybercriminals will stop at nothing to find their next big payday. This attack should be a warning to governments: cybercriminals have the means to execute large-scale, sophisticated attacks, and their citizens’ data is under threat.
"With the data of millions at risk, Argentinian citizens are now prime targets for follow-up attacks, such as financial fraud, sophisticated phishing attempts and impersonation scams, aimed at stealing further personal data, identities and even their money.”
Patient data exposed by hospital employee.
Data Guidance reports that University Hospital Newark (UH), located in the state of New Jersey, has disclosed a data breach in which an employee passed on private patient data to unauthorized individuals. The hospital notified the US Department of Health and Human Services Office for Civil Rights that over nine thousand patients were impacted by the incident, and the exposed data include names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers, and treatment info.
Trevor Morgan, product manager with comforte AG, wrote to explain the nature of one aspect of the insider threat:
“The data breach incident that University Hospital disclosed about a former employee who viewed and shared highly sensitive patient information accentuates the threat posed by the 'inside job.' We often focus on threat actors working on the outside of our perimeters trying to get into the enterprise environment and thereby compromise data, but people on the inside have a leg up because usually they have some access to the internal network environment and IT resources. Also, employees are usually granted a certain level of trust with enterprise data, even if they don’t have access and rights to all information within the organization. Working from the inside with an implied level of trust means that the inside job has more time to develop and execute an effective exfiltration strategy.
"The answer to counter this threat is to recognize how vulnerable businesses are from the inside and to adopt security stances like Zero Trust, which denies implicit trust to users, devices, and other entities regardless of their location within the network. Reduce or better yet eliminate implicit trust, challenge data requests more frequently and aggressively, and provide bare-minimum privileges if an expressed need for data or resources can actually be validated. Don’t trust, but still verify.”
Sascha Fahrbach, cybersecurity evangelist at Fudo Security, reminds us that "insiders" aren't confined to employees:
“Insider threats remain a significant risk for organizations, and healthcare, in particular, is highly vulnerable due to all the valuable PII that cybercriminals are after. With the pivot to remote work and cloud migration, that task has become even more of a challenge. We have to remember that insiders aren't only limited to employees. This term can also encompass contractors, suppliers, as well as former employees.
"Thankfully, there is a lot of guidance available to aid organizations in preparing themselves as best they can to mitigate this risk. For any organization to stand a chance, first, an audit should take place. It's vital to know what a typical 'normal' situation looks like. Only then can proper security policy guide the rest of the way. With the NIST cybersecurity framework, a thorough roadmap is given to the industry, which can help with a comprehensive plan covering vital elements: identify, protect, detect, respond and recover.
"Unfortunately, no one can ever guarantee complete security. There is still the human factor at the core, and this can play out in various ways. Ultimately, it is a holistic approach to security that encompasses secure access, significantly reducing risk. When organizations incorporate zero-trust into their departments, a positive step is taken to combat insider threats.”
Hospital breach lawsuit.
In the wake of a ransomware attack on UF Health, a medical network located in the state of Florida, an impacted patient has filed a class action lawsuit seeking damages in excess of $5 million. Village-News explains that the suit alleges UF Health downplayed the incident and “failed to implement industry protocols and exercise reasonable care in protecting and safeguarding” the data, which was subsequently offered for sale on the dark web. The data of over 700,000 patients were compromised.
What happened to REvil, this time around?
Steve Moore, chief security strategist at Exabeam, agrees that this might be the last call for REvil, which has sustained an organizational failure we normally associate with legitimate enterprises. “This latest disruption seems to be caused by insider fighting or possible offensive takedown – it’s the final blow to REvil," he said. "The operator only mentions a 'third party' – no attempt is made to identify their identity. Keep in mind these are organizations like any other, but with fewer rules. Based on information shared, they lost control of their backups which contained keys to overtake their network. In the exciting twist, the adversary was seemingly taken down due to weak technology hygiene, a flaw generally exploited by them to extort money from their victims.”
More comment on Sinclair Broadcasting's ransomware incident.
Matt Glenn, Illumio's VP of Product Management, sees no immediate end to the ransomware threat, and thinks it significant that the gang hit Sinclair over the weekend:
"We’re seeing attackers wait for holidays or the weekend to strike with ransomware, proving they are becoming increasingly calculated as they await their 'perfect opportunity.' Ransomware attacks continue to proliferate, so business resiliency remains the name of the game. Organizations that are prepared for cyber incidents -- and recognize them as inevitable -- are better able to withstand the impact and consequences when they are hit with an attack. As communicated by the Biden Administration in their Executive Order on cybersecurity, cyber resiliency must start with an “assume breach” mindset. This includes making Zero Trust strategy adoption a priority -- as opposed to solely approaching cybersecurity from a preventative standpoint. Think of it this way: In today’s world, bad actors will always find a way in. It’s not enough to surround your castles with moats if invaders are already inside your walls."
Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, sees ransomware moving out to touch sectors that the gangs had hitherto overlooked:
"I think more and more industries are coming to the rude awakening that they are now targets of cyberattack. The old mindset of 'we’re too small' or 'we don’t have anything hackers would be after' is simply no longer true. The epidemic of ransomware attacks largely fueled by the advent of cryptocurrency’s enabling of bank-free extortion payments has effectively monetized every network in the world. Further, modern cybercrime rings have become highly skilled operations with significant budgets. 'Zero-day' exploits, once thought to be largely the purview of nation-state level actors, are now well within the operating budget to purchase or develop in house for even moderate ransomware gangs. These factors leave many organizations with an antiquated approach to information security extremely vulnerable to suffering a significant compromise.
"It’s also important to observe that while cybersecurity insurance may help assist with paying for a ransom, there are intangibles that can’t be covered such as prolonged operational downtime or loss of customer confidence."
RiskLens CEO Nick Sanna thinks CISOs need to work on communicating cyber risk in business terms. "The pressure is on CISOs of all industries to justify the right investments in cybersecurity to a business audience who will support them if they understand the financial impact of ransomware attacks to their organization," he said. "Quantifying cyber risk in financial terms is key to get the right buy-in and level of protection against this increasingly prevalent threat."
There are also legal and policy dimensions to ransomware attacks of this kind. Robert Cattanach, a partner at the international law firm Dorsey & Whitney, commented, "The onslaught of ransomware attacks continues virtually unabated (notwithstanding President Biden’s admonishments to President Putin, which may or may not have paused the scourge briefly). Many ransomware events pass unnoticed, as the hacked entity sees no upside to making the vulnerability public, and the reputational damage remains significant. So what can we learn from the Sinclair attack?" He went on to enumerate some lessons:
1. "Criminal enterprises will remain huge threats to US companies for the foreseeable future, and no target is safe. This means you. And you, and you, and you," Cattanach says.
2. "Practice, practice, practice. By all public accounts, Sinclair appears to have been completely unprepared for this contingency. No out of channel backups for the chain of command – such as simple and cheap burner phones – and apparently no contingency plans for when, not if, systems are encrypted. Reporters and news rooms were left to manage on their own. Some companies can muddle through, but if your commercial currency depends on reliable access to systems, you need to spend the time and money necessary to have a backup plan," Cattanach says.
3. "The hackers hold all the cards. Even if Sinclair restores through backup – which itself carries risks of re-infection – it may still face the Hobson’s choice of sensitive information being dumped on the dark web if it refuses to pay the ransom. If the personal information of California residents is determined to have been exfiltrated, or potentially even accessed, there will be a class-action stampede to the courthouse," Cattanach says.
4. "Messaging within the first 24-48 hours is critical, but risky. Underplay the impact and you immediately lose credibility. Admitting you don’t know gets the same result. Overestimating tanks your stock. Typically, forensic investigations take several days, or even weeks, to determine the extent and cause. You can’t figure this stuff out on the fly," Cattanach says.
5. "All of which is to say you need a plan, developed by actual stakeholders, not their minions, and a process to assemble the key decision makers at least virtually, craft the content and cadence of your messaging, and make the best decisions you can with incomplete and likely conflicting information (the fog of breach)," Cattanach says.
Cattanach's conclusion is, "If any good can come of this, it will be in the lessons learned for Sinclair and the targets about to find out the hard way."