At a glance.
- Online restaurant ordering platforms compromised.
- Apps found exposing AWS keys.
- Update on Pennsylvania's contact tracing app data exposure.
- Scripps Health suffers ransomware attack.
Leftovers prove to be a more secure dinner option.
Gemini Advisory reports that over the past six months, five online restaurant ordering platforms have been targeted by hackers, resulting in the exposure of approximately 343,000 credit cards. The impacted platforms -- Easy Ordering, MenuSifu, E-Dining Express, Food Dudes Delivery, and Grabull -- serve dozens of restaurants, giving the threat actors access to a large customer base. As the pandemic has resulted in an upswing in demand for online restaurant delivery services, threat groups like Keeper deploy Magecart malware in order to infiltrate the platforms’ payment systems and take advantage of this lucrative threat vector. Restaurants can prevent attacks by investing in strong firewalls and monitoring for malicious code, as well as by selecting ordering platforms that make cybersecurity a priority.
BeVigil finds dozens of apps exposing access keys.
Cybersecurity and intelligence company CloudSEK provides a platform, BeVigil, that allows individuals to check an application’s security rating before installing it. The Hacker News explains that after analyzing 10,000 apps, BeVigil identified over forty apps, totaling more than 100 million downloads, with private Amazon Web Services access keys hardcoded within them, posing a major security risk. The apps in question include popular platforms such as Adobe Photoshop Fix, IBM's Weather Channel, and online shopping service Club Factory. “AWS keys hardcoded in a mobile app source code can be a huge problem, especially if its [Identity and Access Management] role has wide scope and permissions,” CloudSEK researchers stated. “The possibilities for misuse are endless here, since the attacks can be chained and the attacker can gain further access to the whole infrastructure, even the code base and configurations.”
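A defender's check for the two conditions the CloudSEK quote describes, AWS credentials hardcoded in an app's strings and a wide-scope IAM policy attached to them, as an added Python example that is not part of the report, of BeVigil, or of CloudSEK. The app strings, the key ID and the policy are constructed for the example, and the secret is the AWS documentation placeholder, not a live key.

```python
import json
import re

# Constructed strings extracted from a fictional app build; the key ID is made up
# and the secret is the AWS documentation placeholder, not a live credential.
APP_STRINGS = """
api_base=https://api.example-shop.invalid/v2
aws_access_key_id=AKIAEXAMPLE000000001
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
feature_flag=dark_mode_v2
"""

# Long-term key IDs start with AKIA, temporary (STS) ones with ASIA, each followed
# by 16 upper-case alphanumerics. A secret is 40 base64-like characters, so it is
# only reported when it sits next to a "secret" keyword, which keeps noise down.
KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_RE = re.compile(r"(?i)secret[_a-z]*\W{1,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")

def find_hardcoded_aws_credentials(text):
    """Return (key_ids, secrets) found in extracted app strings, deduplicated."""
    key_ids = sorted(set(KEY_ID_RE.findall(text)))
    secrets = sorted(set(SECRET_RE.findall(text)))
    return key_ids, secrets

# Constructed IAM policy for the leaked key: one statement grants every action on
# every resource, the "wide scope and permissions" case the researchers warn about.
LEAKED_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-app-assets/*"},
    ],
})

def wide_scope_statements(policy_json):
    """Return Allow statements whose Action or Resource is a bare wildcard."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions or "*" in resources:
            findings.append(stmt)
    return findings

if __name__ == "__main__":
    ids, secrets = find_hardcoded_aws_credentials(APP_STRINGS)
    print("key IDs:", ids, "secrets found:", len(secrets))
    print("wide-scope statements:", wide_scope_statements(LEAKED_KEY_POLICY))
```

Running the same two checks in CI over a decompiled build and over the policies of any key it finds turns the report's finding into a release gate rather than an after-the-fact discovery.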
Update on Pennsylvania's contact tracing exposure.
As the CyberWire noted last week, Insight Global, a Georgia-based company contracted by the Pennsylvania Health Department to conduct COVID-19 contact tracing, potentially exposed the private data of approximately 72,000 state residents by communicating about user data via unsecured channels. WPXI, the news station that first discovered the breach, reports that state representatives gathered in the state capital of Harrisburg on Monday to demand the immediate termination of the contract with Insight Global and to request an independent investigation at the federal or state level, as well as an investigation by the state house oversight committee. While the state initially planned to work with Insight Global until their contract expires in July, State Representative Jason Ortitay stated “The public trust in Insight Global is gone. And as long as the company continues to do contact tracing for our state who is going to give them any information?”
We heard from Trevor Morgan, product manager with comforte AG, who sees the incident as a cautionary tale of contracting and regulatory standards:
“The exposure of PHI affecting the tens of thousands of Pennsylvanians brings up the critical issue of meeting minimum data security standards. According to reports, the Pennsylvania Department of Health established security protocols that the department now claims were willfully disregarded by Insight Global, the vendor contracted to provide contact tracing.
"This situation is a cautionary tale. Whether through contractual obligation or regulatory mandate, enterprises working with sensitive data need to meet the acceptable threshold of data security. However, vendors can’t trust that sensitive data such as PHI will always remain protected if it travels outside protected perimeters, because data is vulnerable even when resting within security perimeters. When data is on the move, it is especially prone to mishandling and potential compromise, which means that a more data-centric approach to security should be part of those minimum data security standards. Data-centric security such as tokenization and format-preserving encryption replaces sensitive data with benign representational information, so even if it falls into the wrong hands the data cannot be compromised by the wrong parties.
"For more and more regulatory agencies and individual enterprises, data-centric security measures are now part of minimum data security standards because of the ability to protect data even while in motion.”
Scripps Health sustains apparent ransomware attack.
The San Diego Union-Tribune reports that California-based healthcare system Scripps Health experienced a ransomware attack this past weekend. Scripps, which serves more than 700,000 patients a year, was forced to suspend patient access to its online portal MyScripps, reschedule appointments set for Monday, and redirect some critical care patients to other hospitals. An official statement released Sunday initially downplayed the incident, but the San Diego Union-Tribune obtained an internal memo indicating that two of Scripps’ four main hospitals were impacted, including backup servers in Arizona, and that personnel were forced to rely on paper records, as electronic records and medical imaging were down. According to NBC 7 San Diego, the San Diego County Office of Emergency Services stated that as a precaution, ambulances were being diverted from Scripps' hospitals to other area facilities. HealthITSecurity reports that all four hospitals in Encinitas, La Jolla, San Diego, and Chula Vista were placed on emergency care diversion for some critical patients.
We received a great deal of industry reaction to the incident at Scripps.
Jerome Becquart, COO of Axiad, sees the criticality of healthcare during a pandemic as requiring a comparable level of attention to cybersecurity in the medical sector:
“As healthcare workers take on such a critical role in the pandemic and vaccine rollout, hospitals and healthcare providers need to ensure security in every aspect of their employees’ work to prevent cyberattacks. Email is the most frequent cause of compromised security within the industry - often due to phishing threats where employees are unable to distinguish if an email is genuine or not and ultimately share confidential information. Healthcare providers can utilize digital signatures to help their employees identify if an email is truly from an internal source or a phishing threat.
"Security incidents in the healthcare industry are also frequently caused by vulnerable passwords that healthcare workers create for convenience and use many times throughout a shift to log in and out of their system, on various machines. Moving to multi-factor authentication that doesn’t require unsafe passwords will help secure healthcare employees, patients, and their data. It will also increase the productivity of frontline workers. The less time healthcare employees spend logging in and out of systems, resetting passwords, or dealing with credential issues, the more time they can spend on their critical work.”
Edgard Capdevielle, CEO of Nozomi Networks, excoriates the criminals who hit healthcare facilities. And in this he's surely right--this is loathsome activity:
“Showing just how low cybercriminals will go, the attack on a major healthcare facility like Scripps highlights the dark side of ransomware, disturbingly putting lives at risk. The truly sad reality is no one is immune from ransomware, and, like good medicine, the best defense is prevention.
"The probability of ransomware attacks must be factored into an organization’s incident response and business continuity plans. This includes training staff on the threat and the techniques cybercriminals will use to get into systems, and carrying out continuous security monitoring across IT and OT networks to identify malicious activity or vulnerabilities that cybercriminals could exploit. Ransomware should be factored into an organization’s incident response and business continuity plans. Beyond a technical response, decision makers need to be prepared to weigh the risks and consequences of alternate actions.
"Ransomware threat actors typically rely on spear phishing links or vulnerable public services to gain initial entry into a network. Afterward, they move laterally to gain access to as many nodes of the network as possible, allowing them to increase the magnitude of the disruption.
"Cybersecurity best practices such as strong segmentation, user training, proactive cyber hygiene programs, multi-factor authentication and the use of continuously updated threat intelligence should be used to protect IT and operational environments from ransomware and other cyberattacks.”
Bert Rankin, COO of Zentry Security, is as condemnatory of the hack as is Capdevielle:
"The attack on Scripps Health is a terrible reminder that ransomware attacks on healthcare organizations can potentially cost lives, which is probably why healthcare is such a prime target: with so much at stake, they have to pay ransom. Last year, it’s been estimated that ransomware attacks cost the healthcare industry over $20 billion—that’s money that should be put into quality healthcare, not the pockets of cyber criminals. The healthcare industry has to double-down on keeping cyber criminals out, and on educating the workforce on how to identify and subvert phishing emails and avoid clicking on malicious links. Zero trust network access solutions should be part of the offensive that healthcare organizations take against ransomware. Whereas VPNs offer the keys to the kingdom once a user tunnels in, the ZTNA approach to secure remote access ensures employees and contractors only have access to those applications and systems they need to do their jobs, and no more. It’s a big step forward to zero trust security and could go a long way to bringing the ransomware statistics in the healthcare industry way down."
Alexa Slinger, identity management expert at OneLogin, notes that the difficulties lie not just in the heightened demands on direct provision of care during the pandemic, but also in the pressure to operate remotely that the pandemic has imposed. Healthcare organizations were driven to speed up digital transformation, and some of the attendant improvisation has exacted a toll on security:
“Malicious actors and attackers are unrelenting in their pursuits to take advantage of the most vulnerable systems, healthcare organizations, and exploit them. We’ve seen that weak access control and social engineering phishing are usually the main ways they target and exploit healthcare institutions, resulting in data breaches and/or ransomware attacks. While Scripps has not made details known, we have seen COVID-related topics and email subject lines as the enticement to lure vulnerable individuals in.
"Due to COVID, healthcare organizations were forced to accelerate their digital transformation efforts to accommodate remote models for activities such as telemedicine. Oftentimes, healthcare facilities are using outdated legacy infrastructure and unpatched hardware and software systems, which make them easy targets for hackers seeking valuable patient records and research data. In addition, healthcare systems are often highly connected, meaning that when a breach does impact one part of the system, it has the potential to bring down the whole system.
"The healthcare industry is notorious for underspending on IT and malicious actors know the data they can glean from a healthcare hack is especially lucrative on the dark market. Healthcare organizations must begin to understand and tackle the threats they are faced with, especially as it pertains to the regulations and protections for the critical data they hold. This breach highlights the need for a full scale access management platform to secure entry into their systems, applications and intellectual property. In addition, the healthcare industry must begin to implement comprehensive security awareness training to educate all personnel on how to spot phishing attempts, password practices and what to do in the case of an active exploit.”
Purandar Das, CEO and Co-Founder of Sotero, sees the incident as another case of criminals hitting easy, deep-pocketed targets of opportunity:
"Hackers are targeting soft targets knowing that they are easy to attack and they are financially rewarding. This also plays into current situations where medical information is more valuable than other categories of stolen information. It is also highlighting a weakness in current deployments of technology platforms that adopt a legacy approach to security and data protection. Criminals are targeting organizations that have been slow to adopt a more robust and resilient architecture. Organizations have to move towards protecting data, via new encryption technologies, that keep them secure while enabling privileged access. This prevents a “data held hostage” situation. Secondly, organizations have to move towards a resilient deployment architecture that enables them to bring up a failover system without risking long term outages."
Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, has some sympathy for the problems healthcare providers face:
"In a lot of ways I feel like healthcare has somehow gotten the worst of all worlds integrating technology into their operations. I’m sure it varies from institution to institution, but personal experience has involved routinely filling out duplicate paper forms that are entered into a computer by caregiving personnel only to be asked to complete the same documents on the next visit. Not exactly a huge win for efficiency gains. At the same time, recent examples both with Scripps Health as well as an incident in Germany last year that contributed to the death of a patient show that dependence on the same technology can completely disrupt a facility's ability to provide care.
"To protect themselves and their patients, healthcare organizations must adopt a true culture of security that includes a holistic approach to how risk is identified and mitigated, starting with education and extending into adoption of security best practices, continuous monitoring, and regular testing to ensure that no gaps have been missed."
Erich Kron, Security Awareness Advocate at KnowBe4, returns to the life-and-death criticality of healthcare. While Scripps has said it continues to deliver safe and effective care, other healthcare systems that have come under cyberattack have seen patient care disrupted, sometimes with lethal results:
"Ransomware, while once an inconvenience, has become a significant issue impacting not only finances, but also human lives. This is not the first time hospitals have had to divert patients because of a ransomware attack. This unfortunately cost the life of an individual in Germany last year [see Forbes for an account of that incident], and could lead to the same here. Any time you impact the ability of a hospital to provide critical trauma care or to have to divert serious conditions to other places, likely costing precious time, the risk of tragedy increases greatly.
"Unfortunately, due to the criticality of EHR and the impact it can have on patients when unavailable, ransomware gangs often target medical facilities in the hope that due to the urgency, the organization will pay the ransom quickly. In addition, quite often, the attackers also exfiltrate sensitive data, which can be valuable on the dark web.
"Ransomware is most often spread through email phishing attacks or through remote access portals. Since the beginning of the pandemic, many workers have been working remotely, creating a rise in the number of internet-facing remote access portals for cyber criminals to attack. This means organizations must be more diligent than ever to ensure these portals are properly secured and whenever possible, use some form of multi-factor authentication.
"In addition, organizations greatly benefit from stepping their employees through high-quality security awareness training to help them spot and report email phishing attacks. The training does not need to be long; however, it should be engaging and relevant to the employees, as well as being done on a frequent basis to ensure watching for these emails is at the top of their mind. Combining training with simulated phishing attacks greatly improves the ability and likelihood that employees will spot and report these dangerous emails."