At a glance.
- Alumni data leaked from a Pembroke College telethon.
- More third-party exposure via CaptureRx.
- Student health insurance carrier sustains data breach.
- Update on ransomware attacks against Irish healthcare agencies.
- Double-encrypted ransomware.
Pembroke College leaks alumni data.
A data leak at Oxford’s Pembroke College led to the exposure of private alumni data, Cherwell reports. Information pertaining to a recent telethon was exposed to users of the University’s student services platform, and the data included alumni names, ages, and addresses, as well as details about telethon training and donations. According to a Pembroke spokesperson, “On being alerted to this breach, which we now know arose out of a technical issue when the site was created, the College immediately secured the data and launched an urgent internal investigation.”
CaptureRx attack claims two new victims.
The February ransomware attack on CaptureRx, provider of 340B IT solutions for hospitals, has impacted two Ascension hospitals in the US state of Michigan, Becker’s Hospital Review reports, bringing the number of hospitals compromised in the attack up to eight. Seven thousand five hundred Ascension patients were impacted, and the compromised data include names, dates of birth, and prescription information.
Student health insurer suffers data breach.
Canadian health insurance carrier guard.me experienced a data breach in which a threat actor gained access to personal policyholder information by exploiting a website vulnerability, Bleeping Computer reports. One of the largest health insurance providers for students traveling abroad, guard.me took their website offline last week after noticing suspicious activity. Visitors are redirected to a webpage that reads, “Our IS and IT teams are reviewing measures to ensure the site has enhanced security in order to return the site to full service as quickly as possible.” The breach exposed personal student data including date of birth, gender, street address, and encrypted passwords.
Pravin Madhani, CEO and Co-Founder of K2 Cyber Security, emailed the following comments on the incident, and sees it as strong motivation to check on your application security:
"This recent data breach of personal information leaked by Guard.me is a good reminder to organizations to check for some of the most common application security issues in their public-facing web applications. The easiest protection against cyber attacks is to keep your operating systems, applications, devices, and software patched and up to date. Virtual patching tools that protect the application, like the ones offered by RASP (Runtime Application Self-Protection) solutions, actively monitor the application during runtime and help protect the organization against new and unpatched vulnerabilities. RASP is now mandated by the most recent version of the NIST Security and Privacy Framework published last September."
Updates on ransomware attacks against Ireland’s health agencies.
As the CyberWire noted yesterday, Ireland’s Health Service Executive (HSE) and Department of Health were targeted by ransomware attacks over the weekend. Bleeping Computer explains that while IT specialists were unable to detect the ransomware before the HSE’s systems were encrypted, they had adequate warning of the attack on the Department of Health to detect Cobalt Strike beacons deployed on the network and block the malware before it locked down the department’s systems. The National Cyber Security Centre (NCSC) has confirmed that Conti ransomware, operated by the Russian threat group Wizard Spider, is to blame for the attacks, the BBC reports. Taoiseach Micheál Martin and other government officials have been briefed on the incident by health ministers and have made it clear they have no intention of meeting the attackers’ ransom demands. Cybersecurity experts at McAfee and FireEye are monitoring dark web data dump sites for any indications that the criminals have made good on their threat to publish the stolen HSE data if the ransom is not paid, the Irish Times reports. A spokesperson for the Russian embassy has condemned the attacks, though they stated “we do not have any way to judge on who the perpetrators are...The Irish authorities have not yet approached the embassy regarding this ransomware attack.” James Moles, senior engineer at cybersecurity company ExtraHop, believes it’s unlikely the perpetrators will be extradited. “If they’re attacking targets in the West, President Putin is not going to stop them. It is not in his interests to do so,” he stated.
Comment on Avaddon ransomware's proliferation.
Chad Anderson, Senior Security Researcher at DomainTools, emailed some comment on how Avaddon has evolved:
“The Avaddon gang continues to be prolific. As of right now their target page on the dark web contains both Acer Finance and AXA Group as well as Henry Oil & Gas, EVGA, and Nijman transport. In total, since their discovery in June 2020, the Avaddon gang has published data on dozens of victims on their dark web site, following the now common double-extortion technique amongst ransomware operators. Avaddon also maintains an affiliate program where they recruit hackers from underground forums to deploy their ransomware. This most recent intrusion shows that the human operators behind these ransomware families continue to hone their skills and become continually faster at deploying on victim networks.”
Double-encrypted ransomware.
WIRED describes the growing trend of double encryption. The gangs began by simply rendering victims' data unavailable, moved on to data theft and doxing, and have now begun encrypting data twice. In some cases they use one strain on part of a victim's information and a second strain on the rest, which means that a single decryptor will at best restore a fraction of the data. In others the criminals use first one strain, then another, on the entire corpus, so a second decryptor is necessary. You pay for one decryptor, and then find you’re being upsold to two. This doesn’t seem a sustainable business model.
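The practical consequence for responders is that running a decryptor (or restoring from a partial backup) is not the same as recovering the data: with two strains in play, some files come back intact, some remain ciphertext, and some come back damaged. The following is an added example, not code from WIRED or from this digest, of a recovery-verification check a responder might run before declaring an incident closed. It compares what a decryptor produced against a pre-incident integrity baseline and uses byte entropy to tell "still encrypted" apart from "corrupted". All file names, contents, and hashes are constructed for the example; the high-entropy bytes are produced with SHAKE-256 as a stand-in for ciphertext, not by any real ransomware.

```python
import hashlib
import math
from collections import Counter

# Constructed sample: a handful of files as they existed before the incident
# (hypothetical names and contents, not data from the incidents above).
ORIGINAL_FILES = {
    "invoices/2021-04.csv": b"id,amount\n1,120.50\n2,88.00\n" * 40,
    "hr/handbook.txt": b"Employee handbook, revision 7.\n" * 60,
    "eng/design.md": b"# Design notes\n\nThe service runs behind a proxy.\n" * 30,
    "legal/contract.txt": b"This agreement is made between the parties.\n" * 50,
}

# Known-good SHA-256 digests, as a backup catalogue or file-integrity
# baseline taken before the attack would provide them.
BASELINE_HASHES = {
    path: hashlib.sha256(data).hexdigest() for path, data in ORIGINAL_FILES.items()
}


def _pseudo_ciphertext(label: bytes, length: int) -> bytes:
    """Deterministic uniform-looking bytes standing in for an encrypted file."""
    return hashlib.shake_256(label).digest(length)


# Constructed output of a single decryptor after a double-encryption attack:
# one file intact, one truncated by a faulty decryptor, one still encrypted
# by the second strain, and one never produced at all.
SIMULATED_DECRYPTOR_OUTPUT = {
    "invoices/2021-04.csv": ORIGINAL_FILES["invoices/2021-04.csv"],
    "hr/handbook.txt": ORIGINAL_FILES["hr/handbook.txt"][:100],
    "eng/design.md": _pseudo_ciphertext(b"strain-B", len(ORIGINAL_FILES["eng/design.md"])),
    # "legal/contract.txt" is missing from the output entirely.
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess_recovery(restored: dict, baseline: dict, entropy_threshold: float = 7.0) -> dict:
    """Classify every baselined file as intact, still encrypted, corrupted, or missing.

    A hash match against the baseline is the only evidence of real recovery.
    Files that do not match are split by entropy: near-random bytes mean the
    file is still under some strain's encryption; structured bytes that fail
    the hash mean the decryptor damaged or truncated the file.
    """
    intact, still_encrypted, corrupted, missing = [], [], [], []
    for path, expected in baseline.items():
        data = restored.get(path)
        if data is None:
            missing.append(path)
        elif hashlib.sha256(data).hexdigest() == expected:
            intact.append(path)
        elif shannon_entropy(data) >= entropy_threshold:
            still_encrypted.append(path)
        else:
            corrupted.append(path)
    return {
        "fraction_recovered": len(intact) / len(baseline),
        "intact": sorted(intact),
        "still_encrypted": sorted(still_encrypted),
        "corrupted": sorted(corrupted),
        "missing": sorted(missing),
    }


if __name__ == "__main__":
    report = assess_recovery(SIMULATED_DECRYPTOR_OUTPUT, BASELINE_HASHES)
    print(f"recovered: {report['fraction_recovered']:.0%}")
    for bucket in ("still_encrypted", "corrupted", "missing"):
        print(f"{bucket}: {report[bucket]}")
```

The entropy threshold of 7.0 bits per byte is a working assumption that separates uniform ciphertext from text and most document formats; already-compressed or encrypted-at-rest files (archives, media, encrypted databases) will also score high and need to be judged by the hash comparison alone. The point of the check is that the hash baseline, not the decryptor's exit status, decides whether a file is back.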