At a glance.
- FBI intercepts cyberattack on US hospital.
- Mexican bank calls hacker’s bluff, and loses.
- MailChimp data breach impacts DigitalOcean customers.
FBI intercepts cyberattack on US hospital.
Becker's Hospital Review reports that the US Federal Bureau of Investigation (FBI) prevented an attempted cyberattack targeting Butler County Health Care Center, a hospital located in the US state of Nebraska. The FBI agents were acting on a tip from investigators in Ireland who said six different co-ops within their jurisdiction, including the healthcare provider in question, had been targeted by threat actors. Once informed of the threat, the hospital’s IT director identified and safeguarded the compromised server before patient data were exposed. The attackers have not yet been identified.
Mexican bank calls hacker’s bluff, and loses.
Grupo Financiero Banorte, Mexico’s second-largest bank, discovered the hard way that cease-and-desist orders don’t necessarily work when dealing with cybercriminals. Earlier this month Singapore-based cybersecurity firm Group-IB sent a letter to the hacker forum Breached on the bank’s behalf, claiming that an auction on the site for a database allegedly containing the stolen data of 10 million of the bank’s customers was fabricated and should be taken down. “The Group-IB team has discovered a resource containing a fraudulent post offering to buy Grupo Financiero Banorte’s leaked databases,” the letter reads. “We ask you to remove this post containing Banorte data.” Breached’s administrator, the infamous hacker Pompompurin, not only refused to take down the auction, but purchased the database himself, posting it for all of the forum’s users to see. Pompompurin wrote, “Make sure to tell Banorte that now they need to worry about the data being leaked instead of just being sold.”
KrebsOnSecurity explains that the hacker who originally posted the database for sale, Holistic-K1ller, has made a name for himself selling stolen data from Mexican institutions like phone company Telcel and lending platform Yotepresto on the forum (and its predecessor, RaidForums) over the past two years. When asked why Group-IB felt the cease-and-desist was the best plan of action, CEO Dmitriy Volkov stated, “It is not a common practice to send takedown notifications to such forums demanding that such content be removed. But these abuse letters are legally binding, which helps build a foundation for further steps taken by law enforcement agencies. Actions contrary to international rules in the regulated space of the Internet only lead to more severe crimes, which — as we know from the case of Raidforums — are successfully investigated and stopped by law enforcement.”
MailChimp data breach impacts DigitalOcean customers.
Cloud infrastructure provider DigitalOcean has released a statement confirming that some of its customers were impacted in the recent security incident at MailChimp, a leading American email marketing platform. MailChimp disclosed earlier this month that it experienced a cyberattack targeting its crypto-related customers. The marketing leader told BleepingComputer that the hackers used phishing and social engineering tactics to access over two hundred MailChimp accounts. "We recently experienced a security incident in which unauthorized actors targeted Mailchimp’s crypto-related users by employing sophisticated phishing and social engineering tactics. Based on our investigation to date, it appears that 214 Mailchimp accounts were affected by the incident,” MailChimp stated.
DigitalOcean explains that it discovered its MailChimp account had been compromised earlier this month. It determined that some DigitalOcean customer email addresses might have been exposed, and that attackers had already attempted to compromise the accounts of a small number of DigitalOcean customers through password resets. The company goes on to say that an email address from the @arxxwalls.com domain, which has been used in numerous scams in the past, was added as a sender to its MailChimp account. DigitalOcean customers are being advised to enable multifactor authentication on their accounts, if they have not already done so, as that control appears to have protected a number of accounts from compromise.
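The attack chain DigitalOcean describes (exposed customer addresses, then a wave of password-reset requests, with MFA stopping the takeovers) is the kind of thing an account-security team can watch for in its own logs. The following is an added illustration, not code from DigitalOcean or MailChimp; the log lines, the list of exposed addresses and the MFA roster are all constructed.

```python
# Added example: flag bursts of password resets against accounts whose
# addresses are believed exposed, and list resets that completed without
# an MFA step. Sample data below is constructed, not from the incident.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication-service log (timestamp action user src).
SAMPLE_LOG = """\
2022-08-15T10:00:01Z reset_requested user=alice@example.org src=203.0.113.5
2022-08-15T10:00:03Z reset_requested user=bob@example.org src=203.0.113.5
2022-08-15T10:00:04Z reset_requested user=carol@example.org src=203.0.113.5
2022-08-15T10:00:09Z reset_requested user=dave@example.org src=203.0.113.5
2022-08-15T10:01:00Z reset_completed user=bob@example.org src=203.0.113.5
2022-08-15T10:01:05Z mfa_challenge_failed user=alice@example.org src=203.0.113.5
2022-08-15T12:30:00Z reset_requested user=erin@example.org src=198.51.100.7
"""
# Addresses believed exposed through the marketing-mail provider (constructed).
EXPOSED = {"alice@example.org", "bob@example.org", "carol@example.org", "dave@example.org"}
# Accounts with MFA enabled (constructed); a reset alone cannot take these over.
MFA_ENABLED = {"alice@example.org", "carol@example.org"}

def parse(log):
    """Turn each log line into (timestamp, action, user, source_ip)."""
    events = []
    for line in log.splitlines():
        ts, action, user, src = line.split()
        ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((ts, action, user.split("=", 1)[1], src.split("=", 1)[1]))
    return events

def find_reset_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Source IPs that request resets for >= threshold exposed accounts within one window."""
    by_src = defaultdict(list)
    for ts, action, user, src in events:
        if action == "reset_requested" and user in EXPOSED:
            by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged[src] = j - i  # number of exposed-account resets in the burst
                break
    return flagged

def unprotected_takeovers(events, mfa_enabled=MFA_ENABLED):
    """Accounts whose reset completed and that had no MFA to stop the takeover."""
    return sorted(u for _, a, u, _ in events if a == "reset_completed" and u not in mfa_enabled)
```

Running `find_reset_bursts(parse(SAMPLE_LOG))` flags the single source that hit four exposed accounts within seconds, while the lone reset from the unrelated address is ignored.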
We received a number of comments from industry experts on the incident. Michael Oglesby, EVP, Security Services & Innovation at Cerberus Sentinel wrote to describe how serious the effects of a vulnerable email system can be. “Attacks against email systems are one of the most impactful security events a company can face. We assume that protecting our passwords is what keeps our online accounts safe; however, if you forget your password, most accounts have a password reset feature that relies on your email account. Access to your email is arguably more important than knowing your password and attackers know this. Email has been around since the beginning of the Internet and sending email today seems commonplace, however email security is often overlooked leaving a large target for attackers. Companies should ensure they have robust email security controls in place and regularly review the security of their email providers.”
James McQuiggan, security awareness advocate at KnowBe4, reminds us of the importance of well-understood incident response plans. “Organizations must have well-documented and repeatable incident response plans for security events with clear lines of communication and reporting. Additionally, these procedures should also include Public Relations responses for any event to effectively deal with questions from customers, third parties, and media. No organization wants to suffer a data breach and loss of their client or employee information. However, the organization's leadership must consider cybersecurity operations critical to protect the organization effectively. Too often, leadership views cybersecurity and risk as an IT issue, not a board issue. If this view continues, more organizations will suffer a similar situation.”
His colleague at KnowBe4, Erich Kron, placed the incident in the context of the supply chain:
“This is another example of a situation where a security incident at one point in the supply chain has caused significant issues for their customers. Unfortunately, the Mailchimp incident may have potentially led to downstream breaches of DigitalOcean customers by generating password reset requests, through no fault of their own. For cybercriminals, gaining access to an email service such as Mailchimp could reap huge benefits as they would be able to send phishing emails to customers from a known and trusted account. In the event DigitalOcean customers were to fall for a phishing attack stemming from the Mailchimp breach, the most likely scenario would be that the customer would be upset with DigitalOcean, not really knowing about Mailchimp. While useful, these sorts of vendor partnerships can unfairly taint an otherwise trustworthy brand, highlighting the importance of choosing vendors wisely.
“Customers of DigitalOcean should be on alert for potential phishing emails that seem like they come from the organization, and organizations that use the Mailchimp service should be asking tough questions of the provider. Educating employees on how to spot and report email phishing is an important security control for organizations of all sizes, especially given the damage suffered by falling for a phishing attack.”