At a glance.
- Update on the Los Angeles Unified School District ransomware attack.
- Predator spyware discovered on Greek diplomat’s phone.
- Cybercriminals take off with airline frequent flyer data.
- Daixin Team takes credit for Texas hospital ransomware attack.
Update on the Los Angeles Unified School District ransomware attack.
As the CyberWire noted last week, the Los Angeles Unified School District (LAUSD), the second largest school district in the US, suffered a ransomware attack over Labor Day weekend that shut down the district’s email system and other computer platforms. Also last week, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning that the Russian-speaking ransomware group Vice Society would likely be targeting the education sector. So it’s perhaps no surprise that Vice Society has claimed responsibility for the LAUSD attack. As Yahoo News reports, not long after the attack was disclosed, cybersecurity reporter Jeremy Kirk tweeted that the ransomware group had told him they were behind the incident. LAUSD released an update on September 8 stating that it’s on the way to “full operational stability” for a number of its key IT services and that the district plans to make multifactor authentication mandatory for employees and contractors starting today. There were also reports that login credentials belonging to several LAUSD employees had been published on the dark web, but LAUSD stated in its update that “compromised email credentials reportedly found on nefarious websites were unrelated to this attack, as attested by federal investigative agencies.” It’s worth noting that this is not the first time LAUSD has been exposed to ransomware. Hold Security CEO Alex Holden told the Verge that in February 2021 his company discovered an LAUSD device that had been compromised by the TrickBot banking Trojan. Fortunately, LAUSD was notified of the compromise and presumably took action, as the compromised device subsequently disappeared from the TrickBot botnet.
Dan MacKenzie, Senior Product Marketing Manager at Torq, wrote to point out that LAUSD isn't an outlier. Schools are attractive targets for ransomware operators:
"The increasing escalation in cyberattacks targeting educational infrastructures underlines the need for a unified, consistent cybersecurity approach for these institutions. School boards and districts need to make mitigating these attacks a key priority to prevent the growing level of disruption they are causing for school systems nationwide. Having a combination of the right cybersecurity staff, systems and tools, and resourcing need to become an integral part of every educational institute’s planning, while also embracing automation to take the overall security operations to the next level."
Predator spyware discovered on Greek diplomat’s phone.
Greece’s struggle with Israeli-made spyware Predator continues as an investigation reveals that the phone of former lawmaker and Minister of Infrastructure and Transport Christos Spirtzis, a member of the left-wing party SYRIZA, was hacked using the surveillance software in 2021. As Haaretz reports, this is the third instance of a Greek national being targeted with Pegasus, as it was previously discovered on the devices of investigative journalist Thanasis Koukakis and the leader of the country’s social democratic party, Nikos Androulakis. The Greek government has admitted that it carried out the surveillance, emphasizing that all surveillance was conducted within the parameters of Greek law, but has not confirmed whether Predator was used. Panagiotis Kontoleon, head of Greece's intelligence service, resigned in August in the midst of the surveillance revelations.
Cybercriminals take off with airline frequent flyer data.
Philippine Airlines (PAL) confirmed yesterday that a third-party data breach compromised the data of thousands of members of its frequent flyer program. The attack targeted Accelya, an IT provider that stores data related to PAL's Mabuhay Miles program, and exposed the data of members who joined the program between 2015 and 2017. Simple Flying reports that the stolen data include names, dates of birth, nationality, and gender. PAL Senior VP and Data Protection Officer Alvin Limqueco stated, “PAL is closely coordinating with Accelya who confirmed to us that the incident has been contained. We urged Accelya to fortify security measures to ensure that there can be no recurrence.” As a precaution, PAL has advised all travelers to change their Mabuhay Miles passwords, but emphasized that none of its internal systems were impacted and that operations will proceed as usual.
Daixin Team takes credit for Texas hospital ransomware attack.
OakBend Medical Center, a healthcare provider located in the US state of Texas, has disclosed that it suffered a ransomware attack on September 1. Upon detection of the attack, OakBend’s administrators took all systems offline and placed them in lockdown mode to contain the malware. The FBI and the Fort Bend County Government Cyberteam were enlisted to investigate, and the hospital has begun the process of restoring its network. OakBend’s phone and email systems are still down, and alternative contact information has been distributed, but a notice from the center states, “At no time was patient safety ever in jeopardy.” Although OakBend has not stated who might be behind the incident, the threat group Daixin Team told DataBreaches on Friday that they were responsible for the attack, claiming they exfiltrated approximately 3.5 GB of data, including 1.2M records of patient and employee details. As evidence, Daixin provided a sample of patient data including date of birth, weight, pregnancy status, and other health information. The threat actors claim to have stolen employee data as well. “Possible the FBI not worry about the possible publication of more than a million personal data of USA citizens and definitely don’t worry about OakBend Medical business,” Daixin wrote. OakBend has been contacted about Daixin’s claim, but has not yet responded.