At a glance.
- TheTruthSpy: a global stalkerware network.
- Australian Clinical Labs breach exposes thousands of health records.
- Scope of Medibank data breach grows to 4 million victims.
- Expert comment on the Daixin Team.
- The rise of Hive ransomware.
TheTruthSpy: a global stalkerware network.
TechCrunch has been investigating a massive stalkerware operation embedded in a bevy of Android apps including TheTruthSpy, Copy9, and MxSpy. Now, TechCrunch reports, a source has shared a cache of tens of gigabytes of data dumped from the stalkerware’s servers that includes the operation’s core database and detailed records on every device targeted by TheTruthSpy’s stalkerware apps since 2019. Using this data, TechCrunch has created a lookup tool to allow individuals to check if their device was compromised by TheTruthSpy's network of apps. Analysis of the data shows that the massive network spans every continent and nearly every country, and includes approximately 360,000 unique identifiers for devices linked to the operation’s victims. It also includes the email addresses of the 337,000 users who downloaded the apps in order to spy on others. In the last six weeks of the dumped data alone, the database stored 608,966 victim location data points, specific enough to pinpoint places of worship or transportation hubs where the targets were located. The US had the most location data points, followed by India, Indonesia, Argentina, and the UK. Canada, Nepal, Israel, Ghana, and Tanzania rounded out the top ten countries.
Operations such as this one take advantage of the fact that the possession of stalkerware is technically not against the law, though under federal wiretapping laws and many state laws, recording private conversations without the participants’ consent is illegal. Such apps circumvent app store restrictions by hiding their true intent, posing as more innocuous platforms like child monitoring software. Though cybersecurity companies and antivirus vendors have been working to block stalkerware, only a few developers have faced government penalties, and only then because federal regulators like the Federal Trade Commission have used creative legal approaches to bring charges.
Australian Clinical Labs breach exposes thousands of health records.
Aussies have been pummeled with cyberattacks over the past few weeks, and the latest target is Australian Clinical Labs (ACL), one of the country’s largest pathology providers. The attackers made off with the data of 223,000 people, including medical and health records of 18,000 individuals. ACL first learned in February that the IT system of its pathology unit, Medlab, had been compromised, and though at first it appeared no user data had been exposed, in June the government cybersecurity agency notified the company that data had been posted on the dark web. There’s no evidence of a ransom demand, and Medlab is reaching out to all impacted individuals. As CRN Australia notes, this is the second medical data breach to hit Australia in recent days, as the country is still reeling from an attack on Medibank, its largest health insurer.
Scope of Medibank data breach grows to 4 million victims.
Speaking of the Medibank breach, the leading Australian health insurer yesterday confirmed that the data of all 4 million of its customers had been exposed in the incident, CRN Australia reports. The attacker behind the breach, who claimed to be in possession of 200GB of company data, initially released the records pertaining to one hundred customers as evidence, and as Medibank launched an investigation, it warned the public that the number of impacted individuals was likely to grow.
Chief executive David Koczkar said in a statement yesterday, “Our investigation has now established that this criminal has accessed all our private health insurance customers' personal data and significant amounts of their health claims data. I apologise unreservedly to our customers. This is a terrible crime – this is a crime designed to cause maximum harm to the most vulnerable members of our community." The company has stated that none of its systems appear to have been infected with ransomware, and the breach has been contained. As the story continues to unfold, Insider Guides provides a helpful fact sheet outlining everything we’ve learned about the breach so far.
Expert comment on the Daixin Team.
CISA has warned that the Daixin Team, a criminal ransomware group, is currently active against US organizations. The Joint Alert, issued early this week, says in part, "The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) are releasing this joint CSA to provide information on the “Daixin Team,” a cybercrime group that is actively targeting U.S. businesses, predominantly in the Healthcare and Public Health (HPH) Sector, with ransomware and data extortion operations."
We've received comment from Stephan Chenette, Co-Founder and CTO of AttackIQ. He highlighted the particular risk the threat group poses to the healthcare sector:
“The Daixin Team has recently surfaced as a threat to the healthcare industry. In September 2022, the cybercrime group launched an attack on the OakBend Medical Center and claimed to have stolen over one million patient and employee records. A similar attack occurred in June of this year when the Daixin Team attacked Fitzgibbon Hospital in Missouri and exposed 40 GB of patient and employee data on their public leak site.
"This is not the first time the healthcare industry has been of concern in CISA and the FBI’s warnings. In September of this year, the agencies warned of significant vulnerabilities in many medical devices aged 30 years or older. The cost of an attack is the highest in the healthcare industry, as cybercrime groups like the Daixin Team risk patients’ safety and well-being when exposing personally identifiable information (PII) on the dark web. To be better prepared for Daixin Team attacks, healthcare organizations must adopt a threat-informed cyber strategy using the MITRE ATT&CK framework.
"The framework’s catalog helps organizations understand common techniques and tactics used by threat actors. Knowing the procedures used by the adversary helps inform organizations’ security programs and assists in building a more resilient proactive defensive and responsive security program. Using automated security solutions that safely validate organizations’ defensive controls against ransomware campaigns and threat actors can better prepare the healthcare industry to combat the next Daixin Team threat.”
The rise of Hive ransomware.
The Hive ransomware group, a ransomware-as-a-service gang, has leaked proof-of-hack personal data of some Tata Power customers, Infosecurity Magazine reports. The data include "Aadhaar national identity card numbers, tax account numbers, salary information, addresses and phone numbers."
Intel 471 released a report today highlighting ransomware activity in Q3 2022. Among the ransomware operations that have risen to prominence is Hive. Forty-two attacks were attributed to the Hive ransomware group this quarter, most of them impacting the US and UK. The consumer and industrial products sector was the most affected by this ransomware. In August of this year, an alleged Hive threat actor revealed that phishing emails are the group's initial attack vector. Hive has also released stolen corporate human resources files.
Edward Liebig, Global Director of Cyber-Ecosystem, Hexagon Asset Lifecycle Intelligence, wrote to point out the futility of paying a ransom in the hope of secure return of sensitive data:
"With the release of corporate employee data by the Hive Ransomware Group it seems that ransom negotiations have failed. Let’s face it, even if negotiations are successful, there is still only a 50%/50% chance of recovery of the encrypted assets. The decision to pay or not to pay is a business call. If the organization is in a very vulnerable position (recovery of assets is not possible), if there is a chance for extremely damaging information to be compromised, or if the potential business impact far outweighs the ransom payment, then the business may decide to pay.
"There is another aspect to consider in this scenario and that is the rules of the cyber insurance carrier. Some cyber insurers prohibit the payment of a ransom. This means that a ransomware Incident Response (IR) playbook must have a very defined and comprehensive declaration and approval process that goes to the top of the executive team.
"Increasing the chances of defending against ransomware begins with watching the front and back doors. Watch for, block, and educate against incoming spam and phishing attempts. Know your assets and endpoints. Know and mitigate the vulnerabilities within your environment that enable exploitation of those assets. Establish a comprehensive method for searching for indications of compromise or attack. Monitor rogue connections to unknown or malicious URLs. Flag outbound connection requests from unusual systems. Have a regular, trusted, off-site backup and recovery strategy. The best way to defend against ransomware is to never let it take root in your systems. The next best way is to have a bulletproof, trusted recovery strategy to minimize downtime and eliminate the 'ransom' debate."
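Two of the controls Liebig lists, monitoring connections to known-malicious destinations and flagging outbound requests from systems that should not be talking to the internet, reduce to a simple check over egress logs. The Python below is an added example for this digest, not code from the article or from any vendor named in it; the log format, host names, block list and egress policy are all constructed for the illustration and stand in for a real firewall or proxy export and a real threat-intel feed.

```python
"""Flag suspicious outbound connections in constructed egress log lines.

Rules applied to each connection:
  1. destination appears on a block list (stand-in for a threat-intel feed)
  2. source is a host that should never initiate outbound traffic
  3. destination port is outside the ports expected for web egress
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log; the syslog-like layout is invented for this example,
# and the addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2022-10-26T09:12:01Z outbound src=ws-142 dst=updates.example-vendor.test dport=443 bytes=18233
2022-10-26T09:12:09Z outbound src=ws-142 dst=mail.example.test dport=443 bytes=5120
2022-10-26T09:13:44Z outbound src=dc-01 dst=198.51.100.23 dport=443 bytes=904112
2022-10-26T09:14:02Z outbound src=ws-017 dst=cdn.example.test dport=443 bytes=42011
2022-10-26T09:15:30Z outbound src=ws-017 dst=bad-c2.example.invalid dport=8443 bytes=2048
2022-10-26T09:16:11Z outbound src=his-db-02 dst=203.0.113.9 dport=22 bytes=1310720
2022-10-26T09:17:55Z outbound src=ws-142 dst=cdn.example.test dport=80 bytes=3301
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) outbound src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes=(?P<nbytes>\d+)$"
)

# Constructed policy inputs; a real deployment would load these from
# asset inventory and a threat-intel feed.
BLOCKLIST = {"bad-c2.example.invalid"}
NO_EGRESS_HOSTS = {"dc-01", "his-db-02"}  # domain controller, clinical DB server
EXPECTED_PORTS = {80, 443}


@dataclass(frozen=True)
class Conn:
    ts: str
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_log(text: str) -> list[Conn]:
    """Parse log lines into Conn records, skipping lines that do not match."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        conns.append(Conn(m["ts"], m["src"], m["dst"], int(m["dport"]), int(m["nbytes"])))
    return conns


def flag_connections(conns, blocklist=BLOCKLIST, no_egress=NO_EGRESS_HOSTS,
                     expected_ports=EXPECTED_PORTS):
    """Return (connection, [reasons]) pairs for every connection that trips a rule."""
    findings = []
    for c in conns:
        reasons = []
        if c.dst in blocklist:
            reasons.append("destination on block list")
        if c.src in no_egress:
            reasons.append("outbound connection from a host that should not egress")
        if c.dport not in expected_ports:
            reasons.append(f"non-standard destination port {c.dport}")
        if reasons:
            findings.append((c, reasons))
    return findings


def summarize(findings):
    """Count findings per source host so triage can start with the noisiest system."""
    return Counter(c.src for c, _ in findings)


if __name__ == "__main__":
    hits = flag_connections(parse_log(SAMPLE_LOG))
    for conn, reasons in hits:
        print(f"{conn.ts} {conn.src} -> {conn.dst}:{conn.dport}  {'; '.join(reasons)}")
    print("per-host counts:", dict(summarize(hits)))
```

Run on the sample, the script flags the domain controller and the database server for initiating outbound traffic at all, and the workstation ws-017 for reaching a block-listed host on an unusual port; the ordinary workstation traffic on 80 and 443 passes. The per-host counter is the piece worth keeping in a real playbook: a single server that suddenly egresses is a stronger signal than any one workstation alert.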