At a glance.
- Report: possible employee data breach at Booz Allen Hamilton.
- Black Basta adds Sobeys to its shopping cart.
- AFP confirms Russian hackers behind Medibank breach.
- Scareware making the rounds.
Report: possible employee data breach at Booz Allen Hamilton.
Leading American management and information technology consulting firm Booz Allen Hamilton has disclosed that a May data incident potentially exposed the personally identifiable information (PII) of active employees. While working at the company, a now-former employee downloaded a copy of an internal report that was improperly stored on an internal SharePoint site. DataBreaches.net reports that the compromised data include employee names, Social Security numbers, compensation, gender, race, ethnicity, dates of birth, and U.S. Government security clearance eligibility. The company says its investigation indicates no intent to misuse the data on the part of the ex-employee. It’s unclear how many employees were impacted, but the company employs approximately 29,300 individuals. Affected employees have been notified and offered two years of credit monitoring.
Black Basta adds Sobeys to its shopping cart.
Bleeping Computer reports that Canadian grocery retailer Sobeys has suffered a ransomware attack at the hands of the Black Basta ransomware group. Parent company Empire issued a press release Monday stating that some services had been impacted by a company-wide IT issue. "The Company's grocery stores remain open to serve customers and are not experiencing significant disruptions at this time. However, some in-store services are functioning intermittently or with a delay," the retailer stated, adding that all stores were operating as usual. However, local media say that Canadian provincial privacy watchdogs from Quebec and Alberta received "confidentiality incident" notifications from the retailer, which are only sent following the breach of personal data. What’s more, employees reported that all computers were locked out in impacted Sobeys stores and shared photographs of in-store computers displaying a ransom note from Black Basta. Based on these notes and screenshots of negotiation chats, the threat actors deployed ransomware payloads to encrypt Sobeys' systems.
Though Sobeys says the issue is now resolved, food researcher and professor Sylvain Charlebois says the incident should serve as a warning for Canada’s agri-food sector, which is an attractive target for threat actors due to the industry’s high-value, low-margin nature. “Stakes are so much higher for Sobeys because it is a front-facing company, they deal with customers so if there’s a breach in their databases and some of the security is compromised, you have some personal data that is probably shared now,” Charlebois told Global News. It’s worth noting that Maple Leaf Foods, Inc., another Canadian agri-food company, suffered a cyberattack over the weekend.
Stephan Chenette, Co-Founder and CTO at AttackIQ, wrote to offer some background on Black Basta:
“Though Black Basta just recently appeared in 2022, it has already gained notoriety for a number of large-scale attacks. In April of this year, the American Dental Association (ADA) suffered a cyberattack during which stolen data was published on the Black Basta leak site. Unfortunately, the Canadian food retail giant Sobeys has become the most recent victim of Black Basta ransomware. Though Sobeys has been experiencing IT systems issues since last weekend, Black Basta’s history points to the potential for more dire consequences.
"Black Basta is known for stealing corporate data and documents, making the data of Sobeys’ 134,000 employees and 1,500 stores favorable targets. Although details are still emerging about the attack, Black Basta could leverage double-extortion tactics to shame victims into paying a ransom before sensitive information is published on their leak site. This method puts the safety of employees and customers at risk by further exposing them to future attacks.
"To prevent similar ransomware attacks, organizations must adopt a threat-informed cyber strategy using the MITRE ATT&CK framework. The framework’s catalog will help organizations understand the common techniques, tactics and procedures used by Black Basta and other known threat actors. This will allow organizations to build more resilient security detection, prevention and response programs to avoid falling victim in the future.”
AFP confirms Russian hackers behind Medibank breach.
Investigations continue into the massive data breach of Medibank, Australia’s largest insurance provider. The Record by Recorded Future reports that the Australian Federal Police (AFP) have officially confirmed the attackers behind the breach and attempted extortion are linked to Russia. AFP Commissioner Reece Kershaw said the force was “undertaking covert measures and working around the clock with our domestic agencies and our international networks, including INTERPOL.” He added, “This is important because we believe that those responsible for the breach are in Russia,” and that “intelligence points to a group of loosely affiliated cyber criminals, who are likely responsible for past significant breaches in countries across the world.” Australian Prime Minister Anthony Albanese, who authorized the AFP to confirm the attackers’ Russian ties, explained, “We know where they’re coming from, we know who is responsible, and we say that they should be held to account…The nation where these attacks are coming from should also be held accountable for the disgusting attacks and the release of information — including very private and personal information.”
Though it’s unclear which threat group is behind the attack, Medibank has now been listed on the extortion site formerly operated by REvil, the Russian-linked ransomware group that temporarily shut down after Russian officials with the Federal Security Service raided homes owned by fourteen suspected REvil members. The gang’s leak site appeared to become operational again in May, though analysts are unsure who might be operating it. Digital Shadows Senior Cyber Threat Intelligence Analyst Chris Morgan says the group’s resurrection is linked to the US’s decision to shut down a channel of communication dedicated to cybersecurity issues after Russia’s invasion of Ukraine, and as 9 News Australia notes, experts say the Medibank attack is likely a response to Australia’s support of Ukraine. The Russian embassy in Canberra has criticized the AFP for publicly linking the attack to Russia before contacting Russian law enforcement.
Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, noted the particular sensitivity of medical data:
“Medical information is among our most sensitive data. We all have a distinct right to data privacy and expect that our healthcare providers are doing everything they can to fulfil on that right. So when ransomware attacks hit healthcare institutions—as it has with Australia's largest health insurer Medibank—we in data-heavy industries should all take a pause and consider the implications of our cybersecurity choices. The enterprise surely pays a steep price for failure to prevent attacks and subsequent data leaks. However, let's not lose sight of the end victim, which is the individual whose private and sensitive health data wrongfully becomes public.
"The best way to prevent the pain suffered by both victims, the enterprise and the individual, is to safeguard sensitive records such as medical information through a data-centric approach to data protection. Data-centric methods such as tokenization replace sensitive data elements with innocuous tokens that maintain the analytic value of the data while obscuring the actual sensitive information itself. It becomes non-identifying and, therefore, worthless in the hands of threat actors, while remaining fully workable by the enterprise."
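The tokenization approach Shadabi describes, as an added illustration that is not comforte AG's or Medibank's code: a vault-based scheme in which each distinct sensitive value is swapped for a random token, consistently enough that per-member counts still come out right on the tokenized copy, while the copy contains none of the original identifiers. The record layout and values are constructed for the example.

```python
import secrets
from collections import Counter

class TokenVault:
    """Vault-based tokenization (constructed example). Only the vault holds the
    token <-> value mapping, so it must be protected far more tightly than the
    tokenized data sets that analysts work with."""
    def __init__(self, token_bytes=8):
        self._to_token = {}
        self._to_value = {}
        self._token_bytes = token_bytes

    def tokenize(self, value):
        # Same input -> same token, so joins and group-bys still work on tokens.
        # Caveat: that consistency also makes frequency analysis possible on tokens.
        tok = self._to_token.get(value)
        if tok is None:
            tok = secrets.token_hex(self._token_bytes)  # random, not derived from value
            while tok in self._to_value:                 # vanishingly rare collision
                tok = secrets.token_hex(self._token_bytes)
            self._to_token[value] = tok
            self._to_value[tok] = value
        return tok

    def detokenize(self, tok):
        return self._to_value[tok]

SENSITIVE_FIELDS = ("member_id", "diagnosis")  # assumed sensitive columns

def tokenize_records(records, vault, fields=SENSITIVE_FIELDS):
    """Return a copy of the records with sensitive fields replaced by tokens."""
    return [{k: (vault.tokenize(v) if k in fields else v) for k, v in r.items()}
            for r in records]

def claims_per_member(records):
    """An analytic query that works identically on raw or tokenized data."""
    return Counter(r["member_id"] for r in records)

def leaks_original(tokenized, records, fields=SENSITIVE_FIELDS):
    """True if any original sensitive value survives in the tokenized copy."""
    originals = {r[f] for r in records for f in fields}
    return any(r[f] in originals for r in tokenized for f in fields)

# Constructed sample claims data, not real member or clinical information.
RECORDS = [
    {"member_id": "MB-10001", "diagnosis": "J45.9", "state": "NSW"},
    {"member_id": "MB-10002", "diagnosis": "E11.9", "state": "VIC"},
    {"member_id": "MB-10001", "diagnosis": "E11.9", "state": "NSW"},
]

if __name__ == "__main__":
    vault = TokenVault()
    print(tokenize_records(RECORDS, vault))
```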
Not a true privacy issue, just a scam. (But dangerous nonetheless.)
BleepingComputer reports that scammers (they call themselves "Team Montesano") are running a scareware operation that claims, falsely, to have hacked individuals' devices or organizations' servers. They're demanding a ransom in exchange for a promise to exit the systems and not release data they've stolen. It's important to understand, should you receive one of their emailed ransom demands, that these are mass mailings, and that the senders haven't compromised anything. It's a pure scam.
Roger Grimes, data-driven defense evangelist at KnowBe4, commented on the sad consequences such scams can have, and offered some advice on coping with them:
"In general we can probably classify these types of fake scams as a type of 'scareware.' These types of scams have been around forever, but really peaked a decade ago in the form of fake antivirus warnings, where someone would get an 'emergency warning' that their PC was infected with multiple computer viruses and to call or contact someone to get the software to clean it up. During the last decade of ransomware, there have been tons of fake ransomware warnings, where the message would claim that ransomware has executed on your computer and you have to pay a ransom to make it go away, but really all it was was an annoying message that took a minute to get rid of if you knew what you were doing.
"Sadly, some of the fake scams, like the very popular, 'The FBI has detected you watching porn' or 'We've got video evidence of you watching child porn' have caused people to kill themselves...not realizing that it's completely random and fake. So, we still have to take these scams as seriously, because many victims...I'm not sure of the percentage, take them as real and respond accordingly. That's also why in our ransomware response checklist, step one is to confirm that the attack is real and not a fake attack, or worse, wiperware. Because you can't always trust that a claim is real and you need to confirm that the attack is real, or something different, before you respond.”