At a glance.
- Washington healthcare provider succumbs to phishing scam.
- Update on HubSpot data breach.
- Further developments in the Okta ransomware attack.
- Police round up teenagers in the Lapsus$ investigation.
Washington healthcare provider succumbs to phishing scam.
Spokane Regional Health District (SRHD) has disclosed a data breach in which patients’ protected health information was possibly “previewed” by an intruder who infiltrated the Washington state-based healthcare provider’s system via a phishing email, KXLY reports. SRHD Deputy Administrative Officer Lola Phillips stated, “Much like the rest of the state of Washington, SRHD has experienced a record-level spike in phishing emails and malware installation attempts. In this instance, staff fell prey to a phishing scam which exposed confidential information to data thieves.” Fortunately, it does not appear that the threat actor opened or downloaded any documents, and no Social Security numbers or financial data were compromised.
Update on HubSpot data breach.
As we noted earlier this week, customer relationship management (CRM) company HubSpot, which provides services to cryptocurrency services firms, suffered a data breach that originated from an employee account. Threatpost reports that a rogue HubSpot employee has been fired over the incident, and that the attacker was targeting the company’s cryptocurrency industry customers. Crypto firms BlockFi, Swan Bitcoin, NYDIG, Circle and Pantera Capital are on the growing list of impacted companies. Camellia Chan, CEO and founder of embedded artificial intelligence company X-PHY, said that given the growing popularity of digital currency, the attack isn’t surprising. “Surges in technological advancement create the perfect environment for cybercrime to flourish,” Chan explained. “So, with the rapid development of digital currencies was sure to come a rise in the cybersecurity risks associated with it.”
Further developments in the Okta ransomware attack.
US identity management firm Okta, Inc. continues to respond to the Lapsus$ ransomware attack that resulted in the potential exposure of client data. The company has named third-party sub-processor Sitel as the source of the breach, ZDNet reports, and at a virtual briefing on Wednesday, Okta Chief Security Officer David Bradbury admitted the incident has been "an embarrassment for myself and the entire Okta team." Bradbury explained that the attackers used remote desktop protocol (RDP) to access a Sitel-owned laptop belonging to a customer support engineer, and that up to three hundred sixty-six clients might have been impacted. The Verge notes that Bradbury expressed his disappointment about the length of time it took to issue a complete investigation report after Okta’s initial notification to Sitel in January. Bradbury admitted, "Upon reflection, once we received the Sitel summary report last week, we should have, in fact, moved more swiftly to understand its implications." That said, Bradbury reiterated that the breach was mostly contained by security protocols and that users do not need to take any action at this point.
Police round up teenagers in the Lapsus$ investigation.
Speaking of Lapsus$, City of London Police say they’ve arrested seven teenagers allegedly affiliated with the ransomware gang, including a sixteen-year-old who is purported to be the ringleader. Going by the handles "White" and "Breachbase," the Oxford teen was doxxed on a hacker site after a dispute with his business partners. The BBC reports that the doxxers published his name, address, and social media pictures, along with a bio that explained, "After a few years his net worth accumulated to well over 300BTC [close to $14m]… [he is] now affiliated with a wannabe ransomware group known as 'Lapsus$', who has been extorting & 'hacking' several organisations."
CRN Australia notes that, along with the most recent data breach at identity management firm Okta, Lapsus$ is allegedly behind recent attacks on high-profile companies Nvidia, Samsung, and Microsoft. Security Week explains that a recent Microsoft blog post details Lapsus$’s strategy, which focuses on exfiltration and extortion rather than network encryption, and capitalizes on brazenly publicizing its kills. “DEV-0537 doesn’t seem to cover its tracks. They go as far as announcing their attacks on social media or advertising their intent to buy credentials from employees of target organizations,” Microsoft explained. SecurityScorecard recounts Lapsus$’s speedy rise in the ransomware ranks: the group first targeted Brazilian and Portuguese organizations like the Brazilian Ministry of Health and the Brazilian Government Virtual School, and then moved on to the aforementioned prominent US-based tech companies. Reflective of its youthful membership, the ransomware gang polls its social media followers on Telegram to determine which targets to expose, and focuses on attack vectors like social engineering and stolen cookies that do not require sophisticated technical skills to exploit.
Ken Westin, Director of Security Strategy at Cybereason, thinks it would be facile to dismiss teenaged hackers as script kiddies:
"It's tough to know the motivation of the teen involved in this case, as many had speculated it was an organized cybercrime syndicate or potential nation state actors. However, I do feel that the security community underestimates the younger generation. We forget teens today have not only grown up with computers, but also have access to an unprecedented number of educational resources on programming and offensive security.
"I speculated the group was young based on their modus operandi, or lack thereof; it was as if they were surprised by their success and were not sure what to do with it. In some of their follow-up communications their language appeared more interested in the notoriety and defensive of their capabilities and accomplishments than any financial motivation.
"Today, teens have seen how much money is being made in criminal hacking; in some ways they are the new rockstars. You pair this with the fact kids have been cooped up for three years, often with nothing but the internet to entertain themselves, and we shouldn't be surprised we have skilled hackers. The problem is that their brains are still developing and the line between fun and crime can get blurred, where it's common for kids to hack to gain notoriety amongst their peers, but this easily crosses over into decisions that can affect the rest of their lives.
"Also, we shouldn’t underestimate the technical prowess of teens behind keyboards. There are teens today in some of the military's top offensive security units. Cybercrime is asymmetric; it only takes the identification of one vulnerability, whether by skill or chance, to topple an entire infrastructure. In addition, threat models should consider a lone wolf just as much as they consider advanced nation state adversaries.
"It is too early to say if this will be the end of Lapsus$; it could still be a false flag, bad attribution, or even framing someone for the hacks. If it is this 16-year-old in England, it is likely we will see an end to the group’s activity, unless one of their partners in cybercrime takes up the mantle."