At a glance.
- Data of millions of individuals exposed in Maximus data breach.
- Cyber-extortionists post explicit photos of plastic surgery patients.
Data of millions of individuals exposed in Maximus data breach.
Another MOVEit-related data breach. This time the victim is Maximus, a US government services contractor, and according to the company’s filing with the Securities and Exchange Commission, the attack potentially compromised the data of up to 11 million individuals. Maximus says there’s no indication that the hackers progressed further than the MOVEit file transfer platform, and upon detection of the breach the company immediately isolated it from the rest of the corporate network, TechCrunch reports. The filing states, “Based on the review of impacted files to date, [Maximus] believes those files contain personal information, including social security numbers, protected health information and/or other personal information, of at least 8 to 11 million individuals to whom the company anticipates providing notice of the incident.” Bleeping Computer notes that the Cl0p ransomware gang, which has claimed responsibility for the mass-hack that has impacted hundreds of organizations worldwide, added Maximus to its dark web data leak site yesterday, along with seventy other new victims, including the well-known accounting firm Deloitte and the global sports betting provider Flutter. The cybercriminals claim to have stolen 169 gigabytes of data from Maximus, but have not yet released the data online.
Ray Kelly, Fellow at Synopsys Software Integrity Group, draws the lesson: the software supply chain is a source of pervasive vulnerabilities. “This massive exploit of the MOVEit vulnerability is yet another demonstration of the importance of securing the software supply chain when it comes to data privacy. The key takeaway for business leaders is clear—just a single vulnerability in one piece of a third-party vendor’s software can lead to the compromise and exposure of personally identifiable information across every organization that vendor services.” The challenge is complex, and the risks are both direct and regulatory. “Organizations should ensure that any third-party vendor performs regular security assessments across their entire portfolio and infrastructure, and also meets compliance policy standards such as GDPR and SOX. Unfortunately, adopting these practices is not a silver bullet and does not ensure your organization’s protection against a future ransomware attack via the software supply chain.”
Stephan Chenette, Co-Founder and CTO at AttackIQ, commented on the way Cl0p has worked against targets across several industries, with government contracting now represented among the victims. “Clop ransomware group continues to exploit the MOVEit vulnerability across several industries. This most recent attack on the U.S. contractor, Maximus, highlights the far-reaching consequences of this zero-day flaw,” Chenette said. “Clop was previously known for using the ‘double extortion’ tactic, which is based on exfiltrating the victim’s information and encrypting local information. In this way, if the victim refuses to pay the ransom, the adversary will not restore access and will publish the stolen information on a dedicated data leak site. As of 2021, TA505 has opted for performing data exfiltration rather than encryption.” He offered some suggestions to organizations on how they might better protect themselves against Cl0p, and against the kind of threat the gang represents. “To best defend against ransomware attacks, it is critical for all organizations that manage sensitive information to adopt a threat-informed cyber-defense strategy. They focus on naming the ransomware threats and TTPs that matter most to you, aligning your defenses against those threats, and running your defenses against the adversary to understand your program performance. AttackIQ has released an attack graph that seeks to emulate the full capabilities of TA505’s toolkit to help customers validate their security controls and their ability to defend against a highly adaptable threat that has been able to stay ahead of the evolving cybersecurity landscape.”
Cyber-extortionists post explicit photos of plastic surgery patients.
Photos and private details belonging to approximately eighty patients of Gary Motykie, a well-known plastic surgeon in the US state of California, have been published by cybercriminals online. The attackers’ goal is clearly extortion, and before posting new images this week, they wrote, “...before publishing a new client’s data, we give them a choice. If the client is willing to pay $2,500, we guarantee that their data will be deleted on our end and will not go public.” One victim, who says she learned about the breach from another patient, told NBC Los Angeles, "I'm just horrified, just completely physically ill, because I had no prior knowledge.” She added that it has been nearly fifteen years since she saw Motykie for surgery.
According to a filing Motykie’s legal team submitted to the Attorney General’s Office in Maine, the breach impacted over three thousand patients. The photos in question appear in orderly rows, and images of a man who appears to be Motykie are included as well. Brett Callow of cybersecurity firm Emsisoft says the incident is unlike any extortion attempt he’s analyzed. “Those websites are usually sloppily created. There’s not much effort that goes into them,” said Callow. “But this one is different. It does appear as if some care went into it, and it seems specifically intended to outrage.”
Making matters worse, patients say they did not receive notification from Motykie’s office, instead learning of the breach only after the pictures were spotted online. Although Motykie filed a report about the extortion attempt with police back in May, as of July 27 Motykie’s website still does not directly reference the breach. “In my personal opinion, patients and people in general should find out their information has been compromised from the organizations which lost their data,” Callow said. “It should never ever be through the hackers.” Motykie’s social media and public relations manager Ethan Reynolds responded, “We try our best to reach out to the patients directly and we’ve spoken to a multitude of patients. But this is a high-volume practice, so there’s no way we could personally connect with every patient that’s ever been part of the practice.”