At a glance.
- California healthcare network hit with patient data breach.
- New Cl0p variant: same MO, different OS.
California healthcare network hit with patient data breach.
The San Diego Union-Tribune reports that one of the largest health providers in the US state of California has suffered a data breach. San Diego not-for-profit regional healthcare group Sharp HealthCare says a cyberattack has compromised the data of 62,777 of its patients. While the data exposed varies by individual, Sharp says, “The information contained in the file was limited to patient names, internal Sharp identification numbers, and/or invoice numbers, payment amounts and the names of the Sharp entities receiving payment.” The incident only affected patients who used Sharp’s online bill payment service between August 2021 and January 2023, and the healthcare group emphasized that more sensitive information, such as Social Security numbers and health records, was not among the data compromised. Sharp also notes that the attackers concentrated on the organization’s website and did not infiltrate the “FollowMyHealth” patient portal.
Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, commented that regulatory attention tends to follow attractiveness to criminals:
“Healthcare providers are among the most highly regulated organizations in any market. The reason for this scrutiny is obvious: they collect and handle some of the most sensitive personal data about an individual, information that goes beyond contact and financial data. And by that very reason, the healthcare industry is among the most lucrative targets for threat actors.
“Each and every enterprise that collects, handles, processes, and stores data is a target! But the healthcare industry and all related businesses present attractive targets because PHI data persists for healthcare management purposes over long periods. PHI data is quite sensitive, including financial data, identity information, health history, etc. Penetrating one of the systems (either the healthcare business itself or the related business) presents a gold mine of information for attackers to hold hostage or sell.
“Companies should learn from situations and prepare for such eventualities by deploying data-centric security and having a robust backup strategy. The bare minimum of data security includes fortifying the perimeters around this type of data. However, more effective data protection methods are readily available in the marketplace, including data-centric technologies such as tokenization and format-preserving encryption. These measures guard the data itself instead of the environment around it by replacing sensitive information with representational and innocuous tokens. This data-centric protection travels with the data, so even if hackers circumvent perimeter security or information is inadvertently exposed, any sensitive data subsequently accessed will be worthless, thereby averting the worst repercussions of a breach or leak.”
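To make the data-centric point concrete, here is an added illustration (not code from Sharp, comforte AG or the original article) of vault-based, format-preserving tokenization applied to billing records shaped like the fields Sharp described. The field names, the `TokenVault` class and the sample records are constructed for this example; the idea shown is that a file exfiltrated from the web tier contains only tokens, and the real values exist solely in the vault.

```python
import secrets
import string

# Fields Sharp says were in the exposed file; payment amounts stay readable for reporting.
SENSITIVE_FIELDS = ("patient_name", "sharp_id", "invoice_number")

def _same_class(ch: str) -> str:
    """Random character of the same class, so a token keeps the input's format."""
    if ch.isdigit():
        return secrets.choice(string.digits)
    if ch.isupper():
        return secrets.choice(string.ascii_uppercase)
    if ch.islower():
        return secrets.choice(string.ascii_lowercase)
    return ch  # spaces, hyphens and other separators pass through unchanged

class TokenVault:
    """Vault-based tokenization (hypothetical): real values live only here, records carry tokens."""

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value in self._value_to_token:  # same value -> same token, so joins still work
            return self._value_to_token[value]
        if not any(c.isdigit() or c.isupper() or c.islower() for c in value):
            return value  # nothing replaceable (empty or pure separators); avoids an endless loop
        while True:
            token = "".join(_same_class(c) for c in value)
            clash = token in self._token_to_value or token in self._value_to_token
            if token != value and not clash:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]

def protect_records(records: list[dict[str, str]], vault: TokenVault) -> list[dict[str, str]]:
    """Copies of the billing records with sensitive fields replaced by tokens."""
    return [{k: vault.tokenize(v) if k in SENSITIVE_FIELDS else v for k, v in r.items()}
            for r in records]

# Constructed sample billing records, not real Sharp data.
SAMPLE_RECORDS = [
    {"patient_name": "Jane Doe", "sharp_id": "SH0012345", "invoice_number": "INV-004512", "amount": "125.00"},
    {"patient_name": "Jane Doe", "sharp_id": "SH0012345", "invoice_number": "INV-004890", "amount": "40.00"},
]
```

Because the token keeps the length and character classes of the original, downstream systems that validate invoice-number or ID formats keep working, while anyone who copies the protected file without access to the vault learns nothing about the patients.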
New Cl0p variant: same MO, different OS (and some criminal missteps).
The infamous Cl0p ransomware group is sporting a new variant that impacts Linux operating systems, Security Week reports. Discovered by cybersecurity company SentinelOne, the variant was deployed in an attack on a Colombian university this December. Although the new version is still in the development stages, SentinelOne’s analysts say it uses the same encryption method as its Windows counterpart: the ransomware first attempts to access root, then branches off to encrypt other directories. However, unlike the Windows variant, this version targets specific folders and subfolders for optional software packages, multiple Oracle directories, and the home directory for each user, encrypting all of the files therein.
One small silver lining: SentinelOne identified a flaw in the encryption algorithm that allowed the analysts to decrypt the infected files, and the company has made a Python script of the decryptor available on GitHub, allowing victims to restore their data without paying a ransom. That said, SentinelOne predicts there will be more Linux variants from Cl0p in the future. “While the Linux-flavored variation of Cl0p is, at this time, in its infancy, its development and the almost ubiquitous use of Linux in servers and cloud workloads suggests that defenders should expect to see more Linux-targeted ransomware campaigns going forward.”
Jon Miller, CEO & Co-founder of Halcyon, commented on the implications of this new version of a dangerous ransomware strain. Botched or not, it's a development worth paying attention to:
“Cl0p is a dangerous ransomware family because it has advanced anti-analysis capabilities and anti-virtual machine analysis to prevent further investigations in an emulated environment, such as sandboxing.
“It is interesting that the threat actors developed a Linux version. Typically attacks focus on Windows OS since it has the most market share - and ROI is top of mind for attackers when choosing their target. While Linux has a tiny footprint in desktop computing, it runs ~80% of web servers, the majority of smartphones, 100% of the Top 500 supercomputers, and a large portion of embedded devices, which hold the most sensitive of all. Linux is favored by large network applications and data centers that drive most of the U.S. government and military networks, financial institutions, and even the backbone of the internet. So, while there are comparatively few Linux targets, what targets there are, are potentially extremely lucrative for an attacker.
“The ‘always on’ nature of Linux systems provides a strategic beachhead for moving laterally throughout the network. Targeting Linux systems would allow the threat actors to brick the most sensitive parts of an organization’s networks, which means the attackers can demand a higher ransom.”