At a glance.
- US health network suffers ransomware attack.
- Cybercriminals shop for grocery delivery service data.
- Roundup of recent global ransomware attacks.
- The Netherlands sees rise in stalkerware.
US health network suffers ransomware attack.
Several medical groups within the Heritage Provider Network, based in the US state of California, reported earlier this month that a December ransomware attack had resulted in a data breach. The Record by Recorded Future reports that notification letters were sent out on February 1 to more than 3.3 million potentially impacted patients, and the compromised data include Social Security numbers, phone numbers, dates of birth, and treatment details. The US Department of Health and Human Services is conducting an investigation, but so far Heritage has been tight-lipped regarding who is behind the attack and what size ransom might have been requested. The Register notes that the Hive ransomware group, known for targeting medical institutions, was shut down by the Federal Bureau of Investigation in late January, and during a press conference about the sting US Attorney General Merrick Garland said Hive's most recent victim in California was hit in December.
(Added 11:00 PM, February 14th, 2023. We received some industry comment on this incident that provides perspective on the attack. Ted Miracco, CEO of Approov, focused on the vulnerabilities that persist in the healthcare sector: “The healthcare industry remains one of the most vulnerable and most targeted sectors of the economy when it comes to cyber attacks. While the specifics of the attack have not been disclosed, it would not be surprising if the attack involved either the use of mobile devices and/or the exploitation of APIs. This is a common vector, as the security of mobile applications and the APIs they rely on remain the weakest link in protecting this most sensitive and most personal data. A more comprehensive approach to cybersecurity in the healthcare space is required, and that approach must take into account more than protection, and also address the detection and effective countermeasure to be effective.”
Jan Lovmand, CTO of BullWall, explained why medical records are particularly valuable commodities in criminal markets:
“The addition of healthcare records may make this recent attack on these California medical groups one of the most significant data events in years. Social Security numbers go for around a dollar. Trust me, the bad guys already have your social. Log-in credentials go for around $25 and maybe up to $75 if this also gives the cyber criminal access to your banking log-ins. If they have the credentials of an email admin you could see those go for as high as $1,500 (email admins should never put their job title on their LinkedIn for just this reason). However, healthcare records, PINs and log-ins can go for more than any of these.
“First, threat actors can see a person’s prescription history and will attempt to fill those prescriptions and sell the drugs on Silk Road-like websites, easily available on the Tor network. Second, if the records are detailed enough, they will attempt to extort those with embarrassing medical information. Imagine you are a married executive and a criminal approaches you letting you know they have all the information about your psychiatric history and medications, abortions or even venereal diseases. The amount they can extort in these instances can be tremendous and these often go unreported.
“When healthcare records are stolen the thieves will often gain tens of thousands of dollars of drugs and services from those records and the average victim will spend nearly 200 hours repairing the situation. It's hard to know precisely what was stolen in this event but if the healthcare records are detailed this may be one of the more costly breaches in the last 5 years.”)
Cybercriminals shop for grocery delivery service data.
An American online grocery delivery startup with the enthusiastic moniker of Weee! disclosed that it suffered a cyberattack that resulted in the theft of a year’s worth of customer data. TechCrunch reports that the compromised data include customer names, addresses, email addresses, phone numbers, order numbers, and order comments for purchases made between July 12, 2021 and July 12, 2022. Fortunately, payment information was not accessed. Although it’s unclear who was responsible for the breach, a user on a cybercrime forum is offering for sale information on 11.3 million orders and 1.1 million customer accounts stolen from Weee! earlier in February.
Roundup of recent global ransomware attacks.
A series of recent ransomware attacks has impacted institutions in the US, Israel, and Ireland. The city of Oakland, located in the US state of California, suffered a ransomware attack that forced the city to shut down its systems. Although the city says the incident has not impacted critical resources like 911 and the fire department, the public has been warned there could be delays in other services. Computing reports that the culprits have not yet been identified, and the city's Information Technology Department (ITD) has not shared information regarding ransom demands or data leaks. Oakland reporter Jaime Omar Yassin, who reported last year that the ITD was understaffed, was the first to break the news about the attack on Twitter last week.
(Added, 10:30 PM, February 14th, 2023. Dmitry Dontov, CEO and chief architect of Spin.AI, offered some comments on Oakland's ransomware incident.
“Ransomware attacks, like the one against the City of Oakland, are becoming increasingly common against cloud assets and applications. While we don’t know all the details of the attack, it’s been reported that city officials sent an email noting that ‘City mobile devices, Office 365, NeoGov, OakWiFi, the City’s website, Oracle and other services are not known to be impacted.’
"It should be noted that SaaS applications generate a large amount of SaaS data – and with the rise of SaaS applications usage during the pandemic – ransomware gangs are targeting this data at rates never before seen. We will very likely see more of these types of attacks, especially those targeting SaaS data and applications, in coming months.
"Organizations looking to mitigate this type of threat should be proactively assessing their ransomware readiness and ensuring they have hardened their security posture with ransomware detection and response. Detecting ransomware before or during an attack, instead of after the attack, ensures fast incident response and limited impact on SaaS data. Downtime is an inevitable part of any ransomware attack. After the attack it’s too late, and it can take an average of one month to recover the data, with most organizations never fully recovering all of it.")
Ireland’s Munster Technological University (MTU) has disclosed that a recent cyber attack led to data being “accessed and copied” from its computer systems and published on the dark web. The Irish Examiner reports that the university’s Cork campus is set to reopen today after being forced to shut down last week in the wake of the attack, which is believed to be the work of the Russia-based hacking group BlackCat (aka ALPHV or Noberus). The Irish Times adds that on Friday MTU secured an interim High Court injunction to help prevent the sale, publication, possession, or other use of any of the data that might have been stolen, and specialists have been enlisted to monitor the internet for any possible trace of the data. The High Court was informed that the attackers have threatened to publish confidential information about the university’s staff and students if the school does not meet their ransom demands, but the exact amount of the ransom has not been disclosed.
The Jerusalem Post reports that Technion University, Israel's top technology school, experienced a ransomware attack yesterday at the hands of a previously unknown threat group called DarkBit. The group’s motives appear to be ideological, as they’ve made statements indicating opposition to Israel as an "apartheid" state, but it’s possible this is just a tactic to distract investigators. DarkBit has issued a ransom demand of 80 Bitcoins, or NIS six million, with a threat to raise the amount by 30% if they don't receive payment within forty-eight hours. The Haifa-based school issued a statement saying, "To carry out the process of collecting the information and handling it, we use the best experts in the field, both within The Technion and outside, and coordinate with the relevant authorities. The Technion has proactively blocked all communication networks at this stage." The Israel National Cyber Directorate has said it’s communicating with Technion “to get a full picture of the situation, to assist with the incident and to study its consequences."
Etay Maor, Senior Director of Security Strategy at Cato Networks, sees a potential political motive in the attack on Technion:
“The Technion incident is still being investigated and Israeli government authorities have stepped in. There is not much known about the threat actor (DarkBit) at this point, but politically motivated attacks are nothing new. Israel, and Israeli academic bodies, have been targeted by nation state actors and hacktivist groups for years. The Israeli National Cyber Directorate said it has identified 53 different such attacks against academic bodies in 2022. Of course, Israel is not the only one – with such institutes around the world being a prime target both for nation state actors (for their research and knowledge) and for ransomware groups (for the money).
"Unfortunately, with cyber tools being almost commoditized via underground forums and peer-to-peer chat applications, the bar has been lowered for threat actors to obtain malware such as ransomware. This means that you do not have to be a nation state or large crime syndicate (or even a software developer) to own and operate tools like ransomware. With some threat actors offering RaaS (Ransomware as a Service) we are bound to see, and have been seeing for the past years, more and more organizations fall victim to such attacks. Organizations, whether they are large financial institutions, academic institutes, local businesses, or a home-office one-person operation, must realize these attacks are conducted as a multiple-stage attack and fight back using holistic systems that can identify the threat at multiple stages of its lifecycle.”
The Netherlands sees rise in stalkerware.
Dutch consumer television program Kassa says that several thousand people used stalkerware last year to track the movements of individuals including children and ex-partners. NL Times explains that while such tools are often marketed as parental control software, they can easily be abused to monitor other individuals, and can pose a threat to safety even when used to track offspring. Kassa says that several of the largest security companies in the Netherlands have all seen a recent increase in stalkerware usage, particularly during the pandemic. Bitdefender, for example, detected 2,657 infected devices in 2022, a 260% increase over 2021, and there’s no telling how often stalkerware goes undetected. Domestic abuse cybersecurity expert SafetyNed is calling for protections to ensure that victims of domestic violence are not unwittingly tracked by their abusers.