At a glance.
- Data corruption incident affects New Hampshire medical center.
- Atlassian discloses data breach.
- PayPal impersonation scam seeks personal information.
Data corruption incident affects New Hampshire medical center.
Health IT Security reported yesterday that healthcare practice Wentworth Health Partners Garrison Women’s Health (GWH) saw a data breach in December of last year. The breach corrupted some patient information, rendering that data unrecoverable. The breach followed a December 12 outage of third-party technology service provider Global Network Systems, which manages the practice’s IT infrastructure and applications. In a notice to patients, the center notes the possibility of an unauthorized party accessing some of the facility’s data between April 29 and December 12. “In response, steps were quickly taken to explore alternative data back-up sources and restoration methods,” the notice read. “GWH’s access to certain information, such as in specific radiology and ultrasound applications, was eventually restored and completed. During January 2-9, 2023, the GWH electronic medical record system was restored through backups which included earlier data through April 28, 2022.” The corrupted data included a variety of patient information: medical history, genetic information, medical record numbers, procedures and lab results, claims and insurance information, and scheduling for upcoming appointments.
Atlassian discloses data breach.
In what appears to be a case of stolen credentials, Atlassian says that unauthorized parties obtained access to sensitive corporate information, including employee records. CyberScoop reports that the SiegedSec criminal group claims it's begun leaking the stolen data. "We are leaking thousands of employee records as well as a few building floorplans," the gang woofed earlier this week. "These employee records contain email addresses, phone numbers, names, and lots more~!" According to BleepingComputer, the criminals obtained the data via Envoy, a third-party app Atlassian uses to manage its offices. Neither Envoy nor Atlassian was "hacked," in the sense of having malware deployed against them or of having their systems compromised by attackers using technical means. Rather, it appears that an Atlassian employee's Envoy credentials were obtained and then used to access the app. Atlassian and Envoy are cooperating on their response to the incident.
Oz Alashe MBE, CEO of CybSafe, points out the difficulties involved in closing off the kind of access used in this attack. "While the details are still unclear, this particular breach highlights the various ways malicious actors can gain access to sensitive information. Considering the data accessed, Atlassian workers will be an important line of defense in preventing further breaches. They will need to be aware of the ways cyber criminals can use their credentials to gain further access to sensitive information," Alashe said, adding observations about recent US standards:
"Recently, the government extended the NIST Directive regulations to include MSPs, but legislation can only go so far. Similarly, awareness, while important, does very little in isolation to tangibly impact the behaviors that lead to vulnerabilities. To tackle this problem, we should be aiming to influence culture and behavior. The frequency of cyber-attacks is rising, using tried and tested methods. Organizations, therefore, need to do more to stress the importance of cyber security as a core value across all platforms and partnerships. Businesses will be more secure by moving beyond compliance, towards proactive efforts to target and improve specific security behaviors."
Lorri Janssen-Anessi, Director External Cyber Assessments at BlueVoyant, calls attention to the dimension of third-party risk exposed in the incident.
"The reported Atlassian breach due to a third party is yet another reminder for organizations to look at their own vendor and supplier cybersecurity. Many organizations have recently been breached due to an issue with a third party," Janssen-Anessi wrote. "Atlassian says customer and product data was not at risk. However, other sensitive data, including floor plans for offices in San Francisco and Sydney, and employee data were reportedly leaked." The supply chain is an increasingly important segment of any organization's attack surface:
"Supply chain breaches like this are becoming more common. According to a recent survey of c-level executives, 98% say their organization has been negatively impacted by a breach in their supply chain. Digital supply chains are made of vendors, suppliers, and other third parties with network access. Forty percent of those surveyed said they wouldn’t know if a vulnerability arose with a third party, showing the challenge of monitoring this risk. As organizations’ own internal cybersecurity becomes stronger, a third party may have weaker security.
"To monitor supply chain security, organizations should be continuously monitoring their third parties and working closely with them to quickly remediate any issues. Many organizations instead use questionnaires to monitor their vendors but this only gives a point-in-time view.
"Organizations need to also closely monitor how quickly their vendors patch. For example, in June, Atlassian announced an active vulnerability present in its Confluence Data Center and Server. The company had a release available the next day. According to BlueVoyant’s threat intelligence, after the June 3 Confluence fix was announced, about 30% of vulnerable organizations patched within the first 10 days. However, the patch rate plateaued the following week. That means 70% of vulnerable Confluence instances remained exposed, a major risk for those organizations. Cyber criminals are learning to exploit vulnerabilities like this faster, so time unpatched is risky."
PayPal impersonation scam seeks personal information.
A new phishing campaign is targeting PayPal users with claims that the users need to call a phone number in order to avoid being charged $700, according to Jeremy Fuchs at Avanan. After calling the number, the victim will be inveigled into providing personal information to the scammers. It's a progressive scam that proceeds in stages. At a bare minimum, if you call the scammers, they'll have your phone number, which they can go on to use in other capers.
We heard from industry about the implications of this sort of social engineering. Chris Clements, VP of solutions architecture at Cerberus Sentinel, explained that scams of this sort tend to bypass technical filters. “Cybercriminals leveraging legitimate platforms for their campaigns is an easy way for them to bypass email or web filters that they would otherwise have to put in a good bit of work to evade," Clements wrote. "We’ve seen it in many forms such as hosting malware in storage platforms like Google Drive, sending phishing messages through compromised personal and business emails, as well as abusing “contact us” web forms. Similar to this PayPal campaign, the advantage is twofold. First, these platforms are often inherently trusted by spam and web filters and sail right through to the targeted users. Second, users themselves also tend to feel the messages are more legitimate as they come from otherwise trusted sources and things like domain names match what they expect as opposed to ad-hoc ones like IT_Support.TotallyNotaScam.com they may have been trained to spot as fraudulent."
It's unlikely that criminals will abandon this kind of technique. It has low barriers to entry, and even in its more primitive forms (Avanan noted in their research that the emails were frequently marred by grammatical and usage errors, for example) someone somewhere will fall for it. Clements sees a responsibility on the part of platforms to seek ways of limiting this kind of fraud. “These platforms need to take a harder look at how they may be abused by cybercriminals and implement controls and monitoring to be able to prevent and quickly respond to being used as a proxy for an attack," Clements said. "Still, it’s an unfortunate reality that this form of attack will continue, meaning users need to be aware that they may be targeted by cybercriminals leveraging well-known services or platforms. It’s becoming increasingly difficult for the average user to wade through the many different layers of misdirection and obfuscation employed by modern cybercriminals, but a reliable way of protecting yourself is to validate any inbound request you receive, whether via email, text message, or phone call, by independently confirming its legitimacy using a trusted path, such as looking up a person or company’s phone number and calling it directly rather than attempting to contact them through any website or phone numbers provided in a suspicious inbound request.”
Javvad Malik, lead awareness advocate at KnowBe4, placed the incident in the larger context of social engineering. “This is another example of criminals using social engineering tactics to try and phish users out of their hard-earned cash. It's why it's important for timely and relevant security awareness training to be provided, so that people can be better-placed to identify and report any suspected phishing attacks. In this case, we can see a couple of red flags," Malik wrote. "Firstly, the spelling and grammar are a giveaway as to the communication not being legitimate. Secondly, the criminals are using an emotional hook of scaring victims in order to have them pay quickly to avoid a hefty fine or worse." And emotions, whether positive or negative, are exploited by social engineers to induce people to give up their information. "Emotional hooks are extremely common. Some of the most common ones seen are based on fear (you will be fined), greed (you've won money), or love (romance scams). People should be mindful of these and when in doubt, reach out to the company involved directly through a known or trusted route.”
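The Clements and Malik comments above make the same defender's point from two angles: a message sent through a legitimate platform passes sender and domain checks, so the signal has to come from its content (a phone number to call, a dollar amount, and pressure to act quickly). The following is an added example, not code from the article or from any vendor quoted in it, of a content-only triage check for that callback pattern; the two sample messages, the indicator regexes and the review threshold are all constructed here.

```python
import re

# Constructed sample messages modelled on the pattern described above: both
# arrive from the real platform's domain, so sender checks alone cannot
# separate them. Only the first pushes the recipient to phone a number.
SAMPLES = [
    {"from": "service@paypal.com",
     "subject": "Invoice: action required",
     "body": "You have been charged $700.00 for an annual plan. If you did not "
             "authorise this, call +1-800-555-0199 within 24 hours to cancel."},
    {"from": "service@paypal.com",
     "subject": "You sent a payment",
     "body": "You sent $12.50 to Example Shop. View details in your account."},
]

# Indicator patterns (constructed; tune to your own mail stream).
PHONE_RE = re.compile(r"(?:\+?\d[\d\-\s().]{7,}\d)")
AMOUNT_RE = re.compile(r"[$€£]\s?\d[\d,]*(?:\.\d{2})?")
CALL_RE = re.compile(r"\b(call|phone|dial|contact us at)\b", re.I)
URGENCY_RE = re.compile(r"\b(within \d+ hours|immediately|today|now|cancel|refund)\b", re.I)


def callback_phish_score(msg):
    """Return a 0-4 score plus the indicators matched for one message.

    The sender domain is deliberately not an indicator: these messages are
    relayed by the genuine platform, so only the call-to-action content is
    scored (phone number present, request to call, money amount, urgency).
    """
    text = f"{msg['subject']}\n{msg['body']}"
    indicators = {
        "phone_number": bool(PHONE_RE.search(text)),
        "asks_to_call": bool(CALL_RE.search(text)),
        "money_amount": bool(AMOUNT_RE.search(text)),
        "urgency": bool(URGENCY_RE.search(text)),
    }
    return sum(indicators.values()), indicators


def flag_callback_phish(msg, threshold=3):
    """True when enough indicators co-occur to route the message for review."""
    score, _ = callback_phish_score(msg)
    return score >= threshold


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["subject"], callback_phish_score(sample), flag_callback_phish(sample))
```

A genuine payment notice normally carries an amount but neither a phone number nor a demand to call, so the threshold of three co-occurring indicators keeps the check from flagging routine receipts.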