At a glance.
- Ring customers targeted in phishing campaign.
- DC Health Link breach compromises US Congress members and staffers' data.
- DDoSecrets spills damaging details about Oakland police force.
Ring customers targeted in phishing campaign.
INKY warns that a phishing campaign is targeting users of the Ring video security system. The scammers are sending very brief phishing emails instructing recipients to open the attached HTML file in order to update their membership. Because the attachment is rendered from the victim's own disk rather than fetched from a URL, the lure page never passes through the URL-reputation and link-scanning filters that only inspect the message body, which helps the attackers avoid detection. The HTML file contains a link to a phishing site that spoofs Ring's login page and is designed to harvest the victim's credentials, credit card information, and Social Security number. After entering their information, the victim is redirected to Ring's legitimate website.
INKY notes that users should instantly be wary of the phishing page, since it asks for their social security number. “After completing the login process, customers are presented with a form to update credit card information,” INKY says. “The form also asks for a social security number, which is suspicious considering vendors rarely ask for your social security number and hardly ever along with credit card information.”
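Because the malicious page arrives as an attachment, the place to catch this campaign is the attachment itself rather than the links in the message body. The script below, an added example that is not INKY's or Ring's code, parses a raw email, finds HTML attachments, extracts every link target, form action, and meta-refresh redirect from them, and flags any that do not resolve to an allow-listed domain. The sample message, the allow-list, and the `ring-account-verify.example` hostname are constructed for illustration and are not taken from the campaign.

```python
"""Triage an email for the HTML-attachment phishing pattern: a locally rendered
attachment whose links or form actions lead to a lookalike domain.

Added example. The sample message and domain allow-list are constructed for
illustration; nothing here is taken from the real campaign."""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the vendor legitimately uses. Extend for your own tenant.
LEGIT_DOMAINS = {"ring.com", "amazon.com"}
BRAND_TOKENS = {"ring", "amazon"}


class LinkExtractor(HTMLParser):
    """Collect every place an HTML attachment can send the victim: anchors,
    form submission targets, and meta-refresh redirects."""

    def __init__(self):
        super().__init__()
        self.targets = []  # list of (kind, url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a" and a.get("href"):
            self.targets.append(("href", a["href"]))
        elif tag == "form" and a.get("action"):
            self.targets.append(("form-action", a["action"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            content = a.get("content", "")
            if "url=" in content.lower():
                self.targets.append(("meta-refresh", content.split("=", 1)[1].strip()))


def registrable_domain(url: str) -> str:
    """Last two labels of the hostname (good enough for .com-style TLDs)."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def triage_message(raw: bytes) -> dict:
    """Return HTML attachment names, off-brand targets, and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"html_attachments": [], "suspicious_targets": [], "verdict": "clean"}
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if part.get_content_type() != "text/html" and not fname.lower().endswith((".htm", ".html")):
            continue
        html = part.get_content()
        if isinstance(html, bytes):  # octet-stream attachments come back raw
            html = html.decode("utf-8", "replace")
        findings["html_attachments"].append(fname)
        extractor = LinkExtractor()
        extractor.feed(html)
        for kind, url in extractor.targets:
            domain = registrable_domain(url)
            if domain in LEGIT_DOMAINS:
                continue
            host = (urlparse(url).hostname or "").lower()
            # Brand string inside an unlisted hostname is the classic lookalike tell.
            lookalike = any(tok in host for tok in BRAND_TOKENS)
            findings["suspicious_targets"].append((fname, kind, url, lookalike))
    if findings["suspicious_targets"]:
        findings["verdict"] = "phish"
    elif findings["html_attachments"]:
        findings["verdict"] = "review"  # HTML attachment with no off-brand target still deserves a look
    return findings


def build_sample() -> bytes:
    """Constructed lure modelled on the campaign described above; not a real message."""
    msg = EmailMessage()
    msg["From"] = "support@ring-membership-update.example"  # hypothetical sender
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Your Ring membership will expire"
    msg.set_content("Please open the attached file to update your membership.")
    lure = (
        '<html><body><p>Update your Ring account</p>'
        '<a href="https://ring-account-verify.example/login">Update now</a>'
        '<form action="https://ring-account-verify.example/submit" method="post">'
        '<input name="ssn"><input name="card"></form>'
        '<a href="https://ring.com/">Ring</a></body></html>'
    )
    msg.add_attachment(lure, subtype="html", filename="Update_Membership.html")
    return msg.as_bytes()


if __name__ == "__main__":
    result = triage_message(build_sample())
    print(result["verdict"], result["html_attachments"])
    for fname, kind, url, lookalike in result["suspicious_targets"]:
        print(f"  {fname}: {kind} -> {url}" + ("  [brand lookalike]" if lookalike else ""))
```

Run it on a mail-gateway quarantine folder by feeding each `.eml` to `triage_message`; the `review` verdict is there because an HTML attachment that only links to the genuine domain can still carry a form that posts credentials via script, which a static link scan will not see.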
(Added, 6:45 PM ET, March 14th, 2023. Jon Miller, CEO & Co-founder of the Halcyon ransomware resilience platform, wrote to connect the attack to the ALPHV/BlackCat ransomware group:
"This is the unfortunate reality of our permanently online and connected modern world. As more consumer devices are connected to the internet, we open ourselves up to the possibility that the data they collect will be exposed, held hostage, or used for malicious purposes. Theft of sensitive data prior to delivery of the actual ransomware payload is a favored tactic for most ransomware operators. It was only a matter of time before consumer privacy became yet another casualty of the ransomware epidemic.
"If these early reports of BlackCat/ALPHV's attack on Ring are accurate, we can assume that the group has already exfiltrated a significant amount of sensitive data, which they will likely leverage to compel payment when they make their ransom demand. This could include data that was stored in the cloud. BlackCat/ALPHV is known to post stolen data to leak websites on the public web as opposed to the dark web like other groups, so any leaked personally identifiable information would be greatly exposed. BlackCat/ALPHV is one of the more active RaaS platforms - they demanded millions of dollars over the course of 2022. But even if Ring is ready and able to respond to the ransomware attack, they will still have to contend with possibly paying BlackCat/ALPHV to prevent further data exposure, and even then, there is no guarantee the attackers will honor their end of the agreement.")
Data breach exposes legislators', staffers' personal data.
The Washington Examiner reports that DC Health Link, the health insurance marketplace for the District of Columbia, has suffered a breach that exposed personal data belonging to lawmakers and staff in both chambers of the US Congress. House Chief Administrative Officer (CAO) Catherine Szpindor sent an email to members stating, "Speaker McCarthy and Democratic Leader Jeffries have formally requested additional information from DC Health Link on what data was taken, who was impacted and what steps they are taking — including providing monitoring protections — to protect House victims of this breach." A similar message was sent to members of the Senate, and all staffers and members have been advised to freeze their credit as a precaution. The cause of the breach has not been disclosed, but the Federal Bureau of Investigation (FBI) is conducting an investigation.
The exact number of impacted individuals has not yet been determined, but the FBI estimates it’s in the hundreds, and House Administration Committee ranking member Joe Morelle described the breach as “extraordinarily large.” Politico adds that House Speaker Kevin McCarthy and House Minority Leader Hakeem Jeffries sent an email in which they noted that the breach could also impact lawmakers’ and staffers’ family members. The House leaders wrote, “Right now, our top priority is protecting the safety and security of anyone in the Capitol Hill community affected by the cyber hack.” A DC Health Link spokesperson has confirmed the breach and says the organization is working with forensic investigators and law enforcement to investigate and identify the impacted parties. The House Administration Committee is also opening an investigation and tweeted that House Administration Committee Chair Bryan Steil “is aware of the breach and is working with the CAO to ensure the vendor takes necessary steps to protect the (personal identifiable information) of any impacted member, staff, and their families.”
We received a number of comments on the incident from industry experts.
Dror Liwer, co-founder of cybersecurity company Coro, points out some of the difficulties in dealing with this kind of threat: “Healthcare records are the most sought after by attackers as they represent the highest profit per record on the dark web. Companies storing such records must employ encryption to ensure that even if a perimeter breach occurs, the data remains safe," Liwer says. "For most organizations, a breach is difficult to identify as cybersecurity products are siloed and don’t talk to each other. This leaves organizations with the need to rely on the cybersecurity team to ingest alerts and extract intelligence from them across domains. It’s an unreasonable expectation, considering that according to our data, healthcare providers are attacked 11.4 times a week per employee (on average).”
Saryu Nayyar, founder and CEO of Gurucul, sees this kind of incident as falling into a gray area where crime can be difficult to distinguish from state action:
"The line between state-sponsored threat actor groups and actual nation state attacks is a gray area. Collecting personal data, especially healthcare information about individuals and their families, can have catastrophic consequences as this data can be easily used for blackmail and extortion of our nation's lawmakers, whether this data is sold to our enemies or directly stolen by them. The results of these attacks can obviously go beyond personal or financial gain against our lawmakers and bleed into how they approach public policy and voting. The government must focus beyond just securing our critical infrastructure or military installations and focus on a widespread policy that leverages the most innovative and advanced technology for monitoring users, systems and data. This includes early warning threat detection, investigation and response systems leveraging identity and behavioral analytics working in conjunction with traditional methods to identify threat actor activity early in the kill chain. Relying on established and cheaper solutions versus more advanced and customizable solutions will continue to hamper our ability to protect our people, resources, businesses and intellectual property."
Avishai Avivi, CISO at SafeBreach, writes that, troubling as the breach may have been, there are grounds to think it might not have been as bad as it could have been:
“Based on the data that was provided I can say that I’m cautiously optimistic that this breach is not as bad as it could have been. According to the notice from the CAO, the Personally Identifiable Information (PII) that was exposed: '…included the full names, date of enrollment, relationship (self, spouse, child), and email address, but no other Personally Identifiable Information (PII).'
"Considering this was a health exchange, the data exposed could have easily included Protected Health Information (PHI). While malicious actors can try and use the data included in the breach to attempt further breaches, the PII elements in question are not too dangerous. To those of us who remember the days before the internet exploded, phone companies used to distribute free books with thousands of PII records including full names, physical address, and phone numbers.
"This is not meant to diminish the severity of this breach, and until we understand more about the full scope of the incident, I would recommend all potential victims of this breach raise their level of awareness to unusual or suspicious messaging. One example would be unsolicited phone calls or emails from someone claiming to represent DC health, looking to verify information, or even trying to prompt the individual to log in using a link provided to change their password. These should be considered highly suspicious, and should be reported to the authorities.”
Liat Hayun, CEO of Eureka Security, discusses the various forms the value of data can assume. "From hacktivism to monetization and fraudulent activities, one thing is clear: data is valuable and hackers want it," Hayun writes. "Some bad actors use hacking as a form of protest, retrieving sensitive information for political or social purposes as vigilantes. These specific types of hackers are intent on maximizing their crusade's media exposure and drawing attention to organizations they believe cause harm. Common motivations include revenge, political or social incentives, ideology, protest, a desire to embarrass certain organizations or individuals within those organizations, company rivalry or vandalism."
Eric O’Neill, National Security Strategist at VMware, wrote to explain the espionage value of personally identifiable information. “While the nature of the attacker and the extent of the stolen personal information from DC Health Link (the Affordable Care Act online marketplace that caters to members of Congress and Capitol Hill staff) is not known, even general personally identifiable information can be used by spies to create disinformation campaigns that can undermine public trust, create chaos, and promote their own interests," O'Neill said. "Criminal attackers typically sell stolen personally identifiable information on Dark Web marketplaces." He added, "Valuable public official information like that which was stolen in the DC Health Link breach is a goldmine for espionage threat actors. That information may be used to create fake social media profiles or news articles that appear to be from legitimate sources. They can then use these profiles to spread false information or amplify existing rumors to sway public opinion. Both criminals and spies frequently use stolen personally identifiable information to conduct spear-phishing email attacks, using personal information to craft targeted emails that appear to be from a trusted source that leads to further breaches or theft of information.”
Darren James, Senior Product Manager at Specops Software, also wrote to point out what made this information in particular a high-value target. “The sensitivity of data and the high-stakes pressure make any healthcare organization a high-value target for cyber criminals," James said. "The fact that DC Health Link is handling Personally Identifiable Information (PII) for members of Congress will raise awareness of the importance of reviewing cyber security policies for your own organization, as well as suppliers. User access safeguards are usually protecting PII, so securing complex enterprise systems requires a dynamic multifaceted approach. Ensure you require both strong passwords and multi-factor authentication to access critical systems, ensure all systems are regularly patched against known vulnerabilities, offer training for all users to help them quickly identify and report irregular behavior, and test your backups and business continuity plans so that you can be sure you are ready when needed.”
Nick Tausek, Lead Security Automation Architect at Swimlane, hopes, among other things, that no one's considering paying the ransom in this case.
"DC Health Link, the organization that manages healthcare plans of U.S. House members, has recently disclosed a data breach that exposed the personally identifiable information (PII) of thousands of patients. The Federal Bureau of Investigation (FBI) has been pulled in to investigate the breach of unknown size or scope that has resulted in stolen data up for sale online. Although no hacking group has yet claimed the attack, notorious threat actor IntelBroker is selling the stolen information on a hacking forum.
"It goes without saying that government officials are extremely hot targets for cybercriminals given their status, power, and the level of chaos that can ensue when these officials’ personal information is released to the public. IntelBroker is already requesting payment in the form of cryptocurrency in exchange for the stolen information, so it is likely that this breach could turn into a ransom situation, with the government facing great pressure to resolve the situation given the level of confidentiality that comes along with the officials targeted. In the event that this does become a ransom situation, however, the federal government should abide by its own advice and not pay the ransom: after all, paying the ransom does nothing to ensure that the data is not still sold, or utilized as leverage in a multiple-extortion campaign.
"To better defend against similar cyber incidents, it is essential that organizations adopt systemwide low-code security automation that enables them to leverage streamlined detection and implement proper incident response to ensure first-rate protection free of human error. By adopting low-code security automation tools, companies can achieve a cohesive protection strategy that prevents threat actors from accessing sensitive data."
Lior Yaari, CEO and co-founder of Grip Security, wrote to say that it's now time to play defense: the information is already out. “Once your personal information gets out, there’s little you can really do except to play defense," Yaari said. "The people affected should take measures to protect their personal identities. What’s troubling is that the cause or method of data exfiltration is unknown, so this breach could be even larger than what has been reported up to now. Once hackers infiltrate an organization, they usually steal as much data as possible and even try to move laterally to expand their access to other groups, functions or related organizations. The fact the data is now for sale probably means that the hackers got everything they could and they have probably moved on to their next target.”
DDoSecrets spills personal information about Oakland’s police force.
Non-profit whistleblower site Distributed Denial of Secrets (DDoSecrets) has obtained and published 11.7 gigabytes of data stolen by the Play ransomware group in a recent attack on California’s Oakland City Council. CyberSecurity Connect reports that the data includes personal information on city employees, including Oakland mayor Sheng Thao, as well as city bank account information and details of police operations. Play had been in communication with the council to negotiate a ransom since February, but when the council declined to meet the cybercriminals’ demands, Play published the data on the dark web and turned it over to DDoSecrets. The whistleblower group says the data reveals controversial information about the Oakland Police Department, which for the last twenty years has been under federal oversight due to a history of police abuses. DDoSecrets said in an announcement, “DDoSecrets reviewed some of the files and has confirmed officer disciplinary records including for supervisors that failed to intervene and report misconduct. We are also able to confirm the files include information on misconduct allegations against high-ranking police officers, and documents about internal affairs investigations.”