At a glance.
- Inadvertent data exposure at Kroger’s prescription services arm.
- iD Tech’s breach response leads to unhappy campers.
- Details sparse about cyberincident at British healthcare trust.
- Phishing expedition abuses trusted services.
- Cl0p goes everywhere exploiting GoAnywhere.
Inadvertent data exposure at Kroger’s prescription services arm.
Postal Prescription Services (PPS), which provides the mail-order pharmacy services for grocery giant Kroger, suffered a breach that exposed the data of over 82,000 customers. PPS says the breach was the result of an internal error that led to patient names and email addresses, which had been used to create Kroger online customer accounts, being improperly shared. Although details about the error have not been disclosed, PPS stated that the incident was “not caused by or related to a security incident.” Health IT Security adds that PPS is updating its website to correct the issue, and Kroger is reviewing its data handling practices to prevent such a mistake from happening again.
iD Tech’s breach response leads to unhappy campers.
In February a user on a hacker forum claimed he had attacked the networks of iD Tech, a children’s coding camp based in the US state of California, in January and made off with the data of nearly one million campers. However, a month later, the camp has yet to publicly disclose the incident, leaving parents scratching their heads about what might have happened. The hackers say the stolen data include names, dates of birth, plaintext passwords, and approximately 415,000 unique email addresses. Parents only learned of the event when data breach notification services like Have I Been Pwned, or device security software vendors, notified the impacted families. One parent told TechCrunch that when they reached out to iD Tech to ask about the incident, the company claimed it had already contacted the holders of the compromised accounts. However, there’s no evidence of this, and iD Tech has neglected to disclose the breach on its website or social media channels. When contacted, CEO Pete Ingram-Cauchi declined to provide a copy of the notification letter that was allegedly sent to parents and would not say whether the incident had been reported to the government offices stipulated in breach notification laws.
Details sparse about cyberincident at British healthcare trust.
The Record by Recorded Future reports that England’s Walsall Healthcare NHS Trust, overseer of Walsall Manor Hospital, has disclosed that it suffered a cyberincident. Describing the breach as “contained,” Walsall notified the public of the breach yesterday, although the Trust’s IT staff have been responding to the incident since March 10. They have not shared details about the nature of the incident, but the hospital is reportedly working with the UK National Cyber Security Centre and the Information Commissioner’s Office (ICO). The breach comes on the heels of the publication of Britain’s new cybersecurity strategy for the National Health Service, as hospitals and other medical institutions, both inside and outside the UK, have been increasingly targeted by cybercriminals. While confirming the incident at Walsall, an ICO spokesperson stated, “When a data incident occurs, we would expect an organization to consider whether it is appropriate to contact those affected, and to consider whether there are steps that can be taken to protect them from any potential adverse effects.”
Phishing expedition abuses trusted services.
Kaspersky reports that SharePoint servers are being abused to send bogus, and malicious, notifications. The scam takes advantage of a trusted business service that people use routinely, and whose alerts they're accustomed to responding to.
Erich Kron, security awareness advocate at KnowBe4, summed it up as "a clever way to use legitimate services for illegitimate purposes." He explained, "By using a well-known, trusted, and legitimate service to send the notifications, the bad actors are able to fool potential victims into following a chain of events that eventually ends with them giving up their credentials and most likely account access. Notifications like this, especially for organizations that use SharePoint often, are going to blend in with the typical day-to-day e-mail and business traffic, making people much more likely to trust the email and follow its instructions." This is the sort of risk against which education can be effective. Kron added, "It is critical for organizations to educate their employees on how to spot fake login pages, and what to watch out for when opening documents or following links. Because email phishing is still one of the biggest threats organizations face when it comes to initial network access and malware distribution, wise organizations ensure they have a robust educational program for their users, and have processes in place to quickly report any accidental clicks or other potentially dangerous actions."
Roger Grimes, data-driven defense evangelist, also at KnowBe4, says that, really, there's nothing new about this kind of approach. "Bogus file-sharing requests have been around for decades, even bogus SharePoint file-sharing requests," he said. "I was covering this type of threat back in 2003 when I was writing up the first official Microsoft course on SharePoint security back in the very early days of SharePoint. SharePoint file-sharing phishing campaigns come and go. You think they are gone forever, but then they rear their ugly head again. And it will be that way until Microsoft SharePoint goes away into the dustbin of malware history like DOS boot viruses." And he too advocates training as the remedy. "The only defense that will work is AGGRESSIVELY educating your employees about these types of attacks. Really, any unexpected message, no matter how it arrives (e.g., email, web, SMS, chat app, social media, phone call, in-person, etc.), that is asking you to do something new for that requestor (whether you think you know them or not, whether it's coming from a legitimate email address/phone number/etc. or not), should be verified using an alternate, 'out-of-band' method before performing the request action. You need to teach everyone to have a healthy level of skepticism for any new request and create a culture where new requests that could possibly harm the potential victim or their organization are verified before performing."
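Education is the remedy both experts recommend, but a mail-triage step can also surface the notifications that deserve a second look before a user acts on them. The following is an added example, not code from the article, Kaspersky, or KnowBe4: it inspects a "shared with you" notification and sorts every link it carries by whether the link stays inside the organisation's own SharePoint tenant, points at some other tenant on Microsoft's legitimate sharing domains (the case the article describes), merely imitates a Microsoft brand on an unrelated domain, or goes somewhere else entirely. The tenant hosts (contoso.sharepoint.com, contoso-my.sharepoint.com) and the sample messages are constructed placeholders.

```python
"""Triage helper for file-sharing notification e-mails (added example, assumptions labelled)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumption: the organisation's own SharePoint/OneDrive hosts (constructed placeholders).
OWN_TENANT_HOSTS = {"contoso.sharepoint.com", "contoso-my.sharepoint.com"}

# Domains Microsoft itself uses for sharing links. A link here that is NOT our tenant
# means someone else's tenant shared the file: legitimate service, unknown sender.
MICROSOFT_SUFFIXES = (".sharepoint.com", ".onedrive.com", ".microsoft.com", ".office.com")

# Brand words that, on any other domain, suggest a look-alike login page.
BRAND_WORDS = ("sharepoint", "onedrive", "microsoft", "office365")

# Heuristic for the subject line of a sharing notification.
SHARE_SUBJECT = re.compile(r"\bshared\b.*\bwith you\b", re.IGNORECASE)
URL_RE = re.compile(r"""https?://[^\s<>"')]+""")


@dataclass
class Verdict:
    is_share_notification: bool
    own_tenant: list = field(default_factory=list)
    other_tenant: list = field(default_factory=list)
    lookalike: list = field(default_factory=list)
    unrelated: list = field(default_factory=list)

    @property
    def needs_review(self) -> bool:
        # A sharing notice whose links leave our own tenant gets routed to a human
        # (or to the out-of-band verification the article recommends).
        return self.is_share_notification and bool(
            self.other_tenant or self.lookalike or self.unrelated
        )


def classify_host(host: str) -> str:
    """Return the Verdict bucket name for one link host."""
    host = host.lower().rstrip(".")
    if host in OWN_TENANT_HOSTS:
        return "own_tenant"
    if host.endswith(MICROSOFT_SUFFIXES):
        return "other_tenant"
    if any(word in host for word in BRAND_WORDS):
        return "lookalike"
    return "unrelated"


def triage(subject: str, body: str) -> Verdict:
    """Bucket every URL in the body; the verdict says whether a human should look."""
    verdict = Verdict(is_share_notification=bool(SHARE_SUBJECT.search(subject)))
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        getattr(verdict, classify_host(host)).append(url)
    return verdict


# Constructed sample notifications (not real messages).
SAMPLES = {
    "internal": ("Alice shared 'Q3 budget.xlsx' with you",
                 "Open: https://contoso.sharepoint.com/:x:/s/finance/abc123"),
    "external_tenant": ("Invoice shared with you",
                        "View: https://notcontoso.sharepoint.com/:b:/g/personal/x/inv.pdf"),
    "lookalike": ("Document shared with you",
                  "Review here: https://sharepoint-login.example.net/auth"),
    "not_a_share": ("Lunch menu",
                    "This week's menu: https://intranet.example.net/menu"),
}

if __name__ == "__main__":
    for name, (subject, body) in SAMPLES.items():
        v = triage(subject, body)
        print(f"{name:16s} review={v.needs_review} other_tenant={v.other_tenant} "
              f"lookalike={v.lookalike} unrelated={v.unrelated}")
```

The buckets map directly onto what a reviewer needs to decide: a link into another tenant is the article's scenario and should be verified with the supposed sender out of band, a look-alike host is a candidate credential-harvesting page, and an internal link needs no escalation. Hostname matching is intentionally conservative; a real deployment would also resolve shortened links and check the sending tenant identity in the message headers.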
Cl0p goes everywhere exploiting GoAnywhere.
Another trusted service is being abused by Cl0p. A ransomware campaign in which the Cl0p gang has exploited Fortra’s GoAnywhere managed file transfer (MFT) tool has compromised data at a wide range of victims. Major financing firms, energy companies, and even governments worldwide have seen breaches due to the gang’s exploitation of the zero-day vulnerability.
Bart McDonough, CEO of cybersecurity company Agio, blogged about the attacks. The remote code execution vulnerability in the MFT software, now tracked as CVE-2023-0669, was first reported by Krebs on Security on February 2. Fixes for the vulnerability followed on the seventh; however, it was already too late by that point, as data had been stolen.
Many organizations have come forward revealing that they were victimized in this series of breaches. The Record reports that the government of the city of Toronto, Canada, and Virgin Red, the rewards club of British conglomerate Virgin UK, both experienced data exposure. Bleeping Computer wrote Thursday that another British organization, the United Kingdom’s Pension Protection Fund, was impacted by the zero-day. Several victims were located in Canada, with the Financial Post reporting yesterday that Canadian movie chain Cineplex Inc. said that it was hit in the attacks, and SC Magazine also confirming that major Canadian financing firm Investissement Québec was impacted. Procter & Gamble was added to the gang’s leak site, and Saks Fifth Avenue confirmed an attack, according to TechTarget. These join previously disclosed incidents at Hitachi Energy and Rio Tinto. For more on Cl0p's recent activity, see CyberWire Pro.