Archive for November 3, 2023

4.1 million Mortgage Holders Are Unable To Make Payments After Cyber Attack 

Posted in Commentary with tags on November 3, 2023 by itnerd

Yesterday, the nation’s largest servicer of mortgages, Mr. Cooper, posted a notice of a cyberattack that forced the company to shut down IT systems, including customers’ access to its online payment portal.

Wednesday, customers attempting to log in to Mr. Cooper’s website to pay their mortgages or loans were instead greeted with a message stating that the company was suffering a technical outage.

The company stated that it discovered the cybersecurity incident on October 31st in which an unauthorized third party gained access to “certain technology systems”.

Customers will be unable to make mortgage payments while the systems are down, but the company says they will not be charged fees or penalties, or be subject to negative credit reporting, for late payments while it restores systems.

It is unclear whether customer data was stolen but Mr. Cooper said it will notify impacted customers if any was exposed during the attack.

Emily Phelps, Director, Cyware had this comment:
   “Cyberattacks against critical financial infrastructure, like that experienced by Mr. Cooper, underscore the importance of robust cybersecurity measures and constant vigilance. While it’s reassuring to know customers won’t face financial repercussions for late payments due to the outage, the potential exposure of customer data remains a significant concern. Continuous monitoring, timely alerts, and an educated customer base are crucial components in the fight against such threats.”

This attack illustrates what can happen when an attack hits crucial infrastructure: 4.1 million customers lost the ability to pay their mortgages because a single payment portal went dark. That makes defending against attacks a today problem that everybody needs to take seriously.

Healthcare Giant Henry Schein Pwned TWICE By BlackCat

Posted in Commentary with tags on November 3, 2023 by itnerd

Healthcare giant Henry Schein was hit by the BlackCat (ALPHV) ransomware group last month, when the group infiltrated its network. The group claimed to have exfiltrated 35TB of data, including payroll and shareholder information. Henry Schein, a Fortune 500 company operating across 32 countries, reported annual revenue exceeding $12 billion in 2022.

Henry Schein acknowledged that the breach occurred on October 15 and that it was forced to shut down systems to contain the cyberattack, which affected its manufacturing and distribution businesses.

The company immediately informed law enforcement and engaged external cybersecurity and forensics experts to investigate the incident, suspecting a potential data breach.

However, two weeks later, when the company had its network almost back to normal, BlackCat/ALPHV added Henry Schein to its dark web leak site, claiming to have penetrated the company’s network and taken 35 terabytes of data. The group also claimed to have re-encrypted the company’s systems, undoing the progress made during restoration, saying the company was not negotiating in good faith. Henry Schein was removed from the BlackCat site shortly thereafter, which suggests that the two sides came to terms.

Steve Hahn, Executive VP, BullWall:

“Two things are really striking to me:

   “First, that a Fortune 500 company, with the most targeted data on earth (healthcare records), couldn’t stop a ransomware attack despite having the funds to utilize every best-of-breed security tool on earth. They no doubt had the best in next-gen EDRs, gateways, firewalls, SIEMs and orchestration tools, yet all the prevention in the world won’t stop a persistent modern-day threat actor. All they need is one foothold: a shadow IT device somebody forgot to decommission that hasn’t been patched or managed, an IoT device, a malicious or incompetent user, even a compromised personal device from an employee who accesses the company network. Once they have that foothold they use red team tools like Mimikatz or Cobalt Strike to extract admin passwords, and with those, every security tool in the environment can be bypassed or disabled. Prevention doesn’t work if it’s not running.

   “Second, they were hit twice. This isn’t commonly known, but 86% of companies hit by ransomware will be hit again within the next year. Why? Once the threat actor has gained access and maintained persistence, they spin up VMs, user accounts, embed malicious macros in internal documents, whitelist applications and hide hundreds of other second-stage attacks throughout the environment. We see this exact scenario play out hundreds of times per year at some of the most advanced companies on earth.

   “The net here is we are living in a “when” not “if” world of ransomware. You have to be prepared to contain that ransomware outbreak in milliseconds, because they’ve doubled their encryption speed this year from 25,000 files per minute to 50,000 files per minute. You have to have MFA to every server, every session, to prevent RDP access that can be used to disable your tools, and you have to have a recovery strategy in place for what happens once you’ve been hit. You cannot stop these events, but you can contain them rapidly and minimize the impact.”

Steve Hahn brings up an interesting point. A lot of companies who get pwned get pwned again, because once a threat actor gets in they set up shop and launch second-stage or even third-stage attacks. That should terrify anyone entrusted with keeping the bad guys out. It highlights why the best defence is to not let the bad guys in from the start, and why recovery after an incident has to include finding and removing whatever the attacker left behind (rogue accounts, VMs and the like), not just restoring systems from backup.
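To make Hahn’s point about RDP concrete, here is an added example of my own (not code from the original post, from BullWall, or from the Henry Schein incident) of detection logic a SOC could run over Windows Security events. It flags RemoteInteractive logons (RDP, logon type 10) that did not come from the designated MFA-enforced jump host, and RDP logons preceded by a burst of failures from the same source, which is the pattern of a password being guessed or stuffed before the attacker lands. The key=value record format, the 10.0.5.10 jump-host address, the sample events and the thresholds are all assumptions; event IDs 4624 and 4625 and logon type 10 are the real Windows values.

```python
"""Flag RDP logons that bypass the expected MFA path or follow a failure burst.

Added example, not code from the original post or from BullWall. The record
format below is a constructed key=value rendering of Windows Security events;
the event IDs (4624 success, 4625 failure) and logon type 10 (RemoteInteractive,
i.e. RDP) are the real Windows values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the only host allowed to open RDP sessions to servers is the
# MFA-enforced jump host at this address. Anything else is suspect.
ALLOWED_RDP_SOURCES = {"10.0.5.10"}
FAIL_WINDOW = timedelta(minutes=10)   # look-back for failed logons (assumption)
FAIL_THRESHOLD = 5                    # failures before a success is suspicious

# Constructed sample events (not real logs).
SAMPLE_LOG = """\
time=2023-10-28T01:12:03 event=4625 logon_type=10 user=svc_backup src=203.0.113.7 host=FS01
time=2023-10-28T01:12:09 event=4625 logon_type=10 user=svc_backup src=203.0.113.7 host=FS01
time=2023-10-28T01:12:14 event=4625 logon_type=10 user=svc_backup src=203.0.113.7 host=FS01
time=2023-10-28T01:12:20 event=4625 logon_type=10 user=svc_backup src=203.0.113.7 host=FS01
time=2023-10-28T01:12:25 event=4625 logon_type=10 user=svc_backup src=203.0.113.7 host=FS01
time=2023-10-28T01:12:31 event=4624 logon_type=10 user=svc_backup src=203.0.113.7 host=FS01
time=2023-10-28T09:00:00 event=4624 logon_type=10 user=jdoe src=10.0.5.10 host=FS01
time=2023-10-28T09:05:00 event=4624 logon_type=3 user=jdoe src=10.0.7.22 host=FS01
time=2023-10-28T22:41:10 event=4624 logon_type=10 user=administrator src=10.0.7.99 host=DC01
"""


def parse_record(line):
    """Turn one 'key=value key=value' line into a dict with typed fields."""
    fields = dict(pair.split("=", 1) for pair in line.split())
    fields["time"] = datetime.fromisoformat(fields["time"])
    fields["event"] = int(fields["event"])
    fields["logon_type"] = int(fields["logon_type"])
    return fields


def detect_rdp_anomalies(log_text, allowed_sources=ALLOWED_RDP_SOURCES):
    """Return a list of (alert_type, user, src, host) tuples."""
    records = [parse_record(l) for l in log_text.splitlines() if l.strip()]
    failures = defaultdict(list)  # (src, host) -> timestamps of 4625 events
    alerts = []
    for rec in sorted(records, key=lambda r: r["time"]):
        if rec["logon_type"] != 10:
            continue  # network/service logons are out of scope for this check
        key = (rec["src"], rec["host"])
        if rec["event"] == 4625:
            failures[key].append(rec["time"])
            continue
        if rec["event"] != 4624:
            continue
        # Successful RDP logon: did it come through the MFA-gated jump host?
        if rec["src"] not in allowed_sources:
            alerts.append(("rdp_from_unapproved_source", rec["user"], rec["src"], rec["host"]))
        # Did a burst of failures from the same source precede it?
        recent = [t for t in failures[key] if rec["time"] - t <= FAIL_WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append(("rdp_success_after_failures", rec["user"], rec["src"], rec["host"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_anomalies(SAMPLE_LOG):
        print(*alert)
```

On the constructed sample this raises three alerts: the svc_backup logon from 203.0.113.7 trips both rules, and the administrator logon to DC01 from a workstation that is not the jump host trips the first. The jdoe session through 10.0.5.10 is silent, and the logon type 3 (network) event is ignored because the check is specifically about interactive RDP sessions, the channel Hahn says attackers use to reach the console and switch tools off. In production the records would come from a SIEM query on the real 4624/4625 fields rather than this key=value rendering.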

UPDATE: Craig Harber, Security Evangelist: Open Systems adds this:

   “Ransomware attacks have surged this year. The latest victim is healthcare giant Henry Schein. The ransomware gang BlackCat (ALPHV) claims it stole 35TB of data, including payroll and shareholder information. There are no published details of the steps taken to infiltrate their network.

   “Henry Schein notified law enforcement and hired external cyber forensic experts to assist with the investigation. The company engaged its incident response team to contain the attack; however, based on available reporting, the cybercriminal encrypted the company’s devices and data for a second time before the incident response team restored all its systems. Speculation is this happened because ongoing ransom negotiations were unsuccessful.

   “Ransomware attacks are becoming an all-too-familiar story. Some companies are not making the necessary investments upfront to protect their critical systems and sensitive data. Then, it is a race against the clock for their incident response teams to secure the systems and sensitive information from further attack once a breach occurs.

   “From every indication, Henry Schein paid the ransom because the ransomware group deleted the published data leak site. The decision to pay a ransomware attack is always complex. There are many factors to consider, not the least of which is you are negotiating with a cybercriminal. There is no guarantee that even if you pay the ransom, these cybercriminals will restore systems and return stolen company data. It is best to heed law enforcement advice and not pay because doing so only encourages continued criminal activity.”

28 Countries Agree To Collaborate On ‘Frontier AI’

Posted in Commentary with tags on November 3, 2023 by itnerd

This week, the UK hosted the AI Safety Summit at Bletchley Park, where 28 countries, including the US, the UK, China, six EU member states, Brazil, Nigeria, Israel and Saudi Arabia, signed the Bletchley Declaration, an agreement establishing a shared responsibility for the opportunities and risks of advanced AI and for global action on systems that pose urgent and dangerous risks.

“Many risks arising from AI are inherently international in nature, and so are best addressed through international cooperation,” reads a public statement published by the UK Department for Science, Innovation and Technology. 

The declaration lays out the first two steps of the signatories’ agenda for addressing ‘frontier AI’ risk:

  1. Identify shared concerns for AI safety risks by building a “scientific and evidence-based understanding of the risks, and sustaining that understanding as capabilities continue to increase, in the context of a wider global approach to understanding the impact of AI in our societies.”
  2. Build respective risk-based policies to ensure safety in light of identified risks, collaborating “while recognizing our approaches may differ based on national circumstances and applicable legal frameworks.” This includes: increased transparency by developers, tools for safety testing and evaluation metrics, and developing relevant public sector capabilities and scientific research.  

Ted Miracco, CEO, Approov Mobile Security had this comment:

   “The Bletchley Declaration demonstrates a more proactive approach by governments, signaling a possible lesson learned from past failures to regulate social media giants. By addressing AI risks collectively, nations aim to stay ahead of tech behemoths, recognizing the potential for recklessness. This commitment to collaboration underscores some determination to safeguard the future by shaping responsible AI development and mitigating potential harms.

   “We all certainly harbor doubts regarding the ability of governments and legal systems to match the speed and avarice of the tech industry, but the Bletchley Declaration signifies a crucial departure from the laissez-faire approach witnessed with social media companies. We should applaud the proactive effort of these governments to avoid idle passivity and assertively engage in shaping AI’s trajectory, while prioritizing public safety and responsible governance over unfettered market forces.”

Emily Phelps, Director, Cyware adds this comment:
   “Recognizing that AI-driven risks cross borders, it is imperative for countries to join forces, ensuring that advancements in AI are accompanied by safety measures that protect all societies equally. The focus on a scientific and evidence-based approach to understanding these risks will enhance our collective intelligence and response capabilities. While the nuances of national circumstances will lead to varied approaches, the shared commitment to transparency, rigorous testing, and bolstered public sector capabilities is a reassuring move towards a safer AI-driven future for everyone.”

It’s a good thing, in my mind, that there’s cross-border collaboration on AI, as the potential for it to help mankind is great. But the potential for it to harm mankind is also great. Thus rules, boundaries and limitations need to be wrapped around it so that the latter does not happen.

Bike Parts Company Shimano Pwned In Ransomware Attack

Posted in Commentary with tags on November 3, 2023 by itnerd

Shimano is a company that makes bike parts. In fact, it is the largest bike parts company in the world. I have used its parts on my previous bike as well as my current bike, and many pros use them too. Which means that the news that the company has been pwned in a ransomware attack orchestrated by LockBit will hit home for many:

The notice claims that the group has breached highly sensitive data, including:

  • Employee information, including identification, social security numbers, addresses and passport scans
  • Financial documents, including balance sheets, profit and loss reports, bank statements, various tax forms and reports
  • Client data, including addresses, internal documents, mail correspondence, confidential reports, legal documents and factory inspection results
  • Other documents, including non-disclosure agreements, contracts, confidential diagrams and drawings, development materials and laboratory tests

This is pretty bad for Shimano, and it illustrates how busy LockBit has been; Boeing, for example, was pwned by LockBit recently. It will be interesting to see whether the following happens:

  • Will they pay up?
  • If they don’t pay up, what data will pop up on the Internet?
  • Will they explain what happened and how they will stop it from happening again? So far, I cannot find any comment of any sort from Shimano.

Stay tuned to see what happens next.

Google Canada reveals winners for inaugural Google Search Honours Awards

Posted in Commentary with tags on November 3, 2023 by itnerd

Today, Google Canada is announcing the winning Canadian advertisers and agencies selected for the inaugural Google Search Honours Awards, celebrating those who are using AI-powered advertising to propel their business forward. 

There are plenty of awards that recognize flashy brand campaigns, but Search marketing doesn’t get the same recognition despite its impact on driving business results. The Google Search Honours Awards were created to celebrate brands and marketers using Google’s AI-powered ads to reach new audiences, maximize their spends and push the boundaries of what their campaigns can achieve.

On September 14, Google announced the shortlist, and six winners were announced at the awards celebration on Thursday November 2.

Reach Expansion: recognizes work that leverages AI-powered Search tools to efficiently connect with a wider audience.

  • Rising Star winner: Simplii Financial (shortlist: BMO | KINESSO; Desjardins | Glassroom; Hyundai | INNOCEAN)
  • Best in Class winner: Canadian Tire (shortlist: Hudson’s Bay; lululemon athletica; RBC Insurance | WebAgency)

Value Impact: celebrates AI-powered work that uses smart bidding strategies to get the most out of Search advertising investments.

  • Rising Star winner: Shopify (shortlist: Destination BC | Noise Digital; Scotiabank; WestJet Airlines Ltd. | Touché!)
  • Best in Class winner: Toyota | Saatchi & Saatchi (shortlist: Air Canada; Jewlr; QuickBooks Online)

AI Innovation: the final category shines a light on those who are pushing the boundaries and breaking new ground with AI-powered Search campaigns.

  • Agency of the Year winner: Mindshare (shortlist: PHD; Saatchi & Saatchi/Synergize; Starcom)
  • Marketer of the Year winner: QuickBooks Online (shortlist: Canadian Tire; lululemon athletica; TD Bank)

Guest Post: A day without the internet in the world would cost $43 billion

Posted in Commentary with tags on November 3, 2023 by itnerd

The internet has become such an integral part of our daily lives that we often do not even think about how much we rely on it.

According to data presented by the Atlas VPN team, a day without internet worldwide would cost $43 billion. The United States and China together account for almost half of that sum, at $21 billion.

The United States, one of the most connected countries regarding internet usage, would face huge losses of around $11 billion for a single day without online access. An outage would bring many economic activities in the US to a standstill.

China is estimated to lose nearly $10 billion, though this figure may underestimate the true cost. With China’s heavy reliance on manufacturing and exporting goods globally, an internet outage would significantly slow cross-border trade.

The United Kingdom, with its robust e-commerce and financial services sectors, would lose approximately $3 billion. Japan is predicted to suffer around $2.7 billion in damage, given the vital role that advanced telecommunications and internet technology play in its economy.

Losing the internet would severely inhibit Germany’s production and business operations, potentially costing $1.5 billion based on its GDP share and the high level of internet dependence across its industrial sectors.

Cybersecurity writer at Atlas VPN, Vilius Kardelis, shares his thoughts on the internet’s impact on our society:

“We often don’t appreciate the backbone role the internet now plays. An outage would bring activities to a standstill and underscore how much our economic functions depend on stable online access. Access to the internet should be a basic human right, and should not be restricted by governments or providers.”

To read the full article, head over to:


Data Related To Five Ontario Hospitals Hit By A Cyberattack Is Now Online

Posted in Commentary with tags on November 3, 2023 by itnerd

A few days ago I posted a story about five Ontario hospitals getting pwned in a cyberattack. That was bad, but it just got worse for them, as data that was swiped in that cyberattack is now floating around on the Internet:

“We have become aware that data connected to the cyber incident has been published,” the hospitals said in a statement Thursday. “We are reviewing the data to determine its contents. Working with leading cybersecurity experts, we continue to investigate to determine the exact data impacted.”

It was not immediately clear Thursday which data had been published or where.

In the joint statement, the hospitals said that any individuals whose data was affected will be notified, and that the hospitals are working closely with law-enforcement agencies, including local police, OPP, Interpol, and the FBI. 

The Ontario Information and Privacy Commissioner has also been notified. 

“Our leaders, on advice by our experts that we could not verify claims by the attacker, decided we would not yield to their ransom demands. We are aligned in this position with the governments of 50 nations, including Canada, who have recently pledged to never pay ransom to cybercriminals,” the statement read. “We continue to work around the clock to restore systems, and we expect to have updates related to the restoration of our systems in the coming days.”

At least they didn’t pay up. But it sucks that the data is now out there, as that data can be used to launch future attacks against the patients and staff it describes. Seeing as the Ontario Information and Privacy Commissioner is now involved, I would expect more details about this hack to come to light in the weeks ahead. In the meantime, I hope that the affected hospitals not only get normal service back online quickly, but fully disclose what was swiped so that victims can protect themselves.

88 million People Impacted By Health Data Breaches This Year 

Posted in Commentary with tags on November 3, 2023 by itnerd

Even with two months left in 2023, more than 88 million individuals have been affected by breaches of private health data, according to figures the Department of Health and Human Services cited in announcing a health data breach settlement.

Since 2019, there has been a 239% increase in large breaches involving hacking reported to the Office for Civil Rights (OCR), and, with two months still left in 2023, the number of people affected by health data breaches has risen 60% over 2022, with 220 hospitals hit by cyberattacks in just the first half of the year.

Despite researchers and cybersecurity experts warning health systems about the risk that cyberattacks pose to patient care, the last four years have seen a 278% increase in ransomware.

“[…] ransomware attacks are increasingly common and targeting the health care system. This leaves hospitals and their patients vulnerable to data and security breaches. In this ever-evolving space, it is critical that our health care system take steps to identify and address cybersecurity vulnerabilities along with proactively and regularly review risks, records, and update policies. These practices should happen regularly across an enterprise to prevent future attacks,” said OCR Director Melanie Fontes Rainer.

Jan Lovmand, CTO, BullWall offers this comment:

   “Ransomware attacks on hospitals have become a serious threat to public health and safety. These attacks not only disrupt the delivery of essential medical services, postponing critical surgeries and treatments and putting patients’ lives at risk, but also compromise the security of sensitive patient information. The impact of these attacks can be devastating, as they can leave hospitals struggling to recover their data and regain control of their systems. Whether the ransom is paid or not, the costs in dollars and lost patient care severely cripple these already struggling institutions.

   “Hospitals and healthcare organizations are particularly attractive targets for cybercriminals, and their reliance on technology to manage everything from patient records to surgical equipment makes them uniquely vulnerable. This is compounded by their limited resources to invest in cybersecurity measures. But with ransomware continuing to be a significant threat to these organizations, investments must be made to contain these attacks, eliminating the need to resort to a complete shutdown of IT systems, and healthcare services.”

Dave Ratner, CEO, HYAS follows with this:

“Healthcare organizations are increasingly under attack because of the value of the data they hold. In addition to regularly reviewing risks, records, and updating policies, organizations need to assume that they will be breached and ensure that they have the required visibility internally to detect a breach, isolate it, and shut it down before the criminals exfiltrate and/or encrypt data. Ensuring that they are resilient to breaches is the only path forward.”

While it’s been known for a while that healthcare is a prime target for threat actors, I have to admit that I never imagined it would be so bad that 88 million people would be affected by breaches related to health care.

And counting seeing as the year isn’t over yet.

Dallas County Stops Recent Cyber Attack

Posted in Commentary with tags on November 3, 2023 by itnerd

Dallas County said Tuesday that its IT staff interrupted an attempt to steal data and “effectively prevented any encryption of its files or systems.” The county says that the attempt to hack into its network earlier this month was blocked, and investigators are continuing to look into the incident.

The county believes that its cyber defenses withstood the attack, stating: “Due to our containment measures, Dallas County interrupted data exfiltration from its environment and effectively prevented any encryption of its files or systems. It appears the incident has been effectively contained, partly due to the measures we have implemented to bolster the security of our systems.”

These measures include:

  • Extensive deployment of an Endpoint Detection and Response (EDR) tool across servers and endpoints connected to our network.
  • Forcing password changes for all users to grant access to our systems.
  • Mandating multi-factor authentication for remote access to our network.
  • Blocking ingress and egress traffic to IP addresses identified as malicious.

The County Update on the attack states: “Currently, there is no evidence of ongoing threat actor activity in our environment. Given these measures and findings, it appears at this time that the incident has been successfully contained and that Dallas County’s systems are secure for use.”

However… The Record informs us that “On Saturday, the Play ransomware gang posted the county to its leak site, claiming to have stolen an undisclosed amount of data, which it threatened to leak by November 3.”

Steve Hahn, Executive VP, BullWall had this to say:

   “Since around 2018, ransomware threat actor groups have increasingly targeted cities across the United States. Baltimore and Oakland were both down for months before returning to full operation, and were forced to declare a state of emergency as essential services were incapacitated. Texas has seen more than 40 government entities impacted since that time, clearly taking the brunt of this new focus on cities.

   “The reasons for this are varied. Russian-based threat actor groups are largely responsible for these attacks, and the disruption and even loss of life they can cause is a major driver. 911 services are taken down, emergency response, healthcare services, even court case documents wiped out for serious criminals. The other driver for this is clearly the lack of robust security controls for city and state governments.

   “I’ve seen firsthand how the security leaders in these cities plead for funding and resources for the most basic security controls and are repeatedly denied funding for essential products. Unfortunately, it’s not until after the fact that they tend to receive that funding. The security leaders know what they need, better prevention tools and the latest technologies like ransomware containment solutions, but they just can’t navigate the political landscape sufficiently to get that funding. Until then, we will see a continued rise in ransomware attacks with increasing levels of severity. These new attacks not only encrypt files, they also disable massive amounts of the critical IT infrastructure, rendering it inoperable.”

I guess we’ll have to wait and see how much data the Play ransomware group swiped. It’s not clear how long they were inside the environment, so anything is possible.
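Of the controls Dallas County lists above, the two that bear directly on its claim to have “interrupted data exfiltration” are blocking ingress and egress to known-malicious addresses and having enough visibility to notice data leaving. Here is an added example of my own (not the county’s code, and not based on any detail of its incident) that shows both: it parses a threat-intel style blocklist, drops flows touching a listed address in either direction, and separately flags internal hosts pushing bulk data to any external destination, listed or not. The blocklist, the flow records, the 10.0.0.0/8 internal range, the 500 MB threshold and the nftables set name are all constructed assumptions.

```python
"""Apply a malicious-IP blocklist to flow records and flag bulk egress.

Added example, not Dallas County's code. The blocklist and the flow records
are constructed from RFC 5737 documentation address ranges; a real deployment
would pull the list from a threat-intel feed and the flows from a firewall or
NetFlow collector.
"""
import ipaddress
from collections import defaultdict

# Constructed blocklist in the plain-text form many feeds publish (assumption).
BLOCKLIST_TEXT = """\
# constructed: documentation ranges only
198.51.100.0/24
203.0.113.45
"""

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: the county LAN
EGRESS_BYTES_THRESHOLD = 500_000_000               # 500 MB to one external host (assumption)

# Constructed flow records (not real traffic): one flow per line.
SAMPLE_FLOWS = """\
src=10.0.3.14 dst=203.0.113.45 dport=443 bytes_out=12000
src=10.0.3.14 dst=198.51.100.77 dport=22 bytes_out=820000000
src=10.0.9.2 dst=192.0.2.10 dport=443 bytes_out=650000000
src=10.0.9.2 dst=192.0.2.11 dport=443 bytes_out=4000
src=10.0.4.8 dst=10.0.4.9 dport=445 bytes_out=900000000
src=198.51.100.5 dst=10.0.1.20 dport=3389 bytes_out=3000
"""


def load_blocklist(text):
    """Parse CIDRs and single addresses, ignoring comments and blank lines."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def is_listed(addr, blocklist):
    """True if addr falls inside any blocklist entry (CIDR-aware)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in blocklist)


def parse_flow(line):
    """Turn one 'key=value' flow line into a dict with an integer byte count."""
    flow = dict(pair.split("=", 1) for pair in line.split())
    flow["bytes_out"] = int(flow["bytes_out"])
    return flow


def evaluate_flows(flow_text, blocklist):
    """Return (decision, src, dst) tuples: 'block_listed_ip' for a listed
    address on either end, 'flag_bulk_egress' for an internal host sending
    more than the threshold to one external address."""
    decisions = []
    egress = defaultdict(int)  # (src, dst) -> bytes leaving the internal range
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        src, dst = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
        # Ingress and egress alike: a listed address on either end is dropped.
        if is_listed(flow["src"], blocklist) or is_listed(flow["dst"], blocklist):
            decisions.append(("block_listed_ip", flow["src"], flow["dst"]))
        if src in INTERNAL_NET and dst not in INTERNAL_NET:
            egress[(flow["src"], flow["dst"])] += flow["bytes_out"]
    # A blocklist only catches hosts somebody has already reported; staged
    # exfiltration usually goes to an unlisted host, so volume is the second signal.
    for (s, d), total in egress.items():
        if total >= EGRESS_BYTES_THRESHOLD:
            decisions.append(("flag_bulk_egress", s, d))
    return decisions


def nft_set_elements(blocklist):
    """Render the blocklist as an nftables 'add element' command for a set
    declared with 'flags interval' (needed for CIDR entries); set name assumed."""
    return "nft add element inet filter blocked_ips { %s }" % ", ".join(
        str(net) for net in blocklist)


if __name__ == "__main__":
    bl = load_blocklist(BLOCKLIST_TEXT)
    for decision in evaluate_flows(SAMPLE_FLOWS, bl):
        print(*decision)
    print(nft_set_elements(bl))
```

On the sample, three flows are blocked (two outbound to listed addresses and one inbound RDP attempt from a listed address), and two hosts are flagged for bulk egress. The second of those, 10.0.9.2 sending 650 MB to 192.0.2.10, is the point of the exercise: that destination is on no blocklist, so the IP-blocking control alone would have let it through, and only the volume check catches it. The internal-to-internal SMB copy is deliberately not flagged, since it never leaves the environment. The generated `nft add element` line assumes a set created as `type ipv4_addr; flags interval;` and rules of the form `ip saddr @blocked_ips drop` and `ip daddr @blocked_ips drop` in the input and output chains.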