The IT Nerd

Yesterday, the nation’s largest servicer of mortgages, Mr. Cooper, posted a notice of a cyberattack breach that caused the company to shut down IT systems, including customers’ access to its online payment portal.

Wednesday, customers attempting to log in to Mr. Cooper’s website to pay their mortgages or loans were instead greeted with a message stating that the company was suffering a technical outage.

The company stated that it discovered the cybersecurity incident on October 31st in which an unauthorized third party gained access to “certain technology systems”.

Customers will be unable to make mortgage payments while the systems are down, but will not be charged any fees, penalties, or negative credit reporting related to late payments as they restore systems.

It is unclear whether customer data was stolen but Mr. Cooper said it will notify impacted customers if any was exposed during the attack.

Emily Phelps, Director, Cyware had this comment:
 
   “Cyberattacks against critical financial infrastructure, like that experienced by Mr. Cooper, underscore the importance of robust cybersecurity measures and constant vigilance. While it’s reassuring to know customers won’t face financial repercussions for late payments due to the outage, the potential exposure of customer data remains a significant concern. Continuous monitoring, timely alerts, and an educated customer base are crucial components in the fight against such threats.”

This attack illustrates what bad stuff can happen if an attack hits crucial infrastructure. That makes defending against attacks a today problem that everybody needs to take seriously.

Healthcare giant Henry Schein was hit by the BlackCat (ALPHV) ransomware group last month, when the group successfully infiltrated their network. The group claimed to have exfiltrated 35TB of data, including payroll and shareholder information. Henry Schein, a Fortune 500 company operating across 32 countries, reported annual revenue exceeding $12 billion in 2022.

Henry Schein acknowledged the breach occurred on October 15, and that they were forced to shut down systems to contain the cyberattack that had impacted its manufacturing and distribution sectors.

The company immediately informed law enforcement authorities and engaged external cybersecurity and forensics experts to probe the incident, suspecting a potential data breach.

However, two weeks later, when the company had their network almost back to normal, the BlackCat/ALPHV ransomware group added Henry Schein to its dark web leak site, claiming they had successfully penetrated the company’s network and taken the 35 terabytes of data. They also claimed to have re-encrypted the company’s systems, undoing the progress made during restoration efforts, saying the company was not negotiating in good faith. As Henry Schein was removed from the BlackCat site shortly thereafter, it is likely that they came to terms with the ransomware group.

Steve Hahn, Executive VP, BullWall:

“Two things are really striking to me:

   “First, that a fortune 500 company, with the most targeted data on earth (healthcare records) couldn’t stop a Ransomware Attack despite having the funds to utilize every best of breed security tool on earth. They no doubt had the best in next Gen EDRs, Gateways, Firewalls, SIEMs and Orchestration tools yet all the prevention in the world won’t stop a persistent modern day threat actor. All they need is one foothold- a shadow IT device somebody forgot to decommission that hasn’t been patched or managed,  an IoT device, a malicious or incompetent user, even a compromised personal device from an employee who accesses the company network. Once they have that foothold they use red team tools like Mimikatz or Cobalt Strike to extract admin passwords and with those, every security tool in the environment can be bypassed or disabled. Prevention doesn’t work if it’s not running.

   “Second, they were hit twice. This isn’t commonly known but 86% of companies hit by Ransomware will be hit again within the next year. Why? Once the threat actor has gained access and maintained persistence they spin up VMs, user accounts, embed malicious macros in internal documents, white list applications and hide hundreds of other second stage attacks throughout the environment. We see this exact scenario play out hundreds of times per year on some of the most advanced companies on earth.

   “The net here is we are living in a “when” not “if” world of Ransomware. You have be prepared to contain that Ransomware outbreak in milliseconds because they’ve doubled their encryption speed this year from 25,000 files per minute to 50,000 files per minute. You have to have MFA to every server every session to prevent RDP access that can be used to disable your tools and you have to have a recovery strategy in place for what happens once you’ve been hit. You cannot stop these events, but you can contain them rapidly and minimize the impact. “

Steve Hahn brings up an interesting point. A lot of companies who get pwned often get pwned again because once a threat actor gets in, they set up shop and launch second stage or even third stage attacks. That should terrify anyone who entrusted to keep the bad guys out. And it highlights why the best defence is to not allow the bad guys in from the start.

UPDATE: Craig Harber, Security Evangelist: Open Systems adds this:

   “Ransomware attacks have surged this year. The latest victim is healthcare giant Henry Schein. The ransomware gang BlackCat (ALPHV) claims it stole 35TB of data, including payroll and shareholder information. There are no published details of the steps taken to infiltrate their network. 

   “Henry Schein notified law enforcement and hired external cyber forensic experts to assist with the investigation. The company engaged its incident response team to contain the attack; however, based on available reporting, the cybercriminal encrypted the company’s devices and data for a second time before the incident response team restored all its systems. Speculation is this happened because ongoing ransom negotiations were unsuccessful. 

“Ransomware attacks are becoming an all too familiar story. Some companies are not making the necessary investments upfront to protect their critical systems and sensitive data. Then, it is a race against the clock for their incident response teams to secure the systems and sensitive information from further attack once a breach occurs. 

   “From every indication, Henry Schein paid the ransom because the ransomware group deleted the published data leak site. The decision to pay a ransomware attack is always complex. There are many factors to consider, not the least of which is you are negotiating with a cybercriminal. There is no guarantee that even if you pay the ransom, these cybercriminals will restore systems and return stolen company data. It is best to heed law enforcement advice and not pay because doing so only encourages continued criminal activity.”

Shimano is a company that makes bike parts. In fact they’re the largest bike parts company in the world. I have used their parts on my previous bike as well as my current bike. Not to mention that many pros use their parts. Which means that the fact that the company has been pwned in a ransomware attack orchestrated by LockBit will hit home for many:

The notice claims that the group has breached highly sensitive data, including:

• Employee information, including identification, social security numbers, addresses and passport scans
• Financial documents, including balance sheets, profit and loss reports, bank statements, various tax forms and reports
• Client data, including addresses, internal documents, mail correspondence, confidential reports, legal documents and factory inspection results
• Other documents, including non-disclosure agreements, contracts, confidential diagrams and drawings, development materials and laboratory tests

This is pretty bad for Shimano. And it illustrates how busy LockBit has been. Boeing for example has been pwned by LockBit recently. It will be interesting to see the following happens:

• Will they pay up?
• If they don’t pay up, what data will pop up on the Internet.
• Will they explain what happened and how they will stop it from happening again? So far, I cannot find any comment of any sort from Shimano.

Stay tuned to see what happens next.

A few days ago I posted a story about five Ontario hospitals getting pwned in a cyberattack. That was bad, but it just got worse for them as there is now data that was swiped in that cyberattack floating around on the Internet:

“We have become aware that data connected to the cyber incident has been published,” the hospitals said in a statement Thursday. “We are reviewing the data to determine its contents. Working with leading cybersecurity experts, we continue to investigate to determine the exact data impacted.”

And:

It was not immediately clear Thursday which data were published and where. 

In the joint statement, the hospitals said that any individuals whose data was affected will be notified, and that the hospitals are working closely with law-enforcement agencies, including local police, OPP, Interpol, and the FBI. 

The Ontario Information and Privacy Commissioner has also been notified. 

“Our leaders, on advice by our experts that we could not verify claims by the attacker, decided we would not yield to their ransom demands. We are aligned in this position with the governments of 50 nations, including Canada, who have recently pledged to never pay ransom to cybercriminals,” the statement read. “We continue to work around the clock to restore systems, and we expect to have updates related to the restoration of our systems in the coming days.”

At least they didn’t pay up. But it sucks that the data is now out there as that data can be used to launch future attacks. Seeing as the Ontario Information and Privacy Commissioner is now involved, I would expect more details about this hack to come to light in the weeks ahead. In the meantime, I hope that the affected hospitals not only get normal service back online quickly, but they fully disclose what was swiped so that victims can protect themselves.

Even with two months left in 2023, more than 88 million individuals have been affected by breaches of private health data according to the Department of Health and Human Services in a breach settlement involving a health information.

Since 2019, there has been a 239% increase in large breaches reported to Office of Civil Rights (OCR) involving hacking, and with two months still left in 2023, the number of people affected by health data breaches has risen by 60% since 2022 with 220 hospitals affected by cyberattacks in just the first half.

Despite researchers and cybersecurity experts warning health systems about the risk that cyberattacks pose to patient care, the last 4 years has seen a 278% increase in ransomware.

“[…] ransomware attacks are increasingly common and targeting the health care system. This leaves hospitals and their patients vulnerable to data and security breaches. In this ever-evolving space, it is critical that our health care system take steps to identify and address cybersecurity vulnerabilities along with proactively and regularly review risks, records, and update policies. These practices should happen regularly across an enterprise to prevent future attacks,” said OCT Director, Melanie Fontes Rainer.

Jan Lovmand, CTO, BullWall offers this comment:

   “Ransomware attacks on hospitals have become a serious threat to public health and safety. These attacks not only disrupt the delivery of essential medical services, postponing critical surgeries and treatments and putting patients’ lives at risk, but also compromise the security of sensitive patient information. The impact of these attacks can be devastating, as they can leave hospitals struggling to recover their data and regain control of their systems. Whether the ransom is paid or not, the costs in dollars and lost patient care severely cripple these already struggling institutions.

   “Hospitals and healthcare organizations are particularly attractive targets for cybercriminals, and their reliance on technology to manage everything from patient records to surgical equipment makes them uniquely vulnerable. This is compounded by their limited resources to invest in cybersecurity measures. But with ransomware continuing to be a significant threat to these organizations, investments must be made to contain these attacks, eliminating the need to resort to a complete shutdown of IT systems, and healthcare services.”

Dave Ratner, CEO, HYAS follows with this:

“Healthcare organizations are increasingly under attack because of the value of the data they hold.  In addition to regularly reviewing risks, records, and updating policies, organizations need to assume that they will be breached and ensure that they have the required visibility internally to detect a breach, isolate it, and shut it down before the criminals exfiltrate and/or encrypt data.  Ensuring that they are resilient to breaches is the only path forward.”

While it’s been known for a while that healthcare is a prime target for threat actors, I have to admit that I never imagine that it would be so bad to have 88 million people affected by breaches related to health care.

And counting seeing as the year isn’t over yet.

Dallas County said Tuesday that its IT staff interrupted an attempt to steal data and “effectively prevented any encryption of its files or systems.” They claim that an attempt to hack into its network earlier this month was blocked and investigators are continuing to look into the incident.

The County believes that its cyber defenses withstood the attack, stating “Due to our containment measures, Dallas County interrupted data exfiltration from its environment and effectively prevented any encryption of its files or systems. It appears the incident has been effectively contained, partly due to the measures we have implemented to bolster the security of our systems.

These measures include:

• Extensive deployment of an Endpoint Detection and Response (EDR) tool across servers and endpoints connected to our network.
• Forcing password changes for all users to grant access to our systems.
• Mandating multi-factor authentication for remote access to our network.
• Blocking ingress and egress traffic to IP addresses identified as malicious.

The County Update on the attack states: “Currently, there is no evidence of ongoing threat actor activity in our environment. Given these measures and findings, it appears at this time that the incident has been successfully contained and that Dallas County’s systems are secure for use.”

However… The Record informs us that “On Saturday, the Play ransomware gang posted the county to its leak site, claiming to have stolen an undisclosed amount of data, which it threatened to leak by November 3.”

Steve Hahn, Executive VP, BullWall had this to say:

   “Since around 2018 Ransomware Threat Actor groups have increasingly targeted Cities across the United States. Baltimore and Oakland both down for months before returning to full operation and forced to declare a state of emergency as essential services were incapacitated. Texas has seen more than 40 government entities impacted since that time, clearly taking the brunt of this new focus on Cities.

   “The reasons for this are varied. Russian based threat actor groups are largely responsible for these attacks and the disruption and even loss of life they can cause is a major driver. 911 services are taken down, emergency response, healthcare services, even court case documents wiped out for serious criminals. The other driver for this is clearly the lack of robust security controls for City and State governments.

   “I’ve seen first hand how the security leaders in these cities plead for funding and resources for the most basic security controls and are repeatedly denied funding for essential products. Unfortunately, it’s not until after the fact, that they tend to receive that funding. The security leaders know what they need, better prevention tools and the latest technologies like Ransomware Containment solutions, but they just can’t navigate the political landscape sufficiently to get that funding. Until then, we will see a continued rise in Ransomware attacks with increasing levels of severity. These new attacks not only encrypt files, they also disable massive amounts of the critical IT infrastructure rendering it inoperable.”

I guess we’ll have to wait to see how much data that the Play ransomware group swiped. It’s not clear how long they were inside the environment, thus anything is possible.