The IT Nerd

In an 8-K filing with the SEC, Bassett Furniture said it shut down some of its IT systems following a ransomware attack it discovered on July 10.

“The threat actor disrupted the Company’s business operations by encrypting some data files. As a result of the Company’s containment measures, which included shutting down some systems, the Company has not been, and, as of the date of this Report is not operating its manufacturing facilities.

“The Company’s retail stores and e-commerce platform are open, and customers are able to place orders and purchase available merchandise; however, the Company’s ability to fulfill orders is currently impacted,” Bassett Furniture said in the 8-K filing.

“[…] the incident has had and is reasonably likely to continue to have a material impact on the Company’s business operations until recovery efforts are completed,” Bassett Furniture admitted.

No ransomware group has come forward to take credit for the incident as of Tuesday afternoon.

Evan Dornbush, former NSA cybersecurity expert had this to say:

   “The 8-K disclosure does not explicitly make clear that Bassett has been prompted to pay a ransom and with none of the more notorious actors yet coming forward to claim credit, it could be the breach was by a newer operator appearing on to the scene without the refined processes seen by the more established groups.  

   “The cybersecurity community needs to do a better job of prohibiting new actors from emerging, ensuring manufacturing and retail sectors don’t have to experience downtime and face other material impacts.”

Stephen Gates, Principal Security SME, Horizon3.ai followed with this:

In Bassett Furniture’s recent Form 8-K filing with the SEC, the company announced a disruption in its operations due to a cyber incident. It appears that a threat actor may have gained a foothold inside the company’s business operations network, likely leading to a human-operated, ransom-based attack.

Considering the potential virtual connectivity between Bassett’s business network and its suppliers for ordering and fulfilling raw materials, I would recommend investigating the breach from the perspective that the attacker might have first gained access through a supplier’s network. This scenario is highly probable in today’s interconnect supply chains.

If this were the case, the attacker, once inside Bassett’s business system, would have likely escalated their privileges, moved laterally within the network, accessed critical data, and encrypted it as part of the ransom attack. Consequently, Bassett’s response appears to have included disconnecting their production network from the business network as a containment measure.

Manufacturers and organizations with supply chains must acknowledge that their cyber risk now extends to their suppliers as well. I highly advise organizations with supply chains to incorporate third-party risk management using continuous cyber risk assessments into their risk management plans. Autonomous cyber risk assessment technologies that provide continuous and affordable assessments are readily available to help meet these types of directives.

I said this yesterday. Companies can either spend money up front to protect themselves, or spend even more money after getting pwned. The choice is theirs.

Yesterday, a hacker with the alias “Emo”, leaked 21.1 GB of information on over 15 million users of the Atlassian-developed project management tool Trello.

According to the hacker, the data breach occurred in January 2024, including the following:

• 15,182,073 email addresses
• User IDs
• Usernames
• Full names
• Profile URLs
• Status information
• Various settings and limits
• Associated board memberships

Initially, the hacker used email addresses from already-breached databases and then expanded the attack. The hacker explained that Trello had an insecure API endpoint accessible without logins, allowing the hacker to link email addresses to Trello accounts, revealing user identities, resulting in the widespread breach.

“I originally was only going to feed the endpoint emails from ‘com’ (OGU, RF, Breached, etc.) databases, but I just decided to keep going with emails until I was bored. This database is very useful for doxing, find enclosed email address matched to full names and aliases matched to personal email addresses,” the hacker said.

Evan Dornbush, a former NSA cybersecurity expert offers comments:

   “Data disclosure like this is unfortunate.  The attacker was using an unauthenticated-yet-legitimate API call to obtain sensitive information. Considering we’re talking about text data, 21.2GB is a lot to leak.

   “For a long time, anomaly detection failed to live up to the hype.  Modern computational processing leveraging machine learning techniques in theory make alerting on these kinds of abnormal operating behaviors a reality.  If they can emerge onto the cybersecurity scene more aggressively, perhaps companies could more quickly detect this kind of behavior in the future.”

This is pretty bad. And Trello really has to not only explain how this specific hack happened, but what they are going to do to safeguard customer data going forward. Because a leak of this scale is completely unacceptable.

Recreational boat and yacht retailer MarineMax is notifying over 123,000 individuals whose personal information was stolen in a March security breach claimed by the Rhysida ransomware gang. The hack was discovered back in March but is only being reported now. More on that in a moment.

Rogier Fischer, CEO, Hadrian had this to say:

Any organization that faces such a situation should focus on both immediate and long-term corrective actions, according to Rogier Fischer, CEO of Netherlands-based cybersecurity service Hadrian.”In the short term, they need to enhance security measures, strengthen access controls, and provide employee training to prevent future breaches. They should also automate their monitoring and detection capabilities,” he said.”For the long term, conducting a comprehensive security audit, updating their incident response plan, and moving to an automated compliance and reporting process are crucial.”Additionally, investing in advanced cybersecurity technologies and establishing robust cybersecurity governance will help them mitigate future risks and improve their overall security posture, he added.

My problem with this is that this breach is that the hack was discovered in March. It’s July and we’re only learning of this now. There’s something seriously wrong with that and I along with those who have been affected would really like to know what the deal is with that.

Documents belonging to InHouse Physicians, a US healthcare provider that offers on-site medical services and wellness programs to organizations, have been exposed as reported by cybersecurity researcher Jeremiah Fowler.

What happened: 148,415 PDF documents totalling 12 GB were exposed. The database contained documents indicating if the person was cleared to enter an event or tested positive for COVID-19 and denied entry.

Why it matters: Documents in question included the name of the event and the phone number of the attendee along with their full name. This data exposure of COVID-19 era documents is a prime example of how healthcare organizations should prioritize auditing and reviewing what information they have stored.

If you want to know more about Jeremiah’s findings you can read the full report here: https://www.websiteplanet.com/news/inhousephysicians-breach-report/

It costs money to have good defences against cyberattacks. But it costs way more money to when you actually get pwned by hackers. United Healthcare who’s Change Healthcare unit got in a massive way a few months ago reported their Q2 2024 numbers. And in it was an update on the fact that they got pwned:

Cyberattack Update

The company has restored the majority of the affected Change Healthcare services while continuing to provide financial support to the remaining health care providers in need. To date, the company has provided over $9 billion in advance funding and interest-free loans to support care providers.

Total cyberattack impacts in the second quarter were $0.92 per share. This included $0.64 per share to support direct response efforts such as the Change Healthcare clearinghouse platform restoration and increased medical care expenditures. Additionally, Change Healthcare business disruption impacts, reflecting lost revenue and the costs of maintaining full readiness of the affected Change Healthcare services, were $0.28 per share in the second quarter.

The company currently estimates the total full year 2024 impact at $1.90 to $2.05 per share. Within this, direct response costs are estimated at $1.30 to $1.35, an increase of $0.40 to $0.45 from the initial estimate. The change is due to the company’s care provider financial support initiatives and consumer notification costs. Business disruption impacts are estimated at $0.60 to $0.70 per share.

To say that those are non-trivial numbers is an understatement. John Gunn, CEO, Token had this comment:

Today’s disclosure of the full cost of the Change Healthcare breach is a screamingly loud wake-up call to every organization to stop being penny-wise and dollar-foolish in not adopting phishing-resistant MFA. A small investment in next-generation MFA would have saved United Healthcare more than $2 billion. This disclosure should also allay the fears of those who fear the recent SCOTUS ruling overturning the Chevron deference will weaken the strength of cybersecurity regulations and lessen companies’ motivation to implement proper cybersecurity measures. The avoidance of massive losses such as this are the greatest motivators of all for CISOs, CEOs, and boards.

So, here’s my advice to any company who thinks that they can skimp on cybersecurity. Spend the money. Because if you don’t, you will eventually be the next United Health. And that’s not a good place to be.