The IT Nerd

On March 14th, Miami based Independent Living Systems (ILS) disclosed a healthcare data breach that impacted more than 4 million individuals, the largest reported healthcare data breach of 2023, so far. More on the so far part later.

Hackers were in their network from June 30th to July 5, 2020, when the company discovered that its network was accessed and employee data had been exfiltrated. Here’s a snippet of what the data breach notice said.

On July 5, 2022, ILS experienced an incident involving the inaccessibility of certain computer systems on its network. ILS responded to the incident immediately and began an investigation with the assistance of outside cybersecurity specialists. Through our response efforts, ILS learned that an unauthorized actor obtained access to certain ILS systems between June 30 and July 5, 2022. During that period, some information stored on the ILS network was acquired by the unauthorized actor, and other information was accessible and potentially viewed. Upon containing the incident and reconnecting its computer systems, ILS conducted a comprehensive review to understand the scope of potentially affected information and identify the individuals to whom such information relates. ILS received the results of this review on January 17, 2023, and then worked as quickly as possible to validate the results and provide notice to potentially impacted individuals and entities. 

The types of impacted information varies by individual and could have included: name, address, date of birth, driver’s license, state identification, Social Security number, financial account information, medical record number, Medicare or Medicaid identification, CIN#, mental or physical treatment/condition information, food delivery information, diagnosis code or diagnosis information, admission/discharge date, prescription information, billing/claims information, patient name, and health insurance information.  

But the part that catches my attention is this:

ILS previously notified potentially affected individuals on September 2, 2022 by posting a preliminary notice of this data event on its website. Additionally, ILS previously provided preliminary notice to its primary state and federal regulators. Now that its review and validation efforts are complete, ILS is notifying potentially affected individuals via this media release, posting supplemental notice on its website, and mailing letters to potentially affected individuals for whom ILS has address information. ILS is also providing supplemental notice to its primary state and federal regulators, initial notice to certain additional state regulators (as required), and initial notice to the three major consumer reporting agencies (i.e., Equifax, Experian, and TransUnion). 

Yeah, it took over six months to identify and notify victims. #Fail.

Tim Schultz, VP, Research & Development at SCYTHE had this to say:

   “Healthcare data – the most treasured record in the Underground Economy.

   “The healthcare industry is going to continue to be targeted by threat actors and I don’t see it stopping anytime soon. Similar to other industries where more restrictive cybersecurity controls may have a broader business impact, cybersecurity maturity lags behind. Since medical information can be leveraged in future attacks against individuals either for social engineering or extortion, the data stolen will be valuable for a long time.”

Healthcare is a huge target for threat actors as evidenced by these major breaches:

•    February, Heritage Provider Network – 3.3 million patients
•    February, Community Health Systems – 1 million patients
•    March, Cerebral – 3.1 million patients

The take home message here is that the healthcare sector needs to up its game to stop this from happening over and over again. Because with the scale of hacks that we see in this sector, there clearly isn’t enough being done to safeguard data.

In a Tweet last night, security researcher Dominic Alvieri posted a copy of the Play ransomware gang’s dark web posting threatening to publish the City Of Oakland’s data of 3/4/23, which is today. The posting was listed as of March 1st. So they got just three days’ notice to pay the ransom.

The city of Oakland first experienced the ransom attack in on Feb 14th and according to their latest status report on February 28th, city services remain primarily unchanged.

The gang claims to have stolen documents contain private data including financial and government papers, identity documents, passports, employee data and information regarding human rights violations. They’re attempting to use this data to get the administration to meet their demands and pay the ransom.

Ted Miracco, CEO of Approov Mobile Security had this to say:

The recent ransomware attack on the city of Oakland is a concerning issue, and we expect to see more attacks like this on Government offices, as they are quite vulnerable. The potential implications of giving in to these demands could encourage more cyberattacks on other cities and organizations, as hackers may see it as a profitable way to extort money. The fact that the gang claims to have access to sensitive information such as financial and government papers, identity documents, passports, and employee data is alarming.  However, the city of Oakland and other organizations must prioritize the security of their computer systems and data to prevent future attacks. Hopefully, the authorities can track down and bring the hackers to justice while also ensuring the safety of the stolen data.
 

David Mitchell, Chief Technical Officer of HYAS followed up with this comment:

   “This ransomware group likes to start by using remote code execution (RCE) attacks on Exchange servers to gain access and then deploy their ransomware. If that was the case with Oakland, not only do they need a protective DNS solution to prevent the outbound communications from the malware but they may have failed to update vulnerable software on internet facing systems, making this even easier than using email as the initial infection vector. If this was an RCE on Exchange, a protective DNS solution would have quickly identified and blocked the malicious DNS transactions and contained the problem to the initial infection vector.”
 

Morten Gammelgaard, EMEA, co-founder of BullWall had this comment:  

   “The ransom attack on the City of Oakland not only disrupted city services, but as is always the case in such events, the attackers have obtained private data, including financial and government papers, identity documents, passports, employee data, and information regarding human rights violations. Data breaches and identity theft resulting from such attacks cause significant harm to individuals and organizations alike. In this case, the attackers are using the stolen data as leverage to demand a ransom payment from the city, which could result in further financial loss and reputational damage.

   “In addition to the city services being out for a week prior to IT restoring access, the potential long-term impact of the attack on the city’s infrastructure and security cannot be ignored. For some companies, a week of downtime would be significant loss of revenue or worse yet, imagine if that was a hospital that was down for 6 days!

   “This incident underscores the importance of implementing robust cybersecurity defenses, including response and containment measures to safeguard against such attacks, as there is no end in sight to these sorts of attacks.”

I for one will be interested to see if this gang gets anything out of this, and if they follow through with their threat to release the data. Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages ransomware gangs to target more victims and offers an incentive for others to get involved in this type of illegal activity. So this will be interesting to watch.

UPDATE: Darren Williams, CEO and Founder, BlackFog added this comment:

     “As cyber adversaries continue to focus on making the biggest impact by affecting the most people, it’s unsurprising that the public sector and government remains a compelling target. In 2022 for example, our State of Ransomware report observed a 17% increase in reported governmental cyber-attacks.

City councils and governments need to re-prioritize their cybersecurity as clearly, this isn’t an issue that will just go away. The effect of the attack on the City of Oakland last month appears to only now be setting in, as the stolen personal data of city workers have begun to be leaked by the attackers. 

Moreover, hackers often favor weekends and holidays to launch attacks, when the majority of employees are out of office, so newer technologies that focus on automated prevention 24/7 must be added to the security stack.”

The U.S. Marshals Service who are better known for getting their man is now known for being pwned in a ransomware attack:

In a statement Monday, U.S. Marshals Service spokesperson Drew Wade acknowledged the breach, telling NBC News: “The affected system contains law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees.”

Wade said the incident occurred Feb. 17, when the Marshals Service “discovered a ransomware and data exfiltration event affecting a stand-alone USMS system.”

The system was disconnected from the network, and the Justice Department began a forensic investigation, Wade said.

He added that on Wednesday, after the agency briefed senior department officials, “those officials determined that it constitutes a major incident.”

Even if this was a stand alone system, this is still pretty bad. Though it looks like at first glance that this was contained. However there was data theft. And some sensitive stuff was stolen.

Jan Lovmand, CTO of BullWall had this to say:

   “Even organizations with extensive resources and expertise fall victim to ransomware attacks. The U.S. Marshals Service (USMS) is responsible for catching fugitives and handling federal prisons in the US and has all the resources of the US government at their disposal. Not unlike the cyber attack on the FBI’s New York Field Office last week, they are a high government profile target and not immune to determined malicious hackers. 

   “In addition to the theft of highly sensitive information, these ransomware attacks can cause significant operational disruption. The U.S. Marshals Service’s system contained sensitive information, including returns from legal processes, administrative information, and PII of USMS employees and subjects of investigations. 

   “Containment and after-action strategies are crucial for all organizations to mitigate the risks associated with ransomware attacks. Organizations must have a response plan in place to contain the attack, preventing further damage, as well as a strategy for recovery and restoration of data and systems. These plans should be regularly updated and tested to ensure their effectiveness.”

This incident is pretty bad and hopefully there’s a root cause analysis to allow this agency to ensure that this never happens again.

Food giant Dole has disclosed that they have been hit by a ransomware attack. But only after the news hit the media. Let’s start with what Dole had to say: 

Dole plc announced today that the company recently experienced a cybersecurity incident that has been identified as ransomware.

Upon learning of this incident, Dole moved quickly to contain the threat and engaged leading third-party cybersecurity experts, who have been working in partnership with Dole’s internal teams to remediate the issue and secure systems. 

The company has notified law enforcement about the incident and are cooperating with their investigation.

While continuing to investigate the scope of the incident, the impact to Dole operations has been limited.

That’s your standard PR statement that basically says “nothing to see here, move along.” Except that CNN has a slightly different story:

A cyberattack earlier this month forced produce giant Dole to temporarily shut down production plants in North America and halt food shipments to grocery stores, according to a company memo about the incident obtained by CNN. 

The previously unreported hack — which a source familiar with the incident said was ransomware — led some grocery shoppers to complain on Facebook in recent days that store shelves were missing Dole-made salad kits. 

“Dole Food Company is in the midst of a Cyber Attack and have subsequently shut down our systems throughout North America,” Emanuel Lazopoulos, senior vice president at Dole’s Fresh Vegetables division, said in a February 10 memo to retailers. 

Dole has four processing plants in the US and employs more than 3,000 people, according to a recent company press release.

After CNN published this story on Wednesday afternoon, Dole spokesperson William Goldfield sent CNN a statement confirming that ransomware was the cause of the incident.

“The company has notified law enforcement about the incident and are cooperating with their investigation,” Dole’s statement said in part. “While continuing to investigate the scope of the incident, the impact to Dole operations has been limited.”

However, two grocery stores in Texas and New Mexico contacted by CNN on Wednesday said they couldn’t stock Dole salad kits on their shelves for days.

So much for “the impact to Dole operations has been limited.” This is a classic case of a company trying to keep the fact that they got pwned quiet, and then scrambling to explain getting pwned after the news gets out.

Morten Gammelgaard, EMEA, co-founder of BullWall had this comment:

   “When ransomware attacks force giant food processing operators like Dole to shut down production, the effects can ripple through the entire economy. Threat actors have significantly accelerated their deployment of ransomware, from an average of 60 days per attack in 2019 to less than four days in 2021, according to a recent IBM report. Even for large multi-national companies such as Dole, staying on top of network vulnerabilities and updating prevention based security constantly is very difficult.  You will be breached and you’d best be prepared.”

   “The Dole ransom attack highlights how the just-in-time nature of food supply chains makes them particularly vulnerable to financially motivated cyberattacks, like ransomware. As production and distribution are tightly coordinated to minimize waste and cost, any disruption caused by a cyberattack can have a ripple effect throughout the supply chain, leading to shortages and inevitable price increases.”

   “Should Ransomware slip through any of the multitude of potential weaknesses in small and large environments it is very important to have Ransomware Containment in place (not the same as ransomware prevention). It acts as a Last Line of Defense against “active” attacks – i.e. when encryption starts to corrupt your data as a fully automated response. It has saved many well-prepared organizations millions of dollars.”

Finally Darren Williams, CEO and Founder of BlackFog said this:

“Similar to other devastating ransomware attacks we have seen recently these attacks are highly targeted, and existing technologies are insufficient to cope with these modern attack variants. The speed at which attackers can breach and leverage a network infrastructure is now unparalleled with the time to deployment down from 60 days to less than 4 days. Detecting and responding to these events manually is no longer feasible for an organization. Focus must be around prevention and stopping data exfiltration before any damage can be done. “

Because Dole isn’t a small food provider, I would hope that the relevant authorities are investigating this because with threat actors targeting operations like Dole, one of these attacks could result in things going very badly for millions of people.

It appears that video game company Activision has been pwned by hackers. And this hack is really bad. Here’s a quick synopsis:

• Sunday 2/19 – Cybersecurity research group vx-underground Tweeted screenshots of data purportedly stolen from Activision, including a content release schedule for Call of Duty.  “Activision did not tell anyone.”
• Monday 2/20am – Insider Gaming said it confirmed the Activision data breach after obtaining “the entirety” of the stolen data (not published by vx-underground).
• Monday 2/20pm – Nothing to see here: “Following a thorough investigation, we determined that no sensitive employee data, game code, or player data was accessed.” Activision confirmed to Bleeping Computer that their systems were breached through an SMS text phishing attack on an HR employee, gaining access to their Slack on December 2 and tried to trick other employees into clicking malicious links..
• However, Insider Gaming claims to have reviewed the entirety of the stolen data, saying the data also contained sensitive employee information, including full names, emails, phone numbers, salaries, places of work, and more.

And seeing as they are being purchased by Microsoft, this could not have come at a worse time for the company. And Activision’s response to this has been, shall we say, sub-optimal.

David Maynor, Senior Director of Threat Intelligence at Cybrary had this to say:

   There is no one “SOP” for breaches. This timeline shows a typical public reaction to a breach. Some entity, in this case VX-Underground, notices something on a market and tells the world about it. Reporters that follow VX-Underground use it as a tip and suddenly the victims switchboard/email server gets loaded with requests for comment. 

   “There is also the fog of war effect where different people have different parts of a puzzle and make assumptions. This leads to different hot takes contradicting each other.

   “From the trial last year of the Uber CISO, Joseph Sullivan, we know that big corps can handle breaches differently. What I can say from personal experience is that the responses to questions as well as public statements are approved by if not written by a crisis communications team. The default response is deescalate, deflect, then deny. This is why the infosec community values technically insightful Root Cause Analysis (RCA) from a victim.”

Tim Morris, Chief Security Advisor, AMER at Tanium follows up with this:

   “There is conflicting information on this one. Specifically, about what was accessed /stolen. Regardless, the initial attack vector was a social engineered phishing/smishing attack, obtaining access via SMS / 2FA. Proving once more that SMS / 2FA isn’t the most robust form of authentications and other, stronger MFA methods should be used.

   “Also, training of users is still needed. Users should treat SMS messages with the same scrutiny as email phishing scams. Be wary of phone calls from “IT Support”. Unless initiated by the user, they should be suspect. Either ignore or call back to a known number. For SMS, ignore and never give out any 2FA codes sent via text.

   “Principle of least privilege needs to be implemented, so that if/when an employee’s account credentials are stolen the “blast radius” is small, i.e. what the attacker has access to is minimized. Threat hunting, good incident response, and monitoring are key to find these intrusions quickly, and limit their reach.

   “Have a good PR plan on what to do when a breach happens. This successful attack happened two and a half months ago, and is only public now because some leaked data was published on vx-underground.”

Given the profile of Activision who makes the Call Of Duty franchise, and their relationship with Microsoft, a lot of eyes are going to be on this one. If I were Activision, I’d be working very hard to find out what happened, what was stolen, and how to stop this from happening again. Then I would put all of that out in the public domain as quickly as possible. Because right now, Activision look like a bunch of n00bs.

Applied Materials is saying that a breach at one of its suppliers would cost them $250 million in sales in the second quarter:

In the second quarter of fiscal 2023, Applied expects net sales to be approximately $6.40 billion, plus or minus $400 million, which includes ongoing supply chain challenges and a negative estimated impact of $250 million dollars related to a cybersecurity event recently announced by one of our suppliers. Non-GAAP adjusted diluted EPS is expected to be in the range of $1.66 to $2.02.

A clue was dropped in the earnings call:

“Very recently, one of our major suppliers encountered a disruption that will impact our second-quarter shipments,”

Though not named in the announcement, the supplier is believed to be MKS instruments of Andover MA. MKS instruments was hit by a cyber-attack on February 3^rd. The attack caused the company to shut down operations at certain facilities while it tries to assess the damages. The company’s website was still down as of Thursday afternoon. The company has had to reschedule its fourth quarter earnings call and said the ransomware event had a material impact on its “ability to process orders, ship products and provide service to customers” in its vacuum and photonics divisions.

Here’s the connection between the two. In addition to Applied Materials, MKS supplies the world’s largest chip manufacturers with products, including Samsung Electronics and Taiwan semiconductor manufacturing the world’s two largest chip makers. Intel and ASML Holding NV are also customers. Meaning that this is very, very bad for a whole lot of people.

Ted Miracco, CEO, Approov:

   “The semiconductor supply chain remains one of the most complicated and most critical supply chains that underpin the entire global economy. As we witnessed last year, interruptions in the semiconductor market can have long term consequences that impact everything from automobiles to the price of food. 

   “With the ongoing “Chip War” between the US and China, we should expect more disruptions like this in the future, and quarterly earnings should be the least of our concerns. These attacks on the semiconductor supply chain deserve a lot more attention than the latest balloon incidents.”

Monti Knode, Director of Customer Success, Horizon3.ai:   

   “It’s interesting that MKS called out “had a material impact”, almost like they had to announce and clarify that a cyberspace attack could and did have a tangible outcome. We’re seeing this realization more in both public and private industry, especially in our Department of Defense which viewed as cross-domain operations; Russia has been doing this for years, and now the world is seeing it live in Ukraine and even here in the US (ref https://www.mirror.co.uk/news/us-news/breaking-russian-hackers-target-hospitals-29053567).

   “The days of presuming this to be an IT or cybersecurity problem are long gone.”

This is a clear example of what a supply chain attack can do to you if you and your partners aren’t careful. Thus you and those you work with have to make sure you’re on the same page from a cybersecurity standpoint. Otherwise, this is the sort of thing that can happen to you.