The IT Nerd

Macmillan, one of the largest book publishers in the US, have been hit by a ransomware attack causing book retailers nationwide the inability to place new orders from the publisher. The company first reported the incident Monday, noting that to prevent further damages to its network, it had taken its systems offline.

Darren Williams, CEO and Founder of BlackFog offered this perspective:

  “Taking systems offline post attack is a reassuring and necessary response to a ransomware attack such as this one against Macmillan, but as ever, prevention is better than cure. 

Organisations need effective, modern protective security measures in place to prevent attacks. A common challenge with traditional defensive approaches to cybersecurity is that they require too much time to adequately protect organisations from these types of attacks, and often lead to a reliance on post-attack measures such as taking systems offline.

Instead of waiting for an attack to happen and then responding, organisations should be focusKevin​,ed on newer technologies that prevent the exfiltration of data from the device, effectively stopping the attacker in their tracks. By looking at the mechanism of action across various ransomware gangs it is possible to stop these attacks at many stages of the attack life cycle and prevent a full blown incident such as the one against Macmillan.”

Hopefully they are able to get things sorted soon. Though I think it is safe to say that their long weekend is ruined.

Baptist Medical Center has suffered a malware attack, which involved the exfiltration of data affecting more than 1.24 million patients from two Texas hospitals, according to a statement from Baptist Medical Center:

On April 20, 2022, it was discovered that certain systems within our network may have been infected with malicious code as a result of potentially unauthorized activity. In response to this incident, user access was immediately suspended to impacted information technology applications, extensive cybersecurity protection protocols were executed, and steps were quickly taken to restrict further unauthorized activity. In parallel, an investigation of the incident was immediately launched, and a national forensic firm was engaged to assist with investigation and remediation efforts. Although the investigation is ongoing, it has been determined that an unauthorized third party was able to access certain systems that contained personal information and remove some data from the network between March 31, 2022 and April 24, 2022. As a result of this review, it appears that your personal information may have been involved.

Clearly this isn’t a trivial event given the large number of people who were affected.

I have two comments on this. The first is from Saryu Nayyar, CEO and Founder of Gurucul:

     “Here is yet another example of a security lapse involving a third party. All network access should be monitored continuously in order to detect unauthorized access by malicious insiders, third party contractors, and cybercriminals. Insider threats can quickly become external threats as we’ve seen in this case. Organizations need to re-evaluate their threat detection, investigation and response (TDIR) programs to enhance insider risk and threat initiatives. The most effective defense is an advanced set of behavioral analytics, to baseline and monitor for unusual user behaviors and catch bad actors in real-time before data is exfiltrated.”

The second comment is from Artur Kane, VP of Product for GoodAccess:

     “Hospitals are a tempting target for financially oriented cyberattacks, as the records of malware and ransomware incidents from the past couple of years show. There are three main reasons why cyber criminals like to pick them:

• First, they have a lot of data to steal. Healthcare institutions contain enormous troves of patients’ personal data, which provides hackers with plenty of loot to sell, if not exploit directly. 
• Second, hospitals are more likely to pay a high ransom. Healthcare institutions often have large budgets that are required to sustain the large number of highly qualified staff in their employment and cover the upkeep of hi-tech medical equipment. But when a ransomware attack encrypts their sensitive information, hospitals face the threat of a data leak and, worse still, they can no longer provide treatment, which directly threatens human lives. Under such circumstances, healthcare institutions are pushed to comply with the ransom demands to allow them to resume providing medical services.
• Third, hospitals often lack defenses. Hospitals are similar to banks in how much sensitive data they curate, but they don’t have information protection so deeply rooted in their pedigree. Their purpose is to provide health care, not guard someone’s assets. This could be why their IT is often understaffed and their vast infrastructures often contain vulnerabilities or run-on legacy systems, offering exploitable points of entry for potential attackers. Some of their medical equipment can also harbor malware without it being detected, such as an MRI scanner that runs on Windows but doesn’t even have an antivirus. Their priority is uptime, not security.

However, healthcare institutions can still significantly reduce the risk of an attack by implementing a few security measures:

• The first is regular and thorough backup of all sensitive data. This is an absolute no-brainer. The likelihood of attacks on healthcare institutions borders on the inevitable and having the ability to recover lost data can save millions of dollars in ransom or damages.
• Next is adopting a zero-trust network access (ZTNA) policy, which on its own brings several benefits. Under ZTNA, users have to use strong authentication, typically reinforced by multiple identity factors (multi-factor authentication). This makes it much harder for attackers to exploit stolen access credentials. In addition, proper ZTNA keeps logs on all access attempts by users, which can be a helpful resource for tracing the progress of the breach during post-compromise analysis and patching up vulnerabilities thus discovered.

ZTNA operates on the least-privilege principle, which means that users can only access those systems they require for their work, but no others. This approach segments the network, confining the attacker only to a pool of systems to exploit, but denying them free rein of the network, causing difficulty escalating the attack further.

• Lastly, healthcare institutions need real-time end-to-end network-centric threat detection. Even with the latest patches and vulnerability updates in place, compromise is likely, and hospitals need to invest in solutions that can detect threat activity in network traffic, such as NDR (network detection and response). Given the exorbitant cost of damage that hospitals suffer as a result of malware and ransomware attacks, the investment pays for itself rapidly.”

Things really need to improve as these events keep happening and it is my perception that little is being done until after the event happens. That needs to change or else I suspect that events like this will become more frequent and more severe.

Security researchers with Cybereason have warned that the Black Basta ransomware-as-a-service group has been observed targeting manufacturing, construction, pharmaceuticals and other industries, in the latest update of the new threat group. Additionally, the ransomware syndicate has developed a Linux variant, designed to attack VMware ESXI virtual machines running on enterprise servers.

Chris Olson, CEO, The Media Trust had this to say:

“Today, data breaches aren’t just about stealing sensitive data for financial gain: they are also a danger to public safety. On average, cyber defenders have less than an hour to stop a ransomware event in progress. In addition to virtualization and cloud computing software, web and mobile apps are increasingly targeted by cyber actors using sophisticated techniques such as obfuscated and polymorphic code to dodge blockers or URL filters. Businesses must pivot to prevention over treatment, monitoring IT and digital infrastructure in real time while working to harden entry points.”

I’ve written about the fact that you have less than an hour to stop a ransomware attack here. That alone makes defending against these attacks a must. I would read the warning and my previous story so that you can harden your enterprise accordingly.

UPDATE: I have additional commentary from Jake Williams who is the Executive Director of Cyber Threat Intelligence for SCYTHE:

The Black Basta threat group is a capable player in ransomware operations. Their capability to encrypt ESXi servers underscores the necessity of security access to hypervisor systems. While Black Basts isn’t the first to develop capabilities against ESXi (LockBit, Hive, and Cheerscrypt already have demonstrated ESXi capabilities), this shows the relative sophistication of the teams working under Black Basta performing the ransomware operations. 

Use of commodity malware like Qakbot demonstrates that there is no such thing as a “commodity” malware infection. Organizations must treat every malware detection as an opportunity for a threat actor to deploy ransomware. Black Basta highlights just how damaging the outcome can be if commodity malware infections are ignored simply because they were “mitigated” by endpoint protection platforms. Other threat actor malware can be – and often is – in the network.

And I have additional commentary from Robert Shaughnessy, VP, Federal for GRIMM:

“Ransomware-as-a-service (RaaS), including groups like “Black Basta,” is a fast-growing business, with comparisons being made to traditional Software-as-a-Service (SaaS) offerings. It may be more accurate to think of groups like Black Basta as loosely affiliated criminal gangs forming from the leftovers of larger organized criminal organizations. Conti, for example, has been broken up as if a lockpick, alarm specialist, appraiser, and accountant who met in prison decided to rob houses together. Enterprises are the houses, and their data are the jewels. Like home invaders, the Black Basta syndicate is looking for enterprises with a combination of valuable data and vulnerable defenses. With Black Basta, the current thinking is it was formed from former members of Conti and REvil, the leading Ransomware gangs from 2021, and leveraging partnerships including with the QBot malware. As reported recently by Nathan Eddy, writing for DARKReading (https://www.darkreading.com/threat-intelligence/black-basta-ransomware-esxi-servers-active-campaign), one interesting feature of Black Basta is a trend toward encrypting Virtual Machines (VMs) via the VM ESXi hypervisor. Leveraging larger servers, typically acting as ESXi hypervisor host machines, provides Black Basta with access to much more powerful processing and memory pools than a single workstation would typically have, resulting in faster encryption times and reducing the overall Time to Ransom. This makes it substantially harder for defenders to detect, isolate, and remediate attacks. Even though emerging ransomware gangs are beginning to use novel Tools, Techniques, and Procedures (TTPs), including VM hypervisor attacks, they are not invincible. As with most ransomware campaigns, a good defense against Black Basta starts with basic cyber hygiene: conduct regular in-depth threat assessments, ensure complete enterprise visibility, keep all systems properly patched, employ a zero-trust model across the enterprise, and closely monitor systems for the earliest signs of atypical utilization and access rights modifications.”

Reuters is reporting that Lithuania has been hit by a cyber attack. Specifically that Lithuanian state and a some private institutions were hit by a denial-of-service cyber attack on Monday the National Cyber Security Centre said in a statement released by the defence ministry. Considering that the country is in a “feud” with Russia over scansions related to Russia’s invasion of Ukraine, it’s likely not a shock that this happened. Nor is it a shock that a Russian linked hacker group has claimed responsibility for the attack.

Chris Clymer who is a Director & CISO at Inversion6 had this comment:

Every significant military power in the world has developed cyber capabilities. These have evolved from espionage tools into full fledged weapons to be used as part of a coordinated military response. Targeting another country with these arguably constitutes an act of war, but one less severe than kinetic attacks with missiles and tanks.  Russia has a collection of theoretically autonomous groups like Killnet which give it the ability to strike at its enemies while still denying responsibility – not a new tactic.  This year alone, Killnet has reportedly targeted Romania, Moldova, Czech Republic, and Italy with Lithuania now added to the list. This harassment will continue, and what’s more interesting is that it doesn’t seem to have targeted the US and major European powers as strongly as first expected. With what we know of internet infrastructure, it’s hard to believe this is because those targets are stronger. Perhaps the Russians are trying to stay focused on targets it feels it can afford to antagonize.

Clearly we live in an era where the battlefield includes cyberspace. Thus it makes anyone and everyone a target. Thus now is a really, really good time for everyone to review their cyber defences so that they aren’t the next target.

Japanese automotive hose maker Nichirin has been hit by a ransomware attack forcing it to shut down its computerized production controls, as reported by Reuters:

“We are investigating what impact this may have on our customers, and we will promptly disclose any necessary information,” the company said.

Nichirin also posted a warning on its website about possible spoof emails that appeared to be from the company and asked recipients not to open any attached files.

Darren Williams, CEO of BlackFog has offered some perspective on this:

“We continue to see threat actors targeting manufacturers in the automotive, infrastructure and government sectors. Cyber criminals continue to target organizations with older infrastructure, lack of investment in cyber security in terms of both product and personnel. These industries continue to outpace the rest of the market in terms of attacks. It should serve as a reminder that even the smallest contributors to the supply chain must do their part to defend against cyberattacks.”

Additionally, the UK has decided not to impose regulations on the cyber security profession after an 8-week consultation conducted by the Department for Digital, Culture, Media and Sport. The UK Cyber Security Council will its planned chartered standards, as the Government monitors its adoption. In response, an expert with GoodAccess has offered commentary.

Artur Kane, VP of Product of GoodAccess also offers some perspective:

“According to Forbes, there are nearly 465,000 unfilled cyber jobs across the US. At the same time, the number of cyber-attacks has never been so high in history. While society becomes more digitized and wars move more often to cybersecurity space, those nations who want to be relevant must support their digitalization notions with strong security legislation. The lack of unfilled jobs must be supported through investments in education, but without clear directives on what skills, roles and frameworks, graduates rarely leave school being fully prepared for their new jobs. Leaving much of work on recruiting and requalifying employees on organizations and inherently slowing down the whole process and raising costs. Also, the diversity in approaches leads to varying quality and leaves some organization more vulnerable. The UK’s Embedding Standards and Pathways Across the Cyber Profession by 2025 has the potential of filling those gaps. With the decision to postpone its enforcement the UK government heard the voices of organizations, which is a good thing in democratic society, but on the other hand we’ve learnt in history that for big changes to make impact, more swift adoption is required. With GDPR, being controversial, not ideally communicated and left quite big space for speculative understanding of some standards, we are now all thankful for this directive to exist. Yes, companies struggled at the beginning to adopt those standards, but by enforcing it and leaving a protective period when fines were waived, companies felt the urgency and acted swiftly towards full adoption. Postponing the enforcement of the Embedding Standards might be a generous thing but will inherently compromise the speed at which UK solves one of most crucial problems of fully digital and globally competitive country.”

You can see how crippling an attack like this can be. Thus every company needs to make sure that their defences are in tip top shape and that they have the people required to fight this sort of battle if they have to, or make sure that they are in a position never to have to fight this sort of battle.

Kaiser Permanente has issued a breach notice regarding a data breach which occurred in early April, exposing 70k patients’ names, medical record numbers, dates of service and lab test results. Although not specified in Kaiser’s breach notice, regulators from the US Department of Health and Human Services Office for Civil Rights confirms this as a result of the email security slip-up at Kaiser’s Washington unit that let threat actors get in and have a few hours of access before they were shut down. I use the words “slip-up” based on this from the breach notice:

The employee received additional training on safe email practices, and we are exploring other steps we can take to ensure incidents like this do not happen in the future.

That means that the employee was either phished or clicked on something that ran malware to allow this to happen.

Sanjay Raja, VP of Product, Gurucul:

“It is most likely that the threat actor(s) involved were already inside for some time and what was detected was the actual data being exfiltrated within hours. What is becoming more evident as we see attacks similar to the Kaiser disclosure is Identity Threat Detection and Response (ITDR) is a critical component of any security operations program. However, too many solutions are rushing to announce identity-based capabilities for XDR or SIEM, but are simply correlating Active Directory data, while claiming to offer ‘identity analytics. This does nothing to automatically detect a threat and leaves security teams to continue to manually determine if an attack is active, which also leaves them chasing a lot of false positives that can potentially waste a lot of time and resources. Incorporating a full-blown set of identity data ingestion, analytics on infrastructure activity, access privileges and entitlements, combined with user and entity behavior analytics can provide security teams with not only understanding of risky or suspicious activity, but rapidly determine if an actual attack is taking place. More importantly, the key to stopping data from being stolen is enabling identity-centric response based on a full understanding of the risk to an organization based on what the context discovered and analyzed. Unfortunately, the vendor marketing hype is in full force already.” 

Hopefully Kaiser Permanente does more than just do training on one employee. Because now that this is out there, a lot of patients are going to be worried about their personal information. Which will likely lead to some of them calling their lawyers. And that won’t end well for Kaiser Permanente.