The IT Nerd

Back in October of this year, 23andMe was pwned in a credential stuffing attack. Fast forward to today and it appears that 23andMe has put a number to the number of people affected by this attack:

On Friday, the California-based company said in a regulatory filing that the personal data of 0.1% of customers – or about 14,000 individuals – had been accessed by “threat actors”. But the filing warned that hackers were also able to access “a significant number of files containing profile information about other users’ ancestry”.

The company confirmed to TechCrunch on Saturday that because of an opt-in feature that allows DNA-related relatives to contact each other, the true number of people exposed was 6.9m – or just less than half of 23andMe’s 14 million reported customers.

Another group of about 1.4 million people who opted in to 23andMe’s DNA relatives feature also “had their family tree profile information accessed”, the company also acknowledged. That information includes names, relationship labels, birth year, self-reported location and other data.

23andMe said in a statement: “We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts.

“We believe that the threat actor may have then, in violation of our terms of service, accessed 23andme.com accounts without authorization and obtained information from those accounts.”

That is a non-trivial number of people who have had been affected by this. And I don’t exactly see, nor have I heard of any direct communication to users of this service. George McGregor, VP, Approov Mobile Security concurs with that:

   “This is starting to look like a good case-study in how to not handle a breach. It’s difficult at this point to be confident that no more bad news will be forthcoming. In addition, there has still (as of December 4th) been no direct communication to users. Let it be a lesson for others to ensure a solid data breach plan is in place!”

23andMe really needs to get its act together as from what I can see, they have failed their user base miserably. And given the scope and scale of this hack, they need to do better. Much better.

UPDATE: Ted Miracco, CEO, Approov Mobile Security adds this:

   “With data breaches, the compromise of DNA connections, family tree information, and genetic data exceeds the conventional threat posed by compromised credit cards and social security numbers. The depth of personal insight inherent in one’s familial relationships (& genetic blueprint!) amplifies the potential for profound and lasting damage. 

   “As it has been said, ‘great power comes with great responsibility’, and the alarming lack of transparency surrounding this breach heightens the implications for individuals and their privacy. The repercussions of this breach extend far beyond casting a shadow on the company’s reputation and raising questions among shareholders about the adequacy of security measures, as this problem will not be fixed with an apology and 12 months of credit monitoring services. We should expect the consequences of this breach will be far reaching, and hopefully lead to better accountability. ”

North Texas Municipal Water District was recently pwned in a ransomware attack, causing operational issues and exfiltrated customer files:

Officials at North Texas Municipal Water District have confirmed that the water, wastewater, and solid waste management services provider had its business computer network impacted by a cyberattack, according to The Record, a news site by cybersecurity firm Recorded Future.

While phone services have been disrupted by the attack, there has been no impact on customers, said NTMWD Director of Communications Alex Johnson, who added that an investigation looking into the extent of the incident is already underway.

Ransomware operation Daixin Team has taken credit for the attack, which it claims has resulted in the exfiltration of more than 33,000 files with customer details from NTMWD’s systems.

Well that sucks for North Texas Water. Tom Marsland, VP of Technology, Cloud Range had this comment:

The breach of the North Texas Municipal Water District only breached the business network and phone system, and core water, wastewater, and solid waste services were unaffected. Kudos to the teams for strong isolation and/or practices that prevented a breach of the OT network. Municipal water and utility companies are a growing target due to limited staff – there is still a schism between IT and OT operations personnel in most organizations that I’ve worked with.

The recent publication by CISA regarding the exploitation of Unitronics PLCs used in water and wastewater systems highlights basic principles that highlight the schism between OT operations personnel and cybersecurity departments. Use of default passwords, multi-factor authentication, keeping backups of running configurations, practicing recovery, and keeping things off the open internet that do not need to be there are basic tenets of cybersecurity – the fact CISA has to remind organizations of these highlights the need for experienced professionals working in OT cybersecurity. All of these are low-hanging fruit for any organization to cover. 

We will continue to see more breaches of OT/ICS systems until these methods of protection are taken seriously. Devices should not be connected to the internet that could directly impact human life just for convenience. There needs to be wider, open-source security solutions provided to smaller organizations, both in ICS/OT and IT, to help with cybersecurity practices.  Too often we’re seeing the smaller organizations be the weak link in the chain that is then enabling wider breaches.

Seeing as a municipal water provider was the target of this attack, it highlights the fact critical infrastructure needs to be protected from attacks like this. But clearly that isn’t happening, and that needs to change. Now.

This week, human resources data analytics company Zeroed-In Technologies sent out data breach letters to 2 million people who were affected by an August breach of its systems, including customers of retailers Dollar Tree and Family Dollar. 

A Fort Myers, Florida-based data company, the company provides a cloud-based HR analytics platform to collect, analyze, and visualize workforce data. According to the company’s website, it has 30K registered users.

Zeroed-In discovered suspicious activity in some of their systems on August 8^th, 2023. Their investigation concluded August 31^st and three months later on November 27th, they informed the Maine Attorney General’s office and began sending out notification letters. The company claims it’s “providing notice to individuals and regulators, as required.” But Florida law requires companies to report breaches in 30 days or less:

Florida Statutes 501.171

• (3) NOTICE TO DEPARTMENT OF SECURITY BREACH.—
• (a) A covered entity shall provide notice to the department (of Legal Affairs) of any breach of security affecting 500 or more individuals in this state. Such notice must be provided to the department as expeditiously as practicable, but no later than 30 days after the determination of the breach or reason to believe a breach occurred.

“… Zeroed-In conducted a review of the contents of the systems to determine what information was present at the time of the incident and to whom the information relates.” Files accessed in the hack included:

• Names
• DOBs
• SSNs 

Troy Batterberry, CEO and founder, EchoMark:

   “When these serious breaches happen, “time to detect” and “time to remediate” are critical benchmarks to stop the “information bleeding”. Logging and monitoring are important aspects of the forensics analysis to detect and remediate breaches. However, we know they often do not go nearly far enough to pinpoint the source of data exfiltration quickly. This is especially true when an insider is involved, or their computing assets have been compromised. Information watermarking is a new technology that can help expedite time to remediate and help get the business up and running again.”

Let’s see what Florida does to Zeroed-In Technologies as it appears that Florida law was not followed in this case. And if that’s true, I hope that Florida makes an example of this company as that will give others a huge incentive to play by the rules and do what they are supposed to do when it comes to data breaches.

If there was any doubt that ransomware actors are in full attack mode, here are just some of my top recent fire drills:

• Ardent hospital ERs disrupted in 6 states after ransomware attack
  • On Thanksgiving day
• Healthcare giant Henry Schein hit twice by BlackCat ransomware
  • One month after initial attack and just prior to restoring their network
• 2 N.J. emergency rooms diverting patients after … cyber attack
  • Thanksgiving day
• Hospitals Across U.S. Forced to Divert Patients Due to Possible Cyber Attack
  • Thanksgiving day
• Notorious ransomware gang takes credit for cyberattack on Fidelity National Financial
  • a multibillion-dollar player in the real estate industry

May as well disconnect from the internet on holidays as it seems that you’re likely to get pwned.

Emily Phelps, Director, Cyware offered up this comment:

   “Cybercriminals are largely opportunistic, seeking the path of least resistance to execute an attack. They know that holidays can be a prime time to take advantage of potentially decreased defenses. Before the holidays, consider security awareness training and increase authentication and access controls. Patch and update systems and ensure incident response and recovery plans are current. Communicate with partners and vendors to ensure they are also maintaining strong security practices during the holiday season. Vigilance is critical year-round, and organizations must take additional steps before the holidays to safeguard against opportunistic threat actors. “

Stephen Gates, Principal Security SME, Horizon3.ai had this comment:

   “In the context of recent headlines about massive data breaches, disruption of life-saving medical services, and successful ransomware attacks against government, healthcare, finance, education, and so on, it’s a clear indication that organizations of all sizes and across all industries are losing the battle against their adversaries. From a simple, high-level observation, never in history have so many organizations – and the public at large – been impacted by the current onslaught of recent criminal activity. At this point, most would agree that the layer upon layer of cyber defenses commonly deployed to protect everyone are simply not working.

   “Almost all organizations today have no idea where their truly exploitable vulnerabilities exist, and due to this fact, it is supercharging attacker campaigns. If organizations cannot find that hidden chink in their armor, that crack in their layered walls of defense, that blind spot they didn’t even know existed, they will never be able to adequately defend themselves against a purposeful attacker with nothing but time on their side – and money on their mind. It’s time to go on the offensive and attack yourself with the same tactics, techniques, and procedures attackers use so you can see your networks through the eyes of an attacker – before they do.”

David Ratner, CEO, HYAS Infosec follows with this:

   “Attacks on critical infrastructure don’t only cause reputational and financial damage but have the ability to impact human life as well.  It’s vital that critical infrastructure providers everywhere follow the guidance of CISA and others and implement appropriate solutions for operational resiliency and business continuity — this is the only way they can ensure continual service, have the confidence to operate their businesses, and ultimately protect human lives.

   “All too often bad actors leave themselves hidden backdoors to continue to exploit an organization even after restoration and cleanup. It’s why service-assurance and continual monitoring post cleanup is so important. The best way to accomplish this is with visibility into the various traffic streams coming out of the enterprise, to properly identify bad actors communicating with their malware via command-and-control and shut it down before damage ensues.”

The fact that there are this many ransomware events shows just how out of control ransomware actors are. Clearly something needs to be done or else there’s going to be no hope for any of us.

The threat actor “IntelBroker” was seen on a hacker forum, peddling a database allegedly containing information from General Electric and DARPA, complete with critical access credentials like SSH and SVN, as well as DARPA-related military documents, SQL files, and more.

General Electric is probing the claims of a breach that allegedly resulted in the data theft.
The company is investigating the suspected breach and potential data theft from their development environment, traced back to a hacker’s attempt to sell access and data on multiple occasions

Initially, the threat actor attempted to hawk access to GE’s “development and software pipelines” for $500 on a hacker forum. Failing to sell the access, the actor returned, offering both network access and the purportedly stolen data. From the threat actor:

“I previously listed the access to General Electrics, however, no serious buyers have actually responded to me or followed up. I am now selling the entire thing here separately, including access (SSH, SVN etc),” the threat actor posted to a hacking forum.

“Data includes a lot of DARPA-related military information, files, SQL files, documents etc.”

Troy Batterberry, CEO and founder, EchoMark had this comment:

   “Unfortunately, we see this every day. Highly skilled and well-funded organizations are working hard to protect their data with security stacks that include security gap discovery and analysis, EDR, Cloud security, UEBA, Identity & Access Analytics, SOAR and even ransomware killswitches, but then leave much of their most sensitive data both unprotected and readily sharable. The recent leaks of sensitive government and judicial information are just a few examples.

   By digitally watermarking data and assets, organizations get several key benefits. First, they can help deter insider leaks from ever happening in the first place by motivating better stewardship of the private information. If malicious or accidental insider leaks do happen, the source can be quickly identified and remediated. In the case of a successful external attack, watermarks can help quickly identify the compromised assets for fast remediation.”

It will be interesting to see what General Electric reports back in terms of the extent of this hack and what was swiped. Because like other hacks we’ve seen lately, this one is far from trivial.

The Idaho National Laboratory got pwned over the weekend. Here’s what happened next:

Idaho National Laboratory experienced a massive data breach on Sunday night, leading to the leak of employee addresses, Social Security numbers, bank account information and much more.

INL media spokesperson Lori McNamara tells EastIdahoNews.com the breach is being investigated and federal law enforcement are involved.

“Earlier this morning, Idaho National Laboratory determined that it was the target of a cybersecurity data breach, affecting the servers supporting its Oracle HCM system, which supports its Human Resources applications. INL has taken immediate action to protect employee data,” says McNamara. “INL has been in touch with federal law enforcement agencies, including the FBI and the Department of Homeland Security’s Cyber Security and Infrastructure Security Agency to investigate the extent of data impacted in this incident.”

According to INL, more information will be shared as the situation progresses.

Slight problem though, they didn’t protect employee or any other data:

EastIdahoNews.com was able to download and view the hacked information. We have been able to confirm the authenticity of the leaked information from several employees. The information impacts thousands of local workers. 

A politically-motivated hacking group has claimed responsibility for the data breach on various social media platforms. EastIdahoNews.com is not naming the group, due to the nature of the sensitive information, which is now publicly available. 

As of 11 a.m., INL officials could not the confirm the identity of the hackers.

Lovely. John Gunn, CEO, Token has this comment:

90% of data breaches start with a successful phishing attack, yet most organizations are using 20-year old legacy multifactor authentication (MFA) technology as their primary means of securing access. So many headlines and so many breached companies. and all from the same vulnerability – people falling victim to sophisticated phishing attacks and it will only get worse as cybercriminals expand their use of AI.

This attack based on what we know is pretty bad. And I suspect that as more details emerge, the scope of how bad this is will become clear.

UPDATE: I did say that as more details emerged, the scope of how bad this is will become clear. Here’s some additional details. In a Telegram post on Sunday, hacking group SiegedSec claimed to be behind this hack.

The group claims to have accessed servers supporting its Oracle human resources applications, gaining access to detailed information of current and former employees.

Another data point, INL operates under the Department of Energy and scientists work on national security programs, including protecting critical infrastructure like the U.S. power grid. INL is also the premier lab for nuclear energy focusing on energy security, reliability and cybersecurity.

Corey Brunkow, Dir of Eng Operations, Horizon3.ai had this comment based on the above:

   “Oracle Human Capital Management is an application under the Oracle Fusion Cloud SaaS suite which is listed on the FedRAMP Marketplace with an agency authorized Authority to Operate (ATO). This SaaS has been provided authorization to operate by at least 5 separate Authorizing Agencies after going through an extensive and expensive FedRAMP process. The fact that this service was breached and could lead to the breach of the at least 10 other agencies that have provided an ATO or reused the ATO for this product leads me to conclude that the US Government’s over-reliance on exhaustive check-list based compliance and security theater through documentation is not a fail-safe against the myriad of negative outcomes in cybersecurity. Compliance programs like FedRAMP authorization is only one portion of a complete cybersecurity posture, and the current rate of threat generation and activity is much faster than any human auditor can keep pace with.

   “The negative outcome here beyond the initial breach of data is a clear national security concern due to the sensitive nature of the work and capable people that do the work at our national labs. With the data revealed through this hack, the Department of Energy should prepare for individual or organizational blackmail campaigns, individual threats, and possibly the departure of critical and highly skilled workforce members. The SiegedSec hacktivist group, now armed with detailed information about employees could pose a significant risk to the likelihood of insider threat problems due to the stress and situation that the newly breached employees now face with their personal sensitive data exposed to a hacktivist group that has previously targeted NATO entities and other government services.”

US, mail-order pharmacy provider Truepill is sending notification letters to more than 2.36 million individuals disclosing that their personal data has been compromised following a breach of its systems in late August.  

Truepill, also known as Postmeds, said data accessed by attackers who infiltrated network on August 30th included: 

• Full names 
• Demographic details 
• Medication types 
• Names of their prescribing physicians 

Truepill’s B2B-focused pharmacy platform uses APIs for direct-to-consumer healthcare brands’ order fulfillment and delivery services so some individuals receiving the notices had never heard of the company. 

The breach has prompted various class action lawsuits accusing Postmeds of providing incomplete information regarding the compromised data, failing to ensure the encryption of sensitive health data and delaying the company’s breach notification. 

Ted Miracco, CEO, Approov Mobile Security had this comment:

   “Many healthcare organizations still rely on legacy systems and infrastructure that were not designed with modern cybersecurity practices in mind. API security today is of utmost importance, particularly in the context of mobile APIs, as these are often targeted by attackers due to their inherent vulnerabilities, widespread usage and wealth of sensitive data they can access.  While encryption is a basic aspect of API security for data storage, during transmission sensitive information must also remain secure even if intercepted by malicious actors. Strong encryption protocols such as HTTPS/TLS should be used to ensure the confidentiality and integrity of data exchanged between mobile devices and APIs. 

   “In addition to encryption, the use of secure short-lived tokens is an effective security practice. These tokens serve as access credentials and are typically issued for a limited duration. By using short-lived tokens, the window of opportunity for attackers to exploit stolen or compromised tokens is minimized. Regularly rotating these tokens further enhances security by reducing the potential impact of a token compromise. 

   “Implementing access controls and authorization mechanisms is another important aspect of API security. User credentials alone may not be sufficient to protect sensitive data. APIs should enforce granular access controls, ensuring that users or applications only have access to the specific resources and actions they require. This principle of least privilege helps limit the potential damage in case of a breach. By limiting the number of API requests that can be made within a specific time frame, these measures help safeguard the API infrastructure and protect businesses from costly data breaches like this one.”

Hopefully the class action lawsuits that have been filed teach this company and others a lesson. Which is that if you get pwned, you will pay one way or the other.

A couple of weeks ago, I wrote about the fact that the Toronto Public Library was pwned by ransomware. I’ve been tracking this story since and I haven’t updated you on this despite the fact that they’ve been silent since that went public. Today they said something new, and what they said isn’t good:

At this point in our investigation, we believe current and former staff employed by Toronto Public Library (TPL) and the Toronto Public Library Foundation (TPLF) from 1998 are impacted. Information related to these individuals was likely taken, including their name, social insurance number, date of birth and home address.

Copies of government-issued identification documents provided to TPL by staff were also likely taken.

Our cardholder and donor databases are not affected. However, some customer, volunteer and donor data that resided on the compromised file server may have been exposed. It will take us time to analyze data to determine who is affected and how. We will continue to be transparent and notify those affected as appropriate and in light of our findings.

That’s not good at all. And it seems like a well known threat actor is behind this according to Bleeping Computer:

While the library hasn’t yet attributed the attack to a specific ransomware operation, BleepingComputer has learned that the Black Basta ransomware gang was behind the October 28 attack after seeing a photo of a ransom note shown on a TPL workstation.

As a TPL employee told BleepingComputer, the attack occurred overnight on October 27, disrupting numerous services by Saturday morning.

It will be interesting to see what the Toronto Public Library does from this point onwards given the fact that they now know what’s out there. Will they alert these people? Will they offer free credit monitoring? Those are things that I’ll be looking for in the days and weeks to come.

Denmark’s, Non-profit SektorCERT reported on the nation’s largest cyber incident on record where attackers gained access to the systems of 22 Danish companies overseeing various components of energy infrastructure in May by exploiting a zero-day vulnerability in popular Zyxel firewalls.
 
Unfortunately, many of the observed attacks were possible because the companies had not updated their firewalls and had opted out of the software update because:

• There was a charge for installation  
• It was assumed the ‘new’ Zyxel firewall was the latest update
• It was believed Zyxel was responsible for implementing the updates

 11 companies were “immediately” and simultaneously compromised allowing the attackers to gain control of the firewall and access the critical infrastructure behind it while preventing the energy companies from warning others in advance.

Several of the breached companies avoided significant impact by disconnecting the local or national power networks.

Ted Miracco, CEO, Approov Mobile Security had this to say:

   “It comes as no surprise to see this attack linked to a Russian military group such as VooDoo Bear, as many European countries that have supported Ukraine have become targets, especially in the energy sector. With eyes now turned to the Middle East, we may see even more aggressive and increasingly sophisticated attacks on the Ukraine and its allies, as the Russians perhaps see support from the West potentially wavering or at least seeing signs of fatigue.

   “Another take away from this incident is the short-sighted decision making that led to critical infrastructure providers not patching a known zero-day vulnerability in the Zyxel firewalls.”

Dave Ratner, CEO, HYAS follows with this:

   “Bad actors will build their own databases of which organization utilizes which suppliers, so that when a new zero-day vulnerability becomes known they can strike almost instantaneously.  Staying current on patches is of course always recommended; however, even this may not be enough if the criminals exploit the zero-day first.  It’s just one more reason to implement an operational resiliency strategy and ensuring a complete security-in-layers approach.”

Really, in 2023 there should be no excuse for not being proactive about updates. At this example illustrates, bad things will happen to those who don’t update all the things.