Research, identify, write and post a summary, and be prepared to discuss in class an article you found about a current event in the Information Security arena. For this week’s theme, research a current cybercrime theme – such as a recent attack, or management research on how organizations are dealing with cybercrime.
Vanessa Marin says
CaptureRx Ransomware Attack Affects Multiple Healthcare Provider Clients
On February 6, 2021, CaptureRx, a vendor for a variety of healthcare facilities that provides third-party healthcare administrative services, suffered a breach in their systems. The unusual activity, however, was not immediately apparent, and the conclusion of the preliminary analysis in which the activity was identified did not become known until February 19. This was then followed by a thorough analysis of all CaptureRx systems, which concluded on March 19. Notifications to healthcare providers ran from March 30 through April 7, and CaptureRx has since been working with providers to inform patients and regulatory authorities of the breach. PII that was stolen includes first and last names, dates of birth and prescription information. CaptureRx has committed to making their security more robust by reviewing and enhancing all their policies and procedures and introducing additional workforce training.
The most recent update posted by the HIPAA Journal on May 7 reports that breach victims include 28,000+ patients across 5 healthcare facilities. CaptureRx also reports that their investigation has not found any evidence that suggests there has been a misuse of the stolen data, but advises those impacted that they should monitor their accounts and insurance forms for any unexpected activity.
References:
https://www.inforney.com/texas/capturerx—notice-of-data-incident/article_e64f1310-7646-56e8-b7e9-961543132d2c.html
https://www.infosecurity-magazine.com/news/capturerx-data-breach-impacts/
https://www.hipaajournal.com/capturerx-ransomware-attack-affects-multiple-healthcare-provider-clients/
William Bailey says
When we read about these cybercrime incidents, we hope to learn the root cause(s) of the incident. CaptureRX doesn’t divulge the full details, only getting close to admitting the end user issue that contributed to the incident: “Following the attack, policies and procedures were reviewed and enhanced and additional training has been provided to the workforce.” During the course we’ll talk about ransomware, that it not only encrypts the data, but often will “acquire” a copy that is uploaded to the criminal’s server(s). CaptureRX suggests that the data has not been misused by the attackers, but quite often when data is stolen, it’s not used immediately; attackers will wait to use the stolen data, because immediately after the breach the data is being monitored for misuse, but after a year, the identity protection services have likely expired, and less attention is being paid to the misuse of the data.
Vanessa Marin says
Looking through the articles, you’re right! I couldn’t find the root cause in any of the articles, despite each report stating how long CaptureRx’s analysis took. Would you say it’s fair to assume that a company won’t divulge the root cause of an incident unless they are absolutely forced to? I too considered that the data breached in the incident could bubble back up in the future. What I also didn’t see was an offer by CaptureRx to provide monitoring measures at their own expense to those impacted individuals. That would at least help mitigate future misuse of data, if that ever went public.
Vanessa
Vincent Piacentino says
Vanessa/Bill,
It is interesting how life imitates art and vice versa.
All of these incidents, like this one, the Colonial Pipeline and SolarWinds, are right out of an action movie. Cool and scary at the same time! Don’t forget the popcorn!
Vincent Piacentino says
This December 2020 article by Bruce Schneier in “The Guardian” discusses an espionage campaign so broad that security experts are still uncovering who was affected and what was stolen.
The massive computer breach perpetrated by the Russian SVR (formerly the KGB) and the group known as Cozy Bear/APT29 allowed hackers to spend months laterally moving through U.S. government and private company computers undetected. Federal agencies like the Treasury and Commerce Departments were hit, as were thousands of civilian networks. These nation state hackers gained access to these networks through an update from SolarWinds. Also, last year the company’s update server was protected by the password “solarwinds123”. That boggles my mind!
Ultimately, the United States needs to adopt a much more “defense-oriented” posture when it comes to cybersecurity. According to Schneier, peacetime espionage is normal business operations for any country. In addition, the U.S. government failed to detect the “supply chain” attack on SolarWinds. In fact, it was security giant FireEye that discovered the SolarWinds hack while investigating its own hack. Experts say organizations and agencies can either “spend time trying to eradicate every trace of the hackers and identify every possible backdoor or they can burn it all down and start over.”
https://www.theguardian.com/commentisfree/2020/dec/23/cyber-attack-us-security-protocols
https://www.wired.com/story/russia-solarwinds-supply-chain-hack-commerce-treasury/
https://en.wikipedia.org/wiki/Cozy_Bear
William Bailey says
Keep in mind, Vinnie, that most organizations in the supply chain, such as SolarWinds, often won’t allow scanning against their infrastructure. So, SolarWinds customers would be considered “hackers” if they had performed their own security assessment of SolarWinds.
There’s a “Need for Speed” that permeates private industry and, at times, our government systems.
At other times, the government will slow down: even though SolarWinds has released what they describe as a fixed version, there are still government restrictions on bringing the patched SolarWinds back online.
-Bill
Vincent Piacentino says
Mr. Bailey,
Thank you for the insight! I did not look at it from that perspective.
SolarWinds faces the same fate as others: determining the full scope of their failures, increased insurance costs, loss of trust, regulatory concerns, etc.
Amelia Safirstein says
solarwind123!? It seems that it’s easy to fall into the groove of finding the most efficient and easiest routes for completing work (or remembering passwords) without considering security. IT professionals and 3rd party suppliers tend to be assessed based on their performance metrics which either completely ignore or don’t lean heavily toward security. For organizations that have the resources, I think it’s important to have an employee or team dedicated to security to make these types of mistakes less likely to occur.
Jerry Butler says
This is a great article Vincent, there are so many takeaways from this story:
1. How does the internal control team miss such a password?
2. How often are security reviews performed? Because if they are performed on a regular basis, this should be captured in the configuration settings.
3. How competent is the admin or network team? Having your password set up as “solarwinds123” given today’s environment, to me, is being tone deaf to current IT trends.
Mei X Wang says
Try This One Weird Trick Russian Hackers Hate
Most of us have heard about the Colonial Pipeline cyber attack. This attack was orchestrated by the new cybercrime group, DarkSide, which has been offering ransomware as a service. One of the biggest attacks leveraged was against the Colonial Pipeline, shutting down 5,500 miles of fuel pipe. The pipeline shut down for almost a week, causing gas shortages and price spikes throughout the country.
DarkSide has released a statement saying the organization is apolitical and does not wish to participate in geopolitics. Their goal is “to make money, not create problems with society”. One trick discovered that may be helpful in protecting your system is to install one of their “off-limits” languages onto your machine. DarkSide, like many malware strains, has a hardcoded do-not-install list of countries, from the Commonwealth of Independent States, former Soviet allies of the Kremlin. Installing a Russian keyboard on your laptop may not be a permanent fix, but it does help deter the attacks. The hackers may choose to forego your machine if they cannot differentiate whether it’s a domestic machine or a foreign “off-limits” machine.
Installing a Russian keyboard onto your PC may seem like a meaningless trick, but it’s one easy way to pass the preliminary language checks malware does. Because of Russia’s unique legal culture, cybercriminals will have to choose to protect their personal safety and fortunes or attack your machine at the risk of getting reported domestically in Russia. These checks are a way to ensure they are only attacking victims outside those countries.
https://krebsonsecurity.com/2021/05/try-this-one-weird-trick-russian-hackers-hate/
Vincent Piacentino says
That was an interesting article. Krebs on Security is a good site! I love the click-bait title.
Amelia Safirstein says
This is so interesting! I had no idea that many of these organizations avoided attacking devices in certain countries like this. It’s a pretty ingenious way to attack others without risking the physical protection of your home country.
Krish Damany says
DarkSide, the ransomware group associated with the recent Colonial Pipeline breach, has struck the technology company Toshiba. The attackers struck the European branch of the company, and the company has admitted that there is a possibility that information and data of its customers may have been leaked, but there is no direct confirmation. The group in charge of restoration and recovery of Toshiba’s assets took measures to stop any communication between the European branch and the Japan branch, along with any other European company associated with Toshiba. Another report done by Reuters showed that over 740 GB of information, such as passport scans and other PII, was stolen, which is a scarier situation than the non-answer given by the Toshiba representatives. The report also received a tip from a senior malware analyst at Mitsui Bussan Secure Directions, who stated that DarkSide has more than 30 groups attacking various organizations at any given moment, and succeeded with this Toshiba breach. It’s become difficult to 100% confirm the involvement of DarkSide, as their TOR site and servers have been shut down in a possible effort to distance themselves after the Colonial Pipeline breach.
https://www.infosecurity-magazine.com/news/toshiba-business-hit-darkside/
Mei X Wang says
Hi Krish, this was an interesting read. As technology helps regular businesses grow and mature, cybercrime is also developing its maturity as a business model. DarkSide is providing ransomware as a service to clients, and as these attacks/exploits exchange hands, they’re also able to detach themselves from the responsibility. Toshiba and Colonial Pipeline are only the beginning; I expect we’ll soon hear from them again.
Jerry Butler says
Malicious Office 365 Apps Are the Ultimate Insiders
This one is interesting due to the level of persistence of the hacker after the exploit is successful. Currently, we are reviewing our user security awareness program. We have implemented a “Lunch and Learn” class to help combat some of the more advanced social engineering methods. In one session, I asked users to identify a fake website. I showed three websites that look very similar. I asked each user to see if they could tell the engineered site. We also showed users several screenshots of how applications ask for permission. We reiterated that if something is requesting permission for the first time, to call IT. We cover many other topics.
Phishers targeting Microsoft Office 365 users increasingly are turning to specialized links that take users to their organization’s own email login page. After a user logs in, the link prompts them to install a malicious but innocuously-named app that gives the attacker persistent, password-free access to any of the user’s emails and files, both of which are then plundered to launch malware and phishing scams against others.
These attacks begin with an emailed link that, when clicked, loads not a phishing site but the user’s actual Office 365 login page, whether that be at microsoft.com or their employer’s domain. After logging in, the user might see a prompt to allow the app to install.
These malicious apps allow attackers to bypass multi-factor authentication, because they are approved by the user after that user has already logged in. Also, the apps will persist in a user’s Office 365 account indefinitely until removed, and will survive even after an account password reset.
https://krebsonsecurity.com/2021/05/malicious-office-365-apps-are-the-ultimate-insiders/
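As an added example (not from the Krebs article or this post), here is a small triage check for the consent-grant pattern described above: apps that were user-consented after login, hold mailbox and file permissions, and request a refresh token so they keep working after a password reset. The grant records, field names and scoring weights are constructed assumptions, not the layout of any real Microsoft audit log.

```python
"""Triage Office 365 / Azure AD app consent grants for the "ultimate insider"
pattern: user-consented, unverified apps with mail/file access and persistence.
All records below are constructed sample data; field names are assumptions."""
from dataclasses import dataclass

# Microsoft Graph delegated permissions that read or write mail and files.
MAILBOX_AND_FILE_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
}
# offline_access yields a refresh token, so the app keeps working after the
# user's password is reset; this is the persistence the post describes.
PERSISTENCE_SCOPE = "offline_access"


@dataclass
class ConsentGrant:
    app_name: str
    publisher_verified: bool
    consented_by: str        # "user" (self-service consent) or "admin"
    scopes: frozenset


def risk_score(grant: ConsentGrant) -> int:
    """Higher is worse. Weights are an illustrative assumption, not a standard."""
    score = len(grant.scopes & MAILBOX_AND_FILE_SCOPES)
    if PERSISTENCE_SCOPE in grant.scopes:
        score += 2
    if not grant.publisher_verified:
        score += 1
    if grant.consented_by == "user":
        score += 1   # consent happened after login, so MFA did not gate it
    return score


def find_suspicious(grants, threshold: int = 4):
    """Return the names of apps whose grant scores at or above the threshold."""
    return [g.app_name for g in grants if risk_score(g) >= threshold]


# Constructed sample: the first entry mirrors an innocuously named rogue app.
SAMPLE_GRANTS = [
    ConsentGrant("Upgrade", False, "user", frozenset(
        {"User.Read", "Mail.ReadWrite", "Files.ReadWrite.All", "offline_access"})),
    ConsentGrant("Expense Tool", True, "admin", frozenset({"User.Read", "Mail.Read"})),
    ConsentGrant("Calendar Sync", True, "user", frozenset({"Calendars.Read", "offline_access"})),
]

if __name__ == "__main__":
    for g in SAMPLE_GRANTS:
        print(f"{g.app_name}: score {risk_score(g)}")
    print("review these grants:", find_suspicious(SAMPLE_GRANTS))
```

Flagged grants are candidates for revocation and for a review of the account's mailbox rules, since removing the app, not resetting the password, is what ends the access.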
Krish Damany says
Hi Jerry,
The pandemic has surely increased the amount of attempts and attacks on Microsoft applications, as many organizations solely rely on Exchange and Office 365 apps on a daily basis. Of course, a large solution would be multi-factor authentication, but these attackers seem to have found ways around certain methods of authentication. SMS based MFA has been deemed fairly insecure as attackers can spoof SIM cards to gain access to text messages. Most organizations are requiring users to download an external authenticator app or even a physical RSA key.
Brian Schneider says
Biden Proposes Billions for Cybersecurity After Wave of Attacks
Administration officials, speaking on the condition of anonymity to preview the outline of cybersecurity proposals, stressed that the jobs plan proposals are just one part of a broader effort to elevate cyber issues across the federal government. “Cybersecurity is one of the preeminent challenges of our time, which is why President Biden has made strengthening U.S. cybersecurity capabilities a top priority,” the White House said in the fact sheet.
Biden signed an executive order on May 12 intended to improve the federal government’s information sharing about cyberattacks with the private sector while adopting better safety practices throughout the government. The order is intended to help the U.S. respond more swiftly to attacks on both public and private infrastructure.
https://www.bloomberg.com/news/articles/2021-05-18/biden-proposes-billions-for-cybersecurity-after-wave-of-attacks
Amelia Safirstein says
Perfect timing for our graduation!
Jerry Butler says
This is a great step to improving security with government bodies because the most damaging attacks have happened to them. I would start with replacing all legacy machines and re-training all employees, because that’s where the weakest link is for government, in my opinion.
Amelia Safirstein says
Ireland’s Health Service Executive computer systems were hit by a ransomware attack on Friday, May 14, around 4:30 AM. The attack was preceded by a few DDoS attacks on portions of HSE’s systems, which were not seen as severe threats at the time. The DDoS attacks may have included port scanning as reconnaissance for the ultimate ransomware attack. When the HSE IT team realized that a ransomware attack had begun to take over their systems, they shut all systems down to limit the damage caused by the attack and to allow time to assess the situation. Ireland’s state policies assert that they will not pay ransom to any ransomware attack, and they don’t plan to make an exception in this case. Paying the ransom in many cases is less expensive than recovering systems or starting from scratch if the victim organization doesn’t have a backup set up. Because of this, many organizations end up paying the ransom, fueling criminals’ drive to continue ransomware attacks.
https://www.irishtimes.com/news/health/bitcoin-ransom-will-not-be-paid-following-cyber-attack-on-hse-computer-systems-1.4564957
Eugene Angelo Tartaglione says
https://wtop.com/local/2021/05/during-pandemic-dc-was-2nd-most-targeted-area-by-cybercrime/
During pandemic, DC was 2nd-most targeted area by cybercrime
According to this article, DC was the 2nd most targeted area by cybercrime. CrowdStrike, based in California, said D.C. residents lost over $18 million last year, most commonly to extortion scams. There were 2,132 DC residents that fell victim to cyberattacks, which caused them to pay reparations of $18,942,722. This was only the amount reported, so the total amount could be even higher.
According to the article, “These are commonly referred to as ‘man in the email’ attacks, where scammers employ phishing and imitation techniques via email to encourage individuals or businesses to hand over sensitive information or conduct unauthorized transfer of funds on the basis of trust.” With this in mind, it seems that most users fell for phishing emails, and most of these cyber attacks could have been avoided if the victims had some cybersecurity training to help prevent them from falling victim to these attacks. Next time hopefully they don’t take the bait!
Jerry Butler says
Wow! This article is a good read. I guess the next question here would be: why DC?
Could it be because it is the governing district that has the most federal government employees?