Robin’s Newsletter #314

23 June 2024. Volume 7, Issue 25
Updates on significant healthcare incidents. US gov bans Kaspersky. Spoofing Microsoft.com emails.

This week

Updates on three significant healthcare breaches in the UK, US and Australia…

Qilin ransomware group says Synnovis was planned to disrupt NHS

  • The Register says it has spoken to representatives of the Qilin ransomware group behind the attack on Synnovis, a blood testing firm that supplies NHS hospitals in the UK’s capital. The cybercriminals said the attack’s impact was not accidental and, when asked about the disruption to NHS services, said, “That was our goal.”
  • The group claimed its motivation was political, targeting organisations affiliated with ‘political elites’ where “[the] politicians of these countries do not keep their word, they promise a lot, but are in no hurry to fulfil their promises.” While Synnovis is a private company, the NHS is not-for-profit and is not affiliated with any political party.
  • Qilin’s claimed motivation is therefore at odds with its usual, financially motivated modus operandi, and the group may be fabricating a position based on the impact and media attention surrounding the attack. Doubly so given that a $50 million ransom demand was made. LINK
  • The Guardian claims that records covering 300 million patient interactions were stolen by Qilin, including results of HIV and cancer blood tests. It also says that the National Crime Agency is working to remove the records published by the criminals this week from the Internet and may consider other retaliatory action. LINK, NCA

Change Healthcare confirms that a ‘substantial proportion’ of the US population is affected

  • Change Healthcare says medical records affecting a “substantial proportion of people in America” were stolen during a ransomware attack in February. The disruption caused by the ALPHV cybercriminals made it difficult for thousands of hospitals and pharmacies to serve patients and highlighted the risk that comes with the significant consolidation occurring in parts of the US healthcare sector.
  • The UnitedHealth Group subsidiary said that personal and identity information, such as name, address, date of birth, contact details, driver’s licence, passport and social security numbers, was compromised, alongside medical records, test results, treatment plans, and insurance policy details.
  • Affected individuals should receive notice by mail in late July once the company’s investigation (now in its ‘late stages’) has been completed. LINK

Details of the Medibank attack emerge in court documents filed by the regulator

  • The theft and release of data on 9.7 million current and former Medibank customers, hot on the heels of another sizeable breach at telco Optus, was front-page news in Australia. Shortly after the attack, during ‘Operation Safeguard’, all systems were taken offline over a weekend to harden them and implement multi-factor authentication. Thanks to court documents filed by the Office of the Australian Information Commissioner, we now have more information on how the incident occurred.
  • The Information Commissioner alleges that an IT service desk agent at Medibank had saved their company credentials in the web browser on their company computer. However, the browser was signed in to the agent’s personal account, and the saved credentials were synced to their personal computer at home. Malware infected the home computer a few weeks before the attack on Medibank, and the cybercriminals obtained the support agent’s standard and administrator accounts. (Segregating standard and administrator accounts is good practice, but the separation is undone when both sets of credentials sit in the same synced password store.) The attacker could simply log in to Medibank’s email and VPN because MFA was not enabled on them. LINK
  • I’m sure Medibank is not alone in its exposure to this type of attack vector. I’ve seen similar instances first-hand with other clients. Web browsers want you to log in to offer consumer features and build their users’ advertising profiles. You should consider whether you need multiple browsers installed and which accounts, if any, are authorised to sign in to them.
  • Authorities named Russian citizen Aleksandr Ermakov as the perpetrator in January this year. vol. 7, iss. 4

ShinyHunters claims responsibility for the Snowflake customer breaches

  • Wired claims to have spoken to a representative of the ShinyHunters cybercrime group, which has claimed responsibility for breaching multiple customers of data-as-a-service provider Snowflake. Companies including Ticketmaster, LendingTree and Advance Auto Parts have all said they are victims.
  • ShinyHunters claim they obtained access via EPAM Systems, an American digital and software engineering firm, with most of its staff based in Belarus, Ukraine, and formerly Russia. EPAM is an ‘Elite Tier’ Snowflake partner. LINK
  • Santander has confirmed that its data breach relates to data held in Snowflake’s platform. The global bank said that the personal data of 12,000 employees was taken during the incident, including name, social security number, and bank account information used in payroll. LINK
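Returning to the Medibank item above: the pattern to look for on endpoints is corporate credentials saved in a browser profile that is signed in to a personal (syncable) account, and the fix is to stop the browser offering sign-in, sync and password saving at all. The script below is an added example for this newsletter, not Medibank’s or Google’s code. It assumes Chrome’s profile layout (a ‘Login Data’ SQLite database with a ‘logins’ table, and a ‘Preferences’ JSON file whose ‘account_info’ key lists signed-in accounts; check that key against your Chrome version), the Linux managed-policy directory, and a hypothetical corporate domain medibank.example. The demo profile it builds is constructed sample data; the policy names BrowserSignin, SyncDisabled and PasswordManagerEnabled are real Chrome enterprise policies.

```python
"""Audit a Chrome profile for the Medibank pattern and emit a hardening policy.

Added example; not Medibank's or Google's code. Assumed: profile layout
('Login Data' SQLite with a 'logins' table, 'Preferences' JSON with an
'account_info' list), the Linux policy directory, and the corporate domain.
"""
import json
import os
import shutil
import sqlite3
import tempfile
from urllib.parse import urlparse

CORP_DOMAINS = ("medibank.example",)                  # hypothetical corporate domain
LINUX_POLICY_DIR = "/etc/opt/chrome/policies/managed"  # Chrome reads *.json here on Linux

# Real Chrome enterprise policy names; these are the hardened values.
HARDENED_POLICY = {
    "BrowserSignin": 0,               # 0 = disable signing the browser into any account
    "SyncDisabled": True,             # nothing in the profile syncs off the device
    "PasswordManagerEnabled": False,  # the browser never offers to save credentials
}


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_corporate(host):
    return any(host == d or host.endswith("." + d) for d in CORP_DOMAINS)


def saved_corporate_logins(profile_dir):
    """(origin_url, username) pairs the browser has stored for corporate hosts.

    Chrome keeps 'Login Data' locked while running, so the audit works on a
    copy. password_value is never read: knowing a credential exists is enough.
    """
    src = os.path.join(profile_dir, "Login Data")
    with tempfile.TemporaryDirectory() as tmp:
        copy = os.path.join(tmp, "Login Data")
        shutil.copyfile(src, copy)
        con = sqlite3.connect(copy)
        try:
            rows = con.execute("SELECT origin_url, username_value FROM logins").fetchall()
        finally:
            con.close()
    return [(url, user) for url, user in rows if is_corporate(host_of(url))]


def signed_in_accounts(profile_dir):
    """Emails the profile is signed in as (assumed 'account_info' key in Preferences)."""
    with open(os.path.join(profile_dir, "Preferences"), encoding="utf-8") as f:
        prefs = json.load(f)
    return [a.get("email", "") for a in prefs.get("account_info", [])]


def findings(profile_dir):
    """Exposed = corporate logins saved in a profile signed in to a non-corporate account."""
    personal = [e for e in signed_in_accounts(profile_dir)
                if not is_corporate(e.rsplit("@", 1)[-1].lower())]
    creds = saved_corporate_logins(profile_dir)
    return {"personal_accounts": personal, "corporate_logins": creds,
            "exposed": bool(personal) and bool(creds)}


def write_policy(policy_dir=LINUX_POLICY_DIR, name="corp-browser-hardening.json"):
    """Drop the hardened policy where Chrome will pick it up; returns the file path."""
    os.makedirs(policy_dir, exist_ok=True)
    path = os.path.join(policy_dir, name)
    with open(path, "w", encoding="utf-8") as f:
        json.dump(HARDENED_POLICY, f, indent=2)
    return path


def demo_profile(profile_dir):
    """Constructed sample profile (a subset of Chrome's real 'logins' columns)
    reproducing the risky state, so the audit can be tried offline."""
    os.makedirs(profile_dir, exist_ok=True)
    con = sqlite3.connect(os.path.join(profile_dir, "Login Data"))
    con.execute("CREATE TABLE IF NOT EXISTS logins "
                "(origin_url TEXT, username_value TEXT, password_value BLOB)")
    con.executemany("INSERT INTO logins VALUES (?, ?, ?)", [
        ("https://vpn.medibank.example/login", "jsmith", b"<encrypted>"),
        ("https://admin.medibank.example/", "jsmith-adm", b"<encrypted>"),
        ("https://shop.example.net/account", "jsmith", b"<encrypted>"),
    ])
    con.commit()
    con.close()
    with open(os.path.join(profile_dir, "Preferences"), "w", encoding="utf-8") as f:
        json.dump({"account_info": [{"email": "jsmith@gmail.example"}]}, f)
    return profile_dir


if __name__ == "__main__":
    import sys
    profile = sys.argv[1] if len(sys.argv) > 1 else demo_profile(tempfile.mkdtemp())
    print(json.dumps(findings(profile), indent=2))
```

Run it with a profile directory as the argument (on Windows that is under %LOCALAPPDATA%\Google\Chrome\User Data; on Windows and macOS the policy goes into the registry or a configuration profile rather than the Linux directory above). On the constructed profile it reports two corporate logins, one personal sync identity, and exposed: true.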

Interesting stats 

75% of Adobe Commerce and Magento websites remained unpatched almost two weeks after the ‘CosmicSting’ vulnerability (CVE-2024-34102; 9.8/10) was fixed. The vulnerability allows remote attackers to read private files and potentially achieve remote code execution. An estimated 250,000 e-commerce sites run the affected Adobe software. LINK

346 million installs of ‘security-noteworthy extensions’ (SNEs) over the last three years, according to researchers from Stanford University, who found that an SNE remains available on the Chrome Web Store for 380 days on average. 280 million of those installs were of malware and 63 million were of extensions violating store policy. Google, by contrast, says that less than 1% of all installs from the Chrome Web Store were found to include malware. (See Interesting reads below.)

Other newsy bits / in brief

🤓 Interesting reads:

  • What is in the Chrome Web Store? Investigating Security-Noteworthy Browser Extensions. A study of global trends in the Chrome Web Store and their security implications. LINK (PDF)

⚠️ Incidents:

  • Massachusetts residents needing emergency help could not place 911 calls this week after service provider Comtech misconfigured a firewall and blocked inbound calls. The outage lasted two hours. LINK
  • Total Fitness suffered a data breach of member photographs after the database in which they were stored was left publicly accessible. Total Fitness, a UK gym chain, claims 100,000 members and employs 600 staff. The company says that only a “subset” of customers were affected, at odds with the researcher who reported the issue and claims 474,000 images totalling 47GB were exposed. LINK
  • Polish authorities say Russian attackers could be behind the recent DDoS attack that disrupted national broadcaster TVP’s online broadcast of the Poland-Netherlands match in the Euro 2024 tournament. LINK
  • The Association of Texas Professional Educators (ATPE) says that the details of 426,280 people may have been compromised following the detection of ‘suspicious activity’ on its network in February 2024. LINK

🏴‍☠️ Ransomware:

  • CDK Global, a car dealership software provider, has confirmed a cyberattack that has resulted in an outage of its customers’ systems. The company says it supplies the software behind around 15,000 auto dealerships. The BlackSuit ransomware group has claimed responsibility. LINK
  • NHS Dumfries and Galloway is writing to 150,000 people to warn them that cybercriminals may have published their personal information. The health board, part of the UK’s universal health system, fell victim to the INC Ransom group earlier this year and has refused to pay the criminals’ ransom demand. The group stole millions of documents during the attack, covering all manner of personal and medical data, from X-ray images to highly sensitive information. NHS Dumfries and Galloway will contact those who had the most sensitive data exposed directly to discuss the risks. LINK

🕵️ Threat Intel:

  • A researcher claims to have found a way to spoof @microsoft.com emails to Outlook users. Microsoft closed the bug report because they ‘could not reproduce’ despite receiving a video showing the required steps. As this gets public attention, I’d expect it to get fixed quickly, but it’s hardly a ringing endorsement of Microsoft’s ‘re-commitment’ to security. Be on the lookout for suspicious emails from legitimate Microsoft emails (he says as if that’s a simple matter). LINK, @slonser_
  • A Chinese espionage group dubbed ‘Velvet Ant’ used custom malware deployed on an F5 BIG-IP appliance at the network perimeter as an internal command-and-control node and to exfiltrate data from a target organisation for three years, according to Sygnia. The compromise was possible because the victim had not patched the appliance against known remote code execution vulnerabilities. LINK
  • The FT reports that Silicon Valley companies like Google, OpenAI, and Sequoia Capital are stepping up their staff vetting after the US government issued warnings about Chinese espionage. FBI director Christopher Wray and counterparts from across the Five Eyes intelligence network held an event in California last November. LINK
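On the @microsoft.com spoofing item: whatever the researcher’s trick turns out to be, the check a receiving system (or an analyst with the raw headers) can make is whether the visible From: domain was actually authenticated, which is what DMARC decides. The code below is an added example for this newsletter, not the researcher’s technique and not Microsoft’s code; the three messages are constructed samples with the receiver’s authserv-id mx.example.net. It approximates relaxed alignment with the last two DNS labels (a production check needs the Public Suffix List) and, as a practitioner should, only trusts Authentication-Results headers stamped by the named receiving host, since an attacker can add their own.

```python
"""DMARC-style alignment check over raw message headers.

Added example; not the researcher's technique or Microsoft's code. The
sample messages are constructed; 'mx.example.net' is the assumed authserv-id
of our own receiving MTA.
"""
import email
import email.utils
import re
from email.policy import default

AR_RESULT = re.compile(r"\b(spf|dkim)=(\w+)")
DKIM_DOMAIN = re.compile(r"header\.d=([A-Za-z0-9.-]+)")
SPF_DOMAIN = re.compile(r"smtp\.mailfrom=(?:[^@\s;]+@)?([A-Za-z0-9.-]+)")


def org_domain(domain):
    """Approximate organisational domain (last two labels). Real DMARC uses the
    Public Suffix List, without which 'example.co.uk' would collapse to 'co.uk'."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, strict=False):
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if strict else org_domain(a) == org_domain(f)


def from_domain(msg):
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def dmarc_like_verdict(raw, strict=False, authserv_id=None):
    """Return (passes, reason). Passes only if SPF or DKIM *passed* and the
    authenticated domain aligns with the RFC5322.From domain the user sees."""
    msg = email.message_from_string(raw, policy=default)
    rfc5322_from = from_domain(msg)
    if not rfc5322_from:
        return False, "no RFC5322.From domain"
    seen = []
    for ar in msg.get_all("Authentication-Results", []):
        ident, _, rest = str(ar).partition(";")
        # Only trust results our own MTA stamped; anyone can add this header upstream.
        if authserv_id and ident.strip().split()[0] != authserv_id:
            continue
        for clause in rest.split(";"):
            m = AR_RESULT.search(clause)
            if not m or m.group(2).lower() != "pass":
                continue
            method = m.group(1).lower()
            dom = (DKIM_DOMAIN if method == "dkim" else SPF_DOMAIN).search(clause)
            if not dom:
                continue
            seen.append((method, dom.group(1)))
            if aligned(dom.group(1), rfc5322_from, strict):
                return True, f"{method} pass for {dom.group(1)} aligns with From {rfc5322_from}"
    if not seen:
        return False, f"no SPF or DKIM pass for From {rfc5322_from}"
    passing = ", ".join(f"{m}={d}" for m, d in seen)
    return False, f"passing results ({passing}) do not align with From {rfc5322_from}"


# Constructed samples: a genuine-looking Microsoft notification, an SPF-only
# spoof from an attacker's bounce domain, and a DKIM-signed spoof.
LEGIT = """From: Microsoft account team <account-security-noreply@accountprotection.microsoft.com>
Authentication-Results: mx.example.net; dkim=pass header.d=accountprotection.microsoft.com header.s=selector1; spf=pass smtp.mailfrom=accountprotection.microsoft.com
Subject: constructed sample

body
"""

SPOOF_SPF = """From: "Microsoft" <no-reply@microsoft.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce@mail.attacker.example; dkim=none
Subject: constructed sample

body
"""

SPOOF_DKIM = """From: "Microsoft" <no-reply@microsoft.com>
Authentication-Results: mx.example.net; dkim=pass header.d=attacker.example; spf=pass smtp.mailfrom=attacker.example
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoof_spf", SPOOF_SPF), ("spoof_dkim", SPOOF_DKIM)):
        print(name, dmarc_like_verdict(raw, authserv_id="mx.example.net"))
```

The first message passes (DKIM d= aligns with the From: domain), the other two fail even though SPF ‘passed’, because the passing domain is the attacker’s, not the one shown to the user. Note that this only tells you what your MTA authenticated; a client-side display bug, which is what the item above appears to describe, can still show a spoofed sender for a message that never passed.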

🪲 Vulnerabilities:

  • VMware is warning customers about a pair of critical vulnerabilities in its vCenter Server product. CVE-2024-37079 and CVE-2024-37080 (both 9.8/10) are heap-overflow vulnerabilities that an attacker with network access can trigger. LINK, ADVISORY
  • SolarWinds Serv-U file transfer software has a high-rated path traversal vulnerability. CVE-2024-28995 (8.6/10) allows unauthenticated attackers to read arbitrary files from the filesystem of an affected server. Attackers are actively exploiting the vulnerability following publication of a proof-of-concept exploit. LINK, ADVISORY
  • Researchers at Eclypsium have found a buffer overflow vulnerability in Phoenix SecureCore UEFI firmware used on some Intel-based devices, including the popular Lenovo ThinkPad and Yoga laptops. CVE-2024-0762 (7.5/10) affects code that handles Trusted Platform Module (TPM) configuration; the TPM is used to validate software integrity and perform other security functions. LINK, ADVISORY, LENOVO
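The Serv-U item is yet another unauthenticated file read via path traversal, a bug class that keeps recurring because the request path is joined onto a base directory without proving the result stays inside it. The snippet below is an added example of the generic defence, not SolarWinds’ code and not an exploit for CVE-2024-28995; the request paths in it are constructed test inputs. It shows the naive concatenation beside a resolver that decodes once, refuses double encoding, absolute paths, NUL bytes and ‘..’ segments in either separator style, and finally checks the symlink-resolved result against the root.

```python
"""Hardened path resolution for a file-serving endpoint (the path traversal class).

Added example; generic code, not SolarWinds' and not an exploit for the CVE.
"""
import os
from urllib.parse import unquote


class PathTraversal(ValueError):
    """Raised when a client-supplied path would leave the served directory."""


def naive_join(root, requested):
    """The pattern that goes wrong: join with no validation. Deliberately insecure,
    kept only for comparison. Note os.path.join drops root entirely if `requested`
    is absolute."""
    return os.path.join(root, requested)


def safe_resolve(root, requested):
    """Resolve `requested` strictly inside `root` and return the absolute path.

    Order matters: decode percent-encoding exactly once (so %2e%2e is seen as
    '..'), reject anything still encoded (double-encoding bypasses), normalise
    backslashes, refuse absolute paths, NUL bytes and any '..' segment, then
    prove the fully resolved path (symlinks followed) still sits under root.
    """
    root_real = os.path.realpath(root)
    decoded = unquote(requested)
    if unquote(decoded) != decoded:
        raise PathTraversal("multiply-encoded path")
    normalised = decoded.replace("\\", "/")
    if normalised.startswith("/") or "\x00" in normalised:
        raise PathTraversal("absolute path or NUL byte")
    if any(seg == ".." for seg in normalised.split("/")):
        raise PathTraversal("parent-directory segment")
    candidate = os.path.realpath(os.path.join(root_real, normalised))
    # Final, authoritative check: the resolved path must be root or under it.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathTraversal("escapes root after resolution")
    return candidate


def is_safe(root, requested):
    try:
        safe_resolve(root, requested)
        return True
    except PathTraversal:
        return False


if __name__ == "__main__":
    # Constructed request paths of the kind seen in traversal probes.
    for req in ("docs/readme.txt", "../../etc/passwd", "..\\..\\windows\\win.ini",
                "%2e%2e/%2e%2e/etc/passwd", "%252e%252e/etc/passwd", "/etc/passwd"):
        print(f"{req!r:32} naive -> {os.path.normpath(naive_join('/srv/files', req))!r:28}"
              f" safe -> {is_safe('/srv/files', req)}")
```

Running it shows the naive join happily producing /etc/passwd for three of the six probes while the resolver rejects all but the legitimate request. The percent-decoding step is only right if the framework has not already decoded the path; decoding twice is itself a classic way to reopen the hole, which is why the resolver refuses anything that still decodes.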

📜 Policy & Regulation:

  • The US government is banning the sale of Kaspersky antivirus software in the country on national security and user privacy grounds, citing the company’s base in Russia. “Russia has shown it has the capacity, and even more than that, the intent to exploit Russian companies like Kaspersky to collect and weaponize the personal information of Americans”, U.S. Commerce Secretary Gina Raimondo told reporters. Kaspersky may continue to provide security updates to existing customers until 29th September, after which updates will also be prohibited. Kaspersky has been banned from federal government agencies since 2017. A dozen senior executives and leaders, excluding CEO Eugene Kaspersky, have been sanctioned by the Treasury Department. LINK, SANCTIONS
  • Signal president Meredith Whittaker criticises the latest EU position on end-to-end encrypted messaging: that image and URL sharing should only be available to users who opt in to terms allowing the service provider to scan that content for child sexual abuse material. LINK
  • The US Department of Homeland Security (DHS) has set out spending plans for the next two years. The threat to critical infrastructure, artificial intelligence, supply chain security, and geopolitical tensions with China are all focus areas. LINK

👮 Law Enforcement:

  • Guidehouse, the US public sector spin-out from PwC, and subcontractor Nan McKay have settled allegations that they did not meet contractual cybersecurity requirements. The $11.3 million settlement, which does not include an admission of guilt, covers systems used to administer housing benefits to New Yorkers during the COVID-19 pandemic. A whistleblower notified authorities after both firms failed to conduct pre-deployment security tests. The system allowed search engines to index some records, which both firms admitted could have been prevented. LINK
  • Sellafield, operator of the UK’s largest nuclear waste site, has pleaded guilty to criminal charges brought by the nuclear regulator over security lapses. The Office for Nuclear Regulation (ONR) says the state-owned company failed to “ensure that there was adequate protection of sensitive nuclear information on its information technology network” and that it failed to arrange “annual health checks” of the security of its systems. The Sellafield site in Cumbria, northwest England, holds the world’s largest stockpile of plutonium, and the ONR describes it as “one of the most complex and hazardous nuclear sites in the world”. LINK

💰 Investments, mergers and acquisitions:

  • PQShield, a ‘post-quantum’ cryptography startup out of Oxford, UK, has raised a $37 million Series B funding round, led by Addition. LINK
  • Active Directory protection outfit Semperis has announced a $125 million Series D funding round on a valuation north of $1 billion. Mickey Bresman, the CEO, said, “I have a horn,” referring to the company’s unicorn status. The funds will be used for R&D, with acquisitions not off the table. LINK

And finally

  • I’d really appreciate it if you can give me some (anonymous) feedback on what you like, and what you think could be improved, about this newsletter. And/or share it with a friend or colleague. Thank you!
Robin
