Booz Allen says former staffer downloaded employees’ personal data • ZebethMedia

U.S. government contractor Booz Allen Hamilton has disclosed that a former staffer downloaded potentially tens of thousands of employees’ personal information from the company’s internal network.

The government and defense contractor said that one of its staffers, while still employed by the company, downloaded a report containing the personal information of “active employees as of March 29, 2021.” A copy of Booz Allen’s website archived in March 2021 said the company had 27,600 employees, many of whom are contracted to U.S. government, military and intelligence agencies and hold high-level security clearances.

The notice said that the report downloaded by the employee contained “your name, Social Security number, compensation, gender, race, ethnicity, date of birth, and U.S. Government security clearance eligibility and status as of March 29, 2021.”

Booz Allen said the report containing the personal information was “improperly stored on an internal SharePoint site,” but did not say what circumstances led to the discovery of the data, only that it “recently learned” of the staffer’s activity. The data breach notice, filed with the California attorney general’s office this week, said Booz Allen discovered the data exposure on April 14, 2022.

The data breach notice said the now-former staffer acted “in direct contradiction” of the company’s policies, but that the company does “not believe that the individual intended to misuse any of the personal information in the report to cause harm to Booz Allen employees.” It’s not clear if the individual has been charged with any criminal offenses.

‘We know who you are’ • ZebethMedia

The Australian Federal Police claims to have identified the cybercriminals behind the Medibank ransomware attack, which compromised the personal data of 9.7 million customers.

AFP Commissioner Reece Kershaw said on Friday that the agency knows the identity of the individuals responsible for the attack on Australia’s largest private health insurer. He declined to name the individuals but said the AFP believes that those responsible for the breach are in Russia, though some affiliates may be in other countries.

In a tweet, Australian Prime Minister Anthony Albanese, whose own Medibank data was stolen, said the AFP knows where the hackers are and is working to bring them to justice.

“The Australian Federal Police have identified the hackers, revealing they’re located in Russia. We know where they are. And we are working hard to bring them to justice.” — Anthony Albanese (@AlboMP), November 11, 2022

Kershaw said that police intelligence points to a “group of loosely affiliated cyber criminals” who are likely responsible for previous significant data breaches around the world, but did not name victims. “These cyber criminals are operating like a business with affiliates and associates who are supporting the business,” he added, pointing to ransomware-as-a-service operations such as LockBit. On Thursday, a dual Russian-Canadian national linked to the LockBit operation was arrested in Canada.

The hackers behind the Medibank breach have previously been linked to the high-profile Russian cybercrime gang REvil, also known as Sodinokibi. REvil’s once-defunct dark web leak site now redirects traffic to a new site that hosts the stolen Medibank data, and the hackers behind the breach have also been observed using a variant of REvil’s file-encrypting malware.

The Russian Embassy in Canberra was quick to rebuff allegations that the Medibank hackers are based in Russia. “For some reason, this announcement was made before the AFP even contacted the Russian side through the existing professional channels of communication,” the embassy said in a statement on Friday. “We encourage the AFP to duly get in touch with the respective Russian law enforcement agencies.”

Russia’s Federal Security Service, the FSB (formerly the KGB), said in January that REvil “ceased to exist” after several arrests were made at the request of the U.S. government. In March, Ukrainian national Yaroslav Vasinskyi, an alleged key member of the REvil group linked to an attack on U.S. software vendor Kaseya, was extradited from Poland to the U.S. to face charges.

“Even after a series of law enforcement operations against REvil, the gang and its affiliates still seem to keep returning, based on the analysis of the latest REvil ransomware sample,” Roman Rezvukhin, head of the malware analysis and threat hunting team at Group-IB, tells ZebethMedia.

Kershaw said on Friday that the AFP, along with international partners such as Interpol, will “be holding talks with Russian law enforcement about these individuals.” “It is important to note that Russia benefits from the intelligence-sharing and data shared through Interpol, and with that comes responsibilities and accountability,” Kershaw said. “To the criminals: We know who you are, and moreover, the AFP has some significant runs on the scoreboard when it comes to bringing overseas offenders back to Australia to face the justice system.”

While the AFP has successfully extradited people from Poland, Serbia and the United Arab Emirates in recent years to face criminal charges in Australia, extraditing Russian hackers is likely to be challenging. In 2018, Russian President Vladimir Putin declared that “Russia does not extradite its citizens to anyone.”

Despite action by the AFP, the Medibank breach continues to worsen following the insurer’s decision to refuse to pay the cybercriminals’ ransom demand. On Thursday, the attackers’ dark web blog posted more stolen data, including sensitive files related to abortions and alcohol-related illnesses. The cybercriminals claimed that they initially sought $10 million in ransom from Medibank before reducing the sum to $9.7 million, or $1 per affected customer, the blog said.

“Unfortunately, we expect the criminal to continue to release stolen customer data each day,” Medibank CEO David Koczkar said on Friday. “These are real people behind this data and the misuse of their data is deplorable and may discourage them from seeking medical care.”

Ransomware gang threatens to publish thousands of Australians’ health data • ZebethMedia

A ransomware group with suspected links to the notorious Russian-speaking REvil gang has threatened to release the personal information of millions of Medibank customers after the Australian private health insurance giant pledged it would not pay the cybercriminals’ ransom demand.

Medibank, Australia’s largest health insurance provider, first disclosed a “cyber incident” on October 13, saying at the time that it detected unusual activity on its network and took immediate steps to contain the incident. Days later, the company said that customer data might have been exfiltrated.

In an update posted this week, the Melbourne-based Medibank admitted that the attackers accessed roughly 9.7 million customers’ personal information, including names, birth dates, email addresses and passport numbers. The cybercriminals also accessed health claims data for almost 500,000 customers, including service provider names and locations, where customers received certain medical services, and codes associated with diagnoses and procedures administered. For 5,200 users of Medibank’s My Home Hospital app, the cybercriminals accessed some personal and health claims data and, for some, next of kin contact details.

Medibank CEO David Koczkar said that while the health insurance giant believes the attackers likely exfiltrated all of the data they were able to access, the organization would not pay the ransom demand. “Based on the extensive advice we have received from cybercrime experts, we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” Koczkar said. The chief executive added that paying could even encourage the hackers to adopt a triple-extortion tactic by attempting to extort customers directly.

Following Koczkar’s announcement, a ransomware gang believed to be a rebrand of the defunct REvil group threatened to leak the stolen Medibank data. The new dark web leak site, seen by ZebethMedia, listed Medibank as one of its victims and said it planned to release the exfiltrated data publicly. The gang did not say how much data it exfiltrated from Medibank’s network, and did not share evidence of its claims.

The links between the new leak site and REvil, which went dark after U.S. authorities pushed the operation offline in October following the gang’s ransomware attacks on Colonial Pipeline, JBS Foods and U.S. technology firm Kaseya, remain unclear. Brett Callow, a ransomware expert and threat analyst at Emsisoft, said that the new operation uses a variant of REvil’s file-encrypting malware and that REvil’s old website now redirects to the new leak site.

Medibank described the gang’s threats as a “distressing development” in a second update published on Tuesday, and urged customers to be vigilant with all online communications and transactions. “We unreservedly apologise to our customers. We take seriously our responsibility to safeguard our customers and support them,” said Koczkar. “The weaponization of their private information is malicious, and it is an attack on the most vulnerable members of our community.”

Medibank added that it is working with the Australian Government, including the Australian Cyber Security Centre and the Australian Federal Police, to try to prevent the sharing and sale of customer data.

News of the Medibank attack comes just weeks after Australia’s second-largest telco, Optus, was breached. The Australian government confirmed an upcoming legislative change that would see companies that fail to adequately protect people’s data face fines of $50 million or more.

Twilio hack investigation reveals second breach, as the number of affected customers rises • ZebethMedia

U.S. messaging giant Twilio confirmed it was hit by a second breach in June that saw cybercriminals access customer contact information. Confirmation of the second breach — carried out by the same “0ktapus” hackers that compromised Twilio again in August — was buried in an update to a lengthy incident report that Twilio concluded on Thursday.

Twilio said the “brief security incident,” which occurred on June 29, saw the same attackers socially engineer an employee through voice phishing, a tactic whereby hackers make fraudulent phone calls impersonating the company’s IT department in an effort to trick employees into handing over sensitive information. In this case, the Twilio employee provided their corporate credentials, enabling the attacker to access customer contact information for a “limited number” of customers.

“The threat actor’s access was identified and eradicated within 12 hours,” Twilio said in its update, adding that customers whose information was impacted by the June incident were notified on July 2.

When asked by ZebethMedia, Twilio spokesperson Laurelle Remzi declined to confirm the exact number of customers impacted by the June breach and declined to share a copy of the notice that the company claims to have sent to those affected. Remzi also declined to say why Twilio has only just disclosed the incident.

Twilio also confirmed in its update that the hackers behind the August breach accessed the data of 209 customers, an increase from the 163 customers it reported on August 24. Twilio has not named any of its impacted customers, but some — like encrypted messaging app Signal — have notified users that they were affected by Twilio’s breach. The attackers also compromised the accounts of 93 users of Authy, the two-factor authentication app Twilio acquired in 2015.

“There is no evidence that the malicious actors accessed Twilio customers’ console account credentials, authentication tokens, or API keys,” Twilio said. The company confirmed that the attackers maintained access to Twilio’s internal environment for two days, between August 7 and August 9.

The Twilio breach is part of a wider campaign from a threat actor tracked as “0ktapus,” which targeted at least 130 organizations, including Mailchimp and Cloudflare. But Cloudflare said the attackers failed to compromise its network after their attempts were blocked by phishing-resistant hardware security keys.

As part of its efforts to reduce the efficacy of similar attacks in the future, Twilio has announced that it will also roll out hardware security keys to all employees. Twilio declined to comment on its rollout timeline. The company says it also plans to implement additional layers of control within its VPN, remove and limit certain functionality within specific administrative tooling, and increase the refresh frequency of tokens for Okta-integrated applications.

New York Post says its site was hacked after posting offensive tweets • ZebethMedia

The New York Post, one of the biggest New York City daily newspapers, said it was hacked on Thursday after several offensive articles and tweets were published to the newspaper’s website and Twitter account. The articles and tweets, which were racist and sexually violent in nature, were pulled a short time later. ZebethMedia is not publishing the contents of the tweets, several of which called for the assassination of politicians and public figures.

“The New York Post has been hacked. We are currently investigating the cause.” — New York Post (@nypost), October 27, 2022

It’s believed the New York Post’s content management system, used for publishing stories and articles, may have been breached. The offensive tweets were sent via SocialFlow, a popular website plugin used to push stories to social media sites. The tweets also contained links that pointed to web pages on the Post’s website, but which were no longer accessible at the time of writing.

A spokesperson for News Corp, which owns the New York Post, did not immediately respond to a request for comment.

The breach comes weeks after Fast Company’s content management system was breached to push offensive Apple News notifications to readers. Fast Company pulled its site down for more than a week to rebuild its systems following the compromise.

Hive ransomware gang leaks data stolen during Tata Power cyberattack • ZebethMedia

The Hive ransomware group has claimed responsibility for the recent cyberattack on Tata Power, a leading Indian energy company, and has started leaking stolen employee data.

Tata Power, which serves more than 12 million customers through its distributors, confirmed on October 14 that it had been hit by a cyberattack that impacted some of its IT systems. “The company has taken steps to retrieve and restore the systems. All critical operational systems are functioning,” Tata Power said at the time, but did not confirm any specific details about the attack or its impact.

Hive, the ransomware gang that recently hit the Costa Rican government, this week listed Tata Power on its dark web leak site, which it uses to publicize attacks and stolen data. The group claims it encrypted the company’s data on October 3, suggesting Tata Power may have known about the breach two weeks prior to its initial filing, according to the listing, which ZebethMedia has seen. The listing of stolen data suggests any negotiations to pay a ransom failed.

This data, reviewed by ZebethMedia, includes sensitive employee information, such as Aadhaar national identity card numbers, tax account numbers, salary information, home addresses and phone numbers. The leaked data, which was posted to Hive’s dark web leak site on October 24, also includes engineering drawings, financial and banking records, client records and some private keys.

“The leak has sensitive data but nothing that affects power grids,” Rahul Sasi, co-founder and CEO of threat intelligence firm CloudSEK, who also reviewed the leaked data, told ZebethMedia. Sasi said that the group’s motivation appears to be purely financial. ZebethMedia contacted Tata Power but had not received a response at the time of publication.

The Hive ransomware gang has been active since mid-2021. The gang and its affiliates started by targeting organizations that experience high downtime costs, such as healthcare providers, energy providers and retailers. The group is known for its aggressive tactics and has been observed using methods such as “triple extortion,” whereby the attackers seek money not only from the organization that was first targeted but also from anyone who might be impacted by the disclosure of that organization’s data.

The attack on Tata Power is the latest in a series of attacks carried out by Hive. Last month, the group claimed an attack on the New York Racing Association just a few days after leaking data stolen from Bell Canada-owned subsidiary Bell Technical Solutions.

NHS vendor Advanced won’t say if patient data was stolen during ransomware attack • ZebethMedia

The hackers used “legitimate” credentials to breach the vendor’s network

Advanced, an IT service provider for the U.K.’s National Health Service (NHS), has confirmed that attackers stole data from its systems during an August ransomware attack, but refuses to say if patient data was compromised.

Advanced first confirmed the ransomware incident on August 4 following widespread disruption to NHS services across the U.K. The attack downed a number of the organization’s services, including its Adastra patient management system, which helps non-emergency call handlers dispatch ambulances and helps doctors access patient records, and Carenotes, which is used by mental health trusts for patient information.

In an update dated October 12 and shared with ZebethMedia on Thursday, Advanced said the malware used in the attack was LockBit 3.0, according to the company’s incident responders, named as Mandiant and Microsoft. LockBit 3.0 is a ransomware-as-a-service (RaaS) operation that hit Foxconn earlier this year.

In its updated incident report, Advanced said that the attackers initially accessed its network on August 2 using “legitimate” third-party credentials to establish a remote desktop session to the company’s Staffplan Citrix server, which powers its caregiver scheduling and rostering system. The report implies there was no multi-factor authentication in place that would have blocked the use of stolen passwords.

“The attacker moved laterally in Advanced’s Health and Care environment and escalated privileges, enabling them to conduct reconnaissance, and deploy encryption malware,” Advanced said in the update.

Advanced said some data pertaining to 16 Staffplan and Caresys customers (referring to NHS trusts) was “copied and exfiltrated,” a technique known as double extortion, where cybercriminals exfiltrate a company’s data before encrypting the victim’s systems. In the update, Advanced said there is “no evidence” to suggest that the data in question exists elsewhere outside its control and that “the likelihood of harm to individuals is low.”

When reached by ZebethMedia, Advanced chief operating officer Simon Short declined to say if patient data is affected, or whether Advanced has the technical means, such as logs, to detect if data was exfiltrated. LockBit 3.0’s dark web leak site did not list Advanced or NHS data at the time of writing. Short also declined to say if Advanced paid a ransom.

“We are, however, monitoring the dark web as a belt and braces measure and will let you know immediately in the unlikely event that this position changes,” Advanced said in the update.

Advanced said its security team disconnected the entire Health and Care environment to contain the threat and limit encryption, which downed a number of services across the NHS. The extended outage left some trusts unable to access clinical notes, and others were forced to rely on pen and paper, BBC News reported in August.

Advanced said its recovery from the incident is likely to be slow, citing an assurance process set by the NHS, NHS Digital and the U.K. National Cyber Security Center. “This is time-consuming and resource intensive and it continues to contribute to our recovery timeline,” Advanced said. “We are working diligently and bringing all resources to bear, including outside recovery specialists, to help us restore services to our customers as quickly as possible.”

The healthcare industry remains a top priority for ransomware actors. Earlier this month, U.S. hospital giant CommonSpirit was hit by a cybersecurity incident that is disrupting medical services across the country — which it later confirmed was a ransomware attack.
