Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Security Operations. Show all posts

Florida Medical Lab Data Breach Exposes 300,000 Individuals’ Sensitive Information

 

Florida-based medical laboratory, American Clinical Solutions (ACS), recently experienced a significant data breach that exposed the sensitive information of approximately 300,000 individuals. The hacking incident, attributed to the criminal group RansomHub, resulted in the theft of 700 gigabytes of data, which has since been published on the dark web. The exposed data includes Social Security numbers, addresses, drug test results, medical records, insurance information, and other highly sensitive personal details. 

ACS specializes in patient testing for both prescription and illicit narcotics, offering its services to healthcare providers. On July 24, ACS reported the breach to the U.S. Department of Health and Human Services’ Office for Civil Rights. The stolen data encompasses lab testing results from January 2016 until May 2024, the period during which the hacking incident allegedly occurred. Privacy attorney David Holtzman, from the consulting firm HITprivacy LLC, expressed concerns over the nature of the exposed information, highlighting the potential for reputational harm, financial compromise, and extortion due to the sensitivity of drug testing data. 

Despite the severity of the breach, ACS has not yet issued a public statement about the incident on its website, nor has it responded to requests for further details. This lack of communication has raised concerns among legal and regulatory experts, who warn that failing to alert patients about the breach may compound the potential harm. Holtzman emphasized the importance of transparency in such situations, suggesting that the absence of a breach notification may prompt investigations by HHS or state attorneys general to determine whether ACS has complied with the Health Insurance Portability and Accountability Act (HIPAA) and other relevant state laws. 

The delay in notifying affected individuals may stem from various factors, including the possibility that law enforcement advised ACS to wait or that the total number of impacted individuals has not yet been determined. Regulatory attorney Rachel Rose pointed out that drug testing data, while not subject to the stringent federal 42 CFR Part 2 privacy regulations that govern substance disorder treatment facilities, is still considered highly sensitive. Rose compared the compromised information to reproductive health records, mental health records, and data related to diseases like AIDS. 

RansomHub, the group behind the attack, has rapidly gained notoriety within the cybersecurity community since its emergence in February. The gang has claimed responsibility for several major hacks across the healthcare sector, including a June attack on the drugstore chain Rite Aid, which compromised the data of 2.2 million individuals. Security firm Rapid7 recently identified RansomHub as one of the most notable new ransomware groups, underscoring the growing threat it poses to organizations worldwide.

DDoS Attacks: Becoming More Powerful & Shorter in Duration

 

Microsoft says that it witnessed distributed denial-of-service attacks turn shorter in duration in 2022 while also becoming more effective and capable of greater impact. As per Microsoft's DDoS trends report for 2022, the United States, India, and East Asia topped the targeted regions for DDoS attacks, among others, and internet of things devices remained the preferred choice for launching these attacks. DDoS attacks in 2022 lasted less than an hour on average, and attacks lasting 1 or 2 minutes accounted for one-fourth of total attacks last year.

According to the tech giant, the attacks were shorter because bad actors required fewer resources to carry them out, and security teams are finding it difficult to defend against them using legacy DDoS controls. "Attackers frequently use multiple short attacks over the course of several hours to make the most impact while using the fewest resources," Microsoft says.

The daily average was 1,435 DDoS attacks, with the highest number being 2,215 on September 22. During the holiday season, the volume of DDoS attacks increased significantly until the last week of December.

In Azure Aloud, Microsoft documented a 3.25 terabyte-per-second attack as the "largest attack" in 2022. This is less than the previous largest known DDoS attack, which had an intensity of  3.47 TB per second at its peak.

TCP reflected amplification attacks are becoming more common and powerful, according to Microsoft, and more diverse types of reflectors and attack vectors are typically exploiting "improper TCK stack implementation in middleboxes, such as firewalls and deep packet inspection devices." Attackers impersonate the target's IP address to send a request to a reflector, such as an open server or middlebox, which response to the target, such as a virtual machine.

TCP reflected amplification attacks can now reach "infinite amplification" in some cases. A reflected amplified SYN+ACK attack on an Azure resource in Asia in April 2022 reached 30 million packets per second and lasted 15 seconds.

The attack throughput was not particularly high, but there were 900 reflectors involved, each with retransmissions, resulting in a high pps rate that can bring down the host and other network infrastructure," according to the report.

Preferred Mode of Attack for IoT Devices

According to Microsoft, adversaries preferred IoT devices to launch DDoS attacks, a trend that has been growing in recent years. During the Russia-Ukraine war in 2022, the use of IoT devices increased.

Botnets used by nation-state actors and criminal enterprises, such as Mirai, have been adapted to infect a wide range of IoT devices and support new attack vectors. "While Mirai is still a major player in the field of botnets, the threat landscape in the field of IoT malware is evolving, with new botnets emerging such as Zerobot and MCCrash," Microsoft said.

TCP attacks were the most common type of DDoS attack in 2022, accounting for 63% of all DDoS attacks recorded, followed by UDP attacks at 22%.
 
Politically motivated DDoS attacks have risen to prominence, particularly in the year since Russia's invasion of Ukraine. KillNet, a Russian hacktivist group loyal to Moscow, actively recruited volunteers to launch DDoS attacks against Western nations.

KillNet has launched 86 attacks against pro-Ukraine countries since the war began in February, according to the CyberPeace Institute, which tracks publicly disclosed attacks related to the Russia-Ukraine war.

Altering Data Into Evidence May Elevate SecOps Success


We are a generation that lives in a data-driven world. It drives every critical decision-making process in a diversity of fields ranging from healthcare, and financial services to retail services. But is this data well protected in terms of cybersecurity? 

When dealing with alert overload, security operations (SecOps) require something more crucial than just the raw data. In reality, it is evidence – a contextual understanding of what the given data implies – that is required in order to strengthen the defenders’ and response capabilities. 

From Data to Evidence

Data can be evidently described to be a pioneer of evidence, for it is acquired from a collection of networks, endpoints, on-premises and cloud infrastructure, applications, or even individuals. 

One can estimate that the massive amounts of data could rapidly become overwhelming. However, where should this data be stored? How long must it be stored? How do you correlate it in order to comprehend it? Moreover, how can it be used as evidence to firmly shed light on what happened and when? 

While evidence begins with the data, it extends and advances via contextual enrichment and correlation. Here, adding context to data could be interpreted as utilizing relevant asset data from Configuration Management Databases (CMDBs) and the information present on CVEs, GeoIPs, block/allow-lists, etc. 

The goal of correlation is to link related events in a particular sequence. When assessing whether an event should be labelled as an incident, intrusion, or breach, organisations need this evidence, with its context and correlation. This will significantly impact how and to which relevant stakeholders should the information be disseminated. 

Streamlining Security Operations: 

One of the challenges confronting the SecOps team is how they frequently struggle to gather sufficient proof, so as to indulge and prioritize their detection and response operations. This is rather critical, for an average Security Operation Center (SOC) team has to monitor at least 51 incidents on a regular basis. According to recent research, almost half of these teams (46%) believe they are "inundated by a never-ending torrent of cyber-attacks." 

For better understanding, take a typical SIEM tool for an instance. The tool, in its simplest form, acquire data from varying sources and further sends cautionary alerts of potential security threats and vulnerabilities. Network data thus makes a crucial source of evidence, since gathering and monitoring the data passively aids to evade detection by threat actors or vulnerability. 

However, collecting and monitoring isolated data sets pertaining to protocols (HTTP, DNS for instance), the timing of network sessions (human keystrokes over SSH), or encrypted traffic metadata (SSL, RDP, SSH, etc.) is not enough. Since this would only load the SecOps team with alerts. 

Data instead should be segregated, analyzed, contextualized, and correlated in order to effectively enhance a defender’s capabilities. Moreover, with the help of machine learning analytics in an intuitive search platform, comprehensive network evidence as such could further enhance and accelerate the operations of SecOps. In addition to lessening the time for search and response, it will enable human analysts to prioritize actionable alerts and create a pool of raw data that can be analyzed to ascertain what happening and how. 

The evidence thus powers detection. Not only will this aid security in an organization, but will also assist better informed post-incident decision-making and notification. The reputational and financial ramifications of this alone make it a strategy worth pursuing in an environment where regulations are becoming more rigorous.  

Operation Chakra: CBI Searches 105 Locations, Targeting Cyber Crimes

 

The CBI, on Tuesday, has launched ‘Operation Chakra’ in order to debunk “cyber-enabled financial crimes,” carrying out raids at 105 locations across numerous states and Union Territories. The operations have been put to force in coordination with Interpol, the Federal Bureau of Investigation (FBI) along with state police forces. 
 
The action was taken after CBI busted two call centres in Pune and Ahmedabad, that allegedly targeted unsuspecting American citizens. The centres consisted of nearly 150 people, who would make fraudulent calls to prospective targets in the United States, enticing the victims into making transactions on various pretexts. The calls were allegedly made via Voice over Internet Protocol technology to dodge detection. The initial information regarding the scam was briefed by the FBI with the CBI, a few months ago. 
 
The raids were conducted in association with police forces of the six states and Union Territories, namely Andaman and Nicobar (raids at four locations), New Delhi (five locations), Chandigarh (three locations) and two locations each in the states of Punjab, Karnataka, and Assam. 
 
According to the sources, “Of all the locations, CBI alone has conducted searches at around 80 locations spread states. The agency also received inputs from the raids from the Royal Canadian Mounted Police.” 
 
“From one location in Rajasthan, CBI uncovered Rs. 1.5 crores cash and 1.5 Kg gold. The accused person had been running an illegal call centre. Two such call centres were also busted in Ahemdabad and Pune. They were involved in call centre fraud in the US. The FBI has been informed and they are taking follow up action,” stated the CBI official. 
 
CBI has also retrieved digital evidence, including details pertaining to bank transactions and dark web cybercrime activity. In this regard, “a person of interest has also been identified in Punjab in this connection” the official added. 
 
The agency has carried on with the operation, seizing digital proofs including mobile phones, laptops and hard disks, for further investigation.

Anonymous Hacking Group Targets Controversial Web Hoster Epik

 

US-based web host and domain registrar Epik has confirmed an “unauthorized intrusion” in its systems, a week after members of hacktivist group ‘Anonymous’ claimed that the group had obtained and leaked gigabits of data from the hosting company, including 15 million email addresses.

The firm initially denied reports of the breach by saying, “'we are not aware of any breach. We take the security of our clients' data extremely seriously, and we are investigating the allegation.”

According to data breach monitoring service HaveIBeenPwned, the leaked information, comprising 180 GB of information, includes not just information on Epik's own customers, but also millions of other people and organizations' details, whose information Epik scraped via 'Whois' queries from other domain name registrars. 

The group claimed the attack was in retaliation for Epik’s habit of hosting questionable alt-right websites. “This dataset is all that’s needed to trace actual ownership and management of the fascist side of the internet. Time to find out who in your family secretly ran an Ivermectin horse porn fetish site, disinfo publishing outfit or yet another QAnon hellhole,” the group said. 

However, Anonymous did not reveal when the attack took place, but timestamps on the most recent files indicated that it likely occurred in late February.

Epik, which was founded in 2009 by current CEO Rob Monster, is known to serve a variety of far-right clients, including Parler, Texas GOP, Gab, and 8chan - all of which are said to have been turned down by mainstream IT providers due to objectionable content. 

Epik has started sending emails to impacted customers regarding an 'unauthorized intrusion', according to screenshots shared by cybersecurity expert Adam Sculthorpe and data scientist Emily Gorcenski. “As we work to confirm all related details, we are taking an approach toward maximum caution and urging customers to remain alert for any unusual activity they may observe regarding their information used for our services,'” reads Epik's email notice. 

Although the firm did not say in the message if customers' credit card details were exposed, it encouraged users to contact their credit card providers and “notify them of a potential data breach to discuss your options with them directly.”

US Senate's Selection Committe Raises Some Serious Concerns Regarding SolarWinds Attack

 

The US Senate’s select committee has blamed Russia for the massive intelligence operation that infiltrated SolarWinds, a Texas-based software company, to steal data from various governments and nearly 100 companies. Threat actors exploited the vulnerabilities in SolarWinds and Microsoft programs to penetrate the companies and government agencies. 

Some key issues were raised during a hearing of US Senate’s select committee:

• Threat actors conducting a “dry run”; 
• The true motive behind an attack; 
• Threat actors exploiting Amazon Web services vulnerabilities; 
• Improvement in cyberthreat and intelligence information sharing.

Kevin Mandia, CEO of FireEye revealed the methodology used by threat actors for conducting a “dry run” in October 2019. He stated during his testimony that “they put an innocuous build in to make sure that it made it to the [production] environment,”. He also added that his company’s engineers have worked day in, day out, spending more than 10,000 hours to analyze the source of the data breach and how it led the threat actors to the SolarWinds server.

Many witnesses blamed the Russian-based hacking group for data breach, Microsoft’s President Brad Smith testified: “We’ve seen substantial evidence that points to the Russian foreign intelligence agency and we have found no evidence that leads us anywhere else.” 

Senator Marco Rubio, the vice chairperson of the intelligence committee said there is conclusive evidence to suggest that the attack was more than a cyberespionage campaign. Hence, to draw any conclusions at this point is not justified. “While I share the concern that an operation of this scale with a disruptive intent could have caused mass chaos, those are not the facts that are in front of us. Everything we have seen thus far indicates this was an intelligence operation – a rather successful one – that was ultimately disrupted.”

Senators slammed Amazon Web Services for declining to testify given the company’s infrastructure was used in the attack. Sen. Rubio stated that “we had extended an invitation to Amazon to participate. The operation we’ll be discussing today uses their infrastructure, [and], at least in part, required it to be successful. Apparently, they were too busy to discuss that here with us today, and I hope they’ll reconsider that in future.”

Sen. Richard Burr said, Amazon Web Services hosted most of the secondary command and control nodes in the SolarWinds attack, which raised questions about how much Amazon and its executives have revealed about what they know. 

During the hearing, witnesses agreed with many of the committee members regarding the strengthening of cyberthreat and intelligence information sharing. Kevin Mandia, CEO of FireEye said that 2015 Cybersecurity Information Sharing Act should be updated which will make it easier to share intelligence and provide protection to data breach and gather the initial intelligence. Anne Neuberger, Deputy National Security Adviser said earlier this month that nine federal agencies and 100 private organizations, were compromised as part of the attack.