Wednesday, February 27, 2019

Woesnotgone Meadow; December 24, 2018

All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.

Our residents regularly visit the doctors. Not that we are concerned to a fault; we simply attend our regularly scheduled appointments. One area we pay particular attention to is our eyesight. Without our eyesight, we can’t read the menu at Margie’s Coney Island. The local eye clinic is managed by Gerry, who pays particular attention to detail. One eye clinic elsewhere, however, has had issues.

Redwood Eye Center is located in Vallejo, CA, and is an ophthalmology practice. The practice contracted with IT Lighthouse to host and store the electronic patient records.

Ransomware is a relatively easy tool to implement in an attack. The attackers are able to phish a list of targets without a great deal of effort, in comparison with attacks on an enterprise system. Depending on the tool, the success rate is limited. Bearing this in mind, all it takes is a few people in the right department clicking, and business functionality may be shut down.

In this case, the issue is with IT Lighthouse. This business hosts and stores Redwood Eye Center’s patient records. There certainly can be benefits to having a third party host the electronic health records (EHR), which is why this has become relatively popular. The eye clinic learned of the breach on September 20, 2018. Sometime during the evening of September 19th, the ransomware attack was detected on the server which stored a portion of the clinic’s patient records.

It appears the patient data was not exfiltrated. This affected 16,055 patients. This is, as noted and fortunately, only a portion of the office’s patient records. The data involved included the usual: patient names, addresses, dates of birth, health insurance information, and medical treatment information. Post detection, the clinic contracted with a computer forensic company to deconstruct the ransomware attack. The eye clinic also had the medical records company restore the clinic’s access to the patients’ information.

This is another example of a third party being the weakest link. This has happened multiple times in recent years. Too often companies contract with a third party business and don’t check the other company’s cybersecurity practices. When a company allows a third party access to its system, it also lets in everything that comes with the third party’s system. Every issue the third party already has accompanies it when it connects, including any malware already present in its environment. With any third party granted access, due diligence should be completed to the company’s satisfaction prior to any connection.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.

Resources
Dissent. (2018, December 7). Redwood Eye Center notifies 16,000 patients after EMR vendor experiences ransomware attack. Retrieved from https://www.databreaches.net/redwood-eye-center-notifies-16000-patients-after-emr-vendor-experiences-ransomware-attack/

Leventhal, R. (2018, December 11). Eye center in California switches EHR vendor following ransomware incident. Retrieved from https://www.healthcare-informatics.com/news-item/cybersecurity/eye-center-california-switches-ehr-vendor-following-ransomware-incident

McGee, M.K. (2018, December 7). Another electronic health records vendor hacked. Retrieved from https://www.careersinfosecurity.com/another-electronic-health-records-vendor-hacked-a-11823

Woesnotgone Meadow; December 23, 2018

All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.

In the Meadow, we have three nearby universities. Most visitors there are on campus for a robust, enlightening education. At times, we do need to visit the university hospital for cases which require a bit more expertise than the local urgent care facility can offer.

The University of Maryland hospital system was recently attacked with malware. This took the form of ransomware. The attack infected 250 of the hospital system’s 27k devices. These were mostly desktop computers. As part of the remediation process, these were quarantined. The infected systems were not encrypted by the malware, so there was no need to pay for a decryption key. The virus was isolated before it could spread to other systems. Fortunately, this did not affect patient care. There was also no direct evidence patient data or other information was compromised with the attack. The medical system was working with the FBI and US Department of Homeland Security regarding the issue.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.

Resources
Davis, J. (2018, December 11). Malware attack hits University of Maryland Medical System. Retrieved from https://healthitsecurity.com/news/malware-attack-hits-university-of-maryland-medical-system

Dissent. (2018, December 10). University of Maryland Medical System investigating malware attack. Retrieved from https://www.databreaches.net/university-of-maryland-medical-system-investigating-malware-attack/

Meehan, S. (2018, December 10). University of Maryland Medical System investigating malware attack. Retrieved from https://www.baltimoresun.com/news/maryland/education/higher-ed/bs-md-umms-hack-20181210.html

Zumer, B. (2018, December 10). UMD medical system restores computer systems after malware attack. Retrieved from https://foxbaltimore.com/news/local/umd-medical-system-restores-computer-systems-after-malware-attack

Woesnotgone Meadow; December 22, 2018

All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.

Baylor Scott & White Medical Center is located in Texas. This is far from the northern region where the Meadow is located, where the winter is long and cold. The medical center was organized as a joint venture managed by United Surgical Partners International (USPI). As we know from the prior attacks on medical facilities and offices, these are obvious targets due to several factors, including the cash flow through the facility, and let us not forget the medical records themselves.

The facility’s credit card processing was done by a 3rd party. This same credit card system was breached. The attackers sought to obtain the patients’ and guarantors’ payment and credit card data. The hospital detected the attack on September 29, 2018. The breach, while significant, was open from September 22 – 29.

The issue was with the 3rd party’s credit card processing system. This is not a new concept for the attackers. This same vector has been exploited a number of times over the years. One of the larger and more prolific breaches in recent memory occurred using this method: Target was breached near the end-of-year holiday season. One of their vendors, who had access to the Target system, had a compromised system, which allowed the attack in.

The breach affected 47,984 persons. These were the patients and/or the guarantors. The medical practice reported the issue to the US Department of Health and Human Services. Per the HIPAA breach notification rule, the affected persons were notified with letters. Fortunately for the patients and guarantors, there has been no evidence to date that the data has been misused. Although this is good news, the attackers may use the data at a later point in time, up until the payment information changes.

The data that may have been accessed by the attackers includes the name, mailing address, telephone number, date of birth, medical record number, date of service, insurance provider information, account number, last four digits of the credit card used, the credit card CCV number, type of credit card, date of recurring payment, account balance, invoice number, and status of transaction. While the credit card information would need to be used before the cards are replaced, the data in its entirety could be used for phishing over the longer term. It could also be used for fraudulent transactions and, for the skilled phishers, potentially for identity theft. A positive point is that the data did not include social security numbers or medical record information.

Although the data is inherently pertinent, the attack could have been much worse. The hospital’s other systems were not affected by this.

Once the breach was detected, the hospital notified the vendor and terminated the credit card processing handled by the vendor. The medical center is providing a one year free credit monitoring service for the affected parties.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.

Resources
CBS DFW. (2018, December 10). Data breach could impact 47k patients treated at North Texas hospital. Retrieved from https://dfw.cbslocal.com/2018/12/10/data-breach-texas-hospital/

Cyware. (2018, December 11). Data breach at Baylor Scott & White Medical Center impacts nearly 47,000 patients. Retrieved from https://cyware.com/news/data-breach-at-baylor-scott-white-medical-center-impacts-nearly-47000-patients-646520aa

Davis, J. (2018, December 11). Third-party vendor hack breaches 48,000 Baylor Frisco patients. Retrieved from https://healthitsecurity.com/news/third-party-vendor-hack-breaches-48000-baylor-frisco-patients

Dissent. (2018, December 10). Baylor Scott & White Medical Center-Frisco notifies 47,000 patients after third-party bill payment vendor was hacked. Retrieved from https://www.www.databreaches.net/baylor-scott-white-medical-center-frisco-notifies-47000-patients-after-third-party-bill-payment-vendor-was-hacked/

McGee, M.K. (2018, December 10). Credit card system hack led to HIPAA breach report. Retrieved from https://www.databreachtoday.com/credit-card-system-hack-led-to-hipaa-breach-report-a-11830
Monday, February 18, 2019

Woesnotgone Meadow; December 21, 2018
In the Meadow, we enjoy driving our vehicles. Sometimes on the weekends, we just get in the car and drive to the lake. This provides for a nice getaway. As familiar as we are with these, a new shift with the vehicles is occurring. These vehicles are moving towards being autonomous. The residents could tell the vehicle to “Go to Margie’s Market” and they could knit the whole way there and back. Most residents are suspicious of this until it is fully vetted.

One aspect of this that has not been analyzed much involves the police. With autonomous vehicles, in theory, the police could, in very limited circumstances, take control of the autonomous vehicles. These circumstances would be exceptionally limited and may include, but are not limited to, the driver having a medical emergency, the driver refusing to stop, the vehicle endangering other people near the roadside, or a pedestrian crossing the street. This would drastically reduce the opportunity, liability, and potential loss of life with a high-speed chase.

The residents may not quite appreciate Police Chief Jerry pulling someone over for driving by the grocery store at 48 mph, in the 45 mph zone. This, however, would only be used in much more dire circumstances.

The autonomous vehicles are on their way, with varying capabilities initially, advancing to a fully autonomous vehicle. There are many known and unknown use cases with this; they have been, and will continue to be, thought through.

Resources
Libicki, M.C. (2016, April 4). The police could be controlling your self-driving car. Retrieved from https://www.rand.org/blog/2016/04/the-police-could-be-controllering-your-self-driving-car.html

Merending, A. (2016, September 30). Autonomous vehicles will mean the end of traffic stops. Retrieved from https://www.wired.com/2016/09/autonomous-vehicles-will-mean-end-traffic-stops

Peterson, G. (2017, July 10). Envision an autonomous car chase scene. Retrieved from https://www.forbes.com/sites/georgepeterson1/2017/07/10/evision-an-autonomous-car-chase-scene/#70bd20873a1b

Posky, M. (2018, July 2). Should police have the ability to track and disable self-driving vehicles? Retrieved from https://www.thetruthaboutcars.como/2018/07/should-police-have-the-ability-to-track-and-disable-self-driving-vehicles/

Washington, R. (2016, September 29). Driverless cars are coming. What does that mean for policing? Retrieved from https://www.themarshallproject.org/2016/09/29/driverless-cars-are-coming-what-does-that-mean-for-policing

Tuesday, February 12, 2019

Woesnotgone Meadow; December 20, 2018
All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.

In the Meadow, the one service we don’t have on the ground is a university. The Meadow does have an extension office where we can take certain classes, and there’s always the online option. These institutions have a plethora of data on the students, which could be targeted. The colleges also hold a significant amount of money from the students’ tuition and other sources. There is a college in the northeast which experienced a successful attack.

Cape Cod Community College is located in West Barnstable, Massachusetts. There are approximately 4,900 students, 68 full-time faculty, and 159 full-time staff. The college offers associate degrees.

The college did experience a breach. The attackers’ tool was a phishing campaign. With this mode of attack, the human element continues to be the greatest vulnerability. As noted previously, phishing continues to be a very effective method to attack an organization, especially medium- and large-sized organizations. The phishing emails contained malware. This was coded to avoid the college’s anti-virus (AV) and anti-malware programs, and to exploit the college’s banking relationships. With this incident, the funds were transferred from the college’s account at TD Bank to other banks.

Mechanically, the attackers “allegedly” set up a phishing site which appeared to be the college’s bank by overwriting the bank’s URL. The attackers also socially engineered the bank workers to get the transfers to clear in a timely manner. The attackers were able to have nine separate transfers validated. Three others were blocked.

Altogether, $807,130 was stolen from the college. This was a significant amount, as their operating budget was approximately $35M. On a positive note, they were able to recover $278,887. For the attackers, the target was money, not personally identifiable information (PII). There was no evidence that PII or any employee records were compromised. Other operation centers were not affected.

When the attack was discovered, the college identified the malware and replaced the infected hard drives. The malware used for this attack was believed to be the Emotet banking Trojan. The college is continuing with its plan to install next-generation endpoint protection software (AppGuard). The college is also continuing with cybersecurity training for its staff. Due to the nature of the attack, the college contacted the state and federal authorities to assist with the investigation. While doing the forensic work, other attacks were detected.

This should be another example of the potential effects from a simple click on a link or file.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.

Resources
Cape Cod Today Staff. (2018, December 7). Breaking: Data breach at Cape Cod Community College. Retrieved from https://www.capecodtoday.com/article/2018/12/07/243699-Breaking=data-Breach-Cape-Cod-Community-College

Cyware. (2018, December 11). Cape Cod Community College was hit by hackers who stole over $800,000. Retrieved from https://cyware.com/news/cape-cod-community-college-was-hit-by-hackers-who-stole-over-800000-aef6345c

Dissent. (2018, December 8). Hackers steal $800,000 from Cape Cod Community College. Retrieved from https://www.databreaches.net/hackers-steal-800000-from-cape-cod-community-college/

Gatlan, S. (2018, December 10). $807,130 stolen by hackers after Cape Cod Community College phishing attack. Retrieved from https://news.softpedia.com/news/807-130-stoeln-by-hackers-after-cape-cod-community-college-phishing-attack-524208.shtml

Gurubaran, S. (2018, December 12). Hackers steal over $800,000 by dropping malware on Cape Cod Community College computer systems. Retrieved from https://gbhackers.com/hackers-steal-cape-cod-community/

Krantz, L. (2018, December 7). Hackers steal $800,000 from Cape Cod Community College. Retrieved from https://www.bostonglobe.com/metro/2018/12/07/hackers-steal-from-cape-cod-community-college/

McCormick, C. (2018, December 8). More than $800k stolen in data breach at Cape Cod Community College. Retrieved from https://www.capecodtimes.com/news/20181208/more-than-800k-stolen-in-data-breach-at-cape-code-community-college

Nation, J. (2018, December 11). Sophisticated phishing attack costs Cape Cod Community College over $800,000. Retrieved from https://medium.com/metacert/sophisticated-phishing-attack-costs-cape-cod-community-college-over-800-000-33717f502cd

Panettieri, J. (2018, December 11). Ernst & Young investigates Cape Cod Community College hack. Retrieved from https://www.msspalent.com/cybersecurity-news/ey-investigates-cape-cod-community-college-hack/

Radolec, M. (2018, December 11). Hackers steal $800,000 from Cape Cod Community College through phishing. Retrieved from https://www.informationsecuritybuzz.com/expert-comments/hackers-steal-800000/

Woesnotgone Meadow; December 19, 2018
All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.

In the Meadow, the residents take care of their health, for the most part. When we need to, the doctor is always available for our visits, complaints, and general layman conjecture on the root causes of our ailments. At times, Dr. Gerry even listens to us ask if we need a drug that we had just seen on the television the night before.

The Elizabethtown Community Hospital (ECH), which is part of The University of Vermont Health Network, had the opportunity to work through an incident response recently. ECH operates six community-based primary healthcare centers, and an ER and outpatient center.

ECH recently had what they termed a “data security incident”, i.e. a compromise. This was detected in October 2018. This has affected an estimated 32k patients. Although the system was compromised, ECH did not have any clear evidence that any individual patient record was accessed. Although there is no clear evidence, to be conservative, ECH is still publicizing this so the potentially affected clients may be prepared.

This event was due to an ECH email account being compromised. The email account did contain clients’ names, dates of birth, addresses, and limited medical information (i.e. billing, medical record numbers, dates of service, and a brief summary of rendered services). Unfortunately, a portion of the patients (approximately 1,200) did have their social security number included with the compromised data.

Once this was detected, nine days after the compromise, ECH changed the affected account(s) password(s), made the security features more robust, and contracted with a forensic cybersecurity firm to analyze the incident. This did not, fortunately, spread to the computer network or electronic medical records (EMR).

To assist with the issue, the affected patients are being offered free credit monitoring services. The length of time this service will be provided was not noted. For the patients, this is of marginal value, as the attackers could use this data a day, week, or month after the credit monitoring service has lapsed.

This continues the lesson of staff training for phishing attacks. This attack method continues to be prominent, and its usage is not slowing down. All this attack needs, to be successful, is for a few of the targets to click on the link or attachment!

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.

Resources
Demol, P. (2018). ECH data breach exposes patient info. Retrieved from https://www.suncommunitynews.com/articles/the-sun/ech-data-brach-exposes-patient-info/

Wednesday, February 6, 2019

Woesnotgone Meadow; December 18, 2018

All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.

In the Meadow, our travel is somewhat limited. A number of the residents are retired and just enjoy our simple, natural environment. We may take a walk to Margie’s Ice Cream Parlor and talk about the leaves changing color, or take the short drive to Jerry’s Barbershop for the quick haircut, and catch up on the local gossip.

Other times, we just like to watch television. In this part of the state we don’t have the best reception. Most people subscribe to a paid service for their viewing pleasure. In Brazil, people can subscribe to SKY Brasil. Although a valued service for their television, a relatively serious cybersecurity oversight has been found there.

SKY Brasil is a subscription television service in Brazil. This service is one of the largest in the country. In this issue, Elasticsearch servers were the focal point of the problem. These are used, as the name implies, for powering search functions. For better or worse, this data leak is not the first with this technology.

The term attack is used very loosely in this circumstance. In the traditional sense, this was not truly an attack. A number of records were open to anyone with internet access for over a week. Given open access for that period, unauthorized access and exfiltration are expected and likely. This is notable, as anyone who knew where the cache of data was, or could search for it, had full access at their whim. The “attackers” only needed to use a tool, e.g. Shodan, and search for servers running Elasticsearch.

No authentication was required to access the system. The servers were not configured to require it, which is surprising on many fronts. The researchers happened to find these by searching for servers titled “digital-logs-prd”. With no authentication in place, anyone merely needed to enter a simple command and the indices were available. One of these held 429.1GB of data.
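The core of the oversight described above is a configuration choice, so here is an added illustration (not SKY Brasil’s actual configuration, which the reports do not publish) of an `elasticsearch.yml` that exposes the REST API to the internet without credentials, followed by a hardened version. It assumes an Elasticsearch release where the security features are available in the free basic license (6.8 / 7.1 and later); the cluster name reuses the “digital-logs-prd” label from the post purely for illustration, and the keystore path is a placeholder.

```yaml
# --- Exposed configuration (illustrative): the pattern behind open-index leaks ---
cluster.name: digital-logs-prd          # label from the post, used here only as an example
network.host: 0.0.0.0                   # binds every interface, including the public one
http.port: 9200                         # the default port that internet scanners look for
xpack.security.enabled: false           # no authentication on the REST API at all;
                                        # anyone reaching :9200 can list and read indices
---
# --- Hardened configuration (illustrative) ---
cluster.name: digital-logs-prd
network.host: 127.0.0.1                 # loopback only; use a private interface if clients
                                        # on the same network must reach it
http.port: 9200
xpack.security.enabled: true            # every request must carry valid credentials or an
                                        # API key, and roles limit which indices are readable
xpack.security.http.ssl.enabled: true   # keep credentials off the wire in clear text
xpack.security.http.ssl.keystore.path: certs/http.p12   # placeholder; generate your own
```

On releases that predate free security features, bind to a private interface and put the API behind an authenticating reverse proxy or firewall, and confirm from outside the network that port 9200 is not reachable.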

The affected data covered up to 32M of SKY Brasil’s clients. It happened to contain, to the benefit of the attackers, the PII for the clients. This included the full name, email address, service login password, client IP address, payment method, phone number, and street address. All of this would be exceptionally useful for the attackers, especially in the short term, for phishing and other attacks. This included both consumer and business clients.

As if this was not bad enough, this is not the first issue with Elasticsearch. There was also Brazil’s Federation of Industries of the State of Sao Paulo (FIESP) exposing the data of 34.8M users, Fit Metrix exposing 35M records, and a data analytics firm leaking the data of over 57M US clients and 26M companies.

This unfortunate data compromise reinforces the need for cyber and information security to be actively applied all the time, not just when there is an issue.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.

Resources
Cimpanu, C. (2018, November 29). Sky Brasil exposes data of 32 million subscribers. Retrieved from https://www.zdnet.com/article/sky-brasil-exposes-data-of-32-million-subscribers/

Dissent. (2018, November 29). Sky Brasil exposes data of 32 million subscribers. Retrieved from https://www.databreaches.net/sky-brasil-exposes-data-of-32-million-subscribers/

Ilascu, I. (2018, November 29). SKY Brasil exposes 32 million customer records. Retrieved from https://www.bleepingcomputer.com/news/security/sky-brasil-exposes-32-million-customer-records/

Threat Brief. (2018, November 30). SKY Brasil exposes 32 million customer records. Retrieved from https://threatbrief.com/sky-brasil-exposes-32-million-customer-records/