Monday, April 29, 2019

Woesnotgone Meadow; April 29, 2019



All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.

In the Meadow, we have a mix of residents. One thing we all have in common is investments. The residents want to retire in luxury, eat caviar, and travel. To follow this dream takes one common element: money. Jerry runs the Meadow's investment firm and manages the funds and futures. BlackRock, Inc. is the world's largest asset manager. With this title, it is no wonder there is a target on the firm.

BlackRock was not the victim of an attack, per se. This, however, was still an issue. The compromise was due to human error. BlackRock inadvertently published the confidential client data of thousands of advisors on its public website. The data was located in three spreadsheets. These were available via links on the company's iShares exchange-traded funds site. The links were dated December 5, 2018; however, the files may have been posted earlier. Based on this, the issue was not truly an attack in the real-world sense, but more of an oversight.

These spreadsheets did not hold average, boring data. The three spreadsheets included the financial advisors' names and the email addresses of those who purchased BlackRock's ETFs for their clients. One of the three spreadsheets contained the information of more than 12k advisors and their sales representatives. In another spreadsheet, the advisors were categorized as dabblers or power users. Another column indicated the financial advisor's club level as being in the Patriot's or Director's Club, presumably based on their sales level. BlackRock is reviewing what happened, which appears to have been primarily human error.

This simple oversight will provide for many awkward moments in the upcoming months. This is much like the holidays when your odd uncle stops by, and everyone looks. This does appear to be a simple case of unfortunate human error. When documents or files contain sensitive data, there should be some form of a check in place before they are published, even a short and simple one. Without this in place, there is an opportunity for many not-fun future meetings and situations.
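The "short and simple check" the post calls for can be a pre-publish scan that refuses to release a spreadsheet when it finds advisor names, email addresses or similar identifiers. The following is an added example, not BlackRock's process or any code from the articles cited; the column names, regular expressions and sample CSV bodies are constructed for illustration.

```python
import csv
import io
import re

# Patterns for data that should never appear in a file pushed to a public site.
# Constructed for this example; an organisation would tune them to its own data.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Header fragments that usually mark a column as personal or confidential.
SENSITIVE_HEADERS = ("email", "e-mail", "advisor", "representative", "phone", "ssn", "client")


def scan_csv(text):
    """Return {column: {finding: count}} for a CSV body.

    Headers are inspected as well as cells, so an exported "Advisor Email"
    column is flagged even when every cell in it happens to be empty.
    """
    reader = csv.DictReader(io.StringIO(text))
    findings = {}
    for name in reader.fieldnames or []:
        lowered = name.lower()
        if any(token in lowered for token in SENSITIVE_HEADERS):
            findings.setdefault(name, {})["sensitive_header"] = 1
    for row in reader:
        for name, value in row.items():
            if value is None:
                continue
            for label, pattern in (("email", EMAIL_RE), ("ssn", SSN_RE)):
                hits = len(pattern.findall(value))
                if hits:
                    col = findings.setdefault(name, {})
                    col[label] = col.get(label, 0) + hits
    return findings


def publish_allowed(text):
    """Gate for a publishing pipeline: True only when the scan finds nothing."""
    return not scan_csv(text)


# Constructed sample resembling a sales-team export that must never go public.
CONFIDENTIAL_EXPORT = """Advisor Name,Advisor Email,Tier,Club
Jane Example,jane.example@advisors.example,power user,Director's Club
Joe Sample,joe.sample@advisors.example,dabbler,Patriot's Club
"""

# Constructed sample of aggregate product data that is fine to publish.
PUBLIC_EXPORT = """Fund,Ticker,Expense Ratio
Example Core Fund,EXMPL,0.03
"""

if __name__ == "__main__":
    for label, body in (("confidential", CONFIDENTIAL_EXPORT), ("public", PUBLIC_EXPORT)):
        verdict = "allowed" if publish_allowed(body) else "BLOCKED"
        print(f"{label}: {verdict} {scan_csv(body)}")
```

Wiring `publish_allowed` into the step that copies files to the web root turns an honest mistake into a blocked upload rather than a disclosure.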

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.

Resources
Durden, T. (2019, January 19). BlackRock accidentally exposes confidential sales data for thousands of financial advisors. Retrieved from https://www.zerohedge.com/news/201901-19/blackrock-accidentally-exposes-confidential-sales-data-thousands-financial-advisors

Massa, A. (2019, January 19). BlackRock exposes confidential data on thousands of advisors on iShares site. Retrieved from https://www.msn.com/en-us/money/companies/blackrock-exposes-confidential-data-on-thousands-of-advisors-on-ishares-site/ar-BBSrfx9

Friday, April 26, 2019

Woesnotgone Meadow; April 26, 2019



All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.

Cebuana Lhuillier is located in the Philippines and is one of the leading and largest financial services firms there. Cebuana Lhuillier is different in that it is not a bank. The firm has nearly 2,500 branches throughout the nation. Its services include pawn services, remittance, micro-insurance, and micro-loans.

Given the nature of the business, the data held by the firm is exceptionally valuable to any attackers who successfully compromise its systems. Attempted connections to the business servers were detected on January 15, 2019. There was a previous attack that was successful, which led to unauthorized downloads from the business servers on August 5, 8, and 12, 2018. It is curious why the second compromise was not deterred. When there is a significant compromise, as a rule of thumb the cybersecurity staff, or at least the IT staff, harden the systems so the business is not compromised again.

We should strive to learn not only from our own mistakes but from those of others. For at least the second compromise, the attack vector and method were not published.

More than 900,000 clients were affected by the breach. This is approximately 3% of the entire clientele. Although 3% is not that high a percentage relative to the entire clientele, this is still a rather large number of clients. The attackers may have accessed the clients' personal data, including dates of birth, addresses, and sources of income. Thankfully, transaction details were not included with the potentially compromised client data.

The firm was surprised by the compromise. As a result of the compromise, the firm coordinated efforts with the National Privacy Commission (NPC). The firm also contracted with a third party to manage the compromise. The parties were investigating the issue. The company has already implemented safety measures to protect the clients' data. The firm did suggest the clients change their passwords.

This compromise emphasizes the need for a strong perimeter defense.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.

References
Cyware Hacker News. (2019, January 22). Data breach at Cebuana Lhuillier affects over 900,000 clients. Retrieved from https://cyware.com/news/data-breach-at-cebuana-lhuillier-affects-over-900000-cleints-b247b34b
Langsdon, M. (2019, January 19). Philippine financial service firm flags data breach affecting 900,000 clients. Retrieved from https://www.reuters.com/article/us-hilippines-cebuana/huillier-data-idUSKCNIPD078
Merey, A. (2019, January 19). Over 900,000 affected by Cebuana Lhuillier data breach. Retrieved from https://news.abs-cbn.com/business/01/19/19/over-900000-affected-by-cebuana-lhuillier-data-breach
Philstar. (2019, January 19). Cebuana Lhuillier hit by data breach. Retrieved from https://www.philstar.com/business/2019/01/19/1886427/cebuana-lhuillier-hit-data-breach



Thursday, April 25, 2019

Woesnotgone Meadow; April 25, 2019; Vendor Cybersecurity Issues affecting Eye Institute!



All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.

The day started out like any other day. Get up, get ready, load the vehicle, work, return home, repeat. On this day though, I went to the mailbox, just as I have done for years. Today though, there was a letter from the Wolverine Solutions Group. Not recognizing the name, curiously I opened the letter. It seems as though my healthcare provider, Michigan Eye Institute, used Wolverine Solutions Group for mailing services. Wolverine Solutions Group happens to have had a minor, itsy issue with cybersecurity: they were successfully attacked with ransomware, locking up their servers along with workstations. But other than that, everything was fine.

There are three businesses involved with the cybersecurity oversight.
a. Michigan Eye Institute. The medical practice focusing on the eye, located in Flint, MI.
b. Client Financial Services. This was a vendor for the Michigan Eye Institute.
c. Wolverine Solutions Group. They provide mailing services to businesses in the health-related industry. This includes health insurers and providers. The business is located in Detroit. They also provide billing services. A sample of their clients includes Blue Cross Blue Shield of Michigan, Health Alliance Plan, McLaren Health Plan, Three Rivers Health, and North Ottawa Community Health System.

Timeline
On or about September 23, 2018, Wolverine Solutions Group (WSG) had the opportunity to experience a ransomware attack. The attack primarily focused on encrypting their records. This locked up their servers and workstations, which was clearly bad. On October 3, 2018, WSG hired a forensic subject matter expert to review and analyze the events and the attack. They began the decryption process and restoring files and other affected areas. The expert did not identify any evidence that data had been exfiltrated.

Due to the effort, most of the programs were restored by October 25, 2018. The critical operations were up and operating on November 5, 2018. On November 28, 2018, WSG notified Client Financial Services (CFS), a vendor to the Michigan Eye Institute, of the cybersecurity issue. On February 5, 2019, WSG provided the Michigan Eye Institute with the final list of affected users and the categories of data affected.

Ransomware is seen so often in nearly all industries. This is partially due to it being such a cost-effective attack that produces results. The operation involves encrypting the data and attempting to force the target, post-successful attack, to pay the fee. In this case, however, allegedly weak encryption was used.

Data
Unfortunately for the patients, it appears the data involved would be the patient's name, address, date of birth, social security number, insurance contract information and numbers, and medical information. This is truly bad for the patients involved. This data is very saleable and marketable multiple times, depending on how it is bundled.

Help for the Patients
The patients are being offered identity theft protection through AllClear ID for 12 months. This also allows for an annual credit score and credit report, and a $1M identity theft insurance policy. Although this sounds good, the length honestly should be much longer. Any person with the patients' data will probably wait one year and one month before using it, to the patients' detriment.

Questions/Concerns/Comments
In reviewing the overall environment, there are a few questions. The business used WSG for mailing services. This is perfectly acceptable and a part of normal operations. As WSG's focus is mailing, why would they have access to medical records, and why were the records on WSG's system? Medical records are not needed for a list of people to mail information to. Possibly they were mailing bills; however, this would be the only viable reason.

It took the business over five months to notify the users/patients of the cybersecurity issue. The patients were exposed for over five months. During this time, they were unaware of their data being out there and sold.

The forensic team did not believe any data was exfiltrated or "extracted," yet the patients' information was affected. Thinking through the events, if the attacker is focused on the system and risking federal prison, is the attacker really going to walk away without taking the data once they have finally compromised the perimeter defense? This is not a viable option.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.

Resources
1051 The Bounce. (2019, March 11). Are you one of the 600,000 Michigan residents affected in data breach. Retrieved from https://1051thebounce.com/2019/03/11/are-you-one-of-600000-michigan-residents-affected-in-data-breach/

13ABC. (2019, March 11). Michigan residents warned about health care data breach. Retrieved from https://www.13abc.com/content/news/Michigan-residents-warned-about-health-care-data-brech-506985321.html

62CBS Detroit. (2019, March 11). Health care data breach affects 600k Michigan residents. Retrieved from https://detroit.cbslocal.com/2019/03/11/health-care-data-breach-affects-600k-michigan-residents

Davis, J. (2019, March 12). More than 600,000 affected by Michigan health care data breach. Retrieved from https://securitytoday.com/articles/2019/03/12/more-than-600000-affected-by-michigan-health-care-data-breach.aspx?m=1

Goedert, J. (2019, March 15). 600,000 affected by huge data breach in Michigan. Retrieved from https://www.healthdatamanagement.com/news/600-000-affected-by-huge-data-breach-in-michigan

Scott. (2019, March 12). Data breach may have exposed 600,000 Michigan residents. Retrieved from https://smallbusinessbigthreat.com/blog/2019/03/12/data-breach-may-have-exposed-600000-michigan-residents/

Strachan, J. (2019, March 11). More than 600,000 in Michigan affected by health care data breach. Retrieved from https://patch.com/michigan/across-mi/more-600-000-michigan-affected-health-care-data-breach

The Associated Press. (2019, March 11). Michigan residents warned about health care data breach. Retrieved from https://www.kansas.com/news/business/article22740489.html

Wolverine Solutions Group. (2019, February 27). Notice of breach/cybersecurity incident, updated 02.27.2019. Retrieved from https://www.wolverinemail.com/cyber-security-event/

Wolverine Solutions Group. (2019, February 28). Letter signed by Robert Tokar.


Thursday, April 18, 2019

Woesnotgone Meadow; April 18, 2019



All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.

In the Meadow, we occasionally have the storm roll through the area. There may be high winds, hail, and the power may occasionally go out. We have become so used to these harsh winters of the north, not much really bothers us anymore.

Just in case a large storm would come through, the council had an early warning device set up. We have never used it for an event yet. The police chief every three months on the first Tuesday tests the noisemakers (these are so loud) and the text service. Margie’s cats lose their minds during these two minutes of wonderment. Jerry’s dogs howl like it is the full moon. That’s about the only exercise they get these days though.

The Meadow's system is basic, nothing like the warning network in Australia. That early warning system had a little issue earlier this year. Like numerous areas throughout the globe, there is the opportunity for a serious storm to affect an area. This could be manifested as heavy rain or snow, flooding, hail, a tornado, or any other significant storm. So that the local residents are aware of the circumstances, an early warning system generally is put in place. These measures may not give hours of notice; however, some notice is better than none. The system may be audible, using exceptionally loud horns. It may also send emails or texts to the residents to let them know of the issue. Both may be implemented together, in an attempt to reach everyone possible.

Australia has this service in place. It is offered by the Australian company Aeeris. In Queensland, the municipality uses an SMS system. This sends emergency messages to those who have signed up for it. These messages may concern extreme weather, fires, evacuations, general information, and incident responders. The local citizens depend on this when there are significant weather issues.

Unfortunately, the warning system in Queensland, Australia was attacked. The attack vector involved unauthorized parties using credentials obtained through illicit means. The operator is not sure of the method used to steal the affected credentials. On 1/5/2019, the attackers accessed the Queensland EWN (Early Warning Network) without authorization. Once on the compromised system, the attackers were able to send spam alerts to the service subscribers. These were sent via SMS, landlines, and email. The fake SMS message was moderately short: "EWN has been hacked. Your personal data is not safe." The alerts also provided instructions on how to unsubscribe from the service. The attack does not appear to have been malicious, as the attackers apparently did not access or exfiltrate any personal data.

The successful compromise was initially detected by the staff. They noted the unauthorized alerts rather quickly, which I would have hoped was the case. To immediately resolve the issue, the staff turned off the system. This served to stop any further spam messages. This was done soon enough to limit the scope and exposure of the attack. They are also investigating the attack with the police and the Australian Cyber Security Centre.

This unfortunate attack further illustrates the need for a strong perimeter defense and staff training on attacks. As noted, the tools and methods used to attack the system have not been identified. A strong defensive posture would include these measures. When these areas, and others, are ignored, certain mayhem follows.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.

Resources
Abrams, L. (2019, January 7). Hacker uses Australian early warning network to send spam alerts. Retrieved from https://www.bleepingcomputer.com/news/security/hacker-uses-australian-early-warning-network-to-send-spam-alerts/
Crozier, R. (2019, January 7). Hack spam sent via Australian hazard alert service. Retrieved from https://www.itnews.com.au/news/hack-spam-sent-via-australian-hazard-alert-service-517552
Cyware. (2019, January 7). Cybercriminals hacked WEN’s systems and sent spam alerts to thousands of people across Australia. Retrieved from https://cyware.com/news/cybercriminals-hacked-wens-systems-and-sent-spam-alerts-to-thougsands-of-people-acrss-australia-0aae601e
McLean, A. (2019, January 7). Emergency warning network confirms breach. Retrieved from https://www.zdnet.com/article/emergency-warning-network-confirms-breach/
Wiggins, N., Hendry, M., McCoskor, A., et al. (2019, January 7). Emergency text and email service hacked, thousands receive warning message about their personal data. Retrieved from https://www.abc.net.au/news/2019-01-07/emergency-text-service-hacked-warning-about-personal-data-sent/10688748



Sunday, April 14, 2019

Woesnotgone Meadow; April 14, 2019


All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.

In the Meadow, the residents are generally healthy. At times, we have issues requiring surgery and later rehabilitation. Based on the injury, this could be a short or long journey. Regardless of the length of rehabilitation, the patient does need to provide certain data and information to the facility where the treatment will take place. This data is personal and confidential and should be protected with all appropriate levels of security. Unfortunately, a rehabilitation center's system in Michigan was compromised.

This affected the Sacred Heart Rehabilitation Center. As noted, this is located in Michigan in Macomb County (Richmond) on Stoddard Road. The facility provides HIV/AIDS care. It also provides substance abuse treatment services. It has operated as a non-profit since 1967. As this is a non-profit, the last thing it needed was the expense of a compromise, incident response, and putting new controls and policies in place. This is only on the internal administrative side. There will be more issues with the US Department of HHS, as this involved HIPAA data and information.

Attack
The tool the attackers used is all too familiar. This, unfortunately, has a great ROE (return on equity) and ease of use, which makes it a favorite choice. This successful compromise shows the phishing attack is alive, well, and effective. The compromise was due to a simple, yet successful phishing campaign. The estimated attack period was between April 5-7, 2018. From the forensic work already done, it appears as though one employee's email was compromised.

This significant, deep compromise is another example of what can go wrong when one employee’s email is compromised. All it takes is the right person in the right position and department to click once.

Data Exfiltrated
The compromised employee's email account, unfortunately, contained patients' information. This included the patients' full names, addresses, health insurance information, medical treatment information, medical diagnoses, and/or social security numbers. This is just the right combination of data to make someone's life even more interesting. As the patients are exceptionally sick, they and their families did not need this stress. On the other side of the coin, the data and information is very valuable to the attackers and could be sold as one lot, or divided into sections and sold to many persons.

Remediation
Once the administration learned of the issue on November 16, 2018, the rehabilitation center began an investigation, which is a great idea. The rehabilitation center contracted with third parties to complete the cybersecurity forensic work. The Sacred Heart Rehabilitation Center identified the affected parties. The forensic work indicated the affected parties, thankfully, were limited. Letters were mailed to the affected parties on January 9, 2019. The patients whose social security numbers were exposed were offered a credit monitoring service and identity theft restoration for a year, free of charge. The patients also have been given a best practices document to show them how to best defend their data. The rehabilitation center is also providing additional training for the staff.

???
The compromise itself brings up many issues. Since the successful attack and compromise took place in April, why did it take seven months for them to figure it out? If there was a SIEM in place, and it was being monitored, it seems as though this should not have taken nearly this long. Even if there was not a SIEM in place, which sounds odd, there should have still been a periodic log review. Surely the mass of data flowing to an odd IP address would have indicated something unusual was going on.
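The log review the post says should have caught the compromise can be expressed as a rule: compare what each host sends to its usual destinations against what it sends anywhere else. The following is an added example, not the center's SIEM or any code from the cited articles; the key=value flow-log format, the addresses, the byte counts and the "known destination" list are all constructed.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed flow-log lines. A SIEM would normalise firewall or NetFlow
# records into something similar; these are not real traffic captures.
SAMPLE_FLOWS = """\
2018-04-06T09:12:01Z src=10.0.5.21 dst=10.0.9.4 dport=443 bytes=5242880
2018-04-06T09:40:17Z src=10.0.5.21 dst=10.0.9.4 dport=443 bytes=4194304
2018-04-06T10:02:55Z src=10.0.5.21 dst=10.0.9.8 dport=25 bytes=2097152
2018-04-06T02:13:44Z src=10.0.5.21 dst=203.0.113.77 dport=443 bytes=734003200
2018-04-06T02:51:09Z src=10.0.5.21 dst=203.0.113.77 dport=443 bytes=655360000
2018-04-06T11:05:30Z src=10.0.5.33 dst=10.0.9.4 dport=443 bytes=3145728
2018-04-06T11:20:12Z src=10.0.5.33 dst=198.51.100.9 dport=443 bytes=1048576
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)

# Destinations the organisation recognises (constructed): its own mail and file
# servers. Anything else counts as an "odd IP address" for this rule.
KNOWN_DESTINATIONS = {"10.0.9.4", "10.0.9.8"}


def parse_flows(text):
    """Yield (ts, src, dst, dport, byte_count) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["src"], m["dst"], int(m["dport"]), int(m["bytes"])


def egress_alerts(text, known=KNOWN_DESTINATIONS, factor=10.0, min_bytes=100 * 2**20):
    """Flag (src, dst) pairs sending far more to an unknown destination than the
    same host normally sends to known ones.

    Baseline per source = median bytes per flow to known destinations. A pair
    is reported when the destination is unknown, the total exceeds min_bytes,
    and the total exceeds factor * baseline (or the host has no baseline).
    """
    to_known = defaultdict(list)
    to_unknown = defaultdict(int)
    for _ts, src, dst, _dport, nbytes in parse_flows(text):
        if dst in known:
            to_known[src].append(nbytes)
        else:
            to_unknown[(src, dst)] += nbytes
    alerts = []
    for (src, dst), total in sorted(to_unknown.items()):
        if total < min_bytes:
            continue  # small talk to unknown hosts is normal web browsing
        baseline = median(to_known[src]) if to_known[src] else 0
        if baseline == 0 or total > factor * baseline:
            alerts.append({"src": src, "dst": dst, "bytes": total, "baseline": baseline})
    return alerts


if __name__ == "__main__":
    for a in egress_alerts(SAMPLE_FLOWS):
        print(f"ALERT {a['src']} -> {a['dst']}: {a['bytes']} bytes (baseline {a['baseline']})")
```

On the constructed data the rule fires once, for the roughly 1.3 GB pushed overnight to 203.0.113.77, while the small download from the other host to an unknown address stays below the reporting floor.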

The credit monitoring sounds good to the consumer and patient; however, a year does not mean much. The data exfiltrated from the unfortunate patients is static for that point in time, and some of it is permanent. If the attackers were to attach a note to the data as they sell it to the many interested people and organizations, asking them to wait one year and one week before doing anything with it, the defensive measure would be an epic fail.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.


Resources
Brown, B. (2019, January 10). Sacred Heart Rehabilitation Center breach exposed patients' information. Retrieved from https://nbc25news.com/news/local/sacred-heart-rehabilitation-center-breach-exposed-patient-information

Fox News. (2019, January 10). Breach exposes some Michigan patients' personal information. Retrieved from https://fox17online.com/2019/01/10/breach-exposes-some-michigan-patients-personal-information/

Laine, C. (2019, January 10). Security breach involved patients' names, medical information, social security numbers. Retrieved from https://www.whem.com/news/security-breach-involved-patients-names-medical-information-social-security-numbers/

Jordan, H. (2019, January 10). Security breach exposed patient information at Sacred Heart Rehabilitation sites in Michigan. Retrieved from https://www.mlive.com/news/saginaw-bay-city/2019/01/security-breach-exposed-patient-information-at-sacred-heart-rehabilitation-sites-in-michigan.html

Midland Daily News. (2019, January 10). Sacred Heart Rehabilitation Center reports online security incident. Retrieved from https://www.ourmidland.com/news/article/Sacred-Heart-Rehabilitation-Center-reports-online-13523247.php

Voice News. (2019, January 10). Patient info breach at Sacred Heart Rehabilitation Center in Richmond Township. Retrieved from http://www.voicenews.com/news/patient-info-breach-at-sacred-heart-rehabilitation-center-in-richmond/

WWJ. (2019, January 10). Security breach exposes some Michigan patients' personal information. Retrieved from https://wwjnewsradio.rdio.com/articles/security-breach-exposes-some-michigan-patients-personal-information



Sunday, April 7, 2019

Woesnotgone Meadow; April 5, 2019


In the Meadow, we are online quite frequently. One headache the residents have dealt with has been with passwords. Some of our residents have found it difficult to remember all the passwords they have for the different sites. Most of the residents have begun using a password manager. Margie from the library recommended using a password manager. Generally, these work fine. This was not the case, however, with Blur.

Abine is the corporate entity behind Blur, a password manager, and DeleteMe, an online privacy protection service. Abine encrypts the passwords users store with Blur. Blur's service is to improve the user's privacy with its secure password management service.

There was a rather significant compromise recently. This was not actually an attack, but more of a case of negligence. A reasonably prudent person would secure the cloud platform where the data was located. If the person was not exactly sure how to do this, they would then research it or hire a party to do it. After all, the company is the steward of the data and is responsible for it.

This did not exactly happen here. An Amazon S3 storage bucket contained the subject file. This bucket was unfortunately misconfigured. On December 13, 2018, the business was notified by a security researcher that there was an issue. The business had no idea. A server was accessible and exposed a file with sensitive client information. Post-notification, the business did examine this, as you would expect instead of just taking the word of a researcher, and found the assertion was correct. This was announced on their business blog.

Of all the potential companies to have an insecure file open and accessible, this was the one. This should not have been misconfigured and insecure, given what the company focused on.

In this specific instance, there were 2.4M Blur users affected. The affected users were the ones who registered prior to January 6, 2018. The user data was left exposed and accessible. This included the user's email address, a portion of the user's first and last name, the user's password hints, the last two IP addresses used to log in to the Blur app, and the user's encrypted password. In this case, no DeleteMe user data was involved.

As noted, this was not exactly an attack. The data was openly exposed and accessible, however, there was no direct evidence the data was exfiltrated.

This was another example of a misconfigured AWS S3 bucket. There may have been a time issue, or other factors involved. One of the managers should have actually reviewed the configuration, and not just checked the box.
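"Actually reviewing" a bucket means reading its ACL, its bucket policy and its Public Access Block settings, not just noting that it exists. The following is an added example, not Abine's code or anything from the cited articles; it audits the three documents in the shape the S3 API returns them (GetBucketAcl grants, a policy document, PublicAccessBlockConfiguration) and the bucket name, grants and policy below are constructed.

```python
import json

# Group URIs AWS uses in S3 ACL grants for "everyone" and "any AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_public(principal):
    """True when a policy statement's Principal is the wildcard account."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def acl_findings(acl):
    """Report ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant.get('Permission')} to {group}")
    return findings


def policy_findings(policy):
    """Report Allow statements open to any principal with no Condition narrowing them."""
    findings = []
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for st in statements:
        if st.get("Effect") == "Allow" and _principal_is_public(st.get("Principal")) and not st.get("Condition"):
            actions = st.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            findings.append(f"policy {st.get('Sid', '<no Sid>')} allows {','.join(actions)} to everyone")
    return findings


def audit_bucket(acl, policy, public_access_block):
    """Combine the three views of a bucket's exposure into one findings list.

    When all four Public Access Block settings are on, public ACLs and policies
    are neutralised, so those findings are reported as mitigated rather than open.
    """
    blocked = all(public_access_block.get(k) for k in BLOCK_KEYS)
    findings = acl_findings(acl) + policy_findings(policy)
    if findings and blocked:
        return [f"(mitigated by Public Access Block) {f}" for f in findings]
    if not blocked:
        findings.append("Public Access Block is not fully enabled")
    return findings


# Constructed configuration of a bucket left readable by anyone, the kind of
# misconfiguration the post describes. The owner ID is a placeholder.
EXPOSED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
EXPOSED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}""")
NO_BLOCK = {k: False for k in BLOCK_KEYS}
# The corrected posture: owner-only ACL, no bucket policy, all four block settings on.
PRIVATE_ACL = {"Grants": EXPOSED_ACL["Grants"][:1]}
FULL_BLOCK = {k: True for k in BLOCK_KEYS}

if __name__ == "__main__":
    print("exposed:", audit_bucket(EXPOSED_ACL, EXPOSED_POLICY, NO_BLOCK))
    print("private:", audit_bucket(PRIVATE_ACL, {}, FULL_BLOCK))
```

Run against real buckets, the same three functions would take the output of the corresponding S3 API calls; an empty findings list is the only result that should pass a "reviewed" checkbox.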

Resources
Abrams, L. (2019, January 2). Abine Blur password manager user data exposed online. Retrieved from https://www.bleepingcomputer.com/news/security/abine-blur-password-manager-user-data-exposed-online/

Cimpanu, C. (2019, January 2). Data of 2.4 million Blur password manager users left exposed online. Retrieved from https://www.zdnet.com/article/data-of-2-4-million-blur-password-manager-users-left-exposed-online/

Smith, A. (2019, January 2). Data on 2.4M Abine Blur users 'potentially exposed'. Retrieved from https://www.pcmag.com/news/365672/blur-users-personal-details-potentially-exposed

Waqas. (2019, January 3). Abine Blur password manager exposed data of 2.4M users. Retrieved from https://www.hackread.com/abine-clur-password-manager-exposed-data-of-users/