At a glance.
- Shanghai National Police breach traced to exposed database dashboard.
- Update on the Marriott International breach.
- California community college suffers malware attack.
- Maui ransomware is no vacation.
- NPM supply chain attack appears to be part of a large-scale campaign.
Shanghai National Police breach traced to exposed database dashboard.
In what many are calling the largest data breach in history, a hacker claims to have stolen the data of a staggering one billion Chinese residents from a Shanghai National Police database. Cybersecurity experts have verified that the breach was the result of an oversight that left a dashboard used to manage the data exposed on a public web address without password protection, essentially making it fair game to anyone with basic technical knowledge. Vinny Troia, founder of dark web intelligence firm Shadowbyte, told the Wall Street Journal, “That they would leave this much data exposed is insane.” The data remained exposed for over a year, until the hacker in question wiped it clean, replacing the data with a ransom note demanding ten bitcoin for its return. Names, addresses, national identification numbers, phone numbers, and criminal case details are among the compromised data, and the Christian Science Monitor notes that dates of birth indicate the trove includes information on minors.
Though the Shanghai government has not yet spoken publicly about the incident, at a State Council meeting led this week by Premier Li Keqiang, lawmakers emphasized the need “to improve security management provisions, raise protection abilities, protect personal information, privacy and commercial confidentiality in accordance with the law.” Kendra Schaefer, a partner at Beijing-based consultancy Trivium China, told Bloomberg, “The breach has clearly caught the attention of China’s top leadership — and no wonder. It is particularly embarrassing for a government body to be the source of the largest known data breach in China’s history, particularly at a time when data security has become one of China’s top policy priorities.”
Daron Hartvigsen, Managing Director at StoneTurn, wonders whether the criminals’ business model will play in Shanghai:
“China is long overdue for experiencing a breach of this scale – many are calling this compromise of the Shanghai Police records the single largest data theft of personal data to date, perhaps the biggest hack in history. Historically, China is often disregarded as a viable target for criminal cyber exploitation. Threat actors typically focus on targets likely to cave to ransom and extortion demands. It is not clear if this business model will result in similar financial returns in China. This doubt is likely evident by the threat actors themselves as they are now seeking to monetize the stolen information through sale on the open market rather than attempting to extort the Shanghai government.
“Recently, the US government, Law Enforcement and service providers have partnered to counter cyber criminals and have successfully pursued and taken down threat actor infrastructures. It will be interesting to watch whether China borrows from that playbook and goes on the offensive by identifying and targeting the entities responsible for the Shanghai Police compromise.”
Update on the Marriott International breach.
As we noted yesterday, an unnamed hacker group informed DataBreaches.net that it had infiltrated the servers of hospitality giant Marriott International and exfiltrated 20GB of employee and hotel guest data. The Register explains that a member of the gang says they’re a red hat organization, indicating they’re not as ethical as white hat hackers, but avoid encrypting data or targeting governments or critical infrastructure. The Record by Recorded Future reports that Marriott confirmed the breach was the result of a successful social engineering attack, and that between three hundred and four hundred individuals were impacted. A spokesperson added Marriott refused to meet the hackers’ ransom demands, and that the stolen data “primarily contained non-sensitive internal business files regarding the operation of the property.”
Many security experts have offered their observations on the incident. Arti Raman, CEO and Founder, Titaniam, thinks the incident is another reason to look into encryption of data-in-use. She wrote:
“In the recent data breach confirmed by Marriott, hackers claimed to have stolen 20 gigabytes of sensitive data including guests’ credit card information. As hacks and extortion become more and more frequent, to truly minimize the risk of potential extortion and minimize lost clear text data, a data security platform, specifically data-in-use encryption, also referred to as encryption-in-use, is the only option for complete protection and peace of mind.
“Utilizing data-in-use encryption technology provides unmatched immunity. Should adversaries gain access to data, by any means, data-in-use encryption keeps the sensitive data encrypted and protected even when it is being actively utilized. This helps neutralize all possible data-related leverage and limits the need for breach disclosure.”
Steve Moore, chief security strategist, Exabeam, lists the characteristics of the unknown group behind the incident. They seem to know what they’re doing:
“According to the unnamed group that claimed responsibility for this attack, their ‘patient zero’ was tricked into providing access to the computer on Marriott’s network – this is common and often defeats even the best security controls. Even with social engineering, there’s typically a short list of methods employed by the adversary post-contact. Therefore, defenders must focus on the truths of what comes next – credential theft and misuse, along with deviant behavior. Some interesting attributes of this new, unnamed adversary group include:
- “They seem very disciplined and measured in their actions – a sign of maturity.
- “They don’t want a high profile, to the point they aren’t sharing a moniker.
- “They aren’t new; they claim they’ve worked successfully for five years, an incredibly long tenure.
- “They also don’t go after governments, only businesses – this is likely a self-preservation method.
- “They focus not on encryption, but instead on theft and extortion to not impact operations.
- “Lastly, they begin with social engineering and likely persist with credentials.”
Roger Grimes, data-driven defense evangelist at KnowBe4, observes that social engineering is usually the point of entry in such attacks.
“The most common method by hackers for breaching data is social engineering, just like what happened in this instance. The particular method, where an employee is contacted and tricked into providing access to a hacker, which then accesses data files has happened many times in the past. Organizations need to ensure that all employees are frequently educated about this type of social engineering, receiving training at least once a month followed by simulated phishing tests, to see how well employees understood and deployed the training. Employees found to be susceptible to this particular type of phishing attack should be required to take more and longer training until they have developed a natural instinct to put these types of attacks.”
James McQuiggan, security awareness advocate, also at KnowBe4, sees the case as providing another reason to limit privileges:
“Organizations need to identify and isolate critical data to only those required to access it. Too often, in data breaches, it is discovered that users have access to more data required to do their tasks effectively, and it is only found after the breach when it’s on the dark web being copied around that the user did not need it.
“Any sensitive data, like names, emails, or other personnel data like HR reviews, are to be protected with multi-factor authentication to increase the protection and reduce the risk of an attacker having easy access.”
Amit Shaked, CEO of Laminar, offered some reflections on the importance of transparency:
“Visibility into a company’s data is undeniably important but has gotten a lot more complicated in recent years. Data visibility was once limited to a self-contained, on-premises system. This is now extremely hard to come by in our multi-vendor, multi-cloud world.
“With the cloud allowing businesses to work from anywhere at any time, greater access drives higher levels or risk. The increased pace of change, as well as the sprawl of new cloud tech, has allowed data to spread around various places, leaving some data to be more-or-less invisible in a “dark corner.” Most breaches happen in these hiding places in the shadows.
“The key for business leaders to combat this and rise above data breach culture is having the tools to provide visibility into all of an organization’s cloud data. By doing so, data protection teams can understand where their ‘shadow’ data stores are, their security posture and who owns them. Doing so leads to data flowing smoothly and safely and allows teams to be able to identify when something goes amiss.”
California community college suffers malware attack.
The College of the Desert, a 12,500-student community college in the US state of California, was hit with a cyberattack that shut down the school’s online services and campus phone lines.
Speaking to the Record by Recorded Future, the college referred to the incident only as “computer network disruption” and on social media reported a “systemwide outage of most online services,” but the school’s public information officer identified the incident as a “malware attack” in an interview with a local newspaper. This is the school’s second attack in the past two years, further evidence that community colleges make attractive targets for cybercriminals.
Sally Vincent, Senior Threat Research Engineer at LogRhythm, wrote to point out that the College of the Desert is by no means alone. Other schools around the US have also been victimized over the past year:
“College of the Desert public information officer has confirmed that the school has been hit by a malware attack potentially affecting 12,500 students, following a similar attack on the school two years ago. Deemed a “computer network disruption” by other school officials, some essential school systems have been forced offline, while other programs such as Canvas, Microsoft Teams and Adobe are still available for student use.
“This attack on College of the Desert follows a string of similar cyberattacks in the last year– Ohlone College, Savannah State University, University of Detroit Mercy, Centralia College, Phillips Community College of the University of Arkansas, National University College, North Carolina A&T University, Florida International University, Stratford University, Austin Peay State University and Kellogg Community College have also suffered recent ransomware attacks. This increasingly hot target on universities should be taken seriously by IT and security teams and motivate them to ensure that cybersecurity best practices are top-of-mind.
“Falling victim to a malware attack is no guarantee that it won’t happen again in the near future, and attacks should be learning opportunities used to review incident response procedures and strengthen security posture. The first step in being proactive against these attacks is to invest in cybersecurity solutions that detect malicious behavior and enable network infrastructure to block any further access attempts. Additionally, authentication and access controls, detection and response capabilities and real-time monitoring and visibility are absolutely crucial to ensuring that higher education systems remain up and running. Prioritizing security controls helps organizations prepare for and thwart hazards and make certain that crucial practices remain undisrupted.”
Maui ransomware is no vacation.
Yesterday the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the US Department of the Treasury issued a joint cybersecurity advisory warning of a Pyongyang-led malware operation employing Maui ransomware. The campaign targets healthcare and public health organizations and has been in operation since at least May 2021. The advisory states that the state-sponsored threat actors “encrypt servers responsible for healthcare services – including electronic health records services, diagnostics services, imaging services, and intranet services,” but the initial access vector is unknown. Silas Cutler, principal reverse engineer at security outfit Stairwell, explained to the Register that Maui is one of the lesser known families of ransomware and is unique in its lack of service-oriented tooling, indicating it is operated by individuals who manually select files for encryption and exfiltration.
North Korean intelligence services are as financially motivated as any cybercriminal gang, since theft is one of the principal ways Pyongyang seeks to compensate for the financial effect of the sanctions it labors under. Chris Clements, vice president of solutions architecture at Cerberus Sentinel, commented on why healthcare organizations are particularly attractive targets:
“Healthcare is a frequent target for cybercriminals and geopolitical adversaries both due to the sensitivity of information they have, the criticality of services they deliver, and the relative ease of compromise compared with other verticals. The more sensitive and detailed the information an attacker is able to steal, the more valuable it is, both for potential resale as well as for constructing highly tailored secondary social engineering attack campaigns. Highly targeted social engineering like spear phishing can be incredibly convincing to even the wariest of targets and detailed medical information is a perfect way to create compelling lures. A person normally on guard for more easily identified phishing or scams like the untold number of fake contest winning or gift card messages that routinely fill the spam folder may be completely fooled by a targeted social engineering message spoofed to appear to come from their healthcare provider referencing actual information about their medical conditions, procedures, or billing.
“The criticality of the services delivered by many healthcare providers also contributes to those organizations being targeted for two main reasons. First, the need to restore operations as quickly as possible can drive healthcare organizations to more readily and swiftly pay any extortion demands stemming from ransomware. This is unfortunately sometimes the case even for organizations that have known good backups. Restoring from backups can be a lengthy undertaking, especially if it’s never been tested at organization-wide scale. A restoration process that’s tried and true for restoring a server here or there can fail completely when there’s suddenly a need to restore hundreds or thousands at once. To a victim finding themselves in a situation where rebuilding from backups may take weeks or even months, paying a ransomware demand can unfortunately appear to be an “easy button” to restoring operations. The second way that the criticality of healthcare service delivery can make these institutions targets can simply be the motivation to harm geopolitical adversaries in any way possible and disrupting access to medical care can be incredibly damaging. Finally, healthcare providers can commonly be easier targets to compromise than similarly size organizations in other verticals. Often medical provider technology environments can have dependencies on software packages or computing devices that are older and be affected by more vulnerabilities that can be difficult to patch assuming they are even supported by the original manufacturer at all. It’s not uncommon to find legacy software packages that only support older unsupported operating systems such as Windows Server 2008 or even 2003. Some medical devices like diagnostic equipment can also be notoriously bad, being built with integrated computing platform firmware like Windows 7 Embedded or even Windows XP Embedded. These legacy unsupported systems are at much higher risk of compromise should an attack gain initial access to networks where they reside. Worse, many of the devices affected by similar issues have no upgrade path to more modern and secure versions. This leaves care providers to go at risk or face the prospect of replacing what are typically very expensive machines that otherwise work perfectly well.”
Avishai “Avi” Avivi, CISO at SafeBreach, thinks paying ransom is generally a losing game.
“We certainly agree with the agencies’ recommendations to avoid paying the ransom. There is a real risk that the malicious actors will not provide the decryption key, and if they exfiltrated any of the data, there is no guarantee that they won’t share it with the dark web. Rather than investing in a pool of Bitcoins in advance of a ransomware attack, organizations should invest in a solid backup strategy. The strategy must include frequent, at least monthly, recovery testing to ensure the backups are viable.
“Healthcare organizations should also take all precautions to segment their networks and isolate environments to prevent the lateral spread of ransomware. These basic cyber-hygiene steps are a much better route for organizations preparing for a ransomware attack. We still see organizations fail to take the basic steps mentioned above. This, unfortunately, means that when (not if) ransomware makes it past their security controls, they will not have a proper backup, and the malicious software will be able to spread laterally through the organization’s networks.”
Stephan Chenette, Co-Founder and CTO, AttackIQ, notes that the value of health information continues to rise:
“The healthcare industry is one of the largest targets for cybercriminals due to protected health information (PHI) being extremely profitable on dark web marketplaces. This is because healthcare data usually contains fixed information, such as dates of birth and Social Security Numbers, which hackers can use to commit identity theft for years to come.
“Since the onset of the COVID-19 pandemic, we’ve seen threat actors leverage this global crisis to target healthcare organizations — stealing this highly valuable patient data and creating general unrest. This alert serves as the latest reminder that organizations simply don’t exercise their defenses enough, and healthcare organizations, in particular, should be evaluating their existing security controls to uncover gaps before an attacker finds them. To best defend against Maui ransomware attacks, it’s important to understand the common tactics, techniques and procedures used by the adversary. In doing so, organizations can build more resilient security detection, prevention and response programs mapped specifically to those known behaviors.
“Organizations that manage sensitive health information must adopt a threat-informed cyber-defense strategy tailored to focus on the adversaries most likely to impact their operations to maximize their ability to protect sensitive information. This should include mapping their security controls to specific attack scenarios, aligned to the MITRE ATT&CK® framework, to measure an organization’s cybersecurity readiness for the attacks that are sure to come. Additionally, companies should use automated solutions that safely validate their defensive controls against ransomware campaigns and their techniques to avoid falling victim.”
NPM supply chain attack appears to be part of a large-scale campaign.
As we noted yesterday, researchers at ReversingLabs have uncovered a widespread supply chain attack aiming to install malicious JavaScript packages delivered via the open source NPM package manager. “This attack marks a significant escalation in software supply chain attacks,” the researchers warned. Security Week notes the attack coincides with a recent advisory from global software security company Checkmarx on the discovery of a number of suspicious NPM uses and packages indicating preparations for a large-scale crypto mining campaign. Checkmarx explained, “[We] detected over 1200 npm packages released to the registry by over a thousand different user accounts. This was done using automation which includes the ability to pass NPM 2FA challenge. This cluster of packages seems to be a part of an attacker experimenting at this point.”
Tim Helming, cybersecurity evangelist with threat intelligence specialists DomainTools, had some kind words for the researchers at ReversingLabs, and he notes that for the crooks, a simple but workable approach is best:
“This great work by ReversingLabs highlights an important point: among all of the sophisticated technology used by cybercriminals, they often still make use of surprisingly simple methods to initiate hostile actions—in this case, creating malicious packages with names that closely imitate legitimate packages.
“This is very similar to the tactic used by many phishing campaigns where imitative domain names can deceive web users into clicking on a malicious URL. Criminals recognize and prey on the fact that when people are moving fast, under pressure, it’s easy to make small mistakes that can add up to much larger consequences.
“Users of all forms of computer technology should be on heightened lookout for spoofs, be they of domains, software packages, or other objects.”