Global Cyber News Digest

Daily News Digest

Stay current on the global cyber threat landscape and industry developments with CCOE’s daily digest and library of cybersecurity news and articles.

  • An NTSB for cyber attacks?

    zdnet.com | June 23, 2021
  • FBI employee indicted for stealing classified info on FBI cybersecurity work

    cyberscoop.com | June 23, 2021
  • Microsoft is finally getting rid of its most-hated product

    cnn.com | June 23, 2021
  • Microsoft Exchange admin portal blocked by expired SSL certificate

    bleepingcomputer.com | June 23, 2021
  • Bay Area water supply targeted by cybercriminals

    • Similar to the Oldsmar water treatment attack in Florida, the threat actor used legitimate credentials to break into remote access tool TeamViewer. After logging in, they deleted programs that the plant used to treat drinking water.
    • The unidentified criminal used a former plant employee's username and password to gain entry to the unidentified Bay Area water treatment facility on Jan. 15.
    • “The consequences of a data breach can vary greatly depending on the intention of the adversary. Some hackers simply aim to cause disruption. Others extract valuable PII to sell on the Dark Web, while others look to extort money due to ransomware. When a cyberattack is attempted against critical infrastructures such as hospitals, electrical grids, or water systems, the potential repercussions can affect thousands of individuals like you and me. It can be devastating — or even deadly. In fact, the 2020 Global State of Industrial Cybersecurity report found that 74% of IT security professionals are more concerned about a cyberattack on critical infrastructure than an enterprise data breach.” - Bill O'Neall, VP - ThycoticCentrify
    • “Working smarter with automation technologies in managing large volumes of data streams, analyzing them for anomalies and reporting risk in real time, is the only way forward for CNI protection. This, in partnership with continued user education in being diligent and applying critical thinking analysis to system activity reports, is critical.” - Sam Humphries, Exabeam
    hak-iq.us20.list-manage.com | June 21, 2021
  • CVS Health Faces Data Breach, 1B Search Records Exposed

    • More than 1 billion CVS Health search records were accidentally posted online in a data breach incident in late March by an unnamed third party vendor.
    • The records contained search data from CVS.com and CVSHealth.com for both COVID-19 vaccines and medications.
    • Independent cybersecurity researcher Jeremiah Fowler discovered the breach and quickly alerted CVS, and the database was taken offline the same day.
    • Fowler and the research team at WebsitePlanet discovered the database, which was not password-protected, on March 21st. Their findings uncovered CVS’ configuration settings and backend operations—information that could be used for phishing attacks if it were obtained by bad actors.
    • Even if no personal data was collected, a breach of this size can present legitimate risks to large organizations like CVS who track search data for analytics, marketing, and customer engagement purposes.
    • Fowler did not download the entire database due to ethical concerns. Because of this, it is unclear exactly how many CVS customers were impacted by the data breach.
    - Jill McKeon | June 21, 2021
    hak-iq.us20.list-manage.com | June 21, 2021
  • Over 30,000 Fertility Clinic Patients Hit by Ransomware Data Breach

    • Reproductive Biology Associates (RBA) was the first organization of its kind to offer IVF in the US state of Georgia and is the founding partner of the nationwide fertility clinic network My Egg Bank.
    • In a new breach notification, RBA claimed to have first become aware of a cyber-incident on April 16 this year, when it discovered that a file server containing embryology data had been encrypted.
    • “We quickly determined that this was the result of a ransomware attack and shut down the affected server, thus terminating the actor’s access, within the same business day. Based on our investigation, we believe the actor first gained access to our system on April 7, 2021 and subsequently to a server containing protected health information on April 10, 2021.”
    • 38,000 patients were exposed in the incident, with full names, addresses, Social Security numbers, lab results and “information related to the handling of human tissue” potentially impacted.
    - Phil Muncaster | June 21, 2021
    hak-iq.us20.list-manage.com | June 21, 2021
  • South Korea's Nuclear Research agency hacked using VPN flaw

    • South Korea's 'Korea Atomic Energy Research Institute' disclosed yesterday that their internal networks were hacked last month by North Korean threat actors using a VPN vulnerability.
    • KAERI states that they have updated the undisclosed VPN device to fix the vulnerability. However, access logs show that thirteen different unauthorized IP addresses gained access to the internal network through the VPN.
    • One of these IP addresses is linked to a North Korean state-sponsored hacking group known as 'Kimsuky' that is believed to work under the North Korean Reconnaissance General Bureau intelligence agency.
    • In October 2020, CISA issued an alert on the Kimsuky APT group and stated that they are "likely tasked by the North Korean regime with a global intelligence gathering mission."
    • More recently, Malwarebytes has issued a report on how Kimsuky (aka Thallium, Black Banshee, and Velvet Chollima) has been actively targeting the South Korean government using the 'AppleSeed' backdoor in phishing attacks.
    - Lawrence Abrams | June 19, 2021
    hak-iq.us20.list-manage.com | June 19, 2021
  • Ransomware Attacks Don’t Only Happen To Other Organizations…

    • Forty-one percent of insurance claims in the first quarter of 2021 were related to ransomware, as highly skilled criminals now target all industries, from banks to hospitals and national health services, industrial systems, oil pipelines or even meat processing plants, often creating widespread chaos in the process.
    • Washington is considering measures ranging from making the reporting of such incidents mandatory for companies, which have traditionally tried to deal with this type of situation discreetly, to fining those who pay ransoms, along with diplomatic actions towards the countries harboring these cybercriminals or even the possibility of a military response.
    • The reality is that cyberattacks are extremely versatile, since they can be prepared far in advance and activated at a crucial moment.
    • Cyber-attacks are relatively easy to carry out, and protecting society is complex, requiring anything from adopting zero-trust architectures to a complete rethink of systems and, above all, of the training of employees, who are often the weakest link in security.
    • Prepare your organization: train staff, develop a culture that values security, create efficient backup procedures, keep all systems properly updated, hire cybersecurity experts or consultants… don’t ever think that it can’t happen to you.
    - Enrique Dans | June 13, 2021
    hak-iq.us20.list-manage.com | June 13, 2021
  • McDonald's becomes latest company to be hit by data breach

    • McDonald's has become the latest company to be hit by a data breach after unauthorized activity on its network exposed the personal data of some customers in South Korea and Taiwan.
    • The fast-food giant said Friday that it quickly identified and contained the incident and that a thorough investigation was done.
    • "While we were able to close off access quickly after identification, our investigation has determined that a small number of files were accessed, some of which contained personal data," the burger chain said.
    hak-iq.us20.list-manage.com | June 13, 2021