This Month in Cybersecurity - November Edition

McLaren Health Care Notifies Users of Data Breach

McLaren Health Care, a health care delivery system, has sent out an incident notification letter stating that the personal information of roughly 2.2 million individuals in its system was compromised. The breach, which occurred earlier this year, has been attributed to unauthorized access to the company’s network, which was determined to have taken place between July 28 and August 23, 2023.

The information has not been shown to have been misused in any way, but the ransomware group Alphv/BlackCat has claimed responsibility for stealing the data and is threatening to auction it. No further insight into how the breach occurred has been released; McLaren has been working with the Maine Attorney General’s office and disclosing information about the leak.


OpenAI’s ChatGPT Experiencing Regular Outages

OpenAI reported outages of both the ChatGPT web interface and the associated APIs that allow other programs to interface with ChatGPT directly. According to OpenAI, the outages were caused by ongoing DDoS attacks. The company has stated that the incident is resolved, but security experts warn that this is only the beginning of increased attention directed at OpenAI and other AI companies.

As AI grows and attracts more attention, attacks like these are expected to become more common, and a DDoS can also serve as a distraction that hides an attempt at data exfiltration. AI companies are a prime target for threat actors and ransomware groups because they hold massive amounts of valuable data.

OpenAI did not confirm who the attacker was, but a group known as Anonymous Sudan has claimed responsibility, citing political reasons as its primary motive.


SEC Draws Line in the Sand With Latest Suit

For years, organizations handling sensitive government data have been able to flout the cybersecurity requirements in Department of Defense (DoD) and other federal contracts by simply self-reporting perfect scores, knowing that no true audit would be conducted. The SEC’s recent lawsuit against SolarWinds and its CISO, which alleges that the company misrepresented the state of its cybersecurity program to investors, shows that the government is coordinating to enforce cybersecurity obligations and to hold organizations accountable for what they claim about their security.

The self-attestations that the DoD requires from prime and subcontractors are a condition of the lucrative contracts these organizations sign, but as of last year only 36% of those contractors were reporting scores to the federal database (the Supplier Performance Risk System, SPRS), according to a study conducted by Merrill Research. These requirements are due for an overhaul under the pending Cybersecurity Maturity Model Certification (CMMC) 2.0 rule.

CMMC will institute a program that audits contractors and enforces the requirements, holding them truly accountable for the first time as cybersecurity becomes an ever larger concern for the United States government. In the worst case, a contractor found to be out of compliance will be subject to enforcement action and to cancellation of current and future contracts with the DoD and the United States government.

Cyber Defense is available to discuss these updated regulations and to help implement them so that you avoid the consequences of non-compliance. Please reach out if you require assistance!


Defensible Strategies

Learn from those who have been attacked

Data of Aerospace Company Boeing Leaked by Ransomware Group

After a cybersecurity event in late October, aerospace giant Boeing has had more than 43 gigabytes of data leaked by LockBit. LockBit is a ransomware-as-a-service group that has been one of the largest and most resilient such groups, active for more than four years with thousands of victims. According to the group, the information it obtained during the attack was posted to its leak site after Boeing did not make contact.

The data, which Boeing has not confirmed, appears to consist of system information, configuration backups, and logs from monitoring and auditing tools. Some of the published data are backups from Citrix appliances, which has sparked speculation that the attack may have been perpetrated by exploiting a recently disclosed Citrix NetScaler vulnerability (CVE-2023-4966), but neither LockBit nor Boeing has confirmed the method of attack.


Data Breach Disclosed by State of Maine, 1.3 Million People Impacted

The State of Maine has disclosed a data breach resulting from the large-scale hacking campaign that targeted the MOVEit file transfer tool. The attack took place on May 28 and 29, 2023, but the breach was only confirmed in a recent Notice of Security Incident.

According to the State, the incident was limited to the file transfer tool, but sensitive data including Social Security numbers, driver’s license and state identification numbers, and other information belonging to 1.3 million people was compromised. According to the notice, the State of Maine immediately blocked internet access to and from the MOVEit server and took other steps to secure the information.

In response, the State of Maine has set up a call center to help people determine whether their data was involved. The state has also offered two years of complimentary credit monitoring and identity theft protection services to those whose data was exposed.

NOTICE

New York has implemented an amendment to the DFS cybersecurity regulation (23 NYCRR Part 500) that may significantly impact your operations. Many of these changes were originally proposed during the regulation’s proposal stage.

For a comprehensive overview of these changes, we have prepared a detailed web page where Jim outlines the amendments section by section. You can access this resource at the following link: https://cyberd.us/dfs-reg-500-2nd-amendment

Cyber Defense is happy to assist with navigating these changes and bringing your company into compliance, so please do not hesitate to contact us as soon as possible!

DFS 500 Second Amendment Implementation Dates

Today I attended a presentation by the superintendent and deputy superintendent of the New York State Department of Financial Services. A lot of information was provided, and we intend to make multiple posts based on the information we learned.

As a first step, here are the implementation dates provided by DFS. In general, these apply to “standard” non-exempt organizations. Where possible, we will outline requirements for covered entities with limited exemptions.


Navigating the Latest Updates to the New York State Department of Financial Services (NYS DFS) Cybersecurity Regulations: Impact on Covered Entities

The New York State Department of Financial Services (NYS DFS) has rolled out critical updates to its cybersecurity regulation, effective November 1, 2023. The blog post walks through the changes affecting covered entities in the financial sector. From expanded risk assessments and stricter multi-factor authentication requirements to enhanced encryption requirements, these updates are designed to strengthen defenses against emerging cyber threats. The regulation now demands a proactive approach, with a specific focus on timely reporting of cybersecurity events. Read the full post for comprehensive insights into the Nov. 1, 2023 updates and their implications for financial entities operating in New York State.


This Month in Cybersecurity - October Edition

Unpatched Cisco Zero-Day Vulnerability Actively Targeted

Cisco has announced a critical, unpatched security flaw in the web UI feature of its IOS XE software. The flaw, tracked as CVE-2023-20198, has been assigned a CVSS score of 10.0, the maximum rating on the scoring system.

The vulnerability allows threat actors to create accounts on affected systems with the highest privilege level (level 15) and take control of the device. No fix is available yet, so Cisco recommends disabling the HTTP server feature on all internet-facing systems, or at a minimum restricting web UI access to trusted source addresses.

Similar vulnerabilities have been seen in other network appliance vendors’ products, such as WatchGuard firewalls, which impacted several local businesses at the time. Cyber Defense has long recommended removing administrative interfaces from the internet as a best practice and highlights this in penetration test reports.
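As an added example (not Cisco’s tooling and not part of the original newsletter), the following script audits a captured IOS XE running-config for the web UI listeners that Cisco advised disabling and prints the commands that turn them off. It assumes the config was captured with “show running-config”, that “ip http server” and “ip http secure-server” are the lines that enable the web UI, and that “ip http access-class” is the knob that restricts it to trusted addresses. The config fragment is constructed for the example, not taken from a real device.

```python
"""Audit a Cisco IOS XE running-config for an internet-reachable web UI.

Added example for this newsletter; not Cisco's own tooling. Assumptions:
the config text comes from `show running-config`, the `ip http server` /
`ip http secure-server` lines enable the web UI targeted by CVE-2023-20198,
and `ip http access-class <acl>` is what restricts it to trusted sources.
"""
import re

# Constructed sample running-config fragment (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
ip http authentication local
!
interface GigabitEthernet0/0/0
 description WAN uplink
 ip address 198.51.100.10 255.255.255.0
!
"""

# Match only the listener lines; `no ip http server` starts with "no" and
# therefore does not match, so an explicitly disabled listener is not flagged.
HTTP_RE = re.compile(r"^ip http (server|secure-server)\s*$", re.M)
ACL_RE = re.compile(r"^ip http access-class ", re.M)


def audit_web_ui(config_text: str) -> dict:
    """Report which web-UI listeners are on and whether an access-class restricts them."""
    enabled = set(HTTP_RE.findall(config_text))
    return {
        "http_enabled": "server" in enabled,
        "https_enabled": "secure-server" in enabled,
        "access_class_present": bool(ACL_RE.search(config_text)),
    }


def remediation(findings: dict) -> list:
    """IOS configuration commands that remove the listeners flagged by audit_web_ui()."""
    cmds = []
    if findings["http_enabled"]:
        cmds.append("no ip http server")
    if findings["https_enabled"]:
        cmds.append("no ip http secure-server")
    return cmds


if __name__ == "__main__":
    found = audit_web_ui(SAMPLE_CONFIG)
    print("findings:", found)
    if found["http_enabled"] or found["https_enabled"]:
        status = "restricted by access-class" if found["access_class_present"] else "UNRESTRICTED"
        print(f"web UI enabled ({status}); apply in config mode:")
        for cmd in remediation(found):
            print("  " + cmd)
```

On the sample config both listeners are enabled with no access-class, so the script reports the web UI as unrestricted and emits “no ip http server” and “no ip http secure-server”. Run it against a config where those lines are already negated and it returns no remediation, which is the state an internet-facing device should be in.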


Zoom Links Offer Exploitation Point for Organizations

Zoom offers Personal Meeting IDs (PMIs) so that meetings can be scheduled or started quickly and easily. A PMI is a personal meeting room that is available around the clock to both you and your clients, but because the ID is static, anyone who learns the PMI, or who receives a link with the passcode embedded, can join that room.

A security researcher found that the meetings of many organizations can be accessed by threat actors seeking private information shared in those meetings, either by impersonating a participant or by joining an ongoing meeting. Fortunately, the controls that prevent this are already built into Zoom, and the researcher suggests enabling at least one of the following:

  • Require a Passcode to Join

  • Only Allow Registered Users

And of course, there is always the choice to disable the Personal Meeting ID for public meetings altogether.


CISA Shares Knowledge of Vulnerabilities and Misconfigurations

CISA launched an initiative this year, the Ransomware Vulnerability Warning Pilot, to draw attention to known vulnerabilities and hopefully prevent ransomware incidents. This week it added two resources to the program: a ransomware-use indicator in the existing Known Exploited Vulnerabilities (KEV) Catalog, and a new Misconfigurations and Weaknesses list.

The KEV Catalog lists vulnerabilities that CISA has confirmed are being exploited in the wild, and each entry now states whether the vulnerability is known to have been used in ransomware campaigns. The Misconfigurations and Weaknesses list complements the KEV Catalog by covering weaknesses that have no CVE, such as those created by misconfigurations.
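As an added example (not CISA’s code and not part of the original newsletter), the following script shows how a shop can put the new ransomware flag to work: it indexes the KEV feed by CVE, matches it against a scanner’s list of open CVEs per host, and orders the hits so that ransomware-linked vulnerabilities come first and the most overdue against CISA’s due date follow. The feed is normally fetched from https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; here a constructed excerpt in the same JSON shape is embedded so the script runs offline, and the dates and flags in it are illustrative rather than a copy of CISA’s entries. The host inventory is also constructed.

```python
"""Prioritize open CVEs using the CISA KEV catalog and its ransomware flag.

Added example for this newsletter, not CISA's own code. The JSON shape
(top-level "vulnerabilities" list with cveID, dateAdded, dueDate and
knownRansomwareCampaignUse) follows CISA's published feed; the excerpt
below is constructed so the script runs without network access.
"""
import json
from datetime import date

# Constructed excerpt in the KEV feed's format (values illustrative).
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2023-20198", "vendorProject": "Cisco",
         "product": "IOS XE Web UI", "dateAdded": "2023-10-16",
         "dueDate": "2023-10-20", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-4966", "vendorProject": "Citrix",
         "product": "NetScaler ADC and Gateway", "dateAdded": "2023-10-18",
         "dueDate": "2023-11-08", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2023-34362", "vendorProject": "Progress",
         "product": "MOVEit Transfer", "dateAdded": "2023-06-02",
         "dueDate": "2023-06-23", "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed asset inventory: open CVEs a scanner reported, per host.
INVENTORY = {
    "edge-rtr-01": ["CVE-2023-20198"],
    "vpn-gw-02": ["CVE-2023-4966", "CVE-2021-99999"],
    "ftp-01": ["CVE-2023-34362"],
}


def load_kev(feed_json: str) -> dict:
    """Index the KEV feed by CVE id for O(1) lookups."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def prioritize(inventory: dict, kev: dict, today: date) -> list:
    """Return KEV hits per host, ransomware-linked first, then most overdue.

    CVEs that are open but absent from KEV are skipped here; they still
    need patching but are not the ones CISA has confirmed under attack.
    """
    hits = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            hits.append({
                "host": host,
                "cve": cve,
                "product": entry["product"],
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                "days_overdue": max((today - due).days, 0),
            })
    hits.sort(key=lambda h: (not h["ransomware"], -h["days_overdue"]))
    return hits


if __name__ == "__main__":
    for hit in prioritize(INVENTORY, load_kev(KEV_SAMPLE), date(2023, 11, 15)):
        flag = "RANSOMWARE" if hit["ransomware"] else "exploited"
        print(f'{hit["host"]:12} {hit["cve"]:15} {flag:10} '
              f'{hit["days_overdue"]:4d} days past due  ({hit["product"]})')
```

With the sample data and a run date of November 15, 2023, the MOVEit host comes out on top (ransomware-linked and 145 days past due), then the Citrix gateway (ransomware-linked, 7 days), then the Cisco router (exploited but not yet flagged for ransomware, 26 days). The CVE not present in KEV is dropped from this list rather than being treated as a confirmed-exploited item.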


Defensible Strategies

Learn from those who have been attacked

Genetic Testing Provider 23andMe Facing Lawsuits After Hack

Last month, a threat actor released a large file containing customer data gathered from the genetic testing provider. The company announced that the attacker gained access by using compromised user credentials against weakly secured accounts. The original threat actor withdrew the file in order to sell the data of specific profiles, but other actors have continued to repost it.

Even users who had taken the additional step of enabling multi-factor authentication found themselves victims of the breach because of weaknesses on 23andMe’s side. This has led to multiple lawsuits, which also cite the lack of information about the current safety of user data, the lack of detail about the attack itself, and the delay in 23andMe’s reporting of the incident.
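As an added example (not 23andMe’s code or logs, and not part of the original newsletter), the following script shows the kind of detection that catches logins made with leaked credentials before a large-scale download can follow. It assumes the attacker replays username and password pairs from a small number of source addresses, which shows up in authentication logs as one IP failing against many distinct accounts in a short window with occasional successes; the log format and the lines themselves are constructed for the example.

```python
"""Flag credential-replay (stuffing) patterns in authentication logs.

Added example for this newsletter, not 23andMe's code or data. The
heuristic assumes leaked username/password pairs are replayed from a few
source IPs: one IP touching many distinct accounts with a high failure
rate. Log format is a constructed, simplified "ts ip user RESULT".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (timestamp, source IP, username, result).
SAMPLE_LOG = """\
2023-10-01T02:00:01Z 203.0.113.7 alice FAIL
2023-10-01T02:00:02Z 203.0.113.7 bob FAIL
2023-10-01T02:00:03Z 203.0.113.7 carol OK
2023-10-01T02:00:04Z 203.0.113.7 dave FAIL
2023-10-01T02:00:05Z 203.0.113.7 erin FAIL
2023-10-01T02:00:06Z 203.0.113.7 frank OK
2023-10-01T02:00:07Z 203.0.113.7 grace FAIL
2023-10-01T02:10:00Z 198.51.100.4 alice FAIL
2023-10-01T02:10:05Z 198.51.100.4 alice FAIL
2023-10-01T02:10:09Z 198.51.100.4 alice OK
"""


def parse(log_text: str) -> list:
    """Turn log lines into (timestamp, ip, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def detect_stuffing(events: list, window: timedelta = timedelta(minutes=5),
                    min_users: int = 5, min_fail_ratio: float = 0.5) -> dict:
    """Sliding window per source IP; alert when one IP hits >= min_users distinct
    accounts and at least min_fail_ratio of its attempts fail.

    Returns {ip: {"users": n, "fails": n, "successes": [usernames]}} where the
    successes are the accounts that should be reset and have sessions revoked.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if e[3] == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                alerts[ip] = {
                    "users": len(users),
                    "fails": fails,
                    "successes": sorted({e[2] for e in win if e[3] == "OK"}),
                }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {info['users']} accounts tried, {info['fails']} failures, "
              f"compromised logins: {', '.join(info['successes'])}")
```

On the sample, 203.0.113.7 is flagged (seven accounts in six seconds, five failures) and the two accounts it logged into successfully, carol and frank, are returned as the ones to force-reset and log out. The second address is not flagged: three attempts against a single account is a brute-force or a user mistyping, not credential replay, and would need a separate rule. A real deployment would also rate-limit or step-up authentication for a flagged source rather than only reporting it.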

This illustrates the value of reporting early and often, both to manage the reputational impact of a data breach and to reduce the liability associated with it. In the event of a breach, it is important to engage a breach coach as early as possible in the incident response process. Breach coaches, who are privacy-trained attorneys, are included in most cyber liability insurance policies.


2017 Equifax Data Breach Incurs $13.5 Million Fine

In 2017, Equifax was the victim of a data breach that resulted from improper management of data. The Financial Conduct Authority (FCA) of the United Kingdom determined that the leak happened because of failures in managing and monitoring consumer data that had been outsourced to the company’s United States parent.

The FCA also found that Equifax’s security systems were “plagued with known weaknesses” and that no action was taken to fix them. For this negligence and mishandling of data, the FCA has fined Equifax a total of $13.5 million, on top of the $700 million settlement in the United States. The US settlement also required the company to invest a minimum of $1 billion in improving its data security posture.