The Week in Breach News: 07/19/23 – 07/25/23
This week: Two ransomware attacks with disputed provenance, three major medical data breaches, the tale of a phishing email in Mississippi and three cyberattack trends to watch in 2023.
Estée Lauder
https://www.securityweek.com/cosmetics-giant-estee-lauder-targeted-by-two-ransomware-groups/
Exploit: Ransomware
Estée Lauder: Beauty Company
Risk to Business: 1.734 = Severe
Legendary beauty brand Estée Lauder has disclosed that it has been the victim of a cyberattack that has resulted in data loss after an unauthorized third party gained access to some of its systems. The company warns that this incident will have an impact on its consumer-facing operations as well as its business operations. In an interesting twist, two different cybercrime gangs are claiming to have conducted successful attacks on Estée Lauder at virtually the same time. Cl0p claims to have hit the company as part of its MOVEit exploit spree. BlackCat/Alphv claimed that they’d attacked separately, saying on July 18 that they still had access to the company’s systems. Estée Lauder is working with Microsoft and Mandiant to investigate and remediate the incident.
How It Could Affect Your Customers’ Business: Zero-day exploits are cybercriminal gold mines, but there are measures that can be taken to reduce risk.
Kaseya to the Rescue: Explore how security awareness training helps organizations defend against today’s most dangerous cyber threats in this infographic. DOWNLOAD IT>>
Tampa General Hospital (TGH)
https://cybernews.com/security/choice-hotels-radisson-guest-info-breached-in-moveit-attacks/
Exploit: Ransomware
Tampa General Hospital (TGH): Medical Center
Risk to Business: 1.876 = Severe
TGH reports that information of up to 1.2 million people may have been compromised in a cyberattack on the hospital that went on for over a week. Hospital officials confirmed that an unauthorized party accessed TGH’s network and stole data from its systems between May 12 and May 30, 2023. The Snatch ransomware group claims to hold 4 TB of compromised patient data. However, another up-and-coming ransomware group, Nokoyawa, has also added TGH to its dark web leak site. Stolen patient information may have included patients’ names, addresses, phone numbers, dates of birth, Social Security numbers, health insurance information, medical record and patient account numbers, dates of service and treatment information.
How It Could Affect Your Customers’ Business: Up-and-coming ransomware groups will try to pull off large or high-profile attacks to gain notoriety.
Kaseya to the Rescue: Credential compromise isn’t the only risk that businesses face from the dark web. Learn about five dark web dangers for businesses in this infographic. GET INFOGRAPHIC>>
George County, Mississippi
Exploit: Ransomware
George County, Mississippi: Regional Government
Risk to Business: 1.302 = Extreme
George County, MS is undertaking recovery efforts after a ransomware attack over the weekend. County officials said the trouble began when a county employee received a phishing message claiming that they needed to download an update; the “update” was actually ransomware. The attack began last Saturday night and continued into Sunday. The county confirms that its three servers are encrypted. In an interview, an official said that the attackers left behind a ransom note but did not name the gang or share the amount of the ransom demand. The U.S. Federal Bureau of Investigation and agencies from the State of Mississippi are assisting in the investigation.
How It Could Affect Your Customers’ Business: Governments and government agencies have been prime targets for ransomware attacks and need to take precautions to reduce risk.
Kaseya to the Rescue: Learn more about how our Security Suite can help MSPs protect their clients from expensive and damaging cyberattacks and other information security trouble. GET THE FACT SHEET>>
1st Source Corporation
https://uk.sports.yahoo.com/news/1st-source-says-450-000-191428238.html
Exploit: Hacking
1st Source Corporation: Financial Services
Risk to Business: 2.149 = Severe
1st Source Corp has fallen victim to the MOVEit exploit. The lender said on Monday that about 450,000 records had been exposed in the incident. The bank told the Maine Attorney General’s Office that attackers may have accessed individuals’ names, dates of birth, SSNs, driver’s license or state identification card numbers, and other government identification numbers. Affected individuals are being offered identity monitoring services.
How It Could Affect Your Customers’ Business: Obtaining names and social security numbers enables bad actors to facilitate identity theft.
Kaseya to the Rescue: Learn more about the dark web economy and see how data like this gets bought and sold on the dark web in The IT Professional’s Guide to the Dark Web. DOWNLOAD IT>>
Imagine360
https://cybernews.com/security/imagine360-data-breach/
Exploit: Ransomware
Imagine360: Health Plan Solutions Company
Risk to Business: 1.637 = Severe
Imagine360 has also fallen victim to Cl0p’s MOVEit hacking campaign. The company said it experienced a data breach that it first noticed in its Citrix environment and that was traced back to MOVEit. In the January incident, sensitive files were copied by bad actors. Compromised information about policyholders includes names, medical information, health insurance information and Social Security numbers. According to a data breach notification filed with Maine’s Attorney General’s Office, the incident has affected over 130,000 customers.
How It Could Affect Your Customers’ Business: Healthcare data can contain several data types, making it especially attractive to bad actors.
Kaseya to the Rescue: Our eBook How to Build a Security Awareness Training Program helps IT professionals design and implement an effective training program quickly. DOWNLOAD IT>>
PokerStars
https://www.jdsupra.com/legalnews/pokerstars-confirms-moveit-data-breach-8718130/
Exploit: Hacking
PokerStars: Gaming Platform
Risk to Business: 1.766 = Severe
TSG Interactive US Services Limited, the U.S.-registered company behind the popular gambling platform PokerStars in the U.S., has begun notifying users of a data breach caused by the MOVEit file transfer exploit. The company said that the data was taken between May 30 and May 31, 2023. Personal user details, including names, addresses and Social Security numbers belonging to an estimated 110,291 people, were exposed.
How It Could Affect Your Customers’ Business: Companies need to take smart precautions now to minimize their risk of trouble from zero-day exploits.
Kaseya to the Rescue: See how the solutions in Kaseya’s Security Suite help IT professionals minimize risk, avoid cyberattacks and build a cyber-savvy workforce. WATCH THE WEBINAR>>
Charter Oak Federal Credit Union
https://www.wtnh.com/news/connecticut/charter-oak-bank-website-back-online-after-cyber-attack/
Exploit: Hacking
Charter Oak Federal Credit Union: Financial Institution
Risk to Business: 1.707 = Severe
Connecticut-based Charter Oak Federal Credit Union was forced to shut down operations on a busy Friday after being hit by a cyberattack. Officials said that the credit union shut down its IT systems, access to its website and its online banking portal on Friday because of the attack. The credit union’s 80,000 members can only bank in person or by phone. The U.S. Federal Bureau of Investigation and the National Credit Union Administration are involved in the investigation.
How It Could Affect Your Customers’ Business: The financial services and banking sector has been pummeled by cybercriminals for the last few years.
Kaseya to the Rescue: Follow the path to see how Managed SOC defends businesses from cyberattacks efficiently and effectively without breaking the bank in a handy infographic. GET IT>>
Norway – TOMRA
https://www.theregister.com/2023/07/18/tomra_cyberattack/
Exploit: Ransomware
TOMRA: Mining & Recycling
Risk to Business: 1.713 = Severe
Norwegian mining and recycling giant TOMRA says it has shut down and isolated some systems after a cyberattack. The attack began on July 16, impacting internal IT services and some back-office applications, and potentially causing supply chain management problems. TOMRA’s office locations are offline, with staff working remotely. The company’s reverse vending machines and non-mining divisions like Recycling and Food are also experiencing intermittent difficulties, but the bulk of the damage appears to be in the company’s mining operations. TOMRA said it is working with external specialists to resolve the situation.
How It Could Affect Your Customers’ Business: Industrials have been facing increased risk of cybersecurity trouble and increased threats to operational technology (OT).
Kaseya to the Rescue: In today’s volatile cybersecurity landscape, insurers are requiring businesses to have certain solutions in place. See how Datto EDR satisfies insurance requirements. LEARN MORE>>
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
Risk scores for The Week in Breach are calculated using a formula that considers a range of factors for each incident.
Take a Look at the Benefits of Datto EDR with Ransomware Rollback
Datto EDR is an easy-to-use, advanced endpoint detection and response solution that detects evasive cyberthreats quickly, enabling timely response and remediation before damage is done. Ransomware Detection is an included feature with Datto EDR. This must-have monitors for the existence of crypto-ransomware on endpoints by using proprietary behavioral analysis of files.
Now, another unbeatable feature is available, and it’s also included with Datto EDR: Ransomware Rollback. With one click, instantly revert files to their original state after a ransomware attack and ensure normal business operations are up and running without any loss of time, money or data.
Dive into the details of Ransomware Rollback in the datasheet. GET THE DATA SHEET>>
Learn more about this amazing new feature in this blog post. LEARN MORE>>
3 Guides to the State of Cybercrime Right Now
The Mid-Year Cybercrime Report 2023: Take a look at six notable breaches and cybercrime trend data from the first half of 2023 to be ready for the next half. DOWNLOAD IT>>
What Phishing Tricks Do Employees Fall For?: We crunched a year’s worth of BullPhish ID phishing simulation data to show you the phishing lures that employees fell for the most. MSPs, share this infographic with your clients! DOWNLOAD IT>>
Top Phishing Scams Employees Fall for Webinar: See real-life phishing scams that have cost businesses a fortune and the phishing simulations that employees are falling for. WATCH IT>>
3 Cyberattacks Trending Right Now to Watch
Cyberattacks are something that every business has to worry about. Overall cyberattack rates climbed by 7% globally in Q1 2023, and when Q2’s data is tallied, that number is likely to be even bigger. While cyberattacks of all sorts are always a risk, some cyberattacks are trendier than others. In our Mid-Year Cybercrime Report 2023, we looked at the cybercrime landscape for H1 2023 and some of the cybercrime trends that we observed. Drilling down, we explored six cyberattack trends through real-life examples. Here are three examples of devastating cyberattack vectors that we expect to continue to cause trouble for businesses this year.
Cybercrime trend: Major service disruptions
Ransomware attacks on big, public-facing service providers are a cybercriminal favorite, and they’ve been busy in 2023. The February 2023 attack on TV and telecom service provider Dish Network is a fitting example of that tactic. In one fell swoop, bad actors knocked out television and phone service for a wide swathe of Americans. The goal here was to wring a large ransom payment out of the victim quickly while its customers were making noise about the service disruption, impacting the company’s reputation.
Victim: Dish Network
Date of initial report: March 7, 2023
Exploit: Ransomware
At the time we wrote: Major U.S. satellite television provider Dish Network has been knocked off the air by a suspected ransomware attack. Customers first noticed the service outage last Thursday and the problem persisted through the weekend. The outage appears to affect most parts of the company, including online bill payment services, customer service and Boost Mobile, the prepaid wireless carrier Dish acquired in 2020. Dish has not made a formal statement about the incident and no ransomware group has claimed responsibility.
The aftermath: Beyond the multi-day service outage that drew unflattering press attention, Dish Network has had other major problems to contend with as a result of this incident. The company’s investigation uncovered an estimated 300,000 customers had their personal data stolen in the attack. Dish subsequently told customers it did not have evidence that their stolen data had been misused; instead, the company said that it had received assurance that the data was deleted. This points to the unfortunate likelihood that Dish paid the ransom. The company is also facing a bevy of class-action lawsuits from investors.
Cybercrime trend: Zero-day exploits
Bad actors are always looking for new ways to penetrate a target’s security to obtain access to its systems and data. They often find that opening by taking advantage of a previously unknown, unpatched vulnerability; an attack that abuses such a flaw before a fix is available is called a zero-day exploit. One of this year’s widest cyberattack sprees is a prime example of exactly how powerful and damaging a zero-day exploit can be. Cl0p, a major ransomware gang, was able to leverage a zero-day vulnerability in Fortra’s GoAnywhere managed file transfer (MFT) software to perpetrate hundreds of attacks against organizations and government agencies across the globe, including Hitachi Energy in Switzerland.
Victim: Hitachi Energy
Date of initial report: March 21, 2023
Exploit: Hacking
At the time we wrote: Hitachi Energy is the latest company to admit that they fell victim to an attack by the Cl0p ransomware group. The gang has been on a spree, exploiting a zero-day vulnerability in Fortra’s GoAnywhere MFT software. Cl0p claims to have breached more than 100 organizations through the vulnerability. California-based digital bank Hatch Bank, healthcare provider Community Health Systems and cybersecurity firm Rubrik have publicly admitted to being hit in that wave of attacks. Hitachi said that the incident may have resulted in the exposure of employee personal data but not consumer data, and that its network operations were not impacted.
The aftermath: The security flaw, categorized as high-severity, is being tracked as CVE-2023-0669. The vulnerability gave attackers the ability to remotely execute code on unpatched GoAnywhere MFT instances whose administrative console was exposed to the internet. Fortra released a patch for the issue in version 7.1.2 of the software in February 2023, but not fast enough to outrun the bad guys, who had been exploiting it as a zero-day since around January 18. Cl0p has claimed responsibility for 130 ransomware attacks carried out through exploitation of the vulnerability, including hits on the City of Toronto, Community Health Systems (one of the largest health systems in the United States), Investissement Québec and Rio Tinto (the world’s second-largest metals and mining corporation).
Right now: This scenario is once again playing out on a much larger scale as the MOVEit exploit continues to haunt businesses and provide the Cl0p ransomware gang with a steady stream of targets. As of press time, they’ve snagged more than 350 organizations in their net from a variety of sectors including government, retail and transportation. We’ll stay with the story as it continues to develop, and bring you an in-depth analysis soon.
Cybercrime trend: Attacks on business service providers
Ransomware groups face increasing legal pressure around the world, spurring some cybercriminals to carefully plan strategic attacks to get maximum benefit for the risk. Business service providers are prime targets for those attacks. Unfortunately, attacks on service providers can lead to a cascade of negative consequences for their customers. That is illustrated in one of the biggest breaches so far in 2023 at Capita, a U.K. pension services company. Ultimately, the impact of this breach was felt widely by businesses, government agencies and their employees as well as consumers across the United Kingdom.
Victim: Capita
Date of initial report: April 4, 2023
Exploit: Ransomware
At the time we wrote: London-based business services giant Capita has disclosed that it has been hit by a cyberattack that has caused disruption to some of its internal processes. The company said in a statement that the cyberattack primarily impacted access to internal Microsoft 365 applications and some online services for customers for about three days. Capita serves dozens of high-profile clients in the UK including the NHS and the military.
The aftermath: So far, the investigation has revealed that hundreds of thousands of people had their personal information exposed in this incident. At the time of the incident, Capita provided pension administration services to the largest private pension program in the United Kingdom, the Universities Superannuation Scheme (USS), with 470,000 members. Capita also provided services for other major pension schemes, including those of Marks and Spencer, Diageo, Unilever and Rothesay. The company said in mid-May that it expected to incur costs of up to $25 million to resolve the incident. The Black Basta ransomware group initially claimed responsibility, threatening to sell Capita’s data. However, the gang has removed Capita from its dark web leak site, an indication that Capita may have paid the ransom.
Kaseya’s Security Suite Features the Right Tools to Manage Risk & Stop Cyberattacks
Get powerful protection and must-have tools for keeping businesses out of cybersecurity trouble with Kaseya’s Security Suite.
Dark Web ID — Our award-winning dark web monitoring solution is the channel leader for a good reason: it provides the greatest amount of protection around with 24/7/365 human and machine-powered monitoring of business and personal credentials, including domains, IP addresses and email addresses.
BullPhish ID — This effective, automated security awareness training and phishing simulation solution provides critical training that improves compliance, prevents cyberattacks and reduces an organization’s chance of experiencing a cybersecurity disaster by up to 70%.
Graphus — Automated email security is a cutting-edge solution that puts three layers of AI-powered protection between employees and phishing messages. It works equally well as a standalone email security solution or supercharges your Microsoft 365 and Google Workspace email security.
Kaseya Managed SOC powered by RocketCyber — Our managed cybersecurity detection and response solution is backed by a world-class security operations center that detects malicious and suspicious activity across three critical attack vectors: endpoint, network and cloud.
Datto EDR — Detect and respond to advanced threats with built-in continuous endpoint monitoring and behavioral analysis to deliver comprehensive endpoint defense (something that many cyber insurance companies require).
July 26: Combatting Advanced Threats with Datto EDR and Managed SOC REGISTER NOW>>
July 27: Cybersecurity Round Table: Cyber Insurance 101 REGISTER NOW>>
August 3: Kaseya + Datto Connect Local Doral Miami REGISTER NOW>>
August 15: Kaseya + Datto Connect Local Detroit REGISTER NOW>>
August 17: Kaseya + Datto Symposium Long Branch REGISTER NOW>>
August 22: Kaseya + Datto Connect Local Kansas City REGISTER NOW>>
August 29: Kaseya + Datto Connect Local San Diego REGISTER NOW>>
September 14: Kaseya + Datto Connect Local San Antonio REGISTER NOW>>
September 21: Kaseya + Datto Connect Local Nashville “Building the Business” Series REGISTER NOW>>
September 26: Kaseya + Datto Connect Local Sugarland Sales & Marketing Series REGISTER NOW>>
September 28: Kaseya + Datto Connect Local Charlotte REGISTER NOW>>
October 2 – 4: Kaseya DattoCon in Miami REGISTER NOW>>
November 14 – 16: Kaseya DattoCon APAC REGISTER NOW>>