Week in Breach 2022 Review

Risk to Business: 1.227=Extreme

School website services provider FinalSite has suffered a ransomware attack that disrupted access to websites for thousands of schools worldwide. FinalSite provides solutions for over 8,000 K – 12 schools and universities in 115 countries. School districts that hosted their websites with FinalSite found that they were no longer reachable or were displaying errors. Bleeping Computer reports that in addition to the website outages the attack prevented schools from sending closure notifications due to weather or COVID-19. FinalSite says that approximately 5,000 school websites went offline as a result of the ransomware attack and no data was stolen. An investigation is ongoing. 

Risk to Business: 1.204= Extreme

A threat actor has stolen approximately $80 million from Qubit Finance after exploiting a flaw in the De Fi platform. Qubit said the attacker was able to steal 206,809 Binance coins (BNB) from its wallet on January 27, 2022. The hacker used a vulnerability in one of its Ethereum blockchain contracts to do the deed. The company has issued a public plea for the threat actor to return the stolen funds, asking them to get in contact with its team to “disclose the bug and receive a bounty reward”. This is sometimes used as a means of circumventing legal trouble for paying a ransom.

Risk to Business: 1.661=Severe

An estimated 10 thousand people found themselves without internet access after a cyberattack took down service to fixed broadband customers in Ukraine and elsewhere on its European KA-SAT network. The attack, starting about the same time as the Russian invasion of Ukraine, is suspected to be the work of Russia-aligned nation-state threat actors. No data was accessed or stolen in the incident, which is still under investigation.

Risk to Business: 1.271 = Extreme

The Conti group has claimed responsibility for a ransomware attack on the federal government of Costa Rica that has caused trouble in several government agencies for more than a week. Government ministries impacted include Finance, experiencing impacts in customs and tax collection, Labor and the social security agency’s human resources system. Conti’s extortion site claims that the group has published 50% of the stolen data including more than 850 gigabytes of material from the Finance Ministry and other institutions’ databases. Reports say that the group has demanded a $10 million ransom, which the Costa Rican government has stated it will not pay.  

Risk to Business: 1.917 = Severe

A cyberattack at the National Bank of Zambia has played out with a bizarre twist. After experiencing a ransomware attack by the Hive ransomware outfit that purportedly encrypted the bank’s Network Attached Storage (NAS) device, officials responded to the cybercriminals’ ransom demands with a refusal to pay. Bloomberg reports that the refusal was accompanied by images of male genitalia and a message referencing a common NSFW insult about what the bad guys could do with their demands. In a statement, the bank said that it had experienced an incident that impacted some systems such as the Bureau De Change Monitoring System and the bank’s website.  

Risk to Business: 1.349 = Extreme

A major factory for Foxconn located in Tiajuana, Mexico near the California border was hit by a ransomware attack in late May that resulted in a shutdown. The plant specializes in the production of medical devices, consumer electronics and industrial operations. The operators of LockBit have claimed responsibility for the attack.  

Risk to Business: 1.780 = Severe

Handa Hospital in Tsurugi, Tokushima Prefecture, Japan has announced that it has been the victim of a ransomware attack. Investigators say that the October 2021 cyberattack occurred after a company that was involved in providing an electronic medical record system for the hospital had disabled anti-virus software on the hospital’s computers. Investigators laid out the chain of events and it is a lesson in security woes. Before the cyberattack occurred, the service provider configured the Windows settings of about 200 computers connected to the electronic medical record system to disable functions including anti-virus software and regular Windows updates because they made the electronic medical record system unstable. Investigators also determined that other circumstances contributed to the problem. Windows was never updated on the computers at the hospital and the hospitals’ VPN had never been updated. The investigation ultimately determined that the cybercriminals exploited defects in the hospital’s VPN device and made an unauthorized intrusion to have the ransomware infect the hospital’s system. 

Risk to Business: 1.772 = Severe

In this week’s most interesting breach tale, the city of Amagasaki, Japan has found itself embroiled in a data breach thanks to the actions of one careless worker. A contractor who was working for this city to disburse pandemic subsidies took a USB drive containing numerous city records out of the office. But rather than heading straight home, the worker decided to go out on the town. That resulted in the worker passing out in the street and losing the bag containing the USB and all that city data.

Individual Risk: 1.613 = Severe

The USB contained names, birth dates, addresses, tax details, banking information and social security records for city residents.  

Risk to Business: 1.102 = Extreme

Australia’s second-largest telecom Optus has been hit by a ransomware attack. One of the largest data breaches in Australian history, the incident impacts an estimated 10 million customers or about one-third of Australia’s population. A bad actor using the moniker “optusdata” claimed to be the force behind the attack and initially posted a ransom demand of $1.5 million as well as the personal data of about 10k people on a dark web forum. They’ve since withdrawn that post. Some news articles have pointed at an API interface configuration error as the access point for the bad guys, but that has not been confirmed. The incident is under investigation.

Risk to Business: 1.236 = Extreme

Customer data has been exposed including home addresses, drivers’ licenses, passport numbers. names, addresses, phone numbers, email addresses and individuals’ preferred pronouns. The company says that no financial or commercial account data was accessed.

Risk to Individual: 2.406 = Severe

Exposed taxpayer data includes names, contact information, and financial information about IRA income The exposed data did not include Social Security numbers, full individual income information, detailed financial account data, or other information that could impact a taxpayer’s credit.

Risk to Business: 1.361 = Extreme

Classified NATO documents belonging to the Armed Forces General Staff agency of Portugal (EMGFA) were spotted for sale on the dark web, leading the agency to discover that it had experienced a data breach. First spotted by US Information Services, hundreds of sensitive documents have apparently been snatched by bad actors. The documents were exfiltrated from systems in the EMGFA, in the secret military (CISMIL) and in the General Directorate of National Defense Resources. Investigators determined that security rules for the transmission of classified documents had been broken, and threat actors were able to access the Integrated System of Military Communications (SICOM) and receive and forward classified documents.

Risk to Business: 2.771 = Extreme

One of the largest healthcare systems in the US is experiencing outages impacting patient care after a suspected ransomware attack knocked some hospital systems offline. Subsidiaries of CommonSpirit have reported being affected by the attack including CHI Health facilities in Nebraska and Tennessee, Seattle-based Virginia Mason Franciscan Health providers, MercyOne Des Moines Medical Center, Houston-based St. Luke’s Health and Michigan-based Trinity Health System. The company disclosed that it has rescheduled some patient procedures because of an inability to access electronic medical records or lab results. Some hospitals are using paper charts. The company says it is working to restore systems and the incident is under investigation.