Weekly Cyber Risk Roundup: Instagram Bug May Affect Millions and FDA Recalls Vulnerable Pacemakers

Instagram was among the week’s top trending cybercrime targets due to both the company confirming a bug that may have leaked some users’ personal information and a malicious actor claiming that he is selling the personal data of six million Instagram users.


On August 28, Instagram’s most popular user, Selena Gomez, had her account hacked and used to spread nude photographs from 2015 of her ex-boyfriend Justin Bieber. Two days later, Instagram warned that a bug in the Instagram API had been used to steal some high-profile users’ personal information — which may have contributed to the Gomez account takeover.

“We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information — specifically email address and phone number — by exploiting a bug in an Instagram API,” the company said. “At this point we believe this effort was targeted at high-profile users so, out of an abundance of caution, we are notifying our verified account holders of this issue.”

However, that same day a malicious actor claiming to have scraped the personal data of six million Instagram users contacted Ars Technica and told the outlet that he or she was selling the data in a searchable website for $10 per query. The actor claimed to have learned of the vulnerability used to scrape the data in an IRC discussion — suggesting that the bug confirmed by Instagram may have a wider scope of impact than initially thought. An Instagram representative said company officials are aware of the claim and are investigating it. Researchers said the 10,000-record sample provider by the actor appears to be legitimate. Until Instagram clarifies the extent of the bug and the subsequent breach of personal information, Instagram users should assume that their associated email addresses and phone numbers may in the hands of malicious actors.


Other trending cybercrime events from the week include:

  • Numerous ransomware announcements: NHS Lanarkshire hospitals were disrupted by a Bitpaymer ransomware infection that resulted in the staff bank and telephone systems going offline, as well as the rescheduling of appointments. An employee of the German state parliament of Saxony-Anhalt opened a malicious attachment in a spear phishing email, leading to a ransomware infection that media said “crippled” the state parliament’s network. Dorchester School District 2 in South Carolina announced it paid $2,900 via its insurance coverage after 25 of the 65 servers for the district’s computer network were infected with ransomware. Medical Oncology Hematology Consultants, PA in Delaware said that a ransomware infection affected 19,203 patients. The Indiana accounting firm Whitinger & Company notified clients of a data breach and ransomware attack.
  • Insiders lead to lawsuits, data breaches: Allstate Insurance has filed a lawsuit against Ameriprise Financial accusing the company of attempting to steal confidential information by encouraging Allstate agents to create contact lists and download client data to use in soliciting clients once they quit and get hired at Ameriprise. Tewksbury Hospital in Massachusetts discovered unauthorized employee access to patients’ medical records that dated back to 2003 and is attempting to notify affected individuals that their information was compromised.
  • Organizations expose data: Researchers discovered an insecure backup device belonging to the London-based Bell Lomax Agency that exposed thousands of documents related to the company and its literary clients. MacKeeper researchers said anyone could access the documents, which included the Agency’s Quickbooks accounting files, archive email boxes, financial data, expenses, administrative details, royalties, and client details for 2014-2015. Major League Lacrosse is notifying all players that their information was accidentally available online due a link on its website that pointed to a spreadsheet containing data on every player in the league.
  • Other notable incidents: There have been multiple attacks against South Korean cryptocurrency exchanges, financial technology companies, and startups that use blockchain technology. CeX is notifying two million registered website customers that their information may have been accessed by an unauthorized third party. MacEwan University said that it was the victim of an $11.8 million wire transfer fraud after a series of fraudulent emails convinced university staff to change electronic banking information for one of the university’s major vendors. Swedish web hosting company Loopia said that hackers accessed parts of its customer database, including customer contact information and encrypted passwords. Zazzle is warning customers that their accounts may have been compromised due to brute-force attacks and is prompting customers to choose new passwords. Oklahoma City’s Tower Hotel is the latest in a growing number of hotels to announce being impacted by the breach of the Sabre Hospitality Solutions SynXis Central Reservations system. The hacking group OurMine used a domain spoofing attack to redirect visitors of WikiLeaks website to a page created by the group.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

2017-09-01_RiskScoresThe FDA has approved a firmware update for certain Abbott (formerly St. Jude’s) pacemakers to address cybersecurity vulnerabilities — essentially ordering a recall to correct the issues present in 465,000 implanted RF-enabled cardiac pacemakers.

“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical’s RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient’s physician) to access a patient’s device using commercially available equipment,” the FDA wrote in safety communication. “This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing.”

The firmware update follows a series of high-profile news stories regarding St. Jude dating back to 2016 when the healthcare cybersecurity company MedSec teamed up with the short selling firm Muddy Waters to disclose — and ultimately profit from — several remotely executable flaws in St. Jude pacemakers and defibrillators. A lawsuit, government alerts, and a January 2017 patch that many claimed fell short followed (the timeline is summarized well in this article from CSO Online).

The firmware update requires an in-person patient visit with a health care provider and takes approximately 3 minutes to complete. After installing the update, any device attempting to communicate with the implanted pacemaker must provide authorization to do so. The FDA asks affected patients to consult with their physicians about any risks associated with receiving the firmware update, which has “a very low risk of an update malfunction.”

In 2016, the FDA issued recommendations to manufacturers for continued monitoring, reporting, and remediation of medical device cybersecurity vulnerabilities.

Weekly Cyber Risk Roundup: Industroyer Malware and Fines for Delayed Breach Notification

Ukrainian power utility Ukrenergo was back in the news as the top trending cybercrime target after researchers analyzed new samples of a destructive malware, dubbed “Win32/Industroyer,” which they said was likely used in the December 2016 attack against the Ukrainian power grid.


“Industroyer is a particularly dangerous threat, since it is capable of controlling electricity substation switches and circuit breakers directly,” ESET researchers wrote. “To do so, it uses industrial communication protocols used worldwide in power supply infrastructure, transportation control systems, and other critical infrastructure systems (such as water and gas).”

The Industroyer malware uses four payload components designed to gain control of switches and circuit breakers, with each component targeting a particular communication protocol: IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OLE for Process Control Data Access (OPC DA). The malware is notable as it “is capable of doing significant harm to electric power systems and could also be refitted to target other types of critical infrastructure.”

Hackers may have hidden in Ukrenergo’s IT network undetected for six months before carrying out their December 2016 attack, which led to a power blackout in Kiev that lasted a little over an hour. Although it’s not confirmed, it is “highly probable” that Industroyer was used in that incident. The Ukrenergo attack occurred a year after a similar attack against Prykarpattyaoblenergo, which caused approximately 230,000 people to lose power. Researchers have warned that both of those incidents in Ukraine could be tests for potential attacks against Western countries’ critical infrastructure facilities in the future.


Other trending cybercrime events from the week include:

  • FIN10 targeted mining companies and casinos: A financially-motivated hacking group known as FIN10 spent at least three years infiltrating computers at several unnamed Canadian mining companies and casinos, stealing sensitive data, and then holding it for ransom. According to researchers, the attacks targeted sensitive files such as corporate records, private communications, and customer information, and the ransom demands ranged between 100 and 500 bitcoin. The hackers were also able to essentially shut off the production systems of some mines or casinos that did not comply, making them unable to operate for a period of time.
  • Updates on previously disclosed attacks: The attackers behind the 2015 attack against TV5Monde conducted reconnaissance inside the TV5Monde network for three months before launching a sabotage operation that knocked multiple channels offline and compromised multiple social media accounts. France’s national cybersecurity agency said that the attackers used a compromised third-party account that allowed them to connect to the TV5Monde VPN and that once they were inside the network they used one of two camera-control servers as a beachhead for privilege escalation. The agency also noted that the attackers were able to create their own admin-level account in Active Directory and used the IT department’s wiki to gain information. GameStop is notifying an undisclosed number of online customers that their payment card details were stolen between August 10, 2016 and February 9, 2017. The breach was acknowledged by GameStop in April, but the company only recently began notifying affected customers. Cowboys Casino in Alberta said that data stolen from a breach last year has been posted online and that the hackers are threatening to post more data next week. WikiLeaks’ latest dump of CIA documents is CherryBlossum, a project that is focused on compromising wireless networking device.
  • Universities targeted: Southern Oregon University said it sent $1.9 million to a malicious actor impersonating Andersen Construction, a contractor that is working on the McNeal Pavilion and Student Recreation Center construction project. University College London said that a major ransomware attack occurred on June 14 and disrupted access to a number of users’ personal and shared drives for several days after UCL users visited a compromised website. Ulster University in Northern Ireland was infected with ransomware that affected a “significant number of file shares” due to a “zero day attack.” The initial attack occurred on June 14, and the university said it believes they are will be in a position to restore the file share service by late morning on June 19.
  • Other notable incidents: A database containing the personal information of 6 million users of online survey site CashCrate was stolen by hackers due to an apparent compromise of third-party forum software. A developer at Tata Consultancy Service in India posted the source code and internal documents for a number of unnamed financial institutions to a public GitHub repository. Italy’s data protection authority said that Wind Tre, the country’s biggest mobile operator in terms of mobile SIMs, must notify customers of a March 20 data breach that affected 5,118 customers. A hacker pleaded guilty to the 2014 theft of hundreds of user accounts from a U.S. military communications system, an intrusion that the Department of Defense said cost $628,000 to fix.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.



Cyber Risk Trends From the Past Week

2017-06-16_RiskScoresNew York’s attorney general Eric Schneiderman announced last Thursday that CoPilot Provider Support Services must pay $130,000 in penalties as well as reform its legal compliance program over violations related to delayed notification of a breach.

According to the attorney general, an October 2015 data breach of CoPilot’s website administration interface, PHPMyAdmin, allowed an unauthorized user to download reimbursement-related records for 221,178 patients, including their names, genders, dates of birth, addresses, phone numbers, and medical insurance card information. However, CoPilot did not begin formally notifying affected consumers until January 2017, more than a year after the incident occurred — an “unacceptable”  violation of New York law.

“Although CoPilot asserted that the delay in providing notice was due to an ongoing investigation by law enforcement, the FBI never determined that consumer notification would compromise the investigation, and never instructed CoPilot to delay victim notifications,” New York’s attorney general wrote. “General Business Law § 899-aa requires companies to provide notice of a breach as soon as possible, and a company cannot presume delayed notification is warranted just because a law enforcement agency is investigating.”

In January, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) issued a $475,000 fine to Presence Health for similar reasons. OCR said that it was the agency’s first HIPAA settlement based on the untimely reporting of a breach of unsecured protected health information and that the settlement amount “balanced the need to emphasize the importance of timely breach reporting with the desire not to disincentive breach reporting altogether.”

That regulatory scrutiny may get more intense with the enforcement of the EU’s General Data Protection Regulation (GDPR) next year. The GDPR requires companies notify the appropriate authorities of a breach within 72 hours of discovery if that company collects, stores, or processes personal data for people residing in the EU. As SearchSecurity noted last month, that could force a change for the better when it comes to prompt breach notification by companies since the monetary penalties associated with violating the GDPR are much harsher than the current regulations.

Weekly Cyber Risk Roundup: Internet of Things Sparks Security Concerns

There has been growing concern around distributed denial-of-service (DDoS) attacks this week as the source code for the Internet-of-Things (IoT) driven botnet “Mirai” has been publicly released by a user on Hackforums. The Mirai botnet has been tied to the recent massive DDoS attack against Brian Krebs website and is made up of a growing number of Internet-connected devices.

2016-10-07_ITT.pngThe botnet includes a variety of compromised home and small office items such as routers, DVRs and security cameras – many of which use default usernames and passwords. The IoT devices are aimed at users often more concerned about convenience than security, and as Brian Krebs pointed out, even if users do take steps to secure devices by changing default credentials the malware may still spread.

Cybercriminal actors may use botnets like Marai to create more powerful DDoS attacks against industries that are traditionally vulnerable to extortion, such as gaming and ecommerce, but the Marai source code release also empowers actors looking to disrupt organizations for ideological or political reasons. For example, Newsweek alleged it was the victim of such an attack this week when its website was hit with a DDoS attack after publishing a story claiming that one of Donald Trump’s companies violated the Cuba trade embargo in 1998. In part due to that attack, consumer publishing was the most discussed industry group associated with cybercrime over the past seven days.

With Marai added to the growing list of free tools available to actors, expect to see more DDoS attacks like the ones against KrebsOnSecurity and Newsweek, which appear to be aimed at silencing or punishing critics.


Other trending cybercrime events from the week include:

  • Another week, another list of companies hit with ransomware: Cloud service provider VESK paid £18,600 after being infected with a new strain of the Samas DR ransomware. The New Jersey Spine Center paid an undisclosed amount after a July CryptoWall attack encrypted all electronic medical records and the most recent backup as well as disabled the phone system. The forest department of the state government of Kerala in India was infected with ransomware known as RSA-4096. Urgent Care Clinic of Oxford is notifying patients that their data may have been compromised by what appears to be a ransomware attack. A “glitch” after a ransomware attack led the Marin Healthcare District and Prima Medical Foundation to notify more than 5,000 patients that some of their medical data has been lost, even though they paid the ransom.
  • Data exposed through mistakes and flaws: C&Z Tech Limited acknowledged that a database of more than 1.5 million user records was exposed online, but said that the leak was from a test database; however, ZDNet disputes that claim, writing that their own verification of the data found “no reason to believe that this is test or dummy data.” Census data on 96,000 employees of the Australian federal government was downloaded nearly 60 times before being removed from official websites.  A vulnerability discovered in the Charter Communications website could have exposed the personal information of customers. Customers of Ottawa marijuana dispensary chain Magna Terra Health Services had their email addresses exposed when an employee sent an email with 470 of their customers cc’d.
  • Alleged political dumps, both old and new: A hacker who goes by the name Guccifer 2.0 published an 860-megabyte file of donor information allegedly stolen from the Clinton foundation servers; however, a variety of news outlets have reported that the data appears to actually be from a previous hack of the Democratic Congressional Campaign Committee and the Democratic National Committee. Berat Albayrak, Turkey’s Energy Minister and son-in-law of President Erdoğan, is the week’s second highest trending new target (after Newsweek) on the heels of hacking group RedHack leaking 17 gigabytes of data, which the group said was stolen by discovering Albayrak’s mobile operating system, writing an exploit to steal his password, and gaining access to his iPad after several weeks of attempts.
  • More data breach announcements: Hutton Hotel is notifying customers of a payment card breach affecting guests who placed hotel reservations during the period from September 2012 to April 2015, as well as those who made purchases at the onsite food and beverage outlets from November 2015 to June 2016. Hackers gained access to computer systems at Wheeler & Egger, CPAs and used the information to fraudulently file 45 tax returns. Apria Healthcare, a provider of home respiratory services and other medical equipment, is notifying patients that an employee’s email account was compromised.
  • Out with the old hacktivists, in with the new: Federal authorities in Chicago have charged two suspected members of the hacking group Lizard squad for operating DDoS-for-hire websites. Although Lizard Squad has been quiet of late, other hacking groups continue to disrupt organizations. For example, OurMine defaced and deleted several articles on the BuzzFeed website in retaliation for a story claiming to have identified one of the group’s members as a Saudi teen called “Ahmad Makki.”

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Insulin Pump Vulnerability and Other Advisories

The focus on IoT devices was prevalent throughout SurfWatch Labs’ data this week. In addition to all of the botnet-related discussion, Johnson & Johnson announced that a security vulnerability in its Animas OneTouch Ping insulin pump that could be exploited to overdose diabetic patients with insulin.

2016-10-07_advisoriesThe Reuters story cited medical device experts who claim this is the first time a manufacturer has issued such a warning to patients about a cyber vulnerability in their devices; however, the company’s letter to patients described the risk as “extremely low.”

“It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network,” the letter said.

The issue, which was discovered by Rapid7 researcher Jay Radcliffe, is that a hacker can spoof communications between a wireless remote control and the insulin pump since that communication is not encrypted. About 114,000 patients use the device in the United States and Canada.

The company said that if patients were concerned, they could stop potential attacks by discontinuing use of the wireless remote control and programming the pump to limit the maximum insulin dose. Johnson & Johnson said it first reviewed the vulnerability with the FDA, which issued draft guidance on managing cybersecurity vulnerabilities in medical devices in January.


Other noteworthy advisories and cybercrime news from the week include:

  • 68 million stolen Dropbox credentials published online: The previously stolen database of more than 68 million user records has been published online by Thomas White on his I’m Cthulhu blog. Nearly half of the passwords are secured with the strong hashing function bcrypt, Motherboard wrote. The other half appear to use the older SHA-1 algorithm. The publication adds to the already massive list of now-public user credentials.
  • Vulnerability discovered in OpenJPEG: Cisco Talos researchers have disclosed a zero-day vulnerability in the jpeg2000 image file format parser as implemented in the OpenJpeg library. The vulnerability can lead to an attacker executing arbitrary code. “For a successful attack, the target user needs to open a malicious jpeg2000 file,” the researchers wrote. “The jpeg2000 image file format is mostly used for embedding images inside PDF documents and the OpenJpeg library is used by a number of popular PDF renderers making PDF documents a likely attack vector.”
  • Users report suspected malvertising on Spotify: Users of Spotify’s free desktop streaming service are reporting strange behavior that is suspected to be related to malvertising. “If you have Spotify Free open, it will launch – and keep on launching – the default internet browser on the computer to different kinds of malware/virus sites. Some of them do not even require user action to be able to cause harm,” wrote one user. “I have 3 different systems (computers) which are all clean and they are all doing this, all via Spotify – I am thinking it’s the Ads in Spotify Free. I hope this has been noticed and Spotify staff are fixing it – fast.”
  • TalkTalk fined £400,000 over data breach: The UK’s Information Commissioner’s Office (ICO) has issued a record £400,000 fine to TalkTalk over a data breach that “could have been prevented if TalkTalk had taken basic steps to protect customers’ information.” In October 2015, a hacker used SQL injection to access the personal data of 156,959 customers including their names, addresses, dates of birth, phone numbers and email addresses. In more than 15,000 cases, bank account details and sort codes were also compromised. “The data was taken from an underlying customer database that was part of TalkTalk’s acquisition of Tiscali’s UK operations in 2009,” the ICO said. “TalkTalk failed to properly scan this infrastructure for possible threats and so was unaware the vulnerable pages existed or that they enabled access to a database that held customer information.”

SurfWatch Labs collected data on a variety of cybercrime advisories over the past week. Some of the trending practice tags associated with those advisories are shown in the chart below.


Short Selling Vulnerabilities Latest in String of Stock Market Manipulation

Medical device company St. Jude filed a lawsuit yesterday against Muddy Waters and MedSec Holdings over a “false” report about cybersecurity issues in St. Jude’s cardiac devices. The August report caused the company’s stock to drop more than ten percent on the heels of those allegations and raised questions around a pending $25 billion deal to be acquired by Abbott Laboratories.

The heart of the issue is that MedSec Holdings, which discovered the alleged flaws, did not disclose them to St. Jude; rather, they took their findings to short-selling firm Muddy Waters in order to short St. Jude stock and turn a profit from the public disclosure.

MedSec contacted Muddy Waters with the proposal to short St. Jude stock after spending 18 months doing research and not generating any revenue, CEO Justine Bone said. Money made from shorting the stock will help finance development of secure medical device technology.

In its lawsuit, St. Jude said, “This insidious scheme to try to frighten and confuse patients and doctors by publicly disseminating false and unsubstantiated information in order to gain a financial windfall and thereby cause investors to panic and drive the St. Jude stock price down must by stopped and defendants must be held accountable so that such activity will not be incentivized and repeated in the future.”

The public battle has been at the center of an ongoing debate over the past two weeks — once again putting the issue of manipulating the stock market via cyber front and center.

Malicious Actors Profit From Stock Market

It’s no secret that malicious actors seek similar types of non-public information that can be used to leverage big profits in the stock market.

Perhaps the most famous recent case involves the theft of press releases from various newswire services. According to an August 2015 complaint filed by the Securities Exchange Commission (SEC), hackers gained access to the services, stole more than 100,000 press releases for publicly traded companies, and then used that information – often quarterly or annual earnings data – to reap over $100 million in unlawful profits.

As we noted in our 2015 Cyber Risk Report, the hackers worked with a network of traders to capitalize on the window between when a draft of a press release was provided and when it was made available to the public. In some instances that window was only a few minutes, but having that knowledge was extremely profitable, as the SEC complaint demonstrated.

By using non-public earnings information, the network of traders listed above were able to generate millions of dollars in profits through illegal trades.

Additionally, last summer reports of the hacking group Fin4 breaking into corporate email accounts to steal mergers and acquisitions data sparked the SEC to approach companies about possible breaches.

“The SEC is interested because failures in cybersecurity have prompted a dangerous, new method of unlawful insider trading,” John Reed Stark, a former head of Internet enforcement at the SEC, told Reuters.

Other cybercriminals have used less sophisticated methods to manipulate stock prices.

In July Gery Shalon, 32, and Ziv Orenstein, 41, were extradited from Israel and pled not guilty to charges that included a breach at JPMorgan Chase, which authorities described as the  “largest theft of customer data from a U.S. financial institution in history.” The stolen contact information was used to send deceptive communications in order to inflate stock prices, a practice known as pump and dump.

First, they would execute prearranged manipulative trades to cause the stock’s price to rise small amounts on successive days. Then they would send spam emails — sometimes millions a day — touting the stock. Finally, after artificially pumping up the price, they would dump their shares of the stock for huge profits.

A New White-Hat Shorting Strategy

While cyber-experts have long-pointed to the massive profits criminals can make from combining cyber-attacks with strategies such as shorting, the move towards white-hat hackers doing the same thing has created some concern.

MedSec CEO Justine Bone said she knows the approach they used will lead to criticism, but that it was the most powerful way to inflict pain on St. Jude over the company’s “negligent level of attention to cybersecurity.”

Although many companies have implemented bug bounties in an effort to encourage researchers and other hackers to disclose vulnerabilities in a responsible manner, those programs often don’t come with big payouts or spur the change desired by the person who disclosed the bug. Those players may attempt to copy the MedSec strategy — resulting in more profits and more public pressure to respond to alleged vulnerabilities. That gives yet another reason for investors to be concerned over potential cyber issues.

Medical device consultants Billy Rios and Jonathan Butts told Bloomberg that traders were clearly blindsided and scrambling over this new idea, having been inundated with requests from hedge funds, short sellers and other investors about the Muddy Waters report.

“This is almost like The Big Short,” Butts said. “Someone saw something that nobody else did.”

Banner Health Data Breach Leads to Series of Class Action Lawsuits

Earlier this month, Banner Health announced a data breach affecting approximately 3.7 million people. Since then, a series of class action lawsuits have been filed against the healthcare provider.

The breach involved two separate attacks, Banner Health said. The first targeted payment cards used at food and beverage outlets across some Banner Health locations. The second targeted patient, insurance, and provider information.

The sensitive healthcare information that was stolen is what sets this case apart from other recent data breach lawsuits, said Michella Kras, of counsel, Hagens Berman Sobol Shapiro. Kras is one of the attorneys working on the Banner data breach case filed by the firm, which she discussed on this week’s Cyber Chat podcast.

Hagens Berman Sobol Shapiro filed the class action lawsuit on behalf of Howard Chen, an Arizona doctor whose information was stolen in the breach.

“Dr. Chen’s personal information was compromised in three different ways: as an employee, insurance customer, and health provider,” the lawsuit states. “Dr. Chen is concerned that as a result of Banner’s conduct, his personal information, provider information, and health information is vulnerable to use by third parties.”

Banner Health has offered one-year of free credit monitoring to those affected by the breach, but that’s not enough, said Kras, who estimated Banner Health may pay $6 per person for the service.

“That’s not much of an incentive for them to change their practices because that’s such a small amount to a company that big,” Kras said. “It needs to be something greater than that to spur them to make changes.”

Listen to the podcast for more on Banner Health, class action lawsuits in general, and what companies can do to limit their liability.


Healthcare Databases for Sale on Dark Web, but What Else is Being Sold?

The recent theft and potential sale of various healthcare databases has once again put the sector at the forefront of cybercrime — and makes many wonder how their information is affected by criminal activity on the dark web. While healthcare-related data is not nearly as prevalent on the dark web as other sectors like financial services, SurfWatch Labs has observed a variety of items being offered up for sale in addition to this week’s headline-making healthcare databases.

As previously noted, common threat intelligence found on the dark web includes compromised credentials, stolen financial information, stolen intellectual property, threats stemming from an organization’s supply chain, and information on a wide range of hacking services and other cybercrime tools. These same categories also apply to healthcare organizations.

Over the past year SurfWatch Labs has observed direct healthcare breaches, third-party breaches that have impacted healthcare organizations’ employee accounts, fraudulent prescriptions, and other healthcare-related cyber threats.

What’s Being Sold on the Dark Web Now?

This week, several healthcare databases were put up for sale on the dark web by an actor going by the name “TheDarkOverlord” — along with a hefty price tag for that information.

On Monday, after previously posting three different databases that contain names, addresses, Social Security numbers, birth dates and some phone numbers of 655,000 individuals, the hacker told the Daily Dot that he was sitting on a “large” number of other databases. On Tuesday he followed through on that claim, adding for sale a database of 34,000 records from a New York Clinic as well as a health insurance database with 9.3 million patients, which he said was stolen using a zero-day vulnerability “within the RDP protocol that gave direct access to this sensitive information.” On Wednesday he again made headlines by naming one of the companies breached, Midwest Orthopedic Clinic in Farmington, Missouri, and said that the owner “should have just paid up to prevent this leak from happening.”

According to the post, the 2GB file contains 9,278,352 records and is selling for 750 bitcoin (around $485,000), a far higher price than is typical for items sold via dark web markets.

A posting of more than 9 million records is on the extreme end of the price spectrum, and it could be that the actor is trying to spin up some media attention in order to better extort potential victims or drive future sales — if he is indeed sitting on many more databases to sell.

More typical of the type of healthcare-related information found for sale on the dark web is counterfeit documents and other identity information that can be used for different types of fraudulent purposes, including but not limited to medical. Although this information does not sell for hundreds of thousands of dollars and make national headlines, it is much more prevalent.

For example, fraudulent medical cards from around the world are available for approximately a few hundred dollars.

In the posting below, a vendor is selling a Quebec Medicare card template for $700. “Why is it so good?” the vendor asks rhetorically. “Because it has the latest security features, and is a valid photo ID. Most places will trust the Medicare [card] before they trust the DL [driver’s license] because almost no one makes them.”

The vendor is also selling driver’s license templates, but fraudulent Medicare cards are an easier option for the buyer, he wrote. With this card, all the buyer needs is a hologram overlay (which he conveniently also sells) and an embosser.

Likewise, non state-sponsored health cards are available. The listing below, from a now-defunct dark web marketplace, is selling a U.S. health insurance card for $40.

Why? “These are to provide proof that you have health insurance in the United States,” the seller wrote, adding that an insurance card like the one provided is an excellent way to round out a fake identity. “If a fake ID is questioned, this can be pulled out to back it up and eliminate any question. [It] may save you. In addition it may be used as a secondary form of ID to open up a PO box under a false identity.”

Insurance cards like the one for sale here have a variety of cybercriminal uses ranging from direct medical identity theft to verification purposes in order to perpetrate other forms of fraud.

Some items for sale on the dark web leverage physicians’ identities. The posting below is from a vendor who is currently selling a signed California drug prescription form from a medical group with six different doctors. “These are REAL doctors Rx Scripts, from a REAL CA medical practice,” the vendor wrote. “These are extremely hard to come by.”

The form, which includes up to three prescriptions, is selling for $75, and the vendor will even fill out the script for an extra $100 if the buyers are unsure how to do so.

“The form contains Doctors Names, DEA numbers, and CA license numbers,” the listing reads. “These are signed prescriptions you can fill out yourself for pharmaceuticals in CA, I would like to get rid of these ASAP.”

Additionally, the dark web is often associated with illegal drugs – and for good reason. Reporting on dark web markets such as Silk Road tends to focus on hard drugs; however, prescription drugs are readily available. They can be purchased from a variety of sellers on nearly every dark web marketplace.

This vendor is selling a wide wide range of prescription drugs in different dosages.

Utilizing Cyber Threat Intelligence

In addition to the postings from open marketplaces shown above, there is information to be gained from the private cybercriminal forums and markets on the dark web. As more researchers and law enforcement turn to the dark web for intelligence gathering purposes, cybercriminals have begun to take more precautions. Some markets require a referral to gain access. Some require a user fee. This chatter, both the public postings and more restrictive groups, can provide important insight into the most active cyber threats facing your organization.

For example, SurfWatch Labs has previously observed certain forum members requesting health insurance records from specific companies – presumably to assist in perpetrating insurance fraud as one actor was specifically looking for “high cost treatments.” Knowing which actors are targeting an organization, what those actors are looking for, and other chatter around potential cyber threats can be invaluable when it comes to planning, budgeting and implementing a company’s cyber risk management strategy.

This type of dark web threat intelligence provides direct insight into the malicious actors that target healthcare organizations, and it goes beyond the big ticket items that generate news headlines and spark a national conversation. Those stories are important, but in many ways the dark web shines a light on a cybercrime problem that is much more insidious: death by a thousand cuts.

With so many different threats out there, knowing which threats to focus on is critical. In many ways cybersecurity is simply about effective prioritization, and to that point, cyber threat intelligence and the dark web is a vital aspect.

Ransomware Is Not the Top Cybersecurity Threat Facing the Healthcare Sector

Ransomware is making all the headlines so far in 2016. This threat has become so mainstream it has caused both the FBI and US-CERT to issue ransomware alerts, with the healthcare sector being mentioned in both.

On March 31, 2016, the United States Computer Emergency Readiness Team (US-CERT) issued a ransomware warning concerning the Locky and Samas ransomware variants – both of which have been used to target hospitals and other healthcare targets.

On April 29, 2016, the FBI wrote a post warning of the rise in ransomware threats, saying that ransomware attacks were prevalent in 2015 and will continue to grow in 2016.

“Ransomware attacks are not only proliferating, they’re becoming more sophisticated,” the FBI post read. “Several years ago, ransomware was normally delivered through spam emails, but because email systems got better at filtering out spam, cyber criminals turned to spear phishing emails targeting specific individuals.”

However, when you look at the biggest data breaches in healthcare, are ransomware attacks really deserving of all the headlines?

Despite Ransomware Trend, Healthcare Most Impacted By Data Loss

SurfWatch Labs has collected data on 141 healthcare cybercrime targets so far in 2016, and the ransomware attacks against Hollywood Presbyterian Medical Center and Medstar Health have been the top two most discussed industry targets to date.

Ransomware attacks such as the ones against Hollywood Presbyterian Medical Center and MedStar Health have dominated the discussion around healthcare sector cybercrime in 2016.

Both Hollywood Presbyterian Medical Center and MedStar health made huge headlines this year after being victimized with ransomware. Hollywood Presbyterian paid the ransom demand to get their data back. Medstar Health was able to get their systems operational without paying a ransom.

While infected assets leads the way in terms of chatter around healthcare sector cybercrime effects this year – largely due the high level of ransomware discussion – stolen or leaked personal information and data are leading the way when looking at the total number of distinct healthcare targets being impacted by cybercrime so far this year.

Although not receiving the most discussion (CyberFacts), the stolen personal information and stolen data tags are associated with the highest number of healthcare targets impacted by cybercrime in 2016.

Similarly, while malware dominates the chatter around healthcare sector cybercrime practices, unauthorized access is the top trending practice category in terms of the actual number of affected targets.

Malware is leading the way in terms of discussion for the Healthcare sector in 2016; however, unauthorized access was the leading practice used in attacks against healthcare by total number of industry targets.

While everyone is talking about malware – more specifically, ransomware – affecting healthcare targets, if we dig deeper into that top practice category it’s clear that the old-fashioned, tried-and-true methods used by cybercriminals are causing the most damage in the healthcare sector in 2016.

Physical theft was the top trending unauthorized access practice tag to date in the healthcare sector. 

Criminals Are Still Seeking Healthcare Data

While it is still important for hospitals and healthcare companies to worry about the threat of ransomware, as SurfWatch Labs’ data shows, ransomware attacks are just the tip of the iceberg when it comes to cyber threats facing the healthcare industry.

Several attack vectors are present in the healthcare industry. Phishing and social engineering attempts are still the primary cybersecurity threat concerning healthcare facilities, with stolen laptops and flash drives also creating a severe issue protecting data.

W-2 data breaches have made several headlines this year, affecting organizations throughout all sectors – including healthcare. Healthcare companies Main Line Health, York Hospital, E Clinical Works, Endologix, Care.com, CareCentrix, and Magnolia Health Corporation all suffered W-2 data breaches in 2016 that stemmed from a simple phishing email.

The verdict is in; ransomware isn’t going anywhere and will continue to trend throughout 2016. However, we can’t forget about the old-fashioned methods used by hackers since the dawn of the Internet when it comes to protecting organizations from cybercrime. Ransomware has become popular due to its ease of execution and potential to make a quick buck, but the valuable data stored throughout the healthcare sector is still the holy grail for cybercriminals looking for a bigger score.

Talking MedStar, Ransomware and Healthcare with Arbor Networks’ Dan Holden

On Monday, March 28, MedStar Health was hit with a variant of ransomware known as Samas or “samsam.” The healthcare provider, which operates 10 hospitals and employs more than 30,000 people, quickly shut down all system interfaces. Communicating and scheduling became difficult. Staff reverted to paper records. Some patients had to be turned away.

Thus began a week of national attention as news outlets documented frustrated patients and employees, and a debate ensued around potential security flaws within MedStar.

“The issue with ransomware is of course now you’re talking about not availability, you’re talking about the data,” said Dan Holden, Director of Arbor Networks’ Security Engineering and Response Team, on our recent Cyber Chat podcast. “It is so critical, especially to these recent attacks — these hospitals. They can’t do anything without patient data or without documentation.”

Although MedStar was able to restore services without paying the 45-bitcoin ransom (around $19,000), the wide-reaching impact on business operations can make the decision to pay ransoms difficult for many providers, Holden said.

“It just puts them in an impossible situation,” he said. “In some cases you have to pay it because you simply are not able to recover any other way.”

Warnings About Samas and JBoss

Everything could have been avoided with a simple patch to update vulnerabilities found in a JBoss application server, according to the Associated Press. MedStar refuted the AP’s assertions that it ignored multiple urgent warnings dating back to 2007; however, the AP stands by its reporting.

The FBI warned of Samas, the very ransomware that appears to have hit MedStar, on March 25 — just days before the healthcare provider’s systems were impacted. The bureau first alerted organizations to Samas on February 18.

As Reuters reported,  “The FBI said that investigators have since found that hackers are using a software tool dubbed JexBoss to automate discovery of vulnerable JBOSS systems and launch attacks, allowing them to remotely install ransomware on computers across the network.”

A Decade of Ransomware

Holden said ransomware attacks have risen considerably in 2016, a point echoed by SurfWatch Labs as well as an FBI agent at a recent talk.

“It’s likely,” the agent said, “that this will be the decade of ransomware.”

So far in 2016, the healthcare sector has been a major focus of that trend.

“What we’re seeing is the attackers chasing the soft underbelly if you will of the various verticals,” Holden said. “There’s a big, big difference between a Fortune 100 company and everyone else in their ability to defend themselves and respond. And that’s certainly the situation these hospitals are in. It’s going to take some time for them to properly defend and be able to respond to these things.”

Part of the issue is that the ransomware threat is different than other types of cyber threats organizations have spent years defending against.

“The investment model is potentially a little bit different there,” Holden said. “That’s why perhaps it’s so interesting right now.”

He added: “Detecting doesn’t get you anything. You either have to prevent or you have to respond. The moment you’ve detected it, it’s already too late.”

Listen to the full conversation with Arbor Networks’ Dan Holden about ransomware in the healthcare sector below:

About the Podcast
Last week MedStar Health, which operates 10 hospitals and more than 250 outpatient medical centers in the Washington region, suffered a ransomware attack that disrupted their operations and put them front in center in the fight against cybercrime.

On Friday we spoke with Dan Holden, Director of ASERT, Arbor’s Security Engineering and Response Team. We chatted about how healthcare organizations are being impacted by ransomware, where that threat is headed, and how organizations can keep themselves safe.