InTegriLogic Blog
The Week in Breach News: 06/14/23 – 06/20/23
This week: MOVEit exploit attacks snowball, snagging Shell as well as U.S. federal and state government agencies, and a malicious insider is suspected of facilitating a ransomware attack against the Chilean army.
U.S. Department of Agriculture (USDA)
https://edition.cnn.com/2023/06/17/us/department-of-agriculture-possible-data-breach/index.html
Exploit: Ransomware
U.S. Department of Agriculture (USDA): Federal Government Agency
Risk to Business: 1.886 = Severe
The U.S. Department of Agriculture has been added to the growing list of victims of cyberattacks by the Cl0p ransomware group that are fueled by the MOVEit exploit. USDA has confirmed that it is investigating a data breach after one of its vendors fell victim to Cl0p. The agency says that a small amount of personal data about USDA employees may have been exposed in the incident. Other federal government agencies, including the U.S. Office of Personnel Management (OPM) and arms of the Department of Energy (DoE), such as the Oak Ridge Associated Universities research center and the Waste Isolation Pilot Plant in New Mexico, have also been identified as federal agency or agency-affiliated victims.
How It Could Affect Your Business: This exploit continues to snag organizations with Cl0P claiming to have hit hundreds of entities.
Onix Group
https://www.bankinfosecurity.com/real-estate-firm-hack-affects-319500-patients-employees-a-22306
Exploit: Ransomware
Onix Group: Real Estate Company
Risk to Business: 1.876 = Severe
Onix Group, a Pennsylvania-based real estate firm that also operates a chain of substance misuse treatment centers, has reported a data breach to the Department of Health and Human Services (HHS). The company said that a ransomware attack discovered on March 27 had corrupted some systems and resulted in data exfiltration. Onix’s investigation ultimately determined that an unauthorized actor had accessed Onix’s network between March 20 and March 27. The stolen files contained employee information including names, Social Security numbers, direct deposit information and health plan enrollment information.
How It Could Affect Your Business: A data breach that involves employee information can be just as costly as a data breach that exposes consumer information.
Louisiana Office of Motor Vehicles (OMV)
https://www.bleepingcomputer.com/news/security/millions-of-oregon-louisiana-state-ids-stolen-in-moveit-breach/
Exploit: Ransomware
Louisiana Office of Motor Vehicles (OMV): Regional Government Agency
Risk to Business: 1.369 = Extreme
The Louisiana Office of Motor Vehicles has disclosed that it too has fallen victim to Cl0p and the MOVEit exploit. The agency said that it expects that every Louisianan with a state-issued driver’s license, ID, or car registration likely had their data exposed to the threat actors. The OMV says that those impacted likely had personal data exposed including their name, address, social security number, birth date, height, eye color, driver’s license number, vehicle registration information and handicap placard information. Many other U.S. federal, state and local agencies have also been swept up in the MOVEit breach. The Oregon Department of Motor Vehicles released a similar statement noting that 3,500,000 Oregonians with an ID or driver’s license had similar data exposed too.
How It Could Affect Your Business: Many exploits can be avoided by regularly patching and updating software and systems.
Intellihartx
https://www.securityweek.com/intellihartx-informs-490k-patients-of-goanywhere-related-data-breach/
Exploit: Ransomware
Intellihartx: Debt Collector
Risk to Business: 2.149 = Severe
Intellihartx, a provider of patient balance resolution services to hospitals, is informing roughly 490,000 individuals that their personal information was compromised after the company discovered that it had become caught up in the GoAnywhere zero-day exploit flood that occurred earlier this year. Exposed data includes names, addresses, insurance data and medical billing, diagnosis and medication information, birth dates and Social Security numbers of patients carrying medical debt. Cl0p has already made the stolen data available on its leak site.
How It Could Affect Your Business: An exploit doesn’t have to be a zero-day anymore to still be problematic for businesses.
Zacks Investment Research
https://www.bleepingcomputer.com/news/security/have-i-been-pwned-warns-of-new-zacks-data-breach-impacting-8-million/
Exploit: Hacking
Zacks Investment Research: Data and Analysis Firm
Risk to Business: 2.737 = Moderate
Internet researchers at Have I Been Pwned announced that they’ve discovered that Zacks Investment Research (Zacks) has allegedly experienced a previously undisclosed data breach that impacts 8.8 million of its customers. The researchers said that a database of Zacks customers’ information was dumped on the dark web last week. The database contained clients’ email addresses, usernames, unsalted SHA-256 password hashes, addresses, phone numbers, first and last names and other data. Zacks had previously disclosed another data breach in January 2023.
How It Could Affect Your Business: A second big breach of customer data in just six months may damage Zacks’ reputation and turn potential customers off.
Chile – Chilean Army
https://www.bleepingcomputer.com/news/security/rhysida-ransomware-leaks-documents-stolen-from-chilean-army/
Exploit: Ransomware (Malicious Insider)
Chilean Army: Military
Risk to Business: 1.126 = Extreme
A newer ransomware group named Rhysida has leaked a trove of documents that it claims to have stolen from the network of the Chilean Army (Ejército de Chile). The Chilean Army confirmed on May 29 that its systems were impacted in a security incident detected over the weekend on May 27 and that data was likely stolen. Interestingly, in the days following the announcement of the hack, an Army corporal was arrested and charged for his involvement in the incident, suggesting that the ransomware was deployed by a malicious insider. Rhysida has since published around 360,000 Chilean Army documents on its dark web leak site and claimed that they comprise about 30% of the data that was stolen. The incident is under investigation by Chile’s Computer Security Incident Response Team (CSIRT) of the Joint Chiefs of Staff and the Ministry of National Defense.
How It Could Affect Your Business: Every organization is susceptible to malicious insider threats no matter how loyal its employees seem to be.
UK – Shell
https://therecord.media/shell-impacted-in-clop-ransomware-attack
Exploit: Ransomware
Shell: Fuel Company
Risk to Business: 1.607 = Severe
Oil and gas behemoth Shell has announced that it too is a victim of Cl0p’s cybercrime spree using the MOVEit exploit. The company says that there was no damage to its internal systems but that a small amount of employee data was stolen. Shell is among the hundreds of companies that have been added to Cl0p’s dark web leak site. Those companies have been given a deadline of June 21 to pay a ransom or have their data exposed. However, Cl0p posted on its leak site last Friday that Shell was refusing to negotiate.
South Africa – Development Bank of Southern Africa (DBSA)
https://therecord.media/development-bank-of-southern-africa-akira-ransomware-attack
Exploit: Ransomware
Development Bank of Southern Africa (DBSA): State-Owned Bank
Risk to Business: 1.783 = Severe
The state-owned Development Bank of Southern Africa has disclosed that it was hit with a ransomware attack by the Akira group last month. The bank says that the attack occurred around May 21. In the incident, servers, log files and documents were encrypted. DBSA says that sensitive information about its clients, including business names, the names of directors and shareholders, addresses, identification documents and contact information like phone numbers and email addresses, was stolen in the incident. Many of the documents purportedly also included details of commercial or employment relationships with DBSA and financial information of stakeholders. The attack is under investigation by South African law enforcement agencies and regulators as well as third-party forensic investigators.
How It Could Affect Your Business: Banks and other financial institutions have been at the top of cybercriminal hit lists for the past few years.