In a recent cybersecurity incident, Ascension, a major health system, has disclosed that cybercriminals stole files potentially containing personal information. This comes about a month after Ascension initially reported falling victim to a ransomware attack.
Ascension revealed that the attackers managed to extract files from seven of its 25,000 file servers. While the investigation is ongoing, preliminary findings suggest that these files may include protected health information and personally identifiable information. However, Ascension has yet to determine the exact data compromised or the specific patients affected.
Despite the breach, Ascension reported no evidence indicating that data from its electronic health records were stolen. The attack was traced back to an employee inadvertently downloading a malicious file, mistaking it for a legitimate document.
In response to the attack, Ascension is offering free credit monitoring and identity theft protection services to patients and employees. Those interested in these services can call 1-888-498-8066 to enrol.
The attack, discovered on May 8, caused paradigm altering disruptions across Ascension’s network. Some elective surgeries and appointments were postponed, and one hospital in Illinois temporarily redirected ambulances to other facilities. Nurses at several hospitals faced challenges, such as difficulties in accessing doctors’ orders for medications and tests, and issues with their standard procedures for medication administration.
Ascension Illinois has recently restored its primary technology for electronic patient documentation, allowing hospitals and doctors' offices to resume electronic documentation, charting, and order sending. This restoration marks a crucial step in returning to normal operations.
This incident at Ascension is part of a troubling trend of cyberattacks targeting healthcare institutions. Earlier this year, Lurie Children’s Hospital in Chicago and the University of Chicago Medical Center also faced cyber incidents. Healthcare systems are prime targets for cybercriminals due to their size, reliance on technology, and the vast amounts of sensitive data they handle, according to the U.S. Department of Health and Human Services.
As cyber threats expand their territory, healthcare systems must remain vigilant and enhance their cybersecurity measures to protect sensitive patient information. The Ascension attack underscores the critical need for robust security protocols and employee awareness to prevent future breaches.
Their lightning-fast data exfiltration took just over two hours, representing a dramatic shift in the average time it takes a cybercriminal to go from first access to information exfiltration and leaving organizations scrambling to respond. Let’s delve into the details of this alarming incident.
The victim in this case was a Latin American airline. The attackers exploited a vulnerability in their infrastructure, emphasizing the importance of robust security measures for critical industries. They gained entry through an unpatched Veeam backup server, leveraging the Secure Shell (SSH) protocol. Veeam servers are attractive targets due to their tendency to store sensitive data and credentials.
The BlackBerry Threat Research and Intelligence Team has revealed a summary of a June Akira ransomware assault against a Latin American airline. According to BlackBerry's anatomy of the attack, the threat actor acquired first access via an unpatched Veeam backup server and promptly began stealing data before installing the Akira ransomware the next day.
Within a remarkably short timeframe, the threat actors exfiltrated data from the Veeam backup folder. This included documents, images, and spreadsheets. The speed of their operation highlights the need for proactive security practices.
Storm-1567, a notorious user of the Akira ransomware-as-a-service (RaaS) platform, is the likely perpetrator. Known for double-extortion tactics, Storm-1567 has targeted over 250 organizations globally since emerging in March 2023.
1. Legitimate Tools and Utilities
The attackers demonstrated technical prowess by using legitimate tools and utilities during the attack. These tools allowed them to:
Storm-1567’s ability to escalate from initial access to data theft in such a short span underscores their expertise. Organizations must prioritize timely patching and secure backup systems to prevent similar incidents.
Regularly update and patch all software, especially critical components like backup servers. Vulnerabilities left unaddressed can lead to devastating consequences.
Secure backup systems are essential. They often contain critical data and serve as gateways for attackers. Implement access controls, monitor for suspicious activity, and encrypt backups.
Stay informed about emerging threats and threat actors. Vigilance and proactive defense are crucial in the ever-evolving landscape of cyber threats.
The ransomware group NoName has reportedly launched cyberattacks against key institutions in Denmark and Finland, citing their support for NATO as the provocation. The alleged attacks targeted Denmark’s digital identification system MitID, the Finland Chamber of Commerce, and Finland’s largest financial services provider, OP Financial Group.
On a dark web forum, NoName announced these attacks, positioning them as a reaction to Denmark and Finland's recent military and infrastructural actions favouring NATO. The group specifically called out Denmark for training Ukrainian specialists in F-16 fighter jet maintenance:
"Denmark has trained the first 50 Ukrainian specialists in servicing F-16 fighter jets. Most of the specialists have already returned to Ukraine to prepare for the reception of F-16s at local air bases. The training of the first group of Ukrainian pilots continues in Denmark.”
They also criticised Finland for infrastructure upgrades intended to support NATO troops:
“Finland has begun repairing roads and bridges in Lapland to prepare for the deployment of NATO troops on its territory. ERR.EE reports on its change of stance on NATO forces and planned infrastructure work.”
NoName concluded their message with a warning, suggesting that Denmark and Finland's governments had not learned from past mistakes and threatened further actions.
Potential Impact on Targeted Entities
MitID: Denmark's MitID is a crucial component of the country's digital infrastructure, enabling secure access to various public and private services. An attack on this system could disrupt numerous services and damage public trust in digital security.
Finland Chamber of Commerce: The Chamber plays a vital role in supporting Finnish businesses, promoting economic growth, and facilitating international trade. A cyberattack could destabilise economic activities and harm business confidence.
OP Financial Group: As the largest financial services group in Finland, OP Financial Group provides a range of services from banking to insurance. A successful cyberattack could affect millions of customers, disrupt financial transactions, and cause significant economic damage.
Despite the claims, the official websites of MitID, the Finland Chamber of Commerce, and OP Financial Group showed no immediate signs of being compromised. The Cyber Express Team has reached out to these institutions for confirmation but has not received any official responses as of the time of writing, leaving the allegations unconfirmed.
The timing of these alleged cyberattacks aligns with recent military and infrastructural developments in Denmark and Finland. Denmark's initiative to train Ukrainian specialists in F-16 maintenance is a significant support measure for Ukraine amidst its ongoing conflict with Russia. Similarly, Finland's infrastructure enhancements in Lapland for NATO troops reflect its strategic alignment with NATO standards following its membership.
The NoName ransomware group's alleged cyberattacks on Danish and Finnish institutions highlight the increasing use of cyber warfare for political and military leverage. These attacks aim to disrupt critical infrastructure and send a strong message of deterrence and retaliation. The situation remains under close scrutiny, with further updates expected as more information or official responses become available.
With over half a million members affected, the situation underscores the critical importance of robust cybersecurity measures for financial institutions. In this blog post, we delve into the details of the attack, its implications, and the lessons we can learn from Patelco’s experience.
Four days after a ransomware attack disabled its systems, Patelco Credit Union could not inform its members when banking activities would resume.
The Dublin-based credit union has yet to provide additional information on the security incident that has prevented members from making electronic payments, deposits, or transfers since last weekend.
Customers continued to wait in lines to use bank ATMs on Tuesday, forcing them to visit Patelco locations around the state to withdraw cash, even though they can still not view their statement balances or any other information about their online banking.
The Lockdown: Patelco’s online banking services ground to a halt as the attack unfolded. Members were unable to make electronic payments, access their account balances, or conduct transactions. The situation escalated rapidly, leaving customers frustrated and anxious.
Phishing Email as the Gateway: Cybersecurity experts suspect that the attackers gained entry through a phishing email. These deceptive emails trick recipients into revealing sensitive information or clicking on malicious links. In Patelco’s case, an unwitting employee may have inadvertently provided the attackers with a foothold.
Encryption and Ransom Demand: Once inside Patelco’s systems, the hackers encrypted critical data, effectively locking the credit union out of its own infrastructure. The term “ransomware” aptly describes their next move: they demanded payment in cryptocurrency in exchange for decrypting the files.
Member Disruptions: Patelco’s half a million members faced significant disruptions. Unable to check balances, transfer funds, or pay bills online, they turned to ATMs and physical branches. The inconvenience was palpable, highlighting the importance of uninterrupted digital services.
Assets and Vulnerabilities: Patelco manages a substantial $9 billion in assets across its 37 branches. The attack raises questions about the security posture of financial institutions. Are credit unions like Patelco adequately protected? Or are they, as some experts suggest, “soft targets” compared to larger banks?
Transparency and Communication: Patelco responded swiftly by creating a dedicated website to keep members informed. Regular updates on the security breach, restoration efforts, and collaboration with cybersecurity experts demonstrate transparency and a commitment to resolving the crisis.