Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label social engineering attacks. Show all posts
US
Data Breach medical records Payment Data social engineering attacks UnitedHealth US

UnitedHealth Cyberattack Becomes Largest Health Data Breach in History

 



The recent cyberattack on UnitedHealth has now been confirmed as the biggest health care data breach ever recorded, affecting more than 192 million people, over one-third of the U.S. population.

When news of the incident first broke in 2023, reports estimated around 100 million individuals had been impacted. Updated figures released by the U.S. Department of Health and Human Services now show the scale was nearly twice as large, with 192.7 million people’s personal and medical information exposed.

The stolen data is said to include highly sensitive details such as medical records, diagnoses, test results, treatment information, and insurance identifiers. In addition, Social Security numbers, driver’s license details, billing information, payment data, and claims history were also compromised. The breadth of this information makes the breach especially serious, as it extends beyond health data into financial and personal identity details.

The attack targeted Change Healthcare, a technology subsidiary of UnitedHealth that processes payments for many major health insurance providers. According to congressional testimony earlier this year, hackers gained access to company systems through stolen employee login details. Critically, the system they broke into did not have multi-factor authentication enabled, making it easier to exploit.

The group responsible, known as BlackCat, used ransomware to disrupt claims processing and patient care systems nationwide. UnitedHealth paid a ransom reportedly worth $22 million to secure deletion of the stolen files, but investigators later found the attackers had not honored the agreement. After receiving payment, the group disappeared and shut down its servers.


What this means for individuals

Given the enormous number of people affected, many Americans may find their private information exposed. While there is no way to undo the breach, individuals can take steps to reduce risks.

Experts recommend:

1. Identity protection services: These can alert you to unusual use of your information and often provide insurance against fraud.

2. Stronger device security: Reliable antivirus programs help block malware and often include additional tools such as virtual private networks (VPNs) for safer browsing.

3. Account monitoring: Keep a close eye on bank, insurance, and medical accounts for suspicious activity.

4. Vigilance against scams: Many attackers follow up breaches with phishing emails or fake offers. Do not click links or open attachments from unknown sources, even if they appear official.


It is also important to remain cautious on social media and to avoid offers or messages that appear too good to be true, as these are common tactics in social engineering attacks.

The UnitedHealth incident underscores how cyberattacks on critical infrastructure can have wide-reaching consequences. For the millions affected, awareness and proactive security measures are now essential in limiting further damage.



Read more »
Windows malware
fake error messages malware PowerShell malware ransomware distribution social engineering attacks Windows malware

Crafty Criminals Use Fake Error Messages to Deploy Malware via PowerShell

 

Criminals are targeting thousands of organizations worldwide with social engineering attacks that use fake error messages to trick users into running malicious PowerShell scripts.

This new Windows malware campaign uses bogus error messages from Google Chrome, Microsoft Word, and OneDrive that appear legitimate. When victims visit a compromised website, they encounter a pop-up error message in their browser. This tactic, although old, remains highly effective. It's crucial to be aware of this trick to prevent others from falling for it.

Victims are instructed to click a "fix" button and paste the displayed code into a PowerShell terminal or Windows Run dialog box. This action allows PowerShell to execute another remote script that downloads and installs malware on the victim's computer.

Proofpoint malware researchers have identified at least two criminal groups using this method. One of these groups is likely using it to spread ransomware.

"Although the attack chain requires significant user interaction to be successful, the social engineering is clever enough to present someone with what looks like a real problem and solution simultaneously, which may prompt a user to take action without considering the risk," stated Tommy Madjar, Dusty Miller, and Selena Larson in a recent report.

Proofpoint discovered a group named TA571 employing this PowerShell technique as early as March 1, and another gang behind the ClearFake malware campaign has been using it since early April. Both groups were still active in early June, and a third campaign, dubbed ClearFix, has been testing it out since at least May.

In these attacks, users visit a compromised website that loads a malicious script hosted on the blockchain via Binance's Smart Chain contracts, known as EtherHiding. This script then triggers a fake warning box in the browser, prompting the victim to install a "root certificate" to fix a fictitious problem.

The warning message includes instructions to copy a PowerShell script and run it manually. This script flushes the DNS cache, clears the clipboard, displays a decoy message, and then downloads and executes a remote PowerShell script.

The remote script conducts Windows Management Instrumentation checks and then deploys Lumma Stealer malware, which downloads three payloads:

am.exe – Amadey Loader
ma.exe – A downloader that installs the XMRig cryptocurrency miner with a specific configuration
cl.exe – A clipboard hijacker that replaces cryptocurrency addresses in the clipboard to redirect funds to the threat actor's address during transactions
In some cases, the Amadey malware also downloads additional malware, including a Go-based threat believed to be JaskaGo, which can target both Windows and macOS systems.

"This means that in total, five distinct malware families could be executed just by running the one initial PowerShell script," the researchers noted.

The ClearFix campaign used a similar tactic. Attackers employed a compromised website with an iframe overlay, displaying a Google Chrome error message instructing users to open "Windows PowerShell (Admin)" and paste malicious code, ultimately leading to the Vidar Stealer being downloaded and executed.

In another campaign attributed to TA571, the group sent out over 100,000 phishing emails to thousands of organizations globally. These emails contained a malicious HTML attachment disguised as a Microsoft Word page, displaying an error message about the "Word Online extension not being installed," and offering two options: "How to fix" and "Auto-fix."

Clicking "How to fix" copies a Base64-encoded PowerShell command to the clipboard, instructing the user to open PowerShell and paste the command. The "Auto-fix" button uses the search-ms protocol to display a WebDAV-hosted "fix.msi" or "fix.vbs" file.

Executing the MSI file installs Matanbuchus, another malware loader, while the VBS file downloads and runs the DarkGate attack code.

"Proofpoint assesses with high confidence that TA571 infections can lead to ransomware," the researchers said, noting that this group continually modifies its email lures and attack chains.

The security firm also provided examples of indicators of compromise and advised organizations to train employees to recognize and report suspicious activity, particularly social engineering attacks of this nature. 
Read more »
Subscribe to: Comments (Atom)