The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.
TOP NEWS STORIES THIS WEEK
- Daixin Team: Active threat. CISA and FBI warn of ransomware group targeting healthcare sector.
- Nuclear security meltdown. Sensitive documents leaked from Atomic Energy Organization of Iran.
- Medibank breach. Personal and health claims data of all 3.9 million customers accessed.
- Regulators toughen up. ICO fines Interserve Group and FTC takes aim at ‘careless’ Drizly CEO.
- All systems down. Cyber attack on international wholesaler Metro AG leads to IT outages.
- Stop, thief! Point-of-sale based malware used to steal over 167,000 credit card numbers.
1. DAIXIN TEAM TARGETING HEALTHCARE SECTOR
US government agencies CISA and FBI have issued a joint warning regarding Daixin Team, a ransomware group actively targeting healthcare organisations since at least June 2022. Daixin Team typically gains initial access to its victims’ systems by exploiting vulnerabilities in, or leveraging leaked credentials for, remote access solutions such as VPN servers.
SO WHAT? Ensure the latest patches for operating systems, firmware, and software are applied as soon as they become available. Multi-factor authentication (MFA) should also be enforced for all remote access services.
2. SENSITIVE IRANIAN NUCLEAR DOCUMENTS LEAKED AFTER EMAIL HACK
A hacktivist group calling itself Black Reward has leaked 50GB of sensitive data allegedly exfiltrated from the Atomic Energy Organization of Iran's email servers. The leak includes contracts and construction plans relating to a Russia-backed nuclear power plant. The group had threatened to leak the data if the Iranian government did not release political prisoners.
SO WHAT? Emails contain a vast amount of sensitive data and are regularly targeted by cyber criminals. Organisations should ensure they have appropriate security measures in place, particularly in light of recent advances in phishing-as-a-service toolkits such as EvilProxy.
3. MEDIBANK’S WORST FEARS CONFIRMED
Listed Australian health insurance provider Medibank has confirmed hackers had access to data from all 3.9 million of its customers. This includes both personally identifiable information and highly sensitive health claims data. The company did not have cyber insurance at the time of the incident, for which initial remediation costs alone are estimated to be between AUD 25 million and AUD 45 million. Medibank’s share price has also dropped, losing AUD 1.8 billion in value since the attack.
SO WHAT? It is increasingly difficult to obtain adequate cyber insurance coverage. Organisations should ensure they have robust cyber security measures in place before attempting to secure a policy, and consider alternative means of protection such as an incident response retainer.
4. REGULATORS TAKE AIM AT CARELESS DATA SECURITY
- In the UK, the Information Commissioner’s Office fined construction company Interserve Group GBP 4.4 million following a data breach in May 2020. An investigation found that Interserve failed to follow up on the original alert, used outdated software systems and protocols, and lacked adequate staff training.
- Separately, US-based alcohol delivery platform Drizly reached a settlement with the Federal Trade Commission over a data breach that exposed the personal information of around 2.5 million individuals. In a rare move, the FTC specifically named CEO James Cory Rellas in its complaint over the company’s “carelessness”.
SO WHAT? The ICO warned that the biggest cyber risk to businesses is internal complacency, not external attackers. It is essential that companies follow appropriate data security practices, and properly prepare for a data breach ahead of time.
5. METRO’S IT SYSTEMS DOWN AFTER CYBER ATTACK
A recent cyber attack has left German wholesale multinational Metro AG experiencing store payment issues and IT infrastructure outages. Since 17 October, stores in Austria, Germany, and France have been forced to set up offline payment systems. Additional delays are also expected for online orders.
SO WHAT? Cyber attacks may result in unexpected disruptions to business operations. Business continuity plans and other redundancy measures should be in place to ensure minimal impact on business operations in the event of a cyber incident.
6. POINT-OF-SALE MALWARE STEALS CARD DETAILS
Cyber criminals have stolen over 167,000 credit card numbers using two strains of point-of-sale (POS) malware since February 2021. The campaign targeted 212 infected payment devices, primarily in the US. According to security researchers, the card details could be worth over USD 3.3 million if sold on the dark web.
SO WHAT? While POS malware is not as prevalent as it used to be, the new campaign shows that organisations should remain vigilant, conduct random investigations into POS devices, and use network protection techniques such as firewalls and network segmentation to defend themselves.