Security News Bytes for the Week Ending June 7, 2019

June 7, 2019 CyberCecurity Leave a comment

More Information on the Baltimore Cyberattack

Baltimore estimates that it will wind up spending $18 million to recover from the cyberattack – which is why many organization just pay the ransom. The attackers only wanted $103,000 or less than 1 percent of what they are going to spend. Of course, if an organization does that, they will still be vulnerable to another attack and will have no idea whether the attacker will remain inside their systems, slowly stealing data, for the rest of eternity.

The city is blaming the feds for the breach due to the use of NSA’s leaked spy tool EternalBlue and want federal aid to fix their mess, although there are also conflicting reports that say that EternalBlue evidence was not found in the city’s network.

Baltimore’s information technology office issued a[n undated] detailed warning that the city was using computer systems that were out of date, highly vulnerable to attack and not backed up, calling them “a natural target for hackers and a path for more attacks in the system. (based on contents of the memo, it was likely written in late 2017 or 2018)”

The reality is that patches for EternalBlue have been out for more than a year – but not installed in Baltimore. Who’s fault is that? Like many organizations, Baltimore just chose to prioritize spending money on other things rather than protecting their systems and their customer’s data. Source: Cyberwire (no link) and the Baltimore Sun.

GandCrab Ransomware Shutting Down After Getting $2.5 BILLION

Smart people know when to stop. Apparently the hackers behind GandCrab have decided that $2.5 billion is enough and have ordered their “affiliates” to stop distributing the ransomware after an 18 month run. The operators claim to have generated $2.5 million a week over those 18 months and cashed out $150 million, which they have “invested”. Of course, other malware will replace it, but the sheer magnitude of this one is amazing. Source: Bleeping Computer.

Two Different Medical Labs Announce Breach – Both Use the Same Third Party Billing Vendor

First it was Quest Diagnostics announcing that 12 million customer records including credit card and bank account information, medical information and Socials were compromised. Now it is Lab Corp saying that almost 8 million of their customer records were exposed.

Both tie back to the same vendor – AMCA – American Medical Collection Agency. Given both of these biggies used it, likely there are many more small companies that also used it.

Labcorp said, in an SEC filing, that the hackers were inside for 9 months before they were detected at AMCA.

One more time, third party vendors put companies that trusted them at risk. In this case, there is the added pain that this is a HIPAA violation and a pretty big one at that. That is why vendor cyber risk management is so important.

Quest says that it has fired the vendor and hired its own investigators; they say that they have not gotten sufficient information from AMCA. Remember, you can outsource the task, but not the liability. Hopefully everyone has a lot of cyber-risk insurance.

Source: Brian Krebs.

Millions of EXIM Mail Agents Are At Risk

What could go wrong. Millions of EXIM mail transfer agents, typically used on Unix-like systems, are vulnerable to both remote and local attacks. The attack allows a hacker to remotely execute commands on the target system with the permissions of root.

The bug was patched in February, but it was not listed as a security fix, so likely many sysadmins did not install the patch. Shodan shows 4.8 million servers running the software and only 588,000 running the fix. Most of those servers are in the U.S. Source: Bleeping Computer.

The AMCA Data Breach Keeps Growing

AMCA is a company you probably never heard of before this week. They are a medical claims collection agency. As I said above, first it was Quest with 12 million customers affected; then it was LabCorp with another 7+ million customers.

One assumes that AMCA has lots of customers and depending on the nature of their systems, probably all of their customers were compromised, although it is possible that each customer was isolated from all of the others – but that doesn’t seem to be the case.

Now OPKO Health is saying that 400,000 of their customers information was compromised. Expect that there will be more customers coming forward in the weeks ahead.

This is the risk that you have when you use outside parties – breaches that you don’t control but have to pay for anyway – both financially and in brand damage. If you have not already figured out how to protect yourself as best as possible, now is the time to do it because once you get that phone call from your vendor – it is too late. Source: Bleeping Computer.