Apparent Blackcat ransomware attack demonstrates risk for health care sector, vendors
An apparent ransomware attack on a major electronic health records company demonstrates the health care sector’s vulnerability to potentially devastating cyberattacks.
The cyber incident affected NextGen Healthcare last week. It apparently came from the hands of a ransomware group that the Department of Health and Human Services warned about earlier this month.
The company says it does not appear the hackers obtained any customer data, though it said nothing about patient or employee data. The suspected Russian ransomware group that claimed responsibility, Blackcat, put up a purported sample of NextGen information on its extortion site – usually done to pressure victims to pay or risk further exposure – but later took the NextGen listing down.
However the NextGen incident finally unfolds, it highlights trends in attacks on major vendors and the health care system.
What happened (according to those involved)
Founded in 1974, Atlanta-based NextGen Healthcare boasts 2,800 employees and projects revenue of nearly $600 million in 2022. It says it provides software and technology services in “ambulatory” settings, a term that ranges from physician offices to outpatient clinics, and has helped more than 2,500 health care organizations worldwide.
Here’s what NextGen told media outlets in response to inquiries about the Blackcat extortion site listing:
- “NextGen Healthcare is aware of this claim and we are working with leading cyber security experts to investigate and remediate. We quickly contained the threat, secured our network and returned to normal operations. Our forensic review is ongoing and to date, we have not uncovered any evidence of access to or removal of customer data. The privacy and security of our clients’ information is of the utmost importance to us.”
The statement is silent on whether any patient or employee data was affected, as Databreaches.net noted. Company spokespeople did not respond to questions Sunday about those elements of the incident, and an alleged spokesperson for Blackcat (also known as ALPHV) declined to provide evidence that the group had obtained customer data.
It is not uncommon for companies to later learn that the breach was more extensive than originally believed. It is also not uncommon for cyber criminals to lie about the type of data they stole, or to boast that they stole something they never did.
Blackcat is “a relatively new but highly capable ransomware threat to the healthcare sector,” according to the HHS threat briefing on Jan. 12. This is not the first time US authorities have issued warnings about the group.
- HHS dubbed it a “triple-extortion” group, marked by ransomware attacks that come with threats to leak data and conduct distributed denial-of-service attacks aimed at knocking websites offline.
- It has ties to older, notorious Russian ransomware gangs, such as DarkSide/BlackMatter and REvil.
- The group has stated that it “does not attack state medical institutions, ambulances, hospitals,” but that “the rule does not apply to pharmaceutical companies, private clinics.” HHS notes that ransomware gangs have repeatedly broken these promises.
- According to HHS, Blackcat favors US targets, which is not uncommon for ransomware gangs, many of which are believed to be based in Eastern Europe.
The risks of ransomware to health care organizations are serious, potentially including patient deaths. North Korean and Iranian hackers have shown particular interest in mounting attacks on the sector.
Companies that are vendors for other firms are a major way for ransomware gangs and other cyber criminals to expand their reach. Notable events include:
- In 2021, REvil compromised software developed by Kaseya, which in turn affected an estimated 800 to 1,500 businesses that were Kaseya customers.
- Suspected Russian hackers used SolarWinds software as a means to gain access to US government agencies, government organizations around the world, and major tech companies.
- In the health care sector in particular, a ransomware incident affecting a service provider in the United Kingdom last summer caused problems for the country’s National Health Service.
Regardless of how the NextGen event pans out, this is but one episode of an eventful 2023 for ransomware. This year has seen the usual array of attacks and revelations mixed with some unusual twists.
- Restaurants in Britain including KFC, Pizza Hut and Taco Bell had to close following a ransomware attack on parent company Yum, the company said on Wednesday.
- The Los Angeles Unified School District acknowledged earlier this month that ransomware hackers stole employees’ Social Security numbers last year.
- On New Year’s Eve, the Lockbit gang apologized for what it said was an affiliate hacking a children’s hospital in Canada, and offered the hospital a decryptor to unlock its systems.
- A study released over the weekend by blockchain analytics company Chainalysis suggested that ransomware payments were set to decline in 2022, as more victims appear to refuse to pay ransoms to the miscreants who hold their networks hostage. But ransomware criminals continue to use cryptocurrencies, contributing to illegal crypto activity last year, the firm concluded in another report this year.
Cyber criminals steal over $500,000 from GOP senator’s campaign committee
The criminals stole the money by sending fake invoices to the campaign committee of Sen. Jerry Moran (R-Kan.), Raw Story’s Dave Levinthal reports. Federal Election Commission filings say the committee has recovered about a quarter of the stolen funds, valued at $690,000.
“Cybercriminals targeted an accounting firm employed by Moran for Kansas and sent money to fraudulent bank accounts,” Moran for Kansas spokesperson Tom Brandt told Raw Story in an email. “As soon as a discrepancy was realized, it was reported to law enforcement. We are currently pursuing all available means to recover the funds and an investigation with the FBI is ongoing. Consulted with the FEC on how to report.”
Cyber criminals have also targeted other political campaigns. “Joining Moran among federal-level politicians to experience theft from their campaign accounts in recent years is President Joe Biden, whose 2020 Democratic presidential campaign committee lost at least $71,000,” Levinthal writes. “The Republican National Committee, Rep. Diana Harshbarger (R-Tenn.), former Democratic presidential candidate and Congresswoman Tulsi Gabbard and rapper-turned-2020 presidential candidate Ye, formerly Kanye West, are among others who have reported money stolen from their political accounts.”
T-Mobile got hacked – again
T-Mobile said a hacker stole information such as names, addresses, emails, phone numbers, dates of birth and account numbers for 37 million customers, TechCrunch’s Lorenzo Franceschi-Bicchierai reports. It is the eighth time the phone carrier – which has 110 million customers – has been hacked since 2018.
“Our investigation is still ongoing, but at this time the malicious activity has been fully contained, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network,” the company said in a Securities and Exchange Commission filing.
A spokesperson for the company did not respond to TechCrunch’s request for comment.
A hacker found a sensitive US no-fly list on an open server
Swiss hacker maia arson crimew found the list – which names people who are not allowed to fly within or into the United States – on a server run by a regional US airline, the Daily Dot’s Mikael Thalen and David Covucci report.
“The server contained data from the 2019 edition of the federal no-fly list that included first and last names and dates of birth,” CommuteAir spokesman Eric Kane told the Daily Dot. “In addition, some CommuteAir employee and flight information was accessible. We have submitted notification to the Cyber Security and Infrastructure Security Agency and we are continuing a full investigation.”
The Transportation Security Administration told the Daily Dot that it is “aware of a potential cybersecurity incident with CommuteAir, and we are investigating, in coordination with our federal partners.”
US law enforcement has encountered the hacker, crimew, before. In 2021, a grand jury indicted the hacker, accusing them of breaching “dozens of companies and government agencies.” crimew was also a member of a group of hackers that broke into security camera firm Verkada.
Hackers penetrated LAUSD computers much earlier than previously known, district probe finds (Los Angeles Times)
Riot Games Hacked, Game Patch Delayed After Security Breach (Bleeping Computer)
A hack at ODIN Intelligence exposes a vast trove of police raid files (TechCrunch)
Most of GAO’s cyber recommendations since 2010 remain unresolved (Nextgov)
- CIA Deputy Director for Analysis Linda Weissgold speaks at an event organized by the Intelligence and National Security Alliance on Tuesday at 9 a.m.
Thank you for reading. See you tomorrow.