Cybercrime

Millions of Americans impacted by debt collector data breach

A massive data breach has hit Financial Business and Consumer Solutions (FBCS), a debt collection agency, affecting millions of Americans. Initially reported in February 2024, the breach was found to have exposed the personal information of around 1.9 million individuals in the US, which later increased to 3 million in June. Compromised data includes full names, Social Security numbers, dates of birth, and driver’s license or ID card numbers. FBCS has notified the affected individuals and relevant authorities.

The breach occurred on 14 February but was discovered by FBCS on 26 February. The company notified the public in late April, explaining that the delay was due to their internal investigation rather than any law enforcement directives. The leaked information could include various personal details such as names, addresses, Social Security numbers, and medical records, though not all affected individuals had all types of data exposed.

FBCS has strengthened its security measures in response to the breach and built a new secure environment. Additionally, they offer those impacted 24 months of free credit monitoring and identity restoration services. The company advises everyone affected to be vigilant about sharing personal information and to monitor their bank accounts for any suspicious activity to protect against potential phishing and identity theft.

Cyberattack on London hospitals leads to data leak

Cybercriminals claiming responsibility for the recent hack on London hospitals have reportedly released stolen data from the incident. England’s National Health Service (NHS) acknowledged the publication of this data, allegedly belonging to Synnovis, the pathology provider targeted in the 3 June attack. NHS officials are working closely with Synnovis, the National Cyber Security Centre, and other partners to verify the content of these files swiftly. Their focus includes determining if the data originates from Synnovis systems and if it pertains to NHS patients.

According to reports, the hackers have disclosed nearly 400GB of data on their darknet website and Telegram channel. The published information supposedly includes patient names, dates of birth, NHS numbers, and descriptions of blood tests, alongside financial spreadsheets. However, the NHS has not confirmed whether medical test results are part of the exposed data.

The attack has been attributed to the Russian-speaking hacker group Qilin, which has demanded a $50 million ransom to halt further disclosures. Synnovis, a provider jointly operated by Synlab UK & Ireland and NHS trusts, is crucial in delivering lab testing services to healthcare facilities in London and Kent. The breach has severely impacted its blood transfusion and testing capabilities, leading to the postponement of over 1,000 operations and more than 2,000 appointments at affected hospital units.

Conclusions on the UN Security Council’s open debate on cybersecurity

The UN Security Council held an open debate on cybersecurity as part of South Korea’s presidency for the month of June. The day-long debate centred on the evolving threat landscape in cyberspace, emphasising the need for digital advancements to be directed towards positive outcomes. During the ensuing debate, nearly 70 speakers shared national perspectives on the growing threats posed by rapidly evolving technologies wielded by state and non-state actors. 

UN Secretary-General António Guterres highlighted the rapid pace of digital breakthroughs, acknowledging their ability to unite people, disseminate information rapidly, and boost economies. However, he cautioned that the connectivity that fuels these benefits also exposes individuals, institutions, and nations to significant vulnerabilities. Guterres pointed to the alarming rise of ransomware attacks, which cost an estimated $1.1 billion in ransom payments last year. Nonetheless, he noted that the implications extended beyond financial costs to impact peace, security, and overall stability.

In response to these challenges, Guterres referenced the ‘New Agenda for Peace,’ which calls for concerted efforts by states to prevent conflicts from escalating in cyberspace. He stressed the importance of upholding the rule of law in the digital realm and highlighted ongoing discussions among member states regarding a new cybercrime treaty. Recognising the interconnectedness of cyberspace with global peace and security, he urged the Security Council to incorporate cyber-related considerations into its agenda.

Stéphane Duguin, CEO of the CyberPeace Institute, briefed the council, offering valuable insights into recent cyberattacks, including the ‘AcidRain’ incident affecting Ukraine and cybercriminal activities linked to the Democratic People’s Republic of Korea. Duguin emphasised the necessity of attributing cyberattacks to perpetrators to facilitate de-escalation efforts. In turn, Nnenna Ifeanyi-Ajufo, an expert in Law and Technology, highlighted the misuse of cyber technology by terrorist groups in Africa and the risks posed by states infringing on human rights under the guise of cybersecurity. She called for enhanced mechanisms to understand the cyber threat landscape across different regions.

In deliberating the Council’s role in the cyber domain, some representatives advocated for inclusive processes within the UN, particularly under the General Assembly, to establish equitable arrangements in addressing cyber threats. Others urged the Security Council to take a more active role. Several speakers stressed the Council’s potential to lead in building a secure cyberspace, bridging with existing UN efforts in cybersecurity and ensuring Global South perspectives are considered at every step of the process.

In contrast, the representative from Russia highlighted a lack of clarity in determining which malicious digital technology use could threaten international peace and security. In this regard, Russia criticised the West for attributing cyberattacks to what they called ‘inconvenient countries.’ Moreover, the representative opposed the Council’s involvement in this matter, stating that such a move would exclude states not part of the Council from the discussion.

Why does it matter?

Highlighting the urgency of addressing cyber threats, representatives stressed the need for the Council to facilitate dialogue and support capacity-building efforts, especially in developing countries lacking the resources and expertise to combat cyber threats. 

The discussions highlighted the critical need for proactive measures to address cyber threats, promote cybersecurity, and safeguard global peace and stability in an increasingly interconnected digital landscape.

Cyber incident at CDK Global disrupts auto dealership operations across US and Canada

On Wednesday, a cyber incident at CDK Global, a software provider for 15,000 auto dealerships, disrupted operations at numerous dealerships in the USA and Canada. CDK spokesperson Lisa Finney confirmed the company is investigating the incident and has shut down most systems to protect customers, with efforts underway to restore functionality as soon as possible.

Jeff Ramsey from Ourisman Auto Group in Maryland stressed that essential information, typically stored digitally, is now inaccessible, impacting their ability to close deals. Despite understanding the need for caution, Ramsey expressed concerns about potential business losses as customers might turn to unaffected dealers. The timing is particularly critical during the peak car-buying season.

Brian Benstock of Paragon Honda and Paragon Acura in New York added that while his team can resort to manual processes, the real burden falls on accountants and business staff. He also stressed ongoing worries about customer data security. CDK later announced partial restoration of some systems, though not all have been fully operational yet.

Why does it matter?

CDK’s software is essential for various dealership operations, from record-keeping to service scheduling. The disruption has caused significant inconvenience, especially since many dealers rely on these systems daily.

Ransomeware group involved in cyberattack to London hospitals declares political motives

A ransomware group known as Qilin has recently come under fire for its involvement in a cyberattack that caused significant disruptions at London hospitals. In a surprising turn of events, the group expressed remorse for the harm caused by the attack but vehemently denied any responsibility. Instead, the group framed the incident as a form of political protest. The group engaged in a conversation with the BBC via an encrypted chat service, qTox, where they attempted to justify their actions as a retaliatory measure against the UK government’s involvement in an unspecified war.

Despite Qilin’s claims of seeking revenge, cybersecurity experts, including Jen Ellis from the Ransomware Task Force, remain skeptical of the group’s motives, explaining cyber gangs often lie. Above all, she emphasises that the consequences of the attack carry more weight than understanding the reasons behind the attack. The cyberattack resulted in the postponement of more than 1,000 operations and appointments, prompting the healthcare system to declare a critical incident. The disruption caused by the attack has raised serious concerns about the vulnerability of critical infrastructure to malicious cyber activities in the country.

Qilin, believed to be operating from Russia, has refrained from disclosing specific details about its location or political affiliations. The lack of transparency has added to the complexity of the situation, as authorities and cybersecurity experts work to understand the group’s objectives and the potential future attack vectors. This represents the group’s first declaration of a political motivation behind their cyber intrusions. Qilin has been under observation since 2022, during which time it has executed targeted attacks at educational establishments, medical facilities, corporations, governmental bodies, and healthcare organisations.

Why does it matter?

The aftermath of the cyberattack demonstrates the urgent need for cybersecurity  preparedness within critical sectors such as healthcare. As organisations strive to recover from such incidents, the focus remains on safeguarding sensitive data, restoring disrupted services, and preventing future attacks. The evolving nature of cybercrime, as seen with groups like Qilin, shows the ongoing challenges faced by cybersecurity professionals in protecting critical infrastructure from malicious actors.

Financial sector faces phishing attacks targeting Microsoft 365 accounts

According to a recent report by BleepingComputer, organisations within the financial sector have been targeted in a sophisticated attack campaign since February, where employees’ Microsoft 365 accounts were compromised using the ONNX phishing-as-a-service platform, suspected to be a revamped version of the Caffeine phishing kit. 

The attackers, posing as human resources departments, sent deceptive emails regarding salary updates with PDF attachments containing QR codes. Upon scanning these codes, recipients were redirected to a counterfeit Microsoft 365 login page undetected by standard phishing protections. EclecticIQ’s findings reveal that login credentials and two-factor authentication tokens entered on these fake pages were extracted by the attackers for subsequent email account hijacking and data theft activities. 

The ONNX PhaaS platform, accessible through Telegram, not only offers customisable Microsoft Office 365 phishing templates and various webmail services but also employs encrypted JavaScript code, Cloudflare services, and a bulletproof hosting service to evade detection.

Key player in semiconductor industry targeted in major data breach

The infamous threat actor Intelbroker has purportedly masterminded a data breach targeting Advanced Micro Devices (AMD), a prominent player in the semiconductor industry. The alleged breach of AMD’s systems was disclosed on BreachForums alongside detailed information about the intrusion and various data samples.

In response to these claims, AMD officials have issued a statement acknowledging the reported data breach by a cybercriminal group. The company stated that it is collaborating with law enforcement authorities and a third-party hosting partner to investigate the alleged breach and assess the nature and impact of the compromised data.

Intelbroker asserts that the leaked AMD data includes a wide range of sensitive information stolen from AMD’s databases. The data includes technical specifications, product details, and internal communications allegedly sourced from AMD’s secure servers. These disclosures not only point towards the possible extent of the breach but also raise concerns about potential vulnerabilities within AMD’s cybersecurity infrastructure.

The following incident is not the first cybersecurity challenge faced by AMD. In 2022, the company reportedly fell victim to the RansomHouse hacking group. Following the 2022 breach and the current incident, AMD initiated thorough investigations to evaluate the breach’s implications and in turn enhance its defences against cyber threats. These disclosures can potentially compromise AMD’s competitive edge and raise concerns about intellectual property theft and corporate espionage.

Who is Intelbroker?

Intelbroker, the alleged perpetrator behind the recent AMD data breach, has a track record of targeting critical infrastructure, major tech companies, and government contractors. The hacker operates as a lone wolf and employs sophisticated tactics to exploit vulnerabilities and access sensitive information. Previous breaches include infiltrations at Los Angeles International Airport (LAX) and US federal agencies via Acuity, emphasising the widespread impact of their activities.

The motives driving Intelbroker’s cyber campaigns range from financial gain through the sale of stolen data on dark web platforms to potential geopolitical agendas aimed at disrupting critical infrastructure and corporate operations. 

Philippine Maritime Authority hit by system breach

The Maritime Industry Authority (MARINA) in Philippines, a government agency responsible for integrating the development, promotion, and regulation of the maritime industry in the country, acknowledged on Monday that its online platforms encountered a security breach during the weekend. The breach impacted four of MARINA’s systems, prompting an immediate response from the agency to ensure the security of its data.

Upon detecting the attack, MARINA swiftly deployed personnel to its central office in Manila’s Port Area on Sunday. The agency highlighted its quick actions in implementing protective measures. Presently, MARINA’s IT team is working in conjunction with the Department of Information and Communications Technology-Cybercrime Investigation and Coordinating Center (DICT-CICC) to probe the breach and mitigate potential risks to sensitive information.

While MARINA did not disclose the specific systems affected or the extent of the breach, these systems handle crucial data such as vessel registrations, seafarers’ information documents, and record books. As the regulatory body overseeing maritime activities, MARINA aims to have its systems fully operational by Tuesday to resume normal processing of applications.

This security incident adds to a string of cyberattacks targeting Philippine government entities. In May, the Philippine National Police (PNP) halted its online services following breaches that impacted its Logistics Data Information Management System and the Firearms and Explosives Office. Furthermore, in October 2023, a ransomware attack compromised the data of over 13 million members of the Philippine Health Insurance Corp.

UnitedHealth discloses potential theft of data from one-third of Americans

The Centres for Medicare and Medicaid Services have announced the discontinuation of a program designed to assist Medicare providers and suppliers impacted by disruptions at UnitedHealth’s technology division, Change Healthcare. 

Initiated in response to a hack at Change Healthcare on February 21st by threat actor ‘BlackCat’, the program will now cease accepting new applications as of July 12. It has distributed over $2.55 billion in expedited payments to 4,200 providers such as hospitals and $717.18 million to suppliers including doctors, non-physician practitioners and durable medical equipment suppliers, with a significant portion of these funds already recovered. Providers are now able to effectively submit claims to Medicare.

The cyber incident in February affected a key player in processing medical claims. The US Change Healthcare handles approximately half of all medical claims in the United States, serving about 900,000 physicians, 33,000 pharmacies, 5,500 hospitals, and 600 laboratories, adding to the growing cyber threat posed to the healthcare industry.

Mediabank faces legal action in Australia over massive data breach

Following the 2022 Mediabank’s cyber incident, the Office of the Australian Information Commissioner has initiated legal proceedings against the company, alleging the significant data breach impacted a vast number of customers, including 5.1 million Medibank customers, 2.8 million ahm customers, and 1.8 million international customers, totalling 9.7 million individuals. 

While Mediabank initially blamed a third party contractor and a ‘misconfigured firewall’ for the incident, a federal court case in Australia has revealed that the breach originated from an IT service desk operator at Medibank who stored multiple account credentials on his work computer which provided a gateway for a hacker to illicitly access Medibank’s systems. The hacker exploited this access for nearly two months and managed to extract a substantial amount of personal data, estimated at around 520GB.

The breach was aggravated by the absence of multi-factor authentication on Medibank’s Global Protect VPN, a security loophole that had been previously flagged in reports by KPMG and Datacom in 2020 and 2021. The Office of the Australian Information Commissioner has criticised Medibank for failing to promptly address these known security vulnerabilities. Legal action has been taken against Medibank in response to the breach. Moreover, the government has identified the alleged perpetrator as a Russian citizen named Aleksandr Gennadievich Ermakov and will be imposing sanctions against him under the new autonomous sanctions law. The incident stresses the critical importance of proactive risk mitigation strategies to safeguard sensitive customer information from malicious cyber threats.