More stories

  • Healthcare orgs in California, Arizona send out breach letters for nearly 150 000 after SSNs accessed during ransomware attacks

    Two healthcare organizations have begun sending out breach notification letters to thousands of people in California and Arizona after both revealed that sensitive information — including Social Security numbers, treatment information and diagnosis data — was accessed during recent cyberattacks.

    LifeLong Medical Care, a California health center, is sending letters to about 115 000 people about a ransomware attack that took place on November 24, 2020. The letter does not say which ransomware group was involved but said Netgain, a third-party vendor that provides services to LifeLong Medical Care, “discovered anomalous network activity” and only determined it was a ransomware attack by February 25, 2021. It took until August 9, 2021, for Netgain and LifeLong Medical Care to complete their investigation, and the companies eventually found that full names, Social Security numbers, dates of birth, patient cardholder numbers, and treatment and diagnosis information were “accessed and/or acquired” during the attacks.

    LifeLong Medical Care urged those affected to enroll in credit monitoring services, place fraud alerts or security freezes on credit files, obtain credit reports and “remain vigilant” when it comes to “financial account statements, credit reports and explanation of benefits statements for fraudulent or irregular activity.” A toll-free response line at (855) 851-1278 has been created for anyone with questions.

    Arizona-based Desert Wells Family Medicine was forced to send out a similar letter to 35 000 patients after it too was hit by a ransomware attack that exposed sensitive patient information.

    Desert Wells Family Medicine discovered it was suffering from a ransomware incident on May 21 and immediately hired an incident response team to help with recovery. Law enforcement was also notified of the attack. Still, the healthcare facility found that the ransomware group “corrupted the data and patient electronic health records in Desert Wells’ possession prior to May 21.” The data held by the healthcare facility and its backups were unrecoverable after the threat actors accessed them.

    “This information in the involved patient electronic health records may have included patients’ names in combination with their address, date of birth, Social Security number, driver’s license number, patient account number, billing account number, health insurance plan member ID, medical record number, dates of service, provider names, and medical and clinical treatment information,” Desert Wells Family Medicine said in its letter. The organization said it is still in the process of rebuilding its patient electronic health record system and said it would also offer victims “complimentary credit monitoring and identity theft protection services.”

    “Patients also are encouraged to review statements from their healthcare providers or health insurers and contact them immediately if they see any medical services they did not receive,” the letter added.

    Ransomware groups have shown no signs of slowing down in their attacks on healthcare facilities during the COVID-19 pandemic. With the Delta variant of the virus causing hospitals to fill up with patients, ransomware actors have stepped up their attacks, knowing that the urgency of the situation will force hospitals to pay ransoms. Sascha Fahrbach, cybersecurity evangelist at Fudo Security, said these latest attacks show that the healthcare industry, with its valuable personal information, continues to be a tempting and lucrative target for hackers and insiders.

    “There were more than 600 healthcare data breaches last year, with more than 22 million people affected, and unfortunately, this trend shows no sign of slowing down. Healthcare operators need to reassess their security posture, as well as shifting their mindset when it comes to safeguarding their data,” Fahrbach said. “In particular, third parties remain a security liability which needs to be urgently addressed. Many in the healthcare industry are not taking the proper steps to mitigate third-party remote access and third-party vendor risk.”

    The FBI released an alert about the Hive ransomware two weeks ago after the group took down a hospital system in Ohio and West Virginia last month, noting that they typically corrupt backups as well. Hive has so far attacked at least 28 organizations, including Memorial Health System, which was hit with a ransomware attack on August 15.

    “Unfortunately, many health care organizations are confronting the impacts of an evolving cyber threat landscape,” Memorial Health System CEO Scott Cantley said.

  • HAProxy urges users to update after HTTP request smuggling vulnerability found

    Users of HAProxy 2.0 and earlier versions are being urged to push through updates after a vulnerability was found that could allow “an attacker to bypass the check for a duplicate HTTP Content-Length header, permitting a request smuggling attack or a response-splitting attack.”

    “Our analysis confirmed that the duplication is achieved by making use of the memory layout of HAProxy’s internal representation of an HTTP message to slip a select character from the header’s name to its value,” HAProxy explained in a blog. “Due to the difficulty in executing such an attack, the risk is low.”

    HAProxy provided a list of affected versions and fixed versions while also providing a workaround for those who are not able to update right away. The vulnerability was announced earlier this week by researchers with JFrog, who released a report on the problem.

    JFrog researchers Ori Hollander and Or Peles wrote that CVE-2021-40346 is an integer overflow vulnerability that makes it possible to conduct an HTTP request smuggling attack, explaining that it has a CVSSv3 score of 8.6. “This attack allows an adversary to ‘smuggle’ HTTP requests to the backend server, without the proxy server being aware of it,” the researchers said, commending HAProxy CTO Willy Tarreau and their security team for “promptly and professionally handling this issue.”

    Tarreau released his own note on the issue, thanking JFrog for their work. “Quite honestly they’ve done an excellent job at spotting this one because it’s not every day that you manage to turn a single-bit overflow into an extra request, and figuring this required to dig deeply into the layers,” Tarreau said.

    Vulcan Cyber CEO Yaniv Bar-Dayan said the HAProxy load balancing software is “one of the most commonly used components of our digital age,” calling it “plumbing used to build the infrastructure behind the Web.” Bar-Dayan explained that it is distributed with Linux operating systems and by cloud service providers, and is used in production by some of the largest web services and applications in the world.

    “This vulnerability has the potential to have a widespread impact, but fortunately there are plenty of ways to mitigate risk posed by this HAProxy vulnerability, and many users most likely have already taken the necessary steps to protect themselves,” Bar-Dayan told ZDNet. “CVE-2021-40346 is mitigated if HAProxy has been updated to one of the latest four versions of the software. Like with most vulnerabilities, CVE-2021-40346 can’t be exploited without severe user negligence. The HAProxy team has been responsible in their handling of the bug. Most likely the institutional cloud and application services that use HAProxy in their stack have either applied upgrades or made the requisite configuration changes by now. Now it is up to all HAProxy users to run an effective vulnerability remediation program to protect their businesses from this very real threat.”

    Michael Isbitski, technical evangelist at Salt Security, added that HAProxy is a multi-purpose, software-based infrastructure component that can fulfill a number of networking functions including load balancer, delivery controller, SSL/TLS termination, web server, proxy server and API mediator. “It’s a popular free open source choice along with F5 NGINX. HAProxy deployments are prominent in many organizational networks and the collective Internet,” Isbitski said. “Depending how a given HAProxy instance is deployed, potential risks include user session hijacking, authorization bypass, sensitive data exposure, unauthorized command execution and unauthorized data modification.”

    Other experts, like NTT Application Security vice president Setu Kulkarni, noted that HAProxy has over 500 million downloads from Docker Hub, and that for an adversary, targeting such widely used, open-source critical components is a lucrative option. “With access to code, they can now pretty much run static application security tests to determine weaknesses and once they’ve found a potential vulnerability to exploit, they can execute large scale attacks. In the case of HAProxy, the key is to upgrade to the latest version of the software package where the vulnerability has been fixed — the burden of this task has to be shared equally by DevOps, SecOps and RunOps teams to ensure that the system continues to remain operational as a critical component as HAProxy is being upgraded,” Kulkarni said.
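    The check that this bug bypassed, rejecting a message with more than one Content-Length header, is the kind of framing validation every reverse proxy must perform before it forwards a request. The following is an added example, not HAProxy’s or JFrog’s code: a strict HTTP/1.1 header-framing validator run over constructed sample messages (the hostnames and bytes are made up for the demonstration). It refuses a message that carries more than one Content-Length header in any letter case, one that carries both Content-Length and Transfer-Encoding, one whose Content-Length is not a decimal number, and one whose header name contains characters outside the RFC 7230 token set or is not followed directly by the colon, since the bug above relied on a character slipping across the name/value boundary. Rejecting identical duplicate Content-Length values is stricter than the RFC requires and is a deliberate choice here.

```python
import re
from typing import List, Tuple

# Constructed sample messages for the demonstration (not captured traffic).
CLEAN_REQUEST = (
    b"POST /api/submit HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)

# Two Content-Length headers differing only in case: a proxy and a backend
# that honour different ones disagree about where this request ends.
DUPLICATE_CL_REQUEST = (
    b"POST /api/submit HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 5\r\n"
    b"content-length: 11\r\n"
    b"\r\n"
    b"hello world"
)

# Content-Length alongside Transfer-Encoding: RFC 7230 section 3.3.3 says this
# ought to be handled as an error, which is the safe choice at a proxy.
TE_AND_CL_REQUEST = (
    b"POST /api/submit HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 5\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)

# A header name must be an RFC 7230 token and the colon must follow it directly;
# optional whitespace around the value is trimmed.
HEADER_LINE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")


def parse_head(raw: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]]]:
    """Split a raw HTTP/1.1 message head into (request line, [(name, value)]).

    Header names are lower-cased so that case variants of one field compare
    equal. Any line that is not a well-formed token ':' value raises ValueError.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message head")
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers = []
    for line in header_lines:
        match = HEADER_LINE.match(line)
        if match is None:
            raise ValueError("malformed header line: %r" % line)
        headers.append((match.group(1).lower(), match.group(2)))
    return request_line, headers


def framing_verdict(raw: bytes) -> str:
    """Return 'ok' if the message framing is unambiguous, else a reject reason."""
    try:
        _, headers = parse_head(raw)
    except ValueError:
        return "reject: malformed header"
    content_lengths = [v for n, v in headers if n == b"content-length"]
    transfer_encodings = [v for n, v in headers if n == b"transfer-encoding"]
    if len(content_lengths) > 1:
        # Unconditional: even identical duplicates are refused rather than merged.
        return "reject: duplicate Content-Length"
    if content_lengths and transfer_encodings:
        return "reject: Content-Length with Transfer-Encoding"
    if content_lengths and not re.fullmatch(rb"[0-9]+", content_lengths[0]):
        return "reject: non-numeric Content-Length"
    return "ok"


if __name__ == "__main__":
    for label, message in (("clean", CLEAN_REQUEST),
                           ("duplicate CL", DUPLICATE_CL_REQUEST),
                           ("TE + CL", TE_AND_CL_REQUEST)):
        print(f"{label:13s} -> {framing_verdict(message)}")
```

    The point of lower-casing names before counting is that a duplicate check keyed on the exact bytes of the header name is easy to slip past; the point of the strict token regex is that a name which has absorbed a stray character is refused outright instead of being parsed as a different, unrecognised header.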

  • Google debuts new Private Compute features in ramp up of Android security

    Google has introduced new features to Android’s Private Compute Core, a secure environment currently in the beta stages of development.

    On Thursday, Suzanne Frey, VP, Product, Android & Play Security and Privacy, said in a blog post that the new suite will “provide a privacy-preserving bridge between Private Compute Core and the cloud.” Currently in Android 12 Beta, Private Compute Core is an open source platform that aims to isolate itself from other apps and the main operating system on an Android device to improve privacy and security.

    The new features are:

      • Live Caption: Captions added to media using on-device speech recognition
      • Now Playing: Machine learning (ML) algorithms able to recognize music playing nearby
      • Smart Reply: Suggests relevant responses based on the messaging and active conversations

    While these features, in themselves, aren’t privacy-based, Google says that new functionality will be implemented with each Android release — and each one brings the sandboxed Android area closer to completion.

    Each feature relies on ML, and to keep the data they gather private and secure — including speech records, environmental noise detection and the context of conversations, should users enable it — that data will be processed in the Private Compute Core and will not be shared with other apps unless expressly permitted by the handset owner.

    Frey added that the core will “let your device use the cloud (to download new song catalogs or speech-recognition models [for example]) without compromising your privacy.”

    Google intends to publish the source code of Private Compute Services to allow third-party researchers the opportunity to perform audits. “We’re enthusiastic about the potential for machine learning to power more helpful features inside Android, and Android’s Private Compute Core will help users benefit from these features while strengthening privacy protections via the new Private Compute Services,” Frey commented.

    Google outlined plans to improve Android security in February. A particular focus for the tech giant is to tackle memory problems — such as corruption and buffer overflows — as over half of vulnerabilities impacting the operating system are related to this area. In addition, media, Bluetooth, and NFC are also on the radar for hardening. The firm is encouraging developers to take advantage of programming languages including Java and Rust, and Google is also working on ways to improve the security of C and C++ applications.

  • Leica's new flying robot laser scanner

    Leica Geosystems has two new autonomous hardware products that are pushing robots to bold new places. Announced recently are a flying UAV laser scanning sensor and a reality capture product for robots, including SPOT from Boston Dynamics.

    The flying sensor is called BLK2FLY, and Leica Geosystems, which is a brand of global information systems company Hexagon AB, calls it the world’s first autonomous UAV laser scanning sensor. The user sets up a flight path, taps a tablet, and it flies off to accurately scan and capture the dimensions of an area or building. It’s best for inaccessible or hard-to-reach areas, such as facades or rooftops, or to document site conditions after a disaster.

    High-fidelity reality capture is critical for a number of industries, including pipeline and infrastructure inspection and construction. Drones and robots are already proving critical tools for inspection. The big difference is that UAVs take a top-down approach to scanning, whereas the scanning laser is designed to capture details with millimeter-level accuracy from multiple angles, resulting in a high-fidelity representation. Weighing under 6 pounds, the UAV knows how to avoid obstacles and automatically redirects its flight path.

    The second product is called BLK ARC, and it’s essentially an add-on laser sensor for robotic platforms. According to a spokesperson: “picture Boston Dynamics’ SPOT dog with an autonomous reality capture product for a head.” Pairing the sensor with an autonomous platform like SPOT, a user is able to get visibility into dangerous or hard-to-reach places like waterfalls, coal mines, power plants, bridges, movie location sets, or crime scenes. Once the robot is in, the sensing system delivers accurate scans of the area. Built as a platform-agnostic sensor, the BLK ARC will work with other robotics carriers as well.

    “The BLK2FLY and BLK ARC illustrate Hexagon’s commitment to empowering an autonomous future with smart digital realities. The purposefully integrated sensor-software systems are tailored to bring autonomous agility and speed to any reality capture workflow,” says Hexagon President and CEO Ola Rollén. “The robots, sensors, and software work together, dynamically adjusting reality capture missions to offer seemingly limitless business applications – from as-built site documentation for buildings to monitoring and situational awareness of remote or hazardous environments, such as mines, factory floors, off-shore facilities, fire investigations and more.”

    The increasing fidelity and shrinking form factor of sensors are helping drive a robotic revolution in a number of industries, particularly those with dangerous working conditions, such as mining and sectors that rely on remote infrastructure. Robotics and UAV providers are rushing to capitalize on increasing demand for critical inspection tools, particularly as infrastructure comes into the spotlight thanks to new federal attention.

    By some estimates, the inspection robotics market is set to grow by $3.72 billion from 2020-2024, a CAGR of almost 19%.

  • IT leaders facing backlash from remote workers over cybersecurity measures: HP study

    A new study from HP has highlighted the precarious — and often contentious — situations IT teams are facing when trying to improve cybersecurity for remote workers. The new Rebellions & Rejections report from HP Wolf Security surveyed 1100 IT decision-makers and also gleaned insights from a YouGov online survey of 8443 office workers who now work from home.

    The study found that IT workers often feel like they have no choice but to compromise cybersecurity in order to appease workers who complain about how certain measures slow down business processes. Some remote workers — particularly those aged 24 and younger — outright reject cybersecurity measures they believe “get in the way” of their deadlines.

    More than 75% of IT teams said cybersecurity took a “backseat to business continuity during the pandemic,” and 91% reported feeling pressured into compromising security for business practices. Nearly half of all office workers under the age of 24 said cybersecurity tools were “a hindrance”, and 31% admitted to outright bypassing certain corporate security policies to get work done. Unfortunately, almost half of the office workers of all ages believe cybersecurity measures waste their time, and the figure increases to 64% among those under the age of 24. The survey found that 54% of 18-24-year-olds cared more about their deadlines than causing a data breach.

    Researchers found that 39% of respondents did not fully know what their organization’s security policies are, causing 83% of all IT workers surveyed to call remote work a “ticking time bomb” for data breaches.

    Ian Pratt, global head of security for personal systems at HP, said the fact that workers are actively circumventing security should be a worry for any CISO.

    “This is how breaches can be born,” Pratt said. “If security is too cumbersome and weighs people down, then people will find a way around it. Instead, security should fit as much as possible into existing working patterns and flows with unobtrusive, secure-by-design and user-intuitive technology. Ultimately, we need to make it as easy to work securely as it is to work insecurely, and we can do this by building security into systems from the ground up.”

    IT leaders have had to take certain measures to deal with recalcitrant remote workers, including updating security policies and restricting access to certain websites and applications. But these practices are causing resentment among workers, 37% of whom say the policies are “often too restrictive.” The survey of IT leaders found that 90% have received pushback because of security controls, and 67% said they get weekly complaints about it.

    More than 80% of IT workers said, “trying to set and enforce corporate policies around cybersecurity is impossible now that the lines between personal and professional lives are so blurred”, and the same number of respondents said security had become a “thankless task.” Nearly 70% said they were viewed as “the bad guys” because of the restrictions they impose to protect workers.

    “CISOs are dealing with increasing volume, velocity and severity of attacks. Their teams are having to work around the clock to keep the business safe while facilitating mass digital transformation with reduced visibility,” said Joanna Burkey, HP’s CISO. “Cybersecurity teams should no longer be burdened with the weight of securing the business solely on their shoulders; cybersecurity is an end-to-end discipline in which everyone needs to engage.”

    Burkey added that IT teams need to engage and educate employees on the growing cybersecurity risks while understanding how security impacts workflows and productivity.

    Cybersecurity experts like YouAttest CEO Garret Grajek said every new access method, user pool and technology adds attack vectors and vulnerabilities for hackers. “We just saw that even the best WFH plans might be vulnerable w/ over 500k of Fortinet VPN users being exposed,” Grajek noted. “As with the other attack vectors, enterprises have to assume they will be breached and then ensure that rogue users’ access and actions are mitigated or limited.”

  • US military reservist lands himself prison sentence for operating romance scams

    A former US Army reservist has been charged and sent behind bars for scams that targeted the lonely, the elderly, and businesses. 

    US prosecutors said this week that Joseph Iorhemba Asan Jr. will spend 46 months — or over three-and-a-half years — in prison for conducting both romance and Business Email Compromise (BEC) scams. According to the US Department of Justice (DoJ), from around February 2018 until October 2019, the former serviceman worked with a co-conspirator, named as Charles Ifeanyi Ogozy — another member of the US Army Reserves — to commit fraud “against dozens of victims across the United States, defrauded banks, and laundered millions of dollars in fraud proceeds to co-conspirators based in Nigeria.”

    The 24-year-old, based in Daytona Beach, Florida, worked with Ogozy to operate romance scams that focused on older men and women. Fake profiles were used to rope in these victims, who believed they were genuinely talking to love interests — and once trust was established, the requests for money began.

    BEC scams were also being conducted by the pair. These forms of attack are usually based on phishing and social engineering, and they target businesses with fake correspondence requesting payment for invoices and services. The more sophisticated BEC groups may also compromise email communication streams between employees and tamper with bank details used to pay supplier invoices, directing funds, instead, to accounts they control. “Notably, one of the victims of the defendants’ business email compromise scheme included a US Marine Corps veteran’s organization,” prosecutors say.

    Money fraudulently obtained through these schemes was sent to bank accounts controlled by Asan, Ogozy, and other criminal participants. At least 10 accounts were set up in eight banks, all of which were in the names of non-existent businesses including Uxbridge Capital LLC and Renegade Logistics LLC.

    In total, the DoJ says the scam artists transferred and received at least $1.8 million, a large proportion of which was withdrawn in cash and cannot be traced. Asan was arrested on October 31, 2019. He pled guilty to charges of conspiracy to commit bank fraud and wire fraud on December 23, 2020. After serving his prison sentence, Asan must also submit to three years of supervised release. There is a financial penalty, too: the scam artist has been ordered to forfeit $184,723 to the United States government and must pay his victims damages of $1,792,015.

    “Among the many victims of the internet scams facilitated by Joseph Asan were elderly women and men who were callously fooled into believing they were engaging online with potential romantic interests,” commented US Attorney Audrey Strauss. “[…] Asan’s crimes have indeed led to his own reversal of his fortune, as this former defender of this country now becomes a federal prisoner.”

    In July, Houston, Texas resident Akhabue “David Harrison” Ehis Onoimoimilin was issued a prison sentence of over seven years and was ordered to pay over $865,000 for conducting both romance and BEC scams. Onoimoimilin netted over $2.2 million by scamming his targets. The US Federal Trade Commission (FTC) estimates that in 2020, romance scams cost the average victim $2,500, with the overall loss of reported cases alone reaching $304 million in the United States.

  • Ukrainian man extradited to the US to face botnet, data theft charges

    A Ukrainian man was arrested in Poland and extradited to the US to face charges as an alleged botnet operator. 

    The US Department of Justice (DoJ) said this week that Glib Oleksandr Ivanov-Tolpintsev was taken into custody in Korczowa, Poland, on October 3 last year. As the US and Poland have an extradition treaty, the 28-year-old was then sent to the US to face charges that could land him up to 17 years in federal prison, if found guilty.

    Originally from Chernivtsi, Ukraine, Ivanov-Tolpintsev is suspected of being the operator of a botnet that was able to enslave devices infected with malware and automatically perform brute-force attacks against other internet-facing systems. If there is no protection in place to stop these attacks from occurring, brute-force attacks will try out username and password combinations in the hope of finding the right key. Once obtained, these login details can be used to access the target system — or, as in Ivanov-Tolpintsev’s case — can be sold on to other cyberattackers.

    According to the indictment, Ivanov-Tolpintsev, also known as “Sergios” and “Mars” online, was using an e-commerce front called “The Marketplace” to sell on the information stolen by his botnet. The alleged botnet operator claimed that his creation was capable of stealing up to 2,000 sets of credentials each week.

    Cyberscoop reports that investigators were able to track him down with the help of an email address used by the suspect to purchase vape products. The receipt contained within listed his home address and linked him to a phone number and passport. Prosecutors were also able to find other email addresses and a Gmail account connected to online retailers and his conversations with individuals on the dark web.

    Two other co-conspirators, allegedly the operators of The Marketplace, have also been charged but are yet to be named. Ivanov-Tolpintsev was presented to US Magistrate Julie Sneed on September 7 and has been detained ahead of his trial date.

    He faces charges of conspiracy, trafficking in unauthorized access devices, and trafficking in computer passwords, according to the DoJ. Alongside a potentially hefty prison sentence, if found guilty, US prosecutors also intend to pursue forfeiture of $82,648, the amount that could be traced as allegedly linked to the sale of data stolen by the suspect.

  • MyRepublic customers compromised in third-party data breach

    MyRepublic says almost 80,000 of its mobile subscribers in Singapore have had their personal data compromised, following a security breach on a third-party data storage platform. The affected system had contained identity verification documents needed for mobile services registration, including scanned copies of national identity cards and residential addresses of foreign residents.

    The “unauthorised data access” incident was uncovered on August 29 and the relevant authorities had been informed of the breach, said MyRepublic in a statement Friday. It pointed to industry regulator Infocomm Media Development Authority (IMDA) and the Personal Data Protection Commission, which oversees the country’s Personal Data Protection Act (PDPA).

    MyRepublic said personal data of its mobile customers were stored on the affected system, adding that the “unauthorised access to the data storage facility” had since been plugged. The incident had been “contained”, it said. Asked how long it had used the third party’s data storage service and whether it was a cloud-based service, MyRepublic told ZDNet it was unable to share these details, citing confidentiality. It also declined to say “for security reasons” if it was the only customer affected by the breach at the data storage facility.

    Asked when it last assessed security measures implemented by the data storage vendor, MyRepublic did not specify a date, saying only that it “regularly” reviewed such measures for both its internal and external systems, including that of the third-party vendor implicated in the breach.  MyRepublic also declined to reveal further details about how the data breach was discovered, saying only that it was informed of the incident by “an unknown external party” on August 29. It reiterated that the data storage facility since had been secured.  It said it was contacting all mobile customers via email about the breach, but did not confirm when this would be completed. 

    In its statement, MyRepublic noted that an incident response team had been activated, which included external advisers from KPMG in Singapore, and would work with the broadband operator’s internal IT and network personnel to resolve the incident. Its own investigations determined that the unauthorised data access affected 79,388 of its mobile subscribers in Singapore. Apart from details of local customers’ national identity cards, information from documents required to verify foreign workers’ residential address, such as copies of utility bills, also were affected. The names and mobile numbers of customers porting an existing mobile service also were compromised.

    MyRepublic said there were no indications other personal data, such as payment details, were affected. It added that none of its systems were compromised. It said affected customers would be offered a complimentary credit monitoring service, provided by Credit Bureau Singapore, which would monitor customers’ credit reports and send out alerts of suspicious activities.

    MyRepublic CEO Malcolm Rodrigues said in the statement: “My team and I have worked closely with the relevant authorities and expert advisors to secure and contain the incident, and we will continue to support our affected customers every step of the way to help them navigate this issue.

    “While there is no evidence that any personal data has been misused, as a precautionary measure, we are contacting customers who may be affected to keep them informed and provide them with any support necessary,” Rodrigues said. “We are also reviewing all our systems and processes, both internal and external, to ensure an incident like this does not occur again.”

    In a recent interview with ZDNet, MyRepublic said it was looking for new revenue in Singapore’s enterprise space, and planned to ramp up its service offerings with particular focus on cybersecurity, where it might look to make acquisitions to plug product gaps.