Tag Archive for: theft

Systems hack enables data theft, access for 8.9M MCNA Dental patients

The health information tied to 8.9 million patients enrolled in Florida Healthy Kids Corporation (FHKC) and the Florida Agency for Health Care Administration’s Medicaid insurance programs was stolen after a systems hack on MCNA, their dental benefits and services provider.

MCNA Dental works with state Medicaid agencies, Children’s Health Insurance Programs, private entities, and other insurance plans. The notice only refers to FHKC and Florida’s HCA.

With nearly 9 million impacted, the incident is now the largest healthcare data breach reported by a single entity so far this year, followed by Pharmerica (5.2 million patients), Regal Medical Group (3.3 million), Cerebral (3.18 million), and NationsBenefits (3.04 million).

The intrusion was discovered on March 6. A threat actor gained access to the MCNA system and both accessed and exfiltrated copies of data stored in the network for several weeks between Feb. 26 and March 7. The investigation also found certain systems were “infected with malicious code.”

The stolen data varied by individual and included full names, contact details, dates of birth, email addresses, Social Security numbers, driver’s license numbers or other government-issued ID numbers, health insurance plan data, conditions, diagnoses, treatments, and insurance claims. The data was tied to children and their guardians.

Upon discovery, MCNA contacted law enforcement and has been cooperating with their investigation. The benefits manager has since bolstered its systems security.

For FHKC, this is the second vendor-related breach affecting its patients in the last two years. Reported in early 2021, its vendor, Jelly Beans Communications Design, failed to patch multiple website vulnerabilities and enabled a threat actor to access and tamper with patient data for more than seven years. The incident was one of the largest healthcare data breaches in 2021.

Idaho Falls Community Hospital diverting patients after cyberattack

Mountain View Hospital, Idaho Falls Community Hospital, and its partner clinics are working to recover from an ongoing cyberattack in electronic health record downtime procedures, diverting ambulances and canceling some appointments to ensure patient safety.

Medford Radiology…

Source…

Researchers Uncover New Data Theft Capabilities: Predator Android Spyware

Security researchers have detailed the inner workings of the commercial Android spyware called Predator, which is marketed by the Israeli company Intellexa (previously Cytrox).

Predator was first documented by Google’s Threat Analysis Group (TAG) in May 2022 as part of attacks leveraging five different zero-day flaws in the Chrome web browser and Android.

The spyware, which is delivered by means of another loader component called Alien, is equipped to record audio from phone calls and VoIP-based apps as well as gather contacts and messages, including from Signal, WhatsApp, and Telegram.

Its other functionalities allow it to hide applications and prevent applications from being executed upon rebooting the handset.

“A deep dive into both spyware components indicates that Alien is more than just a loader for Predator and actively sets up the low-level capabilities needed for Predator to spy on its victims,” Cisco Talos said in a technical report.

Spyware like Predator and NSO Group’s Pegasus are carefully delivered as part of highly-targeted attacks by weaponizing what are called zero-click exploit chains that typically require no interaction from the victims and allow for code execution and privilege escalation.

“Predator is an interesting piece of mercenary spyware that has been around since at least 2019, designed to be flexible so that new Python-based modules can be delivered without the need for repeated exploitation, thus making it especially versatile and dangerous,” Talos explained.

Both Predator and Alien are designed to get around security guardrails in Android, with the latter loaded into a core Android process called Zygote to download and launch other spyware modules, including Predator, from an external server.

It’s currently not clear how Alien is activated on an infected device in the first place. However, it’s suspected to be loaded from shellcode that’s executed by taking advantage of initial-stage exploits.

“Alien is not just a loader but also an executor — its multiple threads will keep reading commands coming from Predator and executing them, providing the spyware with the means to bypass some of the Android framework security features,” the company…

Source…

Industrial Giant ABB Confirms Ransomware Attack, Data Theft

Swiss industrial giant ABB confirmed this week that it was recently targeted in a ransomware attack and that the cybercriminals exfiltrated some data.

The company has issued a press release and an FAQ describing the incident, with many details — including indicators of compromise (IoCs) — being withheld due to the ongoing law enforcement investigation. 

“ABB has determined that an unauthorized third-party accessed certain ABB systems, deployed a type of ransomware that is not self-propagating, and exfiltrated certain data,” ABB said. “The company is working to identify and analyze the nature and scope of affected data and is further assessing its notification obligations.” 

The malware was allegedly only deployed on a ‘limited number’ of servers and endpoints. The malware was distributed via manual intervention and it could not automatically spread through emails or on the local network, ABB said.

“All of ABB’s key services and systems are up and running, all factories are operating, and the company continues to serve its customers. The company also continues to restore any remaining impacted services and systems and is further enhancing the security of its systems,” the company noted.

In private notifications sent to customers, ABB said its forensic investigation found no evidence of customer systems being directly impacted. In addition, there is no indication that it’s unsafe to connect to ABB systems. 

Bleeping Computer was the first to report that ABB was targeted by the Black Basta ransomware group. Kevin Beaumont, a reputable cybersecurity researcher, has independently confirmed it.

Beaumont said on Friday that the company has paid the ransom, which would explain why it has not been named on Black Basta’s leak website. 

SecurityWeek reached out to ABB for comment on these claims, but the company said it’s not commenting beyond the information in its press release. 

ABB provides electrification and automation solutions in many countries around the world. The company has more than 100,000 employees. 

Related: Ransomware Gang Leaks Files Stolen From Industrial Giant Parker Hannifin

Source…