Hello and welcome to the April NewsScam.
The most impactful story continues to be the massive hack suffered by US healthcare leader Change Healthcare. Not only is the cost approaching one billion, the attackers were paid $22 million, and now many, many Americans have likely had their data pilfered. It’s an ugly situation but the company is making good progress restoring systems and processes prior to the attack back in February.
In other healthcare related attacks, a French hospital serving Cannes has seen its service greatly disrupted.
Also this month, another US water facility was attacked and like another incident that took place in January, this new event also appears to be state-sponsored.
The UN reported a data leak of one of its departments which ended up enabling attackers to get away with human resource and procurement information.
Also, some lights in the UK city of Leicester won’t turn off due to a recent attack.
But on a positive note, an international collaboration – 19 countries in fact – took part in a successful takedown this month of a major phishing operation. As a result, a top phishing-as-a-service platform is out of comission. The service had deployed at least 40,000 fraudulent sites – with hundreds of thousands of victims impacted globally.
Read on to learn all about April’s most impactful cybersecurity events.
The Ongoing Saga of the Change Healthcare Attack
The colossal ransomware attack on Change Healthcare in February – now linked to a lack of Multifactor Authentication - has cost its owner UnitedHealth at least $872 million, and the cost will likely continue to rise as it repairs the damage. It’s also been widely reported the company paid the attackers $22 million to BlackCat/ALPHV, and now the company has revealed that “a substantial proportion of people in America” could have had their protected health information (PHI) or personally identifiable information (PII) exposed. This is on top of the fact that the data has now been leaked by another threat group, RansomHub, on Tor/the dark web. However, it’s not all bad, as the company has made lots of progress in the last several weeks. This page from Change Healthcare explains how pharmacy services have been returned to near-normal levels, the amount of medical claims are now flowing at near-normal pace and the rate of payment processing is also increasing, now at the point of 86% of pre—attack.
New Attack on US Wastewater Treatment Plant Appears to be State Sponsored
Russian hackers say they are behind a cybersecurity attack on a wastewater treatment plant in Tipton, Indiana. The attack has been acknowledged by Tipton Municipal Utilities, but fortunately it says the water supply was never compromised. Utility General Manager Jim Ankrum said the Tipton West Wastewater Treatment Plant attack occurred the night of Friday, April 19, but the incident only caused minimal disruption to the operation of the plant. This incident comes on the heels of a report from security firm Mandiant, which says there is strong evidence - but not 100 percent proof - that a January cyberattack on a water facility in Mulesshoe, Texas was conducted by Sandworm, a top Russian state sponsored threat group.
According to U.S. News, the attack impacted one of three small towns in the Texas Panhandle. “There were 37,000 attempts in four days to log into our firewall,” said Mike Cypert, city manager of Hale Center, which is home to about 2,000 residents. The attempted hack failed as the city “unplugged” the system and operated it manually, he added. Sandworm also goes by the names BlackEnergy, Seashell Blizzard, Voodoo Bear and has been active since at least 2009. The group is also believed to be connected with a Telegram account called CyberArmyofRussia_Reborn, which posted a video allegedly showing that hackers were able to manipulate settings on the Texas facility’s human-machine interface. Mandiant has not been able to verify the hack or its connection to Sandworm, but since CyberArmyofRussia_Reborn posted the video of the attack, it could be true that Sandworm is indeed responsible. Increasing concern about the risks nation-state actors pose to U.S. critical infrastructure are fueling government departments such as the Environmental Protection Agency (EPA) to propose a new task force to strengthen security measures for the nation’s water treatment facilities.
Phishing Platform is Taken Down After Impacting “Hundreds of Thousands” Worldwide
On April 18, law enforcement authorities from 19 countries were successful in taking down Phishing-as-a-service Platform (PhaaP) LabHost. Following a year-long operation coordinated at the international level by Europol, between April 14-17, seventy locations were searched across the world by participating authorities. The effort resulted in the arrest of 37 suspects, including four individuals in the United Kingdom suspected of running the site, and possibly the individual who developed LabHost. For a monthly subscription of about $249, HelpNetSecurity says the phishing platform provided phishing kits, infrastructure for hosting pages, interactive functionality for directly engaging with victims, and campaign overview services. According to Trend Micro, LabHost (also known as LabRat), emerged in late 2021, offering “dozens of phishing pages targeting banks, high-profile organizations, and other service providers located around the world.” Trend Micro estimates that at the time of the takedown, LabHost likely had a customer base of at least 2,000 users worldwide who used the service to deploy at least 40,000 fraudulent sites – with hundreds of thousands of victims impacted globally.
Cyber-Attack on French Hospital Halts Some Medical Procedures, Forces Staff to Resort to Pen and Paper
On April 16, a hospital in Cannes, France announced it was the victim of a significant cyber-attack. The Hospital Simone Veil (CHC-SV) says the incident severely impacted its operations, forcing it to limit emergency medical procedures, while non-urgent procedures were cancelled. Some procedures were performed, but only if they were not dependent on computer systems, since all of them were taken offline. The hospital has been relying on telephones for communications and staff are forced to use pen and paper. Hospital Simone Veil is considered to be an important medical establishment in France, particularly in the region of Cannes as it offers a broad range of medical specialties, normally handling 150,000 outpatient and 50,000 emergency room visits annually. As of this writing the hospital still has not received a demand for ransom and it’s also unclear who is responsible for the attack.
Cybercriminals Leave the Lights on in Leicester 24/7
It wouldn’t surprise anyone if a cybercrime group decided to flip off the switch to power to leave people in the dark. But the BBC is reporting the opposite scenario: a cyber-attack on a city council which has left a number of street lights lit day and night. The Leicester City Council says a March 7 breach was "highly sophisticated" the effects of which include street lights staying on round-the-clock. A city council spokesperson tells the BBC its aware of the problem and “due to a technical issue connected to the recent cyber-attack, when we were forced to shut down our IT systems.” The spokesperson added that"It means we are currently not able to remotely identify faults in the street lighting system.” The Council is working through the issue to ensure “roads are not left completely unlit” or ”become a safety concern.” As to whom is responsible for the incident is not yet clear, but it appears to a group that is well-known.
Data Swiped from the United Nations
In mid-April the United Nations reported that a large volume of data was stolen on March 2. The UN’s Development Programme (UNDP) said that data related to staffers and other internal operations was stolen and posted to an un-named ransomware website. In a statement issued on X (formerly Twitter), the UNDP said, “local IT infrastructure in UN City, Copenhagen, was targeted,” and that a “data extortion actor had stolen data which included certain human resources and procurement information.” The exact details of the information stolen has not been released, but an article in CyberScoop reported that attackers were able to “access a number of servers” and steal “a large volume of data.” It is also now believed that the cybercrime group “8Base” is responsible for the attack.
But Wait There’s More
Cisco urges immediate software upgrade after state-sponsored attack – CSO Online
US Congress Passes Bill to Ban TikTok – Infosecurity
Roku activates 2FA for 80M users after breach of 576K accounts - SC Media
Ransomware Group Claims Theft of Data From Chipmaker Nexperia - SecurityWeek
Cyberattack on UK’s CVS Group disrupts veterinary operations – Bleeping Computer
NY governor says cyberattack on legislative office is holding up state budget – The Record
Fake Lawsuit Threat Exposes Privnote Phishing Sites – Krebs on Security