At a glance.
- The FBI intercepts a cyberattack against an American hospital.
- The Mexican bank calls the hacker’s bluff and loses.
- MailChimp data breach impacts DigitalOcean customers.
The FBI intercepts a cyberattack against an American hospital.
Becker's Hospital Review reports that the US Federal Bureau of Investigation (FBI) prevented an attempted cyberattack on Butler County Health Care Center, a hospital in the US state of Nebraska. FBI agents were acting on a tip from Irish investigators, who said that six different co-ops under their jurisdiction, including the healthcare provider in question, had been targeted by threat actors. Once informed of the threat, the hospital's IT manager identified and secured the compromised server before any patient data was exposed. The attackers have not yet been identified.
The Mexican bank calls the hacker’s bluff and loses.
Grupo Financiero Banorte, Mexico's second-largest bank, found out the hard way that cease-and-desist letters don't necessarily work when it comes to cybercriminals. Earlier this month, Singapore-based cybersecurity firm Group-IB sent a letter to the hacker forum Breached on behalf of the bank, claiming that an auction on the site for a database allegedly containing the stolen data of 10 million bank customers had been fabricated and should be taken down. "The Group-IB team discovered a resource containing a fraudulent publication offering to purchase the leaked databases of Grupo Financiero Banorte," the letter states. "We ask you to delete this message containing Banorte data." The administrator of Breached, the infamous hacker Pompompurin, not only refused to cancel the auction, but also bought the database himself and made it available to all forum users. Pompompurin wrote, "Be sure to tell Banorte that they now have to worry about data leaking instead of just being sold."
KrebsOnSecurity explains that the hacker who originally put the database up for sale, Holistic-K1ller, made a name for himself over the past two years selling data stolen from Mexican institutions such as the Telcel phone company and the Yotepresto lending platform on the forum (and its predecessor, RaidForums). When asked why Group-IB felt that a cease-and-desist letter was the best course of action, CEO Dmitriy Volkov said: "It is not common practice to send takedown notices to such forums demanding that such content be removed. But these abuse letters are legally binding, helping to lay the groundwork for further action by law enforcement. Actions contrary to international rules in the regulated space of the Internet only lead to more serious crimes, which, as we know from the RaidForums case, are successfully investigated and stopped by law enforcement."
MailChimp data breach impacts DigitalOcean customers.
Cloud infrastructure provider DigitalOcean has released a statement confirming that some of its customers were affected by the recent security incident at Mailchimp, a leading US email marketing platform. Mailchimp revealed earlier this month that it had suffered a cyberattack targeting its crypto-related customers. The email marketing company told BleepingComputer that the attackers used phishing and social engineering to gain access to more than two hundred Mailchimp accounts. "We recently encountered a security incident in which unauthorized actors targeted Mailchimp's crypto-related users using sophisticated phishing and social engineering tactics. Based on our investigation to date, it appears that 214 Mailchimp accounts were affected by the incident," Mailchimp said.
DigitalOcean explains that it discovered earlier this month that its Mailchimp account had been compromised. It determined that some DigitalOcean customer email addresses may have been exposed, and that the attackers had then attempted to compromise the accounts of a small number of DigitalOcean customers through password resets. The company adds that an email address on the domain @arxxwalls.com, which has been used in numerous scams in the past, had been added as an authorized sender on its Mailchimp account. DigitalOcean customers are advised to enable multi-factor authentication on their accounts if they have not already done so, since MFA appears to have protected a number of accounts from being compromised: a password reset delivered to a hijacked mailbox is useless to an attacker who cannot also satisfy the second factor.
We have received a number of comments from industry experts on the incident. Michael Oglesby, EVP, Security Services & Innovation at Cerberus Sentinel, wrote to describe the severity of the effects of a vulnerable email system: "Attacks on email systems are one of the most impactful security events a business can face. We believe that protecting our passwords is what keeps our online accounts secure; however, if you forget your password, most accounts have a password reset feature that relies on your email account. Access to your email is arguably more important than knowing your password, and attackers know that. Email has been around since the beginning of the internet and sending email seems commonplace today, but email security is often overlooked, leaving it a significant target for attackers. Businesses should ensure they have robust email security controls in place and regularly review the security of their email providers."
James McQuiggan, Security Awareness Advocate at KnowBe4, reminds us of the importance of well-understood incident response plans: "Organizations should have well-documented and repeatable incident response plans for security events with clear lines of communication and reporting. In addition, these procedures should also include public relations responses for any event to effectively handle questions from customers, third parties and the media. No organization wants to experience a data breach and loss of customer or employee information. However, the management of the organization must view cybersecurity operations as essential to effectively protect the organization. Too often, executives view cybersecurity and risk as an IT issue, not a boardroom issue. If this view persists, more organizations will experience a similar situation."
His KnowBe4 colleague, Erich Kron, put the incident in the context of the supply chain:
“This is another example of a situation where a security incident at one point in the supply chain caused significant problems for their customers. Unfortunately, the Mailchimp incident may have potentially led to downstream breaches by DigitalOcean customers generating password reset requests, through no fault of their own. For cybercriminals, access to an email service such as Mailchimp could bring huge benefits as they could send phishing emails to customers from a known and trusted account. In the event that DigitalOcean customers fall for a phishing attack resulting from Mailchimp’s breach, the most likely scenario would be that the customer is unhappy with DigitalOcean, not really knowing Mailchimp. While helpful, these types of vendor partnerships can unfairly taint an otherwise trustworthy brand, highlighting the importance of choosing vendors wisely.
"DigitalOcean customers should be alert to potential phishing emails that appear to originate within the organization, and organizations using the Mailchimp service should ask the provider tough questions. Educating employees on how to detect and report phishing email is an important security control for organizations of all sizes, especially considering the damage incurred by falling for a phishing attack."