Monthly Breach Report: February 2022 Edition

According to the Allianz Risk Barometer, cyber perils are the biggest concern for companies globally this year. Ransomware, data breaches, and major IT outages are proving more worrisome than supply chain disruption or even COVID-19. Review some of the top breaches reported last month, and it’s easy to see why cyber attacks cause such concern.

Another Log4j Vulnerability Victim

French luxury skincare brand Clarins admitted in January that it suffered a data breach due to the well-known log4j vulnerability that weeks earlier created a stir at some of the world’s most famous companies. Clarins’ vulnerability was discovered in the log4j code used to manage its database of customers in Singapore. The hackers exploited the vulnerability to obtain Singaporean customers’ personal information, including names, addresses, telephone numbers, and loyalty program numbers. However, Clarins asserted that passwords and credit information were secure.

Log4j is a widely used piece of open-source software helps companies like Clarins use software applications to track their past activities. Back in December, security experts discovered that log4j contained a bug that created a vulnerability of “apocalyptic” proportions due to the code’s ubiquitousness across the Internet and cloud services. Experts realized that when log4j was asked to log something new and add it to a record, bad actors could simply ask the program to log a line of malicious code and log4j would execute that code, allowing criminals to hack into and take control of servers running the code. Experts suggest it could take years to fully address the security flaw.

Sources

• The Washington Post
• CNBC
• Global Cosmetics News
• Federal Trade Commission

Indonesia’s Central Bank Confirms Attack

Last month, Wizard Spider, the notorious Russian ransomware group, claimed responsibility for an attack on the central bank of the Republic of Indonesia. Bank Indonesia (BI) recognized unusual behavior on its network and thwarted the gang’s attempt to use Conti, Ransomware-as-a-Service, to steal critical employee data and hijack public services. Despite their failed attempt to extract a ransom, Wizard Spider added the bank to their ever-growing public list of victims on a Tor leaks site. The group boasted they stole 14 GB (13.88 GB) worth of files.

The criminal group behind the attack typically uses malware strains, such as BazarLoader and Ryuk, to compromise large, highly visible organizations like BI. The Federal Bureau of Investigation (FBI) warns that the attackers then confiscate and leak data to their C2 (Command and Control Infrastructure) before deploying ransomware payloads on the network. Victims receive a ransom letter instructing them to “contact the actors through an online portal to complete the transaction. If the ransom is not paid, the stolen data is sold or published” to the Tor site. FBI officials state that ransom demands have been issued to more than 500 organizations worldwide and have gone as high as $25 million. Miftah Fadhli, a cybersecurity expert at Indonesia’s NGO Institute of Policy Research and Advocacy, publicly warned BI to continue to fully investigate the attack and monitor for future risks and impacts.

Sources

• Federal Bureau of Investigation
• Reuters

Cybercriminals Hack Red Cross Data Storage

The International Committee of the Red Cross (ICRC) announced in January it suffered a cyberattack targeting the data of 515,000 “highly vulnerable” people. The humanitarian network confirmed that criminals breached servers hosting the personal information of people “who have been separated from their families due to conflict, migration, and disaster as well as missing persons, their families, and people in detention.”

The breach occurred on January 18, when the ICRC’s security team detected an anomaly in the system underpinning a program called “Restoring Family Links.” No other information was compromised because of the segmentation of the systems. After an investigation, the team determined the attack was on the contractor in Switzerland that was storing the data. ICRC officials noted that while cyberattacks are usually financial in nature, this attack was especially pernicious because the stolen information could be used to harm unaccompanied children.

The attack also halted the Red Cross’ current ability to trace missing people and families in conflict zones like Afghanistan as well as disaster victims of the tsunami in Tonga. ICRC officials are scrambling to determine the extent of the data exposed and to inform affected clients who already often have fear and mistrust of large agencies and organizations. ZDNet reports that the crime was not a ransomware attack, and no one has claimed responsibility. The Red Cross attack is part of a growing trend of cybercriminals targeting hospitals and humanitarian organizations, warns the ICRC.

Sources

• International Committee of the Red Cross
• ZDNet
• NPR
• TechCrunch

OpenSubtitles Admits Data Breach Led to Ransomware Payments

OpenSubtitles, a popular website providing free subtitles for movie fans, recently announced that the organization was hacked back in August of last year. To keep the attacker silent about the theft of data for 7 million users, the company paid the ransom but only after their stolen files were leaked on the HaveIBeenPwned website. Stolen information included emails, country names, IP addresses, usernames, and MD5 password hashes (a widely used hash function producing a 128-bit hash value).

Payment information is not stored on the site and remains safe. The company admits that the website was created in 2006 with little thought for security and blames the incident on an administrator who used a weak password. The hacker initially sent a message to the company, providing proof he had gained access to the site’s user table. He promised that if he received a bitcoin ransom of an undisclosed sum that he would not disclose the extortion to the public and would delete the stolen data.

Sources

• The Record
• Security Week

Goodwill Hacked Again in Recent Ecommerce Site Breach

Goodwill, a US nonprofit organization, recently disclosed that cybercriminals hacked into its ShopGoodwill.com ecommerce platform, affecting customer accounts. Payment information was not stolen because the site does not store the data on its servers. However, compromised information stolen includes first and last name, email address, phone number, and mailing address.

The company sent out email notifications to affected customers. No further updates—such as number of customers impacted—have been provided. This is the second time the website has been breached. In 2014, information for an estimated 868,000 credit and debit cards was stolen after the company’s computer network was infected with malware.

Sources

• Bleeping Computer
• Security Week 
• Consumer Affairs

Email Breach Exposes Thousands of Patients’ Data at Georgia Hospital

Cybercriminals recently stole the protected health information (PHI) of thousands of patients from Ciox Health of Alpharetta, Georgia. The healthcare information management company announced that the following had been compromised:

• clinical information
• social security numbers
• driver’s license numbers
• birth dates
• service dates
• provider names
• patient names

The hacker accessed a Ciox employee’s email account in late June of 2021. Emails and attachments containing patient information related to billing inquiries were stolen. Approximately 12,493 individuals were affected. Ciox has recognized that it must provide regular cybersecurity training to its employees, particularly related to email security.

Sources

• Infosecurity
• Ciox Health
• HIPAA Journal

 

Reading about breaches can certainly be nerve-wracking, but you’re not alone in the fight to protect your most valuable data. Let the PKWARE team show you how you can automatically discover and protect sensitive and private data. Try a free personalized demo now.