Tag Archives: LabCorp

Security News Bytes for the Week Ending June 7, 2019

More Information on the Baltimore Cyberattack

Baltimore estimates that it will wind up spending $18 million to recover from the cyberattack, which is why many organizations just pay the ransom. The attackers only wanted about $103,000, less than 1 percent of what the city is going to spend. Of course, an organization that pays will still be vulnerable to the next attack and will have no idea whether the attacker remains inside its systems, slowly stealing data, indefinitely.

The city blames the federal government for the breach because the attackers used EternalBlue, the leaked NSA exploit, and wants federal aid to pay for the cleanup, although there are conflicting reports saying that no evidence of EternalBlue was found on the city's network.

Baltimore's information technology office issued an undated, detailed warning that the city was using computer systems that were out of date, highly vulnerable to attack and not backed up, calling them "a natural target for hackers and a path for more attacks in the system." (Based on its contents, the memo was likely written in late 2017 or 2018.)

The reality is that the patch for the SMB flaw that EternalBlue exploits (MS17-010) has been available since March 2017, more than two years, but it had not been installed in Baltimore. Whose fault is that? Like many organizations, Baltimore chose to prioritize spending on other things over protecting its systems and its customers' data. Source: Cyberwire (no link) and the Baltimore Sun.

GandCrab Ransomware Shutting Down After Getting $2.5 BILLION

Smart people know when to stop. Apparently the criminals behind GandCrab have decided that they have made enough and have told their "affiliates" to stop distributing the ransomware after an 18 month run. The operators claim to have generated $2.5 million a week over those 18 months and to have cashed out $150 million, which they say they have "invested". (Take the operators' own figures with a grain of salt: $2.5 million a week for 18 months is on the order of $200 million in ransom payments, not billions.) Of course, other malware will replace it, but the sheer scale of this one is remarkable. Source: Bleeping Computer.

Two Different Medical Labs Announce Breach – Both Use the Same Third Party Billing Vendor

First it was Quest Diagnostics announcing that the records of nearly 12 million patients, including credit card and bank account information, medical information and Social Security numbers, were compromised. Now it is LabCorp saying that almost 8 million of its patient records were exposed.

Both tie back to the same vendor, AMCA (American Medical Collection Agency). Given that both of these giants used it, there are likely many smaller companies that did as well.

LabCorp said, in an SEC filing, that the intruders were inside AMCA's systems for nine months before they were detected.

Once again, a third-party vendor has put the companies that trusted it at risk. In this case there is the added pain that this is a breach of protected health information under HIPAA, and a big one at that. AMCA is a business associate under HIPAA, but the covered entities that hired it are the ones that carry the breach notification duty. That is why vendor cyber risk management is so important.

Quest says it has stopped sending work to AMCA and hired its own forensic investigators, and that it has not received sufficient information from AMCA. Remember: you can outsource the task, but not the liability. Hopefully everyone involved has a lot of cyber-risk insurance.

Source: Brian Krebs.

Millions of Exim Mail Transfer Agents Are at Risk

What could go wrong? Millions of Exim mail transfer agents, typically run on Unix-like systems, are vulnerable to both remote and local attacks. The flaw (CVE-2019-10149, affecting Exim 4.87 through 4.91) lets an attacker execute commands on the target system as root.

The bug was fixed in Exim 4.92 in February, but the release was not flagged as a security fix, so many sysadmins likely never installed it. Shodan shows about 4.8 million servers running Exim and only 588,000 running the fixed version, with most of the vulnerable servers in the U.S. Two caveats for anyone checking their own fleet: the local variant is trivially exploitable, while remote exploitation of a default configuration is slow (Qualys' advisory describes holding a connection open for days), and distributions often backport the fix without changing the upstream version number, so check your distribution's advisory rather than trusting the version string alone. Source: Bleeping Computer.
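As an added example (not code from the article or from the Exim project), here is a small Python script that parses the version banner `exim -bV` prints and classifies it against the affected range. The sample banners are constructed, and the `check_local_exim` helper is mine; the only assumption about Exim itself is the banner format `Exim version 4.91 #1 built ...`.

```python
import re
import subprocess

# Added example, not from the article or the Exim project: classify an Exim
# version banner against the range affected by CVE-2019-10149 (upstream
# 4.87 through 4.91, fixed in 4.92). Banners below are constructed samples
# in the format `exim -bV` prints, e.g. "Exim version 4.91 #1 built ...".

AFFECTED_FIRST = (4, 87)
AFFECTED_LAST = (4, 91)
_BANNER_RE = re.compile(r"Exim version (\d+)\.(\d+)")


def parse_exim_version(banner: str):
    """Return (major, minor) parsed from an `exim -bV` banner, or None."""
    m = _BANNER_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(banner: str) -> str:
    """'affected', 'fixed', 'older' (pre-4.87, out of upstream support) or 'unknown'."""
    version = parse_exim_version(banner)
    if version is None:
        return "unknown"
    if AFFECTED_FIRST <= version <= AFFECTED_LAST:
        return "affected"
    return "older" if version < AFFECTED_FIRST else "fixed"


def check_local_exim() -> str:
    """Run `exim -bV` on this host and classify it; 'unknown' if Exim is absent.
    Caveat: distributions often backport the fix without changing the version
    string, so confirm an 'affected' verdict against your distro's advisory."""
    try:
        out = subprocess.run(["exim", "-bV"], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return "unknown"
    first_line = out.stdout.splitlines()[0] if out.stdout else ""
    return classify(first_line)


# Constructed sample banners and the verdict each should produce.
SAMPLE_BANNERS = {
    "Exim version 4.91 #1 built 10-Feb-2019 12:00:00": "affected",
    "Exim version 4.87 #2 built 01-Apr-2016 09:30:00": "affected",
    "Exim version 4.92 #3 built 04-Jun-2019 08:00:00": "fixed",
    "Exim version 4.86 #2 built 10-Jan-2016 12:00:00": "older",
    "not an exim banner": "unknown",
}

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{classify(banner):9s} {banner}")
    print("this host:", check_local_exim())
```

A version check is a triage tool, not proof: treat "affected" as "go read the distribution advisory", and treat "older" as needing an upgrade regardless, since pre-4.87 releases are out of upstream support.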

The AMCA Data Breach Keeps Growing

AMCA is a company you had probably never heard of before this week. It is a medical debt collection agency. As noted above, first it was Quest with 12 million patients affected; then it was LabCorp with another 7+ million.

One assumes that AMCA has many customers and, depending on how its systems are built, that probably all of their data was exposed. It is possible that each customer's data was isolated from the others', but that does not appear to be the case.

Now OPKO Health is saying that about 400,000 of its patients' records were compromised. Expect more customers to come forward in the weeks ahead.

This is the risk you take when you use outside parties: breaches that you do not control but have to pay for anyway, both financially and in brand damage. If you have not already figured out how to protect yourself as best you can, now is the time, because once you get that phone call from your vendor it is too late. Source: Bleeping Computer.

Lessons From LabCorp

As I wrote last week, LabCorp, the mega medical lab testing company (mega as in revenue of around $10 billion last year), was breached, and because it had to describe the incident to the SEC, its filing gives some interesting insight into what happened when it shut down large parts of its network without warning, halting the testing of lab samples both in house and in transit.

From what we can glean from the filing, they were hit with ransomware, likely a SamSam variant, a family that seems to have an affection for the healthcare industry.

They state that their Security Operations Center was notified, we assume by automated alerting, when the first computer was infected.

That, by itself, is pretty amazing. I bet fewer than one percent of U.S. companies could meet that benchmark.

Then, they say, they contained the malware within 50 minutes of the first alert. That too is impressive. To do that, you have to know what you are dealing with and how it spreads, and then figure out which "circuit breakers" to trip to contain it. Hitting that number at midnight implies pre-authorized playbooks (host isolation through the endpoint agent, shutting off the spreading protocol at the network layer) rather than decisions invented on the spot. The City of Denver was hit with a denial of service attack a couple of years ago, and it took them, they say, a couple of hours to figure out how to disconnect from the Internet. That is more typical than what LabCorp managed.

The attack started at around midnight, naturally, when the fewest people were around to deal with it. Factor that into the 50 minute containment time and it is even more impressive.

However, in that very short 50 minute window, 7,000 systems were infected, including 1,900 servers. Those numbers are not so good. Of the 1,900 servers, 300 were production servers. That is really not good.

One of SamSam's known attack vectors is Microsoft's Remote Desktop Protocol (RDP), typically reached by guessing weak passwords on servers that expose it to the Internet.

RDP should never be reachable from the Internet, and we do not know whether it was here. Where it is used internally, access should be tightly restricted, and where it is genuinely needed it should require multifactor authentication. While we do not know, it is likely that RDP was the entry point and that multifactor authentication was not in place. Hopefully, as part of their lessons learned, they will change that.
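Whether or not RDP was the way in at LabCorp, password guessing against exposed RDP is the vector SamSam is known for, and it is easy to see in Windows Security logs if you look for it. The following is an added example, not the article's or LabCorp's code: a small Python detection over constructed 4625/4624 events, with a made-up threshold of 5 failures in 10 minutes per source address and the event field names (`EventID`, `LogonType`, `IpAddress`, `TargetUserName`, `TimeCreated`) taken from the Windows Security event schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example, not from the article: a minimal detection for RDP password
# guessing over Windows Security events (4625 = failed logon, 4624 = logon).
# Events below are constructed. Caveat: when Network Level Authentication is
# on, failed RDP attempts are logged with LogonType 3 (network), not 10
# (RemoteInteractive), so the rule must watch both or it misses the brute force.

RDP_LOGON_TYPES = {3, 10}
WINDOW = timedelta(minutes=10)   # sliding window for counting failures (assumed)
THRESHOLD = 5                    # failures from one source IP inside WINDOW (assumed)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect_rdp_bruteforce(events, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: {"first_alert", "failures", "accounts", "success_after"}} for
    every source IP whose failures cross the threshold inside the window.
    "success_after" is the time of a later successful logon from that IP,
    i.e. the guessing probably worked; None if no such logon was seen."""
    recent = defaultdict(deque)     # ip -> timestamps of failures inside the window
    total = defaultdict(int)        # ip -> all failures seen
    accounts = defaultdict(set)     # ip -> account names tried
    first_alert, success_after = {}, {}
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev.get("LogonType") not in RDP_LOGON_TYPES:
            continue                # console, service and batch logons are not RDP
        ip, ts = ev["IpAddress"], parse_ts(ev["TimeCreated"])
        if ev["EventID"] == 4625:
            total[ip] += 1
            accounts[ip].add(ev["TargetUserName"])
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ip not in first_alert:
                first_alert[ip] = ts
        elif ev["EventID"] == 4624 and ip in first_alert and ip not in success_after:
            success_after[ip] = ts
    return {ip: {"first_alert": t, "failures": total[ip],
                 "accounts": sorted(accounts[ip]),
                 "success_after": success_after.get(ip)}
            for ip, t in first_alert.items()}


def _event(eid, ltype, ip, user, minute, second=0):
    return {"EventID": eid, "LogonType": ltype, "IpAddress": ip,
            "TargetUserName": user, "TimeCreated": f"2018-07-14T00:{minute:02d}:{second:02d}"}


# Constructed sample log: one Internet address guessing eight times in four
# minutes through NLA (type 3), then logging in; a LAN user mistyping twice;
# and console (type 2) failures that the rule must ignore however many there are.
SAMPLE_EVENTS = (
    [_event(4625, 3, "203.0.113.7", u, i // 2, 30 * (i % 2))
     for i, u in enumerate(["administrator", "admin", "backup", "svc_backup"] * 2)]
    + [_event(4624, 10, "203.0.113.7", "svc_backup", 5)]
    + [_event(4625, 10, "10.0.0.5", "jsmith", 1), _event(4625, 10, "10.0.0.5", "jsmith", 2)]
    + [_event(4625, 2, "-", "jdoe", m) for m in range(6)]
)

if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        verdict = "COMPROMISED" if f["success_after"] else "guessing"
        print(f"{ip}: {verdict}, {f['failures']} failures, first alert {f['first_alert']}, "
              f"accounts {f['accounts']}")
```

The point of watching both logon types is the NLA caveat in the comment: a rule written only for LogonType 10 will look clean on a server that is being hammered through NLA. The success-after-failures case is the one worth paging on; the failures alone are background noise on any server that exposes port 3389 to the Internet, and that exposure is the real problem to fix.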

Within a few days they claimed to have 90% of their systems back. It is not clear whether that means 90% of the 7,000 infected systems, which would be quite impressive, or 90% of the 300 production servers, which would be less impressive but still good.

So what are the takeaways from this?

These conclusions are based mostly on what we can infer, since they are not saying much, likely because they fear lawsuits and whatever HIPAA sanctions may follow.

  • They seem to have excellent monitoring and alerting, since they detected the attack very quickly.
  • They must also have a capable security operations center, since they identified what they were dealing with and contained it within 50 minutes.
  • On the other end of the spectrum, the malware infected 7,000 machines, including production servers. They probably need to work on this one, which in practice means segmentation and limits on lateral movement.
  • Assuming RDP was the infection vector, that should not have happened at all; they lose points for this one.
  • They restarted a significant number of machines quickly, so they appear to have some degree of disaster recovery.
  • On the other hand, having to shut down the network and stop processing lab work says that their business continuity process could use some work.
  • Finally, they claim to KNOW that no data left the network. I would say that 99% of companies could not make that claim: proving it requires complete egress visibility (proxy, firewall and flow logs covering every path out) retained from before the first infection.

Overall, you can compare how your company stacks up against LabCorp and figure out where to improve.

Using another company's bad luck to learn lessons is probably the least expensive way to improve your security.

This is a great breach to learn from.

Information for this post came from CSO Online.

Security News Bites for the Week Ending July 20, 2018

Israeli Startup Raises $12.5 Million to Help Governments Hack IoT

Given the sad state of IoT security, I am not sure governments need any help hacking IoT devices, but just in case they do, Israeli startup Toka has raised $12.5 million to help police hack iPhones, Alexa and Echo devices, Nests, and other IoT devices like your TV, refrigerator and dishwasher.

If you weren’t paranoid before, maybe you should be now.

Former Israeli Prime Minister Ehud Barak is a cofounder, and Brigadier General Yaron Rosen, former head of the Israel Defense Forces' cyber staff, is Toka's president.

Much like the NSA's Tailored Access Operations (TAO) unit, which builds custom intrusion tools for the agency, Toka says it will see what its customers ask for and then build it.

This sounds like a company to watch.  (Source: Forbes)

U.S. Intel Chief Warns of Devastating Cyber Threat to U.S. Infrastructure

Director of National Intelligence Dan Coats said the warning lights are blinking red again, nearly two decades after 9/11.

Russia, China, Iran and North Korea launch daily cyber attacks on the networks of federal, state and local government agencies, U.S. corporations and academic institutions.

Of the four, Russia has been the most aggressive according to Coats.

Coats warned that the possibility of a “crippling cyber attack on our critical infrastructure” by a foreign actor is growing. (Source: Reuters)

Voting Machine Vendor Admits Installing Remote Access Software After Lying About it to the New York Times

Election Systems & Software admitted, in a letter to Senator Ron Wyden, that it installed pcAnywhere remote access software on some of the election systems it delivered between 2000 and 2006. That is the opposite of what it told a New York Times reporter in February, so either it was lying then or it is lying now; pick one.

It stopped installing the remote access software in December 2007, after the rules changed in a way that would have prohibited it.

The remote access software was not on the voting machines in local precincts but on the election management systems at city and county headquarters. There are far fewer of those systems, and each one manages many voting machines, which makes them a much more attractive target for attackers. (Source: Motherboard)

LabCorp Shuts Down Network Due to Ransomware Attack

Laboratory Corporation of America, known to most Americans as LabCorp, shut down portions of its network over the weekend due to "suspicious activity". That is about as specific as the company has been.

The attack hit the company's genetic testing unit and spread from there. The company has data on over 250 million Americans. LabCorp says there is no indication that data was breached, but according to people familiar with the attack, it is a strain of the common SamSam ransomware and it has infected tens of thousands of workstations.

The attackers demanded $52,000 in ransom, which LabCorp says it has no intention of paying.

LabCorp is working hard to minimize brand damage as it fights Quest Diagnostics for market share. Unfortunately, under the HIPAA Breach Notification Rule a security incident involving protected health information is presumed to be a breach unless a risk assessment shows a low probability that the information was compromised, and HHS guidance treats ransomware encryption of that information as a breach by default. Unless LabCorp can make that showing, this must be reported to the government, at which point we will get more details. Source: Wall Street Journal.
