Feb 222019
 

Sergiu Gatlan reports:

Financial software company Intuit discovered that tax return info was accessed by an unauthorized party after an undisclosed number of TurboTax tax preparation software accounts were breached in a credential stuffing attack.

A credential stuffing attack is when attackers compile username and passwords that were leaked from previous security breaches and use those credentials to try and gain access to accounts at other sites. This type of attack works particularly well against users who use the same password at every site.

Read more on BleepingComputer.
It’s 2019.  Why is this still a thing?
Here is Intuit’s notification to Vermont:
Feb 222019
 

LawFuel reports:

Geoffrey S. Berman, the United States Attorney for the Southern District of New York, and William F. Sweeney Jr., Assistant Director-in-Charge of the New York Office of the Federal Bureau of Investigation (“FBI”), announced that STANISLAV VITALIYEVICH LISOV, a/k/a “Black,” a/k/a “Blackf” (“LISOV”), pled guilty today to conspiring to deploy and use a type of malicious software known as NeverQuest to infect the computers of unwitting victims, steal their login information for online banking accounts, and use that information to steal money out of the victims’ accounts.  NeverQuest has been responsible for millions of dollars’ worth of attempts by hackers to steal money out of victims’ bank accounts.  LISOV pled guilty before United States District Judge Valerie E. Caproni.

Read more on LawFuel.   The full press release from SDNY appears below.

Geoffrey S. Berman, the United States Attorney for the Southern District of New York, and William F. Sweeney Jr., Assistant Director-in-Charge of the New York Office of the Federal Bureau of Investigation (“FBI”), announced that STANISLAV VITALIYEVICH LISOV, a/k/a “Black,” a/k/a “Blackf” (“LISOV”), pled guilty today to conspiring to deploy and use a type of malicious software known as NeverQuest to infect the computers of unwitting victims, steal their login information for online banking accounts, and use that information to steal money out of the victims’ accounts.  NeverQuest has been responsible for millions of dollars’ worth of attempts by hackers to steal money out of victims’ bank accounts.  LISOV pled guilty before United States District Judge Valerie E. Caproni.

U.S. Attorney Geoffrey S. Berman said:  “As he admitted today, Stanislav Vitaliyevich Lisov used malware to infect victims’ computers, obtain their login credentials for online banking accounts, and steal money out of their accounts.  This type of cybercrime extends across borders, poses a malicious threat to personal privacy, and causes widespread financial harm.  For his audacious crime, this Russian hacker now faces justice in an American court.”

FBI Assistant Director William F. Sweeney Jr. said:  “’In addition to creating and maintaining a botnet infected with NeverQuest malware, Stanislav Lisov, a Russian national, gathered personally identifiable information of NeverQuest victims and discussed illegally trafficking that information.  As today’s plea should demonstrate, the FBI and our partners will continue to bring these actors to justice, regardless of where they may hide.”

According to the Indictment, Complaint, and other statements made during public court proceedings:

NeverQuest is a type of malicious software, or malware, known as a banking Trojan.  It can be introduced to victims’ computers through social media websites, phishing emails, or file transfers.  Once surreptitiously installed on a victim’s computer, NeverQuest is able to identify when a victim attempts to log onto an online banking website and transfer the victim’s login credentials – including his or her username and password – back to a computer server used to administer the NeverQuest malware.  Once surreptitiously installed, NeverQuest enables its administrators remotely to control a victim’s computer and log into the victim’s online banking or other financial accounts, transfer money to other accounts, change login credentials, write online checks, and purchase goods from online vendors.

Between June 2012 and January 2015, LISOV was responsible for key aspects of the creation and administration of a network of victim computers known as a “botnet” that was infected with NeverQuest.  Among other things, LISOV maintained infrastructure for this criminal enterprise, including by renting and paying for computer servers used to manage the botnet that had been compromised by NeverQuest.  Those computer servers contained lists of millions of stolen login credentials – including usernames, passwords, and security questions and answers – for victims’ accounts on banking and other financial websites.  LISOV had administrative-level access to those computer servers.

LISOV also personally harvested login information from unwitting victims of the NeverQuest malware, including usernames, passwords, and security questions and answers.  In addition, LISOV discussed trafficking in stolen login information and personally identifiable information of victims.

On January 13, 2017, LISOV was arrested in Spain pursuant to a provisional arrest warrant.  On January 19, 2018, LISOV was extradited from Spain to the United States.

*                *                *

LISOV, 33, a citizen of Russia, pled guilty to one count of conspiracy to commit computer hacking, which carries a maximum sentence of five years in prison.  The statutory maximum sentence is prescribed by Congress and is provided here for informational purposes only, as any sentencing of the defendant will be determined by the judge.  LISOV’s sentencing is scheduled for June 27, 2019 at 11:00 a.m. before Judge Caproni.

Mr. Berman praised the outstanding investigative efforts of the FBI.  Mr. Berman also thanked the DOJ Office of International Affairs for its assistance in this case.

The matter is being handled by the Office’s Complex Frauds and Cybercrime Unit.  Assistant U.S. Attorney Michael D. Neff is in charge of the prosecution.

Feb 222019
 

On Feb. 20,  Rutland Regional Medical Center in Vermont posted a notice on its web site that says, in pertinent part:

Rutland Regional Medical Center (“Rutland Regional”) recently discovered an incident that may affect the security of personal information of certain individuals who received care from its facility. We take this incident very seriously, and we have been working diligently, with the assistance of third-party forensic investigators, to determine the full nature and scope of this incident. We are taking additional actions to strengthen the security of our email systems moving forward. Rutland Regional is also contacting the appropriate regulators regarding this incident.

What happened?

On December 21, 2018, a Rutland Regional employee identified a high volume of spam emails being sent from their email account. The employee reported this activity to Rutland Regional’s IT Department on December 29, 2018. Subsequently, on December 31, 2018, Rutland Regional’s IT Department determined the employee’s email account was subject to unauthorized access and immediately changed the employee’s password and locked the account.

Rutland Regional enlisted the assistance of a third-party forensic expert to further investigate this incident. Although the investigation is ongoing, Rutland confirmed on February 6, 2019 that an unauthorized actor or actors had access to nine (9) employees’ email accounts at certain times between November 2, 2018 to February 6, 2019. No Electronic Medical Record systems or other Rutland Regional internal systems were affected.

What information may have been affected by this incident?

Though the investigation into this matter is ongoing, currently it is believed that the unauthorized actor may have had access to information related to certain individuals who were treated at Rutland Regional, including the following types of information: name, contact information, Social Security number, financial information, date of birth, medical record number, patient identification number, medical and/or clinical information including diagnosis and treatment information, and health insurance information.

Rutland Regional cannot confirm whether any specific information within the affected email accounts was actually accessed, viewed, or acquired without permission. They are providing this notification out of an abundance of caution to anyone whose information was accessible within the email accounts.

Read more on RRMC. The number of patients being notified was not disclosed and the incident is not on HHS’s breach portal (yet).

Feb 222019
 

Matt Pilon reports:

UConn Health on Friday disclosed that an unauthorized third party had accessed employee email accounts, potentially breaching the privacy of 326,000 patients and others.

Of that number, 1,500 could have had their social security numbers exposed, UConn Health said. For others, potentially acquired details include names, dates of birth, addresses, and billing and appointment information, according to a forensic investigator’s findings just before Christmas. Most of those that could be affected are patients, while a small portion are UConn employees, the state-led, Farmington-based health system, anchored by John Dempsey Hospital, said.

Read more on Hartford Business.

The following  statement appears on UConn Health’s  site:

Notice of Data Security Incident

UConn Health recently learned that an unauthorized third party illegally accessed a limited number of employee email accounts. Upon learning of the incident, we immediately took action, including securing the impacted accounts to prevent further unauthorized access and confirming the security of our email system. We also notified law enforcement and retained a leading forensic security firm to investigate and conduct a comprehensive search for any personal information in the impacted email accounts.

On December 24, 2018, we determined that the accounts contained some personal information, including some individuals’ names, dates of birth, addresses and limited medical information, such as billing and appointment information. The accounts also contained the Social Security numbers of some individuals.

At this point, we are not aware of any fraud or identity theft to any individual as a result of this incident, and do not know if any personal information was ever viewed or acquired by the unauthorized party. Nevertheless, because we cannot isolate exactly what, if any, information may have been accessed, we notified individuals whose information was in the impacted accounts. The incident had no impact on our computer networks or electronic medical record systems.

We have mailed notification letters to potentially impacted individuals for whom we have a valid mailing address. That notice includes information on steps individuals can take to protect themselves against potential fraud or identity theft. In addition, we are offering free identity theft protection services to individuals whose Social Security numbers may be impacted. As a general matter, we recommend that individuals regularly monitor credit reports, account statements and benefit statements. If individuals detect any suspicious activity, they should notify the entity with which the account is maintained, and promptly report the suspicious activity to appropriate law enforcement authorities, including the police and their state attorney general. In addition, anyone looking for information on fraud prevention can review tips provided by the FTC at www.ftc.gov/idtheft.

We take our responsibility to safeguard personal information seriously and apologize for any inconvenience or concern this incident might cause. We have taken and will continue to take steps to help prevent something like this from happening again, including evaluating additional platforms for educating staff and reviewing technical controls.

Individuals with questions may call our dedicated toll-free inquiry line at 1-877-734-5353 between 9 a.m. and 9 p.m. Eastern Time, Monday through Friday.

Feb 222019
 

I’ve  been told that at times, I can be tough on those who have had breaches.  But I actually do feel sympathy for some victims.

Read this notification from Martin Hutchison & Hohman, a firm of certified public accountants in Eureka,  California. I found it actually painful to read.  When conscientious people fall for scams, it reminds us that “there but for the grace….”

The breach occurred on Feb.15 and notification was submitted to the California Attorney General’s Office on Feb. 21.

MHH Security Breach