Dec 13 2018

One of the newer incidents appearing on HHS’s public breach tool this week is a report from Mind & Motion, LLC in Georgia. Mind & Motion offers various types of therapeutic modalities.

On September 30th, 2018, they discovered that their server had been attacked with ransomware.

In a notification to patients, they write:

We have learned that your personal information potentially including: name, address, birthday, gender, medical history, social security number, medical diagnosis, insurance information, and medical records may have been compromised.

Ouch. It’s a great notification letter in terms of transparency, though, as it also details findings by the external consultants they brought in to assist and the steps they are taking to prevent a similar incident in the future. I’m sure some readers will pick up on all the past detritus from attacks and wonder why nothing got detected or prevented sooner, but it is what it is and it sounds like they have taken serious steps to improve their data security. I wish them well.

According to their report to HHS, 16,000 patients have been notified.

You can read their entire web site notice, below:


Dec 13 2018

From the maybe-if-we-just-say-it’s-not-our-fault? dept, Gareth Corfield reports:

Ticketmaster is telling its customers that it wasn’t to blame for the infection of its site by a strain of the Magecart cred-stealing malware – despite embedding third-party JavaScript into its payments page.

In a letter to Reg reader Mark, lawyers for the controversy-struck event ticket sales website said that Ticketmaster “is of the belief that it is not responsible for the Potential Security Incident”.

They were referring to the June 2018 infection of its UK website with the Magecart payment credential-stealing malware. At the time, Ticketmaster publicly blamed “a customer support product hosted by Inbenta Technologies” for the infection. Inbenta chief exec Jordi Torras immediately hit back, telling us in June: “Had we known that script would have been used in that way, we would have advised against it, as it poses a security threat.”

Read more on The Register.

Dec 11 2018

Catalin Cimpanu reports:

A Russian cyber-security firm says it discovered login credentials for more than 40,000 accounts on government portals in more than 30 countries. The data includes usernames and cleartext passwords, and the company believes they might be up for sale on underground hacker forums.

Alexandr Kalinin, head of Group-IB’s Computer Emergency Response Team (CERT-GIB), says these account details have been collected over time by cyber-criminals with the help of off-the-shelf malware strains such as the Pony and AZORult infostealers, but also the Qbot (Qakbot) multi-purpose trojan.

Read more on ZDNet.

Dec 10 2018

Sarah Meehan reports:

The University of Maryland Medical System is investigating a malware attack on its computer system that occurred early Sunday, according to the hospital network.

A ransomware-style attack affected about 250 of the hospital system’s 27,000 devices, said Jon Burns, the hospital system’s senior vice president and chief information officer. Because the group’s computers were not encrypted, no ransom was required to unlock the devices, and the hospital system was able to isolate the virus before it spread further, Burns said.

After the medical system became aware of the attack at about 4:30 a.m. Sunday, the hospitals took their networks and devices offline by about 7 a.m. The 250 affected devices — primarily desktop computers — were quarantined, and the remainder of the system was back online by Monday morning, Burns said.

Read more on Baltimore Sun.

Dec 08 2018

Ionut Arghire reports:

A threat group possibly originating from North Korea has been targeting academic institutions since at least May of this year, NetScout’s security researchers reveal.

The attackers use spear-phishing emails that link to a website where a lure document attempts to trick users into installing a malicious Google Chrome extension. Following initial compromise, off-the-shelf tools are used to ensure persistence.

The campaign likely hit other targets as well, though NetScout says that only those domains targeting academia were intended to install a malicious Chrome extension. Many of the intended victims, across multiple universities, had expertise in biomedical engineering.

The actors behind the attack, however, displayed poor OPSEC, which allowed the researchers to find open web browsers in Korean, English-to-Korean translators, and keyboards switched to Korean.

Read more on SecurityWeek.