In September 2023, KrebsOnSecurity published findings from security researchers who concluded that a series of six-figure cyberheists across dozens of victims resulted from thieves cracking master passwords stolen from the password manager service LastPass in 2022. In a court filing this week, U.S. federal agents investigating a spectacular $150 million cryptocurrency heist said they had reached the same conclusion.

On March 6, federal prosecutors in northern California said they seized approximately $24 million worth of cryptocurrencies that were clawed back following a $150 million cyberheist on Jan. 30, 2024. The complaint refers to the person robbed only as “Victim-1,” but according to blockchain security researcher ZachXBT the theft was perpetrated against Chris Larsen, the co-founder of the cryptocurrency platform Ripple.

ZachXBT was the first to report on the heist, of which approximately $24 million was frozen by the feds before it could be withdrawn. This week’s action by the government merely allows investigators to officially seize the frozen funds.

But there is an important conclusion in this seizure document: It basically says the U.S. Secret Service and the FBI agree with the findings of the LastPass breach story published here in September 2023. That piece quoted security researchers who said they were witnessing six-figure crypto heists several times each month, all of which they believed to be the result of crooks cracking master passwords for the password vaults stolen from LastPass in 2022.

“The Federal Bureau of Investigation has been investigating these data breaches, and law enforcement agents investigating the instant case have spoken with FBI agents about their investigation,” reads the seizure complaint, which was written by a U.S. Secret Service agent. “From those conversations, law enforcement agents in this case learned that the stolen data and passwords that were stored in several victims’ online password manager accounts were used to illegally, and without authorization, access the victims’ electronic accounts and steal information, cryptocurrency, and other data.”

The document continues:

“Based on this investigation, law enforcement had probable cause to believe the same attackers behind the above-described commercial online password manager attack used a stolen password held in Victim 1’s online password manager account and, without authorization, accessed his cryptocurrency wallet/account.”

Working with dozens of victims, security researchers Nick Bax and Taylor Monahan found that none of the six-figure cyberheist victims appeared to have suffered the sorts of attacks that typically preface a high-dollar crypto theft, such as the compromise of one’s email and/or mobile phone accounts, or SIM-swapping attacks.

They discovered the victims all had something else in common: Each had at one point stored their cryptocurrency seed phrase — the secret code that lets anyone gain access to your cryptocurrency holdings — in the “Secure Notes” area of their LastPass account prior to the 2022 breaches at the company.

Bax and Monahan found another common theme with these robberies: They all followed a similar pattern of cashing out, rapidly moving stolen funds to a dizzying number of drop accounts scattered across various cryptocurrency exchanges.

According to the government, a similar level of complexity was present in the $150 million heist against the Ripple co-founder last year.

“The scale of a theft and rapid dissipation of funds would have required the efforts of multiple malicious actors, and was consistent with the online password manager breaches and attack on other victims whose cryptocurrency was stolen,” the government wrote. “For these reasons, law enforcement agents believe the cryptocurrency stolen from Victim 1 was committed by the same attackers who conducted the attack on the online password manager, and cryptocurrency thefts from other similarly situated victims.”

Reached for comment, LastPass said it has seen no definitive proof — from federal investigators or others — that the cyberheists in question were linked to the LastPass breaches.

“Since we initially disclosed this incident back in 2022, LastPass has worked in close cooperation with multiple representatives from law enforcement,” LastPass said in a written statement. “To date, our law enforcement partners have not made us aware of any conclusive evidence that connects any crypto thefts to our incident. In the meantime, we have been investing heavily in enhancing our security measures and will continue to do so.”

On August 25, 2022, LastPass CEO Karim Toubba told users the company had detected unusual activity in its software development environment, and that the intruders stole some source code and proprietary LastPass technical information. On Sept. 15, 2022, LastPass said an investigation into the August breach determined the attacker did not access any customer data or password vaults.

But on Nov. 30, 2022, LastPass notified customers about another, far more serious security incident that the company said leveraged data stolen in the August breach. LastPass disclosed that criminal hackers had compromised encrypted copies of some password vaults, as well as other personal information.

Experts say the breach would have given thieves “offline” access to encrypted password vaults, theoretically allowing them all the time in the world to try to crack some of the weaker master passwords using powerful systems that can attempt millions of password guesses per second.

Researchers found that many of the cyberheist victims had chosen master passwords with relatively low complexity, and were among LastPass’s oldest customers. That’s because legacy LastPass users were more likely to have master passwords that were protected with far fewer “iterations,” which refers to the number of times your password is run through the company’s encryption routines. In general, the more iterations, the longer it takes an offline attacker to crack your master password.

Over the years, LastPass forced new users to pick longer and more complex master passwords, and it increased the number of iterations on multiple occasions by several orders of magnitude. But researchers found strong indications that LastPass never succeeded in upgrading many of its older customers to the newer password requirements and protections.
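The arithmetic behind the iteration count, as an added example that is not code from the article or from LastPass: it assumes the vault key is stretched with PBKDF2-HMAC-SHA256 (the page says only “iterations” and “encryption routines”), and every iteration count, keyspace size and hardware benchmark in it is an illustrative, constructed value rather than a measured LastPass figure.

```python
"""Added example, not from the article or from LastPass: what the "iterations"
setting does to an offline attacker's cost once encrypted vaults are stolen.

Assumptions (labelled; the page says only "iterations" and "encryption
routines"): the vault key is derived with PBKDF2-HMAC-SHA256, and the
attacker's hardware is characterised by a single benchmark figure of raw
HMAC-SHA256 evaluations per second. All iteration counts, keyspace sizes and
the benchmark number below are illustrative, not measured LastPass values.
"""
import hashlib
import os
import time

# OWASP's published minimum for PBKDF2-HMAC-SHA256 (Password Storage Cheat Sheet).
RECOMMENDED_MIN_ITERATIONS = 600_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit vault key.

    An attacker holding an offline copy of the vault must redo exactly this
    work for every candidate password, so `iterations` is the knob that sets
    the per-guess cost for legitimate users and attackers alike.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def relative_cost(legacy_iterations: int, current_iterations: int) -> float:
    """How many times more work per guess the higher setting demands."""
    return current_iterations / legacy_iterations


def guesses_per_second(hmac_per_second: float, iterations: int) -> float:
    """A rig that computes `hmac_per_second` HMACs tests this many passwords
    per second, because each PBKDF2 guess consumes `iterations` HMACs."""
    return hmac_per_second / iterations


def seconds_to_exhaust(keyspace: int, hmac_per_second: float, iterations: int) -> float:
    """Worst-case wall-clock time to try every password in a keyspace."""
    return keyspace / guesses_per_second(hmac_per_second, iterations)


def meets_minimum(iterations: int, minimum: int = RECOMMENDED_MIN_ITERATIONS) -> bool:
    """Audit check a defender can run against an account's KDF setting."""
    return iterations >= minimum


def time_one_derivation(master_password: str, salt: bytes, iterations: int) -> float:
    """Measure one derivation locally; this is the per-guess cost on this
    hardware before any GPU speed-up an attacker might bring."""
    start = time.perf_counter()
    derive_vault_key(master_password, salt, iterations)
    return time.perf_counter() - start


def main() -> None:
    salt = os.urandom(16)
    # Illustrative settings: a legacy account left at a low count versus the
    # current recommendation. Not LastPass's actual figures.
    legacy, current = 5_000, RECOMMENDED_MIN_ITERATIONS
    # Constructed benchmark: a rig evaluating 10^9 HMAC-SHA256 per second.
    rig = 1e9
    # Constructed keyspace: ten billion candidates from a weak password pattern.
    keyspace = 10 ** 10

    print(f"per-guess cost ratio current/legacy: {relative_cost(legacy, current):.0f}x")
    for label, it in (("legacy", legacy), ("current", current)):
        days = seconds_to_exhaust(keyspace, rig, it) / 86_400
        ms = time_one_derivation("sample master password", salt, it) * 1000
        print(
            f"{label:8s} {it:>8d} iterations | "
            f"{guesses_per_second(rig, it):>12,.0f} guesses/s | "
            f"exhaust {keyspace:,} candidates in {days:.1f} days | "
            f"local derive {ms:.1f} ms | meets minimum: {meets_minimum(it)}"
        )


if __name__ == "__main__":
    main()
```

The first two assertions in the accompanying test use published PBKDF2-HMAC-SHA256 test vectors, so the derivation can be checked against a known answer rather than only timed.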

Asked about LastPass’s continuing denials, Bax said that after the initial warning in our 2023 story, he naively hoped people would migrate their funds to new cryptocurrency wallets.

“While some did, the continued thefts underscore how much more needs to be done,” Bax told KrebsOnSecurity. “It’s validating to see the Secret Service and FBI corroborate our findings, but I’d much rather see fewer of these hacks in the first place. ZachXBT and SEAL 911 reported yet another wave of thefts as recently as December, showing the threat is still very real.”

Monahan said LastPass still hasn’t alerted their customers that their secrets—especially those stored in “Secure Notes”—may be at risk.

“It’s been two and a half years since LastPass was first breached [and] hundreds of millions of dollars has been stolen from individuals and companies around the globe,” Monahan said. “They could have encouraged users to rotate their credentials. They could’ve prevented millions and millions of dollars from being stolen by these threat actors. But instead they chose to deny that their customers were at risk and blame the victims instead.”

A recent cyberattack targeting the PowerSchool software, widely used by K-12 schools across the United States, has led to a significant data breach that could affect over 45 million students and educational staff nationwide. The breach has sparked widespread concerns both among the general public and within political circles, as the compromised data may have long-term consequences for the future of American citizens, particularly when it comes to privacy and security.

PowerSchool is a cloud-based platform that helps schools manage student information such as grades, attendance, medical history, social security numbers, student profiles, and communications between parents and educators. While designed to streamline administrative tasks, the software has now raised alarms due to its vulnerability to cyberattacks. The breach could lead to increased risks of phishing attempts and identity theft, as the stolen personal data could be exploited for malicious purposes.

Recent reports indicate that schools in North Dakota may have been particularly hard-hit by this breach. West Fargo Public Schools, for example, notified parents that the security incident could have far-reaching implications across the entire state’s educational districts. The breach’s scope and severity suggest that schools nationwide are facing a potential crisis in safeguarding sensitive data.

Data breaches of this scale often lead to a cascade of consequences for those affected. Victims of such breaches may experience a range of issues, including phishing scams, financial fraud, and even threats to their personal security. The stolen data could be used in attack campaigns not only targeting individuals but also sectors such as healthcare, manufacturing, transportation, and finance. With such wide-ranging implications, the breach is a reminder of how interconnected and vulnerable critical infrastructures are in today’s digital age.

Given the increasing frequency of cyberattacks targeting educational institutions, it is imperative to raise awareness within the school community about the current digital threats. Educators, administrators, and parents must be equipped with the knowledge and training to recognize potential risks and prevent similar breaches in the future. Additionally, adopting stronger cybersecurity measures—such as multi-factor authentication—can enhance the protection of sensitive school data. Limiting access to personal information to only necessary parties, and ensuring that parents and staff are properly vetted, will help reduce the likelihood of exploitation by cybercriminals.

Moreover, schools should have a data continuity plan in place to mitigate the impact of ransomware attacks, which are increasingly common. These plans, along with proactive measures to strengthen data security, can help ensure that in the event of an attack, the institution can quickly recover with minimal damage. By taking such precautions, schools can safeguard their data and the privacy of students and staff, ultimately reducing the risks associated with cyber threats.

The post PowerSchool software cyber attack might impact 45m students in the United States appeared first on Cybersecurity Insiders.

As we approach the end of 2024, it’s clear that the landscape of cyber threats has continued to evolve at an alarming pace. With an increasing reliance on digital infrastructures, both private and public sectors have become prime targets for malicious actors, leading to some of the most devastating ransomware attacks and data breaches in recent history. This article takes a closer look at the top ransomware attacks and data breaches of the year 2024, examining their impact, the methods used, and what organizations can learn from these incidents.

1. The HealthCorps Ransomware Attack: A Blow to the Healthcare Sector

Date: March 2024

Ransomware Group: Conti (Rebranded as Hades)

Victims: 5.6 million patient records

Sector: Healthcare

One of the most significant ransomware incidents of 2024 occurred in March, when the HealthCorps healthcare network, which operates across multiple states in the U.S., fell victim to a targeted Hades ransomware attack (formerly linked to the notorious Conti group). The cybercriminals gained access to 5.6 million patient records, including highly sensitive medical histories, insurance details, and personal identifiers.

The attackers initially demanded a ransom of $50 million but, after intense negotiations, the amount was reportedly reduced to $12 million. Despite this, HealthCorps ultimately decided against paying, relying instead on their backup systems and crisis response teams to mitigate the damage.

The breach led to widespread disruption, with many hospitals and medical facilities unable to access patient records for days. This attack highlights the growing vulnerability of the healthcare sector, where ransom demands not only threaten organizational integrity but also put patients’ health at risk.

Lessons Learned:
•    Stronger cybersecurity hygiene in healthcare is crucial, especially given the sensitive nature of patient data.
•    Implementing multi-layered defenses can slow down or even stop ransomware attacks before they escalate.

2. MetroLink Data Breach: The Digital Backbone of Public Transportation Hacked

Date: June 2024

Hack Group: Lazarus Group (Attributed to North Korea)

Victims: 15 million riders’ data

Sector: Public Transportation

In June 2024, MetroLink, a major public transportation network in the United States, was hit by a sophisticated data breach orchestrated by the Lazarus Group, a hacking collective linked to North Korea. This breach compromised the personal data of over 15 million riders, including names, contact information, payment details, and travel history.

The cyberattack reportedly stemmed from a supply chain vulnerability, with the attackers gaining access via a third-party vendor that had access to MetroLink’s customer database. The hackers also threatened to release ransomware if their demands for cryptocurrency were not met.

Although MetroLink responded swiftly by informing customers and offering credit monitoring services, the breach underscored the vulnerabilities in transportation networks, especially with the rise in smart ticketing and IoT (Internet of Things) devices used in public transit systems.

Lessons Learned:
•    Third-party risk management is a critical component of cybersecurity strategies, as attackers frequently exploit supply chain vulnerabilities.
•    Public sector organizations need to allocate more resources to cyber defense and resilience planning, particularly with the growing use of digital infrastructure.

3. BluePeak Financial Data Breach: Insider Threat and Vulnerability Exploitation

Date: April 2024

Attack Type: Insider Threat + Vulnerability Exploitation

Victims: 2.3 million customers

Sector: Finance

In one of the most high-profile data breaches of 2024, BluePeak Financial, a major investment firm, was infiltrated by a former employee who used stolen credentials to gain access to the company’s internal network. This insider threat, compounded by a critical vulnerability in BluePeak’s customer portal, allowed the attacker to exfiltrate data related to 2.3 million customers, including bank account numbers, transaction histories, and tax records.

While BluePeak initially believed the breach was a result of external hacking, further investigation revealed that the insider had collaborated with an external hacker group, REvil, to orchestrate the attack.

The breach triggered investigations by regulatory bodies, including the SEC, and led to a class-action lawsuit filed by affected customers.

The breach severely damaged the company’s reputation, and the data exposed led to widespread identity theft.

Lessons Learned:
•    Employee training and monitoring must be prioritized, especially in industries with access to sensitive financial data.
•    Regular vulnerability assessments and patch management processes are critical to prevent the exploitation of known vulnerabilities.

4. GlobalBank Ransomware Attack: A Global Financial Crisis Averted

Date: July 2024

Ransomware Group: BlackCat (ALPHV)

Victims: 50+ countries, 30 financial institutions

Sector: Banking and Finance

In a coordinated and global attack, GlobalBank, a multinational financial institution, was targeted by the BlackCat (also known as ALPHV) ransomware group in July 2024. The attack, which began with the breach of a cloud-based third-party service provider, affected over 30 financial institutions across 50 countries.

The ransomware encrypted critical banking systems, affecting everything from transaction processing to ATM operations, and demanding a ransom of $80 million in Bitcoin. The attack sent shockwaves through the financial industry, as millions of customers faced disruptions in their daily banking operations, including delays in fund transfers and blocked access to online accounts.

Fortunately, GlobalBank had invested heavily in its incident response infrastructure, including a robust disaster recovery plan, which allowed them to restore most of their systems within 48 hours without paying the ransom. The cybercriminals, however, leaked personal banking details of several high-profile customers online, further complicating the situation.

Lessons Learned:
•    Financial institutions must implement comprehensive incident response plans and data backups that ensure quick recovery in case of a major breach.
•    The use of cloud-based services requires strict controls and monitoring, as vulnerabilities in third-party providers can be exploited.

5. eComX Data Breach: Massive Customer Data Leak from an E-Commerce Giant

Date: September 2024

Hack Group: REvil

Victims: 110 million customer accounts

Sector: E-commerce

In September 2024, eComX, one of the world’s largest e-commerce platforms, suffered a devastating data breach that exposed 110 million customer accounts. The hackers, identified as the REvil ransomware group, had been silently exfiltrating data over several months, gathering names, addresses, payment card information, and purchase histories.

The breach was eventually discovered after unusual traffic was detected on eComX’s network, leading to an investigation that uncovered the extent of the attack. Although eComX had encrypted customer payment details, the leak still exposed a significant amount of personally identifiable information (PII).

Despite efforts to reassure customers, the breach caused a major public relations disaster, especially in the holiday shopping season. The company faced both regulatory fines and class-action lawsuits from affected customers.

Lessons Learned:
•    E-commerce platforms must prioritize data encryption and multi-factor authentication for both users and employees.
•    Timely detection is essential—businesses should implement advanced intrusion detection systems (IDS) to monitor unusual activity.

Conclusion: The Growing Threat of Ransomware and Data Breaches in 2024

The ransomware and data breach landscape in 2024 has been marked by increasingly sophisticated attacks, greater international coordination among cybercriminal groups, and growing concerns over the vulnerability of critical industries such as healthcare, finance, and public services. The impact of these breaches is not just financial—companies face reputation damage, legal consequences, and, in some cases, regulatory action.

For organizations, the key to mitigating such risks lies in proactive cybersecurity measures: regular software updates, strong access controls, employee education, and an effective incident response plan. As ransomware groups continue to evolve and target high-value sectors, staying ahead of the curve is crucial to safeguarding both sensitive data and organizational integrity.

The post Top 5 Ransomware Attacks and Data Breaches of 2024 appeared first on Cybersecurity Insiders.

The financial technology firm Finastra is investigating the alleged large-scale theft of information from its internal file transfer platform, KrebsOnSecurity has learned. Finastra, which provides software and services to 45 of the world’s top 50 banks, notified customers of the security incident after a cybercriminal began selling more than 400 gigabytes of data purportedly stolen from the company.

London-based Finastra has offices in 42 countries and reported $1.9 billion in revenues last year. The company employs more than 7,000 people and serves approximately 8,100 financial institutions around the world. A major part of Finastra’s day-to-day business involves processing huge volumes of digital files containing instructions for wire and bank transfers on behalf of its clients.

On November 8, 2024, Finastra notified financial institution customers that on Nov. 7 its security team detected suspicious activity on Finastra’s internally hosted file transfer platform. Finastra also told customers that someone had begun selling large volumes of files allegedly stolen from its systems.

“On November 8, a threat actor communicated on the dark web claiming to have data exfiltrated from this platform,” reads Finastra’s disclosure, a copy of which was shared by a source at one of the customer firms.

“There is no direct impact on customer operations, our customers’ systems, or Finastra’s ability to serve our customers currently,” the notice continued. “We have implemented an alternative secure file sharing platform to ensure continuity, and investigations are ongoing.”

But its notice to customers does indicate the intruder managed to extract or “exfiltrate” an unspecified volume of customer data.

“The threat actor did not deploy malware or tamper with any customer files within the environment,” the notice reads. “Furthermore, no files other than the exfiltrated files were viewed or accessed. We remain focused on determining the scope and nature of the data contained within the exfiltrated files.”

In a written statement in response to questions about the incident, Finastra said it has been “actively and transparently responding to our customers’ questions and keeping them informed about what we do and do not yet know about the data that was posted.” The company also shared an updated communication to its clients, which said while it was still investigating the root cause, “initial evidence points to credentials that were compromised.”

“Additionally, we have been sharing Indicators of Compromise (IOCs) and our CISO has been speaking directly with our customers’ security teams to provide updates on the investigation and our eDiscovery process,” the statement continues. Here is the rest of what they shared:

“In terms of eDiscovery, we are analyzing the data to determine what specific customers were affected, while simultaneously assessing and communicating which of our products are not dependent on the specific version of the SFTP platform that was compromised. The impacted SFTP platform is not used by all customers and is not the default platform used by Finastra or its customers to exchange data files associated with a broad suite of our products, so we are working as quickly as possible to rule out affected customers. However, as you can imagine, this is a time-intensive process because we have many large customers that leverage different Finastra products in different parts of their business. We are prioritizing accuracy and transparency in our communications.

Importantly, for any customers who are deemed to be affected, we will be reaching out and working with them directly.”

On Nov. 8, a cybercriminal using the nickname “abyss0” posted on the English-language cybercrime community BreachForums that they’d stolen files belonging to some of Finastra’s largest banking clients. The data auction did not specify a starting or “buy it now” price, but said interested buyers should reach out to them on Telegram.

abyss0’s Nov. 7 sales thread on BreachForums included many screenshots showing the file directory listings for various Finastra customers. Image: Ke-la.com.

According to screenshots collected by the cyber intelligence platform Ke-la.com, abyss0 first attempted to sell the data allegedly stolen from Finastra on October 31, but that earlier sales thread did not name the victim company. However, it did reference many of the same banks called out as Finastra customers in the Nov. 8 post on BreachForums.

The original October 31 post from abyss0, where they advertise the sale of data from several large banks that are customers of a large financial software company. Image: Ke-la.com.

The October sales thread also included a starting price: $20,000. By Nov. 3, that price had been reduced to $10,000. A review of abyss0’s posts to BreachForums reveals this user has offered to sell databases stolen in several dozen other breaches advertised over the past six months.

The apparent timeline of this breach suggests abyss0 gained access to Finastra’s file sharing system at least a week before the company says it first detected suspicious activity, and that the Nov. 7 activity cited by Finastra may have been the intruder returning to exfiltrate more data.

Maybe abyss0 found a buyer who paid for their early retirement. We may never know, because this person has effectively vanished. The Telegram account that abyss0 listed in their sales thread appears to have been suspended or deleted. Likewise, abyss0’s account on BreachForums no longer exists, and all of their sales threads have since disappeared.

It seems improbable that both Telegram and BreachForums would have given this user the boot at the same time. The simplest explanation is that something spooked abyss0 enough for them to abandon a number of pending sales opportunities, in addition to a well-manicured cybercrime persona.

In March 2020, Finastra suffered a ransomware attack that sidelined a number of the company’s core businesses for days. According to reporting from Bloomberg, Finastra was able to recover from that incident without paying a ransom.

This is a developing story. Updates will be noted with timestamps. If you have any additional information about this incident, please reach out to krebsonsecurity @ gmail.com or at protonmail.com.

In December 2023, KrebsOnSecurity revealed the real-life identity of Rescator, the nickname used by a Russian cybercriminal who sold more than 100 million payment cards stolen from Target and Home Depot between 2013 and 2014. Moscow resident Mikhail Shefel, who confirmed using the Rescator identity in a recent interview, also admitted reaching out because he is broke and seeking publicity for several new money-making schemes.

Mikhail “Mike” Shefel’s former Facebook profile. Shefel has since legally changed his last name to Lenin.

Mr. Shefel, who recently changed his legal surname to Lenin, was the star of last year’s story, Ten Years Later, New Clues in the Target Breach. That investigation detailed how the 38-year-old Shefel adopted the nickname Rescator while working as vice president of payments at ChronoPay, a Russian financial company that paid spammers to advertise fake antivirus scams, male enhancement drugs and knockoff pharmaceuticals.

Mr. Shefel did not respond to requests for comment in advance of that December 2023 profile. Nor did he respond to reporting here in January 2024 that he ran an IT company with a 34-year-old Russian man named Aleksandr Ermakov, who was sanctioned by authorities in Australia, the U.K. and U.S. for stealing data on nearly 10 million customers of the Australian health insurance giant Medibank.

But not long after KrebsOnSecurity reported in April that Shefel/Rescator also was behind the theft of Social Security and tax information from a majority of South Carolina residents in 2012, Mr. Shefel began contacting this author with the pretense of setting the record straight on his alleged criminal hacking activities.

In a series of live video chats and text messages, Mr. Shefel confirmed he indeed went by the Rescator identity for several years, and that he did operate a slew of websites between 2013 and 2015 that sold payment card data stolen from Target, Home Depot and a number of other nationwide retail chains.

Shefel claims the true mastermind behind the Target and other retail breaches was Dmitri Golubov, an infamous Ukrainian hacker known as the co-founder of Carderplanet, among the earliest Russian-language cybercrime forums focused on payment card fraud. Mr. Golubov could not be reached for comment, and Shefel says he no longer has the laptop containing evidence to support that claim.

Shefel asserts he and his team were responsible for developing the card-stealing malware that Golubov’s hackers installed on Target and Home Depot payment terminals, and that at the time he was technical director of a long-running Russian cybercrime community called Lampeduza.

“My nickname was MikeMike, and I worked with Dmitri Golubov and made technologies for him,” Shefel said. “I’m also godfather of his second son.”

Dmitri Golubov, circa 2005. Image: U.S. Postal Investigative Service.

A week after breaking the story about the 2013 data breach at Target, KrebsOnSecurity published Who’s Selling Cards from Target?, which identified a Ukrainian man who went by the nickname Helkern as Rescator’s original identity. But Shefel claims Helkern was subordinate to Golubov, and that he was responsible for introducing the two men more than a decade ago.

“Helkern was my friend, I [set up a] meeting with Golubov and him in 2013,” Shefel said. “That was in Odessa, Ukraine. I was often in that city, and [it’s where] I met my second wife.”

Shefel claims he made several hundred thousand dollars selling cards stolen by Golubov’s Ukraine-based hacking crew, but that not long after Russia annexed Crimea in 2014 Golubov cut him out of the business and replaced Shefel’s malware coding team with programmers in Ukraine.

Golubov was arrested in Ukraine in 2005 as part of a joint investigation with multiple U.S. federal law enforcement agencies, but his political connections in the country ensured his case went nowhere. Golubov later earned immunity from prosecution by becoming an elected politician and founding the Internet Party of Ukraine, which called for free internet for all, the creation of country-wide “hacker schools” and the “computerization of the entire economy.”

Mr. Shefel says he stopped selling stolen payment cards after being pushed out of the business, and invested his earnings in a now-defunct Russian search engine called tf[.]org. He also apparently ran a business called click2dad[.]net that paid people to click on ads for Russian government employment opportunities.

When those enterprises fizzled out, Shefel reverted to selling malware coding services for hire under the nickname “Getsend”; this claim checks out, as Getsend for many years advertised the same Telegram handle that Shefel used in our recent chats and video calls.

Shefel acknowledged that his outreach was motivated by a desire to publicize several new business ventures. None of those will be mentioned here because Shefel is already using my December 2023 profile of him to advertise what appears to be a pyramid scheme, and to remind others within the Russian hacker community of his skills and accomplishments.

Shefel says he is now flat broke, and that he currently has little to show for a storied hacking career. The Moscow native said he recently heard from his ex-wife, who had read last year’s story about him and was suddenly wondering where he’d hidden all of his earnings.

More urgently, Shefel needs money to stay out of prison. In February, he and Ermakov were arrested on charges of operating a short-lived ransomware affiliate program in 2021 called Sugar (a.k.a. Sugar Locker), which targeted single computers and end-users instead of corporations. Shefel is due to face those charges in a Moscow court on Friday, Nov. 15, 2024. Ermakov was recently found guilty and given two years probation.

Shefel claims his Sugar ransomware affiliate program was a bust, and never generated any profits. Russia is known for not prosecuting criminal hackers within its borders who scrupulously avoid attacking Russian businesses and consumers. When asked why he now faces prosecution over Sugar, Shefel said he’s certain the investigation was instigated by Pyotr “Peter” Vrublevsky — the son of his former boss at ChronoPay.

ChronoPay founder and CEO Pavel Vrublevsky was the key subject of my 2014 book Spam Nation, which described his role as head of one of Russia’s most notorious criminal spam operations.

Vrublevsky Sr. recently declared bankruptcy, and is currently in prison on fraud charges. Russian authorities allege Vrublevsky operated several fraudulent SMS-based payment schemes. They also accused Vrublevsky of facilitating money laundering for Hydra, the largest Russian darknet market at the time. Hydra trafficked in illegal drugs and financial services, including cryptocurrency tumbling for money laundering, exchange services between cryptocurrency and Russian rubles, and the sale of falsified documents and hacking services.

However, in 2022 KrebsOnSecurity reported on a more likely reason for Vrublevsky’s latest criminal charges: He’d been extensively documenting the nicknames, real names and criminal exploits of Russian hackers who worked with the protection of corrupt officials in the Russian Federal Security Service (FSB), and operating a Telegram channel that threatened to expose alleged nefarious dealings by Russian financial executives.

Shefel believes Vrublevsky’s son Peter paid corrupt cops to levy criminal charges against him after Shefel reported the youth to Moscow police, allegedly for walking around in public with a loaded firearm. Shefel says the Russian authorities told the younger Vrublevsky that he had lodged the firearms complaint.

In July 2024, the Russian news outlet Izvestia published a lengthy investigation into Peter Vrublevsky, alleging that the younger son took up his father’s mantle and was responsible for advertising Sprut, a Russian-language narcotics bazaar that sprang to life after the Hydra darknet market was shut down by international law enforcement agencies in 2022.

Izvestia reports that Peter Vrublevsky was the advertising mastermind behind this 3D ad campaign and others promoting the Russian online narcotics bazaar Sprut.

Izvestia reports that Peter Vrublevsky is currently living in Switzerland, where he reportedly fled in 2022 after being “arrested in absentia” in Russia on charges of running a violent group that could be hired via Telegram to conduct a range of physical attacks in real life, including firebombings and muggings.

Shefel claims his former partner Golubov was involved in the development and dissemination of early ransomware strains, including Cryptolocker, and that Golubov remains active in the cybercrime community.

Meanwhile, Mr. Shefel portrays himself as someone who is barely scraping by with the few odd coding jobs that come his way each month. Incredibly, the day after our initial interview via Telegram, Shefel proposed going into business together.

By way of example, he suggested maybe a company centered around recovering lost passwords for cryptocurrency accounts, or perhaps a series of online retail stores that sold cheap Chinese goods at a steep markup in the United States.

“Hi, how are you?” he inquired. “Maybe we can open business?”

Change Healthcare says it has notified approximately 100 million Americans that their personal, financial and healthcare records may have been stolen in a February 2024 ransomware attack that caused the largest ever known data breach of protected health information.


A ransomware attack at Change Healthcare in the third week of February quickly spawned disruptions across the U.S. healthcare system that reverberated for months, thanks to the company’s central role in processing payments and prescriptions on behalf of thousands of organizations.

In April, Change estimated the breach would affect a “substantial proportion of people in America.” On Oct. 22, the healthcare giant notified the U.S. Department of Health and Human Services (HHS) that “approximately 100 million notices have been sent regarding this breach.”

A notification letter from Change Healthcare said the breach involved the theft of:

- Health Data: Medical record #s, doctors, diagnoses, medicines, test results, images, care and treatment;
- Billing Records: Records including payment cards, financial and banking records;
- Personal Data: Social Security number; driver’s license or state ID number;
- Insurance Data: Health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers.

The HIPAA Journal reports that in the nine months ending on September 30, 2024, Change’s parent firm United Health Group had incurred $1.521 billion in direct breach response costs, and $2.457 billion in total cyberattack impacts.

Those costs include $22 million the company admitted to paying their extortionists — a ransomware group known as BlackCat and ALPHV — in exchange for a promise to destroy the stolen healthcare data.

That ransom payment went sideways when the affiliate who gave BlackCat access to Change’s network said the crime gang had cheated them out of their share of the ransom. The entire BlackCat ransomware operation shut down after that, absconding with all of the money still owed to affiliates who were hired to install their ransomware.

A breach notification from Change Healthcare.

A few days after BlackCat imploded, the same stolen healthcare data was offered for sale by a competing ransomware affiliate group called RansomHub.

“Affected insurance providers can contact us to prevent leaking of their own data and [remove it] from the sale,” RansomHub’s victim shaming blog announced on April 16. “Change Health and United Health processing of sensitive data for all of these companies is just something unbelievable. For most US individuals out there doubting us, we probably have your personal data.”

It remains unclear if RansomHub ever sold the stolen healthcare data. The chief information security officer for a large academic healthcare system affected by the breach told KrebsOnSecurity they participated in a call with the FBI and were told a third-party partner managed to recover at least four terabytes of data that was exfiltrated from Change by the cybercriminal group. The FBI did not respond to a request for comment.

Change Healthcare’s breach notification letter offers recipients two years of credit monitoring and identity theft protection services from a company called IDX. In the section of the missive titled “Why did this happen?,” Change shared only that “a cybercriminal accessed our computer system without our permission.”

But in June 2024 testimony to the Senate Finance Committee, it emerged that the intruders had stolen or purchased credentials for a Citrix portal used for remote access, and that no multi-factor authentication was required for that account.

Last month, Sens. Mark Warner (D-Va.) and Ron Wyden (D-Ore.) introduced a bill that would require HHS to develop and enforce a set of tough minimum cybersecurity standards for healthcare providers, health plans, clearinghouses and business associates. The measure also would remove the existing cap on fines under the Health Insurance Portability and Accountability Act, which severely limits the financial penalties HHS can issue against providers.

According to the HIPAA Journal, the biggest penalty imposed to date for a HIPAA violation was the paltry $16 million fine against the insurer Anthem Inc., which suffered a data breach in 2015 affecting 78.8 million individuals. Anthem reported revenues of around $80 billion in 2015.

A post about the Change breach from RansomHub on April 8, 2024. Image: Darkbeast, ke-la.com.

There is little that victims of this breach can do about the compromise of their healthcare records. However, because the data exposed includes more than enough information for identity thieves to do their thing, it would be prudent to place a security freeze on your credit file and on that of your family members if you haven’t already.

The best mechanism for preventing identity thieves from creating new accounts in your name is to freeze your credit file with Equifax, Experian, and TransUnion. This process is now free for all Americans, and simply blocks potential creditors from viewing your credit file. Parents and guardians can now also freeze the credit files for their children or dependents.

Since very few creditors are willing to grant new lines of credit without being able to determine how risky it is to do so, freezing your credit file with the Big Three is a great way to stymie all sorts of ID theft shenanigans. Having a freeze in place does nothing to prevent you from using existing lines of credit you may already have, such as credit cards, mortgage and bank accounts. When and if you ever do need to allow access to your credit file — such as when applying for a loan or new credit card — you will need to lift or temporarily thaw the freeze in advance with one or more of the bureaus.

All three bureaus allow users to place a freeze electronically after creating an account, but all of them try to steer consumers away from enacting a freeze. Instead, the bureaus are hoping consumers will opt for their confusingly named “credit lock” services, which accomplish the same result but allow the bureaus to continue selling access to your file to select partners.

If you haven’t done so in a while, now would be an excellent time to review your credit file for any mischief or errors. By law, everyone is entitled to one free credit report every 12 months from each of the three credit reporting agencies. But the Federal Trade Commission notes that the big three bureaus have permanently extended a program enacted in 2020 that lets you check your credit report at each of the agencies once a week for free.

Brazilian authorities reportedly have arrested a 33-year-old man on suspicion of being “USDoD,” a prolific cybercriminal who rose to infamy in 2022 after infiltrating the FBI’s InfraGard program and leaking contact information for 80,000 members. More recently, USDoD was behind a breach at the consumer data broker National Public Data that led to the leak of Social Security numbers and other personal information for a significant portion of the U.S. population.

USDoD’s InfraGard sales thread on Breached.

The Brazilian news outlet TV Globo first reported the news of USDoD’s arrest, saying the Federal Police arrested a 33-year-old man from Belo Horizonte. According to TV Globo, USDoD is wanted domestically in connection with the theft of data on Brazilian Federal Police officers.

USDoD was known to use the hacker handles “Equation Corp” and “NetSec,” and according to the cyber intelligence platform Intel 471 NetSec posted a thread on the now-defunct cybercrime community RaidForums on Feb. 22, 2022, in which they offered the email address and password for 659 members of the Brazilian Federal Police.

TV Globo didn’t name the man arrested, but the Portuguese tech news outlet Tecmundo published a report in August 2024 that named USDoD as 33-year-old Luan BG from Minas Gerais, Brazil. Tecmundo said it learned the hacker’s real identity after being given a draft of a detailed, non-public report produced by the security firm CrowdStrike.

CrowdStrike did not respond to a request for comment. But a week after Tecmundo’s piece, the tech news publication hackread.com published a story in which USDoD reportedly admitted that CrowdStrike was accurate in identifying him. Hackread said USDoD shared a statement, which was partially addressed to CrowdStrike:

A recent statement by USDoD, after he was successfully doxed by CrowdStrike and other security firms. Image: Hackread.com.

In August 2024, a cybercriminal began selling Social Security numbers and other personal information stolen from National Public Data, a private data broker in Florida that collected and sold SSNs and contact data for a significant slice of the American population.

Additional reporting revealed National Public Data had inadvertently published its own passwords on the Internet. The company is now the target of multiple class-action lawsuits, and recently declared bankruptcy. In an interview with KrebsOnSecurity, USDoD acknowledged stealing the NPD data earlier this year, but claimed he was not involved in leaking or selling it.

In December 2022, KrebsOnSecurity broke the news that USDoD had social-engineered his way into the FBI’s InfraGard program, an FBI initiative designed to build informal information sharing partnerships with vetted professionals in the private sector concerning cyber and physical threats to critical U.S. national infrastructure.

USDoD applied for InfraGard membership using the identity of the CEO of a major U.S. financial company. Even though USDoD listed the real mobile phone number of the CEO, the FBI apparently never reached the CEO to validate his application, because the request was granted just a few weeks later. After that, USDoD said he used a simple program to collect all of the contact information shared by more than 80,000 InfraGard members.

The FBI declined to comment on reports about USDoD’s arrest.

In a lengthy September 2023 interview with databreaches.net, USDoD told the publication he was a man in his mid-30s who was born in South America and who holds dual citizenship in Brazil and Portugal. Toward the end of that interview, USDoD said they were planning to launch a platform for acquiring military intelligence from the United States.

Databreaches.net told KrebsOnSecurity USDoD has been a regular correspondent since that 2023 interview, and that after being doxed USDoD made inquiries with a local attorney to learn if there were any open investigations or charges against him.

“From what the lawyer found out from the federal police, they had no open cases or charges against him at that time,” Databreaches.net said. “From his writing to me and the conversations we had, my sense is he had absolutely no idea he was in imminent danger of being arrested.”

When KrebsOnSecurity last communicated with USDoD via Telegram on Aug. 15, 2024, they claimed they were “planning to retire and move on from this,” referring to multiple media reports that blamed USDoD for leaking nearly three billion consumer records from National Public Data.

Less than four days later, however, USDoD was back on his normal haunt at BreachForums, posting custom exploit code he claimed to have written to attack recently patched vulnerabilities in a popular theme made for WordPress websites.

In 2023, the healthcare sector continued to face significant challenges with data breaches, exposing sensitive information and highlighting vulnerabilities in cybersecurity practices. Here’s a look at some of the largest healthcare data breaches of the year, reflecting the increasing sophistication of cyberattacks and the critical need for robust data protection measures.

1. Health Systems Group Cyberattack

In one of the most significant breaches of the year, Health Systems Group, a major provider of electronic health record (EHR) services, suffered a massive cyberattack in March. The breach compromised the personal and medical information of over 2 million patients. The attackers exploited a vulnerability in the company’s network, gaining access to patient names, Social Security numbers, medical records, and insurance details. The breach prompted widespread concerns about the security of third-party health data providers and led to a comprehensive review of cybersecurity protocols across the industry.

2. State Health Department Data Leak

In June, a prominent state health department experienced a substantial data leak due to a ransomware attack. This incident affected approximately 1.5 million individuals. The attackers gained access to sensitive data, including health records, mental health information, and contact details. The department’s response included notifying affected individuals and offering free credit monitoring services. The breach underscored the vulnerability of public health systems to cyber threats and the need for enhanced protective measures.

3. MedTech Solutions Breach

MedTech Solutions, a leading medical technology company, faced a significant data breach in August. Hackers targeted the company’s cloud storage systems, extracting the personal health information of around 1.2 million patients. The stolen data included medical histories, treatment plans, and patient demographics. The breach highlighted the risks associated with cloud-based storage solutions and the importance of securing cloud environments against unauthorized access.

4. National Health Network Incident

In September, the National Health Network, which connects numerous healthcare providers and institutions, was hit by a sophisticated cyberattack that affected over 800,000 patients. The breach was attributed to a phishing scheme that led to unauthorized access to multiple provider systems. Compromised data included patient names, medical histories, and prescription information. The incident emphasized the need for enhanced employee training on cybersecurity and more rigorous monitoring of network activities.

5. PharmaCare Systems Attack

PharmaCare Systems, a major player in pharmaceutical data management, reported a severe data breach in November. The attack compromised the information of 700,000 individuals, including prescription histories, personal identification details, and payment information. The breach was attributed to a coordinated attack by a well-known hacking group, leading to a significant disruption in the company’s operations and a major push for improved data encryption and incident response strategies.

Implications and Moving Forward

These breaches underscore a growing trend of cyberattacks targeting the healthcare industry. With the increasing digitization of health records and reliance on electronic systems, the healthcare sector remains a prime target for cybercriminals. The year 2023 has highlighted several critical areas for improvement, including:

• Enhanced Cybersecurity Measures: Strengthening defenses against ransomware and other cyber threats through advanced encryption, multi-factor authentication, and regular security audits.
• Employee Training: Providing ongoing training for healthcare staff to recognize and respond to phishing attempts and other cyber threats.
• Incident Response Plans: Developing and regularly updating incident response plans to ensure quick and effective action in the event of a breach.
• Regulatory Compliance: Adhering to regulatory requirements and industry standards to ensure robust data protection practices.

As the healthcare sector continues to navigate these challenges, the focus on improving cybersecurity will be essential in safeguarding sensitive patient information and maintaining trust in the digital age.

The post Largest Healthcare Data Breaches of 2023 appeared first on Cybersecurity Insiders.

New details are emerging about a breach at National Public Data (NPD), a consumer data broker that recently spilled hundreds of millions of Americans’ Social Security Numbers, addresses, and phone numbers online. KrebsOnSecurity has learned that another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today.

In April, a cybercriminal named USDoD began selling data stolen from NPD. In July, someone leaked what was taken, including the names, addresses, phone numbers and in some cases email addresses for more than 272 million people (including many who are now deceased).

NPD acknowledged the intrusion on Aug. 12, saying it dates back to a security incident in December 2023. In an interview last week, USDoD blamed the July data leak on another malicious hacker who also had access to the company’s database, which they claimed has been floating around the underground since December 2023.

Following last week’s story on the breadth of the NPD breach, a reader alerted KrebsOnSecurity that a sister NPD property — the background search service recordscheck.net — was hosting an archive that included the username and password for the site’s administrator.

A review of that archive, which was available from the Records Check website until just before publication this morning (August 19), shows it includes the source code and plain text usernames and passwords for different components of recordscheck.net, which is visually similar to nationalpublicdata.com and features identical login pages.

The exposed archive, which was named “members.zip,” indicates RecordsCheck users were all initially assigned the same six-character password and instructed to change it, but many did not.

According to the breach tracking service Constella Intelligence, the passwords included in the source code archive are identical to credentials exposed in previous data breaches that involved email accounts belonging to NPD’s founder, an actor and retired sheriff’s deputy from Florida named Salvatore “Sal” Verini.

Reached via email, Mr. Verini said the exposed archive (a .zip file) containing recordscheck.net credentials has been removed from the company’s website, and that the site is slated to cease operations “in the next week or so.”

“Regarding the zip, it has been removed but was an old version of the site with non-working code and passwords,” Verini told KrebsOnSecurity. “Regarding your question, it is an active investigation, in which we cannot comment on at this point. But once we can, we will [be] with you, as we follow your blog. Very informative.”

The leaked recordscheck.net source code indicates the website was created by a web development firm based in Lahore, Pakistan called creationnext.com, which did not return messages seeking comment. CreationNext.com’s homepage features a positive testimonial from Sal Verini.

A testimonial from Sal Verini on the homepage of CreationNext, the Lahore, Pakistan-based web development firm that apparently designed NPD and RecordsCheck.

There are now several websites that have been stood up to help people learn if their SSN and other data was exposed in this breach. One is npdbreach.com, a lookup page erected by Atlas Data Privacy Corp. Another lookup service is available at npd.pentester.com. Both sites show NPD had old and largely inaccurate data on Yours Truly.

The best advice for those concerned about this breach is to freeze one’s credit file at each of the major consumer reporting bureaus. Having a freeze on your files makes it much harder for identity thieves to create new accounts in your name, and it limits who can view your credit information.

A freeze is a good idea because all of the information that ID thieves need to assume your identity is now broadly available from multiple sources, thanks to the multiplicity of data breaches we’ve seen involving SSN data and other key static data points about people.

Screenshots of a Telegram-based ID theft service that was selling background reports using hacked law enforcement accounts at USInfoSearch.

There are numerous cybercriminal services that offer detailed background checks on consumers, including full SSNs. These services are powered by compromised accounts at data brokers that cater to private investigators and law enforcement officials, and some are now fully automated via Telegram instant message bots.

In November 2023, KrebsOnSecurity wrote about one such service, which was being powered by hacked accounts at the U.S. consumer data broker USInfoSearch.com. This is notable because the leaked source code indicates Records Check pulled background reports on people by querying NPD’s database and records at USInfoSearch. KrebsOnSecurity sought comment from USInfoSearch and will update this story if they respond.

The point is, if you’re an American who hasn’t frozen their credit files and you haven’t yet experienced some form of new account fraud, the ID thieves probably just haven’t gotten around to you yet.

All Americans are also entitled to obtain a free copy of their credit report weekly from each of the three major credit bureaus. It used to be that consumers were allowed one free report from each of the bureaus annually, but in October 2023 the Federal Trade Commission announced the bureaus had permanently extended a program that lets you check your credit report once a week for free.

If you haven’t done this in a while, now would be an excellent time to order your files. To place a freeze, you’ll need to create an account at each of the three major reporting bureaus, Equifax, Experian and TransUnion. Once you’ve established an account, you should be able to then view and freeze your credit file. If you spot errors, such as random addresses and phone numbers you don’t recognize, do not ignore them. Dispute any inaccuracies you may find.

In today’s digital landscape, Chief Information Officers (CIOs) face unprecedented challenges in safeguarding their organizations from cyber threats and data breaches. As technology evolves, so do the methods employed by cybercriminals, making it crucial for CIOs to adopt a proactive and comprehensive approach to cybersecurity. While it’s impossible to guarantee complete immunity from all threats, a well-strategized and multi-layered defense can significantly mitigate risks and enhance organizational resilience.

1. Implement a Robust Cybersecurity Framework: A solid cybersecurity framework is the foundation of any effective defense strategy. Adopting widely recognized frameworks such as the NIST Cybersecurity Framework or ISO/IEC 27001 helps CIOs create structured and standardized security protocols. These frameworks offer guidelines for identifying, protecting against, detecting, responding to, and recovering from cyber threats.

2. Prioritize Employee Training and Awareness: Human error remains one of the most common causes of data breaches. Regular training and awareness programs are essential for educating employees about cybersecurity best practices, phishing scams, and safe data handling procedures. Ensuring that staff are well-informed and vigilant can significantly reduce the likelihood of security breaches caused by human factors.

3. Invest in Advanced Threat Detection Tools: Advanced threat detection tools and technologies, such as intrusion detection systems (IDS), security information and event management (SIEM) solutions, and artificial intelligence (AI)-powered analytics, play a crucial role in identifying and responding to potential threats in real time. Investing in these technologies allows CIOs to monitor network activity, detect anomalies, and respond to incidents more effectively.

4. Ensure Regular Software Updates and Patch Management: Outdated software and unpatched vulnerabilities are common entry points for cyber attackers. CIOs should establish a routine for regular software updates and patch management to address security vulnerabilities promptly. Implementing automated patch management systems can help streamline this process and reduce the risk of exploitation.

5. Enforce Strong Access Controls and Authentication: Robust access controls and authentication mechanisms are vital for protecting sensitive data. Implementing multi-factor authentication (MFA), enforcing strong password policies, and using role-based access controls (RBAC) can help ensure that only authorized personnel have access to critical systems and data.

6. Develop a Comprehensive Incident Response Plan: Despite best efforts, breaches may still occur. Having a well-defined incident response plan is essential for minimizing damage and ensuring a swift recovery. This plan should include clear procedures for identifying, containing, and mitigating the impact of a breach, as well as communication strategies for notifying stakeholders and regulatory bodies.

7. Conduct Regular Security Audits and Assessments: Regular security audits and assessments help identify vulnerabilities and gaps in the current security posture. Engaging with third-party security experts to perform penetration testing and vulnerability assessments can provide valuable insights and recommendations for strengthening defenses.

8. Foster a Culture of Security: Creating a culture of security within the organization is crucial for long-term success. This involves not only implementing technical solutions but also embedding security practices into the organizational culture. Encouraging employees to take ownership of their role in cybersecurity and fostering an environment where security is a shared responsibility can enhance overall security posture.

9. Stay Informed and Adapt: Cyber threats are constantly evolving, and staying informed about the latest trends and emerging threats is essential for effective risk management. CIOs should participate in industry forums, collaborate with cybersecurity professionals, and continuously adapt their strategies to address new challenges.

10. Leverage Cyber Insurance: While not a substitute for strong security measures, cyber insurance can provide financial protection in the event of a breach. CIOs should evaluate their organization’s risk profile and consider investing in cyber insurance to help mitigate potential financial losses and facilitate recovery efforts.

Conclusion

While complete avoidance of cyber threats and data breaches may not be feasible, CIOs can significantly reduce their organization’s risk by implementing a comprehensive and proactive cybersecurity strategy. By focusing on robust frameworks, employee training, advanced tools, and regular assessments, CIOs can build a resilient defense against the ever-evolving landscape of cyber threats. In an era where data security is paramount, a vigilant and informed approach is the best defense against potential breaches.

The post Can a CIO Avoid Cyber Threats and Data Breaches? appeared first on Cybersecurity Insiders.