Cyber Incident Weekly Report - Week of April 22, 2024


MITRE Corporation Confirms Breach Following Vulnerability Exploitation

WHAT HAPPENED: In a blog post released on Friday, April 19, 2024, the MITRE Corporation explained that unidentified threat actors compromised one of the company's Virtual Private Networks (VPNs) by exploiting a vulnerability in Ivanti Connect Secure. According to MITRE's CTO, the threat actors exploited the vulnerability in early January and then moved laterally into MITRE's VMware infrastructure, all before the zero-day CVE was disclosed and reported by Ivanti. The threat actors are believed to have reached "deep" parts of MITRE's unclassified networks. An investigation is ongoing, but the organization wanted to disclose the incident rapidly and will provide more technical details in the coming weeks.

CONCERNING: MITRE, Cyber Incident, Vulnerability Exploitation, Nation-state Hackers

SENSCY'S ANALYSIS: MITRE is one of the most trusted names in information security and cybersecurity, and it is widely known for its MITRE ATT&CK framework, a knowledge base of adversary tactics and techniques. This attack is an important reminder that sophisticated threat actors can breach even the most cyber-mature organizations. The vulnerabilities used to breach MITRE affected thousands of VPN instances before a patch was released. The irony is that the threat actors used eight MITRE ATT&CK techniques to breach MITRE itself. The impact of such an attack should not be taken lightly: MITRE conducts research and development in many fields and supports the U.S. government in numerous research programs, including national defense programs. Since the threat actors had access for over three months, they may well have tampered with data, which could have a significant ripple effect because MITRE is an integral part of many organizations' supply chains. Threat actors, especially those sponsored by nation-states, usually act with strategic motivation, and targeting MITRE is highly likely to be one aspect of a much larger operation.

Indiana Water Plant Suffers Cyber Attack from Russian Hackers

WHAT HAPPENED: The Tipton Municipal Utilities (TMU) water plant and wastewater treatment plant suffered a cyber attack claimed by the Russia-linked threat actor known as Cyber Army of Russia. The group posted a video on its Telegram account showing how it interacted with the Tipton Wastewater Treatment Plant system. TMU's general manager commented on the incident: "TMU experienced minimal disruption and remained operational at all times." The Cyber Army of Russia is believed to be linked to another Russian hacking group, Sandworm, and was also responsible for a cyber attack on a water plant in Texas that caused one of the tanks to overflow.

CONCERNING: Water Agency, Critical Infrastructure, State-Sponsored Hackers, Tipton Municipal Utilities

SENSCY'S ANALYSIS: SensCy continues to monitor the increase in cyber attacks targeting U.S. water plants and wastewater management organizations. The majority of the recent hacks were claimed by state-sponsored hacking groups, which raises national security concerns, since any compromise or disruption of water supplies could significantly impact public safety and health. Most state-sponsored hacking groups have a geopolitical motivation rather than a financial one; their objectives are exerting influence, projecting power, or attempting to undermine their adversaries. Targeting parts of the critical infrastructure, such as a water plant, is likely part of a broader strategy to assert dominance and gain leverage in diplomatic negotiations. While the investigation is ongoing and the first reports indicate limited damage, the attack on TMU likely served as a form of deterrence or coercion, signaling the group's capabilities and willingness to use cyber means to achieve its objectives. The Cyber Army of Russia is known for carrying out attacks against countries it deems unfriendly to Russia, and it often collaborates with other Russian hackers. To counter the rise of cyber attacks against water and wastewater organizations in the U.S., all organizations must share intelligence on cyber incidents to better prepare for, detect, and respond to a potential attack and to safeguard national security interests in an increasingly interconnected and digitally dependent world.

Kaiser Permanente Confirms Data Breach May Impact 13.4 Million Patients

WHAT HAPPENED: Kaiser Permanente, an integrated managed care consortium and one of the largest nonprofit health plans in the U.S., confirmed that information on 13.4 million current and former members and patients was leaked to third-party vendors and trackers on its websites and mobile applications. The personal data was transmitted to third-party vendors including Google, Microsoft, and X (formerly Twitter). The information may include IP addresses, names, search terms used in the health encyclopedia, and details showing how a member or patient interacted with and navigated through the website. The statement released highlights that the exposed data does not include usernames, passwords, Social Security numbers, or financial information. The trackers have now been removed.

CONCERNING: Kaiser Permanente, Data Breach, Third-party Vendor, Healthcare

SENSCY'S ANALYSIS: Kaiser Permanente is not unfamiliar with managing data breaches; in June 2022, unauthorized access to an employee's email account exposed the health information of over 69,000 patients. This time, the data was leaked to third-party vendors, which typically collect data using trackers and share it with an extensive network of data brokers, advertisers, and marketers. This exposes Kaiser Permanente patients and staff to targeted advertising, phishing campaigns, targeted marketing scams, and identity theft. Organizations like Kaiser Permanente should make an extensive effort to limit the data shared with trackers on their websites by implementing a combination of technical measures, privacy policies, and user controls to protect patient data. Here are a few steps an organization can take. First, conduct a comprehensive audit of all third-party trackers used on websites and mobile applications to evaluate the necessity of each tracker and assess the type of data it collects, how it is used, and whether it complies with privacy regulations. Then, limit the trackers to only the essential ones, and ensure that all unnecessary trackers are removed or fully disabled. Choose trackers that prioritize user privacy and comply with privacy regulations such as GDPR or HIPAA. Finally, implement a process to anonymize patient and employee data before it is shared with third-party trackers, removing all personally identifiable information (PII) to minimize the risk of a data breach and privacy violations.
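The first step above, auditing which third parties a page loads resources from, can be started with a static pass over the HTML. The following script is an added example, not code from SensCy or from Kaiser Permanente: it parses a page, treats every script, iframe, image and link whose host falls outside the site's own registrable domain as a third party, and groups the findings per vendor so each one can be reviewed for necessity and for the data it may receive. The sample page, the domain names in it, and the crude "last two labels" approximation of a registrable domain are all constructed assumptions; a production audit would use the public suffix list and would also run in a browser to catch trackers injected by other scripts at runtime.

```python
"""Static audit of third-party trackers referenced by an HTML page.

Added example (not from the SensCy report). Given a page's HTML and the
site's own host, list every external script, iframe, image or link and
group the results by the third-party domain that receives the request.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose src/href attribute causes a network request to be made.
RESOURCE_ATTRS = {
    "script": "src",
    "iframe": "src",
    "img": "src",
    "link": "href",
}


def registrable_domain(host):
    """Approximate eTLD+1 by keeping the last two labels.

    This is an assumption that works for hosts such as www.example.com;
    a real audit should consult the public suffix list instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class ThirdPartyAuditor(HTMLParser):
    """Collects (tag, url, domain) for every resource hosted off-site."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = registrable_domain(first_party_host)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        url = dict(attrs).get(attr_name)
        if not url:
            return
        # Relative URLs carry no host and are first-party by construction;
        # absolute and scheme-relative (//host/...) URLs are checked.
        host = urlparse(url).hostname
        if host is None:
            return
        domain = registrable_domain(host)
        if domain != self.first_party:
            self.findings.append((tag, url, domain))


def audit_html(html, first_party_host):
    """Return a list of (tag, url, third_party_domain) tuples."""
    parser = ThirdPartyAuditor(first_party_host)
    parser.feed(html)
    parser.close()
    return parser.findings


def summarize(findings):
    """Group findings by third-party domain so each vendor is reviewed once."""
    summary = {}
    for tag, url, domain in findings:
        summary.setdefault(domain, []).append((tag, url))
    return summary


# Constructed sample page; none of these hosts is a real site.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="/static/app.js"></script>
<script src="https://cdn.example-analytics.net/tag.js"></script>
<link rel="preconnect" href="https://fonts.example-cdn.org">
</head><body>
<img src="https://pixel.example-ads.com/px.gif?uid=123" alt="">
<img src="https://www.example-health.org/logo.png" alt="logo">
<iframe src="https://widgets.example-social.com/like"></iframe>
</body></html>
"""

if __name__ == "__main__":
    report = summarize(audit_html(SAMPLE_HTML, "www.example-health.org"))
    for domain, items in sorted(report.items()):
        print(domain)
        for tag, url in items:
            print(f"  <{tag}> {url}")
```

The output lists four external domains for the sample page while the first-party stylesheet, script and logo are ignored. Each listed domain is a review item: decide whether it is essential, what query-string or cookie data it receives (the `uid` parameter on the pixel is the kind of identifier the anonymization step should strip), and whether a contract and privacy assessment cover it.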


Interested in understanding the threat level of cyberattacks at your organization? Access our free cyberhealth evaluation here: https://senscy.com/free-cybersecurity-assessment-senscy-score/

Mark Alan Bartholomew

Applied physics.(JOIN ME) the work presented here is entirely new

10 months

There seems to be a culture almost of spying.... surveilling.... collecting data,.... our apps all do it, and our government has been doing it for probably longer than any of us would want to consider. What we get away with, ... this effort to make profit has all of us acting like fools. If we could simply take the mystery out of human behavior, and open the eyes of our establishment. Folks in our science markets found out through the double slit experiment that observers affect outcomes. However, there are some who know this and have known this; we write about it in our scripture(s), and in ancient documents from Greece, who travelled to Egypt, only then to write and to provide things like Pythagoras's theorem. Of course our polygonal constructions in our pyramids would suggest that the pyramids were not constructed by Egyptians; there is definitely something else going on. And so we see and have seen this concerted effort to conceal,... and now... to surveil, as if we are protecting some knowledge, some now formed technology(s) behind the scenes and taking large swaths of tax monies to accomplish. Join me and almost 200 faculty in ushering in a new age of understanding. MARK applied physics
