Cyber Incident Weekly Report - Week of April 8, 2024
Home Depot Suffers Supply Chain Data Breach
WHAT HAPPENED: Home Depot, North America's largest home improvement retailer, confirmed it suffered a data breach this week after a third-party software vendor (SaaS) exposed employee data. While Home Depot did not disclose which vendor was breached, it explained that the exposed data includes names, corporate IDs, and email addresses of a "small sample" of its employees. The threat actor IntelBroker disclosed limited data of around 10,000 employees.
CONCERNING: Data Breach, Home Depot, Third-party Risk, SaaS
SENSCY'S ANALYSIS: Mitigating third-party cyber risk can be extremely challenging for organizations of all sizes, but it is crucial to safeguarding data against breaches. Conducting thorough assessments of third-party vendors before engaging in business relationships is a great way to evaluate their cybersecurity protocols, data handling practices, and compliance with relevant regulations. This gives the organization a good understanding of its potential gaps and exposure when engaging with a new vendor. If a decision is made to start a partnership, establishing clear contractual agreements with the vendor outlining cybersecurity responsibilities, including data protection measures, incident response procedures, and liability in the event of a breach, is critical. Next, implementing a process for regular audits and continuous monitoring of third-party vendors, including vulnerability scanning, penetration testing, and periodic assessments, would significantly reduce the likelihood of a successful data breach. Finally, SensCy recommends the implementation of data encryption and access control protocols, enforcing encryption for sensitive data transmitted and stored by the third-party vendor. Implementing strict access controls limits the exposure of sensitive data and ensures that only authorized personnel can access it. While there are more measures a company can take, including training and cyber insurance, SensCy believes these measures can effectively mitigate third-party risks and reduce the likelihood and impact of a data breach.
Investigation Confirms Data Breach at Wisconsin Healthcare Organization
WHAT HAPPENED: Group Health Cooperative of South Central Wisconsin (GHC-SCW) is notifying impacted individuals following an investigation into an incident that occurred on January 25, 2024. According to the notice, GHC-SCW identified unauthorized access to its network, and while the hacker was unable to deploy file-encrypting ransomware, the investigation confirms that “the attacker had copied some of GHC-SCW’s data, which included protected health information (PHI).” The incident impacts 530,000 individuals. The BlackSuit ransomware gang claimed the attack.
CONCERNING: Non-profit Healthcare Cooperative, Wisconsin, Data Breach, Protected Health Information (PHI)
SENSCY'S ANALYSIS: The ransomware group that claimed responsibility for the attack, BlackSuit, is suspected by the US cybersecurity agency CISA and the FBI to be a rebrand of the notorious Royal ransomware group. Since it became active in September 2022, the group has targeted at least 350 organizations and demanded over $275 million in ransoms. The suspicion around Royal’s rebranding is supported by the fact that “BlackSuit ransomware shares a number of identified coding characteristics similar to Royal.” In addition, BlackSuit and Royal have aggressively targeted healthcare organizations and the public health sector. SensCy recommends that all healthcare organizations, especially non-profits, review and implement the recommendations from the US Health Department on BlackSuit and Royal. Threat actors regard healthcare organizations as high-reward targets due to the immense amount of personal information they store. Recent attacks reported by SensCy, including the attack on the UnitedHealth Group subsidiary Change Healthcare, highlighted the potentially disastrous consequences of a successful attack on a healthcare organization.
East Central University, Oklahoma, Investigates Ransomware Attack
WHAT HAPPENED: An ongoing investigation is taking place at East Central University (ECU) in Oklahoma after an incident in February. In multiple advisories, the school explained that threat actors were able to access information “of individual names and Social Security numbers.” The advisories also mentioned the BlackSuit group as being responsible for the attack. The school’s IT team worked with external cybersecurity specialists to stop the attack and already enforced a password reset.
CONCERNING: East Central University, Oklahoma, Ransomware, BlackSuit, Academia.
SENSCY'S ANALYSIS: While information on the investigation is limited, the notice provided by the school gives us enough information to begin a potential analysis. Although ECU does not know how the ransomware group accessed the school’s systems, the notice indicates an increase in phishing emails in the days leading up to the attack. Threat actors will flood potential targets with phishing emails before an attack for several reasons. The most obvious is to increase the chances of reaching a wider audience, including individuals with access to valuable information or resources the threat actors can exploit. Phishing campaigns are also used to test the targets' susceptibility. By observing the response rate to different phishing emails, threat actors can refine their techniques and tailor future attacks for better success. Finally, phishing campaigns can create noise and confusion among security and IT teams, making it harder to detect and respond to the real threat. This tactic can serve as a smokescreen to divert attention from the threat actors’ actual target.
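The pre-attack surge in phishing emails described above is a signal a security team can baseline and alert on rather than discover in hindsight. The following is an added example, not code from this report, from SensCy or from ECU: it flags days on which the volume of user-reported phishing emails exceeds a robust baseline built from the prior week (median plus scaled median absolute deviation, so a single bad day does not inflate the baseline). The daily counts are constructed sample data, and the window length, multiplier and minimum-count floor are assumptions to be tuned per organization.

```python
from statistics import median
from typing import Dict, List, Tuple

# Constructed sample input (not real data): user-reported phishing emails per day.
# The last two days model the kind of surge the ECU notice describes.
REPORTED_PHISHING: Dict[str, int] = {
    "2024-02-01": 3, "2024-02-02": 4, "2024-02-03": 2, "2024-02-04": 3,
    "2024-02-05": 5, "2024-02-06": 3, "2024-02-07": 4, "2024-02-08": 2,
    "2024-02-09": 4, "2024-02-10": 3, "2024-02-11": 19, "2024-02-12": 27,
}

# Scale factor that makes the MAD comparable to a standard deviation
# for normally distributed data.
MAD_SCALE = 1.4826


def phishing_spikes(counts: Dict[str, int],
                    baseline_days: int = 7,   # assumed: one week of history
                    k: float = 3.0,           # assumed: "3 sigma" style multiplier
                    min_count: int = 5        # assumed: floor so tiny baselines don't fire
                    ) -> List[Tuple[str, int, float]]:
    """Return (day, count, threshold) for each day whose phishing-report count
    exceeds median + k * MAD_SCALE * MAD of the preceding baseline window.

    The median/MAD baseline is deliberately robust: once a spike day enters
    the window it barely moves the threshold, so a second surge day is still
    detected instead of being masked by the first."""
    days = sorted(counts)           # ISO dates sort chronologically as strings
    spikes: List[Tuple[str, int, float]] = []
    for i in range(baseline_days, len(days)):
        window = [counts[d] for d in days[i - baseline_days:i]]
        med = median(window)
        mad = median(abs(x - med) for x in window)
        threshold = max(med + k * MAD_SCALE * mad, float(min_count))
        today = counts[days[i]]
        if today > threshold:
            spikes.append((days[i], today, round(threshold, 2)))
    return spikes


if __name__ == "__main__":
    for day, n, thr in phishing_spikes(REPORTED_PHISHING):
        print(f"{day}: {n} reports (threshold {thr}) -> review mail gateway "
              f"logs, credential resets and MFA coverage for recipients")
```

A spike on this signal is not proof of an intrusion, but it is a cheap trigger to pull the same-day mail gateway logs, check which recipients clicked or replied, and confirm that password resets and MFA are in place for them before, rather than after, an intrusion is confirmed.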
Interested in understanding the threat level of cyberattacks at your organization? Access our free cyberhealth evaluation here: https://senscy.com/free-cybersecurity-assessment-senscy-score/
Embracing cybersecurity is pivotal in today's digital landscape. Plato once implied that the key to doing anything well is to do so with knowledge and integrity. ManyMangoes believes in empowering every business to navigate the complexities of cyber threats with informed confidence! Let's build a safer digital future together.