Cyber Incident Weekly Report - Week of December 11, 2023
Monday's Cyber Incident Report

The Holiday Season has Brought Ransomware Attacks Against Multiple Schools

WHAT HAPPENED: Schools nationwide are struggling to battle ransomware attacks. Henry County Schools, a school district outside of Atlanta, the K-12 Hermon School Department in Maine, and Taylor University in Indiana each reported a ransomware attack. The notorious ransomware gang BlackSuit claimed the attack on Henry County Schools, which disrupted student and staff access to Chromebooks and forced the school to change its end-of-the-year exam schedule. Hermon School Department was breached when hackers exploited a vulnerability in the outdated Windows 2012 used by the school. Taylor University was breached between February and May 2023, with hackers accessing personally identifiable information (PII) of students and staff.

CONCERNING: Academia, Universities, K-12, Ransomware, Holidays

SENSCY'S ANALYSIS: SensCy continues to monitor the sharp increase in cyber attacks on schools in the U.S., from K-12 to higher education institutions. While disclosed breaches are closing in on 250 in 2023, SensCy believes that the end of the year will likely see hackers push for more targeted attacks on schools. Here are a few reasons why hackers will target schools during the holiday season:

  • Schools are a data-rich environment; they store a lot of data, including student and staff information. Hackers seek personal data for various reasons like identity theft, financial gain with ransomware attacks, or selling stolen information on the dark web.
  • Timing: timing is a key factor for any successful attack. End-of-year periods are often hectic with exams, holiday preparations, and increased administrative tasks, making schools more vulnerable as attention and awareness may be diverted away from cyber security measures.
  • Increased exploitation of known vulnerabilities: Schools are known to use older software and hardware versions, making them an easier target.

Academic institutions must enhance their cyber security measures, increase awareness, and stay vigilant, especially during the end-of-year period.

A Florida Water Agency Suffered a Cyberattack

WHAT HAPPENED: The St. Johns River Water Management District, a regulatory agency in Florida in charge of the long-term drinking water supply, confirmed it was responding to a cyber attack. A spokesperson confirmed it “identified suspicious activity in its information technology environment” and that “containment measures have been successfully implemented.” While an undisclosed ransomware gang claimed responsibility for the attack, the group didn’t disclose the extent of the stolen information. This attack comes only a couple of weeks after an Iranian-based ransomware group attacked a water agency in Pennsylvania, while another water agency in Texas announced on Tuesday it was dealing with a cyber attack, and after many U.S. officials raised their concerns last week after several incidents impacted water agencies.

CONCERNING: Water Agency, Critical Infrastructure, Florida, Ransomware

SENSCY'S ANALYSIS: Last week’s Incident Weekly Report mentioned that water supply agencies and systems are part of the U.S.’s critical infrastructure, making them attractive targets for threat actors seeking to create widespread disruption. It seems that hackers targeting water agencies aren’t necessarily financially motivated, as shown by the Iranian-based group with a political motive behind their attacks. The attack on the St. Johns River Water Management District is likely linked to the Iranian-based group since most water agencies in the U.S. use the Israeli-made Unitronics Vision Series programmable logic controllers (PLCs). Federal agencies working with the Cybersecurity and Infrastructure Security Agency (CISA), including the FBI, NSA, and EPA, released an advisory. SensCy believes more water agencies will be targeted in the coming weeks as hundreds of Unitronics PLC instances are publicly exposed worldwide.

Michigan Healthcare Companies Impacted by Data Breach

WHAT HAPPENED: In an announcement by the Michigan Attorney General, the software company contracted by Corewell Health suffered a data breach. The software company, Welltok, Inc., provides communication services to Corewell Health’s properties in southeastern Michigan. The breach occurred on May 30, 2023, when the MOVEit Secured file transfer software was exploited. The stolen data includes names, dates of birth, email addresses, phone numbers, medical diagnoses, health insurance information, and Social Security numbers of around one million Corewell Health patients.

CONCERNING: Third-party Risk, MOVEit, Corewell Health, Data Breach

SENSCY'S ANALYSIS: The Cl0p gang’s exploitation of the MOVEit vulnerability continues to claim more victims months after the disclosed exploitation of the secured file transfer software. The MOVEit vulnerability exposed many issues related to third-party risk management and is already considered one of the most advanced supply chain attacks. While Corewell Health wasn’t directly targeted, as a healthcare organization, it is subject to strict regulations like HIPAA, and a third-party data breach could lead to severe legal consequences and fines. The breach also exposes customers' personal and sensitive data, leading to privacy violations and identity theft. The delayed communication by Corewell Health exposes its customers to additional risks, such as more targeted attacks, like blackmail or phishing. If you are a Corewell Health customer, SensCy recommends that you change your account credentials (user name and password) as soon as possible to ensure that you are using a complex, never-used password and to implement Multi-Factor Authentication. Additionally, please monitor any changes related to your credit information and enroll in credit monitoring subscriptions.
