Cyber Incident Weekly Report - Week of January 01, 2024
Ohio Lottery Hit by Ransomware Attack
WHAT HAPPENED: On December 24th, the Ohio Lottery was forced to shut down most of its systems due to a ransomware attack by the ransomware group DragonForce. In a press release, the lottery announced, “Mobile cashing and prize cashing above $599 at Super Retailers are currently not available." According to the statement by DragonForce, more than 3 Million individuals could be impacted by the breach. They also claimed that the total breach could include over 600 gigabytes of data, including “first name, last name, mail, addresses, winning amounts, SSN + DOB records of employees and players.”
CONCERNING: Ohio Lottery, Ransomware, DragonForce
SENSCY'S ANALYSIS: While the investigation into the ransomware attack on the Ohio Lottery is ongoing, we can already identify some potential motivating factors that made the lottery an attractive target for a hacking group. Financial gain is the primary motivating factor for DragonForce since lotteries handle vast amounts of money and customer data. The group also gave the lottery three days to pay the ransom, putting intense pressure on the victims to force them to act rapidly. Even if the Ohio Lottery pays the ransom, DragonForce will likely resell the data on the black market. This would put Ohio Lottery’s customers and employees at risk of additional cyber attacks, including identity theft, blackmail, and phishing. While little is known about the DragonForce group, cyber experts believe that the group is likely a rebranding of a previously known and experienced group, given their data leak site, tactics, techniques, and procedures (TTP). According to Daily Dark Web, DragonForce is becoming one of the most active gangs.
Second Data Breach in Two Months for Corewell Health
WHAT HAPPENED: HealthEC, a vendor providing services for Corewell Health, a Michigan-based healthcare organization, reported a cybersecurity breach affecting more than one million Michigan residents, according to Attorney General Dana Nessel. The stolen data includes medical information, Social Security numbers, birthdates, health insurance information, and medical record numbers. The incident also impacted several Beaumont ACO patients under a separate contract with HealthEC. HealthEC began notifying the affected patients on December 22. In this case, HealthEC provides services to Corewell Health to “identify high-risk patients, close gaps in care, and recognize barriers to optimal care.”
CONCERNING: Third-party Risk, HealthEC, Corewell Health, Data Breach
SENSCY'S ANALYSIS: SensCy reported the data breach on Welltok, Inc. earlier this month, where the Cl0p gang exploited the MOVEit vulnerability to access data shared by Corewell Health with Welltok, Inc. While it is unlikely that the two events are related, similar patterns of mismanagement of third-party vendors are apparent. The breach on HealthEC occurred between July 14, 2023, and July 23, 2023. Like in the Welltok, Inc. breach, the delayed communication exposes its customers to additional risks, such as more targeted attacks, like blackmail or phishing. HealthEC offers affected individuals complimentary credit monitoring and identity theft protection services for 12 months. The breach on HealthEC also impacted Beaumont ACO. You may receive two notification letters if you previously received services from Corewell Health and Beaumont ACO. Michigan residents are experiencing a surge in healthcare-related cyber attacks and data breaches. As mentioned in a statement by the Michigan Attorney General, it is now critical that the Michigan legislature requires companies and business associates of HIPAA-covered entities to inform the Department of Attorney General immediately.
Xfinity Data Breach Affects 36 Million Individuals
WHAT HAPPENED: The telecommunications giant and Internet provider Xfinity disclosed a data breach that impacted 35,879,455 people. The breach occurred on December 18, 2023, when hackers accessed customer usernames and hashed passwords, names, dates of birth, contact information, secret questions and answers, and the last four digits of social security numbers in some cases. Hackers exploited a known vulnerability of Citrix NetScaler ADC and Gateway, named CitrixBleed. While a patch was released in October, the vulnerability had been exploited since August.
CONCERNING: Xfinity, Comcast, Data Breach, Vulnerability Exploitation
SENSCY'S ANALYSIS: Exploiting known vulnerabilities is one of the most popular attack vectors used by hackers and threat actors. SensCy had reported the mass exploitation of the CitrixBleed vulnerability, tracked as CVE-2023-4966, where hackers could perform session hijacking, allowing them to bypass authentication, including Multi-Factor Authentication (MFA). Hackers will use publicly available information, including tools and techniques, to exploit known vulnerabilities. Although Xfinity explained that they “promptly patched and mitigated” the exposure within its systems, they were still too late. The breach was discovered on October 25, and the hackers accessed its systems between October 16 and 19. However, patches were released on October 10, 2023. This indicates that Xfinity waited at least ten days to install the necessary security patches, giving skilled hackers plenty of time to gather large amounts of data.
Xfinity began notifying customers and is forcing them to reset their passwords. Xfinity is also advising customers to enable multi-factor authentication on their accounts. Xfinity is one of the victims of the CitrixBleed vulnerability, as many experts believe it has been exploited to attack high-profile organizations like Toyota.
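The Xfinity timeline above (fix published October 10, intrusion October 16 to 19, discovery October 25) is the kind of patch-exposure arithmetic a defender should be running across an asset inventory, not reconstructing after the fact. The following Python is an added illustration, not code from SensCy, Xfinity, or Citrix: it takes a constructed inventory of edge appliances with hypothetical names, computes how long each sat unpatched after a vendor fix, flags those that were still unpatched during a known exploitation window, and reports SLA breaches. The only dates taken from the report are the CitrixBleed ones; every asset and SLA value is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Dates from the report: vendor fix released Oct 10, attacker access Oct 16-19.
CITRIXBLEED_FIX_RELEASED = date(2023, 10, 10)
CITRIXBLEED_INTRUSION_WINDOW = (date(2023, 10, 16), date(2023, 10, 19))


@dataclass
class Asset:
    name: str                        # hypothetical asset name (constructed)
    patch_released: date             # day the vendor made the fix available
    patch_applied: Optional[date]    # None means the asset is still unpatched


def exposure_days(asset: Asset, as_of: date) -> int:
    """Whole days the asset ran without the fix after it was available.

    If the asset is still unpatched, the clock runs up to `as_of`.
    """
    end = asset.patch_applied or as_of
    return max((end - asset.patch_released).days, 0)


def exposed_during(asset: Asset, window_start: date, window_end: date) -> bool:
    """True if the asset was unpatched for any part of [window_start, window_end].

    Patching on or before the window's first day counts as protected;
    anything later (or never) leaves at least one day of overlap.
    """
    if asset.patch_released > window_end:
        return False  # no fix existed yet; exposure, but not a patching failure
    if asset.patch_applied is None:
        return True
    return asset.patch_applied > window_start


def sla_breaches(assets: list, sla_days: int, as_of: date) -> list:
    """Names of assets whose exposure exceeded the patching SLA."""
    return [a.name for a in assets if exposure_days(a, as_of) > sla_days]


# Constructed inventory (hypothetical names); the report names no appliances.
INVENTORY = [
    Asset("edge-gw-01", CITRIXBLEED_FIX_RELEASED, date(2023, 10, 11)),
    Asset("edge-gw-02", CITRIXBLEED_FIX_RELEASED, date(2023, 10, 16)),
    Asset("edge-gw-03", CITRIXBLEED_FIX_RELEASED, date(2023, 10, 25)),
    Asset("edge-gw-04", CITRIXBLEED_FIX_RELEASED, None),
]


def report(assets: list, sla_days: int, as_of: date) -> dict:
    """Summarise exposure, intrusion-window overlap and SLA status per asset."""
    start, end = CITRIXBLEED_INTRUSION_WINDOW
    return {
        a.name: {
            "exposure_days": exposure_days(a, as_of),
            "exposed_during_intrusion": exposed_during(a, start, end),
            "sla_breached": exposure_days(a, as_of) > sla_days,
        }
        for a in assets
    }


if __name__ == "__main__":
    for name, row in report(INVENTORY, sla_days=7, as_of=date(2023, 10, 25)).items():
        print(name, row)
```

The `exposed_during` check is the one worth keeping in a weekly review: an asset patched after the first day of a published exploitation window should be treated as potentially compromised and investigated, not merely marked "patched", since a fix applied late closes the door without telling you whether anyone already walked through it.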
Interested in understanding the threat level of cyberattacks at your organization? Complete our cyberhealth self-assessment here.