Cyber Incident Weekly Report - Week of July 15, 2024

CrowdStrike Windows Outage

WHAT HAPPENED: CrowdStrike reported that a Windows update combined with an update deployed by CrowdStrike caused widespread disruptions to Windows workstations globally on Friday, 07/19/2024. This was not a cyberattack. The issue has been traced to a misconfigured .sys file deployed by CrowdStrike to customer devices running the Falcon endpoint sensor. Although the faulty file was distributed to endpoints automatically, there is no automated fix for the crashed computers: each workstation must be manually restarted in safe mode and the faulty file removed. Recovery is expected to take several days since the issue must be resolved one endpoint at a time. Customers are urged to refer to the CrowdStrike support portal for the latest updates.

CONCERNING: All users who have Microsoft Windows and CrowdStrike Falcon

SENSCY'S ANALYSIS: SensCy reiterates that CrowdStrike has acknowledged the issue and clarified that this is not a cyberattack. That being said, the CrowdStrike update failure is a stark reminder of how interconnected and fragile modern IT systems are. This disruption has affected virtually all industries, illustrating how a single software flaw can have extensive and devastating consequences. SensCy emphasizes the importance of thoroughly testing updates and monitoring their impact before full deployment. The one exception is security updates that address zero-day vulnerabilities. Additionally, diversifying IT infrastructure can help mitigate the impact of failures and increase resilience by ensuring that an issue in one system does not incapacitate the entire infrastructure.


Rite Aid Confirms Ransomware Incident

WHAT HAPPENED: The pharmacy chain Rite Aid confirmed in a data breach notification to the Office of the Maine Attorney General that it suffered a “data security incident” in June, impacting 2.2 million individuals. The incident occurred on June 6, 2024, when an unauthorized threat actor gained access to company systems and, according to the notification, “data associated with the purchase or attempted purchase of specific retail products was acquired by the unknown third party.” The stolen data includes the purchaser's name, address, date of birth, and driver’s license number or other form of government-issued ID presented at the time of purchase between June 6, 2017, and July 30, 2018. No Social Security numbers or financial information was leaked. The ransomware group RansomHub claimed the attack.

CONCERNING: Rite Aid, Pharmacy, Healthcare, Ransomware, RansomHub

SENSCY'S ANALYSIS: SensCy continues to observe the rapid increase of healthcare organizations targeted by the Ransomware-as-a-Service (RaaS) group RansomHub. In last week’s report, we analyzed the incident and data leaked on the Florida Department of Health, while the group became known worldwide for its involvement in the UnitedHealth Group data breach. This spree of cyberattacks impacts the healthcare industry as a whole, including attacks directly targeting hospitals, pharmacies, insurance companies, and all third-party suppliers along the healthcare supply chain. Rite Aid is unfortunately familiar with such incidents, as it is already facing lawsuits for a data breach in May 2023. The company had previously suffered data breaches in 2015, 2017 and 2018. While these attacks can dramatically impact healthcare organizations on a financial level, with additional fines and lawsuits, they can also put people’s lives at risk, making this a patient safety issue. The Rite Aid attack now adds to the conversation for additional federal cyber regulation to oversee the healthcare sector. The main issue is the voluntary nature of cybersecurity in healthcare, notably when reviewing and assessing third-party risks.


Furniture Manufacturer Shuts Down IT Systems Following Ransomware Attack

WHAT HAPPENED: Bassett Furniture Industries, one of the largest furniture companies in the U.S., was forced to shut down some of its information technology (IT) systems this week after a threat actor gained unauthorized access on July 10. In an 8-K filing, the company explained that its “retail stores and e-commerce platform are open, and customers are able to place orders and purchase available merchandise; however, the Company’s ability to fulfill orders is currently impacted.” Bassett Furniture believes that the attack will likely have “a material impact on the Company’s business operations until recovery efforts are completed.” At the time of writing, no ransomware group has claimed the attack.

CONCERNING: Bassett Furniture Industries, Manufacturing, Ransomware, Incident Notification

SENSCY'S ANALYSIS: Manufacturing organizations continue to be a primary target for threat actors and hacking groups since their operations rely heavily on continuous production processes. Disrupting these processes can cause significant financial losses. Threat actors use ransomware to encrypt critical systems and data and demand payment for the decryption key to restore operations, knowing that companies are likely to pay to avoid downtime. While the investigation is ongoing and we do not know the methods used by the threat actors responsible for the attack, we can already observe interesting details in the 8-K filing. Since December 18, 2023, the SEC has required companies to disclose any financially “material” cybersecurity incidents immediately. While the number of 8-K filings has increased since this rule was introduced, organizations and lawmakers are still battling over the definition of “material cybersecurity incident.” Whereas most organizations, like UnitedHealth, have waited over a month to report significant financial impacts caused by cyber incidents, Bassett Furniture Industries stated in its initial disclosure that the attack had a “material impact” on the company. This new rule aims to increase the visibility of a company’s cyber incident, whether the victim has remediated or is currently remediating the incident, rather than waiting months to disclose a data breach.


Disney Investigates Potential Data Breach

WHAT HAPPENED: The entertainment giant Disney has launched an investigation after a threat actor known as NullBulge, claiming to be a hacktivist group, announced that they allegedly stole 1.1Tb of data from Disney’s internal Slack channels. While the leak has yet to be verified, it allegedly includes messages and files from 10,000 channels, including information on unreleased projects, source code, login credentials, and links to internal APIs and web pages.

CONCERNING: Disney, Data Breach, Hacktivists

SENSCY'S ANALYSIS: Hacktivists are individuals or groups who use hacking techniques to promote political, social, or ideological agendas. Unlike “traditional hackers,” who mostly focus on financial gain, hacktivists aim to bring awareness, drive change, or protest an issue they oppose. The NullBulge group describes themselves as a “hacktivist group protecting artists’ rights and ensuring fair compensation for their work.” SensCy believes it is highly likely that the hacktivist group gained access to the Slack channels by initially using compromised credentials before potentially exploiting a misconfiguration in Disney's Slack settings, allowing the hacktivists to escalate their privileges and gain access to more channels. It is also likely that organizations like Disney drew attention to themselves following the Hollywood writers' strike over AI concerns. Hacktivists advocating for digital rights are likely to target Disney if they believe the company is involved in censorship, digital rights management (DRM) practices that restrict users' freedoms, or other activities they see as contrary to their principles. If the breach is confirmed, it will be a stark lesson that even the biggest companies, with the largest cybersecurity budgets and the most advanced technology, can suffer cyber incidents.
