Cyber Incident Weekly Report - Week of July 3, 2023

Cyber Attack on DMVs in Louisiana and Oregon Leaks Data of Nearly 10 Million Driver's Licenses

WHAT HAPPENED: Oregon and Louisiana are the latest victims of the Russian-linked Cl0p ransomware gang and its exploitation of CVE-2023-34362, a SQL injection vulnerability in Progress Software's MOVEit Transfer, the managed file transfer product used by both DMVs. In both cases, Cl0p stole information including names, addresses, Social Security numbers, driver's license numbers, dates of birth, height, vehicle registration information, and handicap placard information.

CONCERNING: Oregon, Louisiana, Patch Management, MOVEit, Cl0p Gang

SENSCY'S ANALYSIS: The list of victims of the MOVEit vulnerability and the Cl0p gang continues to grow, as expected. If you hold an active Oregon or Louisiana driver's license or ID card, assume your personal information was exposed: monitor your financial accounts, place a fraud alert or freeze your credit so that no one can open accounts or loans in your name, change the passwords on your important accounts, and treat unsolicited calls, texts, and emails that quote these details as suspect. Although Cl0p had claimed it would not target government agencies, citing the risk of sanctions and the involvement of federal agencies, it is now clear that this "rule" no longer applies. For government agencies, protecting citizens' personal information must be a priority. U.S. citizens can choose whether to do business with a private organization that might be unable to protect their data; they have no such choice with government organizations.


Fort Worth is a Recent Victim of a Cyber Attack

WHAT HAPPENED: This week, the city of Fort Worth began investigating the scope of a cyber attack on one of the city's websites. According to the city's Chief Technology Officer, the threat actors accessed a municipal website used to manage transportation, public works, and parks and recreation maintenance. He added that investigators have found no indication that sensitive information was released. The attack was claimed by a known group, SiegedSec.

CONCERNING: Cities, City Officials, Fort Worth

SENSCY'S ANALYSIS: According to the ongoing investigation, the data taken by the group came from a public-facing maintenance-management website rather than from the city's internal network. Gaining access to such a site still requires a valid account, so the threat actor most likely used one of the following methods: phishing a user for their credentials, credential stuffing with username and password pairs leaked in earlier breaches, or brute-forcing a weak password. The best protection against all three is Multi-Factor Authentication (MFA), paired with login rate limiting and alerting on bursts of failed logins. Attackers only have to be right once with a password, but MFA adds a second factor they do not have. Although nothing indicates this was a ransomware attack, it was likely a first step for SiegedSec: a way to map the environment for additional weaknesses and possibly plant a backdoor so the group can conduct a larger, more sophisticated attack in the near future.
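The three access methods above leave different fingerprints in a web portal's authentication log, and the alert that matters most is a success that follows them. The following is an added example, written for this report and not code from SensCy or the City of Fort Worth; the log format, hostnames, usernames, IP addresses (from documentation ranges) and thresholds are all constructed for illustration. It separates brute force (many failures against one account from one source) from credential stuffing (one source trying many different accounts a time or two each) and flags any login that succeeds from a source already behaving like an attacker.

```python
import re
from collections import defaultdict

# One auth event per line; format is hypothetical, not any real product's log.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>success|failure)$"
)

# Constructed sample log (not from the Fort Worth incident):
#  - 203.0.113.5 hammers one account        -> brute force
#  - 198.51.100.7 tries many accounts once  -> credential stuffing, then a hit
#  - 192.0.2.10 is a real user who mistyped -> benign
SAMPLE_LOG = """\
2023-06-20T08:00:01Z login user=admin ip=203.0.113.5 result=failure
2023-06-20T08:00:02Z login user=admin ip=203.0.113.5 result=failure
2023-06-20T08:00:03Z login user=admin ip=203.0.113.5 result=failure
2023-06-20T08:00:04Z login user=admin ip=203.0.113.5 result=failure
2023-06-20T08:00:05Z login user=admin ip=203.0.113.5 result=failure
2023-06-20T08:00:06Z login user=admin ip=203.0.113.5 result=failure
2023-06-20T08:01:10Z login user=alopez ip=198.51.100.7 result=failure
2023-06-20T08:01:11Z login user=bchen ip=198.51.100.7 result=failure
2023-06-20T08:01:12Z login user=cdavis ip=198.51.100.7 result=failure
2023-06-20T08:01:13Z login user=dkim ip=198.51.100.7 result=failure
2023-06-20T08:01:14Z login user=mlee ip=198.51.100.7 result=success
2023-06-20T08:05:00Z login user=tsmith ip=192.0.2.10 result=failure
2023-06-20T08:05:09Z login user=tsmith ip=192.0.2.10 result=success
"""


def parse(lines):
    """Turn raw log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect(events, brute_force_threshold=5, stuffing_min_users=4):
    """Classify attacker behaviour from a list of parsed auth events."""
    failures = defaultdict(int)      # (user, ip) -> failed attempts on that pair
    users_per_ip = defaultdict(set)  # ip -> distinct accounts it failed against
    successes = []                   # (user, ip) pairs that logged in

    for e in events:
        key = (e["user"], e["ip"])
        if e["result"] == "failure":
            failures[key] += 1
            users_per_ip[e["ip"]].add(e["user"])
        else:
            successes.append(key)

    # Brute force: one source grinding on one account.
    brute_force = {k: n for k, n in failures.items() if n >= brute_force_threshold}
    # Credential stuffing: one source spraying many accounts (few tries each).
    stuffing = {ip: len(u) for ip, u in users_per_ip.items() if len(u) >= stuffing_min_users}
    # A success from a source already flagged is the likely account takeover.
    suspicious_success = sorted(
        {k for k in successes if k in brute_force or k[1] in stuffing}
    )
    return {
        "brute_force": sorted(brute_force.items()),
        "credential_stuffing": sorted(stuffing.items()),
        "suspicious_success": suspicious_success,
    }


def analyze_log(text):
    return detect(parse(text.splitlines()))


FINDINGS = analyze_log(SAMPLE_LOG)

if __name__ == "__main__":
    for kind, hits in FINDINGS.items():
        print(kind, hits)
```

The thresholds are deliberately low so the sample triggers; in production they would be tuned per site and evaluated over a sliding time window, and the "suspicious success" finding would be what pages the on-call analyst, since it is the point at which MFA (if enforced) would have stopped the login.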


Third-Party Breach Leaks Pilots' Applications for American and Southwest Airlines

WHAT HAPPENED: Last week, American Airlines and Southwest Airlines each filed a data breach notification with Maine's Office of the Attorney General. The breach affects 5,745 records for American Airlines and 3,009 for Southwest Airlines. It occurred at Pilot Credentials, a third-party service used by both airlines in which pilot applicants store information about their profile, experience, and education. The exposed data includes personally identifiable information (PII) such as Social Security numbers, driver's license numbers, passport numbers, dates of birth, Airman Certificate numbers, and other government-issued identification numbers.

CONCERNING: Third-Party Breach, American Airlines, Southwest Airlines

SENSCY'S ANALYSIS: There is still little information about the Pilot Credentials breach. The notification states that an "unauthorized individual" accessed the data for at least a day. Once stolen, data like this is sold on dark web markets to other threat actors, who use it for follow-on attacks against Pilot Credentials users: scams, phishing, and potentially identity theft. Pilots who use the tool should be on heightened alert even if they never submitted applications to these two airlines. The incident illustrates the risk that third-party vendors create for the organizations that depend on them; SensCy has observed that third-party and supply-chain compromises remain the leading cause of data and security breaches. Organizations should increase their visibility into third-party tools and partners so they can assess them properly. A single standard workflow for granting and monitoring each vendor's data access, built on the zero-trust principle that no party is trusted by default and every access is verified, keeps vendor access to the minimum needed. In addition, sensitive fields such as Social Security and passport numbers should be replaced with non-sensitive tokens, so that a stolen copy of the application database is useless to an attacker who does not also hold the separately secured token vault, and the underlying data should be encrypted in transit and at rest so it stays both protected and usable.
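To make the tokenization recommendation concrete, here is an added example written for this report; it is not code from Pilot Credentials, either airline, or SensCy, and the record fields, role names and token format are assumptions for illustration. The application stores only random tokens for the sensitive fields; the mapping back to real values lives in a separate vault that releases a value only to an authorized role. Because the tokens are random rather than derived from the value (a plain hash of a nine-digit SSN can be reversed by enumeration), a dump of the tokenized records reveals nothing about the applicants.

```python
import secrets

# Fields that must never be stored in the application database in the clear.
# The field list is an assumption for this example.
SENSITIVE_FIELDS = ("ssn", "passport_number", "driver_license")

# Roles permitted to see real values; a hypothetical policy for illustration.
ALLOWED_ROLES = {"hr_verifier", "compliance_auditor"}


class TokenVault:
    """Separately secured store mapping random tokens to the values they replace.

    In production the vault runs as its own service with its own access
    controls and audit log, and its contents are encrypted at rest; here it
    is an in-memory dict so the example runs stand-alone.
    """

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}  # (field, value) -> token, so repeats map to one token

    def tokenize(self, field, value):
        key = (field, value)
        if key in self._value_to_token:
            return self._value_to_token[key]
        # 128 bits of randomness: not guessable, not derived from the value.
        token = f"tok_{field}_{secrets.token_urlsafe(16)}"
        self._token_to_value[token] = value
        self._value_to_token[key] = token
        return token

    def detokenize(self, token, caller_role):
        # Every reveal is an explicit, role-checked call: the zero-trust boundary.
        if caller_role not in ALLOWED_ROLES:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._token_to_value[token]


def is_token(value):
    return isinstance(value, str) and value.startswith("tok_")


def tokenize_record(record, vault):
    """Return a copy of the record safe to store in the application database."""
    return {
        field: vault.tokenize(field, value) if field in SENSITIVE_FIELDS else value
        for field, value in record.items()
    }


def leaked_sensitive_values(record):
    """What an attacker learns from a stolen copy of the stored record."""
    return [v for f, v in record.items() if f in SENSITIVE_FIELDS and not is_token(v)]


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample applicant; every value is fictitious.
    applicant = {
        "name": "A. Pilot",
        "ssn": "123-45-6789",
        "passport_number": "X1234567",
        "certificate_type": "ATP",
    }
    stored = tokenize_record(applicant, vault)
    print("stored record:", stored)
    print("leaked if stolen:", leaked_sensitive_values(stored))
    print("HR sees:", vault.detokenize(stored["ssn"], "hr_verifier"))
```

The vault and the application database are the two halves of the control: an attacker needs both, plus an authorized role, to recover a single SSN. Field-level encryption of the vault's contents is the second layer the analysis calls for and would sit inside `TokenVault`, but the tokenization boundary is what turns a database breach into a non-event for the people in it.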
