Cyber Incident Weekly Report - Week of May 20, 2024
New Jersey School Confirms Data Breach with Potential Exposure of SSNs.
WHAT HAPPENED: Shore Regional High School District in New Jersey confirmed in a data incident notice that it experienced “unauthorized access” to its network. The incident occurred “on or about” April 13, 2023, and an investigation determined on March 28, 2024, “that certain impacted files containing personal information may have been removed from our network by the unauthorized individual(s).” The stolen information includes full names, dates of birth, Social Security numbers, driver’s license or state identification numbers, financial information, medical treatment or diagnosis information, and medical and/or health insurance information. The school district began notifying impacted individuals earlier this week.
CONCERNING: Shore Regional High School District, New Jersey, Data Breach, Academia.
SENSCY'S ANALYSIS: With the end of the school year, finals, and graduations approaching for many U.S. high schools, SensCy believes it is highly likely that threat actors will target school districts and high schools at a higher rate. The attack on Shore Regional High School District is a reminder that the academic field continues to be a primary target for hackers. Schools have become more reliant on digital tools and online platforms for educational purposes. This dependency increases the attack surface for threat actors, giving them more opportunities to exploit vulnerabilities. This dependency on digital tools is often paired with outdated systems and software that are no longer supported or patched against new vulnerabilities. In addition, SensCy has observed the rise of cybercrime as a service (CaaS), making it easier for less technically skilled threat actors to conduct and launch sophisticated attacks. These services provide tools and infrastructure for cyber attacks, making it more accessible for various threat actors to target schools. A combination of these factors continues to lead to new attacks on school districts in the U.S. SensCy recommends that schools invest in robust cybersecurity measures, regularly train staff and students, and stay updated on the latest threat intelligence to counter these threats.
Omnivision Suffers Ransomware Attack.
WHAT HAPPENED: Omnivision, a semiconductor manufacturer of sensing, analog, and touch and display solutions, confirmed in a notification letter that personal information was stolen in a ransomware attack. An investigation completed on April 3, 2024, determined that the hackers accessed Omnivision’s systems between September 4 and September 30, 2023. The Cactus ransomware gang claimed responsibility for the attack and claimed to have stolen 3.5 terabytes of data, including confidential documents, non-disclosure agreements, and passport scans.
CONCERNING: Omnivision, Data Breach, Cactus, Ransomware.
SENSCY'S ANALYSIS: The Cactus ransomware group is relatively new but is already a notable player in the cybersecurity landscape. The group uses double extortion tactics, encrypting the data on the victim’s systems and stealing it. They then threaten to release the data publicly if the ransom is unpaid. While the group uses common vectors like phishing, exploitation of known vulnerabilities, or compromised remote desktop protocol (RDP) credentials to gain initial access, they are known for their advanced encryption techniques. The Cactus group uses AES (Advanced Encryption Standard) for file encryption and RSA (Rivest-Shamir-Adleman) to encrypt the AES keys, making decryption without the key practically impossible. Like many other groups, Cactus uses custom-built tools and scripts to disable security software and evade detection, allowing the ransomware payload to spread effectively within the network. Cactus represents a significant threat; SensCy recommends that organizations strengthen their cybersecurity defenses by regularly patching their systems, employing robust email filtering, using multi-factor authentication (MFA), and conducting regular backups of critical company data.
Data Breach at WebTPA Impacts 2.4 Million
WHAT HAPPENED: WebTPA Employer Services, a third-party administrator that processes health plan claims, disclosed this week that it suffered a data breach that impacted the personal information of more than 2.4 million individuals. In a notice on its website, WebTPA explained that the incident was discovered on December 28, 2023, when suspicious activity was detected on its network. The investigation revealed that a threat actor stole personal information stored on the systems between April 18 and April 23, 2023. The stolen data includes names, contact information, dates of birth, dates of death, insurance information, and Social Security numbers. Financial information was not affected by the incident.
CONCERNING: WebTPA, Data Breach.
SENSCY'S ANALYSIS: While the notice does not share information regarding the clients working with WebTPA, many organizations have already confirmed that they have been affected by the breach. In addition, several law firms have filed lawsuits against WebTPA. The large gap between the incident and its discovery is a classic indicator that WebTPA had inadequate cybersecurity measures. Furthermore, it has been over a year since the individuals and companies connected to WebTPA had their personally identifiable information (PII) stolen, exposing them to potential additional cybercrime, including identity theft and blackmail. It is not uncommon to see threat actors in a victim’s systems for months, because avoiding detection has become a specialty for threat actors, and it requires as much technical knowledge as the initial exploit. Threat actors can stay in systems long before conducting an attack or repeating a previous exploitation. Based on the information stolen and the timeframe, it is highly likely that the threat actors had done significant information gathering before attacking WebTPA. Once in the systems, they likely moved laterally while escalating their privileges before installing a backdoor for future exploitation. The detection on December 28, 2023, was likely due to the threat actors attempting to extract more information. WebTPA clients, employees, or partners are recommended to enroll in the two-year free identity monitoring program offered by WebTPA. Individuals impacted should also closely monitor for any suspicious activity on their credit reports or their benefit plan.