Cyber Incident Weekly Report - Week of October 28, 2024

Oregon Department of Correction Confirms Data Leak

WHAT HAPPENED: The Oregon Department of Corrections (ODOC) reported a data breach caused when an employee accidentally sent email containing sensitive information of 861 individuals who had recently completed background checks. This incident occurred on August 28-29, when a staff member mistakenly sent an internal spreadsheet to two visitors. Upon discovering the error, ODOC promptly ensured that the emails and attachments were fully deleted from the recipients' emails and state systems by September 16. The compromised information included names, driver’s license or state ID numbers, dates of birth, and FBI numbers, protected under the Oregon Consumer Information Protection Act. Although no Social Security or financial data was exposed, ODOC is offering one year of free identity theft resolution services to affected individuals.

CONCERNING: Oregon Department of Corrections (ODOC), Data Leak.

SENSCY'S ANALYSIS: The data breach at the Oregon Department of Corrections (ODOC) underscores several critical risks and considerations in cybersecurity for correctional departments. First, the breach illustrates the danger of human error in handling sensitive data, which, while unintentional, can have far-reaching privacy implications. In this case, the leak of personal identifiers like driver’s license numbers, dates of birth, and FBI numbers can make individuals vulnerable to identity theft or fraud, even though no Social Security or financial information was exposed. This incident also highlights the risks associated with insider threats—whether accidental or malicious—and the need for stronger access and sharing controls within correctional systems. The sensitive nature of the data held by correctional departments means they are prime targets for cybercriminals seeking information for illicit purposes, especially considering the highly confidential information tied to inmate records, staff, and public interactions.

To mitigate these risks, corrections departments should adopt several preventative measures. Strict data handling policies should be in place, including regular staff training on secure communication practices and email verification steps before sensitive information is shared. Implementing multi-factor authentication and limiting access to sensitive data based on job roles can also minimize the risk of accidental exposure. Encryption of sensitive files before sharing can further safeguard information by ensuring that only authorized parties can access it, even if an email is mistakenly sent. Moreover, automated systems that detect unusual data-sharing patterns or flag outbound emails containing sensitive information could prevent similar incidents in the future. Organizations should also establish incident response plans to contain any data breach swiftly and effectively, as ODOC demonstrated by ensuring the deletion of the mistakenly sent emails. By implementing these preventive measures, correctional departments can fortify their defenses against accidental and malicious data breaches.

Saint Xavier University Reports Data Breach

WHAT HAPPENED: On October 30, 2024, Saint Xavier University (SXU) reported a data breach to the Maine Attorney General after discovering that an unauthorized party accessed and downloaded files from its network. The breach affected the sensitive information of 212,267 individuals, including names, Social Security numbers, and financial account details. SXU first noticed suspicious activity on July 21, 2023, and quickly secured its systems, initiating an investigation with cybersecurity experts. The investigation confirmed that unauthorized access occurred between June 29 and July 18, 2023, allowing the actor to access and download sensitive files. By August 26, 2024, SXU completed its review of the compromised files to identify affected individuals. On October 30, 2024, SXU began notifying impacted individuals about the breach and the specific data compromised in each case.


CONCERNING: Saint Xavier University (SXU), Academia.

SENSCY'S ANALYSIS: Schools can improve their ability to detect unauthorized access quickly by implementing a range of security measures that strengthen both visibility and response capabilities. First, a well-configured Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) can monitor network traffic for unusual behavior, helping to identify suspicious activities such as unexpected logins, data transfers, or access patterns. Coupled with endpoint detection and response (EDR) tools on individual computers and devices, schools can gain deeper insights into potentially compromised endpoints and respond quickly. Schools should also employ network segmentation, which limits lateral movement by isolating critical systems (e.g., databases with sensitive student records) from other parts of the network. This containment strategy can reduce the potential damage and scope of a breach while making it easier to spot suspicious access attempts. Regularly auditing and limiting user access to sensitive data based on job roles can further reduce the chance of unauthorized access going unnoticed. Implementing multi-factor authentication (MFA) is essential to add a strong layer of defense against unauthorized access. MFA makes it significantly harder for unauthorized users to log in, even if they have compromised passwords. Additionally, real-time logging and monitoring of system activities, paired with AI-driven analytics, can help detect anomalies that signify a possible intrusion. AI and machine learning tools analyze vast amounts of data quickly, flagging unusual patterns that may indicate a breach. Schools should also prioritize regular cybersecurity training for all staff to recognize phishing attacks and other common entry points used by attackers. With staff aware of threats, there is a reduced chance of unauthorized access through human error. 
Finally, establishing an incident response plan ensures that, if a breach is detected, the school can promptly investigate, contain, and disclose the incident to those affected, minimizing the time that sensitive data is exposed and improving transparency with stakeholders.


Cyberattack Hits Los Angeles Housing Authority, Cactus Ransomware Group Claims Responsibility

WHAT HAPPENED: The Housing Authority of the City of Los Angeles (HACLA) recently experienced a cyberattack, which the Cactus ransomware group later claimed. HACLA, a major public housing authority, supports low-income families, children, and seniors in Los Angeles through various affordable housing programs. Following the attack, HACLA engaged external forensic specialists to assist with the investigation and recovery. Despite the incident, HACLA reports that its systems remain functional, and it continues to provide essential services to the community. The organization has not disclosed when the breach was identified or whether any sensitive data was compromised. Meanwhile, the Cactus gang claims to have extracted 891 GB of data from HACLA’s network.

CONCERNING: Housing Authority of the City of Los Angeles (HACLA), Cyberattack, Ransomware, Cactus Group.

SENSCY'S ANALYSIS: The Cactus ransomware group emerged in early 2023 using a double-extortion model; since then it has added over 260 companies to its leak site. Cactus ransomware primarily exploits vulnerabilities in VPN software to gain entry into target systems, where it establishes communication with its operators via SSH and uses Scheduled Tasks to maintain persistence. Once inside, it scans the network for other vulnerable targets, steals credentials, and uses these credentials to spread across the network. Cactus also disables antivirus software via msiexec and hides from detection by encrypting its own code, making analysis difficult without the decryption key. As double-extortion ransomware, Cactus encrypts files using RSA and AES and exfiltrates data to cloud storage before issuing ransom demands. Its attacks generally target large enterprises with vulnerable VPNs, as these organizations are likely to pay significant ransoms.

To defend against Cactus, SensCy recommends that organizations promptly patch VPN and other software to eliminate known vulnerabilities. Implementing multi-factor authentication (MFA) can prevent credential-based attacks, and educating employees about secure password practices can help reduce credential reuse risks. Network segmentation can limit the malware's ability to spread, while network security tools can detect lateral movement. Lastly, anti-ransomware solutions can block encryption attempts and stop data exfiltration, offering critical protection against Cactus's tactics.
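As an added illustration that is not part of SensCy's report, the Python sketch below turns three of the Cactus behaviours described above (silent antivirus removal via msiexec, Scheduled Task persistence, and an SSH client launched from an unusual path) into simple detection heuristics and correlates them per host within a time window. The JSON event format, field names, and log lines are constructed assumptions for the example, not a real EDR schema or real telemetry.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): one JSON record per line from a
# hypothetical EDR export. Placeholders stand in for product codes and arguments.
SAMPLE_EVENTS = r"""
{"ts":"2024-10-29T02:14:05Z","host":"fs01","user":"svc-backup","event":"process_create","image":"C:\\Windows\\System32\\msiexec.exe","cmdline":"msiexec.exe /x {PLACEHOLDER-PRODUCT-CODE} /qn /norestart"}
{"ts":"2024-10-29T02:14:40Z","host":"fs01","user":"svc-backup","event":"task_create","task_name":"\\Updater","task_action":"C:\\ProgramData\\update.exe"}
{"ts":"2024-10-29T02:15:02Z","host":"fs01","user":"svc-backup","event":"process_create","image":"C:\\ProgramData\\ssh.exe","cmdline":"ssh.exe [REDACTED-ARGS]"}
{"ts":"2024-10-29T09:00:00Z","host":"ws12","user":"jdoe","event":"process_create","image":"C:\\Windows\\System32\\msiexec.exe","cmdline":"msiexec.exe /i \\\\fileshare\\apps\\reader.msi /qn"}
{"ts":"2024-10-29T09:30:00Z","host":"ws12","user":"SYSTEM","event":"task_create","task_name":"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","task_action":"%windir%\\system32\\defrag.exe"}
"""

# Directories from which scheduled-task actions and system binaries are expected to run.
TRUSTED_DIRS = re.compile(r"^(C:\\Windows\\|C:\\Program Files|%windir%)", re.IGNORECASE)

def tag_event(ev):
    """Return the tactic tags (category:rule) that one event matches; heuristics only."""
    tags = set()
    cmd = ev.get("cmdline", "").lower()
    image = ev.get("image", "")
    if ev["event"] == "process_create":
        # Silent uninstall through msiexec: the report describes Cactus removing AV this way.
        if image.lower().endswith("msiexec.exe") and re.search(r"\s/(x|uninstall)\b", cmd) and "/qn" in cmd:
            tags.add("defense_evasion:msiexec_silent_uninstall")
        # SSH client started from a non-standard location: candidate operator channel.
        if image.lower().endswith("ssh.exe") and not TRUSTED_DIRS.match(image):
            tags.add("c2:ssh_from_untrusted_path")
    elif ev["event"] == "task_create":
        # Scheduled task whose action lives outside trusted directories: persistence candidate.
        if not TRUSTED_DIRS.match(ev.get("task_action", "")):
            tags.add("persistence:task_untrusted_action")
    return tags

def correlate(raw_text, window=timedelta(minutes=30), min_tactics=2):
    """Per host, report the distinct tactic categories seen within `window` of one hit
    when at least `min_tactics` categories co-occur; a lone hit stays a low-priority lead."""
    events = [json.loads(line) for line in raw_text.strip().splitlines()]
    by_host = defaultdict(list)
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        for tag in tag_event(ev):
            by_host[ev["host"]].append((ts, tag))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        for t0, _ in hits:
            tactics = {tag.split(":")[0] for t, tag in hits if t0 <= t <= t0 + window}
            if len(tactics) >= min_tactics:
                alerts[host] = sorted(tactics)
                break
    return alerts

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # {'fs01': ['c2', 'defense_evasion', 'persistence']}
```

Only fs01 is raised: the ws12 events are a routine installer and a built-in defragmentation task, which the rules deliberately leave alone to keep the correlation signal meaningful.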

