Cyber Incident Weekly Report - Week of September 23, 2024
Dell Investigates Data Breach Claim
WHAT HAPPENED: Dell Technologies began investigating a potential data breach after a threat actor known as “grep” claimed to have stolen around 3.5 GB of data. In a post on the dark web, the threat actor said the stolen data includes employees' unique identifiers, full names of Dell and partner employees, employee status (active or not), and an internal identification string. A small sample was shared by the threat actor for free, while the entire database is offered for roughly $0.30.
CONCERNING: Dell, Technology Company, Data Breach.
SENSCY'S ANALYSIS: The threat actor “grep” appears to have gained traction over the past couple of years. Earlier in September, the same profile claimed to have stolen 20 GB of data from the French IT giant Capgemini, before leaking the entire database for free. Researchers believe “grep” is likely aligned with other hacking groups, including “Anonymous,” the hacktivist collective known for its cyberattacks targeting governments and large corporations. Hacktivists may leak a whole database for free on the dark web for several reasons. First, publicly leaking an entire database can cause reputational and financial damage to the target organization; it may humiliate the organization and erode trust among its users and stakeholders. Exposing databases for free might also serve as a warning to other organizations about weak cybersecurity practices: the hacktivist may want to showcase the weaknesses in a company's systems, sending a message about the importance of proper data protection.
Kansas County Suffers Ransomware Attack, Exposes 30,000 Residents
WHAT HAPPENED: Franklin County, Kansas, filed a Data Breach Notice with the Office of the Maine Attorney General indicating that a ransomware attack impacted 29,690 individuals. The incident occurred on May 19 and was identified on May 20, when the county “discovered and responded to a ransomware attack.” The investigation concluded that the threat actors accessed the county's poll book records containing names, Social Security numbers, driver's license numbers, financial account numbers, and medical information.
CONCERNING: Kansas, Local Government, Ransomware, Data Breach.
SENSCY'S ANALYSIS: The County explained that it implemented new security features in response to the attack, including improving network access controls, disabling inactive user accounts, and updating firewall protections. While these are important steps, SensCy recommends that all local governments and counties implement the following four proactive measures: ensure all software, operating systems, and hardware devices are regularly updated with the latest security patches to prevent exploitation of known vulnerabilities; provide ongoing cybersecurity awareness training for all employees covering phishing, social engineering, and best practices for secure data handling; invest in intrusion detection and prevention systems (IDS/IPS); and create a comprehensive cybersecurity incident response plan, regularly exercised through tabletop exercises, to ensure preparedness for responding to cyberattacks, minimizing downtime, and mitigating damage. SensCy also recommends that all impacted individuals enroll in the complimentary one-year Experian membership for credit and identity monitoring, stay vigilant by reviewing financial statements, and report any suspected identity theft to law enforcement and the credit bureaus.
Kansas Water Plant Forced to Switch to Manual Operation Following Cyberattacks
WHAT HAPPENED: Arkansas City, Kansas, detected and contained a cyberattack over the weekend but was forced to switch its water treatment facility to manual operation to contain the attack. In a statement, city manager Randy Frazer confirmed that the water supply is secure and that the cyberattack has not affected water treatment operations.
CONCERNING: U.S. water sector, Water Agency, Critical Infrastructure, State-Sponsored Hackers, Arkansas City water treatment facility.
SENSCY'S ANALYSIS: SensCy continues to monitor and report on the increasing number of targeted attacks on the U.S. water sector. SensCy has observed cyberattacks on water and wastewater utilities in Indiana, Pennsylvania, Texas, and now Kansas. More attacks are likely occurring, as organizations often prefer not to report their incidents publicly. Many of the previous attacks were conducted by nation-state-linked threat actors attempting to disrupt critical infrastructure. Only two days before the Arkansas City attack, the Water Information Sharing and Analysis Center (WaterISAC) issued a threat advisory warning of Russian-linked hacking groups targeting the water sector. The U.S. government also sanctioned two Russian cybercriminals last summer for their involvement in multiple cyberattacks, including one on a water storage facility in Texas, carried out while they were part of the Russia-linked “hacktivist” group Cyber Army of Russia Reborn (CARR). Researchers at Darktrace have previously expressed concern over the limitations of “air-gapped” security measures, especially for Operational Technology (OT): many threat actors successfully bypass air gaps through attack vectors such as supply chain compromise or misconfiguration, which can create unknown points of IT/OT convergence. SensCy recommends that all water agencies and water treatment facility owners review the EPA Guidance on Improving Cybersecurity at Drinking Water and Wastewater Systems to evaluate their cybersecurity practices and implement new measures to reduce their exposure. SensCy also recommends increasing collaboration between water agencies, federal entities, and private cybersecurity firms to improve information sharing about emerging threats and vulnerabilities.