Medical Records of 750,000 Patients Compromised in Oregon
The Oregon Anesthesiology Group (OAG) announced this past week that it suffered a ransomware attack in July of 2021. The incident involved a two-pronged attack in which attackers first targeted the records of some 750,000 OAG patients and 552 past and current OAG employees. The records were exfiltrated prior to the attackers launching a ransomware attack. The encryption attack locked OAG out of its own servers, forcing Internal IT to rebuild their server infrastructure from the ground up with the help of off-site backups which managed to escape the attack. An outside cybersecurity consulting group was brought in to aid in the remediation and investigation. On October 21, the FBI contacted OAG to inform them that they had been a victim of a data breach. The compromised data was comprised of patient information that included names, addresses, medical record numbers, insurance provider names and insurance ID numbers. Compromised employee data included names, addresses, social security numbers and other W-2 information.
|IDENTIFY INDICATORS OF COMPROMISE (IOC)
The FBI informed OAG in October that it had seized an account belonging to a Ukrainian ransomware group called Hello Kitty. Hello Kitty was first identified in 2020, and has actively participated in multiple attacks throughout 2021. It is believed that the attackers exploited a vulnerability in OAG’s firewall as the group is known for targeting SonicWall products. Once inside, the attackers were able to data-mine the credentials of an OAG administrator. Using this account, they used penetration tool applications to probe and map the network. They were then able to obtain additional escalated privileges that were used to access the datastores and extract the desired records. Once all the data was transferred, Hello Kitty encrypted everything with ransomware. This is a common attack method for the Hello Kitty actors who demand Bitcoin ransoms that are tailored to each victim to an amount that they believe the organization can afford. If the victim fails to pay the ransom, the stolen data is then posted on the dark web or sold to a third-party data broker. The criminal gang is also known to launch distributed denial of service (DDoS) attacks in the event of nonpayment. The FBI has posted an alert about Hello Kitty that includes a list of .exe files that are Hello Kitty’s signature identity indicators.
|CONTAINMENT (If vulnerable or IOCs are identified)
OAG decided to replace its breached firewall and they have expanded their use of multifactor authentication (MFA). Besides replacement of the firewall, OAG could have patched the known vulnerabilities of CVE-2021-20016, CVE-2021-20021, CVE-2021- 20022, and CVE-2021-20023. Victims of the data breach are being provided 12 months of Experian identity protection services and credit monitoring as well as a $1 million identity theft insurance policy. All victims have been advised to be vigilant about cybersecurity hygiene and be on the lookout for scams involving email, text, or phone calls. Employees whose social security numbers were compromised are being urged to contact the Social Security administration.
|REMEDIATION (If IOCs are identified)
OAG was able to recover from the initial ransomware attack because they were able to restore their infrastructure and data from their backups. An effective backup system is the most important component of a ransomware prevention strategy. The FBI recommends that you either store your backups in the cloud or on external drive storage that is properly segmented from the rest of the network, preferably offline. Hello Kitty is known to use compromised credentials to infiltrate networks as well, so having a way to monitor compromised credentials as they are reported can give you the needed heads-up to change these credentials. Multifactor authentication is highly recommended as is the perpetual practice of keeping all computers, applications, and devices such as firewalls patched and up to date. If you detect the presence of a ransomware attack, you should immediately isolate the infected system or area. Shutdown and power off all connectable devices and then physically segment the infected machines from the network. Unless your firm is highly experienced in ransomware remediation and forensic investigation, you should obtain the services of an outside firm that specializes in this area.
If you would like to speak with HALOCK concerning this zero-day vulnerability, need assistance with analysis, or would like to further protect you web applications, please reach out to your HALOCK account manager or chat with us online at www.halock.com to schedule a call with one of our security experts.