By the CyberWire staff | Thecyberwire.com
At a glance
- Veterans’ private data exposed.
- Love in the time of alt-coin.
- Spearphishing in the aerospace and travel sectors.
Veterans’ data exposed in unprotected database.
Researcher Jeremiah Fowler discovered that cybercriminals likely gained access to the private data of hundreds of thousands of US veterans, Forbes reports. The data were essentially handed to them, stored in an unsecured storage database on the web. The database was owned by United Valor Solutions, a disability evaluation services provider for government agencies like the Veterans Administration. In addition to the sensitive data (including medical records) of 189,460 veterans, the database also contained unencrypted passwords for internal United Valor accounts, meaning attackers could easily use the credentials to infiltrate United Valor’s systems from the inside. To make matters worse, the storage bucket was configured in such a way that anyone could not only view the data, but also modify or even remove records. It became clear to Fowler that attackers had already found the goldmine when, buried among the records, he came upon a ransom note demanding 0.15 bitcoin (or about $8,400) in exchange for not releasing the records to the public. Fowler immediately informed United Valor of his findings, and they secured the data the very next day, but it’s likely the damage had already been done.
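The misconfiguration described above (a storage bucket that anyone could read, modify or delete from) is something a bucket-policy audit catches before a researcher or an extortionist does. The Python below is an added example, not code from the article or from United Valor; it assumes the AWS S3 bucket-policy document layout, which the article does not specify, and the policies, bucket name and account id it contains are constructed.

```python
import json
from fnmatch import fnmatchcase
from typing import Any, Dict, List

# Constructed policy documents in the AWS S3 bucket-policy layout (assumption: the
# article does not name the cloud provider). Bucket name and account id are made up.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-records",
                      "arn:aws:s3:::example-records/*"]},
        {"Sid": "PublicWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-records/*"},
    ],
})

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/records-app"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-records/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-records",
                      "arn:aws:s3:::example-records/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# Actions that let an anonymous caller read, modify or remove records.
READ_ACTIONS = {"s3:getobject", "s3:listbucket"}
WRITE_ACTIONS = {"s3:putobject"}
DELETE_ACTIONS = {"s3:deleteobject", "s3:deleteobjectversion"}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal: Any) -> bool:
    """True when the statement's Principal is the wildcard (everyone)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _grants(patterns: List[str], actions: set) -> bool:
    """Case-insensitive match of policy action patterns (e.g. 's3:*', 's3:Get*')."""
    return any(fnmatchcase(a, p.lower()) for p in patterns for a in actions)


def public_grants(policy_json: str) -> Dict[str, List[str]]:
    """Audit a bucket policy for Allow statements open to everyone.

    Returns the Sids granting anonymous read, write and delete. Public statements
    that carry a Condition go under 'review': the condition may or may not narrow
    them, so they need a human look rather than an automatic verdict."""
    findings: Dict[str, List[str]] = {"read": [], "write": [], "delete": [], "review": []}
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            findings["review"].append(sid)
            continue
        patterns = [str(p) for p in _as_list(stmt.get("Action", []))]
        if _grants(patterns, READ_ACTIONS):
            findings["read"].append(sid)
        if _grants(patterns, WRITE_ACTIONS):
            findings["write"].append(sid)
        if _grants(patterns, DELETE_ACTIONS):
            findings["delete"].append(sid)
    return findings


def is_world_modifiable(policy_json: str) -> bool:
    """The condition the article describes: anyone can alter or remove records."""
    f = public_grants(policy_json)
    return bool(f["write"] or f["delete"])


if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, public_grants(doc), "world-modifiable:", is_world_modifiable(doc))
```

The bucket policy is only one of the places public access can be granted; a complete audit also reads the bucket ACL and the account-level public access block, which this example does not parse. The hardened policy also shows the companion fix for the second problem in the story: once only a named application role can reach the records, credentials for other internal systems have no reason to be stored alongside them.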
Several industry experts emailed comments on the incident. Saryu Nayyar, CEO of Gurucul, thinks it likely that there is more to the story:
“If the researcher found this database of 200,000 medical records, then who knows who else may have also found it and made off with the highly sensitive PII data of veterans. United Valor does not appear to be in control of the situation. They claim only two IP addresses accessed the data: United Valor’s and the researcher’s. That sounds doubtful. All in all, this is a troublesome discovery, especially given the sensitivity of the data.”
Dr. Chenxi Wang, General Partner at Rain Capital, also thinks there may be more going on here:
“It is entirely possible that the United Valor systems had already been penetrated and infected by malware/ransomware. We are seeing a change in the tactics of ransomware attacks. Instead of encrypting data and asking for a ransom, more ransomware attacks have been threatening to expose data instead. This happened with the recent Japanese toolmaker ransomware attack.
“The data could show up on the darknet if the perpetrator’s goal is fetching a handsome price for it, as health records are a much more attractive target than credit card data these days. Health records can sell for $150/record while credit card data is only a few dollars per record. Usually such security incidents are not isolated. Once you discover some symptoms, you probably already had multiple incidents or breaches.”
Tom Garrubba, CISO at Shared Assessments, thinks the incident looks like a case of poor application design and development:
“The only explanation for having a database publicly exposed is due to poor application design and development. It might also indicate that United Valor practices poor internal cyber hygiene as it appears that “the data has only been accessed via our internal IP and yours.” This could be an indicator as to the presence of an internal threat. There are numerous tools and logging functionality available to monitor such internal threats and it appears these are non-existent in the United Valor IT toolbox or, they exist but are poorly utilized. Such tools could have helped identify when the “ransomware” occurred and proved useful in their follow-up investigations.
“It depends on the type of malware installed by the threat actor and the techniques employed to bypass any existing controls.
“It is possible that a ransomware incident and the exposed databases are related. In many cases poorly designed and tested application controls provide easily accessible gateways for threat actors to get to their targets: networks, systems, and data.
“This data could wind up on the dark net – for sale to the highest bidder. Such sensitive personal and health information is a ripe target for “Robin Hood theft” – a form of medical ID theft – which is rampant in the healthcare industry due to its difficulty in catching the user fraud in a timely manner. Such information carries a high price tag in the dark web.
“In many cases, threat actors will not only steal the data but install backdoors for stealthy access to the network and systems and even install other types of malware which often go hidden for a long time. This incident could lead to discovery of additional security issues.
“This shows why organizations must practice good cyber hygiene and test all components that are public facing. They also must employ time-tested cyber security strategies, tools and techniques when protecting such sensitive data.”
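Garrubba's point that logging could have shown when the tampering occurred, and Nayyar's doubt about the claim that only two IP addresses touched the data, are both questions an access log answers directly. The Python below is an added example and not code from the article or from any of the quoted companies; it assumes the AWS S3 server access log layout, trimmed to its leading fields, and the log lines, IP addresses and file names in it are constructed.

```python
import re
from collections import Counter
from typing import Any, Dict, NamedTuple, Optional

# Constructed log lines in the leading fields of the AWS S3 server access log layout
# (assumption; real lines carry further trailing fields, which are ignored here):
# owner bucket [time] remote_ip requester request_id operation key "request_uri"
# status error bytes_sent object_size total_ms turnaround_ms "referrer" "user_agent"
# IPs come from documentation ranges and the file names are made up.
SAMPLE_LOG = """\
owner1 example-records [06/Feb/2021:09:00:01 +0000] 192.0.2.10 arn:aws:iam::123456789012:role/records-app REQ1 REST.GET.OBJECT records/1.json "GET /records/1.json HTTP/1.1" 200 - 512 512 12 10 "-" "records-app/1.0"
owner1 example-records [06/Feb/2021:09:05:44 +0000] 203.0.113.7 - REQ2 REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 98304 - 40 38 "-" "Mozilla/5.0"
owner1 example-records [06/Feb/2021:09:06:10 +0000] 203.0.113.7 - REQ3 REST.GET.OBJECT records/1.json "GET /records/1.json HTTP/1.1" 200 - 512 512 9 8 "-" "Mozilla/5.0"
owner1 example-records [06/Feb/2021:11:42:03 +0000] 198.51.100.23 - REQ4 REST.PUT.OBJECT ransom-note.txt "PUT /ransom-note.txt HTTP/1.1" 200 - - 214 15 11 "-" "python-requests/2.25"
owner1 example-records [06/Feb/2021:11:42:05 +0000] 198.51.100.23 - REQ5 REST.DELETE.OBJECT records/2.json "DELETE /records/2.json HTTP/1.1" 204 - - - 7 6 "-" "python-requests/2.25"
"""

# Fields are whitespace-separated except the bracketed timestamp and quoted strings.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')
# Operation prefixes that change bucket contents (adding, replacing or removing objects).
_MUTATING = ("REST.PUT.", "REST.POST.", "REST.DELETE.", "REST.COPY.")


class Request(NamedTuple):
    time: str
    remote_ip: str
    requester: str   # "-" means the request carried no credentials at all
    operation: str
    key: str
    status: str


def parse_line(line: str) -> Optional[Request]:
    """Pull the fields this audit needs out of one log line; None if it is not one."""
    f = _TOKEN.findall(line)
    if len(f) < 10:
        return None
    return Request(f[2].strip("[]"), f[3], f[4], f[6], f[7], f[9])


def audit_access_log(text: str) -> Dict[str, Any]:
    """Summarise who touched the bucket and when anonymous tampering began."""
    requests = [r for r in map(parse_line, text.splitlines()) if r]
    anonymous = [r for r in requests if r.requester == "-"]
    # Only successful (2xx) unauthenticated mutations count as tampering.
    writes = [r for r in anonymous
              if r.operation.startswith(_MUTATING) and r.status.startswith("2")]
    return {
        "distinct_ips": sorted(Counter(r.remote_ip for r in requests)),
        "anonymous_requests": len(anonymous),
        "anonymous_ips": sorted({r.remote_ip for r in anonymous}),
        "anonymous_writes": writes,
        "first_anonymous_write": writes[0] if writes else None,
    }


if __name__ == "__main__":
    summary = audit_access_log(SAMPLE_LOG)
    print("IPs seen:", summary["distinct_ips"])
    print("unauthenticated requests:", summary["anonymous_requests"], "from", summary["anonymous_ips"])
    first = summary["first_anonymous_write"]
    if first:
        print("first anonymous modification:", first.time, first.operation, first.key)
```

Run against the sample, the audit lists three source addresses rather than two, two of them unauthenticated, and pins the first anonymous modification (the note dropped into the bucket) to a timestamp. That is the evidence an investigation needs to separate "a researcher looked" from "someone altered records", and it only exists if access logging was switched on before the incident.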
Baber Amin, COO of Veridium, comes back to zero trust:
“An incident is discovered either by looking for it, or being notified of it. I am sure that United Valor is going through the authentication and access logs to confirm who had access and whether all access is accounted for and mapping to authorized persons. If access was obtained via a stolen credential, that will make it a bit more challenging to track. This is one reason why organizations are moving away from static credentials like passwords. You can’t steal something if it doesn’t exist.
“It is always possible that the veterans’ data contained in this exposed database could eventually show up on the darknet, since the data was available publicly. The mystery is how the data got there, and who was involved in that chain.
“This could be a “tip of the iceberg” if the data exposure was done via an attack, but if it was put out in public due to an internal security failure or error, then it may just be a one-off mistake. Our advice to organizations is to follow zero trust principles and:
- “Implement passwordless for employees
- “Use a layered security approach using biometrics, FIDO2 keys, device biometrics
- “Utilize risk signals to match an authenticated session with the risk associated with information/resource/service being accessed
- “Encrypt all sensitive information at rest and in transit
- “Eliminate all extra standing privileges”