The Week in Breach News: 03/22/23 – 03/28/23
This week: Cl0p’s exploit spree continues, utilities get nailed in Puerto Rico and Guam, and a trio of healthcare sector breaches expose patient data. Plus, get to know EDR and its benefits for businesses.
How much is data really worth on the dark web? Find out in The IT Professionals Guide to the Dark Web! GET EBOOK>>
The City of Oak Ridge, Tennessee
https://www.scmagazine.com/brief/ransomware/ransomware-attack-disrupts-tennessee-city
Exploit: Ransomware
The City of Oak Ridge, Tennessee: Municipal Government
Risk to Business: 1.702 = Severe
Officials in the City of Oak Ridge, TN, have disclosed that the city has been hit by a ransomware attack that has caused a network disruption that has impacted city services. Officials were quick to reassure citizens that the Oak Ridge Police Department and the city’s fire department could still be contacted through 911 and weren’t affected. However, the city was left unable to process utility payments due to the malware attack, noting that disconnect orders and late fees will not be added during the outage. Officials say that they are working to restore services as quickly as possible.
How It Could Affect Your Customers’ Business: Governments at every level continue to be popular targets for ransomware groups.
Kaseya to the Rescue: Learn more about how our Security Suite can help MSPs protect their clients from expensive and damaging cyberattacks and other information security trouble. GET IT>>
Puerto Rico Aqueduct and Sewer Authority (PRASA)
https://securityaffairs.com/144022/hacking/puerto-rico-aqueduct-and-sewer-authority-attack.html
Exploit: Ransomware
Puerto Rico Aqueduct and Sewer Authority (PRASA): Utility
Risk to Business: 2.711 = Moderate
The Vice Society ransomware group has claimed responsibility for a ransomware attack on the Puerto Rico Aqueduct and Sewer Authority (PRASA). Officials disclosed the attack on March 19, saying that threat actors had gained access to customer and employee information. People impacted are being informed by letter. Utility services were not affected.
How It Could Affect Your Customers’ Business: 14 of 16 critical infrastructure sectors were hit by ransomware attacks last year.
Kaseya to the Rescue: Develop an effective, efficient incident response plan with the tips in our guide How to Build an Incident Response Plan. GET YOUR GUIDE>>
Kroger Postal Prescription Services
https://www.jdsupra.com/legalnews/kroger-postal-prescription-services-4845634/
Exploit: Human Error
Kroger Postal Prescription Services: Pharmacy Delivery Service
Risk to Business: 1.706 = Severe
Kroger Postal Prescription Services (PPS) has filed a notice of a data breach. In a report to the Department of Health and Human Services, PPS noted that 82,466 Kroger customers who created online PPS accounts from July 2014 to Jan. 13, 2023, had their names and email addresses compromised due to an employee error. PPS said that on March 15, 2023, they sent out data breach letters to all individuals whose information was compromised.
How It Could Affect Your Customers’ Business: Employee errors are a gateway to expensive, damaging data breaches and other cybersecurity problems, and training reduces them.
Kaseya to the Rescue: Learn how security awareness training can help businesses combat security risks from phishing to employee mistakes. LEARN MORE>>
SundaySky Inc.
https://www.jdsupra.com/legalnews/sundaysky-inc-notifies-37-095-consumers-9885854/
Exploit: Hacking
SundaySky Inc.: Video Marketing Platform
Risk to Business: 1.623 = Severe
SundaySky Inc., a video marketing software company based in New York, has admitted that it suffered a data breach after hackers broke into a few of its servers. The company said that an unauthorized party had accessed its cloud-based U.S. servers and copied certain files between January 6 and January 8, 2023. SundaySky works with healthcare providers, including health plans, to create marketing videos. Consumer information was accessed in the incident, including consumers’ first names, personal email addresses and information related to their Healthcare Savings Accounts. The company said that it is working with federal law enforcement to investigate the incident.
How It Could Affect Your Customers’ Business: Companies that are adjacent to the healthcare industry need to maintain a strong security posture to avoid expensive disasters.
Kaseya to the Rescue: Dark web data and other dark web-related risks are big threats to businesses. Learn more about them in our infographic 5 Ways the Dark Web Can Harm Businesses. GET IT>>
US Wellness
Exploit: Supply Chain Attack
US Wellness: Healthcare Provider
Risk to Business: 2.899 = Moderate
Blue Cross Blue Shield of Arizona (BCBSAZ) members are being informed that their personal data may have been compromised in a data breach involving a vendor of BCBSAZ, US Wellness. In turn, US Wellness points to one of its vendors as the source of the data breach. US Wellness says that it was informed on January 31, 2023, that an unnamed vendor had experienced a data breach. Ultimately, US Wellness was informed on February 9, 2023, that the vendor’s incident resulted in the exposure of personal data belonging to BCBSAZ members. Information impacted includes a member’s name, address, date of birth, member ID number, where a service originated and address of the service location.
How it Could Affect Your Customers’ Business: Supply chain risk, especially from service providers, is a top concern for businesses as it continues to grow.
Kaseya to the Rescue: Managed SOC helps overtaxed security teams detect and address security issues without spending on additional equipment or expanding the payroll. LEARN MORE>>
Twitter
https://www.theverge.com/2023/3/27/23657928/twitter-source-code-leak-github
Exploit: Malicious Insider
Twitter: Social Media Platform
Risk to Business: 1.709 = Severe
Troubled social media giant Twitter has disclosed that some proprietary source code for Twitter’s platform and internal tools was exposed via GitHub. Twitter recently made a court filing in California to force GitHub to turn over data that could help the platform find the person responsible for the leak and give them information about any other GitHub users who may have downloaded the data. Twitter has also asked GitHub to take down the code. The New York Times reports that Twitter sources tell them that the company suspects that an employee who left the company last year may be responsible for the leak. GitHub has not commented on whether or not it would comply with Twitter’s request, but the information has apparently been available for several months. Twitter no longer has a press office to respond to inquiries, a casualty of the Elon Musk takeover.
How it Could Affect Your Customers’ Business: Disgruntled employees are a huge security risk, and many take proprietary data with them when they leave a company.
Kaseya to the Rescue: See the biggest SMB security challenges and decision-maker attitudes toward security, training and more in the Kaseya Security Insights Report. DOWNLOAD IT>>
Find out about five of today’s biggest dark web threats to businesses in this infographic. DOWNLOAD IT>>
The City of Toronto
Exploit: Supply Chain Attack
The City of Toronto: Municipal Government
Risk to Business: 1.836 = Severe
The Cl0p ransomware group has been on a cyberattack spree after turning its sights to exploiting a remote code execution flaw in Fortra’s GoAnywhere secure file transfer tool. The latest victim added to the list is the City of Toronto, Canada. The city confirmed on March 23, 2023, that it has experienced a data breach through an attack on a third-party vendor, resulting in the exposure of unspecified city data. The city says that it is in the early stages of its investigation, and it has not yet uncovered evidence that consumer data was impacted. Over 100 organizations have been hit by Cl0p in this crime wave including two others recently added to the gang’s dark web leak site, Virgin Red and the UK’s Pension Protection Fund (PPF).
How it Could Affect Your Customers’ Business: Once a bad actor finds a juicy exploit, they’ll hammer at it until it stops working. Patching and regular maintenance can help reduce risk.
Kaseya to the Rescue: The Cybersecurity Risk Protection Checklist helps businesses make sure that they’re covering all of their security bases. GET CHECKLIST>>
UK – Walsall Healthcare NHS Trust
https://www.birminghammail.co.uk/black-country/walsall-healthcare-nhs-trust-dealing-26542780
Exploit: Hacking
The Walsall Healthcare NHS Trust: Healthcare Provider
Risk to Business: 2.733 = Moderate
The Walsall Healthcare NHS Trust, the operator of Walsall Manor Hospital, said that it has been hit by a cyberattack. The incident began two weeks ago on March 10, although it was only made public last Thursday, and it has since been contained. Hospital operations did not appear to be impacted. Signs point to a data breach, but exactly what data has been stolen was not specified. Hospital officials said that they are working with the U.K.’s National Cyber Security Centre and the Information Commissioner’s Office (ICO) to investigate the incident.
How it Could Affect Your Customers’ Business: This hospital got lucky; bad actors have been pounding hospitals with ransomware.
Kaseya to the Rescue: Most ransomware attacks start with phishing. See how Graphus protects businesses from phishing danger in this infographic. DOWNLOAD INFOGRAPHIC>>
Alliance Healthcare
Exploit: Ransomware
Alliance Healthcare: Pharmaceutical Company
Risk to Business: 1.733 = Severe
Spain’s leading pharmaceutical company, Alliance Healthcare, has experienced a likely ransomware attack. The company said that the attack began on March 17 and led to a complete shutdown of the company’s website, billing systems and ordering processes. The incident has led to drug supply shortages due to the snarled ordering and shipping systems as pharmacies scramble to resupply from other drug companies. Those delays and outages may linger. The incident remains under investigation.
How it Could Affect Your Customers’ Business: Pharmaceutical companies have two major cyberattack risk factors: they’re suppliers and in the hard-hit healthcare sector.
Kaseya to the Rescue: Learn how to achieve complete endpoint security in a flash without blowing up your budget with antivirus and Datto EDR in this information sheet. DOWNLOAD IT>>
Go inside BEC scams & get tips to keep businesses safe from today’s most expensive cyberattack. DOWNLOAD EBOOK>>
Guam – Docomo Pacific
Exploit: Hacking
Docomo Pacific: Telecommunications Provider
Risk to Business: 1.733 = Severe
Docomo Pacific, a major provider of mobile, television, internet and telephone services in Guam and the Northern Mariana Islands, has experienced a cyberattack that has negatively impacted its systems. The company disclosed that the March 18, 2023 attack led to customers throughout the region losing some of their services. The company stressed that customer data, mobile network services and fiber services remain unaffected. Some services were restored over the weekend, but the company has not offered a timeline for other services being restored after a Facebook post with a service restoration update was inundated with comments from angry customers.
How it Could Affect Your Customers’ Business: Communications companies are infrastructure targets too, an attractive proposition for bad actors because of the time-sensitive nature of their business.
Kaseya to the Rescue: Find the right security awareness training solution for your clients and your MSP with our Security Awareness Training Buyer’s Guide for MSPs. DOWNLOAD IT>>
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
Risk scores for The Week in Breach are calculated using a formula that considers a range of factors for each incident.
Don’t miss the industry’s best event, Connect IT Global April 24 – 27, 2023, in Las Vegas! REGISTER NOW>>
Now Get FREE Ransomware Detection with Managed SOC
What is one of today’s biggest security fears for businesses? Ransomware. That’s why we’ve developed an amazing new ransomware detection capability that we’re providing free for our Managed SOC customers.
This new technology is state of the art and not only detects encryption events, but it also takes immediate mitigating action to prevent the full encryption of an affected system. Plus, our SOC is immediately alerted to the incident, enabling our experts to take immediate action to mitigate and neutralize the threat. With managed SOC, MSPs also have the flexibility to configure automatic response options that allow them to isolate the infected device and stop the ransomware attack, limiting the spread of the attack to minimize damage and downtime.
Explore the awesome benefits of Kaseya Managed SOC. LEARN MORE>>
Book a demo and a FREE trial of Kaseya Managed SOC. SCHEDULE DEMO>>
This infographic helps IT professionals get the most out of a security awareness training solution. DOWNLOAD IT>>
The Evolution of Endpoint Detection and Response (EDR): Datto EDR Buyers Guide
Many of today’s cybercriminals can bypass traditional defenses at will. This leaves businesses exposed to ransomware, credential harvesting and other types of attacks that can cost $8,000 per hour from the time of the known attack to remediation.
Learn how Datto EDR helps MSPs mitigate that danger for their customers easily and affordably.
Datto EDR provides effective endpoint detection and response in an affordable, easy-to-use, manage and deploy package. Enjoy these unbeatable benefits:
- Unlike other EDR products that are built for large-scale enterprise SOC teams, Datto EDR eliminates common EDR issues, such as high-cost, management complexity and alert fatigue
- Datto EDR is purpose-built for MSPs and SMB customers
- This technology helps businesses meet compliance standards for many cyber insurers
Download your Datto EDR Buyer’s Guide. GET YOUR COPY>>
Did you miss… The Preventing Email Based Cyberattacks Checklist? DOWNLOAD IT>>
Learn about SMB attitudes toward cybersecurity and other growth opportunities for MSPs. GET INFOGRAPHIC>>
Give Your Clients Protection Against Attacks Anti-Virus Alone Might Miss
In today’s volatile threat landscape, businesses and MSPs need every advantage they can get. Endpoint detection and response (EDR) is a tool that gives them a big security boost fast. EDR is a layered, integrated endpoint security solution that monitors end-user devices continuously, collecting endpoint data and applying a rule-based automated response. EDR platforms record and remotely store system-level behaviors of endpoints, analyze these behaviors to detect suspicious activity and provide various response and remediation options. EDR agents collect and analyze data from endpoints, respond to threats that appear to have bypassed existing antivirus (AV) protections, and continue to analyze, detect, investigate, report and alert your security team to any potential threats. EDR is the ideal update to make to any security buildout, offering amazing value and unbeatable protection against threats that traditional antivirus solutions alone can miss.
Excerpted in part from The Evolution of Endpoint Detection and Response: Datto EDR Buyer’s Guide.
EDR Terminology Explained
These definitions of the abbreviations you may run across when exploring EDR can help clarify a very complex subject.
AV (Antivirus)
Antivirus solutions are solutions that prevent and classify file-based malware attacks. Legacy AV solutions typically use definitions or signatures of known malware, while advanced solutions utilize artificial intelligence methods to classify files. Classification is delivered in two forms: Real-time on-access scans and on-demand scans.
- On-access scans act in real-time to classify and allow or deny files as they are accessed, started or downloaded. Files that are denied are not allowed to run and are quarantined or deleted.
- On-demand scans perform full disk or partial disk scans for malicious software when requested by a user or on a scheduled basis. Files classified as malware are quarantined or deleted.
EDR (Endpoint detection and response)
Endpoint detection and response solutions (EDR) are defined as solutions that record and centrally store endpoint-system-level behaviors, use various data analytics techniques to detect suspicious system behavior, provide contextual information, block malicious activity and provide remediation suggestions to restore affected systems.
According to the technology analysis firm Gartner, who originally coined the term, EDR solutions must provide the following four primary capabilities:
- Detect security incidents
- Contain the incident at the endpoint
- Investigate security incidents
- Provide remediation guidance
An EDR solution can incorporate or be included with traditional endpoint protection (EPP) functionality, such as antivirus, or it can stand alone.
Endpoint protection platform (EPP)
An endpoint protection platform (EPP) is a solution deployed on endpoint devices to prevent file-based malware attacks, detect malicious activity and provide the investigation and remediation capabilities needed to respond to dynamic security incidents and alerts. EPP is often the umbrella term used for endpoint-based capabilities. Endpoint control and EDR can contain any combination of these capabilities (EDR is sometimes included in an optional module or premium tier of an EPP).
Learn how a new integration between BullPhish ID & Graphus saves time & money. SEE THE DETAILS>>
EDR FAQ
Here are answers to a few common questions about EDR and AV technology.
Aren’t traditional antivirus tools good enough?
Although antivirus (AV) tools are good and necessary for protecting endpoints from daily cyber threats, sophisticated threat actors can bypass AV at will by using a variety of attack techniques that standard AV simply cannot detect. This leaves many small and medium-sized businesses open to ransomware, fileless malware, credential harvesting, data loss and other cyberattacks. Mainstream AV products work well to stop common threats and should always be used to protect endpoints, but because they are signature-based, they often fail to catch zero-day threats, multistaged attacks or other types of sophisticated threats. Most traditional endpoint protection products protect endpoints by using a signature-based library of known threats and utilize advanced technologies, such as behavioral analysis, heuristics or machine learning, to catch advanced threats that bypass traditional AV solutions.
What about Microsoft Defender for the AV component?
Microsoft Defender has been a free, built-in feature of Windows platforms for many years and has grown into a top antivirus and prevention solution. However, it only provides basic, traditional protection. Although Microsoft Defender is included on Windows platforms, it is not configured to its full potential by default. A comprehensive EDR solution will offer a feature that applies and enforces recommended policies on Defender to make it equal to or better than most leading EPP vendors. It monitors Defender and correlates its alerts to EDR’s behavioral patterns to identify any attacks that slip past preventative controls.
The right EDR solution will have advanced capabilities that make it the perfect accompaniment to Defender, like identifying and mitigating threats posed by new malware as well as accurate logging and forensic information for security events. That platform will also give insights into endpoint activity and alert IT personnel quickly when it detects hundreds of specific user or machine behaviors associated with misuse and intrusions.
Find the right dark web monitoring solution for your customers & your MSP with this checklist! DOWNLOAD IT>>
Datto EDR – Endpoint Detection for SMBs Turnkey Technology and Security Expertise
Traditional EDR is complex. Nearly all EDR products are designed and built for the enterprise world. This makes them costly, cumbersome to deploy and manage, and highly complex, requiring a team of dedicated SOC analysts to effectively utilize, which most SMBs cannot afford or retain on staff. Without having trained staff, SMBs are left in the dark when it comes to quick remediation. Alert fatigue is real. To demonstrate their efficacy, most EDR products generate numerous alerts for SOC analysts to triage. This works fine for large SOC environments, but for most who have limited staff and/or training, spending time on numerous alerts is inefficient, often resulting in missed indicators of compromise.
Datto EDR is purpose built for small and medium-sized businesses. Datto EDR provides effective endpoint detection and response in an affordable, easy-to-use, manage-and-deploy package. Unlike other EDR products that are built for large-scale enterprise SOC teams, Datto EDR eliminates common EDR issues, such as high cost, management complexity and alert fatigue. Each alert comes with a quick, easy-to-execute set of response guidelines to support your team in isolating infected hosts, terminating processes and collecting additional evidence. Datto EDR also integrates with Datto RMM for efficient endpoint management. For SMBs who use the Kaseya IT Complete platform, Datto EDR integration eliminates the need to switch consoles for a seamless endpoint security experience.
Datto EDR and Microsoft Defender Antivirus
Datto EDR allows easy management of Microsoft Defender Antivirus to enable proactive, real-time endpoint protection with no need for additional agent installation. It identifies malware automatically based on suspicious and malicious behaviors at the endpoint, such as unusual processes, unexpected startup locations and modifications in registry keys, file system or file structure. Datto EDR enforces a secure configuration and adds monitoring capabilities, further enhancing endpoint protection.
Key prevention features:
- Block potentially unwanted applications
- Block risky DNS requests
- Quarantine threats
- Alert management inside EDR console
- Scheduled and ad hoc scans
- Manage exclusions
Datto EDR used in conjunction with Microsoft Defender Antivirus provides top value while reducing cybersecurity costs.
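To make the behavioral analysis described above concrete (recording endpoint events, flagging unexpected startup locations and registry Run-key changes, catching encryption events as in the Managed SOC ransomware detection, and attaching remediation guidance to each alert), here is an added Python example; it is not Datto EDR’s or Kaseya’s code, and the event schema, rule thresholds and telemetry below are constructed for illustration.

```python
"""Minimal EDR-style behavioral analysis over constructed endpoint telemetry.

Added example, not Datto EDR's or Kaseya's code. The event schema, the
directory/registry lists, the thresholds and SAMPLE_EVENTS are all assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# User-writable locations from which a newly dropped executable rarely starts legitimately.
SUSPICIOUS_EXEC_DIRS = ("\\AppData\\Local\\Temp\\", "\\Downloads\\", "C:\\Users\\Public\\")
# Autostart keys commonly modified for persistence (substring match also covers RunOnce).
PERSISTENCE_KEYS = ("\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",)
# File extensions that signal bulk encryption in this constructed scenario.
RANSOM_EXTS = (".locked", ".encrypted", ".crypt")
ENCRYPTION_BURST = 5   # renames by one process inside WINDOW_SECS that raise an alert
WINDOW_SECS = 10


@dataclass
class Alert:
    host: str
    rule: str
    pid: int
    guidance: str   # remediation guidance an analyst can act on


def analyze(events):
    """Return alerts for a time-ordered stream of endpoint events from EDR agents."""
    alerts = []
    renames = defaultdict(list)   # (host, pid) -> timestamps of ransomware-like renames
    for ev in events:
        host, pid, t = ev["host"], ev["pid"], ev["ts"]
        if ev["type"] == "process_start":
            image = ev["image"]
            if any(d.lower() in image.lower() for d in SUSPICIOUS_EXEC_DIRS):
                alerts.append(Alert(host, "exec_from_user_writable_dir", pid,
                                    f"Terminate {image} and collect the binary for analysis"))
        elif ev["type"] == "registry_set":
            if any(k.lower() in ev["key"].lower() for k in PERSISTENCE_KEYS):
                alerts.append(Alert(host, "run_key_persistence", pid,
                                    f"Remove value {ev['value_name']} from {ev['key']}"))
        elif ev["type"] == "file_rename":
            if ev["new_path"].lower().endswith(RANSOM_EXTS):
                recent = [x for x in renames[(host, pid)] if t - x <= WINDOW_SECS] + [t]
                renames[(host, pid)] = recent
                # Fire exactly once when the burst threshold is crossed, not on every rename.
                if len(recent) == ENCRYPTION_BURST:
                    alerts.append(Alert(host, "encryption_burst", pid,
                                        "Isolate host from the network and kill the process"))
    return alerts


# Constructed telemetry from one workstation: a benign start, then a dropper
# running from Temp, adding a Run key and renaming documents in a burst.
SAMPLE_EVENTS = [
    {"ts": 0, "host": "WS-042", "pid": 400, "type": "process_start",
     "image": r"C:\Program Files\Vendor\app.exe"},
    {"ts": 1, "host": "WS-042", "pid": 512, "type": "process_start",
     "image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"ts": 2, "host": "WS-042", "pid": 512, "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "Updater"},
] + [
    {"ts": 3 + i, "host": "WS-042", "pid": 512, "type": "file_rename",
     "new_path": rf"C:\Users\alice\Documents\report{i}.docx.locked"}
    for i in range(6)
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"{a.host} pid={a.pid} {a.rule}: {a.guidance}")
```

The benign process from Program Files produces no alert, while the dropper yields three alerts that each carry the kind of response guideline the text describes.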
This infographic explains how you can achieve complete endpoint security with EDR and AV. DOWNLOAD IT>>
Download our EDR Buyer’s Guide
Learn more about how the Kaseya Security Suite helps MSPs & their customers thrive in a dangerous world. GET BRIEF>>
Register Now for the ID Agent & Graphus Q2 Product Update on Tuesday, April 11, 2023, at 10:00 AM ET & 6:00 PM ET
This action-packed webinar will present the new features and enhancements that were delivered in Q1, the reasons behind our roadmap decisions and catch a preview of what’s to come in Q2 and for the rest of the year. REGISTER NOW>>
March 30: Kaseya + Datto Connect Local Boston REGISTER NOW>>
March 30: Kaseya + Datto Connect Local Melbourne REGISTER NOW>>
April 11: ID Agent & Graphus Q2 Product Update REGISTER NOW>>
April 18: Kaseya + Datto Connect Local London REGISTER NOW>>
April 24 – 27: Kaseya Connect Global in Las Vegas REGISTER NOW>>
June 26-28: DattoCon Europe REGISTER NOW>>
Read case studies of MSPs and businesses that have conquered challenges using Kaseya’s Security Suite. SEE CASE STUDIES>>
Do you have comments? Requests? News tips? Complaints (or compliments)? We love to hear from our readers! Send a message to the editor.
ID Agent Partners: Feel free to reuse this content. When you get a chance, email [email protected] to let us know how our content works for you!