Cybersecurity Saturday

From Capitol Hill, the Senate Homeland Security and Governmental Affairs Committee will hold a full Committee hearing to examine cybersecurity risks to the healthcare sector. The hearing will occur on Thursday, March 16, 2023, at 10 am.

Among the topics at the hearing will be a serious cybersecurity breach at DC Health Link, which runs the District of Columbia's health insurance marketplace under the Affordable Care Act (“ACA”). In the ACA, Congress shifted health benefits coverage for its members and senior staffers from the FEHB Program to the ACA marketplace, which is why congressional enrollee data sits in this exchange. Of note, Congress was directly hit by the OPM breach and now by this one.

Axios explains

A hacker who uses the pseudonym “Denfur” is selling a database they claim includes stolen sensitive data from at least 55,000 customers of D.C.’s health insurance marketplace, including members of Congress and their staffs.

Driving the news: Congressional leaders started warning lawmakers on Wednesday about the breach at DC Health Link and suggested they freeze their credit while an investigation continues.

  • DC Health Link, which confirmed the breach and dark web leaks in a statement, helps all city residents purchase health insurance, not just members of Congress.

What’s happening: Researchers at Check Point Research told Axios Thursday that a malicious hacker had posted the database for sale on the “biggest English-speaking dark web hacking forum.” The member claims the database includes sensitive data from thousands of customers, including Social Security numbers, birthdates and home addresses.

  • Denfur is now selling the stolen database for just “a few dollars,” researchers noted. Denfur signed off the post with “Glory to Russia!”
  • CyberScoop reports that a sample of the stolen data includes information about former defense officials and lobbyists, and the Associated Press reported it was able to authenticate data belonging to two victims in the set.
  • Axios has seen the dark web post, which was still live as of Friday morning.

Cyberscoop adds,

A person using the moniker “IntelBroker” first posted the stolen data on March 6 to an online forum, where data breaches are publicized and data is either published for download or offered for sale. That post was subsequently pulled down, and “IntelBroker” is now listed permanently banned. 

Three days later, on March 9, a second user going by the name “Denfur” — whose signature on the site reads “Glory to Russia!” — posted what they claimed was the full database, along with a sample that includes 200 entries. The full dataset includes 67,565 unique entries and about 55,000 “unique people,” Denfur claimed. 

At about midday Thursday Denfur also claimed that “the intended target WAS U.S. Politicians and members of U.S. Government.” The quote appeared alongside a link to a news story about the incident quoting House of Representatives Chief Administrative Officer Catherine Szpindor as saying that the members of Congress were not the specific target of the attack.

From the cybersecurity risks / vulnerabilities front —

Tech Republic tells us,

CrowdStrike, a cybersecurity firm that tracks the activities of global threat actors, reported the largest increase in adversaries it has ever observed in one year —  identifying 33 new threat actors and a 95% increase in attacks on cloud architectures. Cases involving “cloud-conscious” actors nearly tripled from 2021.

“This growth indicates a larger trend of e-crime and nation-state actors adopting knowledge and tradecraft to increasingly exploit cloud environments,” said CrowdStrike in its 2023 Global Threat Report.

Besides the raft of new threat actors in the wilds that it pinpointed, CrowdStrike’s report also identified a surge in identity-based threats, cloud exploitations, nation-state espionage and attacks that re-weaponized previously patched vulnerabilities. * * *

Last week’s revelation of an attack on password manager LastPass, with 25 million users, says a lot about the difficulty of defending against data thieves entering either by social engineering or vulnerabilities not usually targeted by malware. The insurgency, the second attack against LastPass by the same actor, was possible because the attack targeted a vulnerability in media software on an employee’s home computer, releasing to the attackers a trove of unencrypted customer data.

The Cybersecurity and Infrastructure Security Agency (CISA) added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on March 7, 2023, and two more on March 10. Bleeping Computer provides its perspective here.
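The KEV catalog is published as a JSON feed, and the practical question for a defender each time entries are added is "which of these are in my environment, and how long do I have?" The following is an added example, not code from the source or from CISA: it parses a catalog in the shape of CISA's known_exploited_vulnerabilities.json feed (top-level `vulnerabilities` array with `cveID`, `vendorProject`, `product`, `vulnerabilityName`, `dateAdded`, `shortDescription`, `requiredAction`, `dueDate`, `notes`), pulls the entries added in a date window, and joins them against a list of CVE IDs from a scanner export. The catalog content and the CVE IDs below are constructed placeholders, not real KEV entries.

```python
"""Filter a KEV-shaped catalog by dateAdded and join it against a CVE inventory.

Added example. SAMPLE_KEV_JSON is a constructed sample that only mirrors the
public feed's field names; the CVE IDs, vendor and product names are placeholders.
"""
import json
from datetime import date

# Constructed sample in the shape of CISA's known_exploited_vulnerabilities.json.
SAMPLE_KEV_JSON = """
{
  "title": "Constructed sample in the shape of the CISA KEV feed",
  "catalogVersion": "2023.03.10",
  "dateReleased": "2023-03-10T12:00:00.0000Z",
  "count": 4,
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Example Gateway",
     "vulnerabilityName": "Example Gateway Placeholder Vulnerability",
     "dateAdded": "2023-03-07", "shortDescription": "Placeholder description.",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2023-03-28", "notes": ""},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Example Agent",
     "vulnerabilityName": "Example Agent Placeholder Vulnerability",
     "dateAdded": "2023-03-07", "shortDescription": "Placeholder description.",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2023-03-28", "notes": ""},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Other Server",
     "vulnerabilityName": "Other Server Placeholder Vulnerability",
     "dateAdded": "2023-03-10", "shortDescription": "Placeholder description.",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2023-03-31", "notes": ""},
    {"cveID": "CVE-0000-0004", "vendorProject": "OtherVendor", "product": "Other Client",
     "vulnerabilityName": "Other Client Placeholder Vulnerability",
     "dateAdded": "2023-02-01", "shortDescription": "Placeholder description.",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2023-02-22", "notes": ""}
  ]
}
"""


def load_catalog(text):
    """Parse the feed and return its vulnerability entries.

    The feed carries its own `count`; a mismatch with the array length is the
    cheapest way to catch a truncated or partially written download.
    """
    feed = json.loads(text)
    entries = feed["vulnerabilities"]
    if feed.get("count") != len(entries):
        raise ValueError(f"feed count {feed.get('count')} != {len(entries)} entries")
    return entries


def added_between(entries, start_iso, end_iso):
    """Entries whose dateAdded falls in [start, end] inclusive (ISO dates)."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    return [e for e in entries if start <= date.fromisoformat(e["dateAdded"]) <= end]


def triage(entries, inventory_cves, today_iso):
    """Join KEV entries against CVE IDs observed in an environment.

    Returns a dict with:
      'overdue'    - KEV CVEs present in inventory whose dueDate has passed
      'due'        - {cve: days remaining} for KEV CVEs present and not yet overdue
      'not_in_kev' - inventory CVEs that the catalog does not list
    """
    today = date.fromisoformat(today_iso)
    by_id = {e["cveID"]: e for e in entries}
    overdue, due = [], {}
    for cve in sorted(inventory_cves):
        entry = by_id.get(cve)
        if entry is None:
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        if days_left < 0:
            overdue.append(cve)
        else:
            due[cve] = days_left
    not_in_kev = sorted(set(inventory_cves) - by_id.keys())
    return {"overdue": overdue, "due": due, "not_in_kev": not_in_kev}


if __name__ == "__main__":
    catalog = load_catalog(SAMPLE_KEV_JSON)
    # Constructed scanner output: CVE IDs seen on hosts in the environment.
    inventory = {"CVE-0000-0001", "CVE-0000-0003", "CVE-0000-0004", "CVE-0000-0005"}
    for e in added_between(catalog, "2023-03-07", "2023-03-10"):
        print(f"added {e['dateAdded']}: {e['cveID']} ({e['vendorProject']} {e['product']}), due {e['dueDate']}")
    print(triage(catalog, inventory, "2023-03-11"))
```

Against a live download, swap `SAMPLE_KEV_JSON` for the feed body; the `count` check is worth keeping because a partial download otherwise silently shrinks the catalog and hides entries.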

Tech Republic also highlights a cybersecurity report from the World Economic Forum that is worth a gander.

From the ransomware front

Tech Republic informs us, based on the CrowdStrike report, that cybercriminals are shifting tactics from ransomware encryption to data exfiltration and extortion, as happened at DC Health Link. “There was a 20% increase in the number of adversaries conducting data theft and extortion last year, by CrowdStrike’s reckoning.”

HHS’s Health Sector Cybersecurity Coordination Center (HC3) issued a threat alert on data exfiltration trends in the healthcare sector on March 9.

Here’s a link to Bleeping Computer’s The Week in Ransomware.

From the cybersecurity defenses front —

Health IT Security reports

HHS, through the Administration for Strategic Preparedness and Response (ASPR), and the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group released the Cybersecurity Framework Implementation Guide to help the healthcare sector manage cybersecurity risks amid an increasingly sophisticated threat landscape.

The guide aims to help healthcare organizations align their cyber programs with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). * * *

The publication is not intended to replace other cybersecurity programs or provide a roadmap to compliance, the guide states. Rather, the voluntary guidance can help healthcare organizations bolster their existing programs and ideally reduce risk by aligning the healthcare sector with NIST’s robust framework.  

Bank Info Security points out that “In addition to the new joint NIST cybersecurity framework toolkit, the Health Sector Coordinating Council and HHS are also close to completing an update of a joint 2019 publication, Health Industry Cybersecurity Practices.”