Hospital Data Breached

Hospital Data Breach

Hackers will continue to pummel the sector with targeted attacks.

Have you heard the news about the most recent Chicago, Illinois area hospital data breach?  We’re referring to the article in the Chicago Tribune, By Lisa Schencker on December 31, 2019.  “Personal information of nearly 13,000 people may have been exposed in Sinai Health System data breach” Click here to view the article.

After reading this article many questions came to mind.  Who would hack a hospital system?  Are cyber attacks on hospitals becoming more frequent? Could a foreign hacker be targeting hospitals to conduct cyber warfare?  Could it be a disgruntled employee who maliciously wants to obtain patient electronic medical records (EMR) and target a particular patient?

It has been reported that 70% of hospital data breaches include sensitive demographic or financial information of that could lead to identity theft. The Sinai Health System data breach included 13,000 patients’ names, addresses, birth dates, Social Security numbers, health information or health insurance information were potentially exposed. 

One could easily assume that if a hacker was armed with this information, they could sell patient electronic medical records and financial data to the highest bidder. The potential for patient harm is exponential.

Data Breach Incident Response

What happens next? Computer Forensic Experts are called to initiate a data breach response. Experts start with immediately stopping the breach, accessing the damage, notifying those affected, conducting a security audit. Forensic experts create a recovery plan to prepare for future attacks.  Finally, Forensics experts train employees to protect the data and enforce strong passwords.

Computer Forensic Experts A.K.A. Cyber Security sleuths or electronic detectives are really excellent at detecting where and how the breach occurred and accessing the damage.  In cases of litigation due to a data breach or medical malpractice, Computer Forensics Experts are hired by law firms to serve as expert witnesses to help win the litigation. In addition, many hospitals hire Computer Forensic Experts to assist in auditing their records to prove their side of the case. 

Prepare a Data Breach Incident Response Plan

Looking forward to 2020. Cyber Forensic experts agree the entire sector needs to adjust its security approach to keep pace with hackers. The Department of Health and Services and many states may impose fines on those who are not following security guidelines. It’s vitally important to create a Data Breach Incident Response Plan.

Enigma Forensics are experts in Data Breach Incident Response. To learn more about Enigma Forensics read below.

If you think you have been breached…contact Enigma Forensics.com

Office 365 Chameleon Spearfish Malware Attacking Microsoft Users

Enigma Forensics cyber security and computer forensics expert, Lee Neubecker discovered a morphing piece of malware code named Chameleon Spearfish, that targets Microsoft Office 365 users. This notice is an effort to help Microsoft exchange administrators running Microsoft Office 365 identify the malware and protect their users from compromise. Microsoft issued an advisory last week alleging that Iranian hackers have been targeting Office 365 accounts.

Characteristics of the malware

The malware is spread when an Office 365 end user clicks on an emailed pdf attachment. Users who do not open the attachment but reply to the compromised sender may receive an auto reply directing them to a sharepoint.com subdomain website. The page appears to be the compromised organization’s download site and displays a protected by Norton logo.

Be Aware of Spearfish Malware

We have observed both the original inbound attachment and the outbound attachment that gets sent onward to the compromised user’s address book. Thus far, only users of Office 365 appear to be targeted. It appears that the malware checks the compromised user’s contacts and performs an mx record query to determine which contacts in the compromised user’s contact address book are hosting their email with Microsoft.

The inbound pdf conforms to an identifiable schema.

  1. The message uses the compromised user’s signature at the bottom of the email.
  2. The file attachment has a name similar to the following:
    “Proposal Invitation 10-7-2019.pdf”, “Proposal Note 10-8-2019.pdf”
  3. The hash values of the file attachment are unique and not reported as problematic at the time the malware is morphed.
  4. The body content of the message varies, but is designed to induce the user to click on the pdf suggesting it is a proposal for business.
  5. Users clicking the pdf are directed to the following website where the user is asked to provide their Office 365 Exchange Credentials.
  6.  One of the samples directed the user to a specific url on the following domain, https://adswbellc-my.sharepoint.com (Pinging this address resolves to 40.108.203.33, an Akamai IP address which may vary depending on the source computer performing the ping).
  7. Another of the samples when clicked directed the user to a link on the following subdomain https://netorgft2768825-my.sharepoint.com (Pinging this address resolves to 13.107.136.9 a microsoft.com IP address).
  8. Future instances of this may be uploading further documents to other compromised Office 365 SharePoint websites.

Once the pdf attachment is clicked on, the malware appears to morph itself making it undetectable by any of the common antivirus solutions and begins further distribution and propagation.

Analysis of email headers on inbound and outbound messages containing the compromised pdf indicates the MAPI protocol is used to relay the message onwards to the compromised user’s contacts. Only Outlook.com and Office 365 users appear to be targeted by Chameleon Spearfish. Analysis of the malware code is in progress, but it appears that the emails are distributed from software running on the compromised end user’s machine using the MAPI protocol to connect to Office 365.

Items in the compromised user’s sent folder are purged by the malware, making it difficult to understand who received the morphed copy of the malware. Organizations using Office 365 Compliance functions should be able to determine any outbound messages sent by a compromised account by searching their enterprise.

Protective Recommended Measures

  1. Make a local DNS entry or local machine HOSTS file entry to sandbox adswbellc-my.sharepoint.com to 0.0.0.0.
  2. Consider blocking all sharepoint.com traffic outbound with an exception for your internal sharepoint.com subdomain if applicable.
  3. Search your mailbox and Outlook 365 compliance for “Proposal*10-*-2019.pdf”
  4. Search firewall traffic logs for users visiting any sharepoint.com website, but especially adswbellc-my.sharepoint.com.

What to do if you are compromised?

  • Rotate end user passwords for any user that clicked on the pdf and do this from a machine that is secure.
  • Back up data from compromised computer and deploy fresh image of the operating system and programs.
  • Notify any downstream impacted users about the compromise by sending them a link to this article if you or anyone in your organization was compromised.
  • Consider hiring our firm to assist you if you have a severe outbreak.