Perry Johnson & Associates Discloses Data Breach Involving PII and PHI of 9 Million Individuals
Perry Johnson & Associates (PJ&A), a provider of transcription services to healthcare providers in the United States, has disclosed a data breach impacting 9 million individuals following a cyberattack that occurred in March of 2023. In their data breach notice, PJ&A stated that an unauthorized third party gained access to the PJ&A network between March 27, 2023, and May 2, 2023, and exfiltrated copies of specific files from their systems. The organization detailed that the files contained personal health information (PHI) belonging to certain individuals and that the exposed data varied per person. Overall, the following information was exposed: name, date of birth, address, medical record number, hospital account number, admission diagnosis, and dates/times of services. For a portion of impacted individuals, Social Security numbers (SSNs), insurance information, and clinical information from medical transcription files (such as laboratory and diagnostic testing results, medications, name of treatment facility, and name of healthcare providers) were also exposed. PJ&A confirmed that the data accessed by the threat actor did not contain credit card information, bank account information, usernames, or passwords. There is currently no evidence, according to PJ&A, that the exposed information has been misused "for the purpose of committing fraud or identity theft." CTIX analysts will continue to monitor activity surrounding PJ&A's data breach and will provide updates when available.
Threat Actor Activity
New Joint Advisory Released by CISA and FBI in Wake of Recent Rhysida Ransomware Attacks
The Rhysida ransomware gang has recently been observed conducting opportunistic attacks, leveraging Rhysida ransomware against 'targets of opportunity' across a range of industries, such as the education, healthcare, manufacturing, information technology, and government sectors. The Federal Bureau of Investigation (FBI) and the US Cybersecurity and Infrastructure Security Agency (CISA), along with the Multi-State Information Sharing and Analysis Center (MS-ISAC), released a joint advisory on November 15th, 2023 in response to these attacks, as well as in the wake of the US Department of Health and Human Services (HHS) warning that many of the recent attacks on healthcare organizations were the fault of the Rhysida threat actors. Rhysida operates under a Ransomware-as-a-Service (RaaS) model, compromising organizations and splitting ransom payments among affiliates, and engages in double extortion tactics where a ransom is demanded to decrypt victims' data and avoid leaking exfiltrated data. They've been around since May 2023, quickly making a name for themselves after breaching and leaking the stolen data of the Chilean Army. The advisory includes indicators of compromise (IOCs), detection info, and Rhysida tactics, techniques, and procedures (TTPs) observed during investigation. Rhysida threat actors have been observed using phishing attacks, exploiting the Zerologon vulnerability (CVE-2020-1472) to gain initial access and persistence within a network, and hacking into external-facing remote services like VPNs when targeting organizations that didn't have Multi-Factor Authentication (MFA) enabled. The joint advisory also highlighted that Vice Society ransomware group affiliates (aka Vanilla Tempest or DEV-0832) had been recorded shifting to the use of Rhysida ransomware payloads in their attacks starting in July 2023.
CTIX analysts recommend that administrators patch actively exploited vulnerabilities and enable MFA across all services, among other recommendations noted in the joint advisory.
Critical Vulnerabilities Exploited to Attack Danish Critical Infrastructure
In May 2023, Denmark suffered the largest cyberattack against critical infrastructure in its history, after threat actors believed to be Russia-affiliated exploited a critical vulnerability impacting the Zyxel firewalls of twenty-two (22) different companies. The attack was highly sophisticated and targeted, and all victim organizations were exploited simultaneously. The initial vulnerability, tracked as CVE-2023-28771, is a command injection flaw which was exploited to achieve remote code execution (RCE), allowing the threat actors to conduct deep reconnaissance in the vulnerable industrial control system (ICS) infrastructure of eleven (11) organizations. Later that month, a second wave of attacks exploited two (2) zero-day Zyxel vulnerabilities (CVE-2023-33009 and CVE-2023-33010), allowing threat actors to take over vulnerable endpoints, leveraging them in distributed denial-of-service (DDoS) attacks via the notorious “Mirai” and “MooBot” botnets. SektorCERT, a non-profit organization supported by Danish critical infrastructure companies, originally identified the malicious behavior against ICSs connecting the attacks, attributing them to the hacking arm of Russia's GRU (tracked as Sandworm). The second wave of attacks utilized previously unknown means and infrastructure and cannot currently be confirmed with high confidence to be associated with the Russian threat actors. Further details of the attack campaign can be found in the SektorCERT report linked below. CTIX analysts will continue to publish information about cutting-edge attacks against critical infrastructure.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (email@example.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.