It should come as no surprise that two of the breaches profiled this week occurred as the result of compromised email addresses and passwords. These events highlight the need to make password hygiene and compromised credential monitoring front and center.

This week also demonstrates that healthcare organizations are increasingly targeted by bad actors. Healthcare-related PII/PHI is increasingly valuable and sought after in dark web markets and forums.

A few more highlights…

- Malware on the move!  New Malware targeting Android phones making the rounds 

- Cortana… the weakest link? An exploit in Windows 10 was patched on Tuesday that allowed one to change passwords

- AI startup working on the United States drone program finds Russian malware on their server

- The Nigerian princes are back! This time, they want to be business partners...

There is a new mobile malware targeting Android phones, containing a banking Trojan, keyloggers, and ransomware. The malware, called MysteryBot, will exfiltrate your data and send it back to LokiBot assets. While it's still not in wide circulation, Android users should exercise caution when downloading apps both in and out of the Play Store.

https://www.bleepingcomputer.com/news/security/new-mysterybot-android-malware-packs-a-banking-trojan-keylogger-and-ransomware/

A vulnerability that used Cortana to access computer files even if the device was locked was revealed this week… just after Patch Tuesday.

https://securingtomorrow.mcafee.com/mcafee-labs/want-to-break-into-a-locked-windows-10-device-ask-cortana-cve-2018-8140/

Across the globe, email scammers are a consistent source of problems for those who use the web. This week the FBI made 74 arrests across 7 countries in an email scam bust that targeted mid-sized businesses. The scam originated in Nigeria, the same country where the notorious ‘Nigerian prince’ email scam comes from.

https://www.cnet.com/news/fbi-busts-international-email-fraud-ring-that-stole-millions/

Look out for suspicious .men! Some top-level domains are more likely to be malicious than others, with .men .gdn and .work being the most abused. If you open a .men link there is about a 50/50 chance that you are going to a site loaded with spam or malware. Check those hyperlinks!

https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
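The "check those hyperlinks" advice above, turned into a small link triage check. This is an added example, not code from Krebs on Security or from this newsletter; it uses only the Python standard library, treats the three TLDs named above as a simple watch list, and runs over a constructed sample email body.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# TLDs the Krebs article names as the most abused; treated here as a simple watch list
ABUSED_TLDS = {"men", "gdn", "work"}

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Hostname of a URL or bare domain, lower-cased."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()

def flag_links(html_body):
    """Return (href, reason) pairs for links a reader should treat with suspicion."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        tld = host.rsplit(".", 1)[-1] if "." in host else ""
        if tld in ABUSED_TLDS:
            findings.append((href, f"abused TLD .{tld}"))
        # Visible text that looks like a domain but differs from the real target is the classic lure
        if re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}", text, re.I) and host_of(text) != host:
            findings.append((href, f"link text shows {host_of(text)} but href goes to {host}"))
    return findings

# Constructed sample email body (not a real message)
SAMPLE = (
    '<p>Invoice: <a href="http://billing.example.com/inv/42">billing.example.com</a></p>'
    '<p>Prize: <a href="http://free-prizes.men/claim">free-prizes.men</a></p>'
    '<p>Verify: <a href="http://login.acme-update.work/x">https://portal.acme.example</a></p>'
)
```

Running `flag_links(SAMPLE)` flags the .men and .work links and, separately, the link whose visible text names a different host than its href.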

What we’re STILL listening to this week!

Elmcroft Senior Living

Exploit: Outside actor.

Risk to Small Business: High: Lack of data loss prevention (DLP) and chain-of-custody controls leading to the breach.

Risk to Exploited Individuals: High: Elevated probability for Identity theft and fraud based on PII compromised.

Elmcroft: Having recently ended its management of more than 70 assisted living, memory care, and inpatient hospital rehabilitation facilities, Elmcroft was in wind-down mode when the breach occurred.

Date Disclosed

  • Elmcroft made an official statement on June 8th, 2018

Data Compromised

  • Names
  • Date of birth
  • Social Security Numbers
  • Personal health information

How it was Compromised

  • A third party had access to information being transferred from Elmcroft to the new management company

Attribution/Vulnerability

  • Undisclosed at this time.

https://www.mcknightsseniorliving.com/news/data-breach-puts-personal-information-of-residents-workers-at-risk-elmcroft-senior-living-says/article/772385/

Terros Health

Exploit: Phishing scam that compromised one account.

Risk to Small Business: High: Demonstrates that phishing is still a primary attack tactic and that one compromised email account can end in a major breach.

Risk to Exploited Individuals: High: Sensitive personal information, Social Security numbers and medical information were leaked, all of which can be used maliciously by an outside actor.

Terros Health: Phoenix-based mental health and addiction services provider.

Data Compromised

  • Patient names
  • Date of birth
  • Social Security number

How it was Compromised

  • Phishing scam that compromised a single email account

Customers Impacted

  • 1,600 patients

Attribution/Vulnerability

  • One compromised email due to a phishing scam

https://www.bizjournals.com/phoenix/news/2018/06/10/terros-healthwarns-of-patient-data-breach.html


Clarifi

Exploit: Malware exploit to steal IP

Risk to Small Business: High: Demonstrates the need to harden security when dealing with intellectual property and when being targeted as a federal contractor or supply chain sub-contractor.

Risk to Exploited Individuals: High: Highly sensitive military information is located at the company, making individuals who work there targets for state-sponsored hacking.

Clarifi: An artificial intelligence startup based in New York involved in improving U.S. military drones.

Data Compromised

  • Possibly customer data, although Clarifi denies that any data was compromised.

How it was Compromised

  • Unclear, although the origin of the malware is believed to be Russian

Attribution/Vulnerability

  • Malware

Customers Impacted

  • The company assures that no customer data was compromised

https://www.wired.com/story/startup-working-on-contentious-pentagon-ai-project-was-hacked

https://cyware.com/news/ai-startup-clarifai-working-on-pentagons-project-maven-was-allegedly-hacked-by-russian-source-8a171b30


HealthEquity

Exploit: Compromised email.

Risk to Small Business: High: Demonstrates the need for compromised credential monitoring and implementing stronger authentication tools.

Risk to Exploited Individuals: High: Sensitive personal information and Social Security numbers were accessed during the breach.

HealthEquity: Utah-based firm that handles millions of health savings accounts.

Data Compromised

  • Names of members
  • HealthEquity ID numbers
  • Names of employers
  • Employers' HealthEquity IDs
  • Social Security numbers

How it was Compromised

  • An email account of a HealthEquity employee was compromised, and the outside actor was able to gather data for two days before the malicious activity was noticed by the company.

Attribution/Vulnerability

  • Compromised employee email.

Customers Impacted

  • 23,000

https://www.darkreading.com/operations/23000-compromised-in-healthequity-data-breach/d/d-id/1332050


Dixons Carphone

Exploit: Investigation ongoing.

Risk to Small Business: High: The breach response requirements of GDPR will significantly change how quickly companies must disclose breach incidents and respond.

Risk to Exploited Individuals: High: Card data of customers was accessed by an outside actor.

Dixons Carphone: Electronics company located in the UK.

Data Compromised

  • Customer Cards
  • Names
  • Addresses
  • Email addresses

How it was Compromised

  • The investigation into how the breach happened is ongoing; it was only just discovered, a little under a year after it happened.

Attribution/Vulnerability

  • Unauthorized access to company data

Customers Impacted

  • 5.9 million


An important takeaway from this week is the damage that a single compromised email account can do to an organization of any size. With one compromised email account, a bad actor can send countless employees malware from an unsuspicious and legitimate-looking address, oftentimes without the employee knowing their email is compromised. Don’t let your business end up on the next breach list. Make sure your and your employees’ passwords are strong, not reused or shared, and that your credentials aren’t up for sale on the Dark Web.

To find out if any of your company’s credentials are for sale on the Dark Web, copy and paste the following link into your browser and complete the request form: https://www.mcs-stl.com/dark-web-scan/

Please share this week's breach news with your family, coworkers and friends.