Updates from Enzoic’s Threat Research Team
Some good news this week in the form of infostealer infrastructure disruption, as Dutch authorities claim to have shut down some threat actors operating instances of the Redline and META infostealers. Hopefully there is a deterring effect on other Malware-as-a-Service (MaaS) providers. It is hard to be optimistic that the flow of exfiltrated data will slow, given the ease with which infostealer malware is sold, disseminated, and operated; once the code is out there, the cat is out of the proverbial bag. However, these operations sometimes yield information or evidence that can assist in larger-scale crackdowns, and any reduction in infostealer volume is certainly better than none.
In another success for the authorities, the threat actor known as ‘USDoD’ was arrested in Brazil a couple of weeks ago (around the time of our last blog installment). He is best known for the recent National Public Data breach (the contents of which can be searched, along with many other breaches, via our identity breach monitoring product), which exposed millions of US citizens’ Social Security numbers along with other personal information. USDoD has a long history of high-profile data breaches; hopefully, his downfall will not only prevent him from further criminal activity but also deter others.
Still, there remain many threat actors out there, and cybercrime is largely a land of opportunity. While the financial incentives remain, we expect there to be a perpetual cast of threat actors waiting in the wings. As researchers, we can take these law enforcement actions as a sign to be vigilant for shifts in the threat landscape as threat actors try new domains, pseudonyms, servers, and tactics to continue exploiting others for illicit revenue.
In a sadly expected follow-up to the ransomware attack in February 2024, Change Healthcare recently confirmed that over 100 million people had their personal, financial, and health-related information stolen, and notified the individuals that were affected. This makes it the largest healthcare data breach in history. The healthcare industry has long been a juicy target for threat actors: the personal information it holds is highly valuable for perpetrating identity theft and fraud, and the critical nature of its operations makes it a sensitive target for ransomware. We’ve written before about password security problems in the healthcare industry, and this Change breach serves as yet another warning. In testimony to a US House subcommittee, CEO Andrew Witty “confirmed that compromised credentials were used to gain access to Change Healthcare’s systems, which were most likely purchased by the attacker on the dark web.”[1]
Unfortunately for users, patients, and providers, these large organizations appear uninterested in taking meaningful action to protect against even these basic threats. Despite the costs of this breach exceeding 2 billion dollars so far[1], it’s unlikely to make a significant dent in the revenue of parent company UnitedHealth, which had over 23 billion dollars in net income in 2023, and HIPAA fines max out at $2 million. Some US senators are fighting to remove this limit and establish minimum cybersecurity standards that will hopefully protect the already vulnerable populations (i.e. those suffering health problems) that are harmed by these types of breaches.
[1] Adler, Steve. https://www.hipaajournal.com/change-healthcare-responding-to-cyberattack/
AUTHOR
Dylan Hudson
Dylan leads the Threat Research team at Enzoic, developing and implementing cutting-edge threat intelligence infrastructure to help protect users and organizations from cyberattacks. When not at work, he can be found hiking and biking in the Rocky Mountains or playing traditional Celtic music on various stringed instruments.