Imagine waking up one day, only to find out that your personal and financial information has been stolen in a security breach. This is what happened to 25,549 individuals whose data was compromised in a recent cybersecurity attack on the Philadelphia Inquirer, the city’s largest newspaper and the third-longest operating daily newspaper in the United States.

The Attack and Its Aftermath

Picture this: It’s May 2023, and the Philadelphia Inquirer’s content management system suddenly goes down. The newspaper quickly realizes that something is amiss and takes some computer systems offline to contain the breach. They also bring in Kroll forensics experts to investigate the “anomalous activity.”

As a result of the attack, the publication of the print newspaper is disrupted, and home-delivery subscribers are asked to catch up with the latest news using the newspaper’s website, which remains unaffected.

In their data breach notifications, the Inquirer states, “We determined that an unauthorized party gained access to our systems and certain files were viewed and/or copied from our systems between May 11, 2023, and May 13, 2023.” The exposed information includes names, personal identifiers, and financial account numbers, as well as credit/debit card numbers (in combination with security code, access code, password, or PIN for the accounts).

The newspaper advises affected individuals to monitor their accounts for identity theft and fraud attempts and offers 24 months of free Experian credit monitoring and identity restoration services.

The Culprit: Cuba Ransomware Gang

Although the Inquirer doesn’t reveal who’s responsible for the attack, the Cuba ransomware gang takes credit for it one week after the incident. The group claims to have stolen financial documents, correspondence with bank employees, balance sheets, tax documents, compensation, and source code from the newspaper’s compromised servers.

Cuba then publishes the files on its dark web leak site, which suggests that the Inquirer refused to pay a ransom and the extortion attempt hit a dead end. However, the Inquirer later reports that the documents don’t “appear to come from the newspaper.” Subsequently, the ransomware gang removes the Philadelphia Inquirer entry from its website.

The Bigger Picture: Ransomware Attacks on the Rise

The Cuba ransomware gang is no stranger to such attacks. According to a joint security advisory by the FBI and CISA, the group collected over $60 million in ransoms until August 2022 after breaching more than 100 victims worldwide. A previous FBI advisory from December 2021 also warned that Cuba operators had compromised at least 49 U.S. critical infrastructure organizations.

Don’t Be the Next Victim: Protect Yourself and Your Information

The Philadelphia Inquirer breach is a stark reminder that we all need to be vigilant about our cybersecurity. Whether you’re an individual or a business owner, it’s crucial to stay informed and take necessary precautions to protect your data from potential threats.

So, what are you waiting for? Get in touch with us at IT Services to learn more about how to safeguard yourself from cyberattacks and keep your information secure. We’re here to help you stay one step ahead of the bad guys and ensure your peace of mind.

4/30/24: Update added below about Change Healthcare Citrix credentials previously stolen by information-stealing malware.

UnitedHealth has confirmed that Change Healthcare’s network was breached by the BlackCat ransomware gang. The attackers used stolen credentials to log into the company’s Citrix remote access service, which did not have multi-factor authentication enabled.

UnitedHealth CEO Andrew Witty shared this information in written testimony published ahead of a House Energy and Commerce subcommittee hearing scheduled for tomorrow.

The ransomware attack on Change Healthcare occurred in late February 2024, leading to severe operational disruptions on Optum’s Change Healthcare platform.

This impacted a wide range of critical services used by healthcare providers across the U.S., including payment processing, prescription writing, and insurance claims, and caused financial damages estimated at $872 million.

Previously, the BlackCat ransomware gang claimed they had received a $22 million ransom payment from UnitedHealth. However, the payment was stolen from the affiliate who conducted the attack in an exit scam. Shortly after, the affiliate claimed to still have the data and partnered with RansomHub to initiate an additional extortion demand by leaking stolen data.

The healthcare organization recently admitted that it paid a ransom to protect people’s data post-compromise, but no details about the attack or who carried it out were officially disclosed.

RansomHub has since removed the Change Healthcare entry from its site, indicating that an additional ransom was paid.

An easy break-in

In testimony by Andrew Witty, the CEO confirmed that the attack occurred on the morning of February 21 when the threat actors began encrypting systems and rendering them inaccessible to the organization’s employees.

For the first time, the company also officially confirmed that the ALPHV/BlackCat ransomware operation was behind the attack.

While the actual public-facing attack occurred on February 21, Witty revealed that the attacker had access to the company’s network for approximately ten days before deploying their encryptors. During this time, the threat actors spread through the network and stole corporate and patient data that would be used in their extortion attempts.

The investigations, which are still ongoing, revealed that the attackers first gained access to Change Healthcare’s Citrix portal on February 12, 2024, using stolen employee credentials. It is unknown whether those credentials were initially stolen via a phishing attack or information-stealing malware.

“On February 12, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops,” explained Witty.

“The portal did not have multi-factor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later.”

The CEO also shared a personal moment, stating that the choice to pay a ransom was entirely his and one of the hardest decisions he had to make.

“As chief executive officer, the decision to pay a ransom was mine. This was one of the hardest decisions I’ve ever had to make. And I wouldn’t wish it on anyone,” Witty wrote in his testimony.

Remediation efforts

Witty further outlined UnitedHealth’s immediate actions to secure their systems following the attack, characterizing them as “swift and forceful.” He noted that the threat was successfully contained by taking everything down despite knowing the impact this would have on people.

Following the attack, the organization’s IT team replaced thousands of laptops, rotated credentials, and completely rebuilt Change Healthcare’s data center network and core services in just a few weeks. Witty states such a task would usually have taken several months.

Although data samples that leaked online contained protected health information (PHI) and personally identifiable information (PII), Witty notes that, so far, they have seen no evidence of exfiltration of materials such as doctors’ charts or complete medical histories.

Concerning the status of the impacted services, pharmacy networks operate at a fraction of a percent below normal, medical claims flow nearly at normal levels, and payment processing at approximately 86% of pre-incident levels.

Update 4/30/24: After publishing our story, Hudson Rock CTO Alon Gal told us that on February 8, the company’s threat intelligence platform detected a Change Healthcare employee’s Citrix credentials stolen through information-stealing malware.

The stolen credentials are associated with the URL remoteapps[.]changehealthcare[.]com/vpn/index.htm, and while that site is no longer accessible, we have confirmed it to be the URL for Change Healthcare’s Citrix Gateway login page.

It is unknown if these are the credentials used to gain access to Change Healthcare’s networks and conduct the ransomware attack.

Uh-oh, another data breach! This time, it’s the Financial Business and Consumer Solutions (FBCS), a nationally licensed debt collection agency in the U.S., that’s grabbing headlines. They’ve recently warned nearly 2 million impacted individuals that their systems were compromised, and unauthorized access was detected.

What happened at FBCS?

FBCS specializes in collecting unpaid debts from various sectors, including consumer credit, healthcare, commercial, auto loans and leases, student loans, and utilities. In late February 2024, they discovered that unauthorized actors had breached their network and had access to sensitive data since February 14, 2024. The intrusion lasted for nearly two weeks before being detected.

What data was exposed?

During the breach, the unauthorized actor had the ability to view or acquire certain information on the FBCS network. The exposed data includes:

• Full name
• Social Security Number (SSN)
• Date of birth
• Account information
• Driver’s license number or ID card

This is some pretty sensitive stuff! With access to this information, individuals are at a higher risk of falling victim to phishing, fraud, and social engineering attacks. That’s why FBCS is providing those affected with instructions to enroll in 12 months of credit monitoring through Cyex, hoping to prevent any further damage.

What’s being done to prevent this from happening again?

As an IT Services company, we understand that such incidents can have severe consequences for the victims. FBCS has taken steps to implement additional security measures in a newly built environment to prevent similar incidents from occurring in the future.

What can you do if you’re affected?

If you’re one of the unlucky recipients of the data breach notifications, it’s crucial to remain vigilant against unsolicited communications and monitor your account statements and credit reports for suspicious activity. At the time of writing, no ransomware groups have claimed responsibility for the attack at FBCS, but it’s always better to stay cautious.

Stay informed and stay protected

As cybersecurity experts, we know that staying informed is the best defense against cyber threats. That’s why we encourage you to keep coming back to learn more about the ever-evolving world of cybersecurity. Together, we can make the digital world a safer place for everyone.