In short Cybercriminals have used fake Emergency Data Requests (EDRs) to steal sensitive customer data from service providers and social media companies. At least one report suggests that Apple and Facebook’s parent company, Meta, fell victim to this fraud.
Apple and Meta turned over user addresses, phone numbers and IP addresses in mid-2021 after being duped by such emergency requests, according to Bloomberg.
EDRs, as the name suggests, are used by law enforcement to obtain information from telephone companies and technology service providers about particular customers, without the need for a warrant or subpoena. But they should only be used in very serious, life-or-death situations.
As infosec reporter Brian Krebs first reported, some miscreants are using stolen police email accounts to send bogus EDRs to companies for information about internet users. There really is no quick way for a service provider to know whether an EDR is legitimate, and once it receives one, it is under pressure to hand over the requested customer information.
“In this scenario, the receiving company finds itself stuck between two unsavory outcomes: not immediately complying with an EDR – and potentially having someone’s blood on their hands – or potentially disclosing a client file to the wrong person,” wrote Krebs.
Major internet and other service providers have entire departments reviewing such requests and doing what they can to get the requested emergency data to police as quickly as possible, Mark Rasch, a former U.S. Department of Justice prosecutor, told Krebs.
“But there’s no real mechanism set out by most ISPs or tech companies to test the validity of a search warrant or subpoena,” Rasch said. “And as long as it looks right, they’ll comply.”
Days after Krebs and Bloomberg published the articles, Sen. Ron Wyden (D-OR) told Krebs he would ask tech companies and federal agencies for more information about these programs.
“No one wants tech companies to deny legitimate emergency requests when someone’s safety is at stake, but the current system has obvious weaknesses that need to be addressed,” Wyden said. “Fraudulent government applications are a significant concern, which is why I have already drafted legislation to stamp out bogus warrants and subpoenas.”
Hive ransomware reportedly hit healthcare group
The Hive ransomware gang claimed to have stolen 850,000 personally identifiable information (PII) records from the nonprofit healthcare group Partnership HealthPlan of California.
Brett Callow, a threat analyst at anti-malware firm Emsisoft, alerted Santa Rosa newspaper The Press Democrat that the ransomware gang had posted what were believed to be details of the intrusion on its Tor-hidden blog. Hive claimed to have stolen 400 GB of data, including patient names, social security numbers, addresses and other sensitive information.
Partnership HealthPlan of California did not respond to The Register’s request for comment regarding the alleged ransomware attack. But a notice on its website acknowledged “abnormal activity on certain computer systems within its network”.
The healthcare group said it had a team of third-party forensic specialists investigating the incident and was working to restore its systems. “Should our investigation determine that any information is potentially accessible, we will notify affected parties in accordance with regulatory guidelines,” it added.
Hive, which the FBI and security researchers began paying attention to in June 2021, is notorious for its double-extortion ransomware attacks on healthcare organizations. Still, attacking a nonprofit organization is a “new low” even for these cybercriminals, said Andy Norton, cyber risk manager at IoT security firm Armis.
“It also raises some tough questions,” Norton wrote in an email to The Register. “I think we assume that charities and nonprofits don’t have the big cyber budgets of their commercial cousins, and yet they hold the same data sensibility. What constitutes appropriate and proportionate security in times of heightened risk?”
Shutterfly admits employee data was stolen
Shutterfly revealed that cybercriminals stole employee data in a ransomware attack in December 2021.
In documents filed with the California Attorney General’s office, the company disclosed that “an unauthorized third party gained access to our network” in a ransomware attack on or around December 3. The online photo company said it discovered the breach on December 13.
Although Shutterfly did not name the third party in its filing, it was widely reported that the notorious Conti ransomware gang was behind the intrusion. The stolen data included employee names, salary information, family leave and workers’ compensation claims, according to Shutterfly.
The company said it “promptly took action” to restore systems, notify law enforcement and bring in third-party cybersecurity experts to investigate the breach. It also offered employees two years of free credit monitoring from Equifax and “strongly encouraged” them to take advantage of the offer.
It also noted that employees “may wish” to change account passwords and security questions.
Law enforcement ransomware response lacking
Law enforcement faces a deluge of challenges in responding to ransomware attacks, and chief among them is simply not being informed about intrusions and infections by victims.
According to an analysis by threat intelligence firm Recorded Future of ransomware enforcement operations in 2020 and 2021, law enforcement around the world is ill-equipped to respond to ransomware outbreaks. In addition to being unaware of the attacks, they also lack the cybersecurity skills, technology and data, such as threat intelligence, to respond to them.
Recorded Future, citing several other investigations, says law enforcement is unaware of the vast majority of cyberattacks and often learns about them only from the media.
In some parts of the UK alone, just 1.7% of all fraud and cybercrime was reported to authorities between September 2019 and September 2020, Recorded Future said, citing data from the UK’s Office for National Statistics drawn from its Crime Survey for England and Wales.
It also cited a Europol IOCTA report from 2020, which found that ransomware remains an underreported crime. Although Europol’s report did not provide any figures to illustrate just how under-reported ransomware is, it noted that “several law enforcement authorities mentioned identifying ransomware cases through the (local) media and approached the victims to help them by possibly launching a criminal investigation”.
Unless organizations do a better job reporting ransomware attacks, law enforcement cannot get an accurate picture of the threat landscape, Recorded Future noted. “Without reliable and valid data on the number and types of cyberattacks (i.e. attack vectors), it is difficult for law enforcement to accurately assess threats and respond appropriately, resulting in threats not being given the resources or priority they deserve.”
While this analysis does not provide any US-specific reporting statistics, it should be noted that a recently signed federal law will require owners and operators of critical infrastructure in the US to report a “substantial” cybersecurity incident to Uncle Sam’s Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, and to report any ransomware payment within 24 hours of making it.
Proponents of the new law, including CISA Director Jen Easterly, said it would give federal agencies and law enforcement better data and visibility to help them protect critical infrastructure.
Organizations are not ready for cyber reporting rules
Despite the U.S. Cybersecurity Incident Reporting Act, as well as a related U.S. Securities and Exchange Commission proposal that would require public companies to disclose cyberattacks within four days, organizations are seriously unprepared for these new disclosure rules, according to BitSight.
The cyber risk ratings firm released a study this week which found, among other things, that it takes an average of 105 days for an organization to discover and disclose an incident from the date it occurred.
Additionally, it takes twice as long for organizations to disclose higher severity incidents compared to lower severity incidents. This means that it takes on average more than 70 days to disclose a moderate, medium or high severity incident once it has been discovered, and 34 days for low severity events.
For this research, BitSight analyzed over 12,000 publicly disclosed cyber incidents worldwide between 2019 and 2022. For each incident, it recorded the incident type, incident date, discovery date, and disclosure date.
BitSight used its classification methodology (a scale of 0 to 3) to analyze the severity of security incidents. Events received a higher severity score due to a combination of more serious incidents, such as ransomware and human error, and a higher number of records.
The security company also segmented the disclosing organizations based on the number of employees: very large (more than 10,000 employees), large (1,000 to 10,000 employees), medium (500 to 1,000 employees) and small (fewer than 500 employees).
Unsurprisingly, very large organizations are 30% faster at discovering and disclosing incidents than others. Still, it takes these companies an average of 39 days to discover and 41 days to disclose an incident, BitSight found, noting that’s still far longer than the timelines proposed in the new rules. ®