News Heading - 1

China-Backed Threat Group Compromises US Government Agencies Through Emails

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

In June 2023, an unnamed US Federal Civilian Executive Branch (FCEB) agency discovered anomalous email activity. The incident was reported to Microsoft, which deemed it malicious and linked it to its ongoing investigation into an espionage campaign by a China-linked threat actor.

The campaign is said to have compromised around 25 government organizations, as well as consumer email accounts of individuals associated with these agencies, across the US and Europe. On July 12, the incident was disclosed in a joint advisory by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).

The advisory came after Microsoft’s disclosure, in which it attributed the campaign to a China-based threat group, Storm-0558. The group is known to target government agencies in Western Europe, with a focus on data theft, credential access, and espionage. According to Microsoft, the campaign began around mid-May, a month before it was discovered.

The threat actors reportedly gained access to users’ email accounts through Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens.

“The actor used an acquired MSA key to forge tokens to access OWA and Outlook.com. [...] The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail,” explained Microsoft. There was no evidence that the threat actor had used Azure AD keys or any Microsoft account (MSA) key other than the acquired one. OWA and Outlook.com were the only services compromised using forged tokens.

The tech giant said that it had mitigated the threat by blocking the use of tokens signed with the acquired MSA key in OWA. It also replaced the key to prevent the threat actors from using it to forge further tokens, and blocked the use of tokens issued with the key for all impacted consumer customers as well.
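As an added illustration, not Microsoft’s code and not a description of its actual validator, the stdlib-only Python sketch below contrasts a token check that trusts any known signing key with one that binds each key to the trust domain allowed to issue for a given audience and honours a blocked-key list, the two controls the mitigation above describes. All key names, secrets, audiences and the domain mapping are constructed for the example; HMAC secrets stand in for the asymmetric keys real tokens use.

```python
import base64, hashlib, hmac, json

# Constructed key material: each trust domain (consumer vs enterprise) has its
# own signing keys. HMAC secrets stand in for the real asymmetric signing keys.
KEY_SETS = {
    "consumer":   {"msa-key-1": b"consumer-secret"},
    "enterprise": {"aad-key-1": b"enterprise-secret"},
}
# Hypothetical mapping of audience -> the only trust domain allowed to issue for it.
AUDIENCE_DOMAIN = {"outlook.com": "consumer", "enterprise-mail": "enterprise"}

def _b64e(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _b64d(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(claims, kid, secret):
    """Build a compact JWS-style token: header.payload.signature."""
    head = _b64e(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def _parse(token):
    head, body, sig = token.split(".")
    return json.loads(_b64d(head)), json.loads(_b64d(body)), head, body, _b64d(sig)

def _sig_ok(secret, head, body, sig):
    expect = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expect, sig)

def verify_weak(token):
    """Flawed check: any known key, from any domain, is trusted for any audience."""
    hdr, claims, head, body, sig = _parse(token)
    for keys in KEY_SETS.values():
        if hdr.get("kid") in keys and _sig_ok(keys[hdr["kid"]], head, body, sig):
            return claims
    return None

def verify_strict(token, audience, blocked_kids=frozenset()):
    """Hardened check: the key must belong to the domain that issues for this
    audience, must not be on the blocked list, and the aud claim must match."""
    hdr, claims, head, body, sig = _parse(token)
    kid = hdr.get("kid")
    if kid in blocked_kids or claims.get("aud") != audience:
        return None
    keys = KEY_SETS.get(AUDIENCE_DOMAIN.get(audience, ""), {})
    if kid not in keys or not _sig_ok(keys[kid], head, body, sig):
        return None
    return claims
```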

CISA and the FBI have recommended that agencies contact Microsoft if they observe suspicious or anomalous activity linked to this espionage campaign. Agencies have also been advised to notify CISA and the FBI, and to ensure that audit logging is enabled.

News Heading - 2

Data of Nearly 11 Million Customers Exposed in HCA Healthcare Data Breach

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

HCA Healthcare has confirmed in a press release a data breach that exposed the personal information of around 11 million patients who received care at its clinics and hospitals. The incident came to light on July 5, 2023, when an unknown threat actor published samples of the stolen data on a hacking forum.

The published data allegedly consisted of 17 files containing 27.7 million rows of information. Initially the data was not offered for sale; instead, the threat actor posted a threat to publish it unless HCA met its demands by July 10. After receiving no response from the company, the hacker put the full database up for sale and is open to offers from interested parties.

In its investigation, the company confirmed the authenticity of the posted data, which was apparently stolen from an “external storage location.” The information held in that location was used to send promotional and follow-up email messages to patients. The investigation, carried out with the help of third-party cybersecurity experts, found that the compromised information included patients’ names, addresses, email addresses, telephone numbers, dates of birth, gender, and the dates and locations of scheduled hospital or care-center appointments.

The stolen data does not include any clinical or financial information about patients, nor other sensitive data such as passwords, Social Security numbers or driver’s license information. In its statement, the company said there had been no disruption to any of its care and service programs or to its day-to-day operations. “Based on the information known at this time, the company does not believe the incident will materially impact its business, operations, or financial results,” noted HCA.

The healthcare provider has notified the appropriate law enforcement authorities and has retained the services of external forensic and threat intelligence experts. It continues to investigate to ensure that its networks and systems are free from access by unknown threat actors. HCA deployed containment measures, including disabling user access to the compromised storage location, and announced support for affected patients, including credit monitoring and identity protection services where appropriate.

HCA Healthcare is a US-based healthcare services company comprising 182 hospitals and more than 2,300 care centers across the US and UK.