HC3 Issues Warning About Scattered Spider Threat Actor

Posted by Steve Alder

A warning has been issued by the HHS’ Health Sector Cybersecurity Coordination Center (HC3) about a financially motivated group known as Scattered Spider. Many cybercriminal groups are Russian-speaking and are based in Russia or the Commonwealth of Independent States; however, Scattered Spider is a native English-speaking group and its members are believed to be mostly located in the United States and the United Kingdom. There have been four arrests in those countries but the group remains active. Intelligence gathered on the group suggests the members are mostly in the 19-22 age group.

Rather than develop their own malware payloads and attack tools, Scattered Spider uses publicly available tools and malware developed by other threat actors. Legitimate tools known to have been leveraged by the group include remote monitoring and management solutions such as AnyDesk, Connectwise Control, ASG Remote Desktop, Screenconnect, and Splashtop; Mimikatz and LaZagne for credential theft; and Ngrok to create secure tunnels to remote web servers.

The group has previously used multiple malware variants in its operations including Atomic, Racoon Stealer, VIDAR Stealer, and Meduza Stealer, as well as phishing kits such as EIGHTBAIT and Oktapus, and the BlackCat and Ransomhub ransomware variants. The group has also collaborated with the Qilin threat group.

Information stealers are commonly used to obtain credentials for initial access, and then living-off-the-land techniques are used to evade security solutions while the group moves laterally within networks, disabling security solutions and stealing sensitive data. Attacks often end with the deployment of ransomware.

Scattered Spider uses advanced social engineering tactics, with its members well-versed in spear phishing, smishing, and voice phishing. One campaign attributed to Scattered Spider involves spear phishing voice techniques, where members of the IT Help Desk are targeted over the phone with the group posing as employees, sometimes aided by artificial intelligence to impersonate voices.

The aim is to trick the IT Help Desk into performing password resets and registering their own devices to receive multifactor authentication codes. The Help Desk is provided with personal information about the person they are impersonating and usernames and employee IDs obtained in previous stages of its attacks. HC3 has previously issued a warning about this campaign as healthcare organizations were among the group’s victims.

Scattered Spider has been active since at least 2022 and was initially focused on customer relationship management (CRM), business process outsourcing (BPO), telecommunications, and technology companies; however, the group has since expanded its targeting and has been attacking a broader range of sectors. While the healthcare industry has not been extensively targeted by the group, healthcare organizations have been attacked. The Scattered Spider threat actor profile shares indicators of compromise and recommended mitigations to improve defenses.

The post HC3 Issues Warning About Scattered Spider Threat Actor appeared first on The HIPAA Journal.

Wichita County and Parkland Health Suffer Data Breaches

Posted by Steve Alder

Wichita County in Texas experienced a cyberattack in May 2024 that exposed the sensitive data of 47,784 individuals, the majority of which are residents of Wichita County. According to County officials, the incident was detected on May 7, 2024, when network disruption was experienced. Immediate action was taken to secure its network and prevent further unauthorized access and independent forensics experts were engaged to investigate the security breach.

Experts were engaged to conduct a data review to determine the types of data that may have been acquired in the incident, and the review was completed on September 3, 2024. Contact information was then verified contact information to allow the notification letters to be sent. That process was completed on October 2, 2024, and notifications were mailed to the affected individuals on October 22, 2024.

The types of data involved varied from individual to individual and may have included name along with one or more of the following: date of birth, Social Security number, driver’s license number, other government ID, passport number, financial account information, health insurance information and medical information related to the treatment of mental or physical health conditions.

Complimentary credit monitoring and identity theft protection services have been made available to the affected individuals for 2 years. The Medusa ransomware group appears to have been responsible for the attack, although that has not been confirmed by Wichita County officials.

Parkland Health Investigating Cyberattack and Data Breach

Parkland Health, the community public health system for Dallas County in Texas which includes Parkland Memorial Hospital in Dallas, has experienced a cyberattack involving unauthorized access to the protected health information of 6,523 patients. In an October 22 notice to the Texas Attorney General, Parkland Health confirmed that the breach included names, dates of birth, and medical information.

No other details about the breach are known at this stage. Parkland Health said it is still investigating the cyberattack and will release further information when the investigation is concluded. Individual notifications have been mailed to the affected individuals.

The post Wichita County and Parkland Health Suffer Data Breaches appeared first on The HIPAA Journal.