When Your IT Support Company Gets Hacked
Sometimes you see something in the Dark Web that looks like an anomaly.
If you chase down that anomaly, and you see more of the same thing, you start to see a pattern, a commonality linking different verticals. A hacking forensics investigator digs deeper and asks more questions.
1 private school
5 healthcare groups
1 local government
3 hospitality chains
1 commercial service provider
1 country club
What do these all have in common, besides all being within a 30-mile radius?
Think about that for a moment as we go back to how we got here.
On December 18th, we received a sample of malware we hadn't seen before from an unlikely contact. After checking its hash against several sources and finding no match, we started analyzing it to understand its DNA and its purpose. Disguised as a Microsoft Word document, it was a variant of a file encryptor, i.e. ransomware.
The payload had been distributed to a large number of customers of a healthcare group through a compromised e-mail account. Anyone opening the attachment in the e-mail, which looked entirely genuine, would have infected their computer. As we hunted for more information, we discovered that one of this group's credentials had been compromised almost a year earlier and was being actively offered for sale on dark web marketplaces. That compromised account matched the e-mail account that was used to distribute this malware.
Over the next several days, as we searched for similar incidents within a 100-mile radius and analyzed threat intelligence from several sources, we kept seeing a pattern in compromised credentials on the dark web. After some correlation, the search area eventually narrowed to about a 30-mile radius of businesses whose credentials appeared to have been hacked and stolen. That in itself isn't unusual, but what is unusual is that 14 of the businesses, from different verticals, had one or more credentials compromised on the SAME date.
More research revealed a glaring commonality among all 14 of these businesses. Some phone calls and cross-referencing later, we confirmed the common factor: ALL 14 of the businesses had outsourced their IT support to one company, a local mid-size IT support provider within the 30-mile radius.
THAT IT support company had credentials compromised on the SAME date as the 14 businesses. We don't believe in coincidences, and this was no longer an anomaly. We can't say with certainty what happened, but if we had to guess, the IT company was storing customers' passwords in e-mails or in files on one or more computers that were breached. From there, it was open season for the threat actors to go after the businesses that this company supported. Not surprisingly, it appears this IT company continues to experience compromised credentials, and is likely continuing to expose its customers and their data.
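The correlation described above (many unrelated organizations, one compromise date, one shared IT provider) is easy to automate once leaked-credential sightings have been enriched with the victim's outsourced IT provider. The following is an added example, not code from Firestorm Cyber; the organization names, the provider names "ProviderA"/"ProviderB"/"ProviderC" and the date are all constructed, and the "provider" field is assumed to have been filled in by the analyst (the phone calls and cross-referencing the post describes). It flags any date on which a cluster of distinct victims share one provider, and notes whether that provider's own credentials were seen the same day.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample data (not from the post): one row per credential seen for
# sale, after the analyst has recorded which outsourced IT support company each
# victim uses. The provider itself appears as a victim with provider=None.
INCIDENT_DAY = date(2018, 11, 2)  # constructed date, not the real one

LEAKED_CREDENTIALS = [
    {"org": "Oakridge Academy",      "vertical": "education",   "seen": INCIDENT_DAY,     "provider": "ProviderA"},
    {"org": "Valley Health Group",   "vertical": "healthcare",  "seen": INCIDENT_DAY,     "provider": "ProviderA"},
    {"org": "Valley Health Group",   "vertical": "healthcare",  "seen": INCIDENT_DAY,     "provider": "ProviderA"},  # second account, same org
    {"org": "Riverside Clinic",      "vertical": "healthcare",  "seen": INCIDENT_DAY,     "provider": "ProviderA"},
    {"org": "Town of Millbrook",     "vertical": "government",  "seen": INCIDENT_DAY,     "provider": "ProviderA"},
    {"org": "Harbor Inn",            "vertical": "hospitality", "seen": INCIDENT_DAY,     "provider": "ProviderA"},
    {"org": "Pinecrest Country Club","vertical": "leisure",     "seen": INCIDENT_DAY,     "provider": "ProviderA"},
    {"org": "Northside Dental",      "vertical": "healthcare",  "seen": INCIDENT_DAY,     "provider": "ProviderB"},  # unrelated victim, same day
    {"org": "ProviderA",             "vertical": "it-services", "seen": INCIDENT_DAY,     "provider": None},         # the MSP itself
    {"org": "Summit Logistics",      "vertical": "commercial",  "seen": date(2018, 9, 14), "provider": "ProviderA"},  # isolated earlier hit
    {"org": "Lakeside Hotel",        "vertical": "hospitality", "seen": date(2019, 1, 8),  "provider": "ProviderC"},
]


def orgs_by_date(records):
    """Map each compromise date to {org: provider}.

    Using a dict per date collapses several leaked accounts belonging to the
    same organization into one victim, so counts are of organizations, not
    of credentials.
    """
    out = defaultdict(dict)
    for r in records:
        out[r["seen"]][r["org"]] = r["provider"]
    return out


def supply_chain_suspects(records, min_orgs=3, min_share=0.75):
    """Find dates that look like a compromised-supplier event.

    For every date with at least `min_orgs` distinct client organizations,
    take the most common IT provider among them. If that provider accounts
    for at least `min_share` of the victims, report it together with the
    number of client orgs, the share, and whether the provider's own
    credentials were also seen on that date.

    Returns {date: (provider, n_client_orgs, share, provider_itself_hit)}.
    """
    suspects = {}
    for day, orgs in orgs_by_date(records).items():
        # Only organizations with a known provider count toward the share.
        clients = {o: p for o, p in orgs.items() if p is not None}
        if len(clients) < min_orgs:
            continue
        provider, n = Counter(clients.values()).most_common(1)[0]
        share = n / len(clients)
        if share >= min_share:
            suspects[day] = (provider, n, share, provider in orgs)
    return suspects


def verticals_hit(records, day, provider):
    """Distinct verticals among the provider's clients compromised on `day`."""
    return sorted({r["vertical"] for r in records
                   if r["seen"] == day and r["provider"] == provider})


if __name__ == "__main__":
    for day, (prov, n, share, self_hit) in supply_chain_suspects(LEAKED_CREDENTIALS).items():
        print(f"{day}: {n} client orgs ({share:.0%}) share provider {prov}; "
              f"provider itself compromised that day: {self_hit}")
        print("  verticals:", ", ".join(verticals_hit(LEAKED_CREDENTIALS, day, prov)))
```

The thresholds are deliberately conservative: a single shared provider on a single date with only two victims is weak evidence, whereas six clients across five verticals plus the provider's own account on the same day is the pattern the post describes. Lower `min_share` if you expect incomplete provider attribution, and treat the output as a lead for the phone calls and cross-referencing, not as a conclusion.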
Understanding the implications of HIPAA violations and PII breaches, we reached out directly to each of the healthcare groups we'd identified and notified them by e-mail of potential compromises they might not be aware of. None acknowledged our notifications. We also contacted the local government entity we had identified and shared what we found. They were the only ones to take it seriously.
These healthcare groups and the other organizations impacted are victims of cyber crime directly linked to their supply chain. They placed their trust in a company to provide technology services that should've included competent cybersecurity. Overlooking the cybersecurity of your IT provider is like ignoring an insider threat.
Imagine if the security guard you hired to protect your property left their keys in the door and robbers helped themselves.
* To our knowledge, and we checked HHS' breach notification site, the healthcare group that acknowledged their e-mail was compromised never reported the breach to HHS. It's possible no PII was exposed during the 13 months between the credentials being compromised and the account being used to spread malware.
Firestorm Cyber is a cybersecurity company and part of the global cybersecurity community. When our threat intelligence indicates potential threats, we feel it's our responsibility to reach out to businesses and organizations and alert them, even when they're not our customers.