Nova Scotia Health Says 100,000 Affected by MOVEit Hack

Cyber Security Threat Summary:
The personal information of approximately 100,000 Nova Scotia Health employees was unlawfully obtained by hackers who exploited a zero-day vulnerability in Progress Software's MOVEit managed file transfer application. The disclosure by the women's and children's health center is a sign that other healthcare organizations may also announce data breaches caused by ransomware actors who exploited the since-patched vulnerability in the software. Late Friday, the Health Sector Cybersecurity Coordination Center of the U.S. Department of Health and Human Services issued an alert stating that exploitation of this vulnerability could have significant repercussions for the healthcare and public health sector because of how widely the software is deployed.

“The government of Nova Scotia, a Maritime province on Canada's east coast, uses the MOVEit service to transfer employee payroll information. "Right now, all we can confirm is that the personal information of up to 100,000 past and present employees of Nova Scotia Health, the IWK Health Center and the public service has been stolen," a Nova Scotia government spokesperson told Information Security Media Group. "This number could change. It could go up or down. Our investigation is ongoing, and we will continue to update the public as more information is available." Patient information appears unaffected, the spokesperson said. The investigation into the incident determined that compromised employee information includes social insurance numbers, addresses and banking information, Nova Scotia's cybersecurity and digital solutions service said in a statement issued on Tuesday” (DataBreachToday, 2023).

Security Officer Comments:
Earlier this week, the Clop ransomware-as-a-service group claimed responsibility for a series of attacks exploiting the MOVEit vulnerability, which Progress Software patched on May 31. Progress Software reported that numerous healthcare and public health sector organizations, including hospitals, clinics, and insurance groups, use MOVEit for secure file transfer. This covers file transfer activities related to healthcare billing, insurance inquiries, healthcare claims, audit logs, appointment reminders, patient surveys, and retrieval of medical records by patients. The Clop ransomware gang has warned that unless victims contact it first, it will begin publishing victims' names starting on Wednesday. However, the gang claimed to have erased data obtained from governmental, municipal, or police sources, saying it has no intention of exposing such information. The recent MOVEit incidents follow a series of similar attacks earlier this year that targeted a vulnerability in another secure file transfer product, Fortra's GoAnywhere MFT. Managed file transfer platforms are attractive to malicious actors because organizations rely on them to store and exchange sensitive information with partners and customers, so a single compromised server yields a concentrated trove of data.

Suggested Correction(s):
Back up your data, system images, and configurations, test the backups regularly, and keep them offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current offline backups is critical: if your network data is encrypted by ransomware, your organization can still restore systems from them.

Update and patch systems promptly: This includes keeping operating systems, applications, and firmware up to date in a timely manner. Consider using a centralized patch management system, and use a risk-based assessment strategy to drive your patch management program.
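The following is an added illustration (not from the original article or from Progress Software) of what a risk-based patch prioritization can look like in practice. It scores each asset on the factors this page highlights, namely active exploitation, internet exposure, and handling of sensitive data, so that an exposed managed file transfer server such as MOVEit Transfer lands at the top of the patch queue. The inventory, asset names, weights and SLA tiers are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Asset:
    name: str
    software: str
    internet_exposed: bool
    handles_sensitive_data: bool
    patch_available: bool
    exploited_in_the_wild: bool
    days_since_patch_release: int


def risk_score(a: Asset) -> int:
    """Additive score; higher means patch sooner. Weights are assumed, not a standard."""
    score = 0
    if a.exploited_in_the_wild:
        score += 40  # confirmed in-the-wild exploitation dominates every other factor
    if a.internet_exposed:
        score += 25  # reachable by anyone, not just insiders
    if a.handles_sensitive_data:
        score += 20  # payroll, SINs, banking details: high impact if stolen
    if a.patch_available:
        score += 10  # a fix exists, so remaining risk is purely our own delay
        score += min(a.days_since_patch_release, 10)  # an unapplied fix ages badly
    return score


def patch_sla_days(a: Asset) -> int:
    """Map the score to a maximum number of days allowed before the patch is applied."""
    s = risk_score(a)
    if s >= 80:
        return 1
    if s >= 50:
        return 7
    if s >= 25:
        return 30
    return 90


def patch_order(assets: List[Asset]) -> List[Asset]:
    """Return assets ordered from most to least urgent (name breaks ties)."""
    return sorted(assets, key=lambda a: (-risk_score(a), a.name))


# Constructed sample inventory for the example; not real hosts.
INVENTORY = [
    Asset("mft-01", "MOVEit Transfer", True, True, True, True, 5),
    Asset("hr-db", "Payroll database", False, True, True, False, 12),
    Asset("kiosk-03", "Lobby kiosk browser", False, False, True, False, 2),
    Asset("wiki-int", "Internal wiki", False, False, False, False, 0),
]

if __name__ == "__main__":
    for a in patch_order(INVENTORY):
        print(f"{a.name:10} {a.software:22} score={risk_score(a):3} patch within {patch_sla_days(a)} day(s)")
```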

Test your incident response plan: Nothing exposes the gaps in a plan like testing it. Work through some core questions and use the answers to build the plan: Can you sustain business operations without access to certain systems? For how long? Would you shut down manufacturing operations if business systems such as billing were offline?

Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: Ransomware attacks have recently shifted from stealing data to disrupting operations. It is critically important that your corporate business functions and manufacturing/production operations are separated. Carefully filter and limit internet access to operational networks, identify the links between these networks, and develop workarounds or manual controls so that ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.

Train employees: Email remains the most exploited attack vector for organizations. Users should be trained to spot and avoid phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.

Link(s):
https://www.databreachtoday.com/nova-scotia-health-says-100000-affected-by-moveit-hack-a-22263