Northern Ireland police data exposed due to staff error | Cyber Intelligence Briefing: 11 August

Top news stories this week

1. Belfast blues. Personal information from Police Service of Northern Ireland inadvertently leaked. 
2. Electioneering. 43 million voters’ details exposed in attack on UK Electoral Commission. 
3. Turning on the taps. Cl0p gives new 15 August deadline and uses torrents for leaking data. 
4. Medical mayhem. Rhysida attack on Prospect Medical Holdings disrupts US hospitals’ operations. 
5. Caught red-handed. North Korea’s Lazarus group hacks top Russian missile manufacturer. 
6. Phish and chips. Interpol dismantles phishing-as-a service platform. 
   

1. Northern Ireland police data exposed due to staff error

The names and addresses of over 10,000 police officers and other staff of the Police Service of Northern Ireland were exposed online following an accidental disclosure in response to a Freedom of Information request. The data is highly sensitive given the security situation in Northern Ireland and included names of intelligence officers and surveillance units. 

So what?

Sensitive information should be carefully sanitised before being shared with external stakeholders. Organisations should have robust processes, including access controls, to prevent accidental exposure.

2. Attack on UK electoral commission exposes 43 million voter details 

The UK Electoral Commission has disclosed that unidentified threat actors had access to servers holding the names and addresses of every adult registered to vote in the UK between 2014 and 2022. The attack began in August 2021 and was first detected in October 2022, but it is unclear what files were accessed. Security researchers have speculated that the threat actor is linked to Russia and gained access using the ProxyNotShell vulnerability. 

So what?

While preventative controls are important, the ability to detect a cyber incident is critical. Detection and response solutions and regular threat hunting exercises are just two important ways to improve an organisation’s detection capabilities. Furthermore, timely disclosure in the wake of a data breach is essential not only to comply with legal requirements, but also to mitigate reputational damage.

3. Cl0p issues new deadline and turns to torrents for data leaks

The Cl0p ransomware gang, who was responsible for the recent MOVEit breach, has issued a new deadline. The group claims it will start leaking data from companies named on their site who have not made contact by 15 August 2023. In addition to using clear web leak sites for larger victims, the gang has also begun using torrents to leak stolen data.  

So what?

In contrast to dark web leak sites with slow download speeds, torrents and clear web sites will make leaked data much more readily accessible. 

4. Rhysida ransomware attacks force hospitals in the US and Israel to halt operations 

US-based Prospect Medical Holdings experienced a ransomware attack which caused systems outages and disrupted operations at its 16 hospitals across California, Connecticut, Pennsylvania, and Rhode Island. The attack was attributed to Rhysida, a relatively new ransomware-as-a-service group. Security researchers have linked Rhysida to Vice Society, a more established group also known to target the healthcare and education sectors.

So what?

There are several methods to improve ransomware resilience, including good backups hygiene. One important, but often overlooked, measure is isolating critical systems from the rest of the operational network and limiting access to these as much as possible.

5. Lazarus Group hacks Russian missile manufacturer

The North Korean state-backed threat actor Lazarus Group infiltrated the systems of Russian missile developer NPO Mashinostroyeniya between late 2021 and May 2022. Hackers installed backdoors for persistent access, but it is unclear what data was accessed. The breach was inadvertently made public after security staff at NPO Mash uploaded data to a platform used by cyber security researchers. 

So what?

Not all cyber attacks are financially motivated. Organisations with sensitive intellectual property could be the target of different motivations. Acknowledging this and protecting sensitive and valuable data accordingly is critical. 

6. Interpol dismantles phishing-as-a-service platform

Interpol has successfully taken down the 16shop phishing-as-a-service platform. This platform provided easy to use phishing kits for major payment platforms such as Apple Pay, Paypal, and American Express. The site had around 70,000 users from 43 countries. 

So what?

While the takedown of 16shop is a significant step, it is crucial to remain vigilant as similar platforms still exist. These platforms reduce the skill barrier for attackers, emphasising the ongoing need for robust cyber security measures and user awareness.