
Supply Chain Attacks: The Risks Keep Growing – Ep 490 

 January 3, 2024

By  Donna Grindle

Ah, supply chain attacks—the gift that keeps on giving… headaches, fines, and catastrophic data breaches. In this episode, we unwrap three cautionary tales of organizations caught in the tangled web of digital supply chain chaos. From unpatched vulnerabilities and sneaky software backdoors to hackers casually buying network access like it’s an eBay auction, each story serves up a hard truth: you don’t want to be part of a supply chain attack, you don’t want to have a supply chain attack, and you definitely don’t want to delay dealing with a supply chain attack. So grab your metaphorical flashlight and let’s go spelunking into the murky caves of cybersecurity mishaps.


Today’s episode is brought to you by Kardon and HIPAA for MSPs with Security First IT.



Supply Chain Attacks: The Risks Keep Growing

[06:42] Supply chain attacks are becoming more sophisticated and harder to detect, leaving businesses and individuals at greater risk. From hidden malware in trusted tools to unpatched vulnerabilities and outright extortion, these threats are evolving in ways that make them even more dangerous. In this episode, we explore recent examples of how these attacks unfold and what we can learn to better protect ourselves.

NY state fines a healthcare provider $1.4M, reduced to $550K

[09:50]

NY Health Group Fined $550K in Unpatched Vulnerability Hack

This case involves HealthAlliance which operates facilities including two hospitals and a residential care center serving New York’s Ulster and Delaware counties.

Attorney General James Secures $550,000 from Hudson Valley Health Care Facility Operator for Failing to Protect Patient Data

I like the way they worded this announcement to make it clear it could have been worse. According to the penalty calculations they fined them $1.4m but “suspended” $850,000 because of their “financial condition” and role providing care in the community.

What happened?

A zero-day vulnerability in a Citrix NetScaler appliance they used for telemedicine went unpatched. Attackers took advantage of it to steal 196 GB of data affecting about 242,000 patients and employees.

On July 18, 2023, Citrix released a security advisory and patches for several vulnerabilities. One was a critical zero-day in NetScaler. The advisory said attackers had already exploited it to get into an organization’s critical infrastructure and exfiltrate its Active Directory user accounts.

HealthAlliance caught the announcement immediately and went to patch it. For some reason, the patch wouldn’t install successfully on their device. They tried for days. Then they called Citrix, who tried to patch it and couldn’t. They tried to patch their standby NetScaler device and couldn’t. They even brought in another third party, who couldn’t get the patch to install either.

They kept trying to resolve the problem for months. The real problem was that they kept the unpatched device up and running the whole time.

On Oct. 12, 2023, it all fell apart: several leaders of the organization received emails from the attackers saying they had accessed the network and systems and stolen data. HealthAlliance had picked up “unusual activity” around the same time and started an investigation.

Finally, they took the NetScaler devices offline and replaced them with brand new ones that were patched.

The attackers did exactly what the advisory said they could do: get into Active Directory and steal the user accounts. Then they used those accounts to access over 40 different hosts between Sept. 22, 2023, and Oct. 8, 2023.
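As an added example that is not from the episode or from the case record, here is one way a defender might spot that pattern in authentication logs: a single account that successfully logs on to an unusual number of distinct hosts within a short window. The log format, the field names, the 24-hour window, the host threshold and the sample lines are all constructed for illustration.

```python
"""Flag accounts that fan out to many distinct hosts in a short window.

Added example, not from the episode: a minimal detection over
constructed authentication log lines. The log format, the field names,
the 24-hour window and the host threshold are all assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed format: "<ISO timestamp> LOGON user=<name> src=<ip> dst=<host> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGON user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)

# Constructed sample: one ordinary user, and one account that suddenly
# reaches six different hosts in a few minutes (a seventh host, two days
# later, falls outside the window and a failed logon does not count).
SAMPLE_LOG = [
    "2023-10-07T01:00:00 LOGON user=jdoe src=10.0.0.5 dst=files01 result=ok",
    "2023-10-07T01:05:00 LOGON user=jdoe src=10.0.0.5 dst=mail01 result=ok",
    "2023-10-07T02:00:00 LOGON user=svc_backup src=10.0.9.9 dst=dc01 result=ok",
    "2023-10-07T02:01:00 LOGON user=svc_backup src=10.0.9.9 dst=files01 result=ok",
    "2023-10-07T02:02:00 LOGON user=svc_backup src=10.0.9.9 dst=files02 result=ok",
    "2023-10-07T02:03:00 LOGON user=svc_backup src=10.0.9.9 dst=app01 result=ok",
    "2023-10-07T02:04:00 LOGON user=svc_backup src=10.0.9.9 dst=app02 result=ok",
    "2023-10-07T02:05:00 LOGON user=svc_backup src=10.0.9.9 dst=db01 result=fail",
    "2023-10-07T02:06:00 LOGON user=svc_backup src=10.0.9.9 dst=db01 result=ok",
    "2023-10-09T02:06:00 LOGON user=svc_backup src=10.0.9.9 dst=db02 result=ok",
]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_fanout(lines, window=timedelta(hours=24), max_hosts=5):
    """Return {user: sorted distinct hosts} for every user whose successful
    logons reach more than `max_hosts` distinct hosts inside any sliding
    window of length `window`. Failed logons are ignored."""
    by_user = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["result"] == "ok":
            by_user[rec["user"]].append((rec["ts"], rec["dst"]))

    alerts = {}
    for user, events in by_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {host for _, host in events[start:end + 1]}
            if len(hosts) > max_hosts:
                alerts[user] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for user, hosts in find_fanout(SAMPLE_LOG).items():
        print(f"ALERT {user}: {len(hosts)} hosts in window -> {', '.join(hosts)}")
```

The threshold has to be tuned per account type (a backup or scanning service account legitimately touches many hosts), so in practice you would baseline each account's normal host count first and alert on the jump, not on an absolute number.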

[22:03]

So many things can be learned from this case. Here are a few:

  • Patching is critical, and especially so when there is a zero-day in a public-facing device. Those vulnerabilities must be patched within a few days, the sooner the better.
  • If you can’t get the patch done for any reason, then the device must be taken offline. Period, end of discussion.
  • Tech staff need to remember this story, because we get caught up in fixing the problem and lose track of how long it is taking. Someone has to step back and say pull the plug and get us a new one ASAP. In the end, they would have saved close to a million dollars, if not more, just by doing that when Citrix couldn’t patch it themselves.

The website attack buried by very patient attackers

[26:38]

Yearlong supply-chain attack targeting security pros steals 390K credentials – Ars Technica

A simple piece of useful code was shared for developers to use. That code was maintained like normal. What no one noticed was a hidden piece of code buried in one of its 16 updates: malware that opened up a backdoor.

That code spread slowly but surely across WordPress sites as developers adopted it. They needed a piece of code that did something simple, and you only pull in code like that when it has a good reputation of being maintained and used by others consistently. The attackers waited patiently for their hidden backdoor to spread without using it.

Next, they published another little tool that was very simple and helpful. If anyone had looked, they would have seen that this tool automatically pulled in the first tool, malware included. It looked legitimate.

Now this second tool started being used across websites. Each one now had a tiny backdoor that could be used by the attackers, and it was very hard to notice it was there.

They combined regular updates to a legitimate-looking tool with a dependency on another one that opened up any place the software was installed.

In this case the attackers stole information from the websites every day and dropped it into Dropbox sometimes and file.io other times. They were stealing very important security keys and login information. They also planted crypto-mining software and used the processing power of the systems running the websites to make themselves even more money.

They targeted security researchers and other techie folks on this one. No one is immune. That is why we are so paranoid about getting hacked ALL OF THE TIME.

  • This is why your website matters.
  • This is why your web developer matters.
  • This is why you should be checking it too.
  • This is why we talk about things like the code review and SBOMs your developers should be doing.
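As an added illustration, not code from the episode or from the tools it describes, here is a small review gate over two snapshots of a dependency inventory, the kind of thing a lockfile or an SBOM gives you. It flags exactly the patterns in the story above: a package whose contents changed without a version bump, and an update that quietly adds a new dependency. The inventory shape, package names, versions and hashes are all constructed for the example.

```python
"""Review gate over two snapshots of a dependency inventory.

Added example, not from the episode: the inventory shape below is a
simplified, constructed stand-in for a real lockfile or SBOM so that the
logic runs offline. Package names, versions and integrity hashes are
made up for the example.
"""

# Constructed "before" snapshot: the site depends on two small tools.
OLD_LOCK = {
    "packages": {
        "handy-tool": {"version": "1.4.0", "integrity": "sha256-aaaa1111", "requires": []},
        "left-thing": {"version": "0.9.2", "integrity": "sha256-bbbb2222", "requires": []},
    }
}

# Constructed "after" snapshot: handy-tool's update quietly adds a new
# dependency, and left-thing's contents changed without a version bump.
NEW_LOCK = {
    "packages": {
        "handy-tool": {"version": "1.5.0", "integrity": "sha256-aaaa3333", "requires": ["tiny-rpc"]},
        "left-thing": {"version": "0.9.2", "integrity": "sha256-bbbb9999", "requires": []},
        "tiny-rpc": {"version": "2.3.1", "integrity": "sha256-cccc4444", "requires": []},
    }
}


def diff_locks(old, new):
    """Compare two {name: {version, integrity, requires}} inventories."""
    old_pk, new_pk = old["packages"], new["packages"]
    diff = {
        "added": sorted(set(new_pk) - set(old_pk)),
        "removed": sorted(set(old_pk) - set(new_pk)),
        "version_changed": [],
        "content_changed_same_version": [],
        "new_requires": [],
    }
    for name in sorted(set(old_pk) & set(new_pk)):
        o, n = old_pk[name], new_pk[name]
        if o["version"] != n["version"]:
            diff["version_changed"].append((name, o["version"], n["version"]))
        elif o["integrity"] != n["integrity"]:
            # Same version string, different bytes: a legitimate release never does this.
            diff["content_changed_same_version"].append(name)
        gained = sorted(set(n.get("requires", [])) - set(o.get("requires", [])))
        if gained:
            diff["new_requires"].append((name, gained))
    return diff


def review_findings(diff):
    """Turn a diff into (severity, message) findings, most severe first."""
    findings = []
    for name in diff["content_changed_same_version"]:
        findings.append(("critical", f"{name}: contents changed without a version bump"))
    for name, gained in diff["new_requires"]:
        findings.append(("high", f"{name}: update now pulls in {', '.join(gained)}"))
    for name in diff["added"]:
        findings.append(("medium", f"{name}: new package in the dependency tree"))
    for name, before, after in diff["version_changed"]:
        findings.append(("low", f"{name}: {before} -> {after}"))
    for name in diff["removed"]:
        findings.append(("info", f"{name}: removed"))
    return findings


def needs_human_review(diff):
    """True when anything beyond a plain version bump changed."""
    return bool(diff["content_changed_same_version"] or diff["new_requires"] or diff["added"])


if __name__ == "__main__":
    d = diff_locks(OLD_LOCK, NEW_LOCK)
    for severity, msg in review_findings(d):
        print(f"[{severity}] {msg}")
    print("human review required:", needs_human_review(d))
```

The point of the gate is not the severity labels but the rule that a version bump alone is routine while a new transitive dependency, or changed bytes under an unchanged version, stops the update until a person looks. That is the check that would have caught the second tool silently pulling in the first one.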

I was just reviewing an HDO’s website. It made me a nervous wreck when I saw on the contact page a little badge:

It didn’t get better when I checked out their chat tool vendor, which included a similar note. Sure, we are HIPAA compliant, they said too. At least they spelled it correctly on their site.

Your systems may be part of the attacker supply chain

[41:11]

Of course, we can’t have an episode about hacks and breaches that doesn’t touch close to home. This one involved two different organizations in GA, a town’s police department server and a doctor’s office, plus a dentist in FL.

Hacker gets 10 years in prison for extorting US healthcare provider

Robert Purbeck, a 45-year-old from Idaho, was sentenced to ten years in prison for hacking at least 19 organizations, stealing personal data of over 132,000 individuals, and engaging in multiple extortion attempts. His handles included LifeLock and Studmaster (eye rolls now).

His scheme is one that many criminals use every day. He just happens to be one that got caught.

He bought network access to the doctor’s office off the dark web in 2017. This is the setup we tell you about: someone compromises the machines and checks on them periodically so no one notices, and then someone else buys that access. He stole 43,000 patient records and demanded a ransom.

He bought access to the police department the next year and stole information from their systems. Then, later in 2018, he tried to ransom an orthodontist in FL after stealing patient records there using the same scheme. In that case, though, he also harassed patients and the doctor with text messages and emails.

The attackers have a supply chain too. We don’t want to be part of it!

Supply chain attacks aren’t just a cybersecurity buzzword—they’re a recurring nightmare with a plot that keeps getting worse. In today’s episode, we explored three cautionary tales where small oversights turned into big disasters. Whether it’s delays in action, sneaky vulnerabilities hiding in plain sight, or hackers buying access like they’re at an online yard sale, the takeaway is crystal clear: You don’t want to be part of a supply chain attack, you don’t want to have a supply chain attack, and you definitely don’t want to delay dealing with a supply chain attack. In the end, it’s not just about staying secure—it’s about staying ready.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
