Full Report
For the latest discoveries in cyber research for the week of 23rd December, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES The State of Rhode Island has issued a notification that RIBridges, the state’s portal for social services, has suffered a cyber attack and data leak. According to the reports, the breach was […] The post 23rd December – Threat Intelligence Report appeared first on Check Point Research.
Analysis Summary
# Incident Report: Week of December 23rd Security Events (Summary)
## Executive Summary
This summary compiles the significant security incidents reported for the week of December 23rd: ransomware attacks on government, telecommunications and healthcare entities (State of Rhode Island, Telecom Namibia, Texas Tech University Health Sciences Center, Ascension Health), a breach of the healthcare software provider Phreesia's ConnectOnCall subsidiary, a disruptive attack on the Ukrainian Justice Ministry attributed to the GRU, and a breach at privileged access management vendor BeyondTrust via a compromised Remote Support API key. Together they illustrate three ongoing threats: ransomware with large-scale data exfiltration, state-backed disruptive attacks, and the compromise of credentials issued to third-party management tooling.
## Incident Details
- **Discovery Date:** Various; the report aggregates distinct events that were disclosed, or received new public details, during the week of December 23rd.
- **Incident Date:** Various; for example, the Texas Tech University Health Sciences Center attack began in September 2024 and the Ascension Health attack in May 2024.
- **Affected Organization:** State of Rhode Island (RIBridges), BeyondTrust, Telecom Namibia, Phreesia (ConnectOnCall subsidiary), Ukrainian Justice Ministry, Texas Tech University Health Sciences Center, Ascension Health.
- **Sector:** Government Services, IT/IAM Solutions, Telecommunications, Healthcare Software, Government Services (Justice), Higher Education/Healthcare, Healthcare Services.
- **Geography:** USA (Rhode Island, Texas), Namibia, Ukraine.
## Timeline of Events
### Initial Access
- **Date/Time:** Varied across incidents.
- **Vector:** Not confirmed for the ransomware cases (phishing, compromised remote-access credentials, or an exploited software vulnerability are the usual initial vectors for these groups); a compromised API key in the BeyondTrust case.
- **Details:**
  * **RIBridges / Ascension / TTUHSC / Telecom Namibia:** Ransomware deployed after an initial foothold that allowed code execution and spread across the network; the specific foothold is not detailed in the summary.
  * **BeyondTrust:** Attackers gained access via a compromised Remote Support API key.
### Lateral Movement
- **Date/Time:** Following initial access.
- **Vector:** Not detailed in the summary; the volume of data taken implies movement across multiple internal systems.
- **Details:**
  * In the Telecom Namibia incident, attributed to Hunters International, the attackers reached enough of the environment to exfiltrate more than 600 GB of data.
  * Ascension Health was targeted by Black Basta; the intrusion spread widely enough to cause weeks of operational disruption.
### Data Exfiltration/Impact
- **Date/Time:** During the active compromise phase.
- **Vector:** Data extraction prior to or alongside encryption/disruption.
- **Details:**
  * **RIBridges:** Compromise of personal information belonging to hundreds of thousands of Rhode Island residents.
* **Phreesia/ConnectOnCall:** Unauthorized access to PII and medical records for 914,138 patients, involving communications between providers and patients.
* **TTUHSC:** Extraction of PII, financial details, and medical data for 1.465 million people, claimed by Interlock ransomware.
* **Ascension Health:** Extraction of medical records, financial data, and PII for 5.6 million people.
### Detection & Response
- **Date/Time:** Post-exploitation disclosure/notification.
- **Vector:** Public disclosures following forensic investigation, or notification by the affected system's vendor or operator.
- **Details:**
  * **Ukraine Justice Ministry:** The attack, attributed to the GRU, led to the ministry's online services being taken offline; Ukraine's security service was aware of the attack and responded.
  * **Response:** Affected organizations opened investigations, notified affected parties, and worked to restore services (Ascension, for example, faced weeks of disruption).
## Attack Methodology
* **Initial Access:** Unconfirmed for the ransomware cases; API key compromise (BeyondTrust).
* **Persistence:** Not detailed, but the attackers in the ransomware cases remained in the environments long enough to stage and exfiltrate large data sets.
* **Privilege Escalation:** Not detailed, but extraction of records at this scale requires privileged access to databases or file servers.
* **Defense Evasion:** Not detailed; Black Basta, Interlock and Hunters International all deployed and operated without being stopped before exfiltration.
* **Credential Access:** In the BeyondTrust incident, the compromised Remote Support API key could reset passwords of local application accounts.
* **Discovery:** Not detailed; internal reconnaissance of the kind these groups normally perform is assumed to have preceded exfiltration.
* **Lateral Movement:** Broad network compromise, indicated by the scale of affected data (millions of records).
* **Collection:** Targeted extraction of PII, financial and medical records.
* **Exfiltration:** Confirmed data theft by Hunters International (Telecom Namibia) and confirmed extraction in the US healthcare and government incidents.
* **Impact:** System disruption (Ukrainian Justice Ministry, Texas Tech) and large-scale data exposure (all major ransomware cases).
## Impact Assessment
- **Financial:** Not explicitly quantified, but significant downtime costs implied for Telecom Namibia and Ascension Health.
- **Data Breach:** PII, financial records, and sensitive Protected Health Information (PHI) belonging to millions (RI, TTUHSC, Ascension, Phreesia).
- **Operational:** Severe disruption at Ascension Health (weeks), shutdown of online services at Ukrainian Justice Ministry.
- **Reputational:** Public notification required for multiple large government and healthcare bodies.
## Indicators of Compromise
*No specific IOCs were detailed in the provided summary of the attacks, as the summary focuses on aggregated news.*
## Response Actions
- **Containment:** Not detailed for most incidents; isolation or segmentation of affected systems is the standard step, and the Ukrainian Justice Ministry took its online services offline.
- **Eradication:** Removal of the ransomware and associated tooling (Black Basta, Interlock, Hunters International) from the affected environments.
- **Recovery:** Restoration of services and public notification procedures initiated by the affected entities.
## Lessons Learned
- A third-party management tool such as remote support software carries the risk of the credentials issued to it: a single compromised API key gave attackers a path into BeyondTrust customers' application accounts.
- Government social-service portals, telecommunications providers and healthcare organizations remain prime targets for disruptive ransomware operations.
- Healthcare and government entities must assume that modern ransomware groups will exfiltrate PII and PHI before encrypting, and defend against the exfiltration, not only the encryption.
## Recommendations
- Enforce Multi-Factor Authentication (MFA) on all interactive access, including remote-support and administrative consoles. MFA does not apply to API keys, so treat each key as a privileged credential: grant it only the scopes it needs, restrict it to known source IP ranges, rotate it on a schedule, and alert on sensitive actions (such as password resets of local accounts) performed under an API key.
- Inventory every key or token issued to a third-party service, record its owner and purpose, and review its permissions regularly; revoke keys that are unused or over-privileged.
- Maintain strict network segmentation and immutable, tested backups to limit the spread of ransomware and the recovery time for systems holding PII/PHI, and monitor outbound transfers from those systems so that exfiltration is detected before encryption.
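The BeyondTrust lesson and the recommendations above reduce to two routine checks: audit the keys issued to third-party tools against a least-privilege policy, and watch the audit log for sensitive actions performed under an API key. The following is an added example, not code from Check Point Research or from any vendor named in the report. The key inventory, the audit-log format, the scope names (`admin:*`, `user:password_reset`) and the action names are all constructed for a hypothetical remote-support product; adapt the field names to whatever the real product exports.

```python
"""Audit third-party API keys and detect API-key-driven local password resets.

Added example with constructed data; the inventory, log format and scope names
are hypothetical and do not correspond to any real product's export.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed inventory of keys issued to integrations (hypothetical product).
KEY_INVENTORY = json.loads("""
[
  {"id": "key-ci-01", "owner": "ci-pipeline",
   "scopes": ["session:list"], "created": "2024-11-30T00:00:00Z",
   "ip_allowlist": ["203.0.113.10/32"]},
  {"id": "key-legacy-02", "owner": "helpdesk-integration",
   "scopes": ["admin:*"], "created": "2024-03-01T00:00:00Z",
   "ip_allowlist": []},
  {"id": "key-vendor-03", "owner": "vendor-sync",
   "scopes": ["user:read", "user:password_reset"], "created": "2024-12-01T00:00:00Z",
   "ip_allowlist": []}
]
""")

# Constructed JSON-per-line audit log for the same hypothetical product.
AUDIT_LOG = """\
{"ts": "2024-12-20T03:14:07Z", "actor_type": "api_key", "actor_id": "key-vendor-03", "action": "user.password_reset", "target": "local:svc-remote-admin", "src_ip": "198.51.100.7"}
{"ts": "2024-12-20T03:14:20Z", "actor_type": "api_key", "actor_id": "key-vendor-03", "action": "user.password_reset", "target": "local:jdoe", "src_ip": "198.51.100.7"}
{"ts": "2024-12-20T09:00:00Z", "actor_type": "user", "actor_id": "admin.jane", "action": "user.password_reset", "target": "ldap:bob", "src_ip": "10.0.0.5"}
{"ts": "2024-12-21T11:22:33Z", "actor_type": "api_key", "actor_id": "key-ci-01", "action": "session.list", "target": "", "src_ip": "203.0.113.10"}
"""

# Policy parameters (assumed values; tune to the organization's standard).
REFERENCE_TIME = datetime(2024, 12, 23, tzinfo=timezone.utc)
MAX_KEY_AGE = timedelta(days=90)
HIGH_RISK_SCOPES = {"admin:*", "user:password_reset", "session:control"}


def _parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_keys(inventory, now=REFERENCE_TIME):
    """Return (key_id, finding) pairs for keys that violate the least-privilege policy."""
    findings = []
    for key in inventory:
        risky = sorted(HIGH_RISK_SCOPES & set(key["scopes"]))
        if risky:
            findings.append((key["id"], "high-risk scope(s): " + ", ".join(risky)))
        if now - _parse_ts(key["created"]) > MAX_KEY_AGE:
            findings.append((key["id"], "key older than rotation window"))
        if not key["ip_allowlist"]:
            findings.append((key["id"], "no source IP allowlist"))
    return findings


def find_api_key_local_resets(log_text):
    """Return (key_id, target, src_ip) for password resets of local accounts done under an API key.

    A human administrator resetting a directory account is normal; an API key
    resetting local application accounts is the pattern worth alerting on.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if (event["actor_type"] == "api_key"
                and event["action"] == "user.password_reset"
                and event["target"].startswith("local:")):
            hits.append((event["actor_id"], event["target"], event["src_ip"]))
    return hits


def resets_per_key(hits):
    """Count local-account resets per key so a burst from one key stands out."""
    counts = {}
    for key_id, _target, _src_ip in hits:
        counts[key_id] = counts.get(key_id, 0) + 1
    return counts


if __name__ == "__main__":
    for key_id, finding in audit_keys(KEY_INVENTORY):
        print(f"[policy] {key_id}: {finding}")
    hits = find_api_key_local_resets(AUDIT_LOG)
    for key_id, target, src_ip in hits:
        print(f"[alert] {key_id} reset {target} from {src_ip}")
    print(resets_per_key(hits))
```

On the constructed data the policy audit flags the legacy key for its wildcard admin scope, its age and the missing IP allowlist, and flags the vendor key for its password-reset scope and missing allowlist; the log check then shows that same vendor key resetting two local accounts within seconds from an address no allowlist would have permitted. Running both checks together is what turns an over-privileged key from an inventory line item into an incident before the attacker moves further.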