Security News Survey – February 22, 2019

A look at an exposed UW Medicine database, a 16-month malware infection, and a ranked list of nation-state actor “breakout times”


We may be biased, but the most exciting cybersecurity news we’ve seen in the last week is that of Interset’s acquisition by Micro Focus, one of the world’s largest software companies! At the end of last week, we officially joined the Micro Focus family, and we are thrilled to be a part of the company’s Security, Risk, and Governance portfolio. If you haven’t already, be sure to check out the announcement to learn more about the vision behind the acquisition.

Despite our excitement around that piece of news, we did keep an eye out for other interesting headlines in the cybersecurity world. Let’s take a look at some that stood out to us.

Website server glitch exposed nearly one million UW Medicine patients for three weeks

A University of Washington (UW) Medicine patient recently made a concerning discovery when they Googled their own name: a file containing their personal information and UW Medicine medical record number. It turns out a UW Medicine website server vulnerability exposed a database of personal health information (PHI) of 974,000 patients for up to three weeks in December. The organization has removed the data from the site and has been working with Google to ensure that the files don’t appear in searches anymore. UW Medicine also says there’s no evidence of attempts to misuse the exposed information, which included names and medical record numbers. Thankfully, no actual medical records, financial information, or Social Security numbers were involved.

Ironically, it seems the database was housing PHI that has to be tracked according to legal requirements, such as HIPAA. So much for protecting privacy.

Healthcare organization discovers malware-driven data breach—more than a year after infection

In a much smaller (but perhaps more troubling) healthcare data breach, 42,161 patients of AdventHealth Medical Group’s Pulmonary & Sleep Medicine were exposed after hackers infiltrated the organization’s systems via malware. Compromised data includes names, addresses, dates of birth, SSNs, medical histories, and more. Of course, this isn’t the first time we’re seeing malware as a conduit to data exfiltration, but this case is raising a lot of eyebrows in light of the fact that the malware appears to have been installed in August 2017 and not discovered until December 27, 2018—16 months later. The group has removed the malware and is investigating the extent of the breach and why it took such a long time to discover the malware.

No doubt, they’ll have some explaining to do, but theirs is a common and difficult situation. Having visibility into every corner of your company’s systems is critical, especially when trying to account for malware covertly moving through your organization. It can be difficult to detect malware, especially brand new ones with no known signatures, but malware often leaves behind behavioral clues that can indicate its presence. Take a look at our blog on fileless malware to learn more about how Interset helps with this.

You have less than 20 minutes to contain a Russian nation-state attack, says CrowdStrike

The last thing we wanted to look at this week is actually a new report from our partners over at CrowdStrike. This week, CrowdStrike released their annual Global Threat Report, which shared some enlightening statistics about a measurement they call “breakout time”—the time between a hacker’s compromise of a machine and when they can move laterally to other machines on the network. The company ranked different malicious actors (nation-state and “eCrime”) according to breakout time, and the windows varied widely. At the low end were eCrime actors (which the company dubbed “Spiders”) at around 9:42 hours. At the top, however, were Russian nation-state actors (dubbed “Bears”), with a breakout time of just 18:49 minutes. That’s right—you’ll have a 20-minute window to contain a Russian nation-state attack. This is really valuable knowledge that can inform detection, investigation, and response strategies for the many organizations for whom nation-state attacks are a stark reality.

After you read their report, take a look at our recent blog to learn how Interset UEBA and CrowdStrike EDR worked together to detect a nation-state level Red Team attack at a major enterprise.