on 03-Jan-2023 19:57
Hello Everyone, This week, your editor is Koichi.
Today's This Week in Security is a long story about a ransomware attack and how it was solved. We also check two issues of the GitHub breach.
This TWIS is the last edition published in 2022. Thank you for reading TWIS in 2022 and I hope you have a happy New Year.
We in F5 SIRT invest lot of time to understand the frequently changing behavior of bad actors. Bad actors are a threat to your business, your reputation, and your livelihood. That’s why we take the security of your business seriously. When you’re under attack, we’ll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are under security emergency please contact F5 SIRT.
In October 2021, Handa Hospital, a municipal hospital in the Tsurugi, Tokushima Prefecture Japan, was under cyber-attack from a Russian-based hacker crime group. The attack was carried out by a ransomware which stole and encrypted data such as electronic medical records, and brought down hospital functions. The virus uses advanced encryption technology and is said to be 'impossible to unlock' unless a ransom is paid. The hospital announced that it would not pay the ransom and asked an IT contractor in Tokyo to investigate and restore the system, which was restored two months later and all departments were reopened. How they deactivated the ransomeware was not published until recently.
In the early hours of 31 October 2021, a nurse on the ward noticed something unusual. Documents printed endlessly were scattered all over the floor until the printer ran out of paper. When she picked it up, she was told in English: 'Your data has been stolen and encrypted. Pay the ransom or your data will be exposed". From here, the hospital's long battle began.
The attack on Handa Hospital was carried out by the world's largest hacker crime group, calling themselves 'Rockbit 2.0' (now renamed Rockbit 3.0). Rockbit broke into the Handa Hospital system, stole and encrypted data, causing the electronic medical records of 85,000 patients to disappear and rendering the medical accounting and other systems useless across the board. Backups of electronic medical records, which were supposed to prepare for unforeseen circumstances, were also infected by the virus, and the hospital was plunged into chaos.
Handa Hospital decided to maintain a minimum level of medical care by taking emergency measures such as writing medical records by hand. It stopped accepting emergency and new patients and limited consultations to patients with appointments only. Patients who could be discharged were asked to leave the hospital, and the only hospital in western Tokushima Prefecture that was accepting deliveries was also turned down. The electronic medical records were restored at the end of December, and normal medical services were not restored until 4 January 2022, after the new year.
A Japanese anonymous hacker negotiated with the world's largest hacker crime group and obtained a decryption key free of charge. This led to the restoration of the hospital's system. The criminal group later complained that they had been cheated by the hacker. The anonymous hacker admitted that he had contacted Lockbit and obtained the decryption key, but strongly denied any connection with the recovery.
The officer of the Handa Hospital would negotiate a ransom, but the executive refused that, as they can’t negotiate directly with hacker crime groups for compliance reasons, and implied that they used ransom negotiators and legal entities, and finally they got the decryption keys.
There are a number of intermediaries between the Handa Hospitals and ransom negotiators. It was a complex multiple subcontracting structures. The system was designed to keep as far away as possible from the back-room dealings of negotiating with hacker crime groups. The Handa Hospital only asked the IT contractor to restore the system and pay the restoration costs. .
What was the role of the 'anonymous Japanese hacker' who contacted Lockbit and obtained the decryption key for free? They may have sold the decryption keys they obtained from Lockbit to a third-party negotiator. It may have been inexpensive at first, but as it passed through the hands of a number of traders, it may have become more and more expensive. Data decryption was successful because the recovery company paid the hacker through a subcontractor.
Handa Hospital commissioned to the ransom negociator through the subcontractor. As a result, Handa Hospital paid 70 million yen (Around 600 000 USD) to the subcontractor to get a decryption key but the commission was drained through multiple subcontracting structure, and the actual payment to the hacker was just 4 million yen (Around 30 000 USD).
Source: “Why was the 'impossible to disarm' Russian hacker crime group's computer virus able to be disarmed? Handa Hospital, Tokushima, under cyber-attack, and what happened behind the scenes to restore it.” https://nordot.app/977511889856217088
Okta, a provider of identity management and authentication services, announced on 22 December (US time) that there had been a security breach affecting its code repository on GitHub. However, the company said that its customers were not affected and that there was no need for them to take action. The security breach relates to the Okta Workforce Identity Cloud (WIC) and does not include the Auth0 customer identity cloud product, which the company acquired in 2021. According to the company, GitHub reported a suspicious access to Okta's code repositories in early December, and an investigation revealed that this access copied the code repositories associated with WIC. Okta temporarily restricted access to the Okta GitHub repository and stopped all GitHub integrations with third-party applications immediately after receiving reports of suspicious access.
Fujitsu Smart City 5G Source Code Leaked Online
A hacker is claiming to have breached Fujitsu’s code repositories and is now selling the source code for Fujitsu’s Smart City 5G project online. RestorePrivacy examined the data sample and obtained an explanation from the hacker on how the code was accessed.
Accourding to the source, 14 GB of source code allegedly leaked from Fujitsu's "Smart City 5G" project was put up for sale on the "Breached" forum/BBS which is used for posting leaked data. The attacker had claimed to have compromised the company's GitLab using a vulnerability. Approximately 55 MB of data was posted on file-sharing websites as a sample (and it is alrdady deleted).