The biggest cyber security attacks in November

Cyber Security Hub takes a look at the most significant cyber security incidents in November.

Contents

• 2.2 million people impacted by McLaren Health Care data breach
• Toyota Financial Services systems forced offline by cyber attack
• Data breach at US nuclear energy firm exposes sensitive employee information
• BlackCat/APLHV ransomware gang reports victim’s “undisclosed” data breach
• Canadian Government data exposed by contractor cyber attack
• LockBit ransomware affiliates actively exploit Citrix Bleed vulnerability
• General Electric investigates claims of cyber attack and data theft

2.2 million people impacted by McLaren Health Care data breach

Healthcare delivery system McLaren Health Care notified around 2.2 million individuals that their personal information was compromised in a data breach earlier this year. The Michigan-based company said hackers accessed its systems between late July and August in a breach notice filed with Maine’s attorney general.

Exposed information includes Social Security numbers, health insurance information, medical information including billing or claims information, medical record numbers, prescription/medication information and diagnostic and treatment information, according to McLaren. Notorious ransomware gang BlackCat/ALPHV claimed responsibility for the attack, though McLaren has not confirmed whether it has received or paid a ransom demand.

Toyota Financial Services systems forced offline by cyber attack

A cyber attack on Toyota’s European and African financial services department forced the car maker to take systems offline. In a statement, Toyota Financial Services Europe and Africa said it identified unauthorized activity on systems in a limited number of its locations before taking certain systems offline to investigate. The Medusa ransomware group claimed responsibility for the attack and said it has stolen data from the car giant, giving the company 10 days to pay a US $8 million ransom.

Toyota’s internet-accessible systems were vulnerable to the “Citrix Bleed” vulnerability that affects Citrix NetScaler web application delivery control (ADC) and NetScaler Gateway appliances, according to cyber security expert Kevin Beaumont.

Data breach at US nuclear energy firm exposes sensitive employee information

Sensitive information of employees at the Idaho National Laboratory (INL), part of the US Department of Energy, was exposed following a data breach at the advanced nuclear energy testing lab. The breach occurred on Sunday November 19.  

An unnamed hacktivist group claimed responsibility for the incident, alleging to have obtained “hundreds of thousands” of data points from the INL. This reportedly includes dates of birth, email addresses, phone numbers, Social Security numbers, physical addresses and employment information.

The breach highlights the severity of cyber threats and the potential consequences for both individuals and national security, commented Erfan Shadabi, cybersecurity expert at comforte AG.

BlackCat/APLHV ransomware gang reports victim’s “undisclosed” data breach

In an unprecedented move, ransomware group BlackCat/APLHV reported one of its victims to the US Securities and Exchange Commission (SEC) for failing to comply with a four-day cyber attack disclosure rule. This came after it claimed to have breached and stolen data from software company MeridianLink.

The gang said it breached MeridianLink’s network on November 7 and stole company data without encrypting systems, giving the victim a 24-hour deadline to pay a ransom before it would publish the information.

An apparent lack of response appeared to prompt the hackers to exert more pressure by sending the complaint to the SEC about the incident that impacted “customer data and operational” information. However, the newly-formed cyber attack notification rule (Form 8-K, under Item 1.05) that it accused MeridianLink of breaking had not actually come into force yet.

Canadian Government data exposed by contractor cyber attack

The Canadian Government suffered a data breach after contractor hacks exposed the sensitive information of an undisclosed number of employees. The breaches occurred last month (October 19) and impacted Brookfield Global Relocation Services (BGRS) and SIRVA Worldwide Relocation & Moving Services, which provide location services to Government workers.

The Government said it took immediate action to investigate the breach which involves information held by the companies about current and former employees, members of the Canadian Armed Forces and Royal Canadian Mounted Police personnel. Details on specific individuals impacted were not shared at the time of writing, but the preliminary information indicates that breached information could belong to anyone who has used relocation services as early as 1999, the Government stated.

The LockBit ransomware group claimed responsibility for breaching SIRVA’s systems, leaking what appear to be archives containing 1.5TB of stolen documents.

LockBit ransomware affiliates actively exploit Citrix Bleed vulnerability

Affiliates of the LockBit ransomware group have been detected actively exploiting the “Citrix Bleed” vulnerability, a cyber security advisory warned. The flaw affects Citrix NetScaler web application delivery control (ADC) and NetScaler Gateway appliances. It allows threat actors to exploit and bypass password requirements and multifactor authentication (MFA) to hijack legitimate user sessions and acquire elevated permissions to harvest credentials, move laterally and access data and resources.

“Malware identified in this campaign is generated beginning with the execution of a PowerShell script which concatenates two base64 strings together, converts them to bytes and writes them to the designated file path,” according to the advisory.

General Electric investigates claims of cyber attack and data theft

General Electric (GE) revealed that it is investigating claims that a threat actor breached the company’s development environment in a cyber attack and leaked allegedly stolen data. This came after “IntelBroker” attempted to sell access to GE’s “development and software pipelines” for $500 on a hacking forum, before posting again to say they would be selling both the network access and the allegedly stolen data.

GE confirmed it is aware of the hacker’s claims and is investigating the alleged data leak, reported Bleeping Computer. “We are aware of claims made by a bad actor regarding GE data and are investigating these claims. We will take appropriate measures to help protect the integrity of our systems,” said a GE Spokesperson. The American multinational company has divisions in power, renewable energy and aerospace industries.

Get the latest insights on the cyber threat landscape

Download our 'Mid-Year State of Cyber Security Report' to learn about the current challenges that cyber security practitioners in Europe, the Middle East, Africa, and North America are facing, and discover where they are focusing their investment decisions in 2023 and beyond.

Read More