CISA Releases Tool for Assessing Post Compromise Activity in Microsoft 365 Environments
The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has released a new tool to accompany the open-source PowerShell-based Sparrow detection tool released in December 2020 to help network defenders detect potential compromised accounts in their Azure, Microsoft 365, and Office 365 environments. Sparrow was created following the SolarWinds cyberattack to help network defenders identify whether their cloud environments had been compromised. The new tool, named Aviary, is a Splunk-based dashboard that can be used to visualize and analyze data outputs from the Sparrow tool to identify post-compromise threat activity in Azure, Microsoft 365, and Office 365 accounts. The Aviary dashboard helps network defenders analyze PowerShell logs and analyze mailbox sign-ins to determine if the activity is legitimate. Through the dashboard, PowerShell usage by employees can also be examined along with Azure AD domains to determine if they have been modified. CISA is encouraging network defenders to review the previously released AA21-008A alert on detecting post-compromise activity in...
PHI of More Than 420,000 Individuals Potentially Compromised in Ransomware Attack on Ohio Law Firm
Bricker & Eckler, one of the leading law firms in Ohio, suffered a ransomware attack in January in which client information was potentially compromised. The ransomware infection was detected by the law firm on January 31, 2021 and a third-party cybersecurity firm was engaged to assist with the investigation. The investigation revealed the attackers first gained access to its systems on January 14, 2021, and access remained possible until January 31, 2021. During that time the attackers gained access to files containing client information and exfiltrated some data from the law firm’s systems. A notice about the security incident on the law firm’s website confirms that the attackers were contacted, and information stolen in the attack was retrieved, suggesting the ransom was paid. Bricker & Eckler said the attackers confirmed they took steps to delete the stolen data and reassurances were provided that there had been no further disclosures of the stolen information and that no copies of the data had been retained. As a full-service law firm serving clients in the healthcare...
Malware Discovered on Networks of Squirrel Hill Health Center and La Clinica de la Raza
La Clinica de la Raza in Oakland, CA is alerting certain patients about a potential breach of their protected health information. Malware was detected on systems containing patient data on January 28, 2021. A third-party forensics company was engaged to assist with the investigation into the malware attack and determined on February 26, 2021 that the malware would have allowed files containing patient data to be accessed. The breach was short lived, as the malware had been installed and was only active on January 12, 2021. During the short period of time that the malware was active it is possible that documents were viewed by unauthorized individuals, but the clinic believes relatively few documents were viewed. Those documents included full names, dates of birth, phone numbers, home addresses, health insurance information, and certain health information such as dates of service, diagnosis, test results, and treatment information related to medical services provided at the clinic. Steps have been taken to improve data security, including enhancing its intrusion detection and...
Vulnerabilities in Mission Critical SAP Systems Actively Exploited by Multiple Threat Groups
Researchers at security firm Onapsis have observed cybercriminals exploiting multiple vulnerabilities in mission-critical SAP systems. Since mid-2020, there have been more than 300 observed attacks exploiting one or more of six unpatched vulnerabilities. Vulnerabilities in SAP systems are highly sought after by cybercriminals due to the widespread use of SAP systems. SAP says 92% of the Forbes Global 2000 use SAP to power their operations, including the majority of pharmaceutical firms, critical infrastructure and utility companies, food distributors, defense contractors and others. Over 400,000 organizations use SAP globally and 77% of the world’s transactional revenue touches a SAP system. Onapsis reports critical SAP vulnerabilities are typically weaponized within 72 hours of patches being released. Unprotected SAP applications in cloud environments are often discovered and compromised in less than 3 hours. Despite the high risk of exploitation, many organizations are slow to apply patches. One of the vulnerabilities currently being exploited is 11 years old, while the others...
Orthopaedics Practice Discovers Year-Long Email Breach Affecting 125,000 Patients
The Centers for Advanced Orthopaedics has discovered multiple employee email accounts have been accessed by unauthorized individuals. The practice, which serves patients in Virginia, Maryland, and Washington DC, identified suspicious activity in its email system on September 17, 2020. Third party cybersecurity experts were engaged to assist with the investigation and determined several email accounts had been accessed by unauthorized individuals between October 2019 and September 2020. A review of the affected email accounts was conducted to determine the types of information that had been exposed and it was confirmed on January 25, 2021 that protected health information may have been viewed or acquired by cybercriminals. The email accounts contained information of patients, employees, and their dependents. Patient information was mostly restricted to names, dates of birth, diagnoses, and treatment information. A subset of patients also had one or more of the following data types stored in the account: Social Security number, driver’s license number, passport number, financial...



