The INSIDER THREAT is also very real and can be equally as destructive as an outside threat
Chief Operating Officer of Network Security Company Charged with Cyberattack on Medical Center - Vikas Singla - Indicted
In my opinion an insider threat attack is actually worse than a foreign adversary poking around your Network. Why? Because that insider threat was an employee and they (rightly or wrongly) were placed in a position of trust. To violate that trust is a massive breach that should transcend political party affiliations
.
The Department of Justice & FBI score a big - win
And it doesn’t matter how long it takes the FBI - if you’re a cyber criminal —thoughts and prayers
Gwinnett Medical Center October 2018
Back in October 2018 - Salted Hash contacted Gwinnett Medical Center (GMC), and alerted GMC that there “might” have been a data security breach. Thereafter GMC later confirmed that they had launched an investigation of “an IT incident”
and shortly thereafter the FBI launched an investigation
Defendant Vikas Singla
On June 8, 2021 a Grand Jury in the NDGA handed down an INDICTMENT as to Vikas Singla (1) counts 1-17, 18 with Forfeiture. NDGA-ECF https://ecf.gand.uscourts.gov/doc1/055113735290
per the indictment GMC’s injury could have been absolutely devastating - also you’ll note that the indictment repeatedly states “defendant VIKAS SINGLA aided and abetted by others unknown”
The direct, indirect and potential impact to both GMC and their patients, it’s kind of hard to comprehend.
a. loss to Gwinnett Medical Center during the one-year period from SINGLA's course of conduct affecting protected computers aggregating at least $5/000 in value…
b. the modification, impairment, and potential modification and impairment of the medical examination, diagnosis, treatment and care of one or more individuals:
Printers. Yes. Printers.
VIKAS SINGLA, was employed by and ran a network security company that offered services for the healthcare industry. SINGLA was the chief operating officer of the company.
Count One:
Charges Defendant SINGLA with 18 U.S.C. §§ 1030(a)(5)(A) (b) and (c)(4)(B) and Section 2.
September 27,2018, in the Northern District of Georgia and elsewhere the defendant VIKAS SINGLA aided and abetted by others unknown to the Grand Jury…knowingly caused and attempted to cause the transmission of a program, information, code, and command and as a result of such conduct, intentionally caused and attempted to cause damage without authorization to a protected computer—that is one or more computers used by Gwirmett Medical Center that operated the Duluth/ Georgia hospital’s Ascom phone system…
Counts two thru seventeen
Full disclosure this is kind of like the “worst nightmare scenario” and the fact it was an insider-threat that committed the cyber attack is a betrayal that’s hard to overlook. Pure speculation on my end - I’d venture to say that a large section of the private industry doesn’t understand that devices on your network that connect to the internet are vulnerable and can be an attackers actual back door entry into your network.
Counts two thru seventeen all in violation of Title 18, United States Code Sections 1030(a)(5)(A)(b) and (c)(4)(B) and Section 2 - as you’ll note the indictment proffers a list of network devices that the Defendant purportedly tampered with.
Fundamentally if you have a unsecured device on your network and it touches the public internet —you are literally inviting unauthorized users in to your network. Not to belabor the point the insider threat is real and it’s hard to anticipate and ultimately mitigate. As further alleged in the Indictment
As further alleged in the Indictment
September 27, 2018, in the Northern District of Georgia and elsewhere/ the defendant VIKAS SINGLA -aided and abetted by others unknown to the Grand Jury, intentionally accessed and attempted to access a computer without authorization and exceeded and attempted to exceed authorized access to a computer/ and thereby obtained and attempted to obtain information from a protected computer that is a Hologic R2 Digitizer used by Gwinnett Medical Center…and the offense was committed for purposes of commercial advantage and private financial gain.
One thing I can speak to with direct knowledge and personal experience - my employer has printers that allow you to “scan” aka “digitize” documents. The printer(s) converts the scans into searchable PDFs. Those pdf files are also locked and if you don’t have the correct passcode you can’t open the file. Moreover these printers also have the functionality of emailing the scanned documents. But my employer takes cyber security extremely seriously, our access code(s) and even client code(s) are continually dynamic. Meaning the codes change frequently.
In reading the sparse details in this indictment, leads me to believe that the Defendant improperly accessed the “memory” of various printers and scanners and then he exfiltrated those documents. The part that bugs me is “aiding and abetting unknown individuals” I suppose we will find out should this case go to trial or if the Defendant decides to “take a plea” —in the end Defendant SINGLA is exactly the kind of insider threat that keeps IT Security officials up at night.
And to be fair “gross negligence” in the IT world typically means that basic and I mean basic cyber security protocols weren’t in place. As it relates to Lexmark - back in 2017 a plethora of researchers (and here and here) discovered that there were serious cyber security issues with LexMark Printers… but it’s important to remember this is in the context of an “outsider threat” versus an insider threat. Meaning if you neglect to use a password for an Internet enabled printer - well if you fall victim to a cyber attack and the point of entry was an unsecured printer than you only have yourself to blame.
I’m not intentionally singling out LexMark - in this indictment the Defendant appears to have used/abused his privileges -particularly egregious given his very senior role within GMC.
After various public reports concerning cyber security flaws with LexMark printers and software. The company did the responsible thing, Additional details can be found in our Secure Software Development Lifecycle (SSDL) Whitepaper. Moreover from 2010 thru 2015 only a handful of Security advisories were sent out. But LexMark has really stepped up their Security Advisories, found here
August 2016 - Arbitrary code execution vulnerabilities in Lexmark Perceptive Document Filters (CVE-2016-5646, CVE-2016-4336, CVE-2016-4335) Lexmark has learned of three separate vulnerabilities in Lexmark Perceptive Document Filters that, under certain circumstances, could lead to arbitrary code execution.
September 2017 - Orpheus' Lyre Vulnerability (CVE-2017-11103) - Some older Lexmark products may have a vulnerability that allow attackers to bypass certain security restrictions and perform unauthorized actions by conducting a man-in-the-middle attack.
March 2018 - KRACK Vulnerabilities (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, and CVE-2017-13088) Lexmark has learned of a series of weaknesses in WPA2, the protocol that secures all modern protected WiFi networks. This vulnerability can allow the disclosure of information that was assumed to be safely encrypted.
April 2018 - Markvision Enterprise is vulnerable to Spring Data REST 2.6.6 (CVE-2017-8046) Markvision Enterprise (MVE) uses Spring Data REST 2.6.6 which is vulnerable to malicious HTTP PATCH requests and with specially crafted JSON data will run arbitrary Java code.
Again not to beat a dead horse but as stated (repeatedly) in the indictment;
VIKAS SINGLA aided and abetted by others unknown to the Grand Jury..
Shortly after the cyber attack (I’d call it insider sabotage) the unknown attackers decided to released personal identifiable information of GMC’s patients, which included patients: full names, their date(s) of birth, and gender. The unknown attackers then decided to toy with various news outlets - almost taunting the news Organizations that the attackers had access to Gwinnett Medical Center records systems.
When Gwinnett Medical Center initially denied any such cyber attack - this drew the ire of one of the unknown attackers. Who was so mad that they sent a message to the security blog Salted Hash …in which the attacker message:
"does GMC have control of this system. The answer is no. The last time we checked, we own their Ascom system and their data…”
the Salted Hash - ruminated who was potentially behind the GMC but to date I don’t think the “others unknown to the Grand Jury” have ever been positively identified. Again I’d recommend you re-read the Salted Hash article -and I’d pay particular attention to Update and Update 2…
This all could be the work of Particle Matrix, given the threat actor's nature of taunting and extortion demands against victims. Originally, the group started off using open RDP and other means to deliver homegrown ransomware payloads to medical victims, but they abandoned those efforts last year. These days, the group mostly sticks to extortion. Online, the attackers claimed they reached out to GMC's Chief Financial Officer, Tommy McBride, but he "rejected our help."
Another odd aspect to the taunting messages online are the affiliate links. The person(s) posting messages containing alleged GMC patient data are promoting a Lifelock affiliate link and encouraging GMC patients to register for identity theft protection.
In their own words, without edits or modifications, this is what they had to say:
"…ask beth how their sscom wireless handsets are working. Does GMC have control of this system. the answer is no. the last time we checked we own their ascom system and their data. tell beth the allworx phones kept us one step ahead of them. we know everything that happens…"
Until more information is released however, it's impossible to determine what group – if any – are responsible for the incident at GMC. Beyond the facts - I went ahead and uploaded Defendant VlKAS SINGLA indictment to my public drive because there are no Open Source Links to his indictment and it was kind of a PITA to find. Otherwise you are welcome to pay for the indictment NDGA-ECF https://ecf.gand.uscourts.gov/doc1/055113735290
-Filey
Excellent (and thanks for including the link to the indictment. Will push out my analysis on Monday. You are correct, when the insider threat becomes a reality, the reality is someone you trusted just broke that trust. In this case it was a vendor who added and abetted and made possible the compromise - Why printers? As you point out network access is network access --- Also, they are the font of knowledge by multiple users and will contain PII and health data all information which can be exploited. Great piece.
Christopher