In Brief Cybercriminals have used fake emergency data requests (EDRs) to steal sensitive customer data from service providers and social media firms. At least one report suggests Apple, and Facebook’s parent company Meta, were victims of this fraud.

Both Apple and Meta handed over users’ addresses, phone numbers, and IP addresses in mid-2021 after being duped by these emergency requests, according to Bloomberg.

EDRs, as the name suggests, are used by law enforcement agencies to obtain information from phone companies and technology service providers about particular customers, without needing a warrant or subpoena. But they are only to be used in very serious, life-or-death situations. 

As infosec journalist Brian Krebs first reported, some miscreants are using stolen police email accounts to send fake EDR requests to companies to obtain netizens’ info. There’s really no quick way for the service provider to know if the EDR request is legitimate, and once they receive an EDR they are under the gun to turn over the requested customer info. 

“In this scenario, the receiving company finds itself caught between two unsavory outcomes: Failing to immediately comply with an EDR — and potentially having someone’s blood on their hands — or possibly leaking a customer record to the wrong person,” Krebs wrote.

Large internet and other service providers have entire departments that review these requests and do what they can to get the police emergency data requested as quickly as possible, Mark Rasch, a former prosecutor with the US Department of Justice, told Krebs. 

“But there’s no real mechanism defined by most internet service providers or tech companies to test the validity of a search warrant or subpoena” Rasch said. “And so as long as it looks right, they’ll comply.”

Days after Krebs and Bloomberg published the articles, Sen Ron Wyden (D-OR) told Krebs he would ask tech companies and federal agencies for more information about these schemes. 

“No one wants tech companies to refuse legitimate emergency requests when someone’s safety is at stake, but the current system has clear weaknesses that need to be addressed,” Wyden said. “Fraudulent government requests are a significant concern, which is why I’ve already authored legislation to stamp out forged warrants and subpoenas.”

Hive ransomware reportedly hits healthcare group

The Hive ransomware gang claimed it stole 850,000 personally identifiable information (PII) records from the nonprofit health-care group Partnership HealthPlan of California.

Brett Callow, a threat analyst at anti-malware company Emsisoft, alerted Santa Rosa newspaper The Press Democrat that the ransomware gang posted what was said to be details about the intrusion on its Tor-hidden blog. Hive claimed it stole 400GB of data including patients’ names, social security numbers, addresses, and other sensitive information.

Partnership HealthPlan of California did not respond to The Register‘s inquiries about the alleged ransomware attack. But a notice on its website acknowledged “anomalous activity on certain computer systems within its network.”

The healthcare group said it had a team of third-party forensic specialists investigating the incident and was working to restore its systems. “Should our investigation determine that any information was potentially accessible, we will notify affected parties according to regulatory guidelines,” it added. 

Hive, which the FBI and security researchers started paying attention to in June 2021, is known for double-extortion ransomware attacks against healthcare organizations. Still, attacking a nonprofit is a “new low,” even for these cybercriminals, said IoT security firm Armis cyber risk officer Andy Norton. 

“It also raises some tough questions,” Norton wrote in an email to The Register. “I think we assume that charities and not for profits don’t have the big cyber budgets their commercial cousins have, and yet they hold the same sensitivity of data. What constitutes appropriate and proportionate security during times of heightened risk?”

Shutterfly admits employee data stolen

Shutterfly disclosed cybercriminals stole employees data during a December 2021 ransomware attack.

In documents filed with the California Attorney General’s office, the firm revealed that “an unauthorized third party gained access to our network” in a ransomware attack on or around December 3. The online photo company said it discovered the security breach on December 13.

While Shutterfly didn’t name the third-party in its filing, it was widely reported that the notorious Conti ransomware gang was behind the intrusion. Data stolen included employees’ names, salary information, family leave, and workers’ compensation claims, according to Shutterfly.  

The company said it “quickly took steps” to restore the systems, notified law enforcement, and brought in third-party cybersecurity experts to investigate the breach. It also offered employees two years of free credit monitoring from Equifax, and “strongly encouraged” them to take advantage of this offer.

It also noted that employees “may wish” to change account passwords and security questions.

Law enforcement’s ransomware response lacking

Law enforcement agencies face a barrage of difficulties responding to ransomware attacks, and chief among them is simply not being made aware of intrusions and infections by victims.

According to an analysis by threat intelligence firm Recorded Future of ransomware enforcement operations in 2020 and 2021, law enforcement agencies around the globe aren’t equipped to respond to ransomware outbreaks. In addition to simply not knowing about the attacks, they also lack the cybersecurity skills, technology, and data such as threat intel to respond. 

Recorded Future, citing several other surveys, says law enforcement doesn’t know about the vast majority of cyberattacks, and have to learn about them from the media.

In parts of the UK alone, just 1.7 percent of all fraud and cybercrime was reported to the authorities between September 2019 and September 2020, Recorded Future claimed, citing data from the UK Office for National Statistics from its crime survey for England and Wales. 

It also cited a Europol IOCTA report from 2020, which found ransomware remains an under-reported crime. While the Europol report doesn’t provide any numbers to illustrate how under-reported ransomware is, it noted “several law enforcement authorities mentioned identifying ransomware cases through (local) media and approaching victims to assist them by potentially starting a criminal investigation.”

Unless organizations do a better job reporting ransomware attacks, law enforcement can’t get an accurate picture of the threat landscape, Recorded Future noted. “Without reliable and valid data on the number and types of cyber attacks (that is, attack vectors), it is difficult for law enforcement agencies to accurately evaluate threats and react appropriately, resulting in threats not being given the resources or priority they deserve.”

While this analysis doesn’t provide any US-specific reporting stats, it’s worth noting that a newly signed federal law will require US critical infrastructure owners and operators to report a “substantial” cybersecurity incident to Uncle Sam’s Cybersecurity and Infrastructure Security Agency within 72 hours and within 24 hours of making a ransomware payment. 

Supporters of the new law, including CISA director Jen Easterly, have said it will give federal agencies and law enforcement better data and visibility to help it protect critical infrastructure.

Orgs aren’t ready for cyber reporting rules

Despite the US cybersecurity incident reporting law, along with a related US Securities and Exchange Commission proposal that would force public companies to disclose cyberattacks within four days, organizations really aren’t prepared for these new disclosure rules, according to Bitsight.

The cyber risk ratings firm published research this week that found, among other things, it takes the average organization 105 days to discover and disclose an incident from the date it occurred.

Additionally, it takes twice as long for organizations to disclose higher-severity incidents compared with lower severity incidents. This, on average, means it takes more than 70 days to disclose a moderate-, medium- or high-severity incident once it has been discovered, and 34 days for low-security events.

For this research, Bitsight analyzed more than 12,000 publicly disclosed cyber incidents globally between 2019 and 2022. This included type of incident, date of incident, date of discovery, and date of disclosure.

BitSight used its classification methodology (a 0 to 3 scale) to analyze the severity of the security incidents. Events received a higher-severity score due to a combination of more serious incidents, such as ransomware and human error, and higher record counts.

The security firm also segmented the disclosing organizations by employee count: extra large (more than 10,000 employees), large (1,000 to 10,000 employees), medium (500 to 1,000 employees) and small (less than 500 employees).

Perhaps unsurprisingly, the extra-large organizations are 30 percent faster at discovering and disclosing incidents than the rest. Still, it takes these companies an average of 39 days to discover and 41 days to disclose an incident, BitSight found, noting that this is still way longer than the timeframes proposed in the new rules. ®