[Security Weekly] California’s Department of Finance Attacked by LockBit Ransomware


December 2022, Issue II


1. California’s Department of Finance attacked by LockBit ransomware

On December 12, the California Governor’s Office of Emergency Services confirmed that the state’s Department of Finance was hit by a cyberattack. The Russia-affiliated LockBit ransomware gang later claimed responsibility.

A statement released by California’s Cybersecurity Integration Center (Cal-CSIC) said that the attack was proactively detected and contained. However, the state’s ebudget website remained shut down throughout the day of the attack, a sign that the attackers may have encrypted or wiped some systems prior to detection. Fortunately, state funds remained safe.

On its leak site, the LockBit ransomware gang claimed to have stolen 75 GB of data, including confidential data, IT documents, and financial documents, and posted several screenshots of files it exfiltrated in the attack. A screenshot of a directory showed that over 246,000 files in 114,000 folders are now in the hands of LockBit. The gang threatened to release the data if the demanded ransom isn’t paid by December 24.

Sources: Infosecurity, TechCrunch


2. Uber suffers second data breach in three months, source code leaked

Less than three months after being hit by a cyberattack in September, Uber suffered another data leak when a threat actor managed to hack into Teqtivity, a third-party vendor that Uber uses for asset management and tracking services.

On December 10, a threat actor named “UberLeaks” posted data on a dark web forum containing Uber’s source code associated with its mobile device management (MDM) platform, IT asset management reports, data destruction reports, email addresses of 77,000 employees, and other corporate documents.

Uber and Teqtivity both confirmed that the threat actor managed to gain access to Teqtivity’s AWS backup server, which contained sensitive files relating to its customers.

A leak of source code can have long-term consequences as hackers could use it to search for vulnerabilities in the system, leading to further cyberattacks. Leaked employee emails could also be used to conduct social engineering campaigns against corporate accounts.

Sources: Bleeping Computer, Computer Weekly


3. HHS warns of Royal ransomware attacks against US healthcare sector

The US Department of Health and Human Services (HHS), along with the Health Sector Cybersecurity Coordination Center (HC3), issued an advisory on December 8 warning that the Royal ransomware gang has been actively attacking healthcare providers in the country.

The advisory stated that the group’s activity has sharply increased since September, and that HC3 is aware of several targeted cyberattacks against healthcare organizations, with ransom demands ranging from $250,000 to $2 million.

Unlike other ransomware groups that operate through a RaaS model, Royal appears to be a human-operated, privately run ransomware with financial motivation. The group is known for deploying Cobalt Strike for persistence. In all past exploits, the group has claimed to have published 100% of all data stolen from the victim.

Healthcare remains one of the most vulnerable industries to ransomware attacks. Due to the critical nature of healthcare operations, the industry has been the preferred target of many threat actors.

Sources: SC Media, SecurityWeek, TechTarget

