[Security Weekly] Ransomware Hits US Healthcare Giant CommonSpirit, Multiple Hospitals Impacted


October 2022, Issue II


1. Healthcare giant CommonSpirit hit by ransomware impacting multiple US hospitals

CommonSpirit, the second-largest nonprofit hospital chain in the US, announced on October 4 that IT systems across multiple healthcare facilities had been impacted by a cyberattack, later confirmed to be a ransomware attack. CommonSpirit operates more than 140 hospitals and 2,000 care sites in 21 states.

Affected hospitals include several CHI Memorial hospitals in Chattanooga, Tennessee; many Omaha-based hospitals including Lakeside, Creighton University Medical Center, and Immanuel Medical Center; Iowa-based MercyOne Des Moines Medical Center; Virginia Mason Franciscan Health in Seattle; and many more. Each hospital has been issuing its own notices, as the degree of impact varies from facility to facility.

Although the attack on CommonSpirit began on October 3, many hospitals continued to suffer IT outages two weeks later. Many of the impacted hospitals were forced to shut down their IT systems and electronic health records (EHR), leading to appointment cancellations and procedure delays. Apart from operational issues, it remains unknown whether sensitive patient information was compromised in the attack.

Ransomware has become the biggest cyberthreat to healthcare providers, making it necessary for hospitals to prepare themselves with enterprise-level cybersecurity measures and protocols.

Sources: Infosecurity, Health IT Security, The Register


2. Major US airports suffer DDoS attacks launched by pro-Russian Killnet group

Killnet, a pro-Russian hacktivist group, claimed responsibility for a series of distributed denial-of-service (DDoS) attacks against major US airports, crashing their websites with bot traffic generated by custom software.

The series of attacks took place throughout the weekend of October 8. Impacted airports include Hartsfield-Jackson Atlanta International Airport (ATL), Los Angeles International Airport (LAX), as well as Chicago O’Hare (ORD), Orlando (MCO), Denver (DIA), Phoenix (PHX), and more.

Fortunately, none of the airports reported flight delays or operational disruptions as a result of the attacks. Airport operational systems were not impacted and services remained functional throughout the attacks. Nevertheless, online services offered via customer-facing websites were temporarily unavailable.

Although the attacks did not cause any significant economic damage to the airports, experts warn that more attacks of a similar nature will likely occur as tensions with Russia rise. Over the past months, Killnet has been actively targeting NATO allies including Italy and Romania. Organizations and critical infrastructure operators should stay prepared for potentially more serious attacks.

Sources: SC Media, The Guardian, Associated Press


3. Toyota source code exposed on GitHub, giving access to 300,000 customer records

In early October, Toyota issued a notification warning that the personal data of 296,019 customers may have been leaked, following a disclosure that the access key to Toyota’s T-Connect customer database was contained in source code that a third-party web developer had mistakenly uploaded to GitHub.

T-Connect is the customer-facing app of Toyota’s telematics service, connecting the vehicle’s head unit to the customer’s smartphone and backend cloud services. A portion of the app’s source code, which contained the database access key, was uploaded to GitHub in December 2017 and was only discovered on September 15, 2022, leaving it publicly accessible for nearly five years.

The database contained the users’ email addresses and customer control numbers. Names, phone numbers, and credit card information were not stored in the exposed database. Toyota said that it has not discovered any fraudulent use of the access key and that the access credentials have since been updated. Nevertheless, there is no guarantee that the database was never accessed, and customers should be aware of potential phishing emails.

Source code leakage incidents are becoming increasingly common. What makes matters worse is that developers sometimes hardcode access keys and passwords into source code to make modifications and updates easier during development. Experts strongly recommend that these credentials be removed from the source code after an app is released.
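The kind of check that catches this class of mistake before code reaches a public repository is illustrated below. This is an added example written for this newsletter, not Toyota's code or the T-Connect codebase; the scanner, its detection rules, the entropy threshold and the sample source lines are all hypothetical and constructed here. It flags string literals assigned to secret-looking variable names (skipping low-entropy placeholders such as "CHANGEME") and AWS-style access key IDs, and shows the pattern the text recommends instead: reading the credential from the environment at runtime rather than embedding it in the source.

```python
"""Hypothetical pre-commit style scan for hardcoded credentials (added example)."""
import math
import os
import re
from collections import Counter
from typing import List, Mapping, Optional, Sequence, Tuple

# Rule 1: a string literal of 8+ characters assigned to a variable whose name
# contains a secret-like word (DB_ACCESS_KEY, api_token, passwd, ...).
SECRET_NAME_RE = re.compile(
    r"""(?i)\w*(api[_-]?key|access[_-]?key|secret|password|passwd|token)\w*"""
    r"""\s*[:=]\s*["']([^"']{8,})["']"""
)
# Rule 2: AWS-style access key ID shape (AKIA/ASIA prefix + 16 uppercase/digits).
AWS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")

# Heuristic threshold (assumption): real keys are high-entropy, placeholders are not.
ENTROPY_THRESHOLD = 3.0


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; log2(len(set(s))) when all chars are distinct."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_lines(lines: Sequence[str]) -> List[Tuple[int, str]]:
    """Return (line_number, rule_name) for each line that looks like a hardcoded secret."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(lines, start=1):
        if AWS_KEY_RE.search(line):
            findings.append((lineno, "aws-access-key-id"))
            continue
        m = SECRET_NAME_RE.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append((lineno, "hardcoded-credential"))
    return findings


def load_secret(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """The recommended pattern: fetch the credential from the environment at runtime.

    Fails loudly when the variable is missing instead of silently falling back to
    a default baked into the code.
    """
    source = os.environ if env is None else env
    value = source.get(name)
    if not value:
        raise RuntimeError(f"required secret {name!r} is not configured")
    return value


# Constructed sample "source file"; none of these values are real credentials.
SAMPLE_SOURCE = [
    "import os",
    'DB_HOST = "db.example.internal"',          # plain config, not flagged
    'DB_ACCESS_KEY = "k9F3x7Qp2LmZ8vT1wR4y"',   # constructed high-entropy key: flagged
    'DB_PASSWORD = "CHANGEME"',                 # low-entropy placeholder: skipped
    'aws_key = "AKIAEXAMPLEKEY000001"',         # constructed AWS-shaped ID: flagged
    'API_TOKEN = os.environ["API_TOKEN"]',      # credential read at runtime: not flagged
]


if __name__ == "__main__":
    for lineno, rule in scan_lines(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {SAMPLE_SOURCE[lineno - 1]}")
```

Running the block on the constructed sample reports lines 3 and 5 and stays quiet on the placeholder and on the line that reads its token from the environment. In practice a check like this would be wired into a pre-commit hook or CI job; note that a secret that has already been pushed must be treated as compromised and rotated, as Toyota did, since removing it from the current revision does not remove it from the repository history.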

Sources: Infosecurity, Bleeping Computer, IT News


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: iSIGN+ 

Car, Energy, Factory, City Solutions: Penta IoT Security