Contents:
On Wednesday, New South Wales Health has confirmed being the target of a cyberattack involving the Accellion file transfer system.
The system was widely used to share and store files by organizations worldwide, including NSW Health.
According to an update released by the NSW,
Medical records in public hospitals were not affected and the software involved is no longer in use by NSW Health.
Different types of information, including identity information and in some cases, health-related personal information, were included in the attack.
NSW Health has been working with NSW Police and Cyber Security NSW and to date, and so far, there is no evidence any of the information has been misused.
A NSW Health spokesperson said, “The privacy of individuals is of the utmost importance to NSW Health, and we are making impacted people aware of the attack so that they can take appropriate precautions and access our support services.”
Back in February, Transport for NSW, which is the main transport and roads agency in New South Wales, Australia, and the state’s ministry of health, was also entrapped in the attack.
The breaches first began in mid-December 2020, when UNC2546 started exploiting a SQL injection vulnerability in Accellion’s FTA. Now, the hackers opted for an extortion campaign exploiting zero-day vulnerabilities in the legacy FTA software to install DEWMODE web shell on victim networks and withdrawing sensitive data. Subsequently, the victims were blackmailed over email with making stolen information publicly available on a leak site operated by the Clop Ransomware gang unless a ransom was paid.
Threat actors targeted up to 100 companies using Accellion’s FTA and stole sensitive files by combining multiple zero-day vulnerabilities and a new web shell.
Among the companies that had their data leaked due to a zero-day software flaw so far are Fugro, Danaher, Singapore’s largest telco, Singtel, Law firm Jones Day, and the Reserve Bank of New Zealand. The latter was also affected by the same incident which had compromised information such as personal email addresses, dates of birth, or credit information. They are working directly with stakeholders to determine how many people were affected and will make sure they are well assisted.
Unfortunately, data breach notifications are well-acquainted with the NSW government. In April 2020, a cyberattack that compromised the information of no less than 186,000 customers targeted Service NSW, the state government’s one-stop-shop for service delivery. After an investigation that lasted four months, Service NSW said it discovered that 738GB of data (over 3.8 million documents), was stolen from 47 staff email accounts.