Weekly CyberTip: Check the whole URL before clicking!
By now, we are all used to hovering over or previewing links in emails before we click on them. Just don’t forget that it’s important to scan the entire previewed URL, not just the domain at the beginning. When examining links, keep an eye out for URLs that include multiple occurrences of “http”, or potential “red flag” settings like “url=”, “redirect=”, “external-link”, or “proxy”. These may indicate that what you think is a trusted domain is actually an attempt to redirect you to a malicious site. Always proceed with caution, and seek assistance if you’re not sure about a link.
Third-party cyber attack disrupts UK’s National Health Service
According to a report by the BBC, recent service outages affecting the UK’s National Health Service (NHS) 111 medical hotline were triggered by a cyber attack. Advanced, a third-party service provider for the NHS, suffered a security incident on August 4 that disrupted service to its Adastra client patient management system, used to refer patients for care, ambulance dispatch, after-hours appointments, and emergency prescriptions. The system is used by some 85% of NHS 111 providers and numerous after-hours services. According to a report in DigitalHealth, five Advanced applications including Adastra were affected by the outage, potentially affecting millions of patients, clinicians, and healthcare organizations.
Service disruptions have been felt in all four countries supported by the NHS: England, Scotland, Wales, and Northern Ireland. The UK public has been urged to use the online version of the NHS 111 hotline until Advanced can resume normal services.
In a statement to the BBC, Advanced’s CEO Simon Short explained: “A security issue was identified [August 4] which resulted in loss of service. We can confirm that the incident is related to a cyber-attack and as a precaution, we immediately isolated all our health and care environments. Early intervention from our Incident Response Team contained this issue to a small number of servers representing 2% of our Health & Care infrastructure.”
For its part, the NHS has activated “tried and true” manual procedures and processes that will be implemented in each jurisdiction until services resume.
Twitter confirms January breach that leaked information about nearly 5.5 million accounts
In an August 5 blog post, Twitter confirmed that a platform vulnerability identified in January 2022 has led to the theft of information associated with nearly 5.5 million of its accounts.
“As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any,” the company said. The vulnerability would also present the specific account associated with the email or phone number as well.
The bug was introduced inadvertently in a June 2021 software upgrade. It was discovered and reported to Twitter on January 1, 2022; Twitter acknowledged the issue on January 6, and their developers had the vulnerability resolved a week later. At the time, the company advised that it had no evidence that the bug had been exploited during the 6-7 months it was live.
However, In late July, researchers from RestorePrivacy reported that they had discovered a trove of phone numbers and email addresses corresponding to nearly 5.5 million accounts, including those appearing to belong to celebrities and corporate accounts in addition to private individuals. A BreachForums user called “devil” is asking for at least $30K (all figures USD) to remove the data from the leak site. “devil” alleges that information for 5,485,636 accounts is involved.
Twitter will be contacting all accounts it believes could be affected; however, since the company conceded that it is unable to confirm exactly how many accounts could have been accessed, they chose to come forward with the explanation and apology to raise public awareness. Twitter also reminded users to enable two-factor authentication or other security measures where possible, and recommended against adding publicly-known phone numbers or email addresses to a Twitter account for those concerned about keeping their identity concealed.
The connection between pseudonymous Twitter accounts and publicly-known phone numbers and/or email addresses could cause damaging exposure to the individuals involved. Further, even though most of the data being sold is publicly available, threat actors can use the email addresses and phone numbers in targeted phishing attacks. In the wake of the disclosure, Twitter users are reminded to be vigilant when receiving emails about their accounts, particularly if they are being asked to login or confirm details.
German Chambers of Industry and Commerce hit by cyber attack
The Association of German Chambers of Industry and Commerce (DIHK) is believed to be the target of a “massive” cyber attack on August 4. The DIHK, a coalition of 79 chambers (IHKs) across Germany representing some 3 million businesses, shut down its Internet connections in response. According to a post translated to English from the German language DIHK website, “Due to a possible cyber attack, the IHK organization has shut down its IT systems as a precautionary measure for security reasons. We are currently working intensively on a solution and defense. After being checked, the IT systems are successively started up so that the services for companies are then available again.”
In a German language LinkedIn post, Michael Bergmann, general manager of the Middle Ruhr IHK chamber, confirmed that a cyber attack was involved, but warned that it was unclear how long email and website services would be down.
According to a report in the German language news site Heise, “The DIHK offices in Frankfurt, Cologne, Berlin, Lippe and more released statements online confirming that their phone systems were back up and running but that other systems were still down.” While the central DIHK website is currently operational (in both German and English), most individual IHK sites remained down as of August 7.
The nature of the cyber attack has not been disclosed, with commentators speculating ransomware or DDoS attack. As of August 7, there were no reported indications of ransoms or data disclosures related to the DIHK on the dark web.