Cybercriminal sells credentials of French hospital workers

Francois Remaining - February 22, 2021

The credentials of 50,000 user accounts belonging to French hospital workers are for sale on a cybercriminal forum. This data could allow buyers to access the computer networks of certain health establishments. Once inside the system, criminals can deploy their ransomware and cripple the hospital.

A new alert for French hospitals, this time issued by the monitoring site of the Ministry of Health on February 18, 2021. The Cert (Governmental Center for Monitoring, Alert and Response to Computer Attacks) has warned them of the sale of a database on a cybercriminal forum. The seller published it on February 4 under the name “FR medecine related database”. According to the seller, it contains a list of passwords and email addresses for "50,000 user accounts". The Ministry of Health specifies that they “probably belong to hospital center agents”.


Hospitals, vulnerable targets of cybercriminals. // Source: CCO / Pxhere

For his part, blogger Damien Bancal explains on Zataz that the cybercriminal provided him with evidence of the content of the database. He obtained emails linked to nearly ten hospitals, including those in Lyon, Bordeaux, and Besançon. What is the price charged by the criminal for the database? 1,000 dollars. An amount justified by the possibility of using these credentials to set up lucrative ransomware attacks. As the Ministry of Health explains, buyers of the database could use this information to try to connect to hospital VPNs or other online services such as Outlook and Gmail accounts. Their final goal: to enter the computer network and deploy their malware.


IS THIS DATABASE REALLY VALUABLE?
While this sale calls for preventive measures in the establishments concerned, it is difficult to know the real value of the database without obtaining it. Does it contain 50,000 lines of credentials, as the seller claims? Are these credentials usable? As a reminder, in this type of list, the password associated with the email is the one that the person concerned used for one of their many online accounts (we do not know which ones; it can range from a gaming forum to a dating site, for example), not the password of the email account itself. If the victim does not reuse the leaked password to log into their professional tools, the list will be of no use.

Next, the value of the database depends on whether the data is new or already known. If the list of hospital worker credentials contains information that has already been leaked before, the risk it represents is reduced. By way of comparison, last year a source sent Cyberguerre a list of passwords linked to government addresses (in "gouv.fr"). This database was an aggregate of several known data leaks, like the famous "Collection #1". It is dangerous, because it makes it possible to target a particular sector, but the French Cert had already taken note of its content and warned the administrations concerned so that the compromised passwords could be changed.

FRENCH HOSPITALS ALREADY ON ALERT
The fact remains that even if the passwords in the database are not usable, the list of emails is still of interest to criminals. It would allow a cybercriminal to target victims precisely and launch a phishing campaign tailor-made to trap healthcare workers.

Since the beginning of 2021, the authorities have had to intervene every week at the bedside of a French hospital hit by one ransomware or another. The media coverage around the last two victims, the hospitals of Dax and Villefranche-sur-Saône, prompted President Macron to announce a series of measures intended to better defend health establishments. These measures complement a national investment plan, a small part of which is allocated to the development of Anssi, the French agency on the front line of the response to these attacks.

Hospitals are attractive targets: they pay the ransom in more than 80% of cases, according to a criminal. In France, Anssi urges victims never to pay, but the paralysis of IT services caused by ransomware can force managers to change their minds: sometimes it is no longer just data, but the lives of patients, that are at stake.