
Threat Actor Selling 150K Patients’ Record Of Multispecialty Hospital On Dark Web


While the cyber attack on AIIMS Delhi still remains a concern, a threat actor with a high reputation on a cybercrime forum is advertising sensitive information of another hospital’s patients. This data purportedly belongs to Tamil Nadu-based multispecialty hospital – Sree Saran Medical Center.

CloudSEK discovered a post by a threat actor advertising sensitive data allegedly sourced from Three Cube IT Lab India.

Three Cube IT, Chennai, is a provider of application development, business intelligence, and consulting services. The actor shared a sample so that potential buyers could inspect the authenticity of the data. The sample contained patient details from a hospital based in Tamil Nadu; the records visible in the sample image are dated between 2007 and 2011.

The data set contains 150K patient records. The fields present in the patients’ database include patient name, guardian name, DOB, doctor’s details, and address information. The data was allegedly exfiltrated from a compromised third-party vendor, Three Cube IT Lab.

As part of responsible disclosure, CloudSEK has informed all stakeholders about the incident.

The data allegedly stolen from Three Cube IT Lab has been advertised on popular cybercrime forums and on a Telegram channel that is used to sell databases and is frequented by threat actors. However, CloudSEK has no direct confirmation that Three Cube IT Lab operates as a software vendor for Sree Saran Medical Center; that link rests on the OSINT assessment described below.

“We can term this incident as a Supply Chain Attack, since the IT Vendor of the Hospital, in this case Three Cube IT Lab, was targeted first. Using the access to the vendor’s systems as initial foothold, the threat actor was able to exfiltrate Personally Identifiable Information (PII) and Protected Health Information (PHI) of their hospital clients,” said Noel Varghese, Threat Analyst, CloudSEK.

“If sensitive secrets such as system passwords, VPN credentials etc. are found in the vendor’s systems, then the adversary can gain access to Three Cube IT Labs’ client infrastructure and maintain persistence on their systems, and exfiltrate PII and PHI of their hospital clients. This raises the risk of a Supply Chain Attack,” Noel Varghese explained.
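The check a hospital (or the vendor itself) would want after reading that warning is whether a vendor's configuration files or repository export actually contain reusable client credentials. The scanner below is an added illustration written for this article, not CloudSEK's or Three Cube IT Lab's tooling; the file names, paths and credential values it scans are constructed, and the secret patterns are a deliberately small set (password assignments, VPN pre-shared keys, database connection strings with inline passwords, private key blocks, AWS access key IDs) chosen to match the kinds of secrets named in the quote.

```python
"""Added example (not CloudSEK's or Three Cube IT Lab's code): scan a vendor's
config/repo export for embedded credentials that would let an attacker who
owns the vendor pivot into the vendor's hospital clients.

All file names and values below are constructed for the illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    excerpt: str  # offending line with the secret value masked


# Secret shapes worth flagging in a vendor export. The named group "secret"
# captures the value so that reports can mask it instead of re-leaking it.
PATTERNS = {
    "password_assignment": re.compile(
        r"(?i)(?:pass(?:word)?|pwd|secret)\s*[=:]\s*['\"]?(?P<secret>[^'\"\s]{4,})"),
    "db_connection_string": re.compile(
        r"(?i)\b(?:mysql|postgres(?:ql)?|mssql|mongodb)://[^:\s/]+:(?P<secret>[^@\s]+)@"),
    "vpn_preshared_key": re.compile(
        r"(?i)psk\s*[=:]?\s*['\"]?(?P<secret>[^'\"\s]{8,})"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


def mask(line: str, secret: Optional[str]) -> str:
    """Replace the captured secret value so the report itself is safe to share."""
    return line.replace(secret, "******") if secret else line


def scan_text(path: str, text: str) -> List[Finding]:
    """Run every pattern over every line of one file; one Finding per match."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match is None:
                continue
            secret = match.groupdict().get("secret")
            findings.append(Finding(path, line_no, kind, mask(line.strip(), secret)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """files maps a relative path to its text content (e.g. an unpacked repo export)."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind; an empty dict means nothing was flagged."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed vendor export: three leaked credentials plus a benign README
# that mentions a variable name without a value (must not be flagged).
SAMPLE_FILES = {
    "deploy/app.env": "APP_ENV=production\nDB_PASSWORD=Wint3r!2022\nLOG_LEVEL=info\n",
    "etc/ipsec.secrets": "# constructed\n10.0.0.1 %any : PSK \"hospital-vpn-shared-key\"\n",
    "config/database.yml": "production:\n  url: postgres://hms_app:Cl1nicPass@db.internal:5432/hms\n",
    "README.md": "Set DB_PASSWORD in the environment; never commit it.\n",
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line_no} [{f.kind}] {f.excerpt}")
    print(summarize(results))
```

The point of masking in `Finding.excerpt` is that the scan report is usually forwarded to the client or a third party; a report that contains the plaintext values is itself the kind of artefact the quote warns about. The pattern set favours recall over precision, so a real deployment would add an allow-list for known test fixtures.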

Threat actor’s post on the forum – advertising patient data

  • The database is advertised for USD 100 for a non-exclusive copy (i.e. multiple copies of the database may be sold).
  • For actors seeking to be the exclusive owner of the database, the price is raised to USD 300.
  • If the buyer intends to resell the database, the quoted price is USD 400.

Data Analysis from Sample

  • The threat actor shared a screenshot depicting patient data, which was uploaded to Prnt.sc.
  • Prnt.sc is an image-hosting service for screenshots taken with the Lightshot screen capture tool.

The data fields present in the patients’ database include:-

  • Patient  Name
  • Guardian Name
  • DOB
  • Doctor’s details
  • Address information

Information from Open-source intelligence (OSINT)

  • CloudSEK’s researchers used the names of doctors from the sample to identify the healthcare firm whose data was present in it.
  • Researchers were able to identify that the doctors work at a medical firm in Tirupur, Tamil Nadu, known as Sree Saran Medical Center.
  • We assess with low confidence, and without direct proof, that Three Cube IT Lab may be a software vendor for Sree Saran Medical Center.

Sharing mitigations, Varghese said “Organizations need to assess the security rating of their vendors, ensure that they meet compliance requirements and mitigate potential threats that could lead to a cyber incident with greater scope of risk. We are not unsure if more clients could be affected, though it’s a possibility”.

Information from a Sensitive Source

  • After the advertisement was posted, the database was verified by the cybercrime forum’s admin and moved to the ‘Verified Leaks’ section of the forum.

Impact

  • Exfiltration of sensitive PII and PHI, through unauthorized access.
  • The data can be sold for monetary profit.
  • Threat actors can establish persistence on the network by using post-exploitation techniques and launch sophisticated ransomware attacks.
