A hacker selling upwards of 655,000 healthcare records on the dark web allegedly obtained them after exploiting a vulnerability in how companies implement Remote Desktop Protocol, or RDP, functionality.
The hacker, who goes by the handle “thedarkoverlord,” allegedly penetrated three healthcare organizations and made off with a database from each, according to Deep Dot Web, which reported the news over the weekend.
One database comes from a healthcare facility based in Farmington, Missouri and appears to contain plaintext information on 48,000 patients.
“It was retrieved from a Microsoft Access database within their internal network using readily available plaintext usernames and passwords,” the attacker told the site on Sunday.
The other two databases are much larger – 210,000 patients and 397,000 patients – and come from an organization in the Central/Midwest United States and another in Georgia. Like the first, both databases are said to be in plaintext. The Georgia database was accessed over the network using plaintext usernames and passwords; the Central/Midwest U.S. database was retrieved the same way, but also by exploiting a misconfigured network.
The hacker apparently decided to sell the information shortly after contacting the companies. When the hacker asked whether they would pay him to divulge how he had gained access to the information, they refused. In response the hacker is selling the information for a hefty price; the databases range from 151 BTC, roughly $100,000, to 607 BTC, roughly $395,000. The information is for sale at TheRealDeal, the same underground marketplace on which the hacker ‘Peace’ sold stolen login information from the social networks VK.com and Myspace.com earlier this year.
The hacker claims to have already sold $100,000 worth of records from the Georgia database – information that apparently belonged to a Blue Cross Blue Shield regional office – according to a Tripwire blog about the hack.
Details about the specific RDP vulnerability the hacker used are unfortunately few and far between. The protocol provides remote display and input capabilities and is usually used so tech support can access computers. In May, attackers targeted corporate networks running Internet-exposed RDP servers. After locating them, they brute-forced the servers’ weak passwords to spread the Bucbi ransomware. A few years ago a botnet made the rounds that also specialized in brute-forcing; it targeted poorly implemented RDP setups that stored payment card information.
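The attack pattern above (Internet-exposed RDP plus password guessing) leaves a recognizable trail in Windows Security auditing. The following script is an added example, not code from the article, Tripwire or Deep Dot Web: it reads a flattened export of Security events, groups RDP logons (logon type 10, RemoteInteractive) by source IP, and flags any source that produces a burst of failed logons (Event ID 4625) inside a short window, noting whether a successful logon (Event ID 4624) from the same source followed. The log lines, field layout, threshold and window are constructed for the example.

```python
"""Flag RDP password-guessing bursts in Windows Security audit data.

Assumed input format (constructed for this example): one event per line,
whitespace-separated: <ISO timestamp> <EventID> <LogonType> <TargetUserName> <IpAddress>
Event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10
(RemoteInteractive, i.e. RDP) are real Windows values; everything else is sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: one noisy source guessing several accounts and then
# succeeding, one legitimate user with a single typo, and one slow-drip source
# whose failures are spread too thinly to count as a burst.
SAMPLE_LOG = """\
2016-06-27T08:00:01 4625 10 administrator 203.0.113.7
2016-06-27T08:00:02 4625 10 admin 203.0.113.7
2016-06-27T08:00:03 4625 10 root 203.0.113.7
2016-06-27T08:00:04 4625 10 sa 203.0.113.7
2016-06-27T08:00:05 4625 10 backup 203.0.113.7
2016-06-27T08:00:06 4625 10 backup 203.0.113.7
2016-06-27T08:00:09 4624 10 backup 203.0.113.7
2016-06-27T08:05:00 4625 10 jsmith 192.0.2.44
2016-06-27T08:05:30 4624 10 jsmith 192.0.2.44
2016-06-27T09:00:00 4625 10 helpdesk 198.51.100.9
2016-06-27T10:00:00 4625 10 helpdesk 198.51.100.9
2016-06-27T11:00:00 4625 10 helpdesk 198.51.100.9
2016-06-27T12:00:00 4625 10 helpdesk 198.51.100.9
2016-06-27T13:00:00 4625 10 helpdesk 198.51.100.9
"""

RDP_LOGON_TYPE = 10
FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624


def parse_event(line):
    """Parse one exported line into a dict; raises ValueError on malformed input."""
    ts, event_id, logon_type, user, ip = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "user": user,
        "ip": ip,
    }


def peak_failures_in_window(failures, window):
    """Largest number of failures whose timestamps fit inside `window` (sliding window)."""
    peak = start = 0
    for end in range(len(failures)):
        while failures[end]["ts"] - failures[start]["ts"] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: summary} for sources with >= threshold RDP failures inside `window`."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        if e["logon_type"] == RDP_LOGON_TYPE:
            by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["event_id"] == FAILED_LOGON]
        if not failures:
            continue
        peak = peak_failures_in_window(failures, window)
        if peak < threshold:
            continue
        first_failure = failures[0]["ts"]
        # A success from the same source after the guessing started is the
        # signal that matters most for incident response.
        success_after = any(
            e["event_id"] == SUCCESSFUL_LOGON and e["ts"] > first_failure for e in evs
        )
        alerts[ip] = {
            "failures": len(failures),
            "peak_in_window": peak,
            "distinct_users": len({e["user"] for e in failures}),
            "success_after_failures": success_after,
        }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

Run against the sample, only 203.0.113.7 is reported: six failures against five different accounts within seconds, followed by a success, which is the "guess until something works" shape described above. The single failed attempt from 192.0.2.44 and the one-per-hour failures from 198.51.100.9 stay below the burst threshold, which is why the window, not just a raw count, matters when tuning this on a real domain controller or RDP host.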
According to experts the hacker’s actions could serve as a blueprint for the future of ransomware.
“This is the next stage of ransomware, in which the attacker is mitigating the risk of the victim restoring from backup by keeping a copy of the private data,” Travis Smith, a senior security research engineer with Tripwire, said Monday.
“Now the victim may have to make decisions on paying not only to recover their data, but to prevent it from being leaked externally. For businesses, this could mean fines and diminished reputation from the breach. For consumers, this could be private or damaging information,” Smith said.
Smith points out that while a lot of the buzz around ransomware is based around recovering data, more incidents like this could shift the paradigm and force companies to focus more on prevention.