Medibank Breach Incident Score: Analysis & Impact (MED2232322112125)
The Rankiteo video explains how the company Medibank was impacted by a ransomware attack on June 16, 2022.
Incident Summary
Key Highlights From This Incident Analysis
- Timeline of the Medibank ransomware attack and lateral movement inside the company's environment.
- Overview of affected data sets, including SSNs and PHI, and why they materially increase incident severity.
- How Rankiteo's incident engine converts technical details into a normalized incident score.
- How this cyber incident impacts Medibank Rankiteo cyber scoring and cyber rating.
- Rankiteo's MITRE ATT&CK correlation analysis for this incident, with associated confidence level.
Full Incident Analysis Transcript
In this Rankiteo incident briefing, we review the Medibank breach identified under incident ID MED2232322112125.
The analysis begins with a detailed overview of Medibank's profile: the LinkedIn page (https://www.linkedin.com/company/medibank), the number of followers (56069), the industry type (Insurance) and the number of employees (3712).
After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The score before the incident was 777 and after the incident was 675, a difference of -102, which can serve as an indicator of the severity and impact of the incident.
In the next step of the video, we analyze the incident in more detail, together with the impact it had on Medibank and its customers.
PVServers (DataImpulse) recently reported "Joint Sanctions Imposed on Bulletproof Hosting Providers Enabling Ransomware Operations", a noteworthy cybersecurity incident.
The governments of the United States, United Kingdom, and Australia imposed joint sanctions against individuals and entities (Aleksandr Ermakov, Aleksandr Rakitin, PVServers/DataImpulse, and LumoHost) involved in providing bulletproof hosting (BPH) services.
Impact assessments are still underway, so the full scope is not yet clear.
In response, teams activated the incident response plan and moved swiftly to contain the threat with measures such as asset freezes, travel bans and business transaction prohibitions. Remediation includes disruption of bulletproof hosting infrastructure and increased operational costs for ransomware actors, and stakeholders are being briefed through public attribution of sanctioned entities and diplomatic messaging to encourage global coordination.
The case status is ongoing (sanctions imposed; monitoring for compliance and rebranding attempts). Lessons teams are taking away:
- Targeting cybercrime infrastructure (e.g., bulletproof hosting) can disrupt ransomware operations at the supply chain level.
- International collaboration is critical for effective enforcement against globally distributed threat actors.
- Bulletproof hosting providers frequently rebrand and change jurisdictions to evade scrutiny, requiring persistent monitoring.
Recommended next steps:
- Enhance cross-border cooperation to track and disrupt bulletproof hosting providers.
- Implement stricter due diligence for hosting services to prevent abuse by cybercriminals.
- Encourage domain registrars and infrastructure providers to proactively monitor and report suspicious activity.
Advisories going out to stakeholders:
- Organizations are warned against transacting with sanctioned entities to avoid secondary penalties.
- Infrastructure providers (e.g., hosting services, domain registrars) are advised to enhance abuse detection and reporting mechanisms.
- Financial institutions are urged to monitor transactions linked to bulletproof hosting operators.
Finally, we map the incident to the MITRE ATT&CK framework to see which tactics and techniques it correlates with.
The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.
Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with a confidence level based on the available evidence:
- Initial Access: External Remote Services (T1133), high confidence (95%); evidence: bulletproof hosting (BPH) enabled ransomware groups to establish resilient C2 infrastructure (PVServers/LumoHost). Valid Accounts: Cloud Accounts (T1078.004), moderate to high confidence (85%); evidence: the REvil ransomware group likely abused compromised cloud/remote access credentials via BPH infrastructure.
- Persistence: Account Manipulation: Additional Cloud Credentials (T1098.003), moderate to high confidence (80%); evidence: bulletproof hosting services provided persistent infrastructure for C2 and data exfiltration.
- Defense Evasion: Hide Artifacts: Email Hiding Rules (T1564.008), moderate to high confidence (70%); evidence: ignored abuse complaints and law enforcement takedown requests (BPH providers enabled evasion). Indicator Removal: File Deletion (T1070.004), moderate to high confidence (75%); evidence: the public dump of stolen data on the dark web suggests selective retention/deletion of evidence.
- Credential Access: Credentials from Password Stores: Credentials from Web Browsers (T1555.005), moderate to high confidence (80%); evidence: theft of sensitive personal and health data of 9.7 million customers implies credential harvesting.
- Collection: Data from Local System (T1005), high confidence (95%); evidence: names, addresses, dates of birth, Medicare numbers and health claims data (mental health, drug addiction, abortion) exfiltrated. Data from Network Shared Drive (T1039), high confidence (90%); evidence: highly sensitive health claims data suggests targeted collection from shared repositories.
- Exfiltration: Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003), high confidence (90%); evidence: public dump of stolen data on the dark web via BPH infrastructure (PVServers/LumoHost). Exfiltration Over C2 Channel (T1041), moderate to high confidence (85%); evidence: malware C2 server hosts used by REvil for data exfiltration via sanctioned BPH providers.
- Impact: Data Encrypted for Impact (T1486), high confidence (95%); evidence: ransomware attack in 2022 by the REvil group, with public dump of stolen data after ransom refusal. Data Destruction (T1485), moderate to high confidence (70%); evidence: the public dump of stolen data suggests partial destruction/deletion of original systems.
- Command and Control: Proxy: External Proxy (T1090.004), high confidence (90%); evidence: bulletproof hosting (BPH) provided resilient proxy/C2 infrastructure (PVServers, LumoHost). Protocol Tunneling (T1572), moderate to high confidence (80%); evidence: ignored abuse complaints and law enforcement takedown requests imply tunneling via BPH.
These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.
Sources
- Medibank Rankiteo Cyber Incident Details: http://www.rankiteo.com/company/medibank/incident/MED2232322112125
- Medibank CyberSecurity Rating page: https://www.rankiteo.com/company/medibank
- Medibank Rankiteo Cyber Incident Blog Article: https://blog.rankiteo.com/med2232322112125-medibank-ransomware-june-2022/
- Medibank CyberSecurity Score History: https://www.rankiteo.com/company/medibank/history
- Medibank CyberSecurity Incident Source: https://dailysecurityreview.com/cyber-security/u-s-u-k-and-australia-sanction-russian-bulletproof-hosting-providers-supporting-ransomware/
- Rankiteo A.I CyberSecurity Rating methodology: https://www.rankiteo.com/static/rankiteo_algo.pdf
- Rankiteo TPRM Scoring methodology: https://static.rankiteo.com/model/rankiteo_tprm_methodology.pdf