The alert was issued on cyberveille-sante.gouv.fr, the site that aims to centralise security alerts concerning the health sector in connection with Cert-FR: since 4 February, a user of a cybercriminal forum has been offering a database containing usernames and passwords for more than 50,000 accounts, “probably belonging to hospital center agents”.
These accounts would allow buyers of the stolen database to log in to the information systems of the affected health establishments, in order to spread malware or ransomware, or more simply to steal health data from the compromised systems. The ad has been online since 4 February.
A leak from an unknown source
Cyberveille santé says it is unable to determine the origin of this data leak, but highlights its potential impact for administrators and recommends resetting passwords and paying particular attention to events in activity logs. The service also recommends that special attention be paid to backups, ensuring “the ability to restore an offline copy”.
The price of the data is, according to the author of the post, negotiable. According to Zataz, it would be around 1,000 dollars, a price above the usual going rate on the cybercriminal market. As Numerama points out, the quality of the information in this database remains unknown: while the author of the post claims that the database includes e-mail addresses belonging to “all French hospitals”, the cyberveille-santé site indicates for its part that “for the moment only a few domain names of establishments have been identified”. On the forum, the seller indicated on 20 February that the database was still available and that he was ready to sell it.
The database is for sale on RaidForums, a well-known forum dedicated to reselling stolen data and hacking tools. Active since 2015, RaidForums started out as a forum bringing together communities of Twitch raiders, before evolving into a more general-purpose forum. Its Leaks Market section is widely used by cybercriminals wishing to post advertisements for the sale of stolen data: it was notably on this forum that the databases stolen from the company Ledger were published at the end of 2020. In an interview with the company Recorded Future, the forum's administrator said he was willing to cooperate with the police, but argued that his site was merely a showcase protected by freedom of expression and that the data itself was often hosted elsewhere.
At the same time, the French startup CybelAngel published a white paper reporting on the online distribution of another database, this time containing the information of 500,000 French patients. Among the data concerned are “surname, first name, email address, telephone number and patient health data”. Although the data was initially sold on several forums, the person behind the leak decided to make it fully accessible, in protest at the resale of the data by his customers. The origin of the data is likewise not clearly identified, but according to CybelAngel it could have been stolen from hospitals in recent cyberattacks.