Quiron subsidiary Prevencion suffers ransomware cyber attack - A "strange behavior" on the network and more than 4 gigs of outgoing traffic: this chilling story details how Chiron detected and reacted to a cyber attack with 'ransomware'.

A few days ago one of the largest internet providers around the world, Fastly, had technical problems and much of the network of networks was down. At that time, many users understood how our society is increasingly dependent on technology.

That is why cybersecurity cannot be reduced to technological formalism alone. Ensuring that a company's or an administration's computer systems are well defended can mean the difference between people's life and death. More in the health field.

During the pandemic, many groups of cybercriminals targeted healthcare companies around the globe. Thus, the hospital of Torrejón de Ardoz was already a victim of computer incidents that paralyzed its routines and put the lives of patients at risk. This was also the case with Fresenius, the parent company of Quirónsalud, one of the largest private healthcare providers in Spain.

Chiron's subsidiary, Chiron prevention, again suffered a new ransomware cyber attack late last year. Cybersecurity is not a mere technological formalism because it is also talent, resilience, responsiveness and transparency. Typically, when a company is under attack, it tries to deny the biggest and avoid any reputational crisis.

Quiron subsidiary Prevencion suffers ransomware cyber attack

But the Spanish Data Protection Agency (AEPD) is one of the public bodies that is responsible for ensuring the strengths and secure systems in which the data of Spanish citizens are treated. Other bodies responsible for carrying out the relevant cybersecurity checks are the National Cryptological Centre or the National Cybersecurity Institute.

By virtue of its purpose, the AEPD published a few days ago a resolution detailing how was the cyber attack that affected several Chiron prevention systems in November last year. This subsidiary is responsible for developing occupational risk prevention protocols and has played an essential role for companies such as airlines when it comes to offering PCR tests.

That's why a tweet from a user in November last year set off all the alarms. "Yesterday the Chiron prevention servers were hacked, I did the PCR in Alicante because I flew on Monday at 8: 00. There is no operating phone and I need that PCR to fly, can you help me?".

Quiron subsidiary Prevencion suffers ransomware cyber attack

The AEPD requested information from Chirón prevención to know how the incident went. The company confirms that from Thursday, November 12, at 22:30 hours, Chiron employees detect "strange behavior" in the domain and network systems of the company thanks to the monitoring systems they had activated.

"When connecting, it is identified that 2 of the 6 servers that make up the Exchange mail service have been affected by an Avaddon family ransomware. It has not been detailed which program used these servers, but it is worth remembering that a few months later Microsoft acknowledged having suffered a hack that left tens of thousands of these servers vulnerable.

All of a sudden, Chiron prevención's files were encrypted and a plain text note appeared on their computers "requesting payment in bitcoins in exchange for providing a tool to decrypt the files."

"It is also determined that this is a scenario of double extortion, so the attacker not only requests payment in exchange for providing the means to decrypt these files, but also extorts to give the ransom payment in exchange for not making public information that they have presumably exfiltrated from the network of the organization," he continues.

Quiron subsidiary Prevencion suffers ransomware cyber attack: At one and a quarter in the morning from Thursday to Friday, Chiron prevention technicians make the decision to cut the internet. At two o'clock in the morning, they cut "tunnels" with third parties. Two hours later, they open A Severity case with Microsoft and request a forensic analysis from their security center. At ten to five in the morning, the networks of the firm's headquarters are isolated.

All passwords of users accessing the systems are reset. Virtual private networks (VPNs) that were being used for teleworking are interrupted. On Friday at noon, all permissions on shared folders are removed and virtual servers are isolated from the network.

In the information that Chiron refers to the AEPD it is highlighted that the most likely hypothesis as an input vector of the attacker is "a phishing campaign aimed at employees". "After obtaining some credentials you access the network through a VPN connection. Once inside, the attacker tries to make lateral moves to other machines and climb privileges between November 10 and 12."

Quiron subsidiary Prevencion suffers ransomware cyber attack

It also identifies "a total of 4.15 GB of outbound traffic from 6 servers in the organization's internal network to the attacker's server". "The information contained in those servers has data from the company's Active Directory, emails and some employee data such as ID, phones and emails."

The firm itself recognizes that the attack occurs "in the current external context of pandemic in which telework has been extended extensively and quickly to most employees of Quirón". The incident sparked a rapid and frantic reaction with which the problems "were limited and resolved" during the weekend immediately following, from 14 to 15 November.

"Between Monday 16 and Tuesday 17 all digital services to our customers were already available", claims the company, and a week after the attack"the corporate email service was restored".

As the company itself recognizes, the data of the Active Directory in which the identity documents, emails and telephones of 5,000 workers appear were affected. "The possible consequences could be the publication of the exfiltrated data publicly, as well as the sending of emails using the corporate email address, which would imply a corporate identity spoofing."

Quiron subsidiary Prevencion suffers ransomware cyber attack: Chirón, who clarifies that" in no case " the ransom note was heeded, threatened to publish this information. "For this reason the company is monitoring the network in case any publication is made. As of the date of the communication of the response to the Data Inspection request, no publication has been detected".

However, this potential gap has not been notified to the affected —employees— according to the criteria provided by the own AEPD in one of his guides, "taking into account the criteria of volume, type of data and impact", because "the security breach does not pose a risk to the rights and freedoms of natural persons".

In addition to maintaining this network monitoring, Quirón introduced a double authentication system to its users and migrated its mail service to a secure solution in the cloud. He switched his antivirus to a comprehensive cybersecurity solution and rebuilt his Active Directory.

The AEPD resolves the case without sanctions by concluding that "prior to the breach, the entity had reasonable security measures based on the possible estimated risks". Also, as it did with the attack on Mapfre a year ago, "highlights the rapid action of the entity from the moment it was aware of the facts".

"He actively intervened in its resolution, minimizing the possible pernicious effects of the incident. Thus, the entity updated the physical and logical equipment with due diligence."

# Quiron subsidiary Prevencion suffers ransomware cyber attack #