Internal information leaked from Aerolineas Argentinas, the Santa Cruz Justice Department, and the Ministry of Health


Three threat actors made posts over the course of two weeks purporting to sell internal information from Aerolineas Argentinas, the Ministry of Health, and the Santa Cruz Judiciary. The leaked data is being offered in a community dedicated to buying and selling stolen data.

Cybercriminals frequently publish stolen data for others to buy and exploit for a variety of illegal activities. The judicial system of Córdoba, the legislature of Buenos Aires, the Supreme Court of Buenos Aires, the Garrahan Hospital, and other institutions have experienced weaknesses in their computer security systems this year. This is not the first time that a state entity has been penetrated.

Leaks compromise private information and frequently expose sensitive data, such as credit card information, medical or financial details, or passwords.

In the case of the three entities affected over these two weeks, the leaked material includes technical information, passwords, emails, and more.

Two leaks at Aerolineas Argentinas

“The same threat actor effected two breaches on airlines: one last week and another during the early hours of this Wednesday. In the first, the attacker provided technical documentation from Aerolineas Argentinas and other service providers, such as Austral, while emphasizing that the documents were outdated but still useful,” Santiago Pérez Montao, a security analyst with Clarín, noted.

Because of the nature of the leak, he continues, “I supplemented the leak with FTP server logs, where it included detailed information like credentials in plain text.” Data handled in “plain text” carries a high risk.

“This disclosure involves private information from the institution’s physical and digital assets. Naturally, it has to be regarded as having high gravity. The second breach, which happened this morning, has around 65,000 email addresses of airline customers, many of which had official or government domains,” the source continues. Note that government addresses are among them.

Despite this, the flag carrier acknowledged the leak to Clarín but insisted that “no confidential data was violated.”

The expert points out a striking detail that makes the situation much more serious: the data is being given away. Even though it was posted in a forum for buying and selling data, it can be obtained for free.

Ministry of Health data leaked: what is known

The nation’s Ministry of Health, for its part, was also impacted. Medical records, which are extremely private for residents, are among the most sensitive types of information compromised in data breaches at health institutions.

“Without providing much background, a threat actor advertised access credentials to the Argentine Ministry of Health in the same forum. After speaking with him, he made it clear that these are credentials for the Argentina Integrated Health Information System, and he provided screenshots of their access to the system as proof,” said Pérez.

Remembering that these systems keep extremely private user data (medical records), he explained, “we may infer from the screenshots that the afflicted user has a significant hierarchy within the system, allowing them to visualize said information.” He says that the attacker has not fixed a price for the data set and is instead listening to offers.

Although contacted by this outlet, the agency did not provide any official statement.

The details of the Santa Cruz judiciary leak

The year 2022 will be challenging for legal systems. The Córdoba Judiciary experienced a ransomware attack in August that rendered the entire system utterly unusable. 15,000 records were posted online for sale after the Supreme Court of the Province of Buenos Aires was breached in July. Now it was the turn of the Santa Cruz Judiciary.

“A third actor published in the same forum that he had complete access to the judiciary’s network through a privileged user,” the expert explained. “He described having privileged access to all systems, including databases and RDP credentials (to connect remotely to internal teams).”

“The attacker asked for payment in various cryptocurrencies and has no standing in the community. As in the prior instance, the price is open,” he concluded.

When Clarín contacted the organization, it provided the following information: “An intrusion was reported in one of our web servers.” They explained that the system in question has 250 internal users and is used to exchange information across various judicial authorities.

Additionally, they took the necessary precautions in case of a leak by changing the passwords of the ownCloud client users they use. They also proactively stopped letting people who work from home use remote access.

The prosecutor’s office received a criminal complaint from the provincial judiciary.

What to do if a data breach occurs

Data leaks must be reported by the affected organizations. According to cybercrime attorney Daniel Monastersky, “it applies to organizations that come under subsection a of Art. 8 of Law 24156 the need to disclose security events to the DNCIB.”

Article 7 of Administrative Decision No. 641/2021 states as much. “In the case that the security incident has affected information assets and has compromised information and/or personal data of third parties, such occurrence must be publicly disclosed,” he adds. This is also stated in the Annex that is approved by article 1: “Guideline 12. Incident Management.”

For the affected users, in this case employees of Aerolineas, the Ministry of Health, and the Judiciary of Santa Cruz, the usual advice is to change passwords or even use a password manager, in addition to enabling two-factor authentication whenever possible (something that State entities in general seldom enable).

