It’s likely about to be a very bad day for three medical facilities and the 655,000 patients whose information has been put up for sale on TheRealDeal market, a marketplace located on Tor that specializes in selling numerous illegal items.
In a 2015 interview, the market’s admin said, “…basically we consist of 4 partners who have a lot of experience in infosec…We decided it would be much better if there was a place where people can trade such pieces of information and code combined with a system that will prevent fraud and also provide high anonymity.” Fantastic! We certainly wouldn’t want those in the business of perpetrating fraud on others to be defrauded themselves… (Yes, that’s sarcasm.) Included in the list of items for sale are a variety of exploits (both known and unknown / not yet patched), databases (like the ones TheDarkOverlord is selling), code, drugs, hardware including physical hacking tools, and specialty services offered by hackers (such as paying a hacker to access a specific email account or to acquire a specific document – think corporate espionage).
The admin went on to provide some details on their security: “…we are also at the final stages of configuring and deploying a WAF [web application firewall] and IPS [intrusion prevention system] – This is something we are very good at. Our servers consist of full disk encryption and will be worthless in case of seizure, and all the hashing functions have been modified and hardened.” In short, these guys have done their homework and will make taking them down very difficult for law enforcement. Unless, of course, they slip up like the owner of the Silk Road did.
Back to the databases up for sale. The first is listed as a “Healthcare Database (48,000 Patients) from Farmington, Missouri, United States.” TheDarkOverlord has this database listed for sale for $100,000 USD. The second database is listed as “Healthcare Database (397,000 Patients) from Atlanta, Georgia, United States.” With a list price of $400,000 USD, this database contains a great deal of information; the screenshot below, which was provided by TheDarkOverlord, shows just how much detail is included. The third database is listed as “(210,000 Patients) from Central/Midwest United States.” This last one has a list price of $200,000, and the listing says it includes Social Security numbers, names, dates of birth, and addresses.
That should put Farmington and Atlanta on notice (the third database’s listing is too vague to pin down its actual source), and yes, according to reports, the institutions in question are aware of what TheDarkOverlord possesses, since he / she has been in contact with them to demand a payment in lieu of putting the databases up for sale. DeepDotWeb, which was asked by TheDarkOverlord to add a note to its reporting, quotes him / her as saying: “Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer.”
So, a little extortion, and when that didn’t work, the data on 655,000 individuals went up for sale to the highest bidder.
TheDarkOverlord writes well, which leads one to wonder whether he / she is based in the United States rather than abroad, where so many hackers are found. TheDarkOverlord engaged in a chat with The Daily Dot in which additional information was provided. TheDarkOverlord is quoted by The Daily Dot as saying in the chat, “I found several exploits to remotely access the SRSSQL server. It was like stealing candy from a baby.” He / she went on to say that it was the Atlanta facility that was using SRS EHR v. 9, an Electronic Health Records software package, and he / she claims the SRS software is very vulnerable. He / she says, “I suggest anyone using an SRS EHR cease activity of it immediately. I have already plundered as many as I could find since I discovered the vulnerability.”
It has not yet been confirmed or proven false that SRS EHR does indeed have a vulnerability, but to be on the safe side, anyone using SRS EHR should bring in a cyber security professional to look for vulnerabilities on their network and / or any evidence of a network breach, because while TheDarkOverlord currently has three databases for sale, he / she claims to have “A number that is large and sad”. What TheDarkOverlord is doing with them remains to be seen. Is he / she actively pursuing other extortion attempts, or is TheDarkOverlord just waiting to see how much the first three sell for before pricing the additional databases? Only time will tell.