At a glance.
- Critical vulnerability found in GE Healthcare devices.
- Settlements for two US privacy lawsuits.
- New protocol improves browser history privacy.
- Stolen Facebook accounts on offer for just one thin dime.
- More on the Foxconn ransomware incident.
Critical vulnerability found in GE Healthcare devices.
Researchers at medical cybersecurity company CyberMDX discovered a vulnerability that affects more than one hundred devices produced by GE Healthcare, reports SecurityWeek. The bug, which can be found in a variety of instruments including CT scan, X-ray, and ultrasound devices, could give a threat actor access to protected health information via hardcoded credentials that can be acquired online by anyone with network access to a device. GE, who asserts that network security measures would make it difficult for an unauthorized party to acquire the credentials, does not intend to release a patch but will instead provide training to ensure the devices are properly secured.
Settlements for two US privacy lawsuits.
Kalispell Regional Healthcare, based in the US state of Montana, has proposed a $4.2 million settlement to resolve a lawsuit concerning a 2019 phishing attack that exposed the personal health information of 130,000 patients, reports Infosecurity Magazine. The class-action lawsuit, which is scheduled for a final approval hearing in January, alleges that Kalispell did not properly secure the patient data and put the victims at increased risk by waiting several weeks before disclosing the breach. Kalispell denies any wrongdoing.
TechGenix reports US home improvement retail giant Home Depot will pay $17.5 million to forty-six states and Washington DC to settle a lawsuit for a 2014 data breach that was considered at the time to be the largest credit card breach in retail history. The info for 56 million credit and debit cards was compromised when bad actors accessed self-checkout terminals due to flawed encryption protocols. Home Depot denies any wrongdoing and is “glad to put this matter behind us.”
New protocol improves browser history privacy.
Cloudflare and Apple have created a new internet protocol they’re calling Oblivious DNS-over-HTTPS (ODoH) that offers increased security for users’ browser histories, reports TechCrunch. Typically, whenever a user visits a website, an unencrypted DNS query is sent to a DNS resolver in order to locate the page, which means the internet provider and any prying eyes could intercept the query and see exactly what site the user is visiting. Until now, the greatest protection offered was DNS-over-HTTPS (or DoH), which encrypts the query but does not completely hide it from the internet provider. The new protocol, ODoH, prevents the internet provider from connecting the browser history to the user by using a proxy server as a shield. As Cloudflare’s head of research Nick Sullivan put it, “What ODoH is meant to do is separate the information about who is making the query and what the query is.” Early adopters can use ODoH through Cloudflare’s 18.104.22.168 DNS resolver, but the Internet Engineering Task Force will need to approve the new protocol before it can be automatically built into browsers and operating systems.
They ask me, "What's your secret?" And I tell them, "Volume!"
More than eighty-one-thousand Facebook accounts belonging to users in Russia, Ukraine, the United Kingdom, Brazil, and the United States are being offered for sale in dark web souks. The BBC says the files on the block include private messages. It's not exactly crazy Leon's nut house of cyber bargains, but TechTimes reports that a gang is hawking stolen Facebook account items for as little as ten cents a pop.
More comment on the Foxconn ransomware attack.
We've received more industry comment on the Foxconn ransomware incident. Gustavo Palazolo, Security Researcher at Appgate, contributed the perspective of threat researchers who've rummaged through a deep web criminal site:
"Our team had access to Doppel ransomware's website on the deep web, where they publish their victims stolen data, and we could confirm that they have published data about Foxconn Technology Group. By looking at the list of organizations\targets from this and other threat groups behind large ransomware operations, we found a very diverse list of targets, so we have the impression that the threat actors are trying to make money no matter the type or size of the organization. Most of these groups work in the RaaS (Ransomware-as-a-Service) model, which will continue to increase the list of companies compromised. A great example is Egregor, when our team first analyzed this threat, there was only 6 companies in their "wall of shame" website. At this time, there are more than 150 companies that are not necessarily related by industry.
eSentire's Founder and Chief Innovation Officer, Eldon Sprickerhoff, wrote about what makes an extortion target attractive, and what renders them vulnerable:
"Manufacturers are a specifically attractive target; especially if they're able to disrupt operations. Manufacturers can tell you what the impact is (from an hourly perspective) when they're down. They state that they were hit on Thanksgiving weekend: attackers these days have a tendency to "lay low" and establish broad connectivity, get embedded into the backup cycle, gather information to exfiltrate, and then on a weekend (or a long weekend) initiate broad ransomware attacks.
"The ransom itself seems rather large (34m); there comes a point where the company itself might prefer to just 'bite the bullet' and start to rebuild from greenfield. This could help to retire any 'tech debt' they might have had before."