By the CyberWire staff
At a glance.
- HHS will investigate Change Healthcare attack.
- CISA says two of its systems were breached through Ivanti flaws.
- Midnight Blizzard makes use of data stolen from Microsoft.
- Stanford University discloses scale of last year's ransomware attack and data breach.
- French government hit by "intense" cyberattacks.
- France's unemployment agency discloses data breach affecting 43 million people.
- 15,000 Roku accounts breached via credential stuffing.
- Paysign investigates data breach claim.
- DarkGate malware campaign exploited SmartScreen bypass vulnerability.
HHS will investigate Change Healthcare attack.
The US Department of Health and Human Services (HHS) has launched an investigation into the ransomware attack against UnitedHealth Group's Change Healthcare platform, the Record reports. The HHS's Office for Civil Rights (OCR) said in a letter published yesterday, "Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident. OCR’s investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules." The letter adds, "OCR’s interest in other entities that have partnered with Change Healthcare and UHG is secondary. While OCR is not prioritizing investigations of health care providers, health plans, and business associates that were tied to or impacted by this attack, we are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules."
BleepingComputer notes that BlackCat, the ransomware gang behind the attack, claimed on its leak site to have stolen "source code for Change Healthcare solutions and sensitive information from many partners, including the U.S. military's Tricare healthcare program, the Medicare federal health insurance program, CVS Caremark, MetLife, Health Net, and many other healthcare insurance providers."
Team Cymru’s Threat Intelligence solutions allow you to aim your sights on the malicious actors.
Imagine a world where you're always one step ahead of cyber threats, where your defenses are impenetrable because you see what others don't. With real-time access to the world's largest threat intelligence data ocean, we enable you to turn the tables on attackers. Transform your security from reactive to proactive through accelerated threat hunting and incident response, made possible through automation. Team Cymru: be the hunter, not the hunted.
CISA says two of its systems were breached through Ivanti flaws.
The US Cybersecurity and Infrastructure Security Agency (CISA) has disclosed that it was forced to take two systems offline last month following exploitation of vulnerabilities affecting Ivanti products, the Record reports. An agency spokesperson stated, "The impact was limited to two systems, which we immediately took offline. We continue to upgrade and modernize our systems, and there is no operational impact at this time. This is a reminder that any organization can be affected by a cyber vulnerability and having an incident response plan in place is a necessary component of resilience."
The Record cites a source as saying that the compromised systems were "the Infrastructure Protection (IP) Gateway, which houses critical information about the interdependency of U.S. infrastructure, and the Chemical Security Assessment Tool (CSAT), which houses private sector chemical security plans."
Midnight Blizzard makes use of data stolen from Microsoft.
Microsoft said on Friday that the Russian state-sponsored threat actor Midnight Blizzard is exploiting information stolen from the company earlier this year. Microsoft stated, "In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access. This has included access to some of the company’s source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised."
The company adds, "It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found. Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures. Midnight Blizzard has increased the volume of some aspects of the attack, such as password sprays, by as much as 10-fold in February, compared to the already large volume we saw in January 2024."
Stolen credentials are involved in over 44% of all data breaches.
Simplify password policy management, enforce compliance requirements, and block over 4 billion compromised passwords 24/7 from your Active Directory.
See how you can automate better password security with custom dictionaries, blocking weak and common terms, enforcing length-based aging, supporting passphrases and offering real-time end-user feedback. Eliminate password vulnerabilities and mitigate risks of password reuse. Get a free trial of Specops Password Policy.
Stanford University discloses scale of last year's ransomware attack and data breach.
Stanford University has disclosed that personal information belonging to 27,000 people was compromised during a ransomware attack against the university's Department of Public Safety in September 2023. The university stated, "The personal information that may have been affected varies from person to person but could include date of birth, Social Security number, government ID, passport number, driver’s license number, and other information the Department of Public Safety may have collected in its operations. For a small number of individuals, this information may also have included biometric data, health/medical information, email address with password, username with password, security questions and answers, digital signature, and credit card information with security codes."
The Record reports that the Akira ransomware group has claimed responsibility for the attack.
French government hit by "intense" cyberattacks.
The French Prime Minister’s office said on Monday that several government agencies were hit by "intense" cyberattacks, the Record reports. Details of the incident weren't disclosed, but the Record notes that the description is consistent with a DDoS attack. The government says the attacks were "conducted using familiar technical means but of unprecedented intensity." The Prime Minister's office said in a statement that a "crisis cell has been activated to deploy countermeasures," and that "the impact of these attacks has been reduced for most services and access to state websites restored."
SecurityWeek notes that the pro-Russian hacktivist group Anonymous Sudan has claimed responsibility for the attacks.
Compete in a CTF Cloud Security Challenge
Join Lacework for a virtual Cloud Security Capture the Flag Challenge on March 19. You’ll have one hour to complete as many challenges as possible. Plus, the top 3 scorers will win a Valve Steam Deck. Attendance is limited, so register now to secure your spot.
France's unemployment agency discloses data breach affecting 43 million people.
The French government's unemployment agency, France Travail, has disclosed that hackers stole personal information belonging to approximately 43 million individuals, BleepingComputer reports. The threat actors accessed records on job seekers who have registered with the agency within the past two decades. The compromised data include full names, dates of birth, social security numbers (NIRs), France Travail identifiers, email addresses, postal addresses, and phone numbers.
15,000 Roku accounts breached via credential stuffing.
Roku has disclosed that more than 15,000 customer accounts were breached via credential stuffing attacks, BleepingComputer reports. In some cases, the breached accounts were used to purchase streaming subscriptions, and Roku is offering refunds for any unauthorized charges. The company says "access to the affected Roku accounts did not provide the unauthorized actors with access to social security numbers, full payment account numbers, dates of birth, or other similar sensitive personal information requiring notification."
BleepingComputer notes that the breached Roku accounts are being sold on underground forums for 50 cents apiece.
RSA Conference™ 2024—Where the Cybersecurity Community Unites
Cybercrime knows no bounds, and a united front is our strongest defense. At RSA Conference™ 2024, May 6 – 9, we unite in San Francisco as a cybersecurity community, fostering learning, networking, idea exchange, and exploration of cutting-edge innovations. Join us as we face the future of cybersecurity head-on. Learn more and register.
Paysign investigates data breach claim.
Consumer banking company Paysign is investigating reports of a data breach affecting over a million customer records, the Record reports. A user on a cybercriminal forum claimed last week to have stolen 1.2 million records containing "full names of customers, addresses, dates of birth, phone numbers and account balances."
DarkGate malware campaign exploited SmartScreen bypass vulnerability.
Trend Micro says a DarkGate malware campaign in January exploited a now-patched Windows Defender SmartScreen bypass vulnerability (CVE-2024-21412) to download fake Microsoft software installers. The researchers note, "The phishing campaign employed open redirect URLs from Google Ad technologies to distribute fake Microsoft software installers (.MSI) masquerading as legitimate software, including Apple iTunes, Notion, NVIDIA, and others. The fake installers contained a sideloaded DLL file that decrypted and infected users with a DarkGate malware payload."
Patch news.
Microsoft on Tuesday issued patches for 61 vulnerabilities, including two critical flaws affecting the Windows Hyper-V hypervisor, the Register reports. One vulnerability (CVE-2024-21407) can lead to remote code execution from a guest to the host server, while the other (CVE-2024-21408) is a denial-of-service flaw.
BleepingComputer reports that approximately 150,000 internet-facing Fortinet FortiOS and FortiProxy secure web gateway systems are still vulnerable to a critical out-of-bounds write vulnerability (CVE-2024-21762) that was patched in February. CISA last month added the flaw to its Known Exploited Vulnerabilities Catalog and required federal agencies to apply patches or discontinue use of the products by February 16th.
Prepare for today’s top certifications with confidence.
For budding talent and seasoned professionals in IT & cyber - make the low-risk investment in yourself today for the highest return toward your future success. N2K offers affordable exam prep training for top certifications, including ISC2 Certified in Cybersecurity, CompTIA Security+, ISC2 CISSP, and many others. Get access to simulated exams, custom quizzes, e-flashcards, and more. What could your career look like with a new certification? Prepare with confidence with N2K’s practice tests. Get started today.
Crime and punishment.
A Russian-Canadian man has been sentenced to four years in prison and must pay $860,000 in restitution for his involvement in LockBit ransomware attacks, BleepingComputer reports. Mikhail Vasiliev of Bradford, Ontario pleaded guilty in Canada last month to eight counts of cyber extortion, mischief, and weapons charges. Vasiliev is also awaiting extradition to the United States, where he's charged with "conspiracy to intentionally damage protected computers and to transmit ransom demands."
Courts and torts.
The US Federal Trade Commission (FTC) has reached a $26 million settlement with two Cyprus-based tech support firms, Restoro and Reimage, over the companies' use of phony popups that attempted to trick users into thinking their devices were infected with malware, SecurityWeek reports. The FTC stated, "Since at least January 2018, Defendants have operated a tech support scheme that has bilked tens of millions of dollars from consumers, particularly older consumers. Defendants have been using false and unsubstantiated claims about the performance and security of consumers’ computers in the marketing of their purported computer security and repair services, in violation of the FTC Act and the TSR."
Policies, procurements, and agency equities.
US Senators Dick Durbin (Democrat of Illinois) and Mike Lee (Republican of Utah) have introduced a bipartisan bill to reauthorize and reform Section 702 of the Foreign Intelligence Surveillance Act (FISA), the Record reports. The authority, set to expire on April 19, has been criticized for its incidental collection of US citizens' communications and alleged FBI misuses. The proposed legislation seeks a balance by allowing intelligence searches of the database for Americans' communications while requiring a warrant to access the content, except in certain cases such as digital attacks.
Senator Durbin, the chair of the Senate Judiciary Committee, said in a speech on Thursday, "I have had demonstrations of the Section 702 authority and there is no doubt in my mind that it is a valuable tool for collecting foreign intelligence. But this authority raises serious constitutional concerns as it allows access not just to communications by those who are foreigners, but also to the vast databases of Americans' communications without the customary search warrant required by the United States Constitution."