The CyberWire Daily Podcast 3.14.24
Ep 2024 | 3.14.24

TikTok showdown: U.S. lawmakers target privacy and security.

Transcript

The US House votes to enact restrictions on TikTok. HHS launches an investigation into Change Healthcare. An Irish Covid-19 portal puts over a million vaccination records at risk. Google distributes $10 million in bug bounty rewards. Nissan Oceania reports a data breach resulting from an Akira ransomware attack. Meta sues a former VP for alleged data theft. eSentire sees Blind Eagle focusing on the manufacturing sector. Claroty outlines threats to health care devices. A major provider of yachts is rocked by a cyber incident. In our Threat Vector segment, David Moulton explores the new SEC cybersecurity regulations with legal expert and Unit 42 Consultant Jacqueline Wudyka. And ransomware victims want their overtime pay.

Today is Tuesday, March 14th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The US House votes to enact restrictions on TikTok. 

In a move reflecting growing concerns over digital privacy and national security, the U.S. House of Representatives passed the Protecting Americans from Foreign Adversary Controlled Applications Act. This legislation targets TikTok, the wildly popular social media platform owned by the Chinese company ByteDance, by threatening a ban unless ByteDance divests its ownership. With the bill now awaiting Senate consideration and President Joe Biden indicating readiness to sign it into law, the potential implications for TikTok and its vast American user base are significant.

Central to the bill's provisions is the authority it would grant the U.S. President to compel foreign-owned social media applications to either sell their interests to non-adversarial entities or face a ban, should U.S. intelligence deem them a threat. Specifically, TikTok, with its 170 million American users, has been singled out due to concerns over data collection and the potential for disseminating Chinese propaganda. However, privacy advocates argue that TikTok's data practices are not significantly different from those of other social media platforms and suggest that the real solution lies in enacting a robust data privacy law for the United States.

Should the sale not proceed, the consequences for TikTok's availability in the United States could be unprecedented. A ban would directly impact the app's distribution through major platforms like Google's Play Store and Apple's App Store, which have historically complied with U.S. law. This restriction could significantly diminish TikTok's accessibility, yet experts like Cooper Quintin from the Electronic Frontier Foundation anticipate that users would quickly seek and find workarounds, potentially leading to a surge in tech-savvy individuals capable of bypassing digital restrictions.

The global precedent for such workarounds exists, as seen in countries like India where TikTok has been banned yet continues to be accessed through various means. These scenarios suggest that a U.S. ban might not effectively curb TikTok's use but could inadvertently foster a generation more adept at circumventing digital barriers, with all the attendant risks that such endeavors entail, including exposure to malicious software disguised as the banned app.

This complex situation underscores the challenges inherent in regulating the digital sphere, where legislative actions aimed at addressing privacy and security concerns must contend with the realities of technology's pervasive influence and the ingenuity of its user base. As the U.S. grapples with these issues, the debate over TikTok highlights broader questions about data privacy, national security, and the future of digital governance.

HHS launches an investigation into Change Healthcare. 

The U.S. Department of Health and Human Services (HHS) has announced an investigation into the major ransomware attack on Change Healthcare, which caused widespread disruptions in healthcare services across the country. The Office for Civil Rights (OCR) is leading the probe to determine if protected health information was compromised and if Change Healthcare and its parent company, UnitedHealth Group, complied with HIPAA regulations. The investigation follows significant operational impacts on hospitals, clinics, and pharmacies, with reports of severe financial losses due to halted billing operations. UnitedHealth has announced progress in restoring systems, but the attack has highlighted the vulnerability of the healthcare sector to cyber threats, raising concerns about the concentration of healthcare IT services following UnitedHealth's acquisition of Change Healthcare. 

An Irish Covid-19 portal puts over a million vaccination records at risk. 

Security researcher Aaron Costello from AppOmni discovered a significant data leak in the Irish Health Service Executive's Covid-19 vaccination portal, potentially exposing over a million vaccination records, including names and vaccination details. The issue, identified in December 2021, stemmed from a configuration error that granted users overly broad access via the Salesforce Health Cloud, also exposing internal HSE documents and staff information. Despite the potential for widespread data access, there's no evidence the exposed information was exploited.

Google distributes $10 million in bug bounty rewards. 

In 2023, Google disbursed $10 million in rewards through its bug bounty program to over 600 security researchers across 68 countries for identifying vulnerabilities in its products and services. This payout marked a decrease from the $12 million awarded in 2022. Since the inception of the program in 2010, Google has paid out a total of $59 million to researchers. The largest single reward in 2023 was $113,337. The tech giant has increasingly focused on securing its Android ecosystem, awarding over $3.4 million for significant vulnerabilities found therein and raising the maximum reward for critical vulnerabilities to $15,000. New initiatives included adding Wear OS to the bug bounty program and introducing special incentives for finding exploits in Chrome and AI products, though some of these incentives remain unclaimed.

Nissan Oceania reports a data breach resulting from an Akira ransomware attack.

Nissan Oceania reported a data breach affecting nearly 100,000 customers due to a December ransomware attack claimed by the Akira operation. The breach involved the exfiltration of personally identifiable information, employment and salary details, and loan transactions. Up to 10% of affected customers also had sensitive government information like Medicare cards, passports, and driver's licenses stolen. The incident impacted customers of Nissan's finance services, including those of Infiniti, Renault, and Mitsubishi. Nissan Oceania is offering a year of free credit monitoring and data protection services to affected customers in Australia and New Zealand, committing to promptly inform individuals about the breach and advising on protection against potential harm, identity theft, scams, or fraud. Some observers have noted the delay, over one hundred days, between the attack and Nissan Oceania's acknowledgment.

Meta sues a former VP for alleged data theft.  

Meta has initiated legal proceedings against Dipinder Singh (TS) Khurana, a former vice president at the company, for allegedly misappropriating employee and business contracts before resigning to join an AI startup. Accused of being "brazenly disloyal," Khurana reportedly uploaded sensitive documents to his personal cloud storage accounts prior to his departure in June 2023, after 12 years at Meta. He is also accused of recruiting at least eight Meta employees. This case surfaces alongside increasing concerns over insider threats, underscored by a similar incident at Google involving ex-employee Linwei Ding, who allegedly stole AI-related intellectual property. Insider risks are ongoing challenges for cybersecurity defenders, particularly with the shift towards remote work and digital collaboration.

eSentire sees Blind Eagle focusing on the manufacturing sector. 

Blind Eagle, identified as APT-C-36 since 2018, is a South American threat actor primarily targeting Colombia and neighboring countries. It uses phishing emails to infiltrate systems. Trend Micro reported in 2021 that Blind Eagle deployed various RATs, including njRAT and Remcos. The eSentire Threat Response Unit recently noticed Blind Eagle focusing on the manufacturing sector, delivering malware via phishing emails with malicious VBS files in RAR and BZ2 archives. These files, once executed, ensure persistence by copying themselves into the startup folder, and use obfuscated PowerShell commands to download further malicious payloads. The operation's sophisticated use of encryption and obfuscation techniques, coupled with targeted phishing, highlights the persistent threat posed by Blind Eagle to industries in its focus area.
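As an added illustration (not code from the episode or from eSentire's report), the two behaviours described above, a script copied into the Startup folder and an obfuscated PowerShell launch, are exactly the telemetry a detection rule would key on. The Python below runs those checks over constructed sample events; the event schema, sample paths and the harmless encoded command are assumptions.

```python
import base64
import re

# Both the per-user and all-users Startup folders end with this path suffix.
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd", ".lnk")
# PowerShell accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc, ...).
ENC_RE = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)

def encode_command(plaintext: str) -> str:
    """Build a -EncodedCommand value the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(plaintext.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline: str):
    """Return the plaintext behind -EncodedCommand, or None if absent or not decodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def is_startup_script(path: str) -> bool:
    """True when a script-like file is written into a Windows Startup folder."""
    return bool(STARTUP_RE.search(path)) and path.lower().endswith(SCRIPT_EXTS)

def triage(events):
    """Flag startup-folder persistence and encoded PowerShell in a list of event dicts."""
    findings = []
    for ev in events:
        if ev["type"] == "file_create" and is_startup_script(ev["path"]):
            findings.append({"rule": "startup_folder_script", "path": ev["path"]})
        elif ev["type"] == "process_start" and ev["image"].lower().startswith("powershell"):
            decoded = decode_encoded_command(ev["cmdline"])
            if decoded is not None:
                findings.append({"rule": "encoded_powershell", "decoded": decoded,
                                 "hidden_window": bool(HIDDEN_RE.search(ev["cmdline"]))})
    return findings

# Constructed sample telemetry (assumed schema): a VBS dropped into the per-user Startup
# folder, then PowerShell launched hidden with a harmless encoded command, plus benign noise.
SAMPLE_EVENTS = [
    {"type": "file_create", "process": "wscript.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\invoice.vbs"},
    {"type": "process_start", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_command("Write-Output 'stage2 placeholder'")},
    {"type": "file_create", "process": "notepad.exe", "path": r"C:\Users\alice\Documents\notes.txt"},
]
```

Calling `triage(SAMPLE_EVENTS)` yields one finding per malicious event and nothing for the Notepad write; real deployments would read the same fields from Sysmon or EDR file and process events.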

Claroty outlines threats to health care devices. 

Security firm Claroty reports that 63% of CISA-tracked Known Exploited Vulnerabilities (KEVs) are present in healthcare networks, with 23% of medical devices harboring at least one exploited vulnerability. This cybersecurity risk encompasses a range of devices, from imaging to surgical equipment. The study highlights the challenge posed by legacy devices, which are often retained beyond their cyber-safe lifespans due to traditional replacement schedules not accounting for cybersecurity risks. Connectivity advances in healthcare have enhanced patient care but also increased vulnerability to cyberattacks. With only 13% of medical devices supporting endpoint protection and 72% connected to the internet, the emphasis shifts to network security strategies like segmentation to protect patient data and device functionality. Additionally, 22% of hospitals have devices that connect guest and internal networks, presenting significant security risks.

A major provider of yachts is rocked by a cyber incident. 

MarineMax, the world's largest recreational boat and yacht services company, has disclosed in regulatory filings a cybersecurity incident that began Sunday. The attack involved unauthorized third-party access to parts of its information environment. Immediate containment measures were taken, causing some business disruptions, though operations continued. The company has engaged cybersecurity experts and informed law enforcement, but it's unclear if the incident was a ransomware attack or involved data theft. MarineMax reported no sensitive data was compromised and the incident hasn't materially impacted operations yet. This follows cyberattacks on other boating industry leaders, including Brunswick Corporation, which faced significant financial losses due to a cyber incident last year.

Coming up on our Threat Vector segment, host David Moulton and legal expert and Unit 42 Consultant Jacqueline Wudyka explore the new SEC cybersecurity regulations that reshape how public companies handle cyber risks. 

 

Ransomware victims want their overtime pay. 

And finally, employees in the City of Hamilton, Ontario are increasingly frustrated due to not receiving overtime pay amidst a ransomware attack that has disrupted the city's central services for two weeks. Union leaders, representing various city workers, have voiced their concerns, highlighting the strain on those who have worked additional hours without compensation. The situation has reached a critical point for many, with union representatives stating that the lack of serious response from city officials only adds to the frustration. Plans for a group grievance are underway, and there's talk of refusing overtime work altogether. This standoff not only stresses the immediate financial implications for the workers but also raises concerns about their personal information's security in light of the cyberattack. Despite the city's reassurance that personal data has not been compromised, trust issues persist. 

The workers' dissatisfaction is a good reminder of the broader impact of a ransomware attack on a city's operational and human resource management, and that management and recovery is as much a people problem as it is a technical one. 

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.