Unraveling a healthcare ransomware web.
Change Healthcare gets hit with another ransom demand. A French football team warns fans of a cyberattack. The Home Depot breach is chalked up to a misconfigured SaaS application. The FCC looks to shore up car connectivity security to protect survivors of domestic violence. Targus reports a disruptive cyberattack. A massive doxxing event hits El Salvador. India's top audio and wearables brand investigates a customer data breach. The Israeli military jams GPS. Microsoft Security’s Ann Johnson, host of Afternoon Cyber Tea podcast, shares a segment of her latest episode featuring Jason Healey, founding scholar and director for cyber efforts at Columbia's School of International and Public Affairs. They discuss nurturing trust in cybersecurity. And, I’ll have a burger with a side of surveillance.
Today is April 9th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Change Healthcare gets hit with another ransom demand.
The Change Healthcare data breach saga has intensified with a newly emerged ransomware group called RansomHub claiming to possess 4TB of data stolen from the healthcare tech company in February. Originally linked to the ALPHV/BlackCat ransomware group, this breach led to significant operational disruptions and threats of sensitive data exposure. Despite an alleged $22 million ransom payment by UnitedHealth Group's subsidiary Optum to ALPHV/BlackCat, the funds were reportedly stolen by the group in an exit scam, leaving the original perpetrators without payment. RansomHub is now demanding a ransom from UnitedHealth, threatening to sell the stolen data, which includes sensitive medical and personal information, to the highest bidder if payment is not made. This incident highlights the complexities and dangers of ransom payments, with experts cautioning against such actions due to the risk of becoming repeated targets for extortion. The involvement of multiple ransomware groups and affiliates in the cybercriminal ecosystem adds layers of complexity to resolving such breaches.
A French football team warns fans of a cyberattack.
Paris Saint-Germain (PSG), the Qatari-owned French football team, alerted fans to a cyberattack on its online ticketing service detected on April 3. The incident was reported as PSG prepares for a Champions League quarterfinal match against Barcelona. Despite no evidence of data extraction, the club, facing potential fines under EU data protection laws, informed France's data protection regulator and took immediate steps to enhance security. This cyberattack underscores the vulnerability of major football clubs to cybercriminal activities, as seen with Manchester United in 2020 and the Royal Dutch Football Association in 2023. PSG has assured that a vulnerability was quickly fixed and has advised fans of the potential compromise of personal information.
The Home Depot breach is chalked up to a misconfigured SaaS application.
The recent Home Depot data breach, which compromised information of over 10,000 employees, was attributed to a misconfigured SaaS application, highlighting a widespread issue across enterprises. Information leaked on a hacking forum included employee names, work emails, and user IDs, raising concerns about potential social engineering attacks. The breach, confirmed by Home Depot on April 7, was due to a third-party vendor's error. Security experts emphasize the need for enterprises to address SaaS misconfigurations to prevent such incidents. They advocate for better visibility into SaaS risks, monitoring of user behaviors, and connected applications to secure sensitive data and strengthen defenses against similar vulnerabilities.
The FCC looks to shore up car connectivity security to protect survivors of domestic violence.
The FCC is initiating a process to explore methods for preventing the misuse of car connectivity tools by abusers against domestic violence survivors. This move, announced on Monday, involves a proposed rulemaking to assess how automakers and wireless providers can support abuse survivors. Stemming from the enforcement of the 2022 Safe Connections Act aimed at enhancing access to communication services for domestic abuse survivors, the FCC's action seeks to address the potential risks connected car services pose. The proposal includes considering classifying connected cars as mobile virtual network operators (MVNOs), which would significantly increase regulatory oversight, including prohibiting the sale of geolocation data and improving transparency around data practices. The FCC aims to ensure that connected car technologies align with the Safe Connections Act's objectives, enhancing safety and security for domestic violence survivors using these services.
Targus reports a disruptive cyberattack.
Laptop and tablet accessories maker Targus reports experiencing a cyberattack disrupting its operations after unauthorized access to its file servers was detected on April 5th, 2024. The attack led Targus to implement its incident response and business continuity measures to investigate, contain, and remediate the disruption, as disclosed in a Form 8-K filing by its parent company, B. Riley Financial, Inc. Although the attack caused temporary business interruptions, Targus has since contained the incident and is in the process of recovering its systems with the assistance of external cybersecurity experts. The details regarding potential data exfiltration have not been disclosed, but regulatory authorities and law enforcement have been notified. There has been no claim of responsibility for the attack by any ransomware gangs or threat actors.
A massive doxxing event hits El Salvador.
A hacker has released the personal information of over 5 million Salvadorans, marking the largest data breach in El Salvador's history. Detailed data including full names, birthdays, phone numbers, addresses, email addresses, and social-security-equivalent DUI numbers, along with high-definition headshot photos, have been leaked on the dark web. This breach impacts the majority of Salvadoran adults, with the country's total population around 6.6 million, including a significant diaspora. Initially offered for a $250 fee since August, the data was released for free after a failed ransom demand by the hacker. The incident was confirmed by La Prensa Gráfica, a major Salvadoran newspaper.
India's top audio and wearables brand investigates a customer data breach.
boAt, India's top audio and wearables brand, is probing a potential data breach following online advertisements of a supposed customer data cache. The leaked information, verified by TechCrunch against exposed phone numbers, includes full names, phone numbers, email addresses, mailing addresses, and order numbers, indicating authenticity. The breach reportedly occurred in March, affecting over 7.5 million customers. boAt confirmed the investigation into the alleged leak, emphasizing customer data protection as a paramount concern. The data breach involved credentials reportedly stolen from boAt’s systems, with references to Shopify in the leaked data. boAt holds a significant market share in India's wireless earbuds and wearables sectors, and it postponed its IPO plans amid market slowdowns despite being valued at $300 million in a 2021 funding round.
The Israeli military jams GPS.
The Israeli military has been jamming GPS in Tel Aviv as a defensive measure against the threat of Iranian reprisal. This has significantly disrupted daily life, affecting everything from navigation apps like Waze and Google Maps to public transportation payments and even matchmaking on dating apps. Initially targeting Tel Aviv to protect against potential Iranian attacks, the GPS disruptions are a response to a strike on Iran’s diplomatic compound in Damascus, attributed to Israel, which killed senior military officials. Iran vowed to retaliate, leading to widespread operational changes in Israel, including in Haifa, where residents have adapted to GPS scrambling by the military for the past six months. The situation highlights the broader implications of modern warfare tactics on civilian life and technology, emphasizing the reliance on GPS for various aspects of daily activities and the challenges of maintaining normalcy amidst security threats.
Up next, we have Afternoon Cyber Tea’s Ann Johnson talking about nurturing trust in cybersecurity with Jason Healey. Jason is the founding scholar and director for cyber efforts at Columbia's School of International and Public Affairs.
Welcome back. Thanks, Ann. You can check out links for the Afternoon Cyber Tea podcast and hear Ann’s full discussion with Jason Healey in our show notes.
I’ll have a burger with a side of surveillance.
And finally, Forbes looks at the infiltration of surveillance technology into the fast food and vending machine sectors. Leading tech corporations have paved the way for consumer surveillance, establishing a model that fast food chains and vending machine companies are now emulating.
In a notable case at the University of Waterloo, Canada, students accidentally uncovered that vending machines on campus, supplied by Switzerland-based Invenda, were utilizing facial recognition technology to track users' age and gender without their consent.
Invenda's ambitions to expand into the U.S. market, following a $19 million seed funding round, further highlight the potential scale of this issue. This shift is particularly concerning in public and semi-public spaces, such as hospitals and government buildings, where confidentiality is paramount.
Moreover, the fast food industry's adoption of similar surveillance tactics, employing systems to monitor and analyze employee-customer interactions, illustrates a growing trend towards the automation and control of service processes. These practices, while aimed at optimizing efficiency and service quality, come at the cost of personal privacy and autonomy, with little regulatory oversight to safeguard consumer rights.
This evolving landscape raises pressing questions about the balance between technological innovation and privacy protection. As companies increasingly prioritize data collection and analysis over traditional customer service values, the need for comprehensive privacy legislation and ethical guidelines becomes ever more critical. The challenge lies in ensuring that technological advancements serve to enhance, rather than undermine, consumer rights and freedoms.
In this new era of automated surveillance, some wonder if the fast food experience has lost its flavor, replaced by the bitter taste of lost privacy.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.
N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.