The CyberWire Daily Podcast 4.23.24
Ep 2052 | 4.23.24

Visa crackdown against spyware swindlers.


The State Department puts visa restrictions on spyware developers. UnitedHealth says its recent breach could affect tens of millions of Americans. LockBit leaks data allegedly stolen from the DC government. Microsoft says APT28 has hatched a GooseEgg. The White House and HHS update HIPAA rules to protect private medical data. Keyboard apps prove vulnerable. A New Hampshire hospital suffers a data breach. Microsoft’s DRM may be vulnerable to compromise. On our Industry Voices segment, Ian Leatherman, Security Strategist at Microsoft, discusses raising the bar for security in the software supply chain. GoogleTeller just can’t keep quiet.

Today is April 23rd, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The State Department puts visa restrictions on spyware developers. 

The U.S. Department of State is implementing visa restrictions on 13 individuals involved in the development and sale of commercial spyware, as well as their immediate family members. These individuals are linked to companies that have financially benefited from or facilitated the misuse of spyware, which in severe cases has been associated with human rights violations like arbitrary detentions and extrajudicial killings. This action is part of a broader initiative to combat the misuse of surveillance technology that has been used against journalists, academics, human rights defenders, dissidents, and U.S. government personnel.

The policy, which officials say underscores the U.S. commitment to addressing these threats, includes various measures such as export controls, sanctions, and the prohibition of spyware use by the U.S. government that risks national security. Key actions have included adding companies like Intellexa and Cytrox to the Commerce Department's Entity List, which restricts trade with entities posing a national security threat.

UnitedHealth says its recent breach could affect tens of millions of Americans. 

UnitedHealth Group has acknowledged a significant data breach at its Change Healthcare unit following a ransomware attack in February, compromising sensitive personal and medical information of potentially millions of Americans. The breached data includes both protected health information and personally identifiable information. The full extent of the stolen data is still being determined as the company continues its extensive analysis, which is expected to take several months.

In response to the breach, UnitedHealth Group has launched a dedicated support system for victims, including a website, call center, and two years of free credit monitoring and identity theft protections. The attack not only led to the theft of sensitive data but also caused major disruptions in U.S. healthcare services, impacting medical reimbursements and pharmacy prescriptions.

UnitedHealth also confirmed that it paid a ransom to the attackers, a move often discouraged by security experts due to the lack of assurances that the data will not be misused. Restoration efforts are ongoing, with significant regulatory scrutiny and multiple lawsuits emerging as a result of the breach. The company estimates the total costs associated with the attack could reach $1.6 billion.

LockBit leaks data allegedly stolen from the DC government. 

The LockBit ransomware gang has leaked 1GB of data allegedly stolen from the District of Columbia’s Department of Insurance, Securities and Banking (DISB), claiming possession of a much larger trove (800GB) which also includes data from the US Securities and Exchange Commission (SEC) and various financial entities. This threat emerges from a cyberattack on Tyler Technologies, a third-party software provider, in late March. During the breach, unauthorized access was gained to a cloud environment, leading to the deployment of ransomware. Tyler Technologies has been working on recovery and assessing the full impact, noting that personal information such as Social Security numbers might have been compromised. The full scope of the breach is still being determined, and individual notifications will follow once the affected parties are identified.

Microsoft says APT28 has hatched a GooseEgg. 

Microsoft says Russian APT group APT28 (also known as Strontium or Forest Blizzard) has been utilizing a novel tool named "GooseEgg" to exploit a Windows Print Spooler vulnerability (CVE-2022-38028) since as early as April 2019. This bug, patched in October 2022 after being reported by the NSA, allowed the group to modify and execute a JavaScript file with system-level permissions, enabling the theft of credentials and sensitive information. GooseEgg serves as a launcher that can initiate other applications with elevated permissions, supporting activities like remote code execution and lateral movement in compromised networks. APT28, linked to the Russian GRU and known for cyber-espionage, targets entities across Ukrainian, Western European, and North American government, education, and transportation sectors. Microsoft urges sysadmins to patch the exploited vulnerability or disable Print Spooler and recommends using EDR or XDR tooling to detect GooseEgg.

The White House and HHS update HIPAA rules to protect private medical data. 

The Biden administration introduced new rules on Monday aimed at protecting the privacy of abortion providers and patients from conservative legal challenges. These regulations, updated by the Department of Health and Human Services (HHS), prohibit healthcare providers, insurers, and related entities from disclosing health information to state officials involved in investigating or prosecuting patients or providers related to abortion services. The updates to the Health Insurance Portability and Accountability Act (HIPAA), originally established in 1996, now address modern challenges in reproductive rights, particularly for those seeking legal abortions across state lines or under special circumstances like rape. These changes, set to take effect in two months, come amid significant concerns about the misuse of private medical data in the charged post-Dobbs legal environment. The new rule also mandates that any requests for health information related to reproductive health must be formally declared as unrelated to criminal investigations or legal actions.

Keyboard apps prove vulnerable. 

A pinyin keyboard app is used primarily for typing Chinese characters on devices like smartphones, tablets, and computers. In a pinyin keyboard app, users type out the phonetic spelling of Chinese words using the Latin alphabet. The app then displays a list of Chinese characters or phrases that match the typed pinyin sounds. Users can select the correct character from this list to input into their text. This method simplifies the process of typing in Chinese and is widely used both in China and globally by those who need to input Chinese text electronically.

Research from Citizen Lab uncovers significant security vulnerabilities in cloud-based pinyin keyboard apps used by approximately one billion users globally. The study analyzed apps from nine vendors, finding security lapses in eight, which could expose user keystrokes to passive network surveillance. Citizen Lab says these vulnerabilities were not previously identified in security literature.

A New Hampshire hospital suffers a data breach. 

Nearly 2,800 patients at Catholic Medical Center in New Hampshire may have had their personal and health information exposed due to a data breach at Lamont Hanley & Associates Inc., a third-party vendor handling account receivable management for the hospital. This incident involved unauthorized access to an employee's email account through a phishing attempt. Although the investigation, aided by cybersecurity experts, did not confirm data theft, the possibility could not be entirely excluded. Affected individuals will be notified and offered free credit monitoring services. This disclosure follows significant layoffs at the hospital due to financial difficulties.

Microsoft’s DRM proves vulnerable to compromise. 

Adam Gowdiak of AG Security Research discovered vulnerabilities in Microsoft’s PlayReady technology, which is used by streaming services to protect content. He demonstrated that these vulnerabilities could be exploited to illegally download movies by extracting plaintext content keys during a specific phase of the encryption process. This exploit does not require hacking into set-top boxes but leverages weaknesses in Windows’ Protected Media Path and Warbird compiler technologies. The findings could potentially affect major platforms like Netflix, HBO Max, and Amazon Prime Video, which use PlayReady. Despite Microsoft’s claim that the issue is related to third-party client settings, Gowdiak’s continued research suggests systemic vulnerabilities within PlayReady itself.


Next up on our Industry Voices segment, Microsoft Security Strategist Ian Leatherman discusses raising the bar for security in the software supply chain.

We’ll be right back

Welcome back

GoogleTeller can’t keep quiet. 

That sound you’re hearing is your computer sharing your data with Google. Let me explain. 

Dutch software developer Bert Hubert created a tool named googerteller, which emits a noise whenever his computer sends data to Google. The idea, which Hubert says he’d contemplated for years, materialized into software that alerts users of data transmission to Google without their consent. Following viral attention from his initial demonstration, Hubert enhanced the tool to detect data flows to other trackers like Facebook and numerous others, making evident the frequent and pervasive nature of online tracking. The tool's audible alerts bring a new dimension to understanding data privacy, highlighting the constant data exchange that occurs unnoticed.

For example, here’s the sound of someone interacting with Google’s home page, typing in a common search phrase.

Now, here’s the sound of browsing a web page from The Daily Mail, a site notorious for Hoovering up as much information as possible. 

Sounds like you’ve left the speaker on from your 1200 baud modem. 

This experiment underscores the visceral impact of real-time awareness tools in promoting transparency and fostering critical discussions on privacy. Hubert hopes to evolve the tool further, including visual aids for those hard of hearing and expanding its availability across more platforms.

In our daily editorial team meeting, one of our producers suggested replacing the clicking sound with the famous Wilhelm Scream. <scream goes here> Talk about the stuff of nightmares…

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.



We’d love to know what you think of this podcast. You can email us at—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.