Kaiser Permanente's privacy predicament.

Healthcare providers report breaches affecting millions. PlugX malware is found in over 170 countries. Hackers exploit an old vulnerability to launch Cobalt Strike. A popular Wordpress plugin is under active exploitation. Developing nations may serve as a test bed for malware developers. German authorities question Microsoft over Russian hacks. CISA celebrates the success of their ransomware warning program. Our guest is Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, discussing open source software. Password trends are a mixed bag.

Today is April 26th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Health care providers report breaches affecting millions. 

Kaiser Permanente, a major U.S. healthcare provider, reported a security breach affecting 13.4 million individuals. The breach involved sharing patient data, including names and IP addresses, with third-party companies like Google, Microsoft, and X-Twitter for advertising purposes. This information was collected through their website and mobile apps, but did not include sensitive details like Social Security Numbers or financial data. Kaiser has since removed the tracking codes responsible for the data sharing. There's no evidence yet of misuse of this exposed information. This incident follows a June 2022 breach at Kaiser where an email compromise exposed the health details of 69,000 people. Kaiser operates 39 hospitals and over 700 medical offices across multiple U.S. states.

Meanwhile, the Los Angeles County Department of Health Services experienced a phishing attack on February 19-20, 2024, leading to a data breach impacting 6,085 patients. Hackers accessed the login credentials of 23 employees, compromising their email inboxes which contained patients' personal and health information, including names, contact details, medical records, and health plan data. However, Social Security Numbers and financial details were not exposed. Following the breach, the department took steps such as disabling affected accounts, re-imaging devices, and enhancing email security. They also alerted employees to the risks of phishing. Notifications have been sent to affected individuals and relevant authorities, although there has been no reported misuse of the exposed data.

PlugX malware is found in over 170 countries. 

Researchers at cybersecurity firm Sekoia have discovered the China-linked PlugX malware in over 170 countries. Initially developed in 2008 by companies tied to the Chinese Ministry of State Security, the malware has been widely used for espionage. Its spread intensified in 2020 when hackers added features enabling transmission via USB drives, targeting networks that are usually offline. In September 2023, Sekoia took over a command and control server for PlugX, observing daily connections from up to 100,000 unique IP addresses and identifying over 2.5 million unique IPs in six months. The data revealed significant infection rates particularly in Nigeria, India, Iran, and the USA, among others. Researchers speculate that the malware’s distribution could relate to strategic locations important to China’s Belt and Road Initiative, suggesting its use in gathering intelligence on these regions. Despite the potential for a mass disinfection campaign, legal and technical challenges have led to a more cautious approach, leaving the decision to national authorities.

Hackers exploit an old vulnerability to launch Cobalt Strike. 

Hackers have exploited an old Microsoft Office vulnerability to launch Cobalt Strike Beacon attacks in Ukraine. This vulnerability, identified in 2017, allows attackers to execute arbitrary code through specially crafted files. The campaign involved a deceptive Powerpoint Slideshow file posing as a US Army manual, which evaded security measures by using an external OLE object linked via a scripted HTTPS URL. This method demonstrates the attackers' emphasis on stealth. The Cobalt Strike Beacon, central to this attack, communicated with a C&C server disguised as a photography website, indicating sophisticated evasion tactics. Although the attackers remain unidentified, the operation's detection at all stages highlights the necessity for vigilant and advanced cybersecurity measures. The team at Deep Instinct Threat labs are credited with much of the research. 

A popular Wordpress plugin is under active exploitation. 

Threat actors are exploiting a critical vulnerability in the WordPress Automatic plugin, enabling SQL injection to inject code into websites and create administrator accounts. This flaw allows attackers to bypass user authentication, upload malicious files, and gain sustained access by renaming the vulnerable plugin file. WPScan has detected over 5 million attempts to exploit this vulnerability. Website administrators using WordPress Automatic are urged to update their installations immediately to prevent unauthorized access and potential site takeover.

Developing nations may serve as a test bed for malware developers. 

Cyber security firm Performanta reports that Hackers are increasingly using developing and emerging nations as testing grounds for new malware strains before launching attacks in wealthier countries. Organizations in Africa, Latin America, and Asia, with typically weaker security, are initially targeted. This tactic was noted in attacks on institutions like a bank in Senegal and a financial services company in Chile. One notable ransomware strain, Medusa, known for encrypting and threatening to publish data unless a ransom is paid, was first deployed against targets in South Africa, Senegal, and Tonga, before being used in more advanced economies such as the US and UK. This approach allows hackers to refine their methods before targeting high-profile victims in North America and Europe. Some experts suggest that ransomware gangs also sell their tools to less sophisticated hackers in poorer regions, contributing to the prevalence of attacks there.

German authorities question Microsoft over Russian hacks. 

Russian hackers, identified as Midnight Blizzard (also known as APT29 or Cozy Bear), compromised Microsoft's source code repository but only gained read-only access, without the ability to alter the code. This was disclosed by Microsoft senior executives during a closed-door meeting with the German parliamentary technology oversight committee. The breach, which involved viewing but not modifying code, was part of a broader discussion on security lapses highlighted by recent high-profile attacks and criticisms of Microsoft's security practices. German officials are particularly concerned about the potential risks to government operations relying heavily on Microsoft products. The hearing aimed to assess the hack's implications and ensure ongoing communication between Microsoft, the German committee, and the Federal Office for Information Security.

CISA celebrates the success of their ransomware warning program.   

The Cybersecurity and Infrastructure Security Agency (CISA) is reporting success with its Ransomware Vulnerability Warning Pilot, a program launched in January 2023 to alert organizations about internet-exposed vulnerabilities targeted by ransomware actors. The program, part of legislation signed by President Biden in 2022, led to 1,754 notifications last year, with 852 of those vulnerabilities being patched, controlled, or removed following the alerts. Most organizations see a significant reduction in risk within the first 90 days, with an average risk reduction of 40% within a year. The program primarily notified government and healthcare entities, highlighting its effectiveness in these critical sectors. By identifying and addressing these vulnerabilities, CISA aims to increase the operational costs for ransomware gangs and deter their activities through enhanced cyber defense.

 

Coming up on our guest segment, we’ve got CISA’s Executive Assistant Director for Cybersecurity Eric Goldstein talking about open source software.

We’ll be right back

Welcome back

Password trends are a mixed bag. 

A survey by Bitwarden revealed concerning trends in password management, with 54% of individuals globally relying on memory and 33% using pen and paper to manage passwords. The survey covered users from the US, UK, Australia, France, Germany, and Japan, highlighting widespread password reuse and the use of personal information in passwords. Despite 60% of respondents feeling confident in identifying phishing attacks and 68% in mitigating AI-enhanced cyber threats, 19% have experienced security breaches due to poor password practices, and 23% have had passwords stolen or compromised. At work, similar trends persist, with reliance on memory and paper still prevalent. However, the survey also notes a positive shift towards better security habits, including the adoption of password managers and two-factor authentication, reflecting a growing awareness and implementation of stronger cybersecurity measures.

As for committing passwords to memory? Heck, I can’t even remember what I had yesterday for lunch. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

 

N2K is excited to share the third installment of Cyber Talent Insights today. This three-part special series podcast explores cybersecurity workforce development from three different perspectives: the enterprise employer, the cyber practitioner, and cyber talent pipelines. Join Dr. Heather Monthie, Dr. Sasha Vanterpool, and Jeff Welganfor for a dynamic discussion that guides listeners through effective strategies to develop cybersecurity teams in the constantly changing landscape of the industry.

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.