The CyberWire Daily Podcast 4.30.24
Ep 2057 | 4.30.24

Ransomware is just a prescription for chaos.


UnitedHealth’s CEO testimony before Congress reveals details of the massive data breach. Major US mobile carriers are hit with hefty fines for sharing customer data. Muddling Meerkat manipulates DNS. A report from Sophos says ransomware payments skyrocketed this past year. The DOE addresses risks and benefits of AI. LightSpy malware targets macOS. A crucial Kansas City weather and traffic system is disabled by a cyberattack. A Canadian pharmacy chain shuts down temporarily following a cyberattack. Guest Kayla Williams, CISO from Devo, joins us to share CISO insights into the mounting pressure they feel in their roles and gives us a look into their plans for RSAC 2024. Pay attention - that AWS meter may be running.

Today is April 30th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

UnitedHealth’s CEO testimony before Congress reveals details of the massive data breach.

UnitedHealth CEO Andrew Witty provided a detailed account of the February ransomware attack on its subsidiary, Change Healthcare, during a House subcommittee hearing. Witty explained that the attack began when hackers used stolen credentials to access an unprotected Citrix portal used by Change Healthcare for remote employee access to their internal network. Critically, this portal did not have multi-factor authentication enabled, a security lapse that facilitated the unauthorized access.

Once inside the system, the hackers utilized sophisticated techniques to move laterally across the network and extracted data over the following days. The situation escalated nine days after the initial breach, on February 21, when the hackers deployed ransomware. In response, UnitedHealth was forced to shut down its network to contain the breach.

The cyberattack had severe financial repercussions, costing UnitedHealth over $870 million in the first quarter alone, despite the company's substantial revenue of nearly $100 billion during the same period. UnitedHealth confirmed that it had paid a ransom to the attackers, known as RansomHub, to prevent further distribution of the stolen data. RansomHub, which is the second gang to claim responsibility for this attack, had already begun posting portions of the data on the dark web, escalating the threat of wider data misuse.

This incident has brought to light significant security shortcomings in the healthcare industry's use of critical IT infrastructure and will likely prompt further investigation into why necessary security measures, such as multi-factor authentication, were not in place.

Major US mobile carriers are hit with hefty fines for sharing customer data. 

The FCC fined four major U.S. mobile carriers—Sprint, T-Mobile, AT&T, and Verizon—a total of nearly $200 million for selling customer location data without consent. According to the Communications Act, carriers must protect customer information and obtain explicit consent before sharing it. The FCC found that these carriers continued to sell sensitive location data to third parties through aggregators, even after realizing that safeguards were inadequate. This practice persisted despite the carriers being aware of unauthorized access incidents, including a case where a Missouri sheriff used such data to track individuals without their consent. The investigation and fines are part of broader efforts to hold carriers accountable for data privacy violations.

Muddling Meerkat manipulates DNS. 

The threat group "Muddling Meerkat," linked to Chinese state-sponsored actors, has been manipulating DNS systems globally since October 2019, with increased activity in September 2023. This group notably alters MX records via China's Great Firewall, introducing fake DNS responses—a new tactic for China's internet censorship system. Discovered by Infoblox, the exact intentions of Muddling Meerkat remain unclear, but the operations reflect a high level of sophistication in DNS manipulation. This activity involves creating DNS "noise" and possibly mapping network vulnerabilities to prepare for future attacks, showing advanced capabilities in testing and disrupting global DNS infrastructures.

A report from Sophos says ransomware payments skyrocketed this past year. 

According to Sophos' "The State of Ransomware 2024" report, average ransom payments skyrocketed by 500% over the past year, reaching $2 million per incident, up from $400,000 the previous year. Despite a slight decrease in the frequency of ransomware attacks—from 66% of organizations affected in 2023 to 59% in 2024—ransom demands have become significantly steeper, with 63% exceeding $1 million and 30% surpassing $5 million. Although fewer organizations are being targeted, those hit face more severe financial demands. Additionally, recovery from ransomware attacks has become costlier and more prolonged, with average recovery expenses rising to $2.73 million and fewer companies recovering within a week compared to the previous year.

The DOE addresses risks and benefits of AI. 

The U.S. Department of Energy (DOE) released a report assessing the potential benefits and risks of artificial intelligence (AI) in critical energy infrastructure. As the Sector Risk Management Agency for the U.S. energy sector, the DOE highlights AI's potential to significantly enhance security, reliability, and resilience across the sector. However, it also identifies the need for updated, risk-aware best practices for AI's safe and secure deployment. The report details ten AI applications and four risk categories, including unintentional failures and adversarial attacks. The DOE plans ongoing engagement with energy sector stakeholders to refine AI strategies and ensure resilient and secure energy systems. This effort aligns with broader federal initiatives to manage AI risks and leverage its advantages responsibly.

LightSpy malware targets macOS. 

The resurgence of LightSpy malware, now targeting macOS devices, has raised alarms in the cybersecurity community. Originally known in 2020 for infecting iOS devices, the new variant specifically compromises Apple’s desktop operating system. Discrepancies between BlackBerry's initial findings and Huntress's subsequent report highlight this shift. Huntress has confirmed that the malware's binaries are compiled for the x86_64 architecture, typical for macOS, not the ARM architecture used in iPhones. This variant exhibits more sophisticated operational security and advanced malware capabilities compared to its iOS counterpart. Security enhancements by Apple, including Lockdown Mode and tighter data access controls, aim to mitigate these risks. Huntress has also provided detection tools and indicators of compromise to help businesses protect against this evolving threat.

A crucial Kansas City weather and traffic system is disabled by a cyberattack. 

Last week, the Kansas City Scout System, a crucial bi-state traffic and weather management tool operated by the Departments of Transportation in Missouri and Kansas, was disabled by a cyberattack. This outage occurred during a weekend of severe storms, posing significant risks as the system displays real-time weather and traffic updates on highway signs and through its app and website. Following the attack, all systems, including traffic cameras and message boards, were shut down as a protective measure by the IT team. Restoration efforts are underway, but there is no specified timeline for when services will resume. The disruption has raised concerns about the inability to communicate urgent weather warnings to drivers, complicating safety measures during a critical time.

A Canadian pharmacy chain shuts down temporarily following a cyberattack. 

London Drugs, a Canadian pharmacy chain, has temporarily closed all its stores across Western Canada following a cybersecurity incident detected on April 28, 2024. The company has enlisted external cybersecurity experts to help contain the breach and conduct a forensic investigation. Although there is currently no evidence that customer or employee data was compromised, the company has taken extensive measures to secure its network and data. London Drugs has not yet notified authorities, as personal and health information appears to be unaffected. However, they have stated that they will inform impacted individuals and privacy commissioners if the ongoing investigation reveals any compromised personal information. In the meantime, customers with urgent pharmacy needs are advised to contact their local pharmacy.


Coming up, I speak with Devo CISO Kayla Williams. Kayla shares CISO insights into the mounting pressure they feel in their roles and gives us a look into their plans for RSAC 2024.

We’ll be right back.

Welcome back.

Pay extra attention - that AWS meter may be running. 

Maciej Pocwierz, Senior Software Engineer at Semantive, experienced significant frustration when their AWS bill skyrocketed to over $1,300 due to a misunderstanding involving the use of their S3 bucket. They set up a single bucket in the eu-west-1 region for a proof of concept, assuming it would remain within the free-tier limits. Instead, they found nearly 100,000,000 PUT requests had been made to their bucket in just one day, most of these from misconfigured instances of a popular open-source tool that had mistakenly used the same bucket name as a default.

He discovered that AWS charges for unauthorized requests (4xx errors), which were unexpectedly flooding their bucket from third-party systems. These charges were compounded by the fact that requests without a specified region were defaulting to us-east-1, resulting in additional redirection costs. Out of curiosity and an attempt to understand the scale of the issue, they temporarily allowed public writes to the bucket, quickly amassing over 10GB of random data, which underscored the potential for serious data leaks due to such misconfigurations.

They tried to mitigate the problem by reaching out to the maintainers of the open-source tool, the AWS security team, and the owners of the data they accidentally collected. However, responses were minimal or non-existent, adding to their frustration. Although AWS eventually waived the hefty bill as an exception, the ordeal highlighted critical lessons in cybersecurity and AWS usage, including the importance of specifying regions in requests and choosing unique bucket names to avoid similar costly mistakes. This incident was a painful but enlightening experience that exposed vulnerabilities in default configurations and third-party interactions with cloud services.

One day you're in the cloud; the next, you're thunderstruck by a $1,300 bill.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. You can email us at—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.