The CyberWire Daily Podcast 5.17.24
Ep 2070 | 5.17.24

MediSecure data breach hits Aussie healthcare.

Transcript

Australia warns of a large-scale ransomware data breach. The justice department charges five with helping North Korean IT workers evade sanctions. The FCC wants to beef up BGP. Antidot is a new Android banking trojan. The SEC enhances disclosure obligations. Researchers uncover vulnerabilities in GE ultrasound devices. A Baltimore neo-Nazi pleads guilty to conspiring to take down an electrical grid. On our Solution Spotlight: N2K’s Simone Petrella speaks with Alicja Cade, Director in Google Cloud's Office of the CISO, about the CISO role, board communication, and cyber workforce development. “Tanks” for the warm water, but you can keep the vulnerabilities.

Today is Friday (!) May 17th, 2024. I’m Dave Bittner, and I’m back with your CyberWire Intel Briefing.

Australia warns of a large-scale ransomware data breach. 

The Australian government has issued a warning about a “large-scale ransomware data breach” impacting healthcare data, disclosed by prescription company MediSecure. The breach, affecting personal and health information, is believed to have originated from a third-party vendor. MediSecure emphasized transparency and promised updates on its website. This incident recalls the October 2022 ransomware attack on Medibank, which led to the publication of sensitive healthcare data for 480,000 individuals on the dark web, prompting significant cybersecurity reforms in Australia. The national cybersecurity coordinator and the federal police are investigating the MediSecure breach, with limited details currently available. Cybersecurity Minister Clare O’Neil confirmed she had been briefed and stressed the importance of avoiding speculation to support the ongoing response efforts.

The justice department charges five with helping North Korean IT workers evade sanctions. 

The US Justice Department has charged a US woman and a Ukrainian man, along with three unidentified foreign nationals, for helping North Korean IT workers secure remote jobs at US companies using false identities. This scheme involved defrauding over 300 companies, including several Fortune 500 firms, by using US payment platforms and proxies to disguise the workers' locations. The operation generated at least $6.8 million for North Korea from October 2020 to 2023. The US State Department is offering up to $5 million for information disrupting the financial mechanisms supporting North Korea or identifying the three foreign nationals involved. The FBI has also issued a warning to help companies avoid hiring North Korean IT workers posing as freelancers.

The FCC wants to beef up BGP. 

FCC Chairwoman Jessica Rosenworcel proposes requiring ISPs to submit confidential reports on securing the Border Gateway Protocol (BGP), a critical internet routing system. The proposal aims to protect against national security threats by bad actors exploiting BGP vulnerabilities. The FCC's interest in BGP security heightened in 2022 due to threats from Russian hackers. BGP hijacks can lead to data theft, extortion, espionage, and disrupted transactions. The proposal includes implementing origin validation and RPKI to ensure route legitimacy. Major ISPs would need to develop and report BGP security plans and submit public quarterly progress updates. The FCC will vote on this proposal in June. Experts say enhancing BGP security is crucial for national security, communication, and commerce.
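The origin-validation check the proposal refers to, as an added example that is not part of the podcast, the FCC proposal, or any vendor's code: a minimal RFC 6811 Route Origin Validation over constructed ROAs (the prefixes and AS numbers below are documentation-range placeholders, not real routes).

```python
# Added example: RPKI Route Origin Validation (RFC 6811) over constructed ROAs.
# A ROA states which origin AS may announce a prefix and how specific the
# announcement may be (maxLength). A BGP hijack that originates a covered prefix
# from the wrong AS, or as a more-specific beyond maxLength, evaluates "invalid".
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # e.g. "192.0.2.0/24"
    max_length: int  # longest prefix length allowed under this ROA
    origin_as: int   # authorized origin AS number


def _covers(roa: ROA, announced) -> bool:
    """True if the ROA prefix contains the announced prefix (same IP version)."""
    net = ipaddress.ip_network(roa.prefix)
    return net.version == announced.version and announced.subnet_of(net)


def validate_origin(announced_prefix: str, origin_as: int, roas) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    announced = ipaddress.ip_network(announced_prefix, strict=False)
    covering = [r for r in roas if _covers(r, announced)]
    if not covering:
        return "not-found"          # no ROA speaks to this prefix at all
    for roa in covering:
        if roa.origin_as == origin_as and announced.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"                # covered, but wrong AS or too specific


def should_accept(state: str) -> bool:
    """Common deployment policy: drop 'invalid', still accept 'not-found'."""
    return state != "invalid"


# Constructed sample ROAs using documentation prefixes and private AS numbers.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64496),
]

if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                     ("192.0.2.0/24", 64511), ("198.51.100.0/24", 64496)]:
        state = validate_origin(pfx, asn, SAMPLE_ROAS)
        print(f"{pfx} from AS{asn}: {state} -> accept={should_accept(state)}")
```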

Antidot is a new Android banking trojan. 

Threat intelligence firm Cyble has identified a new Android banking trojan, Antidot, which steals user credentials and conversations while also spying on them. Disguised as a Google Play update, Antidot uses overlay attacks to collect credentials. Its capabilities include remote control via VNC, keylogging, screen recording, forwarding calls, collecting contacts and SMS messages, and performing USSD requests. The malware tricks users into granting permissions by displaying a fake Google Play update page in their language. Antidot then communicates with a command-and-control server to execute various tasks like unlocking the device, making calls, and initiating VNC to control the device. It uses WebView to show phishing pages and capture credentials through overlay attacks, targeting banking and cryptocurrency apps. Cyble highlights Antidot’s advanced features and stealthy operations, aimed at evading detection.

The SEC enhances disclosure obligations. 

The SEC has unanimously adopted new rules to enhance financial firms' obligations to warn investors about privacy breaches. Updating regulations from 2000, the amendments require broker-dealers, investment companies, registered advisers, and transfer agents to develop policies for detecting, responding to, and recovering from data breaches. Firms must now notify customers if their personal information has likely been exposed. SEC Chair Gary Gensler emphasized the need for these updates to protect investors’ financial data. The rule changes take effect 60 days after publication, with larger firms having 18 months and smaller firms 24 months to comply.

Researchers uncover vulnerabilities in GE ultrasound devices. 

Researchers from Nozomi Networks discovered 11 security vulnerabilities in GE HealthCare's Vivid Ultrasound products and two related software programs, with severities ranging from 5.7 to 9.6 on the CVSS scale. Issues include missing encryption and hardcoded credentials. Some vulnerabilities could lead to remote code execution (RCE) with full privileges, though the most severe cases require physical access, reducing risk. However, physical access is feasible in hospitals and clinics. For instance, the Vivid T9 system’s GUI could be bypassed to gain administrative privileges and execute arbitrary code, while the EchoPAC software could be compromised using hardcoded credentials. Patches and mitigations are available on GE HealthCare's product security portal.

A Baltimore neo-Nazi pleads guilty to conspiring to take down an electrical grid. 

Sarah Beth Clendaniel, 36, pleaded guilty to conspiring with neo-Nazi leader Brandon Russell to destroy electrical substations around Baltimore, aiming to cause massive destruction. Clendaniel, who planned the attack with Russell, called it a plot that would "completely lay this city to waste." She admitted to charges of conspiracy to damage an energy facility and illegal firearm possession. The government will recommend a sentence of up to 18 years. The FBI described Russell's group, Atomwaffen Division, as a racially motivated extremist organization. Clendaniel, who has a terminal illness, sought to target five substations to create a cascading power failure. Authorities found firearms and ammunition at her home, despite her being prohibited from possessing them due to past felony convictions. Russell's trial is set for July 9.

After the break, we will jump back into last week’s RSA Conference where N2K’s Simone Petrella talked with Google Cloud’s Alicja (pronounced like Aleesha) Cade on our Solution Spotlight about the CISO role, board communication, and cyber workforce development.

We’ll be right back.

Welcome back. That was N2K’s Simone Petrella and Google Cloud’s Alicja Cade on our Solution Spotlight from the 2024 RSA Conference. 

Tanks for the warm water, but you can keep the vulnerabilities. 

And finally, our home automation desk shares a story about a homeowner’s quest for hot water that took an unexpected turn. When Ars Technica senior technology reporter Kevin Purdy and his wife moved into a new house, they found a Rinnai tankless water heater installed. These heaters are energy-efficient but take their sweet time to deliver hot water.

One day, while trying to solve the issue of slow hot water, he discovered a Wi-Fi module magnetically stuck to the back of the heater. Installing the module, he found he could control the heater with an app, triggering the recirculation feature to get hot water faster. This seemed like a win, but the app was clunky and required him to pull out his phone every time he wanted hot water.

Being a home automation enthusiast, he dug deeper and found an unofficial Rinnai component that allowed for more advanced control. He could now set the heater to recirculate on a schedule, triggered by various conditions. Everything was working great until he discovered a serious security flaw in the system.

With just an email address, anyone could control the water heater. This meant a bad actor could potentially make the water scalding hot or continuously recirculate, wasting energy and water. He collaborated with other tech enthusiasts to verify the issue and prepared a security advisory for Rinnai.

Despite the serious nature of the flaw, the company was slow to respond. Eventually, Rinnai updated their authentication system and released a new app, but the experience left him wary of relying too heavily on smart devices.

Throughout this process, he realized the challenges of DIY tech solutions. Companies might issue DMCA notices or legal threats against those who create unofficial integrations, even if they improve functionality. However, he also found a supportive community of like-minded individuals who shared his passion for smarter, more efficient home automation.

In the end, he successfully automated his water heater using open-source tools and a bit of ingenuity. Now, he enjoys hot water on demand without the hassle of waiting. It was a winding journey filled with surprises, but it ended with a warm and satisfying result.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
Be sure to check out Research Saturday this weekend, where I am joined by Hosein Yavarzadeh from the University of California San Diego, discussing his work on "Pathfinder: High-Resolution Control-Flow Attacks Exploiting the Conditional Branch Predictor." That’s Research Saturday, check it out!

Following yesterday’s report on the international law enforcement takedown of BreachForums, we have a special edition podcast this weekend about the 10th anniversary of the first indictment against the PLA. It features my conversation with Dave Hickton, the US Attorney who signed that indictment. Watch for it in your CyberWire Daily podcast feed on Sunday.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.