The CyberWire Daily Podcast 6.11.24
Ep 2086 | 6.11.24

Hijacking your heritage.

Transcript

23andMe’s looming bankruptcy could pause class-action privacy lawsuits. The FCC focuses on BGP. The White House looks to big tech to help secure rural hospitals. Cylance confirms a data breach. Arm warns of GPU kernel driver vulnerabilities. The world's largest law firm faces class action over the MOVEit hack. SAP releases high priority patches. Apple redefines AI - literally - and offers up Private Cloud Compute at their developer’s conference. Guest Chris Novak, Senior Director of Cyber Security Consulting at Verizon, shares highlights and key takeaways of their recently published 2024 Data Breach Investigations Report (DBIR). Share your love — but not your passwords.

Today is Tuesday June 11th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

23andMe’s looming bankruptcy could pause class-action privacy lawsuits. 

In December 2023, 23andMe disclosed that hackers accessed the personal information of 5.5 million people using its DNA Relatives feature. The stolen data included names, birth years, relationship labels, ancestry reports, and self-reported locations. Initially, in October 2023, the company had reported only 14,000 individuals affected.

An additional 1.4 million users also had their Family Tree profile information accessed, bringing the total to about 6.9 million people impacted. The attackers had access to 23andMe accounts from April to September 2023.

A class-action lawsuit filed in January accused 23andMe of failing to notify customers of Chinese and Ashkenazi Jewish heritage that they were specifically targeted, with their genetic information sold on the dark web.

US District Judge Edward Chen indicated a potential pause in discovery in these lawsuits as 23andMe faces bankruptcy. The company, already struggling financially, saw its net loss more than double from $311.7 million to $666.7 million between fiscal years 2023 and 2024. Losing the lawsuits could push the company further towards bankruptcy, potentially resulting in damages exceeding $3 billion under the Illinois Genetic Information Privacy Act.

Despite these challenges, the value of 23andMe's DNA database might attract interest for drug development deals. Additionally, the Information Commissioner’s Office and the Office of the Privacy Commissioner of Canada launched a joint investigation into the breach, scrutinizing 23andMe’s data protection measures and breach notifications. 23andMe has stated its intention to cooperate with these investigations.

The FCC focuses on BGP. 

The U.S. Federal Communications Commission (FCC) is advancing security mandates for major internet providers, focusing on weaknesses in the Border Gateway Protocol (BGP). The FCC approved a proposal requiring the nine largest U.S. broadband providers to create confidential BGP security risk management plans. These plans must include route origin authorizations (ROAs) registered through the Resource Public Key Infrastructure (RPKI), which let other networks check whether an announced route really comes from the network authorized to originate it.

This initiative follows warnings that attackers exploit BGP weaknesses to hijack or disrupt traffic. The FCC's interest in BGP security intensified after a Russian-linked hijacking incident in Ukraine in 2022. The proposed rules would also require smaller providers to maintain BGP security plans and produce them within 48 hours of a request, and they emphasize transparency and accountability through publicly available information on providers' routing security actions.
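The route origin validation that RPKI ROAs make possible, as an added example that is not part of the original episode and not FCC or vendor code: given a set of Validated ROA Payloads (the prefix, maxLength and origin AS triples a relying-party cache hands to a router), it classifies each announced route as Valid, Invalid or NotFound per RFC 6811 and applies the usual drop-Invalid policy. The ROA set and the routes are constructed from documentation prefixes and private ASNs, not real routing data.

```python
"""RPKI route origin validation (RFC 6811) against a constructed ROA set.

Added example, not FCC or RPKI project code. VRP = Validated ROA Payload,
the (prefix, maxLength, origin AS) triple a relying-party cache hands a router.
"""
from dataclasses import dataclass
from enum import Enum
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import Dict, Iterable, List, Tuple, Union

Network = Union[IPv4Network, IPv6Network]


class RovState(Enum):
    VALID = "valid"          # some covering ROA authorises this origin at this length
    INVALID = "invalid"      # covered by ROAs, but none authorise this origin/length
    NOT_FOUND = "not-found"  # no ROA covers the prefix at all


@dataclass(frozen=True)
class VRP:
    prefix: Network
    max_length: int
    asn: int


def make_vrp(prefix: str, max_length: int, asn: int) -> VRP:
    """Build a VRP, rejecting maxLength values a ROA could not express."""
    net = ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {net}")
    return VRP(net, max_length, asn)


def covers(v: VRP, announced: Network) -> bool:
    """A VRP covers an announcement when the announced prefix lies inside the ROA prefix."""
    return v.prefix.version == announced.version and announced.subnet_of(v.prefix)


def validate_origin(prefix: str, origin_asn: int, vrps: Iterable[VRP]) -> RovState:
    """RFC 6811 section 2: NotFound if nothing covers the route, Valid if any
    covering VRP matches both the origin AS and the maxLength, otherwise Invalid."""
    announced = ip_network(prefix, strict=True)
    covering = [v for v in vrps if covers(v, announced)]
    if not covering:
        return RovState.NOT_FOUND
    if any(v.asn == origin_asn and announced.prefixlen <= v.max_length for v in covering):
        return RovState.VALID
    return RovState.INVALID


def apply_rov_policy(routes: Iterable[Tuple[str, int]], vrps: Iterable[VRP]
                     ) -> Dict[str, List[Tuple[str, int]]]:
    """The common operator policy: drop Invalid, accept Valid and NotFound.
    NotFound has to be accepted because most of the routing table still has no ROA."""
    vrps = list(vrps)
    result: Dict[str, List[Tuple[str, int]]] = {"accepted": [], "dropped": []}
    for prefix, asn in routes:
        state = validate_origin(prefix, asn, vrps)
        result["dropped" if state is RovState.INVALID else "accepted"].append((prefix, asn))
    return result


# Constructed ROA set (documentation prefixes and private ASNs); not real routing data.
VRPS = [
    make_vrp("192.0.2.0/24", 24, 64496),    # AS64496 may announce exactly the /24
    make_vrp("2001:db8::/32", 48, 64496),   # AS64496 may announce the /32 down to /48s
    make_vrp("198.51.100.0/24", 24, 0),     # AS0 ROA: nobody may originate this prefix
]

if __name__ == "__main__":
    checks = [
        ("192.0.2.0/24", 64496),     # legitimate announcement -> valid
        ("192.0.2.0/25", 64496),     # more specific than maxLength -> invalid (hijack shape)
        ("192.0.2.0/24", 64500),     # wrong origin AS -> invalid
        ("203.0.113.0/24", 64500),   # no ROA -> not-found
        ("198.51.100.0/24", 64496),  # AS0 ROA -> invalid for every origin
    ]
    for prefix, asn in checks:
        print(f"{prefix:<18} AS{asn:<6} {validate_origin(prefix, asn, VRPS).value}")
```

Two details matter in practice. A ROA for 192.0.2.0/24 with maxLength 24 makes a more-specific /25 Invalid even when the right AS announces it, and that more-specific is exactly the shape a hijacker uses to win the longest-match decision, so operators should only raise maxLength for lengths they actually announce. And NotFound must remain accepted, since most prefixes still have no ROA, which is why the plans the FCC is asking for centre on getting ROAs created in the first place.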

The White House looks to big tech to help secure rural hospitals. 

The Biden-Harris administration secured commitments from Microsoft and Google to enhance cyber defenses for rural hospitals. Microsoft will extend its nonprofit program, offering grants and up to a 75% discount on security products for critical access and rural emergency hospitals. Larger rural hospitals using eligible Microsoft solutions will receive advanced security suites free for one year. Microsoft will also provide free cybersecurity assessments, training, and extend Windows 10 security updates for a year at no cost.

Google will offer free endpoint security advice and funding support for software migration, launching a pilot program for a tailored security package for rural hospitals. These efforts aim to strengthen healthcare sector resilience amid a 128% surge in cyberattacks from 2022 to 2023.

Cylance confirms a data breach. 

Security firm Cylance confirmed that data being sold on a hacking forum is old information stolen from a third-party platform. The threat actor Sp1d3r is selling the data, which includes 34 million customer and employee emails and other personally identifiable information, for $750,000. Researchers believe the data is old marketing information once used by Cylance. BlackBerry Cylance stated that no current customers are affected and that no sensitive information is involved. The data appears to date from 2015 to 2018, before BlackBerry's acquisition of Cylance. Separately, Sp1d3r is selling data from Advance Auto Parts, linked to a Snowflake account breach. Recent breaches at other companies have also been linked to Snowflake attacks by the threat actor UNC5537, which uses stolen credentials to log in to accounts that have no multi-factor authentication enabled.
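What that last sentence looks like from the defender's side, as an added example that is not part of the original episode and not Snowflake's own code or log schema: a small detector over login events that flags successful password-only logins, rates them higher when the source IP has also been cycling through many usernames (the credential-stuffing signature), and lists the accounts that never presented a second factor. The event shape, users and IPs are constructed for the example.

```python
"""Spot single-factor logins and credential-stuffing sources in a login log.

Added example with a constructed event shape; this is not Snowflake's real
login history schema, and the IPs and users are documentation values.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class LoginEvent:
    ts: int                       # epoch seconds
    user: str
    ip: str
    success: bool
    second_factor: Optional[str]  # None when only a password was presented


def single_factor_successes(events: Iterable[LoginEvent]) -> List[LoginEvent]:
    """Successful logins completed with a password alone: exactly the accounts
    a stolen credential is enough to take over."""
    return [e for e in events if e.success and e.second_factor is None]


def stuffing_sources(events: Iterable[LoginEvent], min_users: int = 3) -> Dict[str, int]:
    """Source IPs that tried many distinct usernames. Stuffing looks like one or
    two attempts per account across many accounts, not many attempts on one
    account, so count users per IP rather than failures per user."""
    users_by_ip: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        users_by_ip[e.ip].add(e.user)
    return {ip: len(u) for ip, u in users_by_ip.items() if len(u) >= min_users}


def findings(events: Iterable[LoginEvent], min_users: int = 3) -> List[Tuple[str, str, str]]:
    """(user, ip, severity) for every single-factor success, in time order;
    'high' when the source IP also shows the stuffing pattern."""
    events = list(events)
    stuffing = stuffing_sources(events, min_users)
    return [
        (e.user, e.ip, "high" if e.ip in stuffing else "medium")
        for e in sorted(single_factor_successes(events), key=lambda e: e.ts)
    ]


def users_without_mfa(events: Iterable[LoginEvent]) -> Set[str]:
    """Accounts that never presented a second factor on any successful login
    in the window: the remediation list, not just the alert list."""
    has_mfa: Dict[str, bool] = {}
    for e in events:
        if e.success:
            has_mfa[e.user] = has_mfa.get(e.user, False) or e.second_factor is not None
    return {u for u, ok in has_mfa.items() if not ok}


# Constructed sample log: one stuffing source, one MFA-protected user, one stray.
EVENTS = [
    LoginEvent(1000, "alice", "203.0.113.9", False, None),
    LoginEvent(1001, "bob",   "203.0.113.9", False, None),
    LoginEvent(1002, "carol", "203.0.113.9", False, None),
    LoginEvent(1003, "dave",  "203.0.113.9", True,  None),    # stolen password, no MFA
    LoginEvent(1004, "eve",   "198.51.100.7", True, "totp"),  # second factor completed
    LoginEvent(1005, "frank", "192.0.2.5",   True,  None),    # single factor, no stuffing signal
]

if __name__ == "__main__":
    for user, ip, severity in findings(EVENTS):
        print(f"{severity:<6} {user:<6} from {ip}")
    print("accounts without MFA:", sorted(users_without_mfa(EVENTS)))
```

The two lists serve different teams: `findings` is what a SOC would alert on today, while `users_without_mfa` is the list identity engineering works through to enforce a second factor, which is the control that would have made the stolen credentials worthless.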

Arm warns of GPU kernel driver vulnerabilities. 

Arm issued a security bulletin about a use-after-free vulnerability (CVE-2024-4610) in its Bifrost and Valhall GPU kernel drivers that is being exploited in the wild. The flaw affects driver versions r34p0 through r40p0 and can lead to information disclosure and arbitrary code execution: a local, non-privileged user can perform improper GPU memory processing operations to gain access to memory that has already been freed.

The vulnerability was fixed in driver version r41p0, released on November 24, 2022. Because Android's supply chain runs through chipset vendors and device makers, however, the fix may reach end users late, and some impacted devices may no longer receive security updates at all. Bifrost GPUs are found in smartphones, tablets, and embedded systems, while Valhall GPUs are in high-end devices and smart TVs.

The world's largest law firm faces class action over the MOVEit hack. 

Kirkland & Ellis, the world's largest law firm by revenue, is facing a proposed class action over a data breach linked to the May 2023 hack of Progress Software's MOVEit Transfer managed file transfer product. The lawsuit accuses Kirkland and other companies, including Humana and Progress Software, of failing to protect personal information. The breach affected millions of people and led to numerous lawsuits, now centralized in Massachusetts federal court under U.S. District Judge Allison Burroughs.

Kirkland represented Trilogy Home Healthcare in its acquisition by Humana's CenterWell Home Health, transferring files with private information using MOVEit. The lawsuit, filed on behalf of at least 4,700 people, claims Kirkland delayed notifying Trilogy of the breach until October, with customers informed in March 2024. The ransomware gang cl0p claimed responsibility for the hack.

SAP releases high priority patches. 

SAP announced the release of ten new and two updated security notes for its June 2024 Security Patch Day. This includes two high-priority patches: a cross-site scripting (XSS) vulnerability in Financial Consolidation (CVE-2024-37177, CVSS score 8.1), and a denial-of-service (DoS) vulnerability in SAP NetWeaver AS Java (CVE-2024-34688, CVSS score 7.5).

The XSS flaw lets an attacker inject script into pages served by Financial Consolidation, with a high impact on confidentiality and integrity, while the DoS issue stems from unrestricted access to Meta Model Repository services in AS Java, which attackers can abuse to disrupt the service.

Eight medium-severity vulnerabilities affect various SAP products, leading to potential DoS conditions, file uploads, information disclosure, or data tampering. Two low-severity issues in BusinessObjects Business Intelligence Platform and Central Finance Infrastructure Components were also addressed. Organizations are urged to update their systems promptly.

Apple redefines AI - literally - and offers up Private Cloud Compute at their developer’s conference. 

Yesterday at its Worldwide Developers Conference, Apple addressed user concerns about sharing personal data with AI companies by introducing the "Apple Intelligence" system, which uses "Private Cloud Compute" to protect data processed on cloud servers. Yes, you heard that right - as far as Apple is concerned, AI no longer stands for Artificial Intelligence, it stands for Apple Intelligence. Craig Federighi, Apple's Senior VP of Software Engineering, emphasized that users shouldn't have to hand over personal details to AI clouds. Many of Apple's generative AI models run on-device, so the data they process never leaves the device.

When Apple Intelligence determines that cloud processing is necessary, it will use servers built on Apple silicon with built-in Swift security tools, sending only the data relevant to the request and ensuring that it is neither stored nor used for further training. Federighi said the system is verifiable: the server code will be publicly accessible for inspection by independent experts. Apple says this transparency is meant to set a new standard for privacy in AI.

Coming up, I caught up with Verizon's Senior Director of Cyber Security Consulting Chris Novak to discuss some highlights and key takeaways of their recently published 2024 Data Breach Investigations Report (DBIR). We'll be right back.

Welcome back. You can find a link to the 2024 DBIR report in our show notes. Thanks to Chris for joining us. 

Share your love — but not your passwords. 

And finally, our Affairs of the Heart desk reminds us that sharing is caring—right up until the moment it isn’t. Malwarebytes’ new research shows that love and digital life don't always mix well. Couples often share passwords, locations, and devices, but this can lead to anything from Netflix mooching to serious privacy invasions, like spying through smart doorbells.

Malwarebytes surveyed 500 committed partners: 30% regretted location sharing, 27% worried about being tracked, and 23% feared unauthorized account access. These concerns highlight that trust in a relationship doesn’t mean sharing every digital detail.

Breakups make this messier. Ever had an ex binge-watch on your Netflix? Annoying. But shared shopping accounts? Risky—they can expose your location and payment info. For domestic abuse survivors, any data leak can be dangerous.

Smart home devices add another layer of risk. Exes have been known to misuse these gadgets for spying, turning what should be convenient tech into tools for harassment.

Ultimately, while tech can enhance relationships, it’s crucial to know the risks. Sharing should be based on trust, not pressure, and proper measures can help ensure your digital life remains private and secure. For those in harmful situations, resources like the National Network to End Domestic Violence are available for support.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.