The CyberWire Daily Podcast 8.14.24
Ep 2129 | 8.14.24

A health bot’s security slip-up.

Transcript

Researchers at Tenable uncovered severe vulnerabilities in Microsoft’s Azure Health Bot Service. Scammers use deepfakes on Facebook and Instagram. Foreign influence operations target the Harris presidential campaign. An Idaho not-for-profit healthcare provider discloses a data breach. Research reveals a troubling trend of delayed and non-disclosure of ransomware attacks by organizations. Patch Tuesday roundup. Palo Alto Networks’ Unit 42 revealed a significant security risk in open-source GitHub projects. Enzo Biochem will pay $4.5 million to settle charges of inadequate security protocols. Our guest, Stephanie Schneider, Cyber Threat Intelligence Analyst at LastPass, joins us to discuss the ongoing Snowflake account attacks driven by exposed legitimate credentials. Mining for profits on Airbnb.

Today is Wednesday, August 14th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Researchers at Tenable uncovered severe vulnerabilities in Microsoft’s Azure Health Bot Service. 

Researchers at Tenable uncovered severe vulnerabilities in Microsoft’s Azure Health Bot Service, a platform for AI-powered healthcare chatbots, which allowed unauthorized access to user and customer information. Among the vulnerabilities was a critical privilege escalation issue (CVE-2024-38109) that enabled attackers to move laterally within Microsoft’s cloud infrastructure. By exploiting a server-side request forgery, researchers bypassed security filters, gaining access to Azure’s Instance Metadata Service (IMDS) and obtaining an access token. This token allowed them to list hundreds of resources belonging to other customers. Microsoft quickly mitigated this flaw by rejecting redirect status codes for data connection endpoints. Additionally, another privilege escalation vulnerability was found in the Data Connections feature, though it was less severe and did not provide cross-tenant access. Both vulnerabilities were promptly addressed by Microsoft, and there is no evidence of exploitation by malicious actors.
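The mitigation described above, refusing redirects and keeping customer-supplied endpoints away from IMDS, as an added defensive example in Python. This is not Microsoft’s or Tenable’s code; the function names, the example hostnames and the injectable resolver stub are assumptions made for the example.

```python
import http.client
import ipaddress
import socket
from urllib.parse import urlparse

def is_blocked_address(ip_text: str) -> bool:
    """True for any address a customer-supplied endpoint must never reach.
    Azure IMDS (169.254.169.254) is link-local, so it is caught here along
    with loopback, RFC 1918 and every other non-global range."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_link_local or not ip.is_global

def validate_endpoint(url: str, resolve=socket.gethostbyname) -> str:
    """Return the resolved IP of an acceptable https endpoint or raise ValueError.
    `resolve` is injectable so the check can run offline."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError("only https URLs with a hostname are accepted")
    ip = resolve(parsed.hostname)
    if is_blocked_address(ip):
        raise ValueError(f"{parsed.hostname} resolves to blocked address {ip}")
    return ip

def is_safe_endpoint(url: str, resolve=socket.gethostbyname) -> bool:
    try:
        validate_endpoint(url, resolve)
        return True
    except ValueError:
        return False

def is_acceptable_status(status: int) -> bool:
    """Only a plain 200 passes. Every 3xx is refused: following it would re-issue
    the request to a URL the validator never saw, the bypass used in the finding."""
    return status == 200

def fetch_once(url: str, resolve=socket.gethostbyname) -> bytes:
    validate_endpoint(url, resolve)
    parsed = urlparse(url)
    # http.client never follows redirects, so a 3xx surfaces here. Caveat: the
    # connect re-resolves the hostname (DNS rebinding); production code should pin the IP.
    conn = http.client.HTTPSConnection(parsed.hostname, parsed.port or 443, timeout=5)
    try:
        conn.request("GET", parsed.path or "/")
        resp = conn.getresponse()
        if not is_acceptable_status(resp.status):
            raise ValueError(f"status {resp.status} rejected")
        return resp.read()
    finally:
        conn.close()
```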

Scammers use deepfakes on Facebook and Instagram.

Scammers are leveraging deepfake technology to promote fraudulent cryptocurrency investments on Meta platforms, using AI-generated videos featuring British Prime Minister Sir Keir Starmer and Prince William. These deepfakes, seen by an estimated 890,000 users on Facebook and Instagram, falsely endorse a scam platform called Immediate Edge. The videos claim users have been selected for “life-changing” opportunities, with one depicting Starmer announcing a “National Invest Platform.” Despite Meta’s efforts to remove the ads, over 250 deepfake ads featuring Starmer have appeared, leading to significant financial losses for victims. Even after being scammed, some victims continued to believe in the fake endorsements. Researchers highlight the growing problem of disinformation on Meta platforms, noting that this trend seems to be worsening despite the company’s policies against such misuse.

Foreign influence operations target the Harris presidential campaign. 

Following reports of Donald Trump’s campaign being targeted by Iranian hackers, Vice President Kamala Harris’ presidential campaign revealed that it was also notified by the FBI last month about a foreign influence operation aimed at it. Despite the targeting, Harris’ campaign stated that no security breaches have occurred, and they remain in contact with authorities. The FBI has yet to comment on either case, while Iran has denied involvement in the alleged hacking of Trump’s campaign.

An Idaho not-for-profit healthcare provider discloses a data breach. 

Kootenai Health, a not-for-profit healthcare provider in Idaho, has disclosed a data breach affecting over 464,000 patients. The breach was carried out by the 3AM ransomware group, which gained unauthorized access to Kootenai’s systems on February 22, 2024, and remained undetected for ten days. The cybercriminals stole sensitive data, including full names, dates of birth, Social Security numbers, medical records, and health insurance information. The breach was discovered on March 2, 2024, and an investigation confirmed the data theft by August 1. The 3AM ransomware gang leaked a 22GB archive of the stolen data on their darknet portal, indicating that no ransom was paid. Kootenai Health is offering affected individuals up to two years of identity protection services.

Research reveals a troubling trend of delayed and non-disclosure of ransomware attacks by organizations. 

Research from intelligence platform provider Silobreaker titled, “Ransomware? What Ransomware? 2024 Report Insights,” reveals a troubling trend of delayed and non-disclosure of ransomware attacks by organizations. Analyzing 922 ransomware incidents from 2023, researchers Hannah Baumgaertner and Peter Kroyer Bramson found that over 50% of affected organizations did not acknowledge an attack until it became public, and nearly half of the victims didn’t disclose the attack at all. The study also highlighted a 90-day average delay in notifying customers of data breaches. Despite a slight improvement in reporting speed, only 5% of incidents were reported within a day in 2023. The research underscores the growing exploitation of vulnerabilities, with healthcare, education, and government sectors being prime targets. The U.S. remains a top target for ransomware due to its financial resources. The study emphasizes the need for robust cybersecurity measures, including better patch management and staff training, to counter evolving ransomware tactics.

Patch Tuesday roundup. 

The August 2024 Patch Tuesday brought critical security updates from major tech companies, addressing a wide range of vulnerabilities across various industries. Here’s a roundup of the key updates:

Microsoft’s August 2024 Patch Tuesday addressed 87 vulnerabilities, including nine zero-day flaws actively exploited in the wild. Critical patches were released for Windows, Office, and Edge, focusing on remote code execution and privilege escalation threats. 

Siemens, Schneider Electric, Rockwell Automation, and Aveva released security advisories addressing numerous vulnerabilities in their industrial control systems (ICS). Siemens fixed issues in products like SINEC INS, while Schneider Electric patched vulnerabilities in EcoStruxure and Modicon PLCs. Rockwell Automation and Aveva also addressed critical flaws that could impact industrial operations, highlighting the ongoing need for robust security measures in critical infrastructure.

Adobe’s August security updates included patches for 56 vulnerabilities across several products, including Adobe Acrobat, Reader, and Dimension. The updates addressed critical issues that could lead to arbitrary code execution, privilege escalation, and information disclosure. 

Chipmakers Intel and AMD released patches for over 110 vulnerabilities, with Intel alone addressing 83 security issues. The vulnerabilities span various products, including Intel’s firmware, drivers, and software, as well as AMD’s processors and chipsets. 

Fortinet released patches for several vulnerabilities in its FortiOS and FortiProxy products, some of which could lead to remote code execution and unauthorized access. Zoom also addressed multiple security flaws in its video conferencing platform, including issues that could be exploited to bypass security controls and execute arbitrary code. 

Organizations are urged to prioritize these updates to protect against increasingly sophisticated cyber threats targeting software, hardware, and critical infrastructure systems.

Palo Alto Networks’ Unit 42 revealed a significant security risk in open-source GitHub projects. 

Palo Alto Networks’ Unit 42 revealed a significant security risk in open-source GitHub projects, where GitHub Actions workflows could expose sensitive secrets and allow attackers to inject malicious code. These workflows often use tokens, such as cloud service tokens, which may inadvertently be included in publicly accessible artifact files generated during the workflow. Researcher Yaron Avital discovered that these artifacts often contain sensitive data like GITHUB_TOKEN and ACTIONS_RUNTIME_TOKEN, which attackers could exploit to replace artifacts with malicious code or inject harmful content into repositories. Avital created a proof-of-concept, RepoReaper, to demonstrate how an attacker could exploit GITHUB_TOKEN to push malicious code. To mitigate this risk, project maintainers are advised to review artifact creation and privilege levels, ensuring that sensitive artifacts are not published and that least privilege is enforced. Palo Alto also developed a tool to block the upload of artifacts containing secrets.
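An added example of the pre-upload check that the mitigation advice implies: a small Python scanner that flags artifact files containing token shapes before they are published. It is not Unit 42’s tool; the token patterns, file names, function names and sample contents are assumptions, and every sample value is constructed rather than a real token.

```python
import os
import re

# Shapes of the secrets the Unit 42 research says leak into artifacts. The
# token formats are assumptions about GitHub's current formats, not from the page.
SECRET_PATTERNS = {
    # GITHUB_TOKEN is a server-to-server token (ghs_); the other gh?_ prefixes
    # cover personal, OAuth, user-to-server and refresh tokens.
    "github-token": re.compile(rb"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    # ACTIONS_RUNTIME_TOKEN is a JWT: three base64url segments joined by dots.
    "jwt": re.compile(rb"\beyJ[\w-]{10,}\.[\w-]{10,}\.[\w-]{10,}\b"),
    # actions/checkout persists its token in .git/config as a basic-auth header.
    "git-auth-header": re.compile(rb"AUTHORIZATION:\s*basic\s+[A-Za-z0-9+/=]{8,}", re.I),
}

def scan_content(path: str, data: bytes) -> list[tuple[str, str]]:
    """Return (path, kind) for every secret shape found in one file's bytes."""
    return [(path, kind) for kind, rx in SECRET_PATTERNS.items() if rx.search(data)]

def scan_files(files: dict[str, bytes]) -> list[tuple[str, str]]:
    """Scan an in-memory mapping of artifact-relative paths to contents."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_content(path, files[path]))
    return findings

def scan_directory(root: str) -> list[tuple[str, str]]:
    """Scan a directory tree the way a pre-upload hook would."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return scan_files(files)

def should_block_upload(files: dict[str, bytes]) -> bool:
    return bool(scan_files(files))

# Constructed sample artifact; every value below is made up, not a real token.
SAMPLE_ARTIFACT = {
    "build/app.js": b"console.log('hello');\n",
    "build/.env": b"GITHUB_TOKEN=ghs_" + b"A1b2C3d4" * 4 + b"Zz9q\n",
    "runner/token.txt": b"ACTIONS_RUNTIME_TOKEN=eyJhbGciOiJIUzI1NiJ9."
                        b"eyJzdWIiOiJydW5uZXIifQ.c2lnbmF0dXJlX3BsYWNlaG9sZGVy\n",
    ".git/config": b'[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic Zm9vOmJhcg==\n',
}

if __name__ == "__main__":
    for path, kind in scan_files(SAMPLE_ARTIFACT):
        print(f"BLOCK upload: {path} contains a {kind}")  # never echo the value
```

Run against a real build directory with `scan_directory("dist")` in the step that precedes `upload-artifact`, failing the job when it returns anything.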

Enzo Biochem will pay $4.5 million to settle charges of inadequate security protocols. 

Enzo Biochem will pay $4.5 million to settle charges that inadequate security protocols led to a cyberattack in April 2023, compromising the personal and health information of 2.4 million patients. The settlement with New York, New Jersey, and Connecticut resolves claims that Enzo failed to protect patient data. Attackers accessed Enzo’s network using outdated, shared credentials and installed malware, which went undetected for days. As part of the settlement, Enzo is enhancing security measures, including stronger passwords and two-factor authentication.

 

Today, I welcome LastPass Cyber Threat Intelligence Analyst Stephanie Schneider. We discuss the ongoing Snowflake account attacks driven by exposed legitimate credentials and how enterprises can boost their defenses against these types of attacks. We’ll be right back.

Welcome back.

Mining for profits on Airbnb. 

And finally, our “wearing out your welcome” desk tells us of a bizarre twist to the Airbnb experience. Ashley, an Airbnb host, found herself drafting a new “no crypto mining policy” after a guest turned her rental into a mini crypto mining operation. The tenant set up 10 mining rigs and even installed an EV charging station, all within a three-week stay that racked up a staggering $1,500 electricity bill.

Ashley, who shares her hosting adventures on TikTok, was shocked when the guest casually mentioned he made over $100,000 mining crypto during his stay. Apparently, renting her house was a cost-effective way for him to pay for the electricity!

Ashley isn’t alone in this unexpected side hustle. Other Airbnb hosts have chimed in with similar tales of guests running up sky-high electric bills. One UK host saw their bill soar by thousands of pounds, while another had to boot guests before they could rack up a $6,000 power tab.

It seems the latest must-have for Airbnb hosts isn’t just fresh linens and free Wi-Fi—it’s a strict ban on crypto mining!

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.