The CyberWire Daily Podcast 10.11.24
Ep 2168 | 10.11.24

Patient portals down, ransomware up.

Transcript

A Colorado health system’s patient portal has been compromised. Malicious uploads to open-source repositories surge over the past year. Octo2 malware targets Android devices. A critical vulnerability in Veeam Backup & Replication software is being exploited. The U.S. and U.K. team up for kids online safety. The European Council adopts the Cyber Resilience Act. New York State adopts new cyber regulations for hospitals. The FBI created its own cryptocurrency to help thwart fraudsters. Our guest Dr. Bilyana Lilly joins us to talk about her new novel "Digital Mindhunters." Getting dumped via AI.

Today is Friday October 11th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A Colorado health system’s patient portal has been compromised. 

A recent cyberattack on Colorado’s Axis Health System has compromised the patient portal used for communication with healthcare providers. The nonprofit, which runs 13 facilities across southwest and western Colorado, confirmed the breach but provided limited details. Officials stated they are still investigating and will notify patients if their data is affected. Currently, the patient portal remains offline, with patients urged to contact clinics directly. The Rhysida ransomware gang has claimed responsibility, demanding over $1.5 million. This group is notorious for targeting hospitals and government entities, with previous attacks on Prospect Medical hospitals and the governments of Columbus, Ohio, and Seattle, Washington.

On the same day, security firm Censys released a report warning about the dangers healthcare organizations face from internet-exposed devices. Censys identified over 14,000 IP addresses tied to healthcare systems, potentially exposing sensitive medical data. Nearly half of these devices are based in the U.S., with India also heavily affected. The report highlighted the risks posed by exposed systems like servers handling medical images (36%) and electronic health record systems (28%).

Censys warned that healthcare providers, particularly radiology and pathology services, often prioritize accessibility over security, making them vulnerable. The firm urged organizations to implement stricter security measures, including multi-factor authentication and proper access controls, to reduce risks of unauthorized access.

Malicious packages uploaded to open-source repositories surge over the past year. 

A new report from Sonatype reveals a 150% surge in malicious packages uploaded to open-source repositories over the past year. Open-source software, a foundation of modern digital technologies, allows nearly anyone to contribute to its code. Sonatype analyzed over 7 million open-source projects and found more than 500,000 contained malicious packages.

The report highlights the growing vulnerabilities within the open-source ecosystem, worsened by developers prioritizing rapid feature releases over security. Fixing critical vulnerabilities now takes up to 500 days, compared to 200-250 days in the past. Even major bugs like Log4Shell continue to be downloaded, with 13% of Log4j downloads still using vulnerable versions. Sonatype warns that the open-source supply chain is struggling to keep up with the increasing number of security issues.

Octo2 malware targets Android devices.

Octo2, a new variant of the Octo malware family, is targeting Android devices by posing as popular apps like NordVPN and Google Chrome. Researchers at DomainTools report that Octo2 uses advanced techniques to evade detection, steal credentials, and enable remote access to infected devices. It features improved remote access capabilities and advanced anti-analysis and anti-detection techniques, making it harder to detect and neutralize.

Octo2 also uses a Domain Generation Algorithm (DGA) to create dynamic command and control (C2) server addresses, increasing its resilience against security takedowns. Early samples have been found in Europe, but global spread is expected. The malware spreads via a dropper called Zombinder, which disguises malicious payloads as legitimate apps. DomainTools urges caution when downloading apps and emphasizes the importance of threat intelligence and security monitoring.
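The DGA mechanism mentioned above, as an added example that is not part of the podcast or of DomainTools' analysis: a hypothetical date-seeded generator (not Octo2's real algorithm, which the story does not describe) shows why a takedown of one domain does not break the channel, and an NXDOMAIN-burst check shows how a defender spots an implant walking its daily list in resolver logs. The seed, IP addresses, log format and TLD pool are all assumptions, and the log lines are constructed.

```python
"""Illustrative date-seeded DGA plus an NXDOMAIN-burst detector.

Hypothetical example for the DGA technique mentioned in the Octo2 story;
the generator is NOT Octo2's algorithm and the log format is invented.
"""
import hashlib
from collections import defaultdict
from datetime import date

TLDS = ("com", "net", "org")       # assumption: small TLD pool
DEMO_DAY = date(2024, 10, 11)      # the episode's date, used for the demo log


def generate_dga_domains(seed: str, day: date, count: int = 8) -> list[str]:
    """Derive `count` candidate C2 domains for `day` from a shared secret.

    Operator and implant compute the same list, so the operator only has to
    register one of today's names; if defenders sinkhole it, tomorrow's list
    is already known to every infected device.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def parse_dns_line(line: str) -> tuple[str, str, str]:
    """Parse a constructed resolver log line: '<ts> <client_ip> <qname> <rcode>'."""
    _ts, client, qname, rcode = line.split()
    return client, qname.lower().rstrip("."), rcode


def nxdomain_burst_clients(log_lines, min_unique_failures: int = 5) -> dict[str, list[str]]:
    """Return clients whose count of distinct NXDOMAIN answers reaches the threshold.

    A DGA implant queries its list until one name resolves, so most of its
    lookups fail; a normal client rarely produces many distinct failures.
    """
    failures: dict[str, set[str]] = defaultdict(set)
    for line in log_lines:
        client, qname, rcode = parse_dns_line(line)
        if rcode == "NXDOMAIN":
            failures[client].add(qname)
    return {c: sorted(n) for c, n in failures.items() if len(n) >= min_unique_failures}


def build_sample_log(day: date) -> list[str]:
    """Constructed log: 10.0.0.7 walks the day's DGA list, 10.0.0.8 is a clean host."""
    dga = generate_dga_domains("demo-seed", day)   # assumption: seed "demo-seed"
    ts = day.isoformat()
    lines = [f"{ts}T09:00:0{i} 10.0.0.7 {d} NXDOMAIN" for i, d in enumerate(dga[:-1])]
    lines.append(f"{ts}T09:00:09 10.0.0.7 {dga[-1]} NOERROR")  # the one name registered
    lines += [
        f"{ts}T09:01:00 10.0.0.8 www.example.com NOERROR",
        f"{ts}T09:01:01 10.0.0.8 typo.exmaple.com NXDOMAIN",
        f"{ts}T09:01:02 10.0.0.8 mail.example.net NOERROR",
    ]
    return lines


if __name__ == "__main__":
    print("today's candidate C2 domains:", generate_dga_domains("demo-seed", DEMO_DAY))
    for client, names in nxdomain_burst_clients(build_sample_log(DEMO_DAY)).items():
        print(f"{client}: {len(names)} distinct NXDOMAINs, e.g. {names[:3]}")
```

The burst check is deliberately behavioural rather than lexical: per-label entropy or vowel-ratio scores are cheap but noisy on short labels, while a single host producing many distinct failed lookups in a short window is a strong signal regardless of how the names were generated. In production the window would be bounded in time and the threshold tuned against baseline NXDOMAIN rates.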

A critical vulnerability in Veeam Backup & Replication software is being exploited. 

A critical vulnerability in Veeam Backup & Replication software (CVE-2024-40711) is being exploited by hackers to deploy ransomware, including Fog and Akira variants. The flaw allows unauthenticated remote code execution, enabling attackers to create unauthorized accounts and gain privileged access. Attackers initially gained access through compromised VPN gateways without multifactor authentication. Sophos reported several attacks over the past month, highlighting the need for patching, updating outdated VPNs, and implementing strong security measures. Veeam has released a patch (version 12.2.0.334), and administrators are urged to apply it immediately.

The U.S. and U.K. team up for kids online safety. 

The U.S. and Britain have launched a joint working group to improve children’s online safety. U.S. Commerce Secretary Gina Raimondo and British Science and Technology Minister Peter Kyle urged tech platforms like Instagram and Snapchat to enhance protections for children. Social media’s impact on youth, especially related to body image and mental health, has raised significant concerns. Studies show platforms like Snapchat and Meta’s services are frequently used in child abuse crimes. The group aims to increase scrutiny and strengthen regulations, aligning with ongoing efforts in both countries. In the U.S., two key bills—COPPA 2.0 and KOSA—await approval, while Britain’s Online Safety Act, set for 2024, will impose strict rules on content access for minors and enforce penalties for non-compliance.

The European Council adopts the Cyber Resilience Act. 

The European Council has adopted the Cyber Resilience Act, mandating security-by-design measures for connected devices in the EU. Manufacturers must now meet essential cybersecurity requirements, including conducting risk assessments, ensuring data protection, and swiftly patching vulnerabilities. The regulation requires vendors to notify the EU of actively exploited vulnerabilities within 24 hours. Products that comply will bear a “CE” marking, while non-compliance could result in fines of up to 15 million euros or 2.5% of global turnover. Despite criticism from security experts and industry stakeholders, who argue the act may aid hackers or disrupt supply chains, EU regulators believe it will simplify compliance and streamline product distribution across the bloc. The legislation will take effect after a 36-month transition period.

New York State adopts new cyber regulations for hospitals. 

New York State now requires general hospitals to report “material” cybersecurity incidents, such as ransomware attacks, to the state’s health department within 72 hours under new regulations effective as of October 2. Hospitals must also comply with additional mandates by October 2025, including appointing a Chief Information Security Officer (CISO), conducting annual security risk assessments, implementing multifactor authentication, and establishing a comprehensive cybersecurity program. The regulations aim to enhance patient care continuity and protect hospital operations from cyberattacks. Non-compliance may result in penalties, though the focus is on providing resources to protect against cyber threats. New York has allocated $500 million to assist hospitals in meeting the requirements. The regulations come as the healthcare sector faces an increasing number of cyberattacks, with hospitals bearing the brunt of these incidents, affecting patient data and hospital functions. Federal regulators are also working on updates to the HIPAA Security Rule.

The FBI created its own cryptocurrency to help thwart fraudsters. 

The FBI created its own cryptocurrency, NexFundAI, to monitor suspected fraudsters in a cryptocurrency market manipulation scheme. This Ethereum-based token allowed the FBI to observe fraudulent activities, leading to arrests in the UK, Portugal, and Texas. The Department of Justice charged 18 individuals with fraud and manipulation, particularly for using “wash trades” to falsely inflate trade volumes, a tactic commonly used in “pump and dump” schemes. Saitama, one organization involved, misled investors about its token’s market stability and regulatory approval, while secretly profiting from manipulation. The FBI’s cryptocurrency operation helped expose these fraudulent activities. The SEC has also filed charges against five promoters, warning investors of the ongoing risks in crypto markets. Four defendants have already pled guilty, with one more intending to do so.

Before we head into our break, I wanted to share a programming note. Our team will not be publishing on Monday, October 14th in observance of the US holiday, Indigenous Peoples’ Day. We will offer a special edition Solution Spotlight episode of N2K’s Simone Petrella speaking with ISC2’s Andy Woolnough (pronounced Wool-NO) with a detailed first look at ISC2's 2024 Cybersecurity Workforce Study. The CyberWire Daily podcast will return on Tuesday! 

Next up, I speak with Dr. Bilyana Lilly about her new novel "Digital Mindhunters." We’ll be right back.

Welcome back. You can find a link to Bilyana’s book in our show notes. 

Getting dumped via AI. 

And finally, our lonely hearts desk shares the story of NYC-based software developer Nick Spreen, who had a birthday surprise he probably won’t forget anytime soon, thanks to Apple’s upcoming AI feature. On his iPhone 15 Pro, running a beta version of iOS 18, Spreen received a message summary from the Apple Intelligence feature that distilled several breakup texts from his girlfriend into a blunt, AI-penned notification: “No longer in a relationship; wants belongings from the apartment.” Ouch.

Spreen shared the AI-generated breakup cliff notes in a viral tweet on X-Twitter, humorously captioning it for anyone curious about how an AI summarizes a breakup text. Yes, it happened on his birthday, and yes, the summary was eerily accurate, as Spreen confirmed.

While the AI’s unemotional delivery might sound dystopian, Spreen admitted it softened the blow a bit, making the moment feel surreal—like a personal assistant delivering bad news while keeping things professional. Who knew AI could be so emotionally detached yet helpful?

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.