No more “cyber Snorlax” naps.
Microsoft describes a macOS vulnerability. A trio of healthcare organizations reveal data breaches affecting nearly three-quarters of a million patients. Group-IB infiltrates a ransomware-as-a-service operation. Instagram rolls out new measures to combat sextortion schemes. Updates from Bitdefender address Man-in-the-Middle attacks. An Alabama man is arrested for allegedly hacking the SEC. In our Industry Voices segment, Gerry Gebel, VP of Strata Identity, describes how to ensure identity continuity in disrupted, disconnected and diminished IDP environments. CISOs want to see their role split into two positions. Game Freak’s servers take a critical hit.
Today is Friday October 18th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Microsoft describes a macOS vulnerability.
Microsoft has discovered a vulnerability in macOS, called “HM Surf” (CVE-2024-44133), which allows attackers to bypass Apple’s Transparency, Consent, and Control (TCC) protections. This flaw grants unauthorized access to sensitive user data, including camera, microphone, location, and browser history. The vulnerability specifically affects Safari, as its TCC entitlements can be exploited to bypass privacy checks.
Microsoft reported the issue to Apple, which released a fix in the September 2024 macOS Sequoia update. Users are urged to apply the update immediately, as Microsoft detected potential exploitation by the Adload malware family. Attackers could use this flaw to access a device’s location, capture camera snapshots, record audio, or stream data without the user’s knowledge. While third-party browsers like Chrome and Firefox are not affected, Safari’s default status makes this a significant threat.
Staying with Microsoft, Redmond has warned enterprise customers of a bug that caused critical security logs to be partially lost between September 2nd and October 3rd, potentially leaving companies vulnerable to undetected threats. The issue, which affected services like Microsoft Entra, Azure Logic Apps, and Microsoft Sentinel, hindered the ability to monitor suspicious activity and generate security alerts. The bug stemmed from a fix to the log collection service, which inadvertently created a deadlock condition, preventing proper log uploads. Although the issue has been resolved, some companies did not receive notifications. This follows previous criticism of Microsoft for requiring payment for advanced logging features, which limited access to critical security data during major breaches. Microsoft has since expanded its free logging capabilities for Purview Audit Standard customers.
A trio of healthcare organizations reveal data breaches affecting nearly three-quarters of a million patients.
Three healthcare organizations—Omni Family Health, Tri-City Medical Center, and New York Plastic Surgery—have reported major data breaches affecting around 740,000 patients and employees. Omni Family Health, a network of 40 clinics in California, disclosed that roughly 470,000 individuals were impacted after sensitive data, including Social Security numbers and medical information, was leaked on the dark web. Tri-City Medical Center in San Diego County reported a breach affecting about 108,000 people, exposing patient data from suspicious network activity. New York Plastic Surgery’s breach impacted nearly 162,000 individuals, with compromised data including Social Security numbers, biometric data, and medical records. Ransomware groups are suspected in the latter incident. These breaches highlight the growing trend of healthcare cyberattacks, often involving data theft, as attackers increasingly target the abundant and accessible sensitive data in the healthcare sector.
Group-IB infiltrates a ransomware-as-a-service operation.
The Cicada3301 ransomware-as-a-service (RaaS) group had its affiliate program infiltrated by Group-IB researchers, revealing new details about the gang’s operations. Active since June 2024, Cicada3301 has claimed at least 30 victims, mainly in the U.S. and U.K. The group shares similarities with the defunct ALPHV/BlackCat ransomware, although it’s unclear if they rebranded or bought its source code. Cicada3301’s affiliate panel, accessible via Tor, allows affiliates to customize attacks, manage victims, and negotiate ransom payments. Affiliates earn a 20% commission and can adjust encryption methods and landing page types. The ransomware is written in Rust, targeting Windows, Linux, and older systems like PowerPC. Cicada3301 avoids attacking Commonwealth of Independent States (CIS) countries and communicates in both Russian and English. Group-IB’s findings highlight the professionalism and evolving threats posed by modern ransomware groups.
Instagram rolls out new measures to combat sextortion schemes.
Instagram has introduced new security measures to combat sextortion scams, which have surged by over 300% from 2021 to 2023. The platform now hides follower lists, prevents screenshotting of sensitive images in direct messages, and expands its nudity protection feature globally. Alongside these updates, Instagram is partnering with the National Center for Missing and Exploited Children (NCMEC) and Thorn to create educational resources to help teens recognize sextortion scams. Additionally, Instagram launched Teen Accounts, offering built-in protections such as private profiles by default, restricted messaging settings, and time management features. Parents will also have greater oversight through supervision tools, allowing them to monitor messages and set daily limits.
Updates from Bitdefender address Man-in-the-Middle attacks.
Bitdefender Total Security was found vulnerable to multiple Man-in-the-Middle (MITM) attacks due to improper certificate validation in its HTTPS scanning feature. These vulnerabilities, identified under several CVEs, allow attackers to intercept and alter communications between users and websites. Issues include trusting self-signed and insecure certificates, and failing to verify certificate chains and hash functions. All vulnerabilities received a high CVSS score of 8.6, signaling significant risks to user data confidentiality and integrity. Bitdefender has released an update (version 27.0.25.115) to fix these issues.
An Alabama man is arrested for allegedly hacking the SEC.
Eric Council Jr., a 25-year-old from Alabama, was arrested for his alleged involvement in the January hack of the U.S. Securities and Exchange Commission’s (SEC) social media account. The hack falsely announced the approval of bitcoin exchange-traded funds (ETFs), causing bitcoin’s price to briefly spike by over $1,000. Authorities say Council used a “SIM swap” technique to impersonate someone with access to the SEC’s account, allowing hackers to post the fake announcement. The SEC quickly denied the post, clarifying no approval had been granted. Council is charged with conspiracy to commit aggravated identity theft and access device fraud. Following the hack, bitcoin’s price surged to nearly $48,000 before falling back to around $45,200 after the SEC’s clarification.
CISOs want to see their role split into two positions.
A survey by Trellix and Vanson Bourne found that 84% of CISOs advocate for splitting their role into two positions—technical and business-focused—due to the growing complexity of cybersecurity threats and regulatory demands. With 98% of CISOs concerned about keeping up with evolving regulations and 79% finding the compliance burden unsustainable, many are seeking external insights, with 87% preferring peer discussions over solo research. CISOs are also under pressure to maintain frequent communication with leadership, with nearly half reporting to the board weekly. The expanding scope of the role has led to burnout, with half of CISOs not seeing a long-term future in the position.
Our Industry Voices segment is coming up next with Gerry Gebel, VP of Products and Standards at Strata Identity. Gerry and I discuss how to ensure identity continuity in disrupted, disconnected and diminished IDP environments. We’ll be right back.
Welcome back. Don’t forget to check our show notes for links about our guests.
Game Freak’s servers take a critical hit.
And finally, our Pokédex Chronicle desk reports that it looks like Team Rocket isn’t the only one causing trouble for Game Freak! The co-owner of the Pokémon franchise confirmed a cyberattack earlier this year, resulting in a major data leak. Hackers allegedly nabbed over 1TB of data, including personal info of 2,600 employees—names, emails, and potentially some “unreleased evolutions” of upcoming projects (though Game Freak isn’t saying). Fans were quick to jump on the leaks, with design documents and Pokémon art surfacing on platforms like X and Reddit. Game Freak has since patched up its systems and is “training hard” to boost security, promising it won’t let another “cyber Snorlax” nap on its servers again. In a heartfelt apology, the company expressed regret for the inconvenience caused. Looks like this breach hit harder than a Hyper Beam, but Game Freak’s ready to catch ’em all—cyber threats, that is!
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
Don’t forget to check out Research Saturday tomorrow. This week, we’ve got Chester Wisniewski, Global Field CTO from Sophos X-Ops team, sharing his team’s work on the return of Chinese cyberespionage campaign Crimson Palace.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.