CyberWire Daily - A health bot’s security slip-up.

Episode Date: August 14, 2024

Researchers at Tenable uncovered severe vulnerabilities in Microsoft’s Azure Health Bot Service. Scammers use deepfakes on Facebook and Instagram. Foreign influence operations target the Harris presidential campaign. An Idaho not-for-profit healthcare provider discloses a data breach. Research reveals a troubling trend of delayed and non-disclosure of ransomware attacks by organizations. Patch Tuesday roundup. Palo Alto Networks’ Unit 42 revealed a significant security risk in open-source GitHub projects. Enzo Biochem will pay $4.5 million to settle charges of inadequate security protocols. Our guest, Stephanie Schneider, Cyber Threat Intelligence Analyst at LastPass, joins us to discuss the ongoing Snowflake account attacks driven by exposed legitimate credentials. Mining for profits on Airbnb.

Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Stephanie Schneider, Cyber Threat Intelligence Analyst at LastPass, joins us to discuss the ongoing Snowflake account attacks driven by exposed legitimate credentials and how enterprises can boost their defenses against these types of attacks.
Selected Reading
Critical Vulnerability Found in Microsoft’s AI Healthcare Chatbot (Infosecurity Magazine)
UK Prime Minister Keir Starmer and Prince William deepfaked in investment scam campaign (Bitdefender)
FBI told Harris campaign it was target of 'foreign actor influence operation,' official says (Reuters)
3AM ransomware stole data of 464,000 Kootenai Health patients (Bleeping Computer)
Report reveals lag in disclosure of ransomware attacks in 2023 (Security Brief)
Fortinet, Zoom Patch Multiple Vulnerabilities (SecurityWeek)
Chipmaker Patch Tuesday: Intel, AMD Address Over 110 Vulnerabilities
Adobe Patches 72 Security Vulnerabilities Across Multiple Products (Cyber Security News)
Microsoft Fixes Nine Zero-Days on Patch Tuesday (Infosecurity Magazine)
ICS Patch Tuesday: Advisories Released by Siemens, Schneider, Rockwell, Aveva (SecurityWeek)
Are your GitHub Action artifacts leaking tokens? (SC Magazine)
Enzo Biochem to pay $4.5 mln over cyberattack, NY attorney general says (Reuters)
Airbnb host adds ‘no crypto mining’ rule after tenant installs 10 rigs (Protos)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Researchers at Tenable uncover severe vulnerabilities in Microsoft's Azure Health Bot service. Scammers use deepfakes on Facebook and Instagram. Foreign influence operations target the Harris presidential campaign.
Starting point is 00:02:14 An Idaho not-for-profit healthcare provider discloses a data breach. Research reveals a troubling trend of delayed and non-disclosure of ransomware attacks by organizations. We got a Patch Tuesday roundup. Palo Alto Networks' Unit 42 reveals a significant security risk in open-source GitHub projects. Enzo Biochem will pay $4.5 million to settle charges of inadequate security protocols. Our guest is Stephanie Schneider, cyber threat intelligence analyst at LastPass, joining us to discuss the ongoing Snowflake account attacks driven by exposed legitimate credentials.
Starting point is 00:02:49 And mining profits on Airbnb. It's Wednesday, August 14th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thank you for once again joining us here today. Researchers at Tenable uncovered severe vulnerabilities in Microsoft's Azure Health Bot Service, a platform for AI-powered healthcare chatbots, which allowed unauthorized access to user and customer information. Among the vulnerabilities was a critical privilege escalation issue that enabled attackers to move laterally within Microsoft's cloud infrastructure.
Starting point is 00:03:50 By exploiting a server-side request forgery, researchers bypassed security filters, gaining access to Azure's internal metadata service, and obtaining an access token. This token allowed them to list hundreds of resources belonging to other customers. Microsoft quickly mitigated this flaw by rejecting redirect status codes for data connection endpoints. Additionally, another privilege escalation vulnerability was found in the data connections feature, although it was less severe and did not provide cross-tenant access. Both vulnerabilities were promptly addressed by Microsoft, and there is no evidence of exploitation by malicious actors. Scammers are leveraging deepfake technology to promote fraudulent cryptocurrency investments
Starting point is 00:04:39 on meta-platforms, using AI-generated videos featuring British Prime Minister Sir Keir Starmer and Prince William. These deepfakes, seen by an estimated 890,000 users on Facebook and Instagram, falsely endorse a scam platform called Immediate Edge. The videos claim users have been selected for life-changing opportunities, with one depicting Starmer announcing a national invest platform. Despite Meta's efforts to remove the ads, over 250 deepfake ads featuring Starmer have appeared, leading to significant financial losses for victims. Even after being scammed,
Starting point is 00:05:20 some victims continued to believe in the fake endorsements. Researchers highlight the growing problem of disinformation on meta-platforms, noting that this trend seems to be worsening despite the company's policies against such misuse. Following reports of Donald Trump's campaign being targeted by Iranian hackers, Vice President Kamala Harris' presidential campaign revealed that it was also notified by the FBI last month about a foreign influence operation aimed at it.
Starting point is 00:05:51 Despite the targeting, Harris's campaign stated that no security breaches have occurred and they remain in contact with authorities. The FBI has yet to comment on either case, while Iran has denied involvement in the alleged hacking of Trump's campaign. Kootenai Health, a not-for-profit healthcare provider in Idaho, has disclosed a data breach affecting over 464,000 patients. The breach was carried out
Starting point is 00:06:19 by the 3AM ransomware group, which gained unauthorized access to Kootenai's systems on February 22nd of this year and remained undetected for 10 days. The cybercriminals stole sensitive data, including full names, dates of birth, social security numbers, medical records, and health insurance information. The breach was discovered on March 2nd, and an investigation confirmed the data theft by August 1st. The 3AM ransomware gang leaked a 22-gigabyte archive of the stolen data on their Darknet portal, indicating that no ransom was paid. Kootenai Health is offering affected individuals up to
Starting point is 00:06:59 two years of identity protection services. Research from intelligence platform provider SiloBreaker, titled Ransomware, What Ransomware?, reveals a troubling trend of delayed and non-disclosure of ransomware attacks by organizations. Analyzing 922 ransomware incidents from 2023, researchers Hannah Bumgardner and Peter Kroyer Bramson found that over 50% of affected organizations did not acknowledge an attack until it became public and nearly half of the victims didn't disclose the attack at all The study also highlighted a 90-day average delay in notifying customers of data breaches Despite a slight improvement in reporting speed only 5% of incidents were
Starting point is 00:07:46 reported within a day in 2023. The research underscores the growing exploitation of vulnerabilities, with healthcare, education, and government sectors being prime targets. The U.S. remains a top target for ransomware due to its financial resources. The study emphasizes the need for robust cybersecurity measures, including better patch management and staff training to counter evolving ransomware tactics. The August 2024 Patch Tuesday brought critical security updates from major tech companies,
Starting point is 00:08:19 addressing a wide range of vulnerabilities across various industries. Here's a roundup of the key updates. Microsoft's August 2024 Patch Tuesday addressed 87 vulnerabilities, including nine zero-day flaws actively exploited in the wild. Critical patches were released for Windows, Office, and Edge, focusing on remote code execution and privilege escalation threats. remote code execution and privilege escalation threats. Siemens, Schneider Electric, Rockwell Automation, and Aviva released security advisories addressing numerous vulnerabilities in their industrial control systems. Siemens fixed issues in products like Cynic INS, while Schneider Electric patched vulnerabilities in EcoStruxure and Modicon PLCs. Rockwell Automation and Aviva also addressed critical flaws
Starting point is 00:09:07 that could impact industrial operations, highlighting the ongoing need for robust security measures in critical infrastructure. Adobe's August security updates included patches for 56 vulnerabilities across several products, including Adobe Acrobat, Reader, and Dimension. The updates addressed critical issues that could lead to arbitrary code execution, privilege escalation, and information disclosure.
Starting point is 00:09:32 Chipmakers Intel and AMD released patches for over 110 vulnerabilities, with Intel alone addressing 83 security issues. The vulnerabilities span various products, including Intel's firmware, drivers, and software, as well as AMD's processors and chipsets. Fortinet released patches for several vulnerabilities in its 40OS and 40Proxy products, some of which could lead to remote code execution and unauthorized access. Zoom also addressed multiple security flaws in its video conferencing platform, including issues that could be exploited to bypass security controls and execute arbitrary code.
Starting point is 00:10:13 Organizations are urged to prioritize these updates to protect against increasingly sophisticated cyber threats targeting software, hardware, and critical infrastructure systems. threats targeting software, hardware, and critical infrastructure systems. Palo Alto Network's Unit 42 revealed a significant security risk in open-source GitHub projects, where GitHub Actions workflows could expose sensitive secrets and allow attackers to inject malicious code. These workflows often use tokens, such as cloud service tokens, which may inadvertently be included in publicly accessible artifact files generated during the workflow. Researcher Yaron Avital
Starting point is 00:10:52 discovered that these artifacts often contain sensitive data, like GitHub token and Actions Runtime token, which attackers could exploit to replace artifacts with malicious code or inject harmful content into repositories. Avital created a proof-of-concept, RepoReaper, to demonstrate how an attack could exploit GitHub token to push malicious code. To mitigate this risk, project maintainers are advised to review artifact creation and privilege levels, ensuring that sensitive artifacts are not published and that least privilege is enforced. Palo Alto also developed a tool to block the upload of artifacts containing secrets. Enzo Biochem will pay $4.5 million to settle charges that inadequate security
Starting point is 00:11:40 protocols led to a cyber attack in April of 2023, compromising the personal and health information of 2.4 million patients. The settlement with New York, New Jersey, and Connecticut resolves claims that Enzo failed to protect patient data. Attackers accessed Enzo's network using outdated shared credentials and installed malware, which went undetected for days. shared credentials and installed malware, which went undetected for days. As part of the settlement, Enso is enhancing security measures, including stronger passwords and two-factor authentication. Coming up after the break, my conversation with Stephanie Schneider, cyber threat intelligence analyst at LastPass.
Starting point is 00:12:31 She's joining us to discuss the ongoing Snowflake account attacks. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:13:08 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:14:16 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Stephanie Schneider is Cyber Threat Intelligence Analyst at LastPass. I recently caught up with her to discuss the ongoing Snowflake account attacks. It's just a matter of time until we start to hear about more potentially impacted entities from the Snowflake breach. And I think we're starting to see that, you know,
Starting point is 00:14:59 the cloud service provider Snowflake, it's probably one of the biggest data breaches of 2024 so far this year. And I think there's a couple of notable things about this attack that stand out to me. One is that the attackers didn't even have to use sophisticated tactics to pop them. This all came about due to breached credentials that were just available on the dark web. It's also now led to, I think, the latest figure I've seen is about $1.6 billion in costs so far that may continue to grow as more information comes out and victims come forward. So really, this was a simple attack with a pretty significant impact. In terms of sort of spreading around the responsibility or trying to unpack the things
Starting point is 00:15:47 that could have been done to prevent something like this, when we're talking about credential stuffing, how much of this is the responsibility of the users? And would a cloud provider also have a responsibility to kind of protect users from themselves? Yeah, I think that's a really interesting point that's kind of come out of this whole debacle is what is the responsibility of companies to really enforce some of these better cyber hygiene standards like multi-factor authentication. In this instance, the threat actors really went after accounts
Starting point is 00:16:24 that did not have MFA enabled. It wasn't a requirement that Snowflake had for its customers. And so that was kind of the low-hanging fruit here. So when we think about what led to this, I think there are a few reasons. One, MFA, successful authentication, only required a valid username and password, which allowed the threat actors easy access to those targeted accounts. Two, some of the credentials identified in Infosteel or malware output had been for sale on the dark web for years. I think some of it was available as early as 2020, and those were still valid credentials. So that means that those
Starting point is 00:17:04 credentials hadn't been rotated or updated in quite some time. Thirdly, the compromised Snowflake instances didn't have network allow lists and allow listing involves compiling a list of sanctioned entities like IP addresses or domains, applications, and only the entities on this designated list are granted access to a specific resource or they can perform specific actions. So this really helps to reduce the attack
Starting point is 00:17:34 surface and limit access to trusted, verified entities. So I think that there's probably a few things that we can kind of go back and look at that really led to this large data breach. Yeah. From the point of view of a person who's responsible for security at their organization and they're looking to do a better job with their access controls, I mean, the folks who are in the kind of business that you all are in at LastPass, and there are a handful of organizations who provide that kind of service. What sort of tools are the state of the art these days in making sure that people aren't going to have an issue here with things like credential stuffing? You know, I think it's actually a pretty simple cyber hygiene that this all really comes down to. I mean, if you don't have
Starting point is 00:18:26 simple protections in place, like enabling MFA, maintaining patches, having good password management, having that secondary verification method like multi-factor authentication, you're really raising the likelihood of getting hit by a cyber attack. It doesn't take very sophisticated attacks to pull off this type of data breach, honestly. You know, I've seen more and more as well that I guess folks are subscribing to some of these databases of known passwords. You know, we talk about Troy Hunt's list, the Have I been pwned list. And there's a lot of places I've seen where if you try to use a password that's been in one of these breaches, the system will stop you and say, not so fast. This is something that's shown up in one of
Starting point is 00:19:17 these databases. Choose something a little more complex. Apart from, apart from MFA, right, it's pretty straightforward, but highly effective. It can really substantially improve that baseline security posture and resilience. You know, credentials are stolen through phishing or malware like InfoStealers. And MFA does add that extra layer of security by requiring more than just a password to really access an account. And it makes it that much harder for attackers to gain authorized access. Another thing that folks can do to really make sure that they're boosted in defense against these types of attacks is managing their credentials. The sheer amount of data out there is staggering.
Starting point is 00:20:02 If it's not already, it should probably keep you up at night. RockU 2024, the list that was recently released and leaked on a popular hacking forum, has about 10 billion passwords. And the chances that you or someone you know has information that's been leaked in that breach is pretty staggering. And this is just out there readily available. Anyone can go and pull that down. And threat actors can exploit this password compilation to conduct brute force attacks and gain unauthorized access to online accounts. So I think from an enterprise perspective, consider what does your coverage look like in terms of managing your credentials? How do you know that your employees' personal passwords aren't in there?
Starting point is 00:20:52 That's how redactors can get their foot in the door. And in the case of Snowflake, the majority of compromised credentials were available from historical info stealer infections, some of which dated back as far as 2020. So this is all pretty simple, straightforward kind of guidance. I think another thing that folks can do is to be monitoring for cyber campaigns that may be interested in targeting their enterprise. So that probably looks like establishing monitoring via open source reporting or other means to get those early warnings on cyber attack campaigns that may be targeting your critical service providers. And as you're collecting and sharing information with your enterprise, security teams can use that advance notice
Starting point is 00:21:45 to proactively change credentials and confirm policy compliance and your connections to affected companies in the supply chain. So those are all a few things that enterprises can really do to boost their defenses against these types of attacks. Our thanks to Stephanie Schneider,
Starting point is 00:22:04 Cyber Threat Intelligence Analyst at LastPass, for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
Starting point is 00:22:44 and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And finally, our Wearing Out Your Welcome desk tells us of a bizarre twist in the Airbnb experience. Ashley, an Airbnb host, found herself drafting a new no-crypto mining policy after a guest turned her rental into a mini-crypto mining operation. The tenant set up 10 mining rigs and even installed an EV charging station, all within a three-week stay. That racked up a staggering $1,500 electricity bill. Ashley, who shares her hosting adventures on TikTok, was shocked when the guest casually mentioned he
Starting point is 00:23:45 made over $100,000 mining crypto during his stay. Apparently, renting her house was a cost-effective way for him to pay the electricity. Ashley isn't alone in this unexpected side hustle. Other Airbnb hosts have chimed in with similar tales of guests running up sky-high electric bills. One UK host saw their bills soar by thousands of pounds, while another had to boot guests before they could rack up a $6,000 power tab. It seems the latest must-have for Airbnb hosts isn't just fresh linens and free Wi-Fi. It's a strict ban on crypto mining. And that's The Cyber Wire. For links to all of today's stories,
Starting point is 00:24:37 check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement
Starting point is 00:25:08 agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Iben. Our executive editor is Brandon Karp. Simone Petrella is our president. Peter Kilby is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Starting point is 00:26:38 Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
