CyberWire Daily - Kaiser Permanente's privacy predicament.

Episode Date: April 26, 2024

Healthcare providers report breaches affecting millions. PlugX malware is found in over 170 countries. Hackers exploit an old vulnerability to launch Cobalt Strike. A popular WordPress plugin is under active exploitation. Developing nations may serve as a test bed for malware developers. German authorities question Microsoft over Russian hacks. CISA celebrates the success of their ransomware warning program. Our guest is Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, discussing open source software. Password trends are a mixed bag.

CyberWire Guest
Our guest is Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, discussing open source software.

Selected Reading
Kaiser Permanente data breach may have impacted 13.4 million patients (Security Affairs)
LA County Health Services: Patients' data exposed in phishing attack (Bleeping Computer)
China-linked PlugX malware infections found in more than 170 countries (The Record)
Hackers Exploit Old Microsoft Office 0-day to Deliver Cobalt Strike (GB Hackers)
Critical WordPress Automatic Plugin Vulnerability Exploited to Inject Backdoors (SecurityWeek)
Cybercriminals are using developing nations as test beds for ransomware attacks (TechSpot)
Microsoft Questioned by German Lawmakers About Russian Hack (GovInfo Security)
More than 800 vulnerabilities resolved through CISA ransomware notification pilot (The Record)
Most people still rely on memory or pen and paper for password management (Help Net Security)
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
to launch Cobalt Strike. A popular WordPress plug-in is under active exploitation. Developing nations may serve as a testbed for malware developers.
Starting point is 00:01:52 German authorities question Microsoft over Russian hacks. CISA celebrates the success of their ransomware warning program. Our guest is Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, discussing open-source software. And password trends are a mixed bag. It's Friday, April 26th, 2024. I'm Dave Bittner, and this is great to have you here with us. Kaiser Permanente, a major U.S. healthcare provider, reported a security breach affecting 13.4 million individuals. The breach involves sharing patient data, including names and IP addresses, with third-party companies like
Starting point is 00:02:53 Google, Microsoft, and xTwitter for advertising purposes. This information was collected through their website and mobile apps, but did not include sensitive details like social security numbers or financial data. Kaiser has since removed the tracking codes responsible for the data sharing. There's no evidence yet of misuse of this exposed information. This incident follows a June 2022 breach at Kaiser, where an email compromise exposed the health details of 69,000 people. email compromise exposed the health details of 69,000 people. Kaiser operates 39 hospitals and over 700 medical offices across multiple U.S. states. Meanwhile, the Los Angeles County Department of Health Services experienced a phishing attack on February 19th and 20th of this year, leading to a data breach impacting just over 6,000 patients. Hackers accessed the login
Starting point is 00:03:47 credentials of 23 employees, compromising their email boxes, which contained patients' personal and health information, including names, contact details, medical records, and health plan data. However, social security numbers and financial details were not exposed. Following the breach, the department took steps such as disabling affected accounts, re-imaging devices, and enhancing email security. They also alerted employees to the risks of phishing. Notifications have been sent to affected individuals and relevant authorities, although there has been no reported misuse of the exposed data. Researchers at cybersecurity firm Sequoia have discovered the China-linked PlugX malware in over 170 countries. Initially developed in 2008 by companies tied to the Chinese Ministry of State Security, the malware has been widely used for espionage. Its spread intensified in 2020 when
Starting point is 00:04:47 hackers added features enabling transmission via USB drives, targeting networks that are usually offline. In September of 2023, Sequoia took over a command and control server for PlugX, observing daily connections from up to 100,000 unique IP addresses and identifying over 2.5 million unique IPs in six months. The data revealed significant infection rates, particularly in Nigeria, India, Iran, and the U.S., among others. Researchers speculate that the malware's distribution could relate to strategic locations important to China's Belt and Road Initiative, suggesting its use in gathering intelligence on those regions.
Starting point is 00:05:31 Hackers have exploited an old Microsoft Office vulnerability to launch Cobalt Strike beacon attacks in Ukraine. This vulnerability, identified in 2017, allows attackers to execute arbitrary code through specially crafted files. The campaign involved a deceptive PowerPoint slideshow file posing as a U.S. Army manual, which evaded security measures by using an external OLE object linked via a scripted HTTPS URL. This method demonstrates the attacker's emphasis on stealth. The Cobalt Strike beacon central to this attack communicated with a CNC server disguised as a photography website,
Starting point is 00:06:14 indicating sophisticated evasion tactics. Although the attackers remain unidentified, the operation's detection at all stages highlights the necessity for vigilant and advanced cybersecurity measures. The team at Deep Instinct Threat Labs are credited with much of the research. Threat actors are exploiting a critical vulnerability in the WordPress automatic plugin, enabling SQL injection to inject code into websites and create administrator accounts. injection to inject code into websites and create administrator accounts. This flaw allows attackers to bypass user authentication, upload malicious files, and gain sustained access by renaming the vulnerable plugin file. WPScan has detected over 5 million attempts to exploit this vulnerability. Website administrators using WordPress Automatic are urged to update
Starting point is 00:07:06 their installations immediately to prevent unauthorized access and potential site takeover. Cybersecurity firm Performanta reports that hackers are increasingly using developing and emerging nations as testing grounds for new malware strains before launching attacks in wealthier countries. Organizations in Africa, Latin America, and Asia with typically weaker security are initially targeted. This tactic was noted in attacks on institutions like a bank in Senegal and a financial services company in Chile. One notable ransomware strain, Medusa, known for encrypting and threatening to publish data unless a ransom is paid, was first deployed against targets in South Africa, Senegal, and Tonga before being used in more advanced economies such as the U.S. and U.K.
Starting point is 00:07:57 This approach allows hackers to refine their methods before targeting high-profile victims in North America and Europe. their methods before targeting high-profile victims in North America and Europe. Some experts suggest that ransomware gangs also sell their tools to less sophisticated hackers in poorer regions, contributing to the prevalence of hackers there. Russian hackers identified as Midnight Blizzard, also known as APT29 or CozyBear, compromised Microsoft's source code repository but only gained read-only access without the ability to alter the code. This was disclosed by Microsoft's senior executives during a closed-door meeting with the German Parliamentary Technology Oversight Committee. The breach, which involved viewing but not modifying code,
Starting point is 00:08:42 was part of a broader discussion on security lapses highlighted by recent high-profile attacks and criticisms of Microsoft's security practices. German officials are particularly concerned about the potential risks to government operations relying heavily on Microsoft products. The hearing aimed to assess the hack's implications and ensure ongoing communications between Microsoft, the German Committee, and the Federal Office for Information Security.
Starting point is 00:09:11 We note in full disclosure that Microsoft is a CyberWire partner, but we report on them just like we would any other company. The Cybersecurity and Infrastructure Security Agency is reporting success with its Ransomware Vulnerability Warning Pilot, a program launched in January 2023 to alert organizations about Internet-exposed vulnerabilities targeted by ransomware actors. The program, part of legislation signed by President Biden in 2022, led to 754 notifications last year, in 2022 led to 754 notifications last year, with 852 of those vulnerabilities being patched, controlled, or removed following the alerts. Most organizations see a significant reduction in risk within the first 90 days, with an average risk reduction of 40% within a year. The program primarily notified government and healthcare entities, highlighting its effectiveness in these critical sectors. By identifying and addressing these vulnerabilities, CISA aims to increase the operational costs for ransomware gangs and deter their activities through enhanced cyber defense.
Starting point is 00:10:35 Coming up after the break, we've got CISA's Executive Assistant Director for Cybersecurity, Eric Goldstein, talking about open source software. Transat presents a couple trying to beat the winter blues. We could try hot yoga. Too sweaty. We could go skating. Too icy. We could book a vacation. Like somewhere hot. Yeah, with pools.
Starting point is 00:11:01 And a spa. And endless snacks. Yes! Yes! Yes! With savings of up to 40% on Transat South packages, Yeah, with pools. And a spa. And endless snacks. Yes! Yes! Yes! With savings of up to 40% on Transat South packages, it's easy to say, so long to winter. Visit Transat.com or contact your Marlin travel professional for details.
Starting point is 00:11:14 Conditions apply. Air Transat. Travel moves us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:11:46 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
Starting point is 00:12:36 is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Eric Goldstein. He's Executive Assistant Director for Cybersecurity at
Starting point is 00:13:20 CISA. Eric, welcome back. I want to touch today on open source software and what CISA's guidance is for organizations who are looking to do their part in securing that. What can you share with us today? Open source software security has been a priority for CISA and the broader U.S. government for quite some time now. But in early March, we held an open-source security summit where we brought together leaders from the open-source software community, and we announced a few key actions that we are really excited about because we know that at this point, the potential risks of open-source software are understood,
Starting point is 00:14:02 as well as the extraordinary value that the open source ecosystem provides to almost every software prep package used for every critical function of daily life. And so as part of this summit, we brought together package repositories, we brought together developers, maintainers, and federal agencies to really try to drive some measurable change
Starting point is 00:14:23 in how we manage these critical resources. Well, take us through what was the summit like and what were some of the key elements that you all touched on there? Yeah, you know, there's really three key areas that we focused on during the summit. First of all, we were really excited about the role of open source package repositories as acting as effective intermediaries package repositories as acting as effective intermediaries to help support developers and maintainers and help manage risks for open source end users. And so as part of this summit, CISA and the Open Source Security Foundations Securing Software Repositories Working Group developed a framework for voluntary security maturity levels for package repositories. And as part of this summit, we got agreement from multiple repositories, the Rust Foundation, the Python Software Foundation, NPM to name only a few,
Starting point is 00:15:17 to commit to using this voluntary framework for package security and then some very specific improvements to how they are securing their ecosystem and the open source packages they're in. In addition, we launched a new effort to enable voluntary collaboration and information sharing across the open source software community because we know that although there is rich information sharing about threats and vulnerabilities across enterprises and across many software manufacturers, many times the open source community are in part of these
Starting point is 00:15:50 conversations where there is a new adversary campaign or new vulnerability. And so our goal is to bring the open source community into this collaboration model that we've built and makes that we are working together to address the next threat and vulnerability that arises. And then finally, we ended the day with a tabletop exercise focused on vulnerability and incident response affecting an open source package. And we're going to publish the exercise scenario we used so that the community can build upon that work and further advance our approaches to responding to vulnerabilities and incidents that affect open source repositories or packages. Where do you see CISA sitting within
Starting point is 00:16:33 the ecosystem here in terms of being a collaborator, of having a leadership position? I mean, you know, the open source community has been around for a while. It is a robust community. Where do you all see yourselves sitting? Our goal is to be a partner, a convener, and most importantly, a supporter. The open source community, the developers and maintainers who build and manage open source projects
Starting point is 00:16:59 provide extraordinary economic value to our country and to the global technology ecosystem. And so our goal is to lift up those organizations who are investing in improving the security of this ecosystem, identify areas where more investment and support is needed, and then provide the fora, the platforms, the collaborative models to make sure that we are bringing in the right partners and driving the right level of change. But ultimately, this work is going to be driven inherently by the community itself, by the developers, the maintainers, the repositories who are doing the critical work every day.
Starting point is 00:17:38 Yeah, I mean, it really strikes me as being a key area here, just in that, you know, every day we're seeing stories about supply chain vulnerabilities. And much of that happens where some open source library has either been corrupted or cloned. There's been misinformation. I guess what I'm getting to
Starting point is 00:17:59 is that I see the need here as being really strong. That's exactly right. There is nothing more insecure or vulnerable about open source software than about proprietary software. But we know that the ubiquity and the scale deployment of open source packages
Starting point is 00:18:18 does mean that we need to take the security risks really seriously. And so we think that working with developers and maintainers, and with repositories, we're going to be able to drive the right security practices in the development and maintenance of open-source software, and also ensure that when an end-user organization
Starting point is 00:18:38 is using an open-source package or library, that they have confidence that it is in fact a non-malicious version that is up to date and has been checked for known vulnerabilities. For folks who are ready to jump in here, are looking to engage with you and your colleagues there, what would be the best way to get in touch? Yep, they can go to our website, sysa.gov.
Starting point is 00:19:01 On the landing page, we have a link to our open source work. That is a great place to check out our various resources. And there's also an email on there to get in touch with our open source team. All right. Well, Eric Goldstein is Executive Assistant Director for Cybersecurity at Sysa. Eric, thank you so much for joining us. Thanks, Dave. Always a pleasure. Thank you. We're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And finally, a survey by Bitwarden revealed concerning trends in password management, with 54% of individuals globally relying on memory and 33% using pen and paper to manage passwords. The survey covered users from
Starting point is 00:20:34 the U.S., U.K., Australia, France, Germany, and Japan, highlighting widespread password reuse and the use of personal information in passwords. Despite 60% of respondents feeling confident in identifying phishing attacks and 68% in mitigating AI-enhanced cyber threats, 19% have experienced security breaches due to poor password practices, and 23% have had passwords stolen or compromised. At work, similar trends persist, with reliance on memory and paper still prevalent. However, the survey also notes a positive shift toward better security habits, including the adoption of password managers and two-factor authentication, reflecting a growing awareness and implementation of stronger cybersecurity measures.
Starting point is 00:21:24 As for committing passwords to memory, I can't even remember what I had yesterday for lunch. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We are excited to share the third installment of Cyber Talent Insights today. This three-part special series podcast explores cybersecurity workforce development from three different perspectives. The enterprise employer, the cyber practitioner, and cyber talent pipelines. Join Dr. Heather Munthe, Dr. Sasha Vanterpool, and Jeff Welgen for a dynamic discussion that guides listeners through effective strategies to develop cybersecurity teams in the constantly changing landscape of the industry.
Starting point is 00:22:21 That's Cyber Talent Insights. Do check it out. Be sure to check out this weekend's Research Thank you. We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Stokes.
Starting point is 00:23:01 Our mixer is Trey Hester with original music by Elliot Peltzman. Our executive producers are Jennifer Iben and Brandon Karp. Our executive editor is Peter Kilby and I'm Dave Bittner.
Starting point is 00:23:12 Thanks for listening. We'll see you back here next week. Thank you. are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Starting point is 00:24:08 Learn more at ai.domo.com. That's ai.domo.com.
