CyberWire Daily - Ransomware hit causes pathology paralysis.
Episode Date: June 4, 2024

Ransomware disrupts London hospitals. Researchers discover serious vulnerabilities in Progress' Telerik Report Server and Atlassian Confluence Data Center and Server. Over three million people are affected by a breach at a debt collection agency. A report finds rural hospitals vulnerable to ransomware. An Australian mining firm finds some of its data on the Dark Web. Google patches 37 Android vulnerabilities. Russian threat actors target the Summer Olympics in Paris. On our Industry Voices segment, we are joined by Sandy Bird, CTO at Sonrai. Sandy discusses the risks of unused identity infrastructure. The Amazon rainforest goes online.

Our 2024 N2K CyberWire Audience Survey is underway; make your voice heard and get in the running for a $100 Amazon gift card. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On our Industry Voices segment, we are joined by Sandy Bird, CTO at Sonrai. Sandy discusses the risks of unused identity infrastructure. You can learn more about Sonrai’s work in this area by reviewing their Quantifying Cloud Access Risk: Overprivileged Identities and Zombie Identities report.
Selected Reading
Critical incident declared as ransomware attack disrupts multiple London hospitals (The Record)
CVE-2024-4358, CVE-2024-1800: Exploit Code Available for Critical Exploit Chain in Progress Telerik Report Server (Tenable)
Atlassian’s Confluence hit with critical remote code execution bugs (CSO Online)
Debt collection agency FBCS leaks information of 3 million US citizens (Malwarebytes)
Rural hospitals are particularly vulnerable to ransomware, report finds (CyberScoop)
Australian rare earths miner hit by cybersecurity breach (Mining Weekly)
37 Vulnerabilities Patched in Android (SecurityWeek)
Russia used fake AI Tom Cruise in Olympic disinformation campaign (Computer Weekly)
The Internet's Final Frontier: Remote Amazon Tribes (New York Times)

Listen to our newest podcast, “Only Malware in the Building.” N2K and Proofpoint have teamed up to launch “Only Malware in the Building,” the newest podcast on the N2K CyberWire network. Each month our hosts Selena Larson, Proofpoint’s staff threat researcher, and N2K’s Rick Howard and Dave Bittner, explore the mysteries around today’s most intriguing cyber threats. Listen to the first episode and subscribe now.

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.

of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life

JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K.

data center. Over 3 million people are affected by a breach at a debt collection agency. A report finds rural hospitals vulnerable to ransomware. An Australian mining firm finds some of its data on the dark web. Google patches 37 Android vulnerabilities. Russian threat actors target the Summer Olympics in Paris. On our Industry Voices segment, we're joined by Sandy Bird, CTO at Sonrai. Sandy discusses the risks of unused identity infrastructure. And the Amazon rainforest goes online.
It's Tuesday, June 4th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thanks for once again joining us. It is great to have you here with us.
A ransomware attack on third-party provider Synnovis has caused significant disruptions to pathology services at several London hospitals. This includes Guy's and St Thomas' NHS Foundation Trust, Royal Brompton and Harefield Hospitals, and King's College Hospital NHS Foundation Trust, with primary care across southeast London also affected.
The attack, which was detected on Monday,
has resulted in the cancellation of operations
and a critical incident emergency status being declared.
This is due to the inability of healthcare professionals
to access pathology services,
including blood tests for transfusions.
The disruption is having a significant impact on patient care,
with urgent blood components only being transfused when critically indicated.
The attack highlights the ongoing threat of ransomware attacks on the healthcare sector,
which can have serious consequences for patients.
In the UK alone, there have been 215 reported ransomware
incidents in the healthcare sector since January of 2019. Authorities are concerned about the lack
of reporting of such incidents and the impact on patients. The disruption is also expected to put
additional pressure on other hospitals, potentially leading to further critical incidents being
declared. Patients whose
appointments have been canceled or redirected to other providers at short notice are likely to be
particularly affected by the incident.

Researchers have discovered a vulnerability chain that allows for remote code execution on Progress' Telerik Report Server. The chain involves an insecure deserialization flaw and an authentication bypass issue. An attacker can exploit these flaws to create a malicious report, allowing them to execute arbitrary code on the server. The vulnerabilities have been assigned a high CVSS score of 9.9 and 9.8, respectively. A proof-of-concept script has been published, and it is strongly recommended that users patch these flaws as soon as possible. The latest version of Report Server addresses both issues.
Meanwhile, a critical remote code execution vulnerability
has been discovered in Atlassian Confluence data center and server.
The flaw allows unauthenticated attackers to exploit account privileges and execute arbitrary
code with no user interaction required. The vulnerability is due to insufficient input
validation in the add a new language function of the Configure Code Macro section. To exploit this flaw, an attacker must have access to the vulnerable network,
privilege to add new macro languages, and upload a forged JavaScript file.
Atlassian recommends upgrading to the latest version to fix the vulnerability.
Financial Business and Consumer Solutions, FBCS, is a nationally licensed debt collection agency
that collects commercial and consumer debts on behalf of creditors.
They've filed a data breach notification affecting over 3.2 million individuals. The exposed data includes full names, Social Security numbers, birth dates, account information, driver's license or state ID numbers, and medical claims information. In some cases, the compromised data also includes health insurance information. The company has sent breach notifications to those affected, offering 12 months of free credit monitoring.

A new report from CSC 2.0, an offshoot of the Cyberspace Solarium Commission,
warns that rural hospitals are particularly vulnerable to ransomware attacks due to their
limited resources and outdated technology. The report finds that federal funding is crucial to
addressing this issue, as it will allow for major cybersecurity investments.
The threat is no longer theoretical, with recent attacks on large healthcare providers,
including Ascension and Change Healthcare, disrupting patient care and medical procedures.
The report recommends increasing funding for the Department of Health and Human Services,
updating cybersecurity objectives, and encouraging healthcare providers
to invest in basic cybersecurity measures such as employee training and managed IT services.
Australian rare-earths firm Northern Minerals reported that some of its data was released
onto the dark web after detecting a cybersecurity breach months ago. The stolen information includes corporate and financial data,
personnel details, and shareholder info.
The company detected the breach in March 2024,
but only recently learned that the stolen data is now available on the dark web.
Northern Minerals has informed Australian authorities of the theft.
This comes just a day after Australia's government
ordered China-affiliated investors
to sell their shares in the firm
due to concerns over national interest.
Google has released its June 2024 Android security update,
which patches 37 vulnerabilities,
including multiple high-severity elevation of privilege bugs.
The update resolves 19 issues in the framework and system components,
with seven flaws leading to local escalation of privileges.
Additionally, 18 more vulnerabilities were addressed in kernel, Imagination Technologies, and Arm components, with three critical Qualcomm-specific flaws. The update is recommended for all devices running Android to ensure security and prevent potential exploits.

The Microsoft Threat Analysis Center, MTAC, has detected malicious disinformation campaigns by Russian-backed threat actors
targeting the upcoming Summer Olympics in Paris. The goal
is to denigrate the International Olympic Committee's reputation and create fear of
violence breaking out during the Games. MTAC has tracked two main influence actors, Storm-1679 and
Storm-1099, which have been using artificial intelligence-generated content to spread
false information. Tactics include releasing a fake film, producing fake videos and press releases,
and spreading fear of crime or violence through social media bots. One release even included an
audio deepfake of the voice of actor Tom Cruise, falsely expressing his support. The campaigns are expected
to intensify in the weeks leading up to the Olympics, with MTAC warning that Russian actors
may try to exploit security concerns and create illusions of protests or real-world provocations.
Coming up after the break, my conversation with Sandy Bird, Chief Technology Officer at Sonrai. We're discussing the risks of unused identity infrastructure. Stay with us.

Transat presents a couple trying to beat the winter blues.
We could try hot yoga.
Too sweaty.
We could go skating.
Too icy.
We could book a vacation.
Like somewhere hot.
Yeah, with pools.
And a spa.
And endless snacks.
Yes!
Yes!
Yes! Yes! Yes!
With savings of up to 40% on Transat South packages,
it's easy to say, so long to winter.
Visit Transat.com or contact your Marlin travel professional for details.
Conditions apply.
Air Transat. Travel moves us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta. Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Sandy Bird is Chief Technology Officer at Sonrai. I recently caught up with him for our sponsored Industry Voices segment, where Sandy describes the risks of unused identity infrastructure.

Yeah, if we focus on moving workloads to the cloud, like deploying your new workloads in AWS, Azure, Google Compute Cloud, when we look at the actual identity space, about 92% of the identities that are deployed in those clouds have what we're going to call sensitive permissions, things that create and destroy infrastructure, poke holes in the networks, things like that.
And 92% of them don't even use the ones that they're granted.
So they've been granted the identities, the identities don't need them.
And we measured that over a fairly long period of time.
And the longer you were deploying workloads in cloud, the worse it got.
Why is that?
I mean, is it safe to say this is over-provisioning?
There's definitely an over-provisioning aspect.
I think there's an interesting thing
if you look at the data report that we produced.
The machine identities, by far and large,
are the biggest percentage of this.
I think there was
a ratio of like 88% versus 12% of machine identities versus human identities when we
looked at this. And I think it's a lot of times the developer building the application doesn't
know what permissions they're going to need in the future. And so they just naturally over-permission
that. In enterprise networks, the developers were always many levels kind of below
the internet. You know, there were boundary firewalls before they could expose anything.
But in cloud, when they're building on AWS or they're building in GCP, they're really only
one step away. And so these sensitive permissions expose a lot of risk that wouldn't necessarily be
there in a typical enterprise network.

Is it also true that once access is given, it's rarely revoked?

Very rarely revoked.
There's another part of that same data report, which is really interesting. We looked at
identities. Sometimes we call them cyber litter. They're just identities that are there that are
not being used at all. And if we used a 90-day window, was the identity active in the last 90 days? 61% of the identities and people
that had been in cloud for more than five years were no longer used. That's a really high number.
Yeah, that is a high number. So how do people typically go about managing this and what are the frustrations they bump up against?

We, for years, thought that the way people would manage these are using similar process to internal identities like leaver, mover, joiner scenarios, right?
Somebody joins the company, you give them provisions, they leave the company, you take the provisioning away.
But what was happening with all these machine identities were they aren't people, so they don't come into the HR system and leave the HR system.
They just get left there alone.
And we thought, well, that's easy.
We'll just clean them up with automation, right?
We'll write something that goes and finds them all, and then some sort of a utility that goes and then removes them after they have been dormant.
What we found was people weren't willing to do that.
And the reason why, you know, it may be obvious, is that a lot of those identities, the person that actually wrote the code and put
them in place may not even be with the company anymore. And the new person responsible for doing
that in the cleanup doesn't know how to put them back after they've been taken away. And they're
worried they're going to break a yearly report or something very important to the company. So
there's this fear in removing them. And then some of them are actually legitimately there,
but not supposed to be used. Sometimes we call them break-glass accounts or things that we use in cases of emergency.
And so people don't want to turn those ones off. But because they don't have a good inventory of
them, they don't know how to automate this process. And so we spent a lot of time
kind of as we released this cloud permissions firewall to actually have a way of
quarantining them, basically taking the permissions away so they can't be used
right now. But if they need to be brought back, you could bring them back.
It reminds me of that old story about the folks who find something in the server closet
and they don't know what it does.
And somebody says, well, unplug it.
The person who needs it, they'll come, they'll tell you.
It's exactly, and this is exactly how that works in the cloud permission firewall.
We basically cut them off.
As soon as they start to be used again, if they log in, if something assumes that role, whatever it is,
we send a little message in Slack or Teams or whatever people use for their chat ops process saying,
hey, this identity, which hasn't been used in two years, just woke up.
Do you want to allow it to wake up? Yes or no?
And you simply answer it and away you go and it works again.

What are some of the challenges here then for people doing the right thing?
I mean, you'd imagine you want to give people the least amount of privileges that they need.
Is there just too much overhead to do that for most organizations?
I think there's two stories. One is where you've been in cloud for five years and you have a lot of technical debt you need to clean up, in which case, you know, you're going to end up basically creating more work for the teams to clean it up.
Or you're starting net new in cloud, in which case you want to do it right from the start.
And both stories are a little different, but they come back to the point that somebody has to care enough to do this.
Or if that's not the case, you need to put in some centralized controls to stop this.
And we don't like centralized controls anymore.
We want to distribute security
to all of the individuals to do it right.
But where some of these permissions
are so sensitive in cloud,
for the small subset that are really sensitive,
they should be actually probably centrally be controlled
with a really low friction way to, you know,
grant them and remove them basically instantly as people need them.
How often does someone get overprivileged or overprovisioned just based on status?
You know, the CEO, well, we're going to give that person everything.
We had this great story from a design partner we were working with, which said, you know,
and they happened to use Azure, so it was
interesting, but they said basically that the process
was the same for somebody to ask for a
contributor, which is a fairly high role
in the Azure world, as
it was to ask for the least privileged role. So
everybody just asked for a contributor because it was
just the same amount of work and approval
process for both of them.
There is also that scenario that you talk
about where it's the,
you know, I'm the VP of engineering, so I need full access, even though I won't use it in those cases. I think it's interesting. I've seen a mix depending on the companies. Some companies,
that absolutely is the case. And, you know, you look at that company, you're like, oh,
don't take away that access. That's so-and-so. They own this project. And even though they never
use it, we have to leave them that access. And in other companies, people are actually more than willing
to take those away and say, no, they don't need access. Let's turn that off. We'll tell them
they haven't used it in a year and they're willing. So it does, it's changing. I would say
in the modern world, people are, you know, not wanting to have all of this extra access
hanging around.

Yeah, I was going to say, it seems to me like perhaps even a framing issue of saying, you know, we don't want to burden you with the responsibility of all of this extra access.
Yeah.
You know, there's some amount of risk in having it there.
And I think, you know, most executives today, if they've been through cybersecurity training
and things, would know that they shouldn't have all this extra access hanging around.
Well, let's talk about some best practices then.
I mean, you mentioned kind of the two scenarios,
the folks who are coming into this with a bunch of technical debt
and then the people who are starting from a fresh,
a clear, clean slate, if you will.
Can you share some best practices for either of those situations?
Yeah, if you're coming in with a lot of technical debt,
you need to basically have a little bit of a hammer approach to this and that you need to take those really, really sensitive permissions and move them into a centralized control like this cloud permissions firewall where we can find all the exemptions, we grant them back.
But for the 92% that never use them, we just take them away and then give you a really low friction way to enable them if something needs them two weeks from now. If you're starting from scratch, what's really neat is if you put in these
controls from day one where those really sensitive permissions are already gated somehow, right?
There has to be an approval to use them and things. You can let your developers run a little
bit wild and yet still have control of the really sensitive permissions.
But then where the really sensitive workloads are, you do a nice job on least privilege. And I think those are a good balance in those scenarios. But I always tell people, start with those completely
unused identities. We see so many of them in our customers. It's insane. And the amount of privilege
that they have that an attacker could use if they ever got a hold of them is insane.
And so starting with those kind of, you know, completely unused identities is the easiest first step.
How do you and your colleagues there at Sonrai measure success here?
I mean, when you've interacted with an organization and seen the things that they've done, what does it look like on the other side?
Yeah, years ago, we used to measure it in the number of identities that you got to least
privilege. And when we were measuring things in the thousands, we were really excited.
But when we kind of look at the world now and we realize that some of these customers have,
you know, 20,000 unused identities, 50,000 unused identities, measuring things in the thousands
doesn't even help. And so now we measure success more in the number of controls that you can put in place and
the number of, you know, we call them zombie identities you can quarantine because you can
actually deal with the big numbers very, very quickly. And I think that's a better way to look
at success.

Is it common that folks don't even know what they don't know? Like they're unaware of how many identities are just hanging out there, you know, in the graveyard?
It's interesting.
I think most people know, you know, when you talk to them initially, you know, like, oh, yes, we definitely have that problem.
You know, what are you doing about it?
Well, we have a project for that.
The problem is, I think everyone knows that they're going to be able to deal with a human number
fixing this problem. If you have 100
developers and you assign them each five tickets, then you can get
500 things done. But that doesn't actually
scale when you have a problem as big as you do. So you have a tendency
to make it a Friday problem, not a Monday problem.
And we spent a lot of time when we were building this cloud permissions firewall with
these central controls to say, how do we make this a Monday problem where you spend a couple
hours with it, you solve the really big problem, and then that gives you more time to work on the
other things that matter, right? And I think that's a win for people.
Yeah. It strikes me as being kind of also a shame-free way to deal with the situation.
It is, exactly. Yeah.

That's Sandy Bird, Chief Technology Officer at Sonrai.

ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.

And finally, there's an old Hollywood trope
about the isolated village or jungle tribe
that suddenly finds itself exposed to modern technology.
Typically, either hilarity or tragedy ensues.
Heck, Star Trek has the prime directive to deal with this very thing.
Well, thanks to Starlink's satellite internet,
a modern version of this is playing out.
Allyson Reneau is a Brazilian anthropologist and researcher who's dedicated her career to studying and working with indigenous communities in the Amazon rainforest. She's also the intrepid benefactor who's traveled to the heart of the Amazonian jungle to document what happens when the small Marubo tribe in Brazil suddenly finds themselves with access to the internet. Reneau provided the tribe with 20 Starlink systems
to kickstart their journey into the digital domain.
Enoque Marubo, the tribe's leader,
or boss, as he calls himself,
is excited about the prospect of getting online.
He's already got his Amazon Prime account ready to go
and is planning on binge-watching the entire season
of the Great British Baking Show.
Meanwhile, Alfredo Marubo, Enoque's rival or arch-nemesis, as he puts it,
is less optimistic about the arrival of the Internet.
He's worried that it'll corrupt the tribe with its evil ways and turn them all into gamers.
Interviews with other villagers echo common themes from around the world and from all walks of life.
The internet is making these kids lazy.
They don't want to go outside anymore.
But of course, these grown-ups just don't understand.
But seriously, the arrival of the internet in the Amazon rainforest is a big deal.
It's a chance for these remote communities to connect with the rest of the world,
access important information, and even check out the latest cat videos.
A final programming note that admittedly is a bit self-promotional as yours truly is on it.
We'd love you to take a listen to our newest podcast, Only Malware in the Building. We collaborated with our friends at Proofpoint
on this one. The show is hosted by Proofpoint staff threat researcher, Selena Larson,
along with N2K's Rick Howard and me. Each month, we'll explore the mysteries around today's most
intriguing cyber threats. We'll have a link in the show notes. Have a listen. You won't regret it.

email us at cyberwire at n2k.com. Your feedback helps us ensure
we're delivering the information and insights
that help keep you a step ahead
in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like the Cyber Wire
are part of the daily intelligence routine
of many of the most influential leaders and operators
in the public and private sector,
as well as the critical security teams
supporting the Fortune 500
and many of the world's
preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence
optimizes the value of your biggest investment, your people. We make you smarter about your teams
while making your teams smarter. Learn more at n2k.com. This episode was produced by Liz Stokes.
Our mixer is Tré Hester
with original music by Elliott Peltzman.
Our executive producers are Jennifer Eiben
and Brandon Karpf.
Our executive editor is Peter Kilpe
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.

you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights,
receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.