CyberWire Daily - TikTok showdown: U.S. lawmakers target privacy and security.

Episode Date: March 14, 2024

The US House votes to enact restrictions on TikTok. HHS launches an investigation into Change Healthcare. An Irish Covid-19 portal puts over a million vaccination records at risk. Google distributes $10 million in bug bounty rewards. Nissan Oceania reports a data breach resulting from an Akira ransomware attack. Meta sues a former VP for alleged data theft. eSentire sees Blind Eagle focusing on the manufacturing sector. Claroty outlines threats to health care devices. A major provider of yachts is rocked by a cyber incident. In our Threat Vector segment, David Moulton explores the new SEC cybersecurity regulations with legal expert and Unit 42 Consultant Jacqueline Wudyka. And ransomware victims want their overtime pay.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On the Threat Vector segment, host David Moulton explores the new SEC cybersecurity regulations that reshape how public companies handle cyber risks with legal expert and Unit 42 Consultant Jacqueline Wudyka. They discuss the challenges of defining 'materiality,' the enforcement hurdles, and the impact on the cybersecurity landscape.

Selected Reading
Bill that could spur TikTok ban gains House OK (SC Media)
What would a TikTok ban look like for users? (NBC News)
HHS to investigate UnitedHealth and ransomware attack on Change Healthcare (The Record)
How a user access bug in Ireland's vaccination website exposed more than a million records (ITPro)
Google Paid $10m in Bug Bounties to Security Researchers in 2023 (Infosecurity Magazine)
Nearly 100K impacted by Nissan Oceania cyberattack (SC Media)
Meta Sues Former VP After Defection to AI Startup (Infosecurity Magazine)
Malware Analysis: Blind Eagle's North American Journey (eSentire)
Only 13% of medical devices support endpoint protection agents (Help Net Security)
Billion-dollar boat seller MarineMax reports cyberattack to SEC (The Record)
City workers not getting paid overtime amid Hamilton's ransomware attack: unions (CBS News)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The U.S. House votes to enact restrictions on TikTok. HHS launches an investigation into Change Healthcare. An Irish COVID-19 portal puts over a million vaccination records at risk. Google distributes $10 million in bug bounty rewards.
Starting point is 00:02:17 Nissan Oceania reports a data breach resulting from an Akira ransomware attack. Meta sues a former VP for alleged data theft. eSentire sees Blind Eagle focusing on the manufacturing sector. Claroty outlines threats to healthcare devices. A major provider of yachts is rocked by a cyber incident. In our Threat Vector segment, David Moulton explores the new SEC cybersecurity regulations with legal expert and Unit 42 consultant Jacqueline Wudyka.
Starting point is 00:02:47 And ransomware victims want their overtime pay. It's Thursday, March 14th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. In a move reflecting growing concerns over digital privacy and national security, the U.S. House of Representatives passed the Protecting Americans from Foreign Adversary Controlled Applications Act. This legislation targets TikTok, the wildly popular social media platform owned by the Chinese company ByteDance, by threatening a ban unless ByteDance divests its ownership. With the bill now awaiting Senate consideration and President Biden indicating readiness to sign it into law,
Starting point is 00:03:58 the potential implications for TikTok and its vast American user base are significant. Central to the bill's provisions is the authority it would grant the U.S. president to compel foreign-owned social media applications to either sell their interests to non-adversarial entities or face a ban, should U.S. intelligence deem them a threat. Specifically, TikTok, with its 170 million American users, has been singled out due to concerns over data collection and the potential for disseminating Chinese propaganda. However, privacy advocates argue that TikTok's data practices are not significantly different from
Starting point is 00:04:39 those of other social media platforms and suggest that the real solution lies in enacting a robust data privacy law for the United States. Should the sale not proceed, the consequences for TikTok's availability in the United States could be unprecedented. A ban would directly impact the app's distribution through major platforms like Google's Play Store and Apple's App Store, which have historically complied with U.S. law. This restriction could significantly diminish TikTok's accessibility, but experts like Cooper Quintin from the Electronic Frontier Foundation anticipate that users would quickly seek and find workarounds, potentially leading to a surge in tech-savvy individuals capable of bypassing
Starting point is 00:05:27 digital restrictions. The global precedent for such workarounds exists, as seen in countries like India, where TikTok has been banned yet continues to be accessed through various means. These scenarios suggest that a U.S. ban might not effectively curb TikTok's use, but could inadvertently foster a generation more adept at circumventing digital barriers, with all the attendant risks that such endeavors entail, including exposure to malicious software disguised as the banned app. This complex situation underscores the challenges inherent in regulating the digital sphere, where legislative actions aimed at addressing privacy and security concerns
Starting point is 00:06:11 must contend with the realities of technology's pervasive influence and the ingenuity of its user base. As the U.S. grapples with these issues, the debate over TikTok highlights broader questions about data privacy, national security, and the future of digital governance. The U.S. Department of Health and Human Services has announced an investigation into the major ransomware attack on Change Healthcare, which caused widespread disruptions in healthcare services across the country. The Office for Civil Rights is leading the probe to determine if protected health information was compromised and if Change Healthcare
Starting point is 00:06:51 and its parent company, UnitedHealth Group, complied with HIPAA regulations. The investigation follows significant operational impacts on hospitals, clinics, and pharmacies, with reports of severe financial losses due to halted billing operations. UnitedHealth has announced progress in restoring systems, but the attack has highlighted the vulnerability of the healthcare sector to cyber threats, raising concerns about the concentration of healthcare IT services following UnitedHealth's acquisition of Change Healthcare. Security researcher Aaron Costello from AppOmni discovered a significant data leak in the Irish Health Service Executive's COVID-19 vaccination portal, potentially exposing over a million vaccination records, including names and vaccination details. The issue, identified in
Starting point is 00:07:47 December 2021, stemmed from a configuration error that granted users overly broad access via the Salesforce Health Cloud, also exposing internal HSE documents and staff information. Despite the potential for widespread data access, there is no evidence the exposed information was exploited. In 2023, Google dispersed $10 million in rewards through its Bug Bounty program to over 600 security researchers across 68 countries for identifying vulnerabilities in its products and services. This payout marked a decrease from the $12 million awarded in 2022. Since the inception of the program in 2010, Google has paid out a total of $59 million to researchers. The largest single reward in 2023 was over $113,000. The tech giant has increasingly focused
Starting point is 00:08:46 on securing its Android ecosystem, awarding over $3.4 million for significant vulnerabilities found therein and raising the maximum reward for critical vulnerabilities to $15,000. New initiatives include adding Wear OS to the Bug Bounty program and introducing special incentives for finding exploits in Chrome and AI products,
Starting point is 00:09:09 although some of these incentives remain unclaimed. Nissan Oceania reported a data breach affecting nearly 100,000 customers due to a December ransomware attack claimed by the Akira operation. The breach involved the exfiltration of personally identifiable information, employment and salary details, and loan transactions. Up to 10% of affected customers also had sensitive government information like Medicare cards, passports, and driver's licenses stolen. The incident impacted customers of Nissan's finance services, including those of Infiniti, Renault, and Mitsubishi.
Starting point is 00:09:51 Nissan Oceania is offering a year of free credit monitoring and data protection services to affected customers in Australia and New Zealand, committing to promptly inform individuals about the breach and advising on protection against potential harm, identity theft, scams, or frauds. Some observers have noted the delay of over 100 days between the attack and Nissan Oceania's acknowledgement. Meta has initiated legal proceedings against Dipinder Singh Khurana, a former vice president at the company, for allegedly misappropriating employee and business contracts before resigning to join
Starting point is 00:10:33 an AI startup. Accused of being brazenly disloyal, Khurana reportedly uploaded sensitive documents to his personal cloud storage accounts prior to his departure in June of 2023, after 12 years at Meta. He's also accused of recruiting at least eight Meta employees. This case surfaces alongside increasing concerns over insider threats, underscored by a similar incident at Google involving ex-employee Linwei Ding, who allegedly stole AI-related intellectual property. Insider risks are ongoing challenges for cybersecurity defenders, particularly with the shift toward remote work and digital collaboration. Blind Eagle, identified as APT-C-36 since 2018, is a South American threat actor
Starting point is 00:11:26 primarily targeting Colombia and neighboring countries. It uses phishing emails to infiltrate systems. Trend Micro reported in 2021 that Blind Eagle deployed various RATs, including NJRAT and REMCOS. The eSentire Threat Response Unit recently noticed Blind Eagle focusing on the manufacturing sector, delivering malware via phishing emails with malicious VBS files in
Starting point is 00:11:52 RAR and BZ2 archives. These files, once executed, ensure persistence by copying themselves into the startup folder and use obfuscated PowerShell commands to download further malicious payloads. The operation's sophisticated use of encryption and obfuscation techniques, coupled with targeted phishing, highlights the persistent threat posed by Blind Eagle to industries in its focus area. Security firm Claroty reports that 63% of CISA-tracked known exploited vulnerabilities are present in healthcare networks, with 23% of medical devices harboring at least one exploited vulnerability. This cybersecurity risk encompasses a range of devices, from imaging to surgical equipment. The study highlights the challenge posed by legacy devices, which are often retained
Starting point is 00:12:46 beyond their cyber-safe lifespans due to traditional replacement schedules not accounting for cybersecurity risks. Connectivity advances in healthcare have enhanced patient care, but also increased vulnerability to cyber attacks. With only 13% of medical devices supporting endpoint protection and 72% connected to the internet, the emphasis shifts to network security strategies like segmentation to protect patient data and device functionality. Additionally, 22% of hospitals have devices that connect guest and internal networks, presenting significant security risks. MarineMax, the world's largest recreational boat and yacht services company, has disclosed in regulatory filings a cybersecurity incident that began Sunday. The attack involved unauthorized
Starting point is 00:13:40 third-party access to parts of its information environment. Immediate containment measures were taken, causing some business disruptions, though operations continued. The company has engaged cybersecurity experts and informed law enforcement, but it's unclear if the incident was a ransomware attack or involved data theft. MarineMax reported no sensitive data was compromised, and the incident hasn't materially impacted operations yet. This follows cyberattacks on other boating industry leaders, including Brunswick Corporation, which faced significant financial losses due to a cyber incident last year. Coming up after the break, our Threat Vector host David Moulton explores the new SEC cybersecurity regulations with legal expert and Unit 42 consultant Jacqueline Wudyka.
Starting point is 00:14:55 Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com
Starting point is 00:15:42 slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:16:51 David Moulton is host of the Threat Vector podcast right here on the N2K CyberWire network. In this excerpt from a recent episode, David speaks with legal expert and Unit 42 consultant Jacqueline Wudyka about the new SEC cybersecurity regulations. The hardest bar to get into within the multi-state exam is Alaska. They make their score higher than anybody else. Do you know why that is? I don't know.
Starting point is 00:17:14 The moose really needs some good lawyers out there. No explanation. Have you ever seen a moose up close and personal? Not in real life, no. Horse size, bigger, smaller? Oh, much bigger than a horse.
Starting point is 00:17:30 Like a horse is a tiny, tiny little animal. I had read a thing that one of the main predators of a moose is an orca. Moose can dive very deep into water where orcas are swimming around and going like, hmm, that looks delicious, and we'll eat a moose. And I thought you couldn't make it up if you tried. That is so bizarre. Welcome to Unit 42's Threat Vector, where we share unique threat intelligence insights, new threat actor TTPs, and real-world case studies. Unit 42 has a global team of threat intelligence experts, incident responders,
Starting point is 00:18:14 and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, Director of Thought Leadership for Unit 42. Today, we're digging into the new SEC cyber rules with Jacqueline Wudyka, consultant at Palo Alto Networks. Jacqueline is a multilingual legal powerhouse with bar certification in 37 states. As part of Unit 42's cyber risk management team, she specializes in governance, risk, and compliance with a particular emphasis on data privacy. Today, I'm going to share the conversation Jacqueline and I had about the SEC's Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule that was adopted in December 2023. But first, a disclaimer. The information provided on this podcast is not intended to constitute legal advice. All information presented is for general information purposes only.
Starting point is 00:19:22 The information contained may not constitute the most up-to-date legal or interpretive compliance guidance. Contact your own attorney to obtain advice with respect to any particular legal matter. Now, let's get into our conversation. Can you give a brief overview of the aims of the new SEC regulations? Absolutely. So I think to answer what the aim is, right, we have to look at what's the mission of the SEC. What's their goal? Why do they do what they do? And that's to protect investors, to create a fair market.
Starting point is 00:20:01 And in order to do that, they have to regulate the playing field. So that means having the same information, consistent and standardized from all registrants. But what's interesting about it is that this isn't new. This isn't the first time they're trying to have that consistent flow of information. I think their aim with these new regulations is making it clear, making it prescriptive as to what companies need to report on. Yeah, I think that's their goal, right? Having that consistent flow of information across all organizations, across all registrants in order to have that consistency and accurate information. These new rules went into effect last year, December 15th. What are the tangible impacts the SEC cybersecurity rules have had on public companies?
Starting point is 00:20:50 Absolutely. So taking a step back, we have two main requirements in this rule. We have the reporting side and then we have the governance risk management side. So on the reporting side, they're really requiring disclosure of material incidents within four days of that incident being deemed material, right? So to align with this, companies have had to internally define materiality. We've seen a lot of companies begin doing business impact analysis, really determining what is material for them. And this has kind of been a pain point, right? Because it's just so specific and dependent on the organization's build. We've also seen them creating a team or repurposing a team. A lot of these publicly traded companies have a disclosure committee already. So they'll say, okay, we have our definition of materiality. Now who's going to
Starting point is 00:21:44 actually apply that definition? So they'll have this committee or this team that'll be in charge of determining and applying that definition. So for the reporting aspect of it, those are two main things we've seen. And then on the other hand, we have this governance and risk management, right? And the SEC has told us that they want to know that the board of directors and executives are being informed of risk and how they're managing this risk. So we've seen a lot of establishments of processes and procedures and most importantly, communication paths, having those escalations really set in stone, and also creating documentation to support this. And another thing the SEC has noted is that they want enough detail so that a reasonable investor
Starting point is 00:22:33 can understand how this risk is being managed and mitigated and governed. So if you already have these processes and procedures documented somewhere, you're halfway there. It's an excellent starting point. So between the two, between the reporting and the governance and risk management, we're seeing those proactive assessments, that materiality being defined, the restructuring to make sure we have stakeholders in place to make those timely determinations. And we're seeing that executives and board of directors are starting to ask questions to make sure that they're informed on this topic, because that's the biggest, I think one of the biggest, points in this rule: starting that conversation within those executives and the boards. If you're a listener, what's the most important set of ideas that you want them to take away from this conversation?
Starting point is 00:23:25 I think it's being proactive. Having that approach is going to be the best way of handling these new rules. Whether that be defining materiality, establishing who's actually going to apply that definition when the time comes, configuring your tools, And then, as we mentioned earlier, just testing backups, plans, procedures. It's that proactive approach where it's going to take you far. As I reflect on our conversation, it's clear that the intersection of cybersecurity and law is not just evolving, it's dynamically reshaping how organizations approach security and compliance. rule and other regulations. Scott Becker from Actual Tech hosts Jacqueline and Unit 42 consultants and experts Steve Dyson, David Ferron, and Sam Kaplan. I've included a link to the webinar as well. Our executive producer is Michael Heller. Content and production by Shada Azimi, Sheila
Starting point is 00:24:39 Drozki, Tanya Wilkins, and Danny Milrad. I edit the show and Elliot Peltzman is our audio engineer. We'll be back in two weeks. Until then, stay secure, stay vigilant. Goodbye for now. Be sure to check out the Threat Vector podcast wherever you get your podcast episodes. Thank you. a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. Get back. CBC News brings the story to you live. Hundreds of wildfires are burning. Be the first to know what's going on and what that means for you and for Canada. This situation has changed very quickly.
Starting point is 00:26:14 Helping make sense of the world when it matters most. Stay in the know. Download the free CBC News app or visit cbcnews.ca. And finally, employees in the city of Hamilton, Ontario, are increasingly frustrated due to not receiving overtime pay amidst a ransomware attack that has disrupted the city's central services for two weeks. Union leaders representing various city workers have voiced their concerns, highlighting the strain on those who have worked additional hours without compensation. The situation has reached a critical point for many, with union representatives stating that the lack of serious response from
Starting point is 00:27:01 city officials only adds to the frustration. Plans for a group grievance are underway, and there's talk of refusing overtime work altogether. This standoff not only stresses the immediate financial implications for the workers, but also raises concerns about their personal information security in light of the cyber attack. Despite the city's reassurance that personal data has not been compromised, trust issues persist. The workers' dissatisfaction is a good reminder of the broader impact of a ransomware attack on a city's operational and human resource management, and that management and recovery is as much a people problem as it is a technical one. And that's The Cyber Wire.
Starting point is 00:27:58 For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music by Elliot Peltzman.
Starting point is 00:28:27 Our executive producers are Jennifer Iben and Brandon Karp. Our executive editor is Peter Kilby and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:29:23 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
