CyberWire Daily - UnitedHealth breach numbers confirmed.
Episode Date: October 25, 2024

UnitedHealth confirms breach numbers. Patient privacy pains. Amazon vs. APT29. CDK vulnerability threatens user security. Fog and Akira take aim at SonicWall. Level up or log off. LinkedIn in hot water. Open source, closed doors. Watt's the risk? Today, we are joined by Itzik Alvas, Entro Security's CEO and Co-Founder, discussing their research team's work on non-human identities and secrets management. And Muni Metro hits Ctrl+Alt+Delete on floppy disks!

Selected Reading
UnitedHealth: 100 Million Individuals Affected by the Change Healthcare Data Breach (Heimdal)
OnePoint Patient Care data breach impacted 795916 individuals (Security Affairs)
Amazon identified internet domains abused by APT29 (AWS Security Blog)
RDP configuration files as a means of obtaining remote access to a computer or "Rogue RDP" (CERT-UA#11690) (CERT-UA)
AWS Cloud Development Kit flaw exposed accounts to full takeover (The Register)
Arctic Wolf Labs Observes Increased Fog and Akira Ransomware Activity Linked to SonicWall SSL VPN (Arctic Wolf)
Lazarus Group Exploits Chrome 0-Day for Crypto with Fake NFT Game (Hackread)
LinkedIn hit with $335 million fine for using member data for ad targeting without consent (The Record)
Linux creator approves de-listing of several kernel maintainers associated with Russia (The Record)
U.S. CISA adds Cisco ASA and FTD, and RoundCube Webmail bugs to its Known Exploited Vulnerabilities catalog (Security Affairs)
Cybersecurity Isn't Easy When You're Trying to Be Green (Dark Reading)
Goodbye, floppies - San Francisco pays Hitachi $212 million to remove 5.25-inch disks from its light rail service (TechSpot)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
UnitedHealthcare confirms breach numbers,
patient privacy pains, Amazon versus APT29,
CDK vulnerability threatens user security, Fog and Akira take aim at SonicWall,
level up or log off, LinkedIn in hot water, open source, closed doors.
Today, we are joined by Itzik Alvas, Entro Security's CEO and co-founder,
discussing their research team's work on non-human identities and secrets management.
And Muni Metro hits Control-Alt-Delete on floppy disks.
Today is Friday, October 25th, 2024.
I'm Trey Hester filling in for Dave Bittner, and this is your CyberWire Intel Briefing.
In a follow-up to a big story for 2024,
UnitedHealth confirmed the Change Healthcare data breach impacted over 100 million individuals,
exposing sensitive information such as health insurance,
medical records, billing, and personal identification.
This is the first time the company admitted
to the number of people that were affected.
The breach, attributed to the BlackCat ransomware group, involved exploiting Citrix Remote Access without multi-factor
authentication. UnitedHealth paid a $22 million ransom, though the attackers later reneged,
escalating the breach's cost to around $2.4 billion by Q3 of 2024.
In adjacent healthcare news, OnePoint Patient Care, a U.S.-based pharmacy service provider
specializing in hospice and palliative care services and also providing customized medications
and support for patients with advanced illnesses, announced a breach affecting 795,916 individuals.
The breach involved unauthorized access to systems containing patient records
with potential impacts on privacy and security.
OnePoint has implemented new security measures and notified affected parties to manage risk and assist with recovery.
Amazon recently identified internet domains exploited by APT29, a.k.a. Midnight Blizzard, a group affiliated with Russia's Foreign Intelligence Service.
The group launched a phishing campaign targeting government and military entities,
attempting to steal Windows credentials by imitating AWS domains.
Amazon swiftly moved to seize these compromised domains and to disrupt these malicious activities, according to Amazon CISO C.J. Moses.
CERT-UA has issued an advisory with additional details on their work.
AWS recently patched a vulnerability in the Cloud Development Kit that could allow attackers
to fully compromise user accounts.
This flaw, related to predictable naming in S3 staging buckets, enabled attackers to hijack
bucket names and execute malicious code, risking complete account takeover.
AWS notified affected users and released CDK v2.149.0, urging users to upgrade and apply
additional security measures. Arctic Wolf Labs has observed a surge in activity related to the Fog
and Akira ransomware groups, specifically exploiting vulnerabilities in SonicWall SSL VPNs.
Attackers are leveraging these weaknesses to gain unauthorized network access,
underscoring the need for companies using SonicWall VPNs to patch systems promptly and
implement rigorous monitoring protocols. The North Korean hacking group Lazarus exploited
a zero-day vulnerability in Google Chrome to target cryptocurrency investors through a deceptive
fake NFT game. The attack involved a crafted website mimicking a
legitimate DeFi game to lure users with malware hidden in downloadable content. Once the game
was installed, the attackers could gain full access to the victim's systems to extract sensitive
information and potentially launch further attacks. Ireland's Data Protection Commission
fined LinkedIn $335 million for violating GDPR by using data for targeted advertising without consent.
The investigation revealed that LinkedIn processed personal data without transparent consent, breaching EU regulations.
This penalty highlights the risks tech companies face for non-compliance with GDPR, especially in handling user data for ad tracking.
Linux creator Linus Torvalds recently supported the removal of several Russian maintainers from
the Linux kernel project, a decision likely tied to compliance with new U.S. sanctions against
Russia's tech sector. The delisted maintainers were associated with sanctioned companies.
The move has stirred debate within the Linux community,
raising concerns about inclusivity in open-source development and the influence of geopolitical pressures on open-source contributions.
CISA has added vulnerabilities in Cisco ASA, FTD, and RoundCube webmail
to its Known Exploited Vulnerabilities catalog.
These flaws are actively exploited, posing serious risks to
affected systems. Cisco's issues involve access controls, while Roundcube's bug affects webmail
security. CISA recommends immediate patching to mitigate potential impacts and to protect
infrastructure. A study of 250 energy companies worldwide indicated that renewable energy firms
deal with a large cyberattack surface area. Oil and natural gas firms scored the highest, with an average company
score of 94 out of 100, while the lowest scores belonged to renewable energy companies, which
scored a median of 85. Green energy firms tend to have distributed generation infrastructure,
such as rooftop solar or wind turbines, and are usually more internet-connected than
traditional energy companies.
Both attributes can undermine their defensive posture.
Coming up after the break,
Dave Bittner speaks with Entro Security CEO and co-founder Itzik Alvas,
discussing their research team's work on non-human identities
and secrets management. Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Itzik Alvas is Entro Security's CEO and co-founder,
and he sits down with Dave Bittner
to discuss their research team's work
on non-human identities and secrets management.
Non-human identities are essentially programmatic access keys that applications are using in order to access and authenticate against services and solutions those applications need, like
databases, storage accounts, etc.
They can be service accounts, API keys, connection strings,
and so forth. Again, essentially
programmatic access key.
And so what is
the security issue when it comes to
these non-human identities?
There are, at least
from our customer base, there are
92 non-human identities
for every human identity
for every employee in the organization.
Gartner are saying there are 45 non-human identities for every employee.
So the sheer number is exploding.
But other than that, developers and DevOps are the ones who are creating,
permissioning, using those non-human identities,
and they give them excessive privileges like admin permissions
over databases, storage accounts, other applications,
and basically data of the organization or the customers of those organizations.
And those developers are also scattering them around.
So they can store them within different vaults,
but they can also send them on Slack messages,
commit them into code, and so forth.
So basically, security teams have no real idea
how many non-human identities they have,
where are they, or how they are being utilized.
And without that, of course, they are unable to protect them.
So for the past four years in a row now,
both IBM and Verizon, the leading reports in the industry,
are stating that secrets and non-human identities
targeted attacks are the second most frequent attack vector out there,
just below phishing,
and the number one most costly or destructive attack to an organization. So that's a huge problem.
And so what's to be done here? I mean, what can organizations
do to get control over this? Right, so
first and foremost is getting an inventory, right? Answer the question of how many
non-human identities they have and where, and how they are being used, and who's
the human owner and some
business context and classification
over them.
So that's the beginning,
understanding
where are all of my non-human
identities, then you would like to
classify and enrich each one of them to understand
what is being used for, who's the
human owner, what's the
blast radius, essentially.
And then you can take that inventory and classification
and do static risk analysis, posture management,
understand misconfiguration, how they are being used,
how many of them have not been rotated,
which is replaced, and breaching my compliance,
how many of them are not securely stored,
how many have excessive privileges, and so forth.
Once you achieve that, I assume you would like to monitor their behavior,
their usage for any abnormal behavior.
So let's say someone from Africa is using my tokens,
my non-human identities to access my environment,
and I'm not doing business with Africa.
That's probably something I would like to prevent
and so forth.
So basically what you would like to do
is manage their lifecycle
and secure their lifecycle
and treat them like we're treating human users,
manage their lifecycle.
You would like to do the same
for non-human identities
that have much more permissions
to your organization.
It seems to me that, as you describe, this information can end up in so many places
and be shared across an organization in so many different ways.
Is it safe to say that perfection is not achievable here,
but that most organizations can do a lot better
than they're doing now?
Perfection is always tough to achieve,
but definitely it can be achieved,
and we have some customers that achieve that.
You do need the right tooling in place,
and you need to understand how to secure them and what to secure
because again, those are
floating credentials
that applications are using to access
data and other resources of your
production environment.
So yes, perfection is achievable.
It's not easy and you do
need the right tooling in place.
What are your recommendations
then for people to get started here
if this is something they feel like
they want to spend more resources on
and better attention to?
How should they begin?
All right.
So we have a lot of data around it in our website.
That's entro.security.
We just did an amazing report.
We are the first in the industry to start securing those non-human identities.
We're the first platform out there.
So we have quite a unique perspective and customer base.
So we conducted research.
And there are so many
tips and tricks
and what should you do
and how do you position
your company within that space
and your posture within that space.
I'll give you,
you know, maybe one example.
We're saying, again,
at our customer base
that 40% out of all those
non-human identities
are actually idle, stale, not in use anymore, no one needs them,
but no one is deleting them, right, or removing them or decommissioning them.
That means that you can go ahead and if you can figure out
how many or what are those non-human identities that are not in use in your environment,
you will probably be able to reduce your attack surface, about 40% of your attack surface
within minutes.
So that is super easy to do.
We're seeing that about 97% of all non-human identities have excessive privileges, like admin permissions they don't need.
So right-sizing those permissions will decrease your attack surface by 97%, right?
So, yeah, be familiar with the data.
There are a few lower fruits that you can go ahead
and grab and reduce your attack surface.
Yeah, just look us up.
entro.security, go to our resources page.
There are a lot of data over here
and knowledge that you can read
and better understand space
and how to protect yourself.
That's Itzik Alvas
speaking with our own Dave Bittner.
Cyber threats are evolving every second
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default-deny approach can keep your company safe and compliant.
And finally, who would have thought that a 1998 floppy disk could bring an entire city to a standstill?
Well, in San Francisco's Muni Metro, those five-and-a-quarter-inch relics are still controlling the automatic train control system, and after 26 years of service, they've reached the end of the line.
Enter a whopping $212 million deal with Hitachi Rail
to ditch the disks,
part of a $700 million overhaul
to modernize the entire system.
The ATCS tech,
installed when Titanic was box office gold,
has been holding its own,
barely.
SFMTA's Jeffrey Tumlin
even warned of a potential catastrophic failure.
The upgrade will swap out outdated floppy disks
and snail-paced loop cables
for high-speed Wi-Fi and cellular communication,
setting the stage for reliable,
real-time control of Muni's trains.
So what's the takeaway here?
Ditching outdated tech doesn't just improve service,
it makes systems safer, faster, and future-ready.
So let's give a round of applause to those floppies.
Safe to say they've earned their retirement.
San Francisco, here is your wandering one saying, I wonder no more.
Other places only make me love you worse. Tell me you're the one in all the golden west.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday, where Dave Bittner is joined by Mick Baccio,
a global security advisor for Splunk Surge, as he shares his research on LLM security, Splunk and OWASP
top 10 for LLM-based
applications. That's Research Saturday.
Check it out. We also have a
special edition podcast this weekend featuring
Brandon Karpf's interview with BMNT's
Pete Newell. Their full conversation
touches on the challenges associated with
technology adoption and changes in the
DoD. This special edition podcast
can be found in your daily podcast feed this Sunday.
We'd love to know what you think of this podcast.
Your feedback ensures that we deliver the insights that keep you a step ahead in the
rapidly changing world of cybersecurity.
If you like the show, please share a rating and review in your favorite podcast app.
Please also fill out a survey in the show notes or send an email to cyberwire at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is me,
with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Eiben.
Our executive editor is Brandon Karpf.
Simone Petrella is our president.
Peter Kilby is our publisher.
And I'm Trey Hester, filling in for Dave Bittner.
Thanks for listening,
and Dave will be back on the mic Monday. Thank you.