CyberWire Daily - Visa crackdown against spyware swindlers.
Episode Date: April 23, 2024

The State Department puts visa restrictions on spyware developers. UnitedHealth says its recent breach could affect tens of millions of Americans. LockBit leaks data allegedly stolen from the DC government. Microsoft says APT28 has hatched a GooseEgg. The White House and HHS update HIPAA rules to protect private medical data. Keyboard apps prove vulnerable. A New Hampshire hospital suffers a data breach. Microsoft's DRM may be vulnerable to compromise. On our Industry Voices segment, Ian Leatherman, Security Strategist at Microsoft, discusses raising the bar for security in the software supply chain. Googerteller just can't keep quiet.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On our Industry Voices segment, Ian Leatherman, Security Strategist at Microsoft, discusses raising the bar for security in the software supply chain.

Selected Reading
U.S. Gov imposed Visa restrictions on 13 individuals linked to commercial spyware activity (Security Affairs)
UnitedHealth Group Previews Massive Change Healthcare Breach (GovInfo Security)
Ransomware Gang Leaks Data Allegedly Stolen From Government Contractor (SecurityWeek)
Russian APT28 Group in New "GooseEgg" Hacking Campaign (Infosecurity Magazine)
HHS strengthens privacy protections for reproductive health patients and providers (The Record)
The not-so-silent type: Vulnerabilities across keyboard apps reveal keystrokes to network eavesdroppers (The Citizen Lab)
Records of almost 2,800 CMC patients vulnerable in 'data security incident': hospital | Crime (Union Leader)
Microsoft DRM Hack Could Allow Movie Downloads From Popular Streaming Services (SecurityWeek)
The creepy sound of online trackers (Axbom)

Share your feedback.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
The State Department puts visa restrictions on spyware developers.
UnitedHealth says its recent breach could affect tens of millions of Americans.
LockBit leaks data allegedly stolen from the D.C. government.
Microsoft says APT28 has hatched a GooseEgg.
The White House and HHS update HIPAA rules to protect private medical data.
Keyboard apps prove vulnerable.
A New Hampshire hospital suffers a data breach.
Microsoft's DRM may be vulnerable to compromise.
On our Industry Voices segment, Ian Leatherman, security strategist at Microsoft,
discusses raising the bar for security in the software supply chain.
And Googerteller just can't keep quiet.
It's Tuesday, April 23rd, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thank you for joining us here today.
It is great to have you with us.
The U.S. Department of State is implementing visa restrictions
on 13 individuals involved in the development and sale of commercial spyware,
as well as their immediate family members.
These individuals are linked to companies that have financially benefited from
or facilitated the misuse of spyware,
which in severe cases have been associated with human rights violations like arbitrary detentions and extrajudicial killings.
This action is part of a broader initiative to combat the misuse of surveillance technology
that's been used against journalists, academics, human rights defenders, dissidents,
and U.S. government personnel. The policy, which officials say underscores the U.S. commitment to
addressing these threats, includes various measures such as export controls, sanctions,
and the prohibition of spyware use by the U.S. government that risks national security.
Key actions have included adding companies like Intellexa and Cytrox
to the Commerce Department's entity list,
which restricts trade with entities posing a national security threat.
UnitedHealth Group has acknowledged a significant data breach
at its Change Healthcare unit following the ransomware attack in February,
which compromised sensitive personal and medical information of potentially millions of Americans.
The breach data includes both protected health information and personally identifiable information.
The full extent of the stolen data is still being determined as the company continues its analysis,
which is expected to take several months.
In response to the breach, UnitedHealth Group has launched a dedicated support system for victims,
including a website, call center, and two years of free credit monitoring and identity theft protections. The attack not only led to the theft of sensitive data, but also caused major
disruptions in U.S. healthcare services, impacting medical
reimbursements and pharmacy prescriptions. UnitedHealth also confirmed that it paid the
ransom to the attackers, a move often discouraged by security experts due to the lack of assurances
that the data will not be misused. Restoration efforts are ongoing, with significant regulatory scrutiny and multiple
lawsuits emerging as a result of the breach. The company estimates the total costs associated with
the attack could reach $1.6 billion. The LockBit ransomware gang has leaked one gigabyte of data
allegedly stolen from the District of Columbia's Department of Insurance,
Securities, and Banking. They claim possession of a much larger trove, 800 gigabytes, which also
includes data from the U.S. Securities and Exchange Commission and various financial entities. This
threat emerges from a cyber attack on Tyler Technologies, a third-party software provider, in late March.
During the breach, unauthorized access was gained
to a cloud environment,
leading to the deployment of ransomware.
Tyler Technologies has been working on recovery
and assessing the full impact,
noting that personal information
such as social security numbers
might have been compromised.
The full scope of the breach is still being determined,
and individual notifications will follow once the affected parties are identified.
Microsoft says Russian APT group APT28, also known as Strontium or Forest Blizzard,
has been using a novel tool called GooseEgg to exploit a Windows print spooler
vulnerability since as early as April 2019. This bug, patched in October 2022 after being reported
by the NSA, allowed the group to modify and execute a JavaScript file with system-level permissions,
enabling the theft of credentials and sensitive information.
GooseEgg serves as a launcher that can initiate other applications with elevated permissions,
supporting activities like remote code execution and lateral movement in compromised networks.
APT28, linked to the Russian GRU and known for cyber espionage, targets entities across Ukrainian, Western European,
and North American government, education, and transportation sectors.
Microsoft urges sysadmins to patch the exploited vulnerability or disable the print spooler
and recommends using EDR or XDR tooling to detect GooseEgg.
The Biden administration introduced new rules on Monday aimed at
protecting the privacy of abortion providers and patients from conservative legal challenges.
These regulations, updated by the Department of Health and Human Services, prohibit health care
providers, insurers, and related entities from disclosing health information to state officials involved in
investigating or prosecuting patients or providers related to abortion services.
The updates to the Health Insurance Portability and Accountability Act, HIPAA,
originally established in 1996, now address modern challenges in reproductive rights,
particularly for those seeking legal abortions across state lines
or under special circumstances like rape. These changes, set to take effect in two months,
come amid significant concerns about the misuse of private medical data in the charged post-Dobbs
legal environment. The new rule also mandates that any requests for health information related to reproductive health
must be formally declared as unrelated to criminal investigations or legal actions.
A pinyin keyboard app is used primarily for typing Chinese characters on devices like smartphones, tablets, and computers.
In a pinyin keyboard app, users type out the phonetic spelling of
Chinese words using the Latin alphabet. The app then displays a list of Chinese characters or
phrases that match the typed pinyin sounds. Users can select the correct character from this list
to input into their text. This method simplifies the process of typing in Chinese and is widely
used both in China and globally by those who need to input Chinese text electronically.
Now, research from Citizen Lab uncovers significant security vulnerabilities in cloud-based pinyin keyboard apps used by approximately 1 billion users globally.
Their study analyzed apps from nine vendors, finding security lapses in eight,
which could expose user keystrokes to passive network surveillance.
Citizen Lab says these vulnerabilities were not previously identified in security literature.
Nearly 2,800 patients at Catholic Medical Center in New Hampshire may have had their personal and health information exposed due to a data breach at Lamont Hanley & Associates, a third-party vendor
handling accounts receivable management for the hospital. This incident involved unauthorized
access to an employee's email account through a phishing attempt. Although the investigation did
not confirm data theft, the possibility could not
be entirely excluded. Affected individuals will be notified and offered free credit monitoring
services. This disclosure follows significant layoffs at the hospital due to financial difficulties.
Adam Gowdiak of AG Security Research discovered vulnerabilities in Microsoft's PlayReady
technology, which is used by streaming services to protect content. He demonstrated that these
vulnerabilities could be exploited to illegally download movies by extracting plain-text content
keys during a specific phase of the encryption process. This exploit does not require hacking into set-top boxes,
but leverages weaknesses in Windows' Protected Media Path and Warbird compiler technologies.
The findings could potentially affect major platforms like Netflix, HBO Max, and Amazon Prime Video, which use PlayReady.
Despite Microsoft's claim that the issue is related to third-party client settings,
Gowdiak's continued research suggests systemic vulnerabilities within PlayReady itself.
Coming up after the break, Ian Leatherman, security strategist at Microsoft,
discusses raising the bar for security in the software supply chain.
Stay with us.
Ian Leatherman is security strategist at Microsoft.
And in today's sponsored Industry Voices segment, we discuss raising the bar for security in the software supply chain.
It's definitely a complicated landscape,
but I think we're having the best approach with thinking of it as insider threats.
So basically, the software supply chain landscape really is no different than the human supply chain landscape.
And when you look at it from that frame, it becomes at least a more tangible landscape to defend against or at least plan for.
Can you give us a little detail about that? I mean, in what way are they similar?
Yeah, so you think of a human insider, right? They're coming into your organization,
they were trusted, they were given a job, they were brought in for a reason, right? And you therefore have to give them trust and responsibilities to accomplish, but they could be doing something nefarious on the side. And so how do you catch
that from a human standpoint? It becomes a very hard, challenging problem. And so when we think
about software supply chain, it's very similar in that the software you're bringing into your
organization, you brought it there for a purpose. It didn't just magically appear there.
You brought it in to perform a function.
And when it deviates from that function or it has an ulterior motive,
that's basically the biggest risk there.
And so how do you catch that and detect it,
knowing that it's something that you intentionally
and willfully brought into your organization?
Yeah. I mean, I suspect that that's a bit more challenging here.
I mean, you can't just use tried and true security methods.
Exactly.
It relies on a lot more behavioral analytics, right?
So just like, again, on the human side,
you do your due diligence.
So you make sure that somebody who is working for you
or who is doing a job inside your organization,
you do a background check,
you make sure that they have a good history,
and you do some due diligence there.
But it really becomes that continuous monitoring.
How do you make sure that the person in your organization is doing what you expect?
And part of that is defining those guardrails.
And so you take that same methodology over into software,
and you say, okay, the software I'm coming in,
yes, it has an accreditation. It's passed those basic security checks. Maybe I've looked at an
SBOM for it, but you don't just leave it at that. It's taking that next step and that continuous
monitoring and saying, this software is supposed to perform the following functions via the
following, whether it be ports, protocols, APIs, and
only those functions, and being able to rapidly detect and respond, preferably autonomously,
if it deviates, is what makes it so hard.
And doing that for a human is challenging, right?
But in a human, your threat is the speed of humans.
And when you're talking software, malicious behavior can be at the speed of software,
which makes it even harder to detect and more imperative that you respond as soon as it's detected.
Well, I mean, when we're talking about this approach of tracking behavior,
are we talking about zero trust here?
I mean, is that a critical part of this equation?
Yeah. So zero trust becomes one of the mechanisms you can use to track that behavior. Because when
we start talking about behavior across your digital environment, you're talking about the
behavior of your endpoint, not just your user, but any identity you have on there. So your endpoint
has its own identity.
The software on it has an identity.
Your network environments have an identity.
So you're looking at what are all of those digital identities doing in aggregate and
making sure that the interactions between them is normal or is expected or is approved.
And so when we talk about behavior, it's really those system of systems integrations and interactions at the lowest level possible.
And the only way to do that is validating raw logs from all of those systems independently, bringing them together in that policy enforcement point to act as a checksum.
And that's really the whole point of zero trust. And so you're assuming that everybody is an insider. You're assuming every piece of software is an insider. That just-in-time access
and continuous monitoring is really the critical part of zero trust. And that's how it can give
you a fighting chance against that software supply chain attack as well. You know, we often hear folks
talk about dealing with what they describe as a kind of a firehose of information, of all these signals coming at them.
How do you propose that organizations make sense of all that data that's heading their way?
Yeah, that is absolutely the challenge.
And it's, again, why this is even harder than human-scale adversary interactions.
And this is where AI really can come into play
and start helping out.
Because one of those things
that especially your large language models
are starting to get good at
is looking at lots of data
and data that there isn't necessarily
a defined pattern for,
but finding those patterns.
And so you can now take that accreditation
and say, this is what I hoped the system would do.
This is why I bought this software in the first place. This is why I deployed this digital asset.
You can take that and now take
all of your raw telemetry that you're getting through
your Zero Trust deployment and start comparing the two,
and make sure that the overall trends that you're
seeing from your logs actually match with what you expect.
And then now you can focus your human resources in the organization on what are those anomalies,
why are they different,
and either your accreditation needs to change
or what you expect the system should be doing should be changing,
or you actually have a flaw in your system,
potentially a supply chain attack.
What about putting appropriate guardrails
on an AI system here?
I mean, there are certain perils
this could bring to the table, right?
Absolutely.
Because at the end of the day, what is AI?
It is a piece of software.
It is essentially a big giant function
that's sitting somewhere,
whether it be in the cloud or locally deployed.
And so you need to actually guard against that supply chain attack with AI.
And so this is actually really important.
If you're bringing in AI, like any other piece of software, into your organization,
you have to do that due diligence and make sure that the AI you're getting is not itself acting nefariously.
And so it's this constant battle of getting deeper and deeper into
your trust relationships that you have for your entire digital estate.
Let's head back up to a little higher level here and talk about some of the other steps that
organizations can take. Advice from you and your colleagues there with the expertise that you all
have, just protecting against software supply chain issues.
Yeah. So the biggest thing is,
if you're trying to mitigate against an insider threat,
and if you think again,
like think of your software supply chain
as that insider threat,
you have to have a good inventory of what are your assets
and what are their roles and responsibilities.
So that way you can actually have something to measure against when you start to say this is acting adversely or
nefariously. And so getting that initial inventory is so critical. One thing that we're finding is
organizations might have an accreditation, or they might have an approved software list, but it's
out of date or it's inaccurate. And so getting that
real-time telemetry and inventory of your entire digital estate becomes so important for that,
so that you actually have a denominator to start measuring against. And so that ties into the zero
trust effort. If you're going to have a chance of locking all the doors to assume breach, you need
to actually know where all of the doors are.
And so getting those things of
where are all of your endpoints?
Where are all of your servers?
What software is actually deployed?
Who is accessing those?
Or what digital identities are accessing those
via API keys, et cetera?
All of that becomes critical
to even have that fighting chance
of detecting a software supply chain attack.
I suppose, I mean, even for things like patching,
knowing what you've got and how up-to-date it is,
that's really a critical element.
Absolutely.
And that's kind of where an EDR comes into play,
and that's just a sensor that you would use in that zero-trust deployment,
that sensor specifically for the user endpoint.
Again, it goes to a risk calculation. All of this is about risk and understanding
at what point does that risk threshold elevate to a level that is of key danger.
And as long as you're thinking of that, of nothing is perfect and you always have that second guess
and you're using all available telemetry to check that, then you at least are aware that
this is a flaw. And it's the same thing with your humans in your organization. Assume every human
has the capability of doing something negative or doing something against you. And so you put
those guardrails in place, still allowing them to do their job that you hired them for, but you need
those sensors there to check for the possibility that they're doing something off the beaten path, so to speak.
Yeah.
Are there any specific tips for folks who are making heavy use of cloud services?
Software as a service in the cloud, does that change the approach here?
It doesn't necessarily change the approach, but it means you need to be aware that there is a significant amount of telemetry that you might not have access to.
So in detecting those anomalies, if it's complete SaaS, it's almost like hiring a contractor in the organization and giving them keys to the kingdom,
you don't necessarily know what that contractor is doing at what times because you have passed a lot of the responsibility off to the contractor.
And that also means you've passed logging on to them.
So it's absolutely a key factor.
And it's just understanding that you won't necessarily be able to detect
and therefore mitigate an attack through that mechanism as easily.
But it comes down to how much logging and visibility do you have.
I'm curious, the folks that you work with who are finding success here,
who are doing the right things, what are the common elements there?
Are there things that seem to be the winning strategy?
Yeah, that's a great question.
I think a lot of the winning strategies we're seeing
comes down to telemetry, right?
So there are multiple, as in all of cyberspace,
there are multiple threats, multiple classes of threats.
Especially when we start talking about software supply chain,
it is really your worst, most sophisticated threat.
We found this just even a few weeks ago with the detection of
the XZ backdoor. These things are hard to find. They involve human elements. And those organizations
that are the most successful or have the best fighting chance of detecting this, especially
given that this attack vector is used widely by nation states, it comes down to how granular do
you have your logging and how much have you actually done
your due diligence in knowing what expected looks like. Because if you don't know what's approved
and what's expected and you're not measuring for it, then you will never know that you have an
anomaly. And so those organizations that are constantly re-evaluating and questioning their infrastructure
and why isn't a system interacting the way it does,
they tend to be the best in this.
Those that have that systems thinking mentality
and not just, I've deployed a server and they walk away and say they're good.
It's, is the server behaving as I set it up for?
And continue to make sure that the system is behaving as they deployed
or as they designed. And more importantly, they're checking for that behavior in perpetuity,
not just I've deployed it and they walk away.
That's Ian Leatherman, security strategist at Microsoft.
That sound you're hearing is your computer sharing your data with Google.
Let me explain.
Dutch software developer Bert Hubert created a tool named Googerteller,
which emits a noise whenever his computer sends data to Google.
The idea, which Hubert says he'd contemplated for years, materialized into software that alerts users of data transmission to Google without their consent.
Following viral attention from his initial demonstration, Hubert enhanced the tool to detect data flows to other trackers like Facebook and numerous others,
making evident the frequent and pervasive nature of online tracking.
The tool's audible alerts bring a new dimension to understanding data privacy,
highlighting the constant data exchange that occurs unnoticed.
For example, here's the sound of someone interacting with Google's homepage,
typing in a common search phrase.
Now, here's the sound of browsing a web page from the Daily Mail,
a site notorious for hoovering up as much information as possible.
Sounds like you've left the speaker on from your 1200 baud modem.
This experiment underscores the visceral impact of real-time awareness tools in promoting transparency and fostering critical discussions on privacy.
Hubert hopes to evolve the tool further,
including visual aids for those hard of hearing
and expanding its
availability across more platforms. In our daily editorial team meeting, one of our producers
suggested replacing the clicking sound with the famous Wilhelm scream. Talk about the stuff of
And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
Music by Elliot Peltzman. Our executive producers are Jennifer Iben and Brandon Karp.
Our executive editor is Peter Kilby, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.