Transcript
Sean Kelly (0:00)
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Wednesday, December 18, 2024. I'm Sean Kelly.

CISA delivers new directive for securing cloud environments
On Tuesday, the Cybersecurity and Infrastructure Security Agency instructed federal civilian agencies to strengthen security practices for cloud services. CISA's binding operational directive instructs agencies to identify their in-scope cloud tenants by February 21st of next year. Agencies will also need to bring their environments in line with CISA's cloud application security configuration baselines by June 20. So far, CISA has only finalized configuration baselines for Microsoft 365, but soon plans to release baselines for other cloud platforms, starting with Google Workspace.

Texas Tech reports a data breach affecting 1.4 million people
Texas Tech University disclosed the data breach, which occurred back in September, affecting 1.4 million people at its health sciences centers. The Interlock ransomware gang took credit for the breach, claiming they stole 2.6 terabytes of sensitive data. An investigation confirmed exposed information included Social Security numbers, driver's license numbers, medical diagnosis and treatment information, and billing and claims data. Texas Tech said it took immediate steps to remediate the issue and is notifying affected individuals and offering them complimentary credit monitoring services.

Meta fined $263 million for alleged GDPR violations
Back in 2018, cyber scoundrels abused some sloppy Facebook code to steal access tokens and access PII belonging to 30 million users. The slow-turning wheels of Irish justice finally caught up with Meta on Tuesday as the Irish Data Protection Commission levied a 2 million euro fine against the tech giant. Meta said the vulnerability stemmed from multiple coding issues in Facebook's View As feature. The DPC's investigations concluded that the breach resulted in four violations of the European Union's GDPR. Meta said it intends to appeal the decision, arguing they took prompt action to address the issues and also proactively notified impacted users along with the Irish regulator. If the latest fine sticks, it will equate to less than 2% of Meta's third quarter profits.

Nebraska AG sues Change Healthcare
The Nebraska attorney general has filed a lawsuit against Change Healthcare, blaming the company's historic data breach back in February on its poor security measures. The ransomware attack forced Change Healthcare to shut down its processing services entirely, stopping millions of transactions in February and March. The lawsuit notes that prescriptions went unfilled and patient care was delayed due to disruptions from the attack. Scammers then began contacting Nebraskan patients, posing as hospital representatives and asking for their credit card numbers in order to issue refunds. UnitedHealth Group, who owns Change Healthcare, said, quote, "We believe this lawsuit is without merit and we intend to defend ourselves vigorously," end quote.

And now we'd like to thank today's episode sponsor, ThreatLocker. Do zero-day exploits and supply chain attacks keep you up at night? Worry no more. You can harden your security with ThreatLocker. ThreatLocker helps you to take a proactive, default-deny approach to cybersecurity and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation are fully supported by their US-based support team. To learn more about how ThreatLocker can keep your organization running efficiently and protected from ransomware, visit threatlocker.com. That's T-H-R-E-A-T-L-O-C-K-E-R dot com.

Critical hole in Apache Struts under exploitation
A recently patched critical Apache Struts 2 vulnerability is under active exploitation using a public proof-of-concept exploit. Apache Struts is an open source framework for building Java-based web applications. The bug exists in the software's file upload logic, allowing for malicious file uploads that could lead to remote code execution. To mitigate the risk, Apache says users should upgrade to Struts 6.4.0 or later and migrate to the new file upload mechanism. Multiple national cybersecurity agencies, including those in Canada, Australia and Belgium, have issued public alerts urging impacted software developers to take immediate action.

Attackers exploit Microsoft Teams and AnyDesk to deploy malware
Last week on Cybersecurity Headlines, we covered the evolving tactics being used by the Black Basta gang to deploy the DarkGate remote access Trojan. Security researchers have now uncovered a new social engineering campaign that leverages Microsoft Teams to deploy the DarkGate RAT. The attack involved bombarding a target's email inbox with thousands of emails, after which the threat actors contacted the victims via Microsoft Teams masquerading as an employee of an external supplier. The attackers instructed victims to install AnyDesk on their system and then abused the remote access to deliver multiple payloads, including a credential stealer and DarkGate. The researchers recommend that organizations enable multi-factor authentication, use allow lists for approved remote access tools, block unverified applications, and thoroughly vet third-party technical support providers to eliminate the risk of vishing.

Bitter targets defense orgs with new MiyaRAT malware
A cyber espionage threat group known as Bitter was observed targeting defense organizations in Turkey using MiyaRAT, a remote access Trojan coded in C++. The attack started with a phishing email containing a malicious attachment and using a foreign investment project lure. MiyaRAT provides data exfiltration, remote control, screenshot capturing, command execution, and system monitoring capabilities. MiyaRAT also improves upon its predecessor, WmRAT, including more advanced data and communications encryption, an interactive reverse shell, and enhanced directory and file control. Proofpoint has published indicators of compromise associated with Bitter's latest attack, and a YARA rule is now available to help with detecting the threat.

Fake Ledger data breach emails try to steal crypto wallets
Ledger is a provider of hardware cryptocurrency wallets, which are secured using 12 to 24 word recovery phrases. Anyone who has access to the recovery phrases can access the wallets and the crypto inside them. Over the past few days, multiple users have reported receiving phishing emails claiming that Ledger suffered a data breach and warning that some recovery phrases have been exposed. Ironically, the email then instructs victims to verify the recovery phrase using Ledger's "secure validation tool." No matter what recovery phrase is entered, the site states that it is invalid. Others have also recently reported Ledger phishing emails masquerading as new firmware updates, again with the same goal of stealing user recovery phrases. Ledger said it will never ask users for the recovery phrases and said they should refrain from entering them into any other sites or apps.

And that does it for today's Cybersecurity Headlines. But if you're in the San Diego area and have ever wanted to meet up with some like-minded CISO Series fans, you're in luck. We're hosting a CISO Series Meetup in San Diego, California on September 18th. It's at the Novo Brazil Brewing, Mission Valley at 6pm Pacific. Come on down and meet the big boss, David Spark. Play some games and network with your fellow fans. We've got more details over at the events page at cisoseries.com. We hope to see you there. Thank you for listening to the podcast that brings you more of the top cyber news stories and more cowbell. I'm Sean Kelly. Cybersecurity Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
