
Sean Kelly
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Wednesday, December 18, 2024. I'm Sean Kelly.

CISA delivers new directive for securing cloud environments

On Tuesday, the Cybersecurity and Infrastructure Security Agency instructed federal civilian agencies to strengthen security practices for cloud services. CISA's binding operational directive instructs agencies to identify their in-scope cloud tenants by February 21st of next year. Agencies will also need to bring their environments in line with CISA's cloud application security configuration baselines by June 20. So far, CISA has only finalized configuration baselines for Microsoft 365, but it soon plans to release baselines for other cloud platforms, starting with Google Workspace.

Texas Tech reports a data breach affecting 1.4 million people

Texas Tech University disclosed a data breach, which occurred back in September, affecting 1.4 million people at its health sciences centers. The Interlock ransomware gang took credit for the breach, claiming they stole 2.6 terabytes of sensitive data, an investigation confirmed. Exposed information included Social Security numbers, driver's license numbers, medical diagnosis and treatment information, and billing and claims data. Texas Tech said it took immediate steps to remediate the issue and is notifying affected individuals and offering them complimentary credit monitoring services.

Meta fined $263 million for alleged GDPR violations

Back in 2018, cyber scoundrels abused some sloppy Facebook code to steal access tokens and access PII belonging to 30 million users. The slow-turning wheels of Irish justice finally caught up with Meta on Tuesday as the Irish Data Protection Commission levied a 2 million euro fine against the tech giant. Meta said the vulnerability stemmed from multiple coding issues in Facebook's View As feature. The DPC's investigation concluded that the breach resulted in four violations of the European Union's GDPR. Meta said it intends to appeal the decision, arguing it took prompt action to address the issues and also proactively notified impacted users along with the Irish regulator. If the latest fine sticks, it will equate to less than 2% of Meta's third-quarter profits.

Nebraska AG sues Change Healthcare

The Nebraska attorney general has filed a lawsuit against Change Healthcare, blaming the company's historic data breach back in February on its poor security measures. The ransomware attack forced Change Healthcare to shut down its processing services entirely, stopping millions of transactions in February and March. The lawsuit notes that prescriptions went unfilled and patient care was delayed due to disruptions from the attack. Scammers then began contacting Nebraskan patients, posing as hospital representatives and asking for their credit card numbers in order to issue refunds. UnitedHealth Group, which owns Change Healthcare, said, quote, "We believe this lawsuit is without merit and we intend to defend ourselves vigorously," end quote.

And now we'd like to thank today's episode sponsor, ThreatLocker. Do zero-day exploits and supply chain attacks keep you up at night? Worry no more. You can harden your security with ThreatLocker. ThreatLocker helps you take a proactive, default-deny approach to cybersecurity and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation are fully supported by their US-based support team. To learn more about how ThreatLocker can keep your organization running efficiently and protected from ransomware, visit threatlocker.com. That's T-H-R-E-A-T-L-O-C-K-E-R dot com.

Critical hole in Apache Struts under exploitation

A recently patched critical Apache Struts 2 vulnerability is under active exploitation using a public proof-of-concept exploit. Apache Struts is an open-source framework for building Java-based web applications. The bug exists in the software's file upload logic, allowing for malicious file uploads that could lead to remote code execution. To mitigate the risk, Apache says users should upgrade to Struts 6.4.0 or later and migrate to the new file upload mechanism. Multiple national cybersecurity agencies, including those in Canada, Australia and Belgium, have issued public alerts urging impacted software developers to take immediate action.

Attackers exploit Microsoft Teams and AnyDesk to deploy malware

Last week on Cybersecurity Headlines, we covered the evolving tactics being used by the Black Basta gang to deploy the DarkGate remote access Trojan. Security researchers have now uncovered a new social engineering campaign that leverages Microsoft Teams to deploy the DarkGate RAT. The attack involved bombarding a target's email inbox with thousands of emails, after which the threat actors contacted the victims via Microsoft Teams, masquerading as an employee of an external supplier. The attackers instructed victims to install AnyDesk on their systems and then abused the remote access to deliver multiple payloads, including a credential stealer and DarkGate. The researchers recommend that organizations enable multi-factor authentication, use allow lists for approved remote access tools, block unverified applications, and thoroughly vet third-party technical support providers to eliminate the risk of vishing.

Bitter targets defense orgs with new MiyaRAT malware

A cyber espionage threat group known as Bitter was observed targeting defense organizations in Turkey using MiyaRAT, a remote access Trojan coded in C. The attack started with a phishing email containing a malicious attachment and using a foreign investment project lure. MiyaRAT provides data exfiltration, remote control, screenshot capturing, command execution, and system monitoring capabilities. MiyaRAT also improves upon its predecessor, WmRAT, including more advanced data and communications encryption, an interactive reverse shell, and enhanced directory and file control. Proofpoint has published indicators of compromise associated with Bitter's latest attack, and a YARA rule is now available to help with detecting the threat.

Fake Ledger data breach emails try to steal crypto wallets

Ledger is a provider of hardware cryptocurrency wallets, which are secured using 12 to 24 word recovery phrases. Anyone who has access to the recovery phrases can access the wallets and the crypto inside them. Over the past few days, multiple users have reported receiving phishing emails claiming that Ledger suffered a data breach and warning that some recovery phrases have been exposed. Ironically, the email then instructs victims to verify the recovery phrase using Ledger's "secure validation tool." No matter what recovery phrase is entered, the site states that it is invalid. Others have also recently reported Ledger phishing emails masquerading as new firmware updates, again with the same goal of stealing user recovery phrases. Ledger said it will never ask users for their recovery phrases and said they should refrain from entering them into any other sites or apps.

And that does it for today's Cybersecurity Headlines. But if you're in the San Diego area and have ever wanted to meet up with some like-minded CISO Series fans, you're in luck. We're hosting a CISO Series Meetup in San Diego, California on September 18th. It's at Novo Brazil Brewing, Mission Valley, at 6pm Pacific. Come on down and meet the big boss, David Spark. Play some games and network with your fellow fans. We've got more details over at the events page at cisoseries.com. We hope to see you there. Thank you for listening to the podcast that brings you more of the top cyber news stories and more cowbell. I'm Sean Kelly. Cybersecurity Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Cyber Security Headlines – Detailed Summary
Podcast Episode: CISA Cloud Directive, Texas Tech Breach, Meta GDPR Fine
Host: Sean Kelly, CISO Series
Release Date: December 18, 2024
In this episode of Cyber Security Headlines, host Sean Kelly covers the latest developments in information security, including the new CISA cloud directive, the Texas Tech data breach, Meta's GDPR fine, and other notable cybersecurity incidents. This summary captures the key facts, insights, and conclusions presented in each story.
CISA Cloud Directive
Sean Kelly opens the episode by discussing the recent directive from the Cybersecurity and Infrastructure Security Agency (CISA) aimed at enhancing the security of cloud environments within federal civilian agencies.
Directive Details: Under the binding operational directive issued Tuesday, federal civilian agencies must identify their in-scope cloud tenants by February 21 of next year and bring those environments in line with CISA's cloud application security configuration baselines by June 20.
Current Focus: CISA has so far finalized configuration baselines only for Microsoft 365, with baselines for other cloud platforms to follow, starting with Google Workspace.
Key Insight: This directive underscores the federal government's commitment to strengthening cloud security, emphasizing compliance deadlines and the expansion of security standards across major cloud service providers.
Texas Tech Data Breach
The podcast highlights a significant data breach at Texas Tech University affecting 1.4 million individuals within its health sciences centers.
Breach Details: The breach occurred in September and was claimed by the Interlock ransomware gang, which said it stole 2.6 terabytes of sensitive data. Exposed information included Social Security numbers, driver's license numbers, medical diagnosis and treatment information, and billing and claims data.
Response Measures: Texas Tech said it took immediate steps to remediate the issue, is notifying affected individuals, and is offering them complimentary credit monitoring services.
Key Insight: The breach at Texas Tech underscores the persistent threat of ransomware gangs targeting educational and healthcare institutions, highlighting the need for robust data protection measures.
Meta GDPR Fine
Sean Kelly covers the hefty fine imposed on Meta Platforms Inc. by the Irish Data Protection Commission (DPC) for violations of the European Union's General Data Protection Regulation (GDPR).
Violation Overview: In 2018, attackers abused coding flaws in Facebook's View As feature to steal access tokens and access personal data belonging to 30 million users. The DPC's investigation concluded that the breach amounted to four violations of the GDPR, and the regulator levied its fine against Meta on Tuesday.
Meta's Response: Meta intends to appeal, arguing that it took prompt action to address the issues and proactively notified impacted users and the Irish regulator.
Financial Impact: The fine represents less than 2% of Meta's third-quarter profits, indicating the scale of penalties imposed on large tech companies.
Key Insight: This case illustrates the long-lasting repercussions of GDPR non-compliance and the importance of maintaining secure coding practices to protect user data.
Nebraska Lawsuit Against Change Healthcare
The episode details the lawsuit filed by the Nebraska Attorney General against Change Healthcare, attributing a historic data breach to the company's inadequate security measures.
Breach Impact: The February ransomware attack forced Change Healthcare to shut down its processing services entirely, halting millions of transactions in February and March. The lawsuit notes that prescriptions went unfilled and patient care was delayed as a result.
Post-Breach Exploitation: Scammers subsequently contacted Nebraskan patients, posing as hospital representatives and requesting credit card numbers under the pretext of issuing refunds.
Change Healthcare's Stance: Parent company UnitedHealth Group said it believes the lawsuit is without merit and intends to defend itself vigorously.
Key Insight: The lawsuit against Change Healthcare emphasizes the legal and operational ramifications of cybersecurity failures in the healthcare sector, highlighting the critical need for robust security infrastructures.
Apache Struts Vulnerability Under Exploitation
Sean Kelly brings attention to an actively exploited vulnerability in Apache Struts 2, a widely used open-source framework for Java-based web applications.
Vulnerability Details: The recently patched critical flaw lies in the framework's file upload logic and allows malicious file uploads that can lead to remote code execution. A public proof-of-concept exploit exists, and the bug is being exploited in the wild.
Mitigation Steps: Apache advises upgrading to Struts 6.4.0 or later and migrating to the new file upload mechanism.
Global Response: National cybersecurity agencies in Canada, Australia, and Belgium, among others, have issued public alerts urging affected developers to act immediately.
Key Insight: The exploitation of Apache Struts vulnerabilities highlights the ongoing risks associated with widely-used open-source frameworks and the necessity for timely updates and security patches.
Microsoft Teams and AnyDesk Abused to Deploy Malware
The podcast discusses malware deployment tactics involving Microsoft Teams and AnyDesk used by cybercriminal groups, following last week's coverage of Black Basta deploying the DarkGate remote access Trojan.
Attack Overview: Targets' inboxes were bombarded with thousands of emails, after which the attackers contacted victims over Microsoft Teams posing as an employee of an external supplier. Victims were instructed to install AnyDesk, and the attackers then used that remote access to deliver multiple payloads, including a credential stealer and DarkGate.
Recommendations: Researchers advise enabling multi-factor authentication, maintaining allow lists of approved remote access tools, blocking unverified applications, and thoroughly vetting third-party technical support providers.
Key Insight: The exploitation of legitimate collaboration tools like Microsoft Teams for malware deployment demonstrates the evolving sophistication of cyberattacks, necessitating comprehensive security measures and user awareness.
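A detection-side illustration of the recommendations above, added here as an example and not part of the episode or of the researchers' published guidance. It correlates two of the story's observable signals: an inbound email flood against a mailbox, followed within a day by the launch of a remote access tool that is not on the organization's allow list. The log formats, the tool lists, the thresholds, and the assumption that a mailbox name equals the endpoint username are all constructed for the example.

```python
"""Correlate an email flood with a later unapproved remote-access tool launch.

Added example; all log formats, thresholds and tool lists are hypothetical.
"""
from collections import deque
from datetime import datetime, timedelta

# Hypothetical allow list: remote support tools the organization has approved.
APPROVED_REMOTE_TOOLS = {"quickassist.exe"}

# Hypothetical watch list of remote access tool image names (lower-case).
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe", "teamviewer.exe", "quickassist.exe",
    "screenconnect.clientservice.exe",
}

T0 = datetime(2024, 12, 17, 9, 0)  # constructed reference time


def make_email_events():
    """Constructed mail-gateway events as (timestamp, mailbox).

    'alice' receives 600 messages in about 30 minutes (the flood);
    'bob' receives a normal trickle of 20 messages over ~3 hours.
    """
    events = [(T0 + timedelta(seconds=3 * i), "alice") for i in range(600)]
    events += [(T0 + timedelta(minutes=10 * i), "bob") for i in range(20)]
    return sorted(events)


def make_process_events():
    """Constructed endpoint process-creation events as (timestamp, user, image)."""
    return [
        (T0 + timedelta(hours=3), "alice", "AnyDesk.exe"),      # after flood
        (T0 + timedelta(hours=1), "bob", "QuickAssist.exe"),    # approved tool
        (T0 + timedelta(hours=5), "carol", "anydesk.exe"),      # no flood seen
    ]


def email_flood_starts(events, threshold=200, window=timedelta(hours=1)):
    """Return {mailbox: time at which inbound count within `window` first
    reached `threshold`}, using a sliding window per mailbox."""
    recent = {}   # mailbox -> deque of timestamps inside the current window
    floods = {}
    for ts, mailbox in sorted(events):
        q = recent.setdefault(mailbox, deque())
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps older than window
            q.popleft()
        if len(q) >= threshold and mailbox not in floods:
            floods[mailbox] = ts
    return floods


def unapproved_remote_tool_launches(events):
    """Launches of known remote access tools that are not on the allow list."""
    return [
        (ts, user, image) for ts, user, image in events
        if image.lower() in REMOTE_ACCESS_TOOLS
        and image.lower() not in APPROVED_REMOTE_TOOLS
    ]


def correlate(email_events, process_events, lookahead=timedelta(hours=24)):
    """Raise a high-severity alert when an unapproved remote tool is launched
    within `lookahead` after an email flood hit the same user's mailbox;
    otherwise raise a medium-severity alert for the launch alone.
    Assumes mailbox name == endpoint username (hypothetical)."""
    floods = email_flood_starts(email_events)
    alerts = []
    for ts, user, image in unapproved_remote_tool_launches(process_events):
        flood_at = floods.get(user)
        if flood_at is not None and timedelta(0) <= ts - flood_at <= lookahead:
            alerts.append({"user": user, "image": image, "severity": "high",
                           "reason": f"{image} launched {ts - flood_at} "
                                     f"after email flood began"})
        else:
            alerts.append({"user": user, "image": image, "severity": "medium",
                           "reason": f"unapproved remote tool {image} launched"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(make_email_events(), make_process_events()):
        print(alert["severity"], alert["user"], alert["reason"])
```

In production the two feeds would come from the mail gateway and the EDR, and the allow list from whatever application-control policy the organization already maintains; the point of the correlation is that the flood alone is noisy, and the tool launch alone is common, but the pair in sequence matches the chain described in the story.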
Bitter Targets Defense Organizations with MiyaRAT
Sean Kelly highlights a cyber espionage campaign targeting defense organizations in Turkey using a new Remote Access Trojan (RAT) named MiyaRAT.
Campaign Details: The attack began with a phishing email carrying a malicious attachment and a foreign investment project lure. MiyaRAT provides data exfiltration, remote control, screenshot capture, command execution, and system monitoring capabilities.
Enhancements Over Predecessors: Compared with its predecessor WmRAT, MiyaRAT adds more advanced data and communications encryption, an interactive reverse shell, and enhanced directory and file control.
Mitigation Measures: Proofpoint has published indicators of compromise for Bitter's latest activity, and a YARA rule is available to help detect the threat.
Key Insight: The targeting of defense sectors with advanced RATs like MiyaRAT underscores the persistent threats faced by critical infrastructure and the need for advanced threat detection and response strategies.
Ledger Phishing Campaign
The episode covers a phishing campaign targeting users of Ledger, a provider of hardware cryptocurrency wallets secured by 12 to 24 word recovery phrases; anyone holding a recovery phrase can access the wallet and its contents.
Phishing Tactics: Emails claim Ledger suffered a data breach that exposed some recovery phrases and direct recipients to "verify" their phrase on a fake validation site, which reports every phrase entered as invalid. Other emails pose as firmware update notices with the same goal of harvesting recovery phrases.
Ledger's Advisory: Ledger says it will never ask users for their recovery phrases, and users should never enter them into any other site or app.
Key Insight: This phishing campaign highlights the critical importance of user education in safeguarding cryptocurrency assets, emphasizing that recovery phrases should remain confidential and never be shared.
Sean Kelly wraps up the episode by reiterating the importance of staying informed about the latest cybersecurity threats and responses. He encourages listeners to visit CISOseries.com for in-depth stories behind the headlines and announces an upcoming CISO Series Meetup in San Diego, fostering community engagement among information security professionals.
Final Thoughts: This episode of Cyber Security Headlines provides a comprehensive overview of current cybersecurity challenges and responses, emphasizing the need for continuous vigilance, robust security practices, and proactive threat mitigation strategies.
For more detailed discussions and the full transcript, visit CISOseries.com.