Cyber Security Headlines - January 10, 2025
Hosted by CISO Series
In this episode of Cyber Security Headlines, hosted by Steve Prentiss from the CISO Series, several critical events unfolded in the information security landscape. The discussion provides an in-depth analysis of major outages, data breaches, and vulnerabilities impacting organizations worldwide. Below is a comprehensive summary of the key topics covered.
1. Proton Experiences Worldwide Outage
Overview: Privacy-focused firm Proton suffered a significant service disruption beginning at 10:00 AM Eastern Time on January 9, 2025. The outage affected multiple Proton services, including ProtonVPN, ProtonMail, calendar, drive, Pass, and wallet functionalities.
Service Restoration:
- ProtonVPN, drive, Pass, and wallet: Restored promptly after the outage began.
- ProtonMail: Service was brought back online by approximately 1:09 PM Eastern Time.
- Calendar: As of the recording time, the calendar service remained inaccessible.
Cause of Outage: Proton has not yet disclosed the underlying cause of the disruption, leaving members uncertain about the factors leading to the outage.
Notable Quote:
"Proton is dealing with a massive outage that started at 10am Eastern Time yesterday, leaving members unable to access ProtonVPN, Mail, Calendar, Drive, Pass and Wallet."
— Steve Prentiss [00:07]
2. Baymark Health Data Breach Announcement
Incident Details: Baymark Health, North America's largest provider of substance use disorder treatment and recovery services, disclosed a data breach affecting patients' personal and health information. The breach occurred between September 24 and October 1, 2024.
Detection and Response:
- Discovery Date: October 11, 2024, following an IT systems disruption.
- Data Compromised: Included Social Security numbers, driver's license numbers, dates of birth, services received, and insurance information.
- Affected Population: While the exact number of individuals notified has not been revealed, Baymark operates across 400 service sites in 35 states and three Canadian provinces.
Company Profile: Based in Texas, Baymark Health provides medication-assisted treatment and mental health disorder services through a vast network of facilities.
Notable Quote:
"North America's largest provider of substance use disorder treatment and recovery services is now notifying patients that their personal and health information was stolen in a September 2024 breach."
— Steve Prentiss [00:07]
3. Treasury Department Breach Linked to Silk Typhoon Group
Incident Overview: An update on the breach of the U.S. Treasury Department has revealed that the Silk Typhoon APT group, also known as Hafnium, was responsible for the attack. The group used stolen remote support SaaS API keys belonging to the cybersecurity vendor BeyondTrust to infiltrate the Office of Foreign Assets Control and the Treasury Department's Office of Financial Research.
Group Profile: Hafnium is notorious for targeting sectors such as education, healthcare, defense, and non-governmental organizations. The "Typhoon" nomenclature is part of Microsoft's convention for categorizing Chinese APT groups, paralleling other labels like "Blizzard" for Russian actors.
Notable Quote:
"Silk Typhoon APT Group was responsible for the Treasury hack using stolen remote support SaaS API keys."
— Steve Prentiss [00:07]
4. Russian ISP Network Destroyed by Ukrainian Hackers
Attack Details: Hacktivists from the Ukrainian Cyber Alliance group breached the Russian Internet service provider Nodex. They wiped the ISP's systems and their backups, destroying sensitive documents and leaving the infrastructure inoperable.
Evidence Presented: The attackers shared screenshots showing compromised VMware, Veeam Backup, and Hewlett Packard Enterprise virtual infrastructure systems, highlighting the extent of the breach.
Notable Quote:
"Hacktivists from the Ukrainian Cyber Alliance group announced on Tuesday they had breached the network of Russian Internet service provider Nodex and had wiped its systems after stealing sensitive documents."
— Steve Prentiss [00:07]
5. CISA Updates on Ivanti Products and ZTA Gateways Vulnerabilities
Vulnerability Details: The Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities in Ivanti products to its Known Exploited Vulnerabilities (KEV) catalog:
- Ivanti Connect Secure Vulnerability: Scored 9.0 on the CVSS scale, allowing unauthenticated remote code execution (RCE).
- ZTA Gateways Flaw: Could enable local authenticated attackers to escalate privileges.
Action Required: Federal agencies are mandated to address these vulnerabilities by January 15, 2025. Private companies are also strongly encouraged to update their systems to mitigate potential threats.
Notable Quote:
"The Ivanti Connect Secure vulnerability, with a CVSS score of 9.0, was added to the agency's Known Exploited Vulnerabilities catalog alongside ZTA Gateways."
— Steve Prentiss [00:07]
6. Casio Ransomware Attack Post-Mortem
Incident Overview: Casio released a post-mortem report on the ransomware attack it suffered on October 5, 2024. The breach impacted:
- Employees: 6,456
- Business Partners: 1,931
- Customers: 91
Attack Vector: The ransomware infiltration was attributed to phishing emails that granted the attackers access to Casio's servers. The incident resulted in the theft of personally identifiable information (PII) and caused significant delivery delays.
Attacker Claims: An underground ransomware gang claimed responsibility, stating they stole over 200 gigabytes of data.
Notable Quote:
"The stolen data included PII employees... and customers' data was PII along with product purchase information."
— Steve Prentiss [00:07]
7. Critical RCE Flaw in GFI Kerio Control
Vulnerability Details: Security researcher Egidio Romano identified a critical reflected cross-site scripting (XSS) vulnerability in GFI Kerio Control that can be chained into a one-click remote code execution (RCE) attack.
Impact: Censys, an Internet scanning and threat intelligence firm, reported observing 24,000 instances of GFI Kerio Control exposed to the Internet, many of them located in Iran. The exact number of vulnerable systems remains unclear.
Solution: Organizations using GFI Kerio Control are urged to apply patches and implement security measures to prevent exploitation.
Notable Quote:
"GFI Kerio Control is a network security solution that provides firewall functionality and unified threat management capabilities."
— Steve Prentiss [00:07]
8. Medusind Announces Data Breach
Incident Details: Medusind, a medical and dental billing and revenue cycle management company, reported a data breach that occurred on December 29, 2023. Key details:
- Individuals Affected: Over 360,000
- Data Stolen: PII, health information, Social Security numbers, and other government IDs.
Attack Attribution: While the company suggests the breach may have been the result of a ransomware attack, no cybercrime group has claimed responsibility as of the report.
Notable Quote:
"Medusind says that the incident occurred on December 29, 2023 and involves the PII, health information, Social Security numbers and other government IDs of just over 360,000 people."
— Steve Prentiss [00:07]
Upcoming Segment: Week in Review Show
Event Details: Listeners are invited to join the Week in Review show scheduled for later the same day at 3:30 PM Eastern Time. The session will feature Bill Harmer, Operating Partner and CISO at Craft Ventures, who will provide expert commentary on the week's news.
Participation: Listeners are encouraged to join the conversation through comments on the CISO Series' YouTube live stream. Details can be found on the events page at cisoseries.com.
Closing Quote:
"Make sure to join us later today at 3:30pm Eastern for our Week in Review show."
— Steve Prentiss [07:12]
Additional Resources
For comprehensive details and full stories behind these headlines, listeners are directed to visit cisoseries.com.
This summary encapsulates the critical cybersecurity events discussed in the January 10, 2025, episode of Cyber Security Headlines by the CISO Series. Stay informed and secure by regularly following trusted sources and implementing recommended security measures.
