Transcript
Dave Bittner (0:02)
You're listening to the Cyberwire Network, powered by N2K. A ransomware attack exposes personal medical records of VA patients. New joint guidance from CISA and the NSA emphasizes asset inventory and OT taxonomy. The UK government reportedly spent millions to cover up a data breach. Researchers identified two critical flaws in a widely used print orchestration platform. Phishing attacks increasingly rely on personalization. Rooting and jailbreaking frameworks pose serious enterprise risks. Fortinet warns of a critical command injection flaw. Estonian nationals are sentenced in a crypto Ponzi scheme. Michele Campobasso from Forescout joins us to separate the hype from reality around vibe hacking, and meet the blockchain bandits of Pyongyang. It's Thursday, August 14, 2025. I'm Dave Bittner and this is your Cyberwire Intel Briefing. Thanks for joining us here today. It's great to have you with us. A ransomware attack on DaVita, a major dialysis provider contracting with the Department of Veterans Affairs, exposed about 1 million medical records, including veterans' Social Security numbers, lab results and insurance details. The breach affected VA patients receiving dialysis and lab services through the Veteran Community Care program. Additional data such as names, check images and tax IDs may have been compromised. The VA paid DaVita $206 million in early 2025 for services, but its internal systems were not impacted. Forensic teams and the FBI are investigating. DaVita has restored affected systems and will offer 12 months of free credit monitoring to victims. Kidney disease is more prevalent among veterans, with the VA caring for about 600,000 affected individuals nationwide. New joint guidance from agencies including CISA, the NSA, EPA and international partners emphasizes that building a modern, defensible architecture for operational technology relies on a well-maintained asset inventory and OT taxonomy.
Titled "Foundations for OT Asset Inventory: Guidance for Owners and Operators," the document outlines a structured, multi-step process: define governance, scope and roles; identify OT assets and collect key attributes like IP addresses, manufacturer and criticality; create a taxonomy classifying assets by function or criticality and organizing them using zones and conduits; manage inventory data centrally; and apply lifecycle management. Beyond inventory, it guides organizations in improving cybersecurity through vulnerability tracking, performance monitoring, training and continuous improvement. Appendix examples include conceptual taxonomies for oil and gas, electricity and water infrastructure. While voluntary and not prescriptive, this guide aids asset owners in enhancing information clarity, security posture and operational resilience for critical OT environments. Separately, CISA warned that attackers are actively exploiting two vulnerabilities in N-able's N-central remote monitoring and management platform. The flaws, which require authentication, could allow command execution and input injection. N-able patched them in the recent version and urged immediate upgrades. About 2,000 instances are exposed online, mostly in the U.S., Australia and Germany. CISA added the bugs to its Known Exploited Vulnerabilities catalog, giving US federal agencies until August 20 to patch, and advised all organizations to secure systems promptly to reduce exploitation risk. In 2022, a British military error exposed the personal details of 18,700 Afghans who had worked with UK forces, risking Taliban reprisals, according to the New York Times. The Conservative government sought a rare contra mundum superinjunction, barring disclosure even to its victims, spending $3.2 million in legal costs. The breach wasn't discovered until August 2023, when part of the data appeared on Facebook. Journalists who inquired were served with secrecy orders.
The injunction lasted 18 months, until Labour's 2024 review prompted its lifting. Critics argue the order increasingly served to avoid political embarrassment. The breach triggered a £400 million secret relocation program for 4,500 Afghans. The case, unprecedented in scope, has sparked debate over press freedom in Britain, with legal experts noting such gag orders would be impossible under U.S. First Amendment protections. Researchers at Horizon3.ai have identified two critical flaws in Xerox FreeFlow Core, a print orchestration platform widely used by commercial print shops, universities and government agencies. The XXE injection vulnerability and path traversal flaw allow unauthenticated remote attackers to execute arbitrary code on affected systems. One of the vulnerabilities enables server-side request forgery via improperly handled XML entities. The other allows attackers to upload files to arbitrary locations, enabling web shell deployment and remote execution. Both vulnerabilities are patched in the latest version, and immediate upgrading is advised. The flaws were discovered during an investigation into unusual exploit callbacks and disclosed under Horizon3.ai's vulnerability policy. Cofense Intelligence reports that subject customization, personalizing email subjects, attachments and links, is a key phishing tactic for delivering malware, especially remote access trojans and information stealers. From the third quarter of 2023 through the third quarter of 2024, the top malware delivery themes with customized subjects were travel assistance, finance, taxes and notification. Travel assistance most often delivered Vidar Stealer, response used Pikabot, and finance commonly used jRAT. Customized file names often contained PII, particularly with jRAT and Remcos RAT in finance- or taxes-themed emails. This sort of personalization increases engagement, aiding attackers in stealing credentials or enabling brokered access for ransomware operations.
Zimperium's zLabs warns that modern rooting and jailbreaking frameworks, often developed without security oversight, pose serious enterprise risks by enabling malware infections, app compromise, and full system takeover. Many use Android kernel patching, as in KernelSU, APatch and SKRoot, hooking kernel functions to gain root access. Weak authentication between user apps and kernel interfaces creates exploitable flaws. A KernelSU 5.7 vulnerability let attackers spoof the manager app via file descriptor manipulation, bypassing signature checks to gain root before the legitimate manager launched. Similar weaknesses, such as APatch's past weak password protection and Magisk's impersonation bug, show these risks are common. zLabs stresses continuous monitoring, as improper authentication, insecure communication, and poor privilege isolation in rooting tools create persistent real-world exploitation opportunities. Fortinet warns of a critical remote unauthenticated command injection flaw in FortiSIEM, a security monitoring platform used by governments, enterprises and MSSPs. Exploit code is already active in the wild, allowing attackers to execute unauthorized commands via crafted CLI requests, with no distinctive IOCs for detection. Multiple versions are affected. Only supported releases will receive patches. Admins should upgrade immediately to fixed versions or restrict access to phMonitor on port 7900. Older, unsupported versions remain permanently vulnerable. Estonians Sergey Potapenko and Ivan Turogin were sentenced in Washington State to time served for running a $500 million cryptocurrency Ponzi scheme. Starting in 2013, they sold Bitcoin mining equipment via HashCoins but never had adequate inventory. They later launched HashFlare, offering remote mining contracts showing fake profits to investors while operating only a fraction of the claimed capacity. Assets worth over $450 million were seized for victim compensation.
Prosecutors sought 10 years, and the DOJ may appeal the sentence. Coming up after the break, Michele Campobasso from Forescout joins us to separate the hype from the reality around vibe hacking, and meet the blockchain bandits of Pyongyang.
