Biden signs cybersecurity executive order
On his way out the door, President Biden signed an executive order that builds on President Obama’s April 2015 EO 13694, updating the criteria used by the Secretary of the Treasury “in designating a person for sanctions for engaging in specified malicious cyber-enabled activities and related conduct.” The order also calls on Federal Government agencies to better secure communications against adversaries, adopt industry cybersecurity best practices across the federal system, and promote security with and in AI systems. Deputy National Security Advisor Anne Neuberger said the goal of the order “is to make it costly and harder for China, Russia, Iran, and ransomware criminals.”
Star Blizzard targeting WhatsApp
New research from Microsoft found that the Russian state-sponsored threat group Star Blizzard has significantly changed its TTPs to incorporate WhatsApp into its phishing campaigns. A mid-November 2024 campaign saw the group sending emails posing as a US government official, containing an intentionally broken QR code under the guise of showing support for Ukrainian NGOs. When users requested a new link, the operator would send a malicious shortened link that posed as a WhatsApp group invite. Instead, this took users to a phishing site with an account-linking QR code, opening the door to access their messages. Microsoft hasn’t seen the campaign in operation since the end of November. This isn’t Microsoft’s first look into Star Blizzard; it collaborated with the US DOJ to shut down over 180 sites used by the group’s previous phishing operations.
US healthcare sector saw 585 breaches in 2024
That figure comes from an analysis by Security Week, pulling from the US Department of Health and Human Services Office for Civil Rights healthcare breach database. These attacks impacted roughly 180 million user records. The Change Healthcare breach accounted for approximately 100 million. 75% of attacks targeted healthcare providers, with 17% impacting healthcare business associates. “Hacking/IT incident,” which includes ransomware, was cited as the cause in most attacks, with unauthorized access a distant second. Healthcare organizations in Texas saw the most incidents last year, with 56.
More details on the PowerSchool breach
Details on how many school districts have been impacted by the breach at the cloud platform provider PowerSchool have been hard to find. The company hasn’t given a comprehensive list, with school districts contacting impacted families directly. However, sources at two impacted school districts speaking to TechCrunch said attackers accessed a large amount of personal data from current and former students and staff. One source said PowerSchool did not implement basic security controls like MFA even after seeing evidence of outside access in its logs. PowerSchool spokesperson Beth Keebler said data retention policies for PowerSchool vary widely between districts and even among individuals, but said: “We expect the majority of involved customers did not have Social Security numbers or medical information exfiltrated.” There is still no word on which threat actors orchestrated the attack.
Huge thanks to our sponsor, Dropzone AI

Law firm disclosed data breach from 2023
The firm Wolf Haldenstein Adler Freeman & Herz disclosed it suffered a data breach on December 13, 2023, impacting the personal information of roughly 3.4 million people, including names, Social Security numbers, medical diagnoses, and claim information. Even though the incident was detected over a year ago, the firm said digital forensic complications delayed its investigation. While it has published a general breach notice and informed Maine’s Attorney General of the incident, it hasn’t been able to send notices to many impacted individuals due to a lack of contact information. The breach notice claimed there is no evidence of misuse of this data, but Wolf Haldenstein will offer credit monitoring for those who believe they were impacted.
Nvidia releases AI safeguard agents
Nvidia Inference Microservices, or NIMs, are containerized lightweight AI models that can moderate the responses of larger models. The company released three new NIM offerings specifically trained around topic control, content safety, and jailbreak protection. The topic control NIM prevents AI agents from drifting off-topic in settings like customer service interactions. The content safety NIM was trained on the human-annotated Aegis Content Safety Dataset. The jailbreak protection NIM helps stop users from bypassing a system’s restrictions. Because they are relatively lightweight, NIMs allow developers to implement multiple guardrails without adding much latency to responses.
Tunneling protocol flaws expose millions of hosts
New findings from noted Wi-Fi security researcher Mathy Vanhoef of KU Leuven and Top10VPN show that several tunneling protocols, including IPIP and GRE, can be made to accept tunneling packets without verifying the sender. The researchers said this could be used to abuse hosts as one-way proxies and to conduct DoS attacks and DNS spoofing. The team found 4.26 million vulnerable hosts, including VPN servers, ISP-provided home routers, and CDN nodes. Most of the vulnerable nodes were located in China. The researchers published full technical details and defense recommendations for hosts, so look for those in our show notes.
(Security Week, Technical Details)
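The underlying problem in the tunneling item above is that IPIP (IP protocol 4) and GRE (IP protocol 47) carry no authentication of their own, so a host that decapsulates whatever arrives will happily process an inner packet from anyone. The following is an added illustration, not code from the researchers or from the original show notes: a small Python filter that parses the outer IPv4 header, drops tunnel packets whose outer source is not on an allowlist of known peers, and only then decapsulates the inner IPv4 header. The peer addresses, the local address, and the sample packets are all constructed for the example.

```python
"""Allowlist filter for unauthenticated IPIP/GRE tunnel packets (illustrative, not production code)."""
import ipaddress
import struct

IPPROTO_IPIP = 4        # IP-in-IP (RFC 2003)
IPPROTO_GRE = 47        # GRE (RFC 2784 / RFC 2890)
ETHERTYPE_IPV4 = 0x0800

# Hypothetical allowlist of tunnel peers; a real deployment would load this from config.
TRUSTED_TUNNEL_PEERS = {ipaddress.ip_address("203.0.113.10")}


def parse_ipv4_header(data: bytes) -> dict:
    """Parse the fixed 20-byte part of an IPv4 header and return the fields we need."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", data[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes (options included)
    if version != 4 or ihl < 20 or len(data) < ihl:
        raise ValueError("malformed IPv4 header")
    return {"proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "header_len": ihl, "total_len": total_len}


def classify_tunnel_packet(packet: bytes, trusted_peers=TRUSTED_TUNNEL_PEERS) -> dict:
    """Decide what to do with a raw IPv4 packet: pass (not a tunnel), drop, or accept."""
    outer = parse_ipv4_header(packet)
    if outer["proto"] not in (IPPROTO_IPIP, IPPROTO_GRE):
        return {"action": "pass", "reason": "not a tunnel packet"}
    # The protocol itself gives us no proof of who sent this, so the outer source
    # address is the only thing we can check before decapsulating.
    if outer["src"] not in trusted_peers:
        return {"action": "drop", "reason": f"tunnel packet from untrusted source {outer['src']}"}
    payload = packet[outer["header_len"]:]
    if outer["proto"] == IPPROTO_GRE:
        # GRE base header: 16 bits of flags/version, 16-bit inner protocol type,
        # then optional checksum, key and sequence fields selected by the C/K/S bits.
        if len(payload) < 4:
            raise ValueError("truncated GRE header")
        flags, proto_type = struct.unpack("!HH", payload[:4])
        offset = 4
        if flags & 0x8000:              # C bit: checksum + reserved1
            offset += 4
        if flags & 0x2000:              # K bit: key
            offset += 4
        if flags & 0x1000:              # S bit: sequence number
            offset += 4
        if proto_type != ETHERTYPE_IPV4:
            return {"action": "drop", "reason": f"unsupported GRE payload type 0x{proto_type:04x}"}
        payload = payload[offset:]
    inner = parse_ipv4_header(payload)
    return {"action": "accept", "outer_src": str(outer["src"]),
            "inner_src": str(inner["src"]), "inner_dst": str(inner["dst"])}


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet for the constructed samples below (checksum left at 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + payload


# Constructed sample traffic: an inner packet wrapped three different ways, plus plain TCP.
INNER = build_ipv4("10.0.0.1", "10.0.0.2", 17, b"\x00\x35\x00\x35\x00\x08\x00\x00")
SAMPLE_IPIP_TRUSTED = build_ipv4("203.0.113.10", "198.51.100.1", IPPROTO_IPIP, INNER)
SAMPLE_IPIP_UNTRUSTED = build_ipv4("192.0.2.77", "198.51.100.1", IPPROTO_IPIP, INNER)
GRE_HDR = struct.pack("!HHI", 0x2000, ETHERTYPE_IPV4, 0x0000002A)   # K bit set, 4-byte key
SAMPLE_GRE_TRUSTED = build_ipv4("203.0.113.10", "198.51.100.1", IPPROTO_GRE, GRE_HDR + INNER)
SAMPLE_PLAIN_TCP = build_ipv4("192.0.2.77", "198.51.100.1", 6, b"\x00" * 20)

if __name__ == "__main__":
    for name, pkt in [("ipip trusted", SAMPLE_IPIP_TRUSTED), ("ipip untrusted", SAMPLE_IPIP_UNTRUSTED),
                      ("gre trusted", SAMPLE_GRE_TRUSTED), ("plain tcp", SAMPLE_PLAIN_TCP)]:
        print(f"{name:15s} -> {classify_tunnel_packet(pkt)}")
```

An outer-source allowlist is a cheap first filter and is what a host-level firewall rule on protocols 4 and 47 amounts to, but it is only as strong as the surrounding network's anti-spoofing, since the outer source address is itself unauthenticated. The durable fix is a tunnel that authenticates its peers cryptographically, such as IPsec, or simply not listening for bare IPIP/GRE on interfaces that face the internet.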
Feds need to speed up cloud adoption
A bipartisan report from the Center for Strategic and International Studies found that the federal government significantly lags the private sector in adopting cloud services, “which has created problems for citizen service delivery and cybersecurity.” As of 2024, only 13% of the $130 billion in federal IT spending went to cloud services. The report calls on the Office of Management and Budget to accelerate the removal of legacy IT systems and include minimum cybersecurity standards in federal contracts for cloud services. As the federal government looks to expand the use of AI in federal projects, cloud services become essential for processing and data storage for models.