Cybersecurity News: CISA cloud directive, Texas Tech breach, Meta GDPR fine

In today’s cybersecurity news…

CISA delivers new directive for securing cloud environments

On Tuesday, the Cybersecurity and Infrastructure Security Agency (CISA) instructed Federal civilian agencies to strengthen security practices for cloud services. CISA’s Binding Operational Directive (BOD) 25-01 instructs agencies to identify their in-scope cloud tenants by February 21st, 2025. Agencies will also need to bring their environments in line with CISA’s Secure Cloud Business Applications (SCuBA) configuration baselines by June 20th. So far, CISA has only finalized configuration baselines for Microsoft 365, but it plans to release baselines for other cloud platforms soon, starting with Google Workspace.

(CyberScoop and Bleeping Computer)

Texas Tech reports a data breach affecting 1.4 million people

Texas Tech University disclosed a data breach, which occurred back in September, affecting 1.4 million people at its Health Sciences Centers. The Interlock ransomware gang took credit for the breach, claiming it stole 2.6 terabytes of sensitive data. An investigation confirmed that the exposed information included Social Security numbers, driver’s license numbers, medical diagnosis and treatment information, and billing and claims data. Texas Tech said it took immediate steps to remediate the issue and is notifying affected individuals and offering them complimentary credit monitoring services.

(Security Affairs and Dark Reading)

Meta fined $263 million for alleged GDPR violations

Back in 2018, cyber scoundrels abused some sloppy Facebook code to steal access tokens and access PII belonging to 30 million users. The slow-turning wheels of Irish justice finally caught up with Meta on Tuesday, as the Irish Data Protection Commission (DPC) levied a €251 million ($264 million) fine against the tech giant. Meta said the vulnerability stemmed from multiple coding issues in Facebook’s “View As” feature. The DPC’s investigations concluded that the breach resulted in four violations of the EU’s General Data Protection Regulation (GDPR). Meta said it intends to appeal the decision, arguing that it took prompt action to address the issues and also proactively notified impacted users along with the Irish regulator. If the latest fine sticks, it will equate to less than 2 percent of Meta’s third quarter profits ($15.7 billion).

(The Register)

Nebraska AG sues Change Healthcare

The Nebraska Attorney General has filed a lawsuit against Change Healthcare, blaming the company’s historic data breach on its poor security measures. The ransomware attack forced Change Healthcare to shut down its processing services entirely, stopping millions of transactions in February and March. The lawsuit notes that prescriptions went unfilled and patient care was delayed due to disruptions from the attack. Scammers then began contacting Nebraskan patients, posing as hospital representatives and asking for patient credit card numbers in order to issue “refunds.” UnitedHealth Group, which owns Change Healthcare, said, “We believe this lawsuit is without merit and we intend to defend ourselves vigorously.”

(The Record)

Huge thanks to our sponsor, ThreatLocker

Do zero-day exploits and supply chain attacks keep you up at night? Worry no more; you can harden your security with ThreatLocker.
ThreatLocker helps you take a proactive, default-deny approach to cybersecurity and provides a full audit of every action, allowed or blocked, for risk management and compliance. Onboarding and operation are fully supported by their US-based support team.
To learn more about how ThreatLocker can help keep your organization running efficiently and protected from ransomware, visit ThreatLocker.com.

Critical hole in Apache Struts under exploit

A recently patched critical Apache Struts 2 vulnerability (CVE-2024-53677) is under exploitation using public proof-of-concept exploits. Apache Struts is an open-source framework for building Java-based web applications. The bug exists in the software’s file upload logic, allowing for malicious file uploads that could lead to remote code execution. To mitigate the risk, Apache says users should upgrade to Struts 6.4.0 or later and migrate to the new file upload mechanism. Multiple national cybersecurity agencies, including those in Canada, Australia, and Belgium, have issued public alerts urging impacted software developers to take immediate action.

(Bleeping Computer)

Attackers exploit Microsoft Teams and AnyDesk to deploy malware

Last week on Cyber Security Headlines we covered the evolving tactics being used by the BlackBasta gang to deploy the DarkGate remote access trojan (RAT). Security researchers have now uncovered a new social engineering campaign that leverages Microsoft Teams to deploy the DarkGate RAT. The attack involved bombarding a target’s email inbox with “thousands of emails,” after which the threat actors contacted victims via Microsoft Teams, masquerading as an employee of an external supplier. The attackers instructed victims to install AnyDesk on their system, with the remote access subsequently abused to deliver multiple payloads, including a credential stealer and DarkGate. The researchers recommend that organizations enable multi-factor authentication (MFA), use allowlists for approved remote access tools, block unverified applications, and thoroughly vet third-party technical support providers to eliminate the risk of vishing.

(The Hacker News)
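One of the recommendations above is an allowlist for approved remote-access tools. The following is an added example, not code from the article or from the researchers it cites: it runs an allowlist check over constructed endpoint process-start events, flagging a remote-access tool that is not approved (AnyDesk here) and one launched from a user-writable directory, which is the footprint of a victim installing a tool on instruction. The approved tool (TeamViewer), hostnames, usernames and paths are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class ProcessEvent:  # one endpoint process-start record (constructed for this example)
    host: str
    user: str
    image: str  # full path of the executable that started

# Assumption: the organization has approved only TeamViewer for remote support.
APPROVED_REMOTE_TOOLS = {"TeamViewer"}

# Executable-name substrings mapped to the remote-access product they belong to.
# AnyDesk is the tool abused in the campaign; TeamViewer stands in for an approved one.
REMOTE_TOOL_SIGNATURES = {"anydesk": "AnyDesk", "teamviewer": "TeamViewer"}

# Path fragments of user-writable locations: a remote tool started from one of these
# was most likely downloaded and run ad hoc, not deployed by IT.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\")

def identify_remote_tool(image_path):
    """Return the remote-access product for an executable path, or None."""
    name = image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    for needle, product in REMOTE_TOOL_SIGNATURES.items():
        if needle in name:
            return product
    return None

def check_events(events):
    """Return (host, user, product, reasons) for each remote tool that breaks the allowlist or runs from a user-writable path."""
    alerts = []
    for ev in events:
        product = identify_remote_tool(ev.image)
        if product is None:
            continue
        reasons = []
        if product not in APPROVED_REMOTE_TOOLS:
            reasons.append("not on the approved remote-access tool list")
        if any(m in ev.image.lower() for m in USER_WRITABLE_MARKERS):
            reasons.append("launched from a user-writable directory")
        if reasons:
            alerts.append((ev.host, ev.user, product, reasons))
    return alerts

# Constructed sample: a victim running AnyDesk from Downloads, an IT-deployed
# TeamViewer, and an unrelated Outlook process that must not be flagged.
SAMPLE_EVENTS = [
    ProcessEvent("WS-014", "jdoe", r"C:\Users\jdoe\Downloads\AnyDesk.exe"),
    ProcessEvent("WS-022", "itadmin", r"C:\Program Files\TeamViewer\TeamViewer.exe"),
    ProcessEvent("WS-014", "jdoe", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"),
]
```

Calling `check_events(SAMPLE_EVENTS)` yields a single alert for the AnyDesk launch with both reasons attached; the IT-deployed TeamViewer and the Outlook process produce nothing.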

‘Bitter’ targets defense orgs with new MiyaRAT malware

A cyberespionage threat group known as ‘Bitter’ was observed targeting defense organizations in Turkey using MiyaRAT, a remote access trojan coded in C++. The attacks started with a phishing email containing a malicious attachment and using a foreign investment project lure. MiyaRAT provides Bitter with data exfiltration, remote control, screenshot capturing, command execution (CMD or PowerShell), and system monitoring capabilities. MiyaRAT improves upon its predecessor, WmRAT, and includes more advanced data and communications encryption, an interactive reverse shell, and enhanced directory and file control. Proofpoint has published indicators of compromise (IoCs) associated with Bitter’s latest attack, and a YARA rule is now available to help with detecting the threat (linked within Bleeping Computer’s story).

(Bleeping Computer)

Fake Ledger data breach emails try to steal crypto wallets

Ledger is a provider of hardware cryptocurrency wallets, which are secured using 12- to 24-word recovery phrases. Anyone who has access to a recovery phrase can access the wallet and the crypto inside it. Over the past few days, multiple users have reported receiving phishing emails claiming that Ledger suffered a data breach and warning that some recovery phrases have been exposed. Ironically, the email then instructs victims to verify their recovery phrase using Ledger’s “secure validation tool.” No matter what recovery phrase is entered, the site states it is invalid. Others have also recently reported Ledger phishing emails masquerading as new firmware updates, again with the same goal of stealing user recovery phrases. Ledger said it will never ask users for their recovery phrases and that users should refrain from entering them into any other sites or apps.

(Bleeping Computer)

Sean Kelly
Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.