Cybersecurity News: Episource Breach, Predatory Sparrow strikes again, Swiss banks data leak

In today’s cybersecurity news…

Over 5 million impacted by Episource breach

In a notice on its website, the healthcare technology services provider Episource disclosed that threat actors accessed its systems from January 27 through February 6, 2025. In filings with the US Department of Health and Human Services, it reported that the breach affected over 5.4 million people, with stolen information including Social Security numbers, insurance and Medicaid-Medicare ID numbers, and medical records. The company is working with partnered doctors and health plan providers to notify all impacted victims. Episource urges victims to review benefit statements for fraud. Episource experienced a similar loss of data from a cyberattack back in 2023.

(The Record)

Predatory Sparrow strikes Iran again

The pro-Israel hacktivist group took another swipe at Iran’s financial sector, stealing over $90 million in assets from Nobitex, the country’s largest crypto exchange. Predatory Sparrow took credit for the attack on social media and threatened to release Nobitex source code and other internal information. Researchers at Elliptic confirmed they saw a $90 million asset transfer, with the vanity addresses used supporting Predatory Sparrow’s claims. The attack came a day after the group also took credit for an attack on the state-owned Bank Sepah.

(CyberScoop)

Data leak at Swiss banks

Both UBS and Pictet confirmed they had internal data leaked through a breach “at an external supplier,” identified by the Swiss newspaper Le Temps as the business service company Chain IQ. Leaked data includes employee data on tens of thousands of UBS staff, direct internal phone lines to UBS executives, and Pictet invoice information. Both banks said the attack did not compromise any client information. Attackers published data from the attack on illicit forums on June 12th. Chain IQ said it would not disclose information on any negotiations or potential ransom demands.

(Reuters)

Microsoft 365 to block legacy auth protocols

Starting mid-July, Microsoft will begin changing security defaults for Microsoft 365 tenants to block legacy authentication protocols across SharePoint, OneDrive, and Office files. It estimates this transition will be completed by August. This will include blocking browser authentication for SharePoint and OneDrive using the Relying Party Suite (RPS) and blocking the opening of Office files over the FrontPage Remote Procedure Call protocol (FPRPC). Microsoft said these protocols are vulnerable to brute force and phishing attacks. The company will also update App Consent Policies so that users can no longer grant third-party apps file access by default without admin approval.
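For admins who would rather not wait for the default to flip, the SharePoint Online tenant setting that blocks legacy (non-modern) authentication can be inspected and set today. The snippet below is an added example for this story, not Microsoft's own guidance or code from the announcement; it assumes the SharePoint Online Management Shell module is installed, that the account used holds the SharePoint Administrator role, and that `contoso` stands in for your tenant name.

```powershell
# Added example (not from the original article). Assumes the
# Microsoft.Online.SharePoint.PowerShell module is installed and the
# caller is a SharePoint Administrator. "contoso" is a placeholder tenant.
Import-Module Microsoft.Online.SharePoint.PowerShell

# Connect to the tenant admin endpoint (interactive sign-in).
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Read the current state before changing anything. $true means legacy
# authentication protocols are still permitted for SharePoint/OneDrive.
$tenant = Get-SPOTenant
Write-Host ("LegacyAuthProtocolsEnabled before: {0}" -f $tenant.LegacyAuthProtocolsEnabled)

# Block legacy auth protocols at the tenant level. Clients that cannot use
# modern (OAuth-based) authentication will be refused after this change.
if ($tenant.LegacyAuthProtocolsEnabled) {
    Set-SPOTenant -LegacyAuthProtocolsEnabled $false
}

# Confirm the setting took effect.
$after = (Get-SPOTenant).LegacyAuthProtocolsEnabled
Write-Host ("LegacyAuthProtocolsEnabled after:  {0}" -f $after)
if ($after) {
    Write-Warning "Legacy auth is still enabled; check the role of the signed-in account."
}
```

Run it in a test tenant first and watch sign-in logs for clients that stop working; anything still depending on RPS or FPRPC will surface as authentication failures once the setting is false, which is exactly the inventory you want before Microsoft's own rollout reaches the tenant.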

(Bleeping Computer)

Huge thanks to our sponsor, Adaptive Security

As deepfake scams and GenAI phishing evolve, Adaptive equips security teams with AI-powered phishing simulations featuring realistic personalized deepfakes and engaging security awareness training. Their new AI Content Creator turns threat intel and policy updates into interactive, multilingual training — instantly.

Trusted by Fortune 500s and backed by Andreessen Horowitz and OpenAI, Adaptive helps you stay ahead of AI-driven threats.

Learn more at adaptivesecurity.com.

State healthcare exchanges share data with Big Tech

An investigation by The Markup and CalMatters found that four state-run insurance marketplace sites share sensitive information through embedded advertising trackers. The investigation looked at exchanges operated by 20 states. Nevada’s exchange shared prescription and dosage information with LinkedIn and Snapchat; Maine’s and Rhode Island’s exchanges shared the same information, along with doctor visits, with Google. Massachusetts shared some disability and pregnancy information with Google. Part of the issue is that some exchanges used a separate site to connect users with insurance plans, and those services use embedded trackers. All exchanges removed the trackers when alerted by the investigators, maintaining that they do not store any personally identifiable information.

(The Markup)

Linux distros vulnerable to LPE vulnerabilities

Researchers at the Qualys Threat Research Unit discovered two new local privilege escalation (LPE) vulnerabilities impacting many prominent Linux distributions. One flaw in the Pluggable Authentication Modules (PAM) framework on SUSE Linux 15 allows attackers to obtain “allow_active” user privileges. The other is in the udisks daemon, a default storage management service on most distributions, and allows the same privilege escalation through a flaw in libblockdev. While the two can be chained easily to attack SUSE systems, the researchers also created PoCs to obtain root privileges on Ubuntu, Debian, and Fedora. Patches for both are available now.

(Bleeping Computer)

Feds seize crypto funds linked to investment scams

The US Department of Justice announced it filed a civil forfeiture action to obtain over $224 million in cryptocurrency tied to scams that fooled victims into believing they were investing in legitimate crypto ventures, or that reached them through romance scams. A network of scammers worked at least 400 victims globally, including dozens in the US. The US Secret Service and FBI worked with Tether to trace the stolen assets. The Department of Justice hopes that a successful forfeiture will eventually allow it to return funds to victims.

(CNBC)

More details on Keir Giles hack

Citizen Lab and Google Threat Intelligence Group separately released reports detailing a recent hacking campaign that successfully accessed the email of Russian military expert Keir Giles. Attributed to the Russian-linked threat group UNC6293, the campaign stood out for its slow roll and its focus on one individual rather than an organization. To that point, Citizen Lab senior researcher John Scott-Railton said, “It’s as if they knew everything we’d been taught to expect from Russian hackers, and then did the opposite.” The whole report is worth a read, but the final step saw the attackers getting Giles to share a screenshot of an app-specific password, which allowed them to compromise his Google accounts.

(CyberScoop, Citizen Lab)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.