Cybersecurity News: Historic Change Healthcare breach, Telcom hacks investigation, Delta sues CrowdStrike

In today’s cybersecurity news…

Change Healthcare data breach confirmed as largest-ever in U.S. healthcare history

UnitedHealth Group (UHG) has confirmed that more than 100 million individuals were impacted by the February ransomware attack on its subsidiary, Change Healthcare, making it the largest known digital theft of U.S. medical records in history. UHG’s CEO confirmed that the cybercriminals broke into employee systems using stolen credentials that were not protected with multi-factor authentication (MFA). Stolen data varied by victim but included sensitive health treatment data as well as personal details such as names, dates of birth, contact information, government IDs, and Social Security, driver’s license, and passport numbers. UnitedHealth began notifying victims in July and continues to do so, as “the investigation is still in its final stages.” The ramifications are likely to be lifelong for the millions of Americans whose private medical information was exposed.

(TechCrunch)

Authorities investigate telecom hacks following reports of campaign intrusions

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) said Friday that they are investigating allegations that Chinese government-linked hackers, tracked as Salt Typhoon, breached systems at AT&T, Verizon and Lumen, and targeted systems used by U.S. law enforcement for wiretaps. Friday’s statement coincided with reports from several news outlets claiming that Salt Typhoon used its access to the telecoms to target phones used by Vice President Harris and several other top Democrats, as well as former President Trump and J.D. Vance. Investigators and law enforcement said they are “deeply concerned about the potential extent of compromised data” and indicated that the hackers may still have access to Verizon systems.

(The Record)

Delta sues CrowdStrike over sensor update that prompted mass flight disruptions

On Friday, Delta Air Lines sued cybersecurity firm CrowdStrike over the global outage in July that caused the carrier to cancel 7,000 flights, impacting 1.3 million customers and costing it more than $500 million. Delta’s lawsuit called the incident “catastrophic” and said CrowdStrike is liable for its losses, including lost profits, expenditures, and reputational harm. CrowdStrike responded late Friday, saying, “Delta’s claims are based on disproven misinformation, demonstrate a lack of understanding of how modern cybersecurity works, and reflect a desperate attempt to shift blame for its slow recovery away from its failure to modernize its antiquated IT infrastructure.”

(Reuters)

Irish authorities fine LinkedIn €310M for GDPR infringement

The Irish Data Protection Commission (DPC) has fined LinkedIn €310M after finding the company’s use of behavioral data for targeted ads violated privacy laws. LinkedIn’s reliance on user consent was deemed insufficiently informed, and its interests were found to override user rights and freedoms. The authority has given LinkedIn three months to revise its data processing practices to align with GDPR standards.

(Security Affairs)

Thanks to today’s episode sponsor, Dropzone AI

Is your SOC overwhelmed by endless alerts? Dropzone AI’s autonomous SOC Analyst investigates 100% of alerts, around the clock. No playbooks, no code. Just actionable insights to reduce false positives and save your team time. Ready to see it in action? Schedule a demo today at dropzone.ai.

New Windows Driver Signature bypass allows kernel rootkit installs

In October on Cyber Security Headlines [1][2], we brought you the story of SafeBreach security researcher Alon Leviev discovering an attack that takes control of the Windows Update process to roll back to vulnerable software components on an up-to-date machine, without the operating system changing its fully patched status. He created the “Windows DownDate” tool to execute the attack, which he demonstrated at Black Hat and DEF CON earlier this year. Leviev reported the issue to Microsoft, but the problem remains unfixed, with Microsoft saying that the attack did not cross a defined security boundary. In new research published over the weekend, Leviev demonstrates how an attacker can build on the rollback attack to bypass kernel-level Driver Signature Enforcement (DSE) protections on fully updated Windows 11 systems. The attack replaces the dynamic link library (DLL) file responsible for enforcing DSE with an unpatched version that ignores driver signatures, allowing unsigned kernel drivers (such as rootkits) to load. Leviev underscores the importance of using endpoint security tools to closely monitor downgrade procedures. Microsoft now says that the company is “actively developing mitigations to protect against these risks.”

(Bleeping Computer)

TeamTNT launches new cloud attacks for crypto mining

Security researchers at Aqua have spotted the infamous cryptojacking threat actor TeamTNT targeting Docker Hub to deploy a crypto mining worm called Sliver malware. TeamTNT’s use of the open-source Sliver command-and-control (C2) framework is a notable shift away from the Tsunami backdoor for remotely commandeering infected servers. TeamTNT was then observed brokering its victims’ computational power to other parties for illicit cryptocurrency mining. This new attack activity is a testament to the threat actor’s persistence and its ability to evolve its tactics, mount multi-stage assaults, and diversify its monetization strategies.

(The Hacker News)

Malicious RDP files used in latest attack on Ukrainian entities

The Computer Emergency Response Team of Ukraine (CERT-UA) has spotted a new malicious email campaign targeting government agencies, enterprises, and military entities. CERT-UA said, “The messages exploit the appeal of integrating popular services like Amazon or Microsoft and implementing a zero-trust architecture.” The messages contain Remote Desktop Protocol (RDP) files that, once opened, establish a connection to an attacker-controlled remote server, enabling the threat actors to steal data and plant additional malware for follow-on attacks. CERT-UA has attributed the campaign to a threat actor it tracks as UAC-0215.

(The Hacker News)

Apple will pay security researchers up to $1 million to hack its private AI cloud

Apple said it will pay security researchers to find security bugs within its new private AI cloud offering, dubbed “Private Cloud Compute”, which will debut this week. Apple’s Private Cloud Compute is an online extension of its on-device AI model and can handle much heavier AI tasks while preserving customer privacy. Apple says it will pay up to a $1 million bounty for exploits that can remotely run malicious code on its Private Cloud Compute servers. Exploits capable of extracting sensitive user information, including customer AI prompts, could earn researchers up to $250,000.

(TechCrunch)

Sean Kelly
Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.