NY Stock Exchange owner fined $10 million by SEC
The SEC is putting its foot down that nobody or company is above the law. The Intercontinental Exchange (ICE), which owns nine of the world’s largest financial exchanges including the NY Stock Exchange, failed to report a 2021 cyber incident. The SEC claims the financial giant knew a hacker had inserted malicious code into the corporate network but did not notify any of the subsidiary companies for days. This lack of reporting violated federal regulations and the company’s own procedures, resulting in this $10 million fine. It should be noted that ICE reported a net revenue of $2.3 billion in the first quarter of 2024. ICE told The Record that the settlement “involves an unsuccessful attempt to access our network more than three years ago and had zero impact on market operations.”
(The Record), (Bleeping Computer)
US agency pledges $50 million to automate hospital security
Hospitals may be getting some relief in the form of funding to better protect against an attack. The US government’s Advanced Research Projects Agency for Health (ARPA-H) has pledged over $50 million to boost hospital cybersecurity through a new program called Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE). This initiative aims to automate the process of securing hospital IT environments by developing software tools that scan for vulnerabilities and automatically deploy patches, all with minimal disruption to patient services. The agency is inviting teams to apply for funding by submitting proposals on four technical areas: creating a vulnerability mitigation software platform, developing high-fidelity digital twins of hospital equipment, auto-detecting vulnerabilities, and auto-developing custom defenses.
(The Register), (Security Week), (ARPA-H), (UPGRADE | ARPA-H)
LockBit no longer reigns supreme
The takedown of LockBit in February has allowed rival gangs like Play to overtake it as the leading ransomware criminals, ending LockBit’s eight-month dominance in attack numbers. The National Crime Agency’s (NCA) takedown made a major impact, significantly reducing LockBit’s capacity with the gang posting 23 attacks in April, a 60% drop from its previous numbers but the criminal gang is still trying to maintain appearances. The NCA group reported that the day before their Russian leader was revealed, the group posted inflated numbers of supposed new victims, which were later found to be reposts of previous attacks.
Canadian pharmacy ‘unwilling and unable to pay ransom.’
This might seem like a contradiction to the prior story, but LockBit isn’t completely out of the picture. Canadian pharmacy chain London Drugs reports the LockBit ransomware gang is demanding $25 million after stealing corporate files containing employee information. The attack forced London Drugs to shut down 79 locations across Canada, but told The Record that no patient or customer information appears to be compromised. Despite stating they won’t pay the ransom, LockBit has threatened to leak the stolen data if the demand isn’t met by Thursday, May 23rd.
And now a word from our sponsor, Tines
Jeff Greene expected to become new CISA Assistant Director
We’re getting a better idea as to who may be taking over the role of assistant director of cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA). Following Eric Goldstein’s announcement that he was departing the agency last week, multiple sources report Jeff Greene is to step into the position. According to CISA’s website, the role of the executive assistant director for cybersecurity is vague, to say the least; it says the role is to “lead CISA’s mission to protect and strengthen federal civilian agencies and the nation’s critical infrastructure against cyber threats.” Greene previo usly served as the chief of cyber response and policy in the National Security Council’s Cyber Directorate and as a director at the National Institute of Standards and Technology (NIST).
LastPass to start encrypting URLs
Rolling out next month, password management platform LastPass announced they will now be encrypting URLs stored in user vaults for better protection against potential breaches. The company is calling this a significant step in their commitment to implementing zero-knowledge architecture in the product. LastPass says they were not able to offer this extra layer of security before due to restrictions in processing power in 2008 when the system was created. The first phase of the encryption is set to begin in June, and according to the company the process should happen automatically without users noticing any changes.
Critical Netflix vulnerability in need of patching
A critical vulnerability in the open-source version of Netflix’s Genie job orchestration engine, designated CVE-2024-4701, allows remote attackers to potentially execute arbitrary code on affected systems. The bug, which scores 9.9 out of 10 on the CVSS scale, affects organizations running their own instance of Genie OSS by exploiting the local file system used for user-submitted file attachments. Netflix has fixed the issue in Genie OSS version 4.3.18 and urges organizations to upgrade to this version to mitigate the risk.
Georgia Man Sentenced to 10 Years for Medicaid Scam
A Georgia man was sentenced to 10 years in prison for stealing millions from a state Medicaid program through business email compromise (BEC) and romance scams. Malachi Mullings laundered money using 20 bank accounts opened through a sham company, resulting in over $3.8 million in Medicaid payments redirected to his accounts and $260,000 extorted in a romance scam. This conviction is part of a broader federal crackdown on scams targeting health insurance providers, with several recent convictions for BEC-related crimes. The FBI reports that BEC scams have surged, with nearly $3 billion in losses last year.