Project Hyphae

Information Security News 2-26-2024


UnitedHealth Confirms Optum Hack Behind US Healthcare Billing Outage

Article Link: https://www.bleepingcomputer.com/news/security/unitedhealth-confirms-optum-hack-behind-us-healthcare-billing-outage/

  • According to the largest healthcare organization in the world, UnitedHealth Group (UHG), its subsidiary Optum suffered a massive cyberattack. Optum operates the Change Healthcare platform, the largest payment exchange platform between healthcare providers and pharmacies in the U.S. The incident also impacted Availity, a healthcare claims clearing house associated with Optum.
  • Optum is providing continual updates; however, it was noted that over 100 Change Healthcare and Optum services and platforms were impacted in some manner. Due to this, many pharmacies across the United States have struggled to fulfill medicine prescription orders.
  • Optum is still investigating the incident and actively working to return systems to working condition. Details on the incident are limited, but UHG suggested that the incident was carried out by a foreign nation-state. Additionally, healthcare organizations are encouraged to disconnect from Optum, Change Healthcare, and UHG to limit the possibility of the incident spreading. Likewise, many healthcare organizations have begun blocking email from domains associated with UHG, Optum, and Change Healthcare.
  • Link to Incident-Specific Updates: https://status.changehealthcare.com/incidents/hqpjz25fn3n7
  • Link to Entire Incident History: https://status.changehealthcare.com/history

Privacy Beats Ransomware as Top Insurance Concern for Some

Article Link: https://www.darkreading.com/data-privacy/privacy-ransomware-top-2024-cyber-insurance

  • Cyber insurance payouts due to noncompliance and data privacy are a top concern for insurance companies, second to ransomware, according to a survey of cyber insurance providers conducted by Woodruff Sawyer, a cyber insurance broker firm.
  • While privacy claims tend to take several years to be made, compared to several days for ransomware claims, many see the cost as just as devastating.
  • A key issue for many organizations is that they struggle to know what regulations they must abide by and/or what type of data they are collecting on customers and where that data is stored. Likewise, if an organization makes a small error or misrepresents its security posture, it can be held accountable by government agencies and sued by its cyber insurance provider.
  • Link to Woodruff Sawyer’s Report: https://woodruffsawyer.com/cyber-liability/cyber-looking-ahead-guide/

The Old, not the New: Basic Security Issues Still Biggest Threat to Enterprises

Article Link: https://www.helpnetsecurity.com/2024/02/23/2024-x-force-threat-intelligence-index/

  • According to IBM, which leveraged data from 150 billion daily security events, bad actors saw more opportunities to directly log into corporate networks via valid accounts rather than actively hack into corporate systems.
  • IBM also noted that 85% of the attacks on critical sectors could have been mitigated with patching, MFA, or the application of least-privilege principles.
  • Lastly, IBM’s X-Force team highlighted that 70% of the incidents they responded to were against critical infrastructure. Of that 70%, 85% of the attacks were caused by the exploitation of public-facing applications, phishing emails, and/or the abuse of valid accounts.
  • Link to IBM’s Report: https://www.ibm.com/reports/threat-intelligence

Misconfigured Custom Salesforce Apps Expose Corporate Data

Article Link: https://www.darkreading.com/cloud-security/misconfigurated-custom-salesforce-apps-expose-corporate-data

  • According to researchers at Varonis, developers who create Salesforce add-ons with the Apex programming language may be inadvertently exposing sensitive data stored in their Salesforce instances. In essence, the misconfiguration allows guest users (and others) to execute code.
  • The researchers noted that the key issue is how permissions are configured in Apex code: code running in “without sharing” mode ignores user permissions, while code running in “with sharing” mode respects user record-level permissions but ignores other permissions.
  • Overall, the Apex misconfiguration issue highlights a larger problem with Salesforce administrators leveraging relaxed permission configurations and onboarding Salesforce add-ons developed by 3rd parties (and not managed by Salesforce) with minimal review.
  • Link to Varonis’ Report: https://www.varonis.com/blog/apex-code-vulnerabilities
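
The difference between the two sharing modes described above, as an added Apex example that is not taken from the Varonis report or from any Salesforce add-on. The class names, the `findContacts` method, and the choice of the Contact object are hypothetical; the hardened class adds `Security.stripInaccessible` on the assumption that object- and field-level permissions should also apply, since “with sharing” covers record-level access only.

```apex
// Weak (hypothetical class): "without sharing" runs the query in system
// context, so the caller's record-level sharing rules are ignored. Any user
// who can reach this method, including a guest user on an exposed site,
// gets every matching Contact and every selected field.
public without sharing class ContactLookupWeak {
    @AuraEnabled
    public static List<Contact> findContacts(String lastName) {
        return [
            SELECT Id, Name, Email, Phone
            FROM Contact
            WHERE LastName = :lastName
        ];
    }
}

// Hardened (hypothetical class): "with sharing" limits the rows to records
// the calling user is allowed to see. It does not enforce object- or
// field-level permissions, so those are applied explicitly afterwards.
public with sharing class ContactLookupHardened {
    @AuraEnabled
    public static List<Contact> findContacts(String lastName) {
        List<Contact> rows = [
            SELECT Id, Name, Email, Phone
            FROM Contact
            WHERE LastName = :lastName
            LIMIT 50
        ];

        // Removes fields the caller cannot read; throws
        // System.NoAccessException if the caller has no read access
        // to the Contact object at all.
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);

        return (List<Contact>) decision.getRecords();
    }
}
```

When reviewing a third-party add-on, searching its Apex classes for `without sharing` on any class that exposes `@AuraEnabled`, `@RemoteAction`, or web service methods is a quick way to find the code that deserves the closest look.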

Attack Velocity Surges with Average Breakout Time Down to only 62 Minutes

Article Link: https://www.helpnetsecurity.com/2024/02/22/stolen-credentials-exploit/

  • According to a report from CrowdStrike, malicious hackers have continued to increase the speed of their attacks.
  • Specifically, CrowdStrike noted that the average eCrime breakout time, the time it takes for a threat actor to move into the next part of an organization following the initial compromise, sped up from 84 minutes in 2022 to 62 minutes in 2023, with the fastest escalation being only 2 minutes and 7 seconds.
  • The CrowdStrike report also highlighted that attackers continued to focus on stealth during their attacks and that 75% of observed attacks utilized compromised accounts instead of malware.
  • Link to CrowdStrike’s Report: https://www.crowdstrike.com/blog/crowdstrike-2024-global-threat-report/

Biden to Sign Executive Order Boosting Cybersecurity of Ports, Maritime Vessels

Article Link: https://www.nextgov.com/cybersecurity/2024/02/biden-sign-executive-order-boosting-cybersecurity-ports-maritime-vessels/394323/

How Your Sensitive Data can be Sold After a Data Broker Goes Bankrupt

Article Link: https://themarkup.org/privacy/2024/02/23/what-happens-to-your-sensitive-data-when-a-data-broker-goes-bankrupt

  • The article raises the question of what happens to your data when organizations are purchased or go bankrupt. Specifically, it uses the data broker Near, which boasts the world’s largest dataset of people’s behavior and recently went bankrupt, as a conceptual example.
  • As the article notes, Near’s privacy policy mirrors most privacy policies in that the company is able to buy and sell any data it collects, in addition to the business itself.
  • In the case of Near, the FTC blocked the sale of personal data belonging to Americans. However, this appears to have been a one-off instance rather than a routine practice of the FTC.

