Project Hyphae

Information Security News 5-13-2024

Share This Post

Dell API Abused to Steal 49 Million Customer Records in Data Breach

Article Link:

  • Recently, Dell began informing customers of a security incident that led to malicious hackers allegedly scraping over 49 million customer records off of Dell’s partner portal.
  • According to reports, the attackers acted as a fake vendor, accessed Dell’s partner portal, and then exploited the APIs within the portal. The threat actors generated up to 5,000 record searches per minute for three weeks to remain undetected.
  • Allegedly the culprits emailed Dell in early April detailing the API abuse, which received no response, before posting the data for sale several weeks later. The alleged attacker also noted that gaining access to Dell’s partner portal only required the completion of a simple questionnaire and then access was granted within 24-48 hours.
  • As the article noted, this incident is an example of a growing trend where hackers target APIs as a key part of their attack.

Healthcare Giant Ascension Hacked, Hospitals Diverting Emergency Service

Article Link:

  • On May 8th, the large healthcare provider Ascension began taking systems down in response to an ongoing ransomware incident that is impacting their electronic health records system, MyChart communication platform, phone systems, test ordering system, and more.
  • As a result of the incident, the organization’s hospitals have switched over to paper records and enacted their downtime procedures which, among other functions, divert ambulances from certain facilities. Likewise, patients are being asked to bring notes on their symptoms, a list of current medications, and prescription numbers or the prescription bottles to their appointments.
  • As of May 13th, Ascension is still operating in a reduced capacity and actively responding to the incident with assistance from Mandiant.
  • Link to Updates from Ascension:

FBI Warns of Gift Card Fraud Ring Targeting Retail Companies

Article Link:

  • The FBI recently issued a warning regarding malicious hackers phishing organizations and then pivoting to target victim organizations’ gift card departments.
  • Once in, the attackers will try to steal the credentials of gift card employees, acquire SSH passwords and keys, and generate their own gift cards or steal legitimate gift cards that are already registered.
  • The FBI suggests companies train users on phishing, leverage MFA, and review their IR Plans within considerations for teams like an organization’s gift card department.

You’ve Been Breached: What Now?

Article Link:

  • The article provides insight on how organizations can not only just respond to a cyber incident, but also enhance their organization in the wake of an incident.
  • Four key components discussed in the article include gathering the correct information to address the incident in question in the near-term, going beyond the initial help desk triage and locking down any impacted accounts, having leadership communicate to the organization about the incident, and then enhancing the organization’s security posture as part of the recovery process.
  • As the article emphasizes, incidents are inevitable. While each incident is unique, components of the response process, such as the considerations outlined in the article, are beneficial regardless of the scenarios organizations may experience.

New Case Study: The Malicious Comment

Article Link:

  • The article looks at how malicious hackers have begun to weaponize the comment section of social media posts.
  • Specifically, the article reviews a case study where threat actors slightly alter a picture’s pixels and input malicious code within the pixels via stenographic processes. In the example discussed, the data within the pixels was directly communicating with the website’s embedded JavaScript.
  • In the instance used for the case study, the website in question was actively monitoring, identifying, and blocking unknown third-party web components which led to the threat being identified and addressed.

6 Tips to Implement Security Gamification Effectively

Article Link:

  • The article looks at how organizations can gamify information security in practice.
  • Essentially, the article recommends organizations offer up real-world challenges and provide realistic tracking mechanisms like points for tasks and leaderboards. By empowering middle managers, challenges can be specialized to specific teams, scale difficulty based on past successes, and apply what employees learn through information security-related training.
  • The article also discusses several key considerations to make gamification more successful. Specifically, define your organization’s success metrics, identify key performance indicators and tie them to your organization’s security goals, design mechanics that make sense for your organization, ensure there are ways for personnel to share their progress, communicate clearly and effectively, and offer up recognition and rewards for employee participation and progress.

The Fundamentals of Cloud Security Stress Testing

Article Link:

  • As organizations continue to migrate to cloud services, many see the cloud as a safe haven that is virtually untouchable by attackers. The article encourages organizations to get rid of their false sense of security and actively work to harden their cloud environments through activities like penetration testing instead.
  • Before organizations jump into any cloud security reviews, it is vital to understand the scope of any and all leveraged cloud services and their assets as well as understand their place as part of an organization’s attack surface. Likewise, it is important to consider that cloud security reviews and penetration tests aren’t “one and done” tasks.
  • Five key components of a true cloud-based systems penetration test include reconnaissance and discovery, a vulnerability assessment, privilege escalation reviews, lateral movement identification, and possible opportunities for data collection and exfiltration.

Maryland Enacts Comprehensive Consumer Privacy Legislation: What You Need to Know

Article Link:

  • On May 9th, the Governor of Maryland signed into law the Maryland Online Data Privacy Act of 2024 (MODPA). The law establishes transparency, assessment, and consumer rights requirements. Likewise, it was observed as being second only to California’s data privacy laws in terms of restrictiveness and has a higher likelihood of applying to organizations due to lower-than-normal consumer thresholds.
  • While the law reads similar to nearly all other data privacy legislation that has been developed by other states, it does have several key differences.
  • Specifically, protected consumer health data includes data the controller actually uses to identify a consumer’s physical or mental health status, rather than information “reasonably linkable” to a consumer’s health and biometric or genetic data are protected regardless of if the data is processed to uniquely identify a user. Likewise, it requires data controllers to conduct data protection assessments on processing activities, with a particular emphasis on processes with a higher risk of potential harm.
  • While MODPA officially goes into effect on October 1, 2025, it was written so that the requirements related to personal data processing won’t go into effect until April 1, 2026.
  • Link to MODPA’s Full Text (MD SB541):

Reach out to our incident response team for help

More To Explore

CVE-2024-3596 | Attackers Blasting RADIUS

CVE-2024-3596 | CVSS:9.0 A new and emerging attacked named “Blast-RADIUS”, allows a man-in-the-middle attack between the RADIUS client and server to forge a valid protocol

Do You Want to Shore Up Your Defenses?

We're opening our first round of threat hunting engagements to 100 organizations. Sign up or join the wait list here.