Project Hyphae

Information Security News 5-6-2024

Change Healthcare Hacked Using Stolen Citrix Account with No MFA

  • Recently, the CEO of UnitedHealth, Andrew Witty, testified in front of Congress regarding the Change Healthcare ransomware incident. According to his testimony, the source of the incident was a Citrix account that lacked multi-factor authentication (MFA).
  • According to the organization’s after-incident investigation, the initial threat actors gained system access on February 12, 2024, and began spreading out across UnitedHealth’s systems and stealing data before deploying ransomware on February 21, 2024.
  • It was noted that UnitedHealth decided to pay the ransom as part of the incident response process. Witty specifically stated, “As chief executive officer, the decision to pay a ransom was mine. This was one of the hardest decisions I’ve ever had to make. And I wouldn’t wish it on anyone.”

Dropbox Sign Hack Exposed User Data, Raises Concerns for e-Sign Industry

  • Dropbox recently reported that their e-sign platform, Dropbox Sign, suffered a security incident. Dropbox was made aware of and began responding to the incident on April 24th, published an SEC filing on April 29th, and released a blog post further discussing the incident on May 1st.
  • According to Dropbox, the bad actors accessed customer information such as emails, usernames, phone numbers, hashed passwords, and authentication information like API keys. Additionally, the names and email addresses of third parties who received or signed documents through Dropbox Sign were accessed as well. However, other Dropbox services and users were not impacted.
  • Dropbox stated that the attack likely stemmed from a third party accessing a Dropbox Sign automated system configuration tool by compromising a backend service account with elevated privileges to the production environment.

Microsoft Graph API Emerges as a Top Attacker Tool to Plot Data Theft

  • According to researchers at Symantec, malicious hackers have increasingly begun using the Microsoft Graph API to facilitate communication with their command-and-control (C2) infrastructure.
  • The Graph API is a legitimate tool intended for developers to access resources and data hosted on Microsoft cloud services, such as calendar events, emails, and more.
  • The use of the Graph API for C2 highlights a continued trend of threat actors leveraging trusted, built-in services to launch their attacks and evade detection, since the traffic blends in with legitimate Microsoft 365 activity.

NSA Warns of North Korean Hackers Exploiting Weak DMARC Email Policies

  • On May 2nd, the NSA, FBI, and U.S. Department of State released an advisory regarding North Korea-linked hacking groups exploiting weak DMARC policies to camouflage their spearphishing attempts.
  • The threat actors abuse the misconfigured DMARC policies to send spoofed emails appearing to come from credible sources such as journalists, academics, and others in an attempt to collect intelligence on geopolitical events, foreign policy strategies, and other topics.
  • The report noted that the threat actors take advantage of DMARC records whose policy is set to “p=none,” which only monitors and does not act on emails that fail DMARC checks. The advisory authors recommended that organizations update their DMARC policy to “v=DMARC1; p=quarantine” or “v=DMARC1; p=reject” to quarantine or outright block emails that fail DMARC checks.
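The check a defender would run on their own domains' DMARC records, as an added example (not code from the advisory or the article; the domain names and records are constructed). It goes a little beyond the advisory's “p=none” point by also flagging the subdomain policy tag (sp=) and a partial rollout (pct=), which are the two other places an otherwise enforced record can leave the same gap.

```python
"""Classify DMARC TXT records by enforcement strength (added example)."""
from typing import Dict, List, Optional

# Constructed sample records for hypothetical domains.
SAMPLE_RECORDS: Dict[str, str] = {
    "weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "quarantine.example": "v=DMARC1; p=quarantine; pct=100",
    "reject.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:r@reject.example",
    "partial.example": "v=DMARC1; p=reject; pct=25",
    "subdomain-gap.example": "v=DMARC1; p=reject; sp=none",
    "notdmarc.example": "v=spf1 include:_spf.example -all",
}


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Split a 'tag=value; tag=value' record into a dict; None if not DMARC."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def assess_dmarc(record: str) -> str:
    """Return 'missing', 'weak', 'partial' or 'enforced' for one record."""
    tags = parse_dmarc(record)
    if tags is None:
        return "missing"          # no usable DMARC record at all
    policy = tags["p"].lower()
    # sp= defaults to p=; an explicit sp=none reopens the gap for subdomains.
    subdomain_policy = tags.get("sp", policy).lower()
    if policy == "none" or subdomain_policy == "none":
        return "weak"             # monitoring only, spoofed mail is delivered
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        return "partial"          # policy applied to only a fraction of failures
    return "enforced"


def domains_needing_attention(records: Dict[str, str]) -> List[str]:
    """List domains whose record is anything other than fully enforced."""
    return sorted(d for d, r in records.items() if assess_dmarc(r) != "enforced")
```

Feed it the TXT records published at `_dmarc.<domain>` for the domains you own; anything not reported as `enforced` is a candidate for the advisory's quarantine or reject setting.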

Ransom Recovery Costs Reach $2.73 Million

  • According to a Sophos report based on a survey of 5,000 IT and cybersecurity leaders across 14 countries, working at companies with 100 to 5,000 employees, 59% of organizations were hit by ransomware over the past year, compared to 66% over the last two years. Despite the decrease in attack rate, average recovery costs rose from $1.82 million to $2.73 million.
  • Sophos also reported that of the 1,701 organizations that were ransomed and could share a number, the initial average ransom demand was $4.3 million, and the median was $2 million. Despite this, of the 1,097 who paid the ransom, 44% reported paying less than the originally demanded amount and 24% paid the original amount.
  • The report also highlighted that most attacks were linked to exploited vulnerabilities, bad actors target backups in ransomware attacks, threat actors rarely encrypt all of a victim’s devices, and ransom demands vary by industry.

The Cybersecurity Checklist That Could Save Your M&A Deal

  • The article looks at risk-reducing measures that organizations can take when they merge with or acquire other companies. As the article highlights, merging with an organization that has a poor security posture opens the door for threat actors to attack.
  • The author provides a list of key considerations for organizations that are (or will be) going through the merger and acquisition process. In addition to several other key considerations, the article emphasizes the importance of collaboration between both merging organizations and their IT/security teams from the beginning, the adoption of risk metrics and a review of overarching risks, and the establishment of identity and access governance and management.

Verizon DBIR: Basic Security Gaffes Underpin Bumper Crop of Breaches

  • Verizon’s 2024 Data Breach Investigations Report (DBIR) analyzed 30,458 incidents of which 10,626 were confirmed breaches, double the number of incidents and breaches from the 2023 DBIR.
  • According to Verizon, 14% of breaches involved vulnerability exploitation as the initial point of entry, which is a 180% increase from the 2023 DBIR. Likewise, it noted that it takes many organizations 55 days to address 50% of their critical vulnerabilities identified in CISA’s Known Exploited Vulnerabilities (KEV) catalog after patches become available and only five days for threat actors to begin mass exploiting KEVs.
  • Additionally, 68% of the identified data breaches involved a non-malicious human element, such as falling for phishing or making an accidental misconfiguration. Likewise, users who fall for phishing attempts click on the malicious link a median of 21 seconds after opening the email and enter their credentials on the malicious site 28 seconds after that.
  • At the heart of the 2024 DBIR is a call for focusing on the basics of information security.

Minnesota Lawmakers Tackle Online Data Privacy

  • Currently, the Minnesota Legislature is in the process of creating the Minnesota Consumer Data Privacy Act (MCDPA), which would outline data privacy requirements for Minnesotans.
  • The MCDPA follows in the footsteps of other state data privacy regulations in terms of content with inclusions such as a list of consumer privacy rights and the prohibition of the sale of data in certain circumstances. The bill also defers to certain pre-established laws, such as HIPAA, where relevant.
  • The bill would require data controllers (the organizations collecting data) to conduct data privacy and protection assessments to describe policies and procedures to show their compliance with the act.
  • As the bill states, small businesses are exempt from the act generally with the exception that small businesses can’t sell a consumer’s “sensitive data” without the consumer’s permission.
  • If the bill were to be passed and signed into law in its current form, it would have an effective date of July 31, 2025, for all applicable organizations except for postsecondary institutions who would be required to comply by July 31, 2029.
