
CyberWire Daily

A health bot’s security slip-up.

Researchers at Tenable uncovered severe vulnerabilities in Microsoft’s Azure Health Bot Service. Scammers use deepfakes on Facebook and Instagram. Foreign influence operations target the Harris presidential campaign. An Idaho not-for-profit healthcare provider discloses a data breach. Research reveals a troubling trend of delayed and non-disclosure of ransomware attacks by organizations. Patch Tuesday roundup. Palo Alto Networks’ Unit 42 revealed a significant security risk in open-source GitHub projects. Enzo Biochem will pay $4.5 million to settle charges of inadequate security protocols. Our guest, Stephanie Schneider, Cyber Threat Intelligence Analyst at LastPass, joins us to discuss the ongoing Snowflake account attacks driven by exposed legitimate credentials. Mining for profits on Airbnb.

Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

Guest Stephanie Schneider, Cyber Threat Intelligence Analyst at LastPass, joins us to discuss the ongoing Snowflake account attacks driven by exposed legitimate credentials and how enterprises can boost their defenses against these types of attacks.

Selected Reading

Critical Vulnerability Found in Microsoft’s AI Healthcare Chatbot (Infosecurity Magazine)

UK Prime Minister Keir Starmer and Prince William deepfaked in investment scam campaign (Bitdefender)

FBI told Harris campaign it was target of 'foreign actor influence operation,' official says (Reuters)

3AM ransomware stole data of 464,000 Kootenai Health patients (Bleeping Computer)

Report reveals lag in disclosure of ransomware attacks in 2023 (Security Brief)

Fortinet, Zoom Patch Multiple Vulnerabilities (SecurityWeek)

Chipmaker Patch Tuesday: Intel, AMD Address Over 110 Vulnerabilities

Adobe Patches 72 Security Vulnerabilities Across Multiple Products (Cyber Security News)

Microsoft Fixes Nine Zero-Days on Patch Tuesday (Infosecurity Magazine)

ICS Patch Tuesday: Advisories Released by Siemens, Schneider, Rockwell, Aveva (SecurityWeek)

Are your GitHub Action artifacts leaking tokens? (SC Magazine)

Enzo Biochem to pay $4.5 mln over cyberattack, NY attorney general says (Reuters)

Airbnb host adds ‘no crypto mining’ rule after tenant installs 10 rigs (Protos)

Share your feedback.

We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show?

You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Duration: 27m
Broadcast on: 14 Aug 2024
Audio Format: mp3


[Music] You're listening to the CyberWire Network, powered by N2K.

[Sound of seagulls] This episode is brought to you by Shopify. Forget the frustration of picking commerce platforms when you switch your business to Shopify, the global commerce platform that supercharges your selling, wherever you sell. With Shopify, you'll harness the same intuitive features, trusted apps, and powerful analytics used by the world's leading brands. Sign up today for your $1 per month trial period at Shopify.com/tech, all lowercase. That's Shopify.com/tech.

[Music] The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now, employees, apps, and networks are everywhere. This means poor visibility, security gaps, and added risk. That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.

[Music] Researchers at Tenable uncover severe vulnerabilities in Microsoft's Azure Health Bot Service. Scammers use deepfakes on Facebook and Instagram. Foreign influence operations target the Harris presidential campaign. An Idaho not-for-profit healthcare provider discloses a data breach. Research reveals a troubling trend of delayed and non-disclosure of ransomware attacks by organizations. We've got a Patch Tuesday roundup. Palo Alto Networks' Unit 42 reveals a significant security risk in open-source GitHub projects. Enzo Biochem will pay $4.5 million to settle charges of inadequate security protocols. Our guest is Stephanie Schneider, cyber threat intelligence analyst at LastPass, joining us to discuss the ongoing Snowflake account attacks driven by exposed legitimate credentials. And mining profits on Airbnb.

[Music] It's Wednesday, August 14, 2024. I'm Dave Bittner and this is your CyberWire Intel Briefing.

[Music] Thank you for once again joining us here today.
Researchers at Tenable uncovered severe vulnerabilities in Microsoft's Azure Health Bot Service, a platform for AI-powered healthcare chatbots, which allowed unauthorized access to user and customer information. Among the vulnerabilities was a critical privilege escalation issue that enabled attackers to move laterally within Microsoft's cloud infrastructure. By exploiting a server-side request forgery, researchers bypassed security filters, gaining access to Azure's internal metadata service and obtaining an access token. This token allowed them to list hundreds of resources belonging to other customers. Microsoft quickly mitigated this flaw by rejecting redirect status codes for data connection endpoints. Additionally, another privilege escalation vulnerability was found in the data connections feature, although it was less severe and did not provide cross-tenant access. Both vulnerabilities were promptly addressed by Microsoft, and there is no evidence of exploitation by malicious actors.

Scammers are leveraging deepfake technology to promote fraudulent cryptocurrency investments on Meta platforms, using AI-generated videos featuring British Prime Minister Sir Keir Starmer and Prince William. These deepfakes, seen by an estimated 890,000 users on Facebook and Instagram, falsely endorse a scam platform called Immediate Edge. The videos claim users have been selected for life-changing opportunities, with one depicting Starmer announcing a national investment platform. Despite Meta's efforts to remove the ads, over 250 deepfake ads featuring Starmer have appeared, leading to significant financial losses for victims. Even after being scammed, some victims continued to believe in the fake endorsements. Researchers highlight the growing problem of disinformation on Meta platforms, noting that this trend seems to be worsening despite the company's policies against such misuse.
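The Azure Health Bot item above describes the fix as rejecting redirect status codes for data connection endpoints: a tenant-supplied URL that answered with a 3xx pointing at the instance metadata service could otherwise be followed by the platform itself. The Python below is an added example, not code from Tenable, Microsoft or the CyberWire, of what that shape of control looks like in a service that fetches URLs on behalf of customers. It refuses every 3xx instead of following it, and additionally checks that every address the hostname resolves to is outside link-local (where the 169.254.169.254 metadata endpoint lives), loopback and private ranges. The blocked ranges, hostnames, addresses and the injectable resolver are constructed for the example; nothing here is specific to Azure Health Bot.

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urlparse

# Address ranges an outbound "data connection" fetcher should never reach.
# 169.254.0.0/16 covers the cloud instance metadata service (169.254.169.254)
# that the transcript describes being reached through an SSRF; the rest are
# loopback, RFC 1918 and their IPv6 equivalents. List constructed for this example.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fe80::/10"),
    ipaddress.ip_network("fc00::/7"),
]


class UnsafeTarget(Exception):
    """Raised when a URL must not be fetched on behalf of a tenant."""


def _system_resolver(host):
    """Return every address the OS resolves for host (real DNS lookup)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _addresses_for(host, resolver):
    try:
        return [ipaddress.ip_address(host)]  # literal IP, nothing to resolve
    except ValueError:
        return [ipaddress.ip_address(a) for a in resolver(host)]


def validate_target(url, resolver=_system_resolver):
    """Check scheme and every resolved address before any request is made."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise UnsafeTarget(f"scheme not allowed: {parsed.scheme!r}")
    if not parsed.hostname:
        raise UnsafeTarget("URL has no host")
    for ip in _addresses_for(parsed.hostname, resolver):
        if any(ip in net for net in BLOCKED_NETWORKS):
            raise UnsafeTarget(f"{parsed.hostname} resolves to blocked address {ip}")
    return parsed


def is_safe_target(url, resolver=_system_resolver):
    """Boolean form of validate_target, convenient for policy checks and tests."""
    try:
        validate_target(url, resolver)
        return True
    except UnsafeTarget:
        return False


class RefuseRedirects(urllib.request.HTTPRedirectHandler):
    """Treat any 3xx as an error instead of following it (the fix the item describes)."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise UnsafeTarget(f"redirect {code} to {newurl!r} refused")


def fetch(url, resolver=_system_resolver, timeout=5):
    """Validate the target, then fetch it without following redirects.

    Returns (status, body). A 3xx answer raises UnsafeTarget rather than
    letting the platform request whatever Location the remote side chose.
    """
    validate_target(url, resolver)
    opener = urllib.request.build_opener(RefuseRedirects)
    with opener.open(url, timeout=timeout) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # Constructed DNS table so the demo runs offline; "rebind" resolves to a
    # public address *and* the metadata address, which must still be refused.
    fake_dns = {
        "api.example.com": ["203.0.113.10"],
        "rebind.example.com": ["203.0.113.10", "169.254.169.254"],
    }.get
    for url in [
        "https://api.example.com/v1/records",
        "http://169.254.169.254/metadata/instance",
        "https://rebind.example.com/",
        "file:///etc/passwd",
    ]:
        print(url, "->", "allowed" if is_safe_target(url, fake_dns) else "refused")
```

Two caveats a practitioner would want: the address check happens at resolve time, so a hostname whose DNS answer changes between the check and the connect (rebinding) is not fully covered by this code alone, and the redirect refusal is what closes the gap the transcript describes, since a permitted public host can answer with a 3xx to any address it likes. Both controls belong together, and pinning the connection to the validated address is the next step.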
Following reports of Donald Trump's campaign being targeted by Iranian hackers, Vice President Kamala Harris' presidential campaign revealed that it was also notified by the FBI last month about a foreign influence operation aimed at it. Despite the targeting, Harris' campaign stated that no security breaches have occurred and they remain in contact with authorities. The FBI has yet to comment on either case, while Iran has denied involvement in the alleged hacking of Trump's campaign.

Kootenai Health, a not-for-profit healthcare provider in Idaho, has disclosed a data breach affecting over 464,000 patients. The breach was carried out by the 3AM ransomware group, which gained unauthorized access to Kootenai's systems on February 22nd of this year, and remained undetected for 10 days. The cybercriminals stole sensitive data, including full names, dates of birth, Social Security numbers, medical records, and health insurance information. The breach was discovered on March 2nd, and an investigation confirmed the data theft by August 1st. The 3AM ransomware gang leaked a 22-gigabyte archive of the stolen data on their darknet portal, indicating that no ransom was paid. Kootenai Health is offering affected individuals up to two years of identity protection services.

Research from intelligence platform provider Silobreaker, titled "Ransomware? What Ransomware?", reveals a troubling trend of delayed and non-disclosure of ransomware attacks by organizations. Analyzing 922 ransomware incidents from 2023, researchers Hana Bumgardner and Peter Kreuer-Bramson found that over 50% of affected organizations did not acknowledge an attack until it became public, and nearly half of the victims didn't disclose the attack at all. The study also highlighted a 90-day average delay in notifying customers of data breaches. Despite a slight improvement in reporting speed, only 5% of incidents were reported within a day in 2023.
The research underscores the growing exploitation of vulnerabilities, with health care, education, and government sectors being prime targets. The U.S. remains a top target for ransomware due to its financial resources. The study emphasizes the need for robust cybersecurity measures, including better patch management and staff training, to counter evolving ransomware tactics.

The August 2024 Patch Tuesday brought critical security updates from major tech companies, addressing a wide range of vulnerabilities across various industries. Here's a roundup of the key updates.

Microsoft's August 2024 Patch Tuesday addressed 87 vulnerabilities, including nine zero-day flaws actively exploited in the wild. Critical patches were released for Windows, Office, and Edge, focusing on remote code execution and privilege escalation threats.

Siemens, Schneider Electric, Rockwell Automation, and Aveva released security advisories addressing numerous vulnerabilities in their industrial control systems. Siemens fixed issues in products like SINEC INS, while Schneider Electric patched vulnerabilities in EcoStruxure and Modicon PLCs. Rockwell Automation and Aveva also addressed critical flaws that could impact industrial operations, highlighting the ongoing need for robust security measures in critical infrastructure.

Adobe's August security updates included patches for 56 vulnerabilities across several products, including Adobe Acrobat, Reader, and Dimension. The updates addressed critical issues that could lead to arbitrary code execution, privilege escalation, and information disclosure.

Chipmakers Intel and AMD released patches for over 110 vulnerabilities, with Intel alone addressing 83 security issues. The vulnerabilities span various products, including Intel's firmware, drivers, and software, as well as AMD's processors and chipsets.
Fortinet released patches for several vulnerabilities in its FortiOS and FortiProxy products, some of which could lead to remote code execution and unauthorized access. Zoom also addressed multiple security flaws in its video conferencing platform, including issues that could be exploited to bypass security controls and execute arbitrary code. Organizations are urged to prioritize these updates to protect against increasingly sophisticated cyber threats targeting software, hardware, and critical infrastructure systems.

Palo Alto Networks' Unit 42 revealed a significant security risk in open-source GitHub projects, where GitHub Actions workflows could expose sensitive secrets and allow attackers to inject malicious code. These workflows often use tokens, such as cloud service tokens, which may inadvertently be included in publicly accessible artifact files generated during the workflow. Researcher Yaron Avital discovered that these artifacts often contain sensitive data, like the GitHub token and the Actions runtime token, which attackers could exploit to replace artifacts with malicious code or inject harmful content into repositories. Avital created a proof of concept, Repo Reaper, to demonstrate how an attacker could exploit the GitHub token to push malicious code. To mitigate this risk, project maintainers are advised to review artifact creation and privilege levels, ensuring that sensitive artifacts are not published and that least privilege is enforced. Palo Alto also developed a tool to block the upload of artifacts containing secrets.

Enzo Biochem will pay $4.5 million to settle charges that inadequate security protocols led to a cyber attack in April of 2023, compromising the personal and health information of 2.4 million patients. The settlement with New York, New Jersey, and Connecticut resolves claims that Enzo failed to protect patient data. Attackers accessed Enzo's network using outdated shared credentials and installed malware, which went undetected for days.
As part of the settlement, Enzo is enhancing security measures, including stronger passwords and two-factor authentication.

Coming up after the break, my conversation with Stephanie Schneider, cyber threat intelligence analyst at LastPass. She's joining us to discuss the ongoing Snowflake account attacks. Stay with us.

When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. With Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies, like Atlassian, Flo Health, and Quora, use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at Vanta.com/cyber. That's V-A-N-T-A.com/cyber for $1,000 off Vanta.

Defense contractors face immense pressure to comply with CMMC 2.0 security standards, needing a secure, user-friendly file-sharing solution. Kiteworks, a FedRAMP Moderate authorized solution, supports nearly 90% of CMMC 2.0 Level 3 requirements, reducing compliance effort and cost. Kiteworks leverages a zero-trust framework for swift compliance and offers a secure platform for defense data protection needs with advanced security features and ease of use. Its intuitive UI, mobile apps, and centralized policy management simplify administration. Accelerate your CMMC 2.0 compliance and address federal zero-trust requirements with Kiteworks' universal secure file-sharing platform made for defense contractors. Visit kiteworks.com to get started.

[Music] Stephanie Schneider is cyber threat intelligence analyst at LastPass. I recently caught up with her to discuss the ongoing Snowflake account attacks.

Stephanie Schneider: It's just a matter of time until we start to hear about more potentially impacted entities from the Snowflake breach.
I think we're starting to see that with the cloud service provider Snowflake. It's probably one of the biggest data breaches of 2024 so far this year. I think there are a couple of notable things about this attack that stand out to me. One is that the attackers didn't even have to use sophisticated tactics to pop them. This all came about due to breached credentials that were just available on the dark web. It's also now led to, I think the latest figure I've seen is, about $1.6 billion in costs so far, and that may continue to grow as more information comes out and victims come forward. So really this was a simple attack with a pretty significant impact.

Dave Bittner: In terms of sort of spreading around the responsibility, or trying to unpack the things that could have been done to prevent something like this, and we're talking about credential stuffing, how much of this is the responsibility of the users, and would a cloud provider also have a responsibility to kind of protect users from themselves?

Stephanie Schneider: Yeah, I think that's a really interesting point. It's kind of come out of this whole debacle: what is the responsibility of companies to really enforce some of these better cyber hygiene standards, like multi-factor authentication? In this instance, the threat actors really went after accounts that did not have MFA enabled. It wasn't a requirement that Snowflake had for its customers. And so that was kind of the low-hanging fruit here. So, you know, when we think about what led to this, I think there are a few reasons. One, MFA: successful authentication only required a valid username and password, which allowed the threat actors easy access to those targeted accounts. Two, some of the credentials identified in infostealer malware output had been for sale on the dark web for years. I think some of it was available as early as 2020. And those were still valid credentials. So that means that those credentials hadn't been rotated or updated in quite some time.
Three, you know, the compromised Snowflake instances didn't have network allow lists. And allow listing involves compiling a list of sanctioned entities, like IP addresses, domains, or applications. And only the entities on this designated list are granted access to a specific resource, or they can perform specific actions. So this really helps to, you know, reduce the attack surface and limit access to trusted, verified entities. So, you know, I think that there's probably a few things that we can kind of go back and look at that really led to this large data breach.

Dave Bittner: Yeah. From the point of view of a person who's responsible for security at their organization, and they're looking to do a better job with their access controls. I mean, the folks who are in the kind of business that you all are in at LastPass, you know, and there are a handful of organizations who provide that kind of service. What sort of tools are the state of the art these days in making sure that people aren't going to have an issue here with things like credential stuffing?

Stephanie Schneider: You know, I think it's actually pretty simple cyber hygiene that this all really comes down to. I mean, if you don't have simple protections in place, like enabling MFA, maintaining patches, having good password management, having that secondary verification method like multi-factor authentication, you're really raising the likelihood of getting hit by a cyber attack. It doesn't take very sophisticated attacks to pull off this type of data breach, honestly.

Dave Bittner: You know, I've seen more and more as well that I guess folks are subscribing to some of these databases of known passwords. You know, we talk about Troy Hunt's list, the Have I Been Pwned list. And there are a lot of places I've seen where if you try to use a password that's been in one of these breaches, the system will stop you and say, you know, not so fast. This is something that's shown up in one of these databases, you know, choose something a little more complex.
Stephanie Schneider: You know, apart from MFA, right, it's pretty straightforward, but highly effective. It can really substantially improve that baseline security posture and resilience. You know, credentials are stolen through phishing or malware like infostealers, and MFA does add that extra layer of security by requiring more than just a password to really access an account. It makes it that much harder for hackers to gain unauthorized access. You know, another thing that folks can do to really make sure that they're boosting their defense against these types of attacks is managing their credentials. The sheer amount of data out there is staggering. If it's not already, it should probably keep you up at night. And then you can see that there's a link to the list that was recently released and leaked on a popular hacking forum; it has about 10 billion passwords. And the chances that you or someone you know has information that's been leaked in that breach is pretty staggering. And, you know, this is just out there, readily available. And threat actors can exploit this password compilation to conduct brute force attacks and gain unauthorized access to online accounts. So, you know, I think from an enterprise perspective, you know, consider what your coverage looks like in terms of managing your credentials. How do you know that your employees' personal passwords aren't in there? That's how the actors can get their foot in the door, and in the case of Snowflake, the majority of compromised credentials were available from historical infostealer infections, some of which dated back as far as 2020. So, this is, you know, all pretty simple, straightforward kind of guidance. I think another thing that folks can do is to be monitoring for cyber campaigns that may be interested in targeting their enterprise.
So, that probably looks like establishing monitoring via open source reporting or other means to get those early warnings on cyber attack campaigns that may be targeting your critical service providers. And as you're collecting and sharing information with your enterprise, security teams can use that advance notice to proactively change credentials and confirm policy compliance and your connections to affected companies in the supply chain. So, those are all, you know, a few things that enterprises can really do to boost their defenses against these types of attacks.

Dave Bittner: Our thanks to Stephanie Schneider, cyber threat intelligence analyst at LastPass, for joining us.

Elevate your enterprise identity solutions with Strata. Seamlessly connect legacy apps to any identity provider, apply MFA effortlessly, and maintain identity continuity without disruptions. Strata reduces tech debt, enhances security, and provides a robust, efficient identity management system. Feel secure and efficient managing your identity infrastructure. Strata helps you streamline operations and ensure continuous identity availability. Visit strata.io/cyberwire, share your identity challenge, and receive a free set of AirPods Pro. Take control of your identity management today. Visit strata.io/cyberwire. And our thanks to Strata for being a longtime friend and supporter of this podcast.

This episode is brought to you by Experian. Are you paying for subscriptions you don't use, but can't find the time or energy to cancel them? Experian could cancel unwanted subscriptions for you, saving you an average of $270 per year, and plenty of time. Download the Experian app. Results will vary, not all subscriptions are eligible, savings are not guaranteed, paid membership with connected payment account required.

And finally, our "Wearing Out Your Welcome" desk tells us of a bizarre twist in the Airbnb experience.
Ashley, an Airbnb host, found herself drafting a new no-crypto-mining policy after a guest turned her rental into a mini crypto mining operation. The tenant set up 10 mining rigs and even installed an EV charging station, all within a three-week stay that racked up a staggering $1,500 electricity bill. Ashley, who shares her hosting adventures on TikTok, was shocked when the guest casually mentioned he made over $100,000 mining crypto during his stay. Apparently, renting her house was a cost-effective way for him to pay for the electricity. Ashley isn't alone in this unexpected side hustle. Other Airbnb hosts have chimed in with similar tales of guests running up sky-high electric bills. One UK host saw their bill soar by thousands of pounds, while another had to boot guests before they could rack up a $6,000 power tab. It seems the latest must-have for Airbnb hosts isn't just fresh linens and free Wi-Fi, it's a strict ban on crypto mining.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at N2K.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben, our executive editor is Brandon Karpf, Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

[Music] [Music] This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at mWISE, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, mWISE features one-to-one access with industry experts and fresh insights into the topics that matter most, right now, to frontline practitioners. Register early and save at mwise.io/cyberwire. That's mwise.io/cyberwire. [Music]