Cyber Security Today, Week in Review for week ending Friday, April 26, 2024

Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday April 26, 2024. From Toronto, I’m Howard Solomon.

In a few minutes David Shipley, head of Beauceron Security, will be here to discuss some of the biggest news of the past week. They include the latest developments in the ransomware attack on Change Healthcare, a vulnerability found in an abandoned open source project, the next step in Canadian cybersecurity legislation for overseeing critical infrastructure and the passing in the U.S. of a law demanding China’s TikTok become Americanized.

But before we get to the discussion here’s a review of other headlines from the past seven days:

The Top 10 countries hosting the greatest cybercriminal threats are led by the usual suspects: Russia, Ukraine and China. That’s according to university researchers. Other nations in descending order are the U.S., Nigeria, Romania, North Korea, the United Kingdom, Brazil and India. The countries in the Cybercrime Index were ranked on the professionalism and technical skill of resident threat actors. Russia was easily ahead of number two Ukraine by more than 20 points.

A threat actor has been interfering with the software update mechanism of the eScan antivirus product. According to researchers at Avast, the goal is to install backdoors and coinminers on corporate IT networks by substituting a malicious update for a real one. Based in India, eScan is also sold in the U.S., Latin America, Germany and Malaysia. The vulnerability was supposed to have been fixed last July. Avast says it is still seeing new infections, perhaps because some eScan software on corporate computers hasn’t been updated properly.

Among the continuing problems suffered by the city of Leicester, England from a ransomware attack seven weeks ago is the inability to shut some city street lights. A local news site reports the problem is a residue of having to shut municipal IT systems. The attackers stole and published city data.

Some brands of booze in Sweden may be hard to get hold of this weekend because of a ransomware attack on a liquor distributor, the company has warned.

Pressure from police to block end-to-end encryption on common apps continues. Last week European police chiefs issued a statement urging governments and industry to stop allowing end-to-end encryption of apps and social media platforms. They say it will stop law enforcement from obtaining evidence for criminal charges. Others say end-to-end encryption protects privacy.

A veterinary clinic in Marysville, Kansas is notifying almost 26,000 customers their data was stolen when the company’s online payments page was compromised. Credit card data was among the information copied earlier this year.

The public school board of Buffalo, New York is notifying just over 19,000 people some of their personal information was seen by a hacker. The incident took place in February when two email accounts were accessed. Names, contact information and Social Security numbers could have been seen.

And the Catholic Diocese of Cleveland is notifying almost 10,000 people that personal data was copied when a hacker compromised an employee’s email account early this year or late last year. Information included names and Social Security numbers. You may recall last Friday I reported that the Catholic Diocese of Phoenix was notifying people of a data breach.

(The following is an edited transcript of the first of four topics in the discussion. For the full discussion play the podcast)

Howard: Joining me now from Fredericton, New Brunswick is David Shipley, CEO of Beauceron Security.

Let’s start with the latest from the February ransomware attack on Change Healthcare, a technology and payments provider to hospitals and clinics across the United States. On Monday parent company UnitedHealth Group acknowledged that data stolen “could cover a substantial proportion of people in America.” That’s short for “this was a huge data breach.” Data stolen included protected health information or personally identifiable information, but not doctors’ charts or full medical histories. In addition, UnitedHealth told TechCrunch that a ransom was paid to the hackers “to do all it could to protect patient data from disclosure.” This lines up with claims by an affiliate of the BlackCat/AlphV ransomware gang that Change Healthcare paid US$22 million to the gang — but the gang leaders took all of the money and didn’t pay the affiliate their cut. Meanwhile, a second ransomware gang, RansomHub, is posting data it says is from Change Healthcare. It isn’t clear if that was part of the original data theft or a new hack.

David Shipley: Keep in mind that the previous high water mark for a substantial proportion of the population was the Anthem Blue Cross breach in 2015 in which 80 million people’s records were stolen and resulted in a $117 million dollar class action settlement in which Anthem did not admit any wrongdoing. The attack was allegedly tied to nation-state level espionage and was quite sophisticated. But it was the pre-ransomware cowboy era, not the one that we’re in now. So my thoughts are, this one is going to be massive.

Howard: What did you think about the UnitedHealth announcement and this whole ransomware attack — in particular where the AlphV/BlackCat gang seems to have taken all the money and then announced they were disbanding?

David: It’s not the first time bad actors have taken the money and run exit scams. I think what we’ve just discovered is number 1, when you cripple the healthcare system to the level that they just did, when you mess with the pharmacy for the U.S. military, you start thinking, ‘Maybe it’s time to get out of Dodge.’ Yes, they are probably getting a whole lot of heat. So it made sense. Essentially these are little cockroaches, though. They just scurry, they hide, and then they reform and they come back again as a rebranded group. But there’s still the awfulness.

What I’m dying to know is did UnitedHealth get the [data] unlock keys, because if they [AlphV/BlackCat] stiffed the affiliate and they ran with the money did they at least throw them [United Health] a bone so they can lock their data? Or did they just completely run? Even though healthcare data is the one area where I’ve given a hall pass on [allowing] paying ransoms, I kind of hope they didn’t give them the key because this might finally be the nail in the coffin of people thinking, ‘Paying the ransom is the sanest option for our business.’

Howard: I want to go back to the huge numbers [of potential victims]. This is 2024. Maybe organizations can’t stop every cyber intrusion but shouldn’t IT leaders know enough that systems have to be segmented so that no more than a small chunk of data can be stolen?

David: I don’t necessarily disagree. But I think what you’re saying presumes that people can accurately simulate or test chains of consequences in the digital environment. That each on their own is not catastrophic. But when combined in very unique ways, boom! What do I mean by that? Let’s just take a story: A server that was in the testing environment that never got switched off on its own, probably not that big of a deal [if it’s compromised]. Take that server and now it’s actually in production, problematic if it’s not getting patched, if it’s being over-provisioned with way too much access. See Microsoft’s recent pain. Think if people knew things like that, where big glaring red alerts are, would they do something about it? They absolutely would act on it. I am completely convinced that we cannot accurately deal with this [cybersecurity] because of cyber chaos theory … We presume with great arrogance that we have control over increasingly complex opaque systems or systems-in-systems and that we can somehow get a handle on all the possible permutations and combinations that can lead to cyber attacks. See Microsoft’s two very painful breaches this year [as evidence] that even the biggest of us can’t do it.

Howard: Also on Monday the Wall Street Journal said that whoever broke into Change Healthcare used a stolen username and password. That’s still a highly usable weapon [for threat actors].

David: Usernames and passwords have been in play in computing for 50-plus years. Mark my words they will be around for at least another 50 years. Change is hard in technology. Change is even harder in humans. We are not even through the beginning of the end chapter when it comes to passwords. This is why people, process and culture are the root of cyber events, not just technology.

Howard: Next Tuesday, UnitedHealth CEO Andrew Witty is scheduled to testify before a committee of the U.S. House of Representatives. They won’t be in a good mood.

David: Grab your popcorn. But also in a certain sense UnitedHealth is paying the price that all of us have incurred by not demanding better when it comes to cyber hygiene for critical infrastructure, by demanding increasingly digital systems and never anticipating the negative consequences that come from the use of technologies. As a species we have a damn near fatal blind spot when it comes to the risk side of technology. We are so overly hyper-focused on all the benefits all the rewards, all the gains, or all the coolness, of something bright and shiny that we never stop to think, ‘Just because we can do something doesn’t mean we should do something.’

Howard: And this attack has been hugely expensive for the company. Last week UnitedHealth estimated that costs so far for remediating this mess are US$872 million. On top of that, it’s provided billions of dollars in advance funding and no-interest loans to healthcare institutions, their customers, that were caught short when Change Healthcare systems had to be temporarily closed …

David: Maybe the best thing that comes from that is that people will invest [in cybersecurity] because you know that $800 million remediation cost? We have a term for that: We call it ‘technical debt’ …

Howard: What if they had spent, say, $10 million [more] on increased cyber security [before the attack]?

David: The lack of independent, academic peer-reviewed studies into root cause analysis [of incidents], like a CSRB [Cybersecurity Safety Review Board] report could point at that. That is the most important thing we’re missing. In this industry we love to haul around and scare the pants off people. “Six billion dollars is going to be lost to cybercrime!” But we don’t tell them how easy it could have been to avoid, or the massive amount of ROI [return on investment] that just comes from doing it [cybersecurity] proactively.