Change Healthcare Shows Signs of Life; Microsoft Discloses Additional Information About Breach; CISA Systems Compromised Through Ivanti Vulnerabilities

"Signs of life" are welcome by all the small businesses like pharmacies and doctor's offices depending on Change Healthcare. To Change Healthcare's parent, United Healthcare, paying $20 Million in ransom was likely a bit more than a minor inconvenience and is not going to substantially affect financial results. However, many of the businesses depending on Change Healthcare for payment processing have a much harder time to deal with the delayed income.

Johannes Ullrich

Having heard from friends about the impact of the service outage, restoration of service, for those who didn't switch to alternatives Optum services, is both anticipated and welcome. This is a good time to consider where you have weaknesses in common targets such as your RDP, VDI and VPN services. Make sure these are only available to authorized users and systems, you're both patched and implementing security best practices. Have you scheduled a security posture assessment to validate that?

Lee Neely

Change Healthcare continues to be under the microscope and offers many lessons that we will relearn. For example, yes it was a malicious attack, but it also demonstrated a lack of implementation of basic cybersecurity controls for a Fortune 50 company. For the healthcare industry and every industry vertical for that matter, it demonstrated that vendor consolidation can easily lead to supply chain disruption. I suspect many hearings will be held; many reports will be written in the coming months, but these are lessons we are already familiar with.

Curtis Dukes

People often talk about "assume compromise" when it comes to initiatives like "zero-trust." There is another side to this that is mentioned less frequently: "assume incomplete remediation." Evicting a skilled attacker from your network is hard. Once they gained a foothold, and were able to access significant parts of your infrastructure, evicting an attacker can become difficult and it is even more difficult to impossible to proof that the attacker no longer has access to any systems.

Johannes Ullrich

Threat actors continue to use the secrets/tokens exfiltrated to attempt to access systems. Some of those secrets were traded with customers in email. Microsoft has been reaching out to those customers to assist them with mitigations. Microsoft is continuing to take steps to harden their systems. If you're a Microsoft Office customer, you should make sure you're following current best practices, to include, MFA, then check for updates to those practices which support an increased security posture.

Lee Neely

Being the world’s largest software vendor has both advantages and disadvantages, the disadvantage being you have a rather large bullseye painted on your back. Unfortunately for Microsoft, 2024 is continuing where 2023 ended: continued scrutiny of the company and its application of cybersecurity practices.

Curtis Dukes

With all respect to CISA, this is a reminder that none of us is immune from an attack. Even so, learn from examples like this to help make your case to prioritize and implement updates. This was a perfect storm of both a weakness of their VPN and the two back-end systems that hadn't been updated to be more secure. When reviewing your systems, consider the two systems allegedly breached, CSAT system which houses private sector chemical security plans and the IP Gateway that contains critical information about the interdependency of U.S. infrastructure, as examples of systems which should have higher assurance access control mechanisms, even when protected by firewall and VPNs.

Lee Neely

Well done to the British Library on sharing the report on this breach so that others can learn from it. Open and transparent sharing of incident reports will enable us all to improve our defences.

Brian Honan

The Library was not able to bring back EOL it systems, and had approved funding for their replacements. Even with funding it can be tempting to postpone implementing a replacement, keeping in mind the old system has to be viable until the cutover happens. In the past we've justified keeping an old system online, assuming we can restore it from the intended backup mechanism. Unless you test that restoration, to include verifying operation of the restored system, don't check it off as recoverable. Now the really icky part: you need to not only have your system inventory but also interdependencies, so you know how to wire things back up.

Lee Neely

Legacy systems are a double-edged sword. The longer you’re able to maintain systems, the lower the CAPEX, and the longer you maintain legacy systems the higher the risk of something bad happening from software EOL. Too often, organizations trade IT modernization budget for other competing priorities – failing in its standard duty of care to provide appropriate, credible, and defensible protection.

Curtis Dukes

CVE-2024-21899, improper authentication, CVSS score 9.8, can be exploited remotely. The other two are CVE-2024-21900, arbitrary command execution, CVSS score 4.3, and CVE-2024-21901, SQL injection, CVSS score 4.7 are both exploitable over the local network. Beyond making sure that your NAS is not Internet accessible, and only contains known accounts and applications, you need to be making sure the OS and applications are kept updated to help mitigate local threats. QNAP released updates for QTS 5.1.x; QTS 4.5.x; QuTS hero h5.1.x; QuTS hero h4.5.x; QuTScloud c5.x; and my QNAPcloud 1.0.x.

Lee Neely

While big payment processors like Visa and Mastercard have fraud services, smaller FIs, particularly in Asia or Africa regions don't have the wherewithal to implement such systems. This is intended to bridge that gap and increase trust of those institutions. Tazama analyzes transactions against 270 rules for about 30 types fraud checks, at a rate of about 2300 transactions per second, effectively real-time detection. It is expected that organizations such as the Central Bank of West African States is going to mandate the use of an anti-fraud service which should result in a large uptake of the service.

Lee Neely

Fortinet devices are often used by small businesses without the resources and processes to update devices regularly. It must become easier to keep SMB devices up to date. The short downtime caused by automatic downtime usually poses much less of a risk than the extended downtime cause by a possible compromise.

Johannes Ullrich

It's been a month, have you patched your Fortinet devices? Did you check to see if your device shows vulnerable in Shodan? Yes, there isn't evidence of wide spread exploitation, and, as boundary control devices these should be top of your list to update.

Lee Neely

If they can be counted, they can be warned. If they can be counted, the bad guys can exploit them.

William Hugh Murray

While cloud migration may feel like old news, what's needed is to make sure the security is covered uniformly. Use these ten guides to make sure you're mitigating cloud risks consistently, building your cloud service adoption playbook accordingly. Review your existing cloud services, particularly ones you've had for a while, to make sure your bases are covered.

Lee Neely

A good compendium of cloud mitigation strategies. While specific to cloud environments, most, if not all the mitigation strategies are applicable to on-prem implementations as well. Other useful best practice guidance can be found at both the Cloud Security Alliance and Center for Internet Security.

Curtis Dukes

Understand what controls your provider has provided and you are expected to use them.

William Hugh Murray

While I feel immediate sympathy for any organization these attacks are directed towards, my first response when I read about DDoS attacks is to make sure I've got protections in place to ensure I have a chance of surviving such an attack. Talk to your providers – ISP, Cloud and outsource – and verify they have protections in place. Chat with your network team for their input, not only on what's in place but also where they see gaps. Don't forget to visit your CSOC to make sure they are prepared and properly equipped.

Lee Neely

You will need help from an upstream provider to help you deal with a DoS attack. The time to identify who to call is before the attack.

William Hugh Murray

If you're wondering what can be done with OSINT, this short doc is something you need to read. Part of the strategy is moving forward with industry partners, including academia, private sector and foreign counterparts to keep pace with technology advances and develop best practices. Watch for an OSINT Strategy Action Plan to see the specific activities planned for the future.

Lee Neely

As government produced strategies go, this one is decidedly short, only six pages. Perhaps a reflection of the importance it garners within the IC compared against other robustly funded intelligence disciplines.

Curtis Dukes