MITRE Discloses R&D Network Breach, UnitedHealth Group Says Patient Data Compromised in Change Healthcare Breach; Palo Alto Network PAN-OS Vulnerability Update

The attackers leveraged CVE-20232-46805 and CVE-2024-21887 to bypass authentication and run arbitrary commands, then moved laterally to infiltrate their VMware infrastructure using a compromised administrator credential. MITRE is no different than the rest of us; we all need to keep an eye on both updating systems as well as credential strength. The attack was limited to this R&D network, not impacting their core enterprise network or partner systems. The question here is do you have networks you've deemed low risk and are you comfortable with your ability to secure and detect compromise there, to include publicity related to a compromise?

Just a historical note: 35 years ago, Cliff Stoll's book The Cuckoos Egg: Tracking a Spy Through the Maze of Computer Espionage came out, detailing how German hackers broke into Mitre and accessed all kinds of information from there. Remote access that was not sufficiently protected was the problem back then, too.

Given MITRE's position as a federally funded research and development center (FFRDC), this attack has garnered much attention. MITRE is to be applauded for communicating details of the attack. Let's hope they continue by fully explaining how the attackers got around its MFA system and were able to operate undetected for three months. There must be best practices that enhance enterprise security we can learn from those details.

The question isn't when/how/who breached them as much as how they respond and what their outbound communications will be.

Nobody should be surprised that patient data was leaked. What surprised me is that it took so long for UnitedHealth to make this statement. There still appear to be significant outages in UnitedHealth's systems affecting patients as well as providers.

This is quickly becoming the next Equifax breach in both size and scope, potentially impacting a huge part of the nation. In fact, the PHI that cyber criminals took from United Healthcare could be far more sensitive and damaging than the financial data stolen from Equifax. As an added twist, it appears that competing cybercriminal gangs are fighting over who should be paid the ransom. Now that ALPHV has been paid their $22 million, an affiliate involved in the breach called RansomHub wants their ransom also. I hope either congress or the new Cyber Safety Review Board will be providing a report at some point on the details of this breach.

Interesting scenario here: a new gang RansomHub is claiming to have their data, where previously it was reported the ALPHV gang had it, and that UnitedHeath reportedly paid ALPHV $22 million in ransom. While you mind spins of the possible scenarios, from multiple attackers to an elaborate hoax, consider this is the case where you pay for your extorted data and it's still out there, taking us back to considering our stance on paying the ransom. While UnitedHealth is still working to determine which data is exfiltrated, if you're a customer, I wouldn't wait for that to get sorted: get credit monitoring in place now.

UnitedHealth Group has acknowledged what many have suspected for some time: the compromise of PHI data. Unfortunately, many Americans will have to wait months to be notified. In the meantime, check your credit history using the free credit report service, as its doubtful that UnitedHealth Group will offer free identity monitoring any time soon.

It is unclear whether healthcare is breached more because it is targeted or because it is vulnerable.

You MUST patch this vulnerability. Mitigations and signatures protecting the device will only buy you time. The vulnerability is relatively easy to exploit. Early mitigations have already been bypassed.

Attackers are going to target your PAN devices, based on their OS version, so even if you're not running GlobalProtect, you need to apply the update. Updates for commonly used maintenance releases were released between April 15th and 18th, which means if you didn't find an update for your version, you need to re-check, it may be there now. The urgency has increased after POC exploit code was released last week resulted in a corresponding increase in attack attempts.

There are three vulnerabilities here. CVE-2024-28890, insufficient file validation during upload, CVE-2024-31077, SQL Injection flaw, CVE-2024-31857, XSS flaw allowing arbitrary code execution. Make sure that you already have version 1.29.3 installed. While your WAF may shut down the XSS and SQLI attacks, update the plugin to be sure you're covered.

Several years after we began to recognize the risk associated with WordPress plugins, it should be the case that these plugins are used only by design and intent and special management attention is given to the risk of those that are used.

Plugins are the Achilles heel of WordPress applications. Given the large number of web sites that use the plugin, download the updated version and patch soonest. While you're at it, take the time to review existing plugins and remove those no longer used.

File transfer services, of any form, are hot targets, (remember MoveIT?) so make sure you're not only staying on the supported version but also keeping it patched. While this flaw, tracked as CVE-2024-4040, sandbox escape, doesn't have a CVSS score yet, don't wait on that to jump on applying fixes. All prior versions of CrushFTP are affected by the flaw. No workarounds are published. Note that to update to version 11, you need a version 11 license file, which is free if your maintenance is current.

I am looking at the results from Shodan for a particular string indicating CrushFTP, and it appears that about 1000 systems have responded to that request. Understanding whether these systems are part of a giant corporation, smaller businesses, or just a one-off, obscure set of systems will take some time.