SANS NewsBites

MITRE Discloses R&D Network Breach, UnitedHealth Group Says Patient Data Compromised in Change Healthcare Breach; Palo Alto Networks PAN-OS Vulnerability Update

April 23, 2024  |  Volume XXVI - Issue #32

Top of the News


2024-04-22

MITRE Discloses R&D Network Breach

MITRE has disclosed that its Networked Experimentation, Research, and Virtualization Environment (NERVE), a collaborative network used for research, development, and prototyping, was compromised. Initial access to the unclassified system is believed to have been achieved through vulnerabilities in Ivanti Connect Secure VPN devices by a threat actor working on behalf of a nation-state. Although the attack occurred in January, MITRE became aware of the incident only recently. MITRE took the affected network offline while investigating.

Editor's Note

The attackers leveraged CVE-2023-46805 and CVE-2024-21887 to bypass authentication and run arbitrary commands, then moved laterally to infiltrate their VMware infrastructure using a compromised administrator credential. MITRE is no different than the rest of us; we all need to keep an eye on both updating systems as well as credential strength. The attack was limited to this R&D network, not impacting their core enterprise network or partner systems. The question here is do you have networks you've deemed low risk and are you comfortable with your ability to secure and detect compromise there, to include publicity related to a compromise?

Lee Neely

Just a historical note: 35 years ago, Cliff Stoll's book The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage came out, detailing how German hackers broke into Mitre and accessed all kinds of information from there. Remote access that was not sufficiently protected was the problem back then, too.

John Pescatore

Given MITRE's position as a federally funded research and development center (FFRDC), this attack has garnered much attention. MITRE is to be applauded for communicating details of the attack. Let's hope they continue by fully explaining how the attackers got around its MFA system and were able to operate undetected for three months. There must be best practices that enhance enterprise security we can learn from those details.

Curtis Dukes

The question isn't when/how/who breached them as much as how they respond and what their outbound communications will be.

Moses Frost

2024-04-22

UnitedHealth Group Says Patient Data Compromised in Change Healthcare Breach

On Monday, April 22, Change Healthcare parent company UnitedHealth Group said that the ransomware operators behind the Change Healthcare attack targeted files that contain protected health information and personally identifiable information of a substantial proportion of people in America. UnitedHealth Group also noted that it will likely be several months before they are able to identify and notify affected individuals.

Editor's Note

Nobody should be surprised that patient data was leaked. What surprised me is that it took so long for UnitedHealth to make this statement. There still appear to be significant outages in UnitedHealth's systems affecting patients as well as providers.

Johannes Ullrich

This is quickly becoming the next Equifax breach in both size and scope, potentially impacting a huge part of the nation. In fact, the PHI that cyber criminals took from United Healthcare could be far more sensitive and damaging than the financial data stolen from Equifax. As an added twist, it appears that competing cybercriminal gangs are fighting over who should be paid the ransom. Now that ALPHV has been paid their $22 million, an affiliate involved in the breach called RansomHub wants their ransom also. I hope either Congress or the new Cyber Safety Review Board will be providing a report at some point on the details of this breach.

Lance Spitzner

Interesting scenario here: a new gang, RansomHub, is claiming to have their data, where previously it was reported the ALPHV gang had it, and that UnitedHealth reportedly paid ALPHV $22 million in ransom. While your mind spins with the possible scenarios, from multiple attackers to an elaborate hoax, consider this is the case where you pay for your extorted data and it's still out there, taking us back to considering our stance on paying the ransom. While UnitedHealth is still working to determine which data was exfiltrated, if you're a customer, I wouldn't wait for that to get sorted: get credit monitoring in place now.

Lee Neely

UnitedHealth Group has acknowledged what many have suspected for some time: the compromise of PHI data. Unfortunately, many Americans will have to wait months to be notified. In the meantime, check your credit history using the free credit report service, as it's doubtful that UnitedHealth Group will offer free identity monitoring any time soon.

Curtis Dukes

It is unclear whether healthcare is breached more because it is targeted or because it is vulnerable.

William Hugh Murray

2024-04-22

Palo Alto Networks PAN-OS Firewalls Vulnerability Update

Palo Alto Networks Unit 42 has updated its Threat Brief regarding the critical vulnerability in PAN-OS (CVE-2024-3400) twice over the past few days. On Friday, April 19, the document was updated to include additional details about exploitation attempts. On Monday, April 22, the Threat Brief was updated to include recommendations for responding to various levels of exploitation.

Editor's Note

You MUST patch this vulnerability. Mitigations and signatures protecting the device will only buy you time. The vulnerability is relatively easy to exploit. Early mitigations have already been bypassed.

Johannes Ullrich

Attackers are going to target your PAN devices based on their OS version, so even if you're not running GlobalProtect, you need to apply the update. Updates for commonly used maintenance releases were released between April 15th and 18th, which means if you didn't find an update for your version, you need to re-check; it may be there now. The urgency has increased after POC exploit code released last week resulted in a corresponding increase in attack attempts.

Lee Neely

The Rest of the Week's News


2024-04-22

Synlab Italia Systems Offline Following Ransomware Attack

Synlab Italia, which operates hundreds of medical diagnostic and testing centers in Italy, has disclosed that its network was the target of a ransomware attack last week. The company took its IT systems offline and testing and diagnostic services have been temporarily suspended. Synlab Italia has not ruled out the possibility that sensitive data have been compromised.

2024-04-22

Forminator WordPress Plugin Vulnerability

JPCERT/CC has published an advisory for three vulnerabilities affecting the Forminator plugin for WordPress. One of the flaws, an unrestricted upload of a file with a dangerous type, is rated critical. The Forminator plugin is installed on hundreds of thousands of websites. According to JPCERT/CC, the vulnerabilities could be exploited to obtain sensitive information by accessing files on the server, alter the site that uses the plugin, and cause a denial-of-service (DoS) condition. Users are urged to update to Forminator version 1.29.3.

Editor's Note

There are three vulnerabilities here: CVE-2024-28890, insufficient file validation during upload; CVE-2024-31077, a SQL injection flaw; and CVE-2024-31857, an XSS flaw allowing arbitrary code execution. Make sure that you already have version 1.29.3 installed. While your WAF may shut down the XSS and SQLi attacks, update the plugin to be sure you're covered.

Lee Neely

Several years after we began to recognize the risk associated with WordPress plugins, it should be the case that these plugins are used only by design and intent and special management attention is given to the risk of those that are used.

William Hugh Murray

Plugins are the Achilles heel of WordPress applications. Given the large number of web sites that use the plugin, download the updated version and patch soonest. While you're at it, take the time to review existing plugins and remove those no longer used.

Curtis Dukes

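The critical Forminator flaw belongs to the "unrestricted upload of file with dangerous type" class. As an added illustration of the checks an upload handler needs, here is a Python validator; it is not Forminator's code and not the fix shipped in 1.29.3, and the extension lists, magic bytes and sample uploads are constructed for this example. The points it makes are the ones that get missed in practice: every extension segment is checked (so shell.php.jpg is rejected), the declared type must match the file's leading bytes, dotfiles such as .htaccess are refused, and the stored name is never derived from the client-supplied one.

```python
import os
import re
import secrets
from typing import Optional, Tuple

# Extensions a typical web stack may execute or that change server behaviour.
# Constructed for this example; extend it for the handlers your server enables.
DANGEROUS_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps",
    "htaccess", "htpasswd", "cgi", "pl", "py", "sh", "asp", "aspx", "jsp",
    "svg", "html", "htm", "js",
}

# Allowlist of accepted types and the magic bytes their content must start with.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Tight character set for the client-supplied name: this one check rejects
# null bytes, spaces, percent-encoding tricks and Unicode look-alikes.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")


def validate_upload(filename: str, content: bytes) -> Tuple[bool, str, Optional[str]]:
    """Decide whether an upload is acceptable.

    Returns (accepted, reason, storage_name). The storage name is random and
    never derived from the client-supplied name, so a crafted name cannot be
    used to reach the file later.
    """
    # Drop any directory component the client sent (../../, C:\..., etc.).
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or not SAFE_NAME.fullmatch(name):
        return False, "name contains disallowed characters", None
    # Some filesystems strip trailing dots, which changes the effective extension.
    if name.endswith("."):
        return False, "trailing dot", None
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[0] == "":
        # No extension at all, or a dotfile such as .htaccess
        return False, "no extension or dotfile", None
    # Check every segment, not just the last one: shell.php.jpg is still run
    # by servers that map .php anywhere in the name to a handler.
    for ext in parts[1:]:
        if ext in DANGEROUS_EXTENSIONS:
            return False, f"dangerous extension .{ext}", None
    final_ext = parts[-1]
    if final_ext not in ALLOWED_TYPES:
        return False, f"extension .{final_ext} not in allowlist", None
    # The declared type must agree with the bytes; a PHP payload named photo.jpg fails here.
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[final_ext]):
        return False, "content does not match declared type", None
    return True, "ok", f"{secrets.token_hex(16)}.{final_ext}"


# Constructed sample uploads (name, leading bytes) for a quick run.
SAMPLE_UPLOADS = [
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("shell.php", b"<?php system($_GET['c']); ?>"),
    ("shell.php.jpg", b"\xff\xd8\xff\xe0"),
    ("photo.jpg", b"<?php echo 1; ?>"),
    (".htaccess", b"AddType application/x-httpd-php .jpg"),
    ("../../evil.png", b"\x89PNG\r\n\x1a\n"),
]

if __name__ == "__main__":
    for name, data in SAMPLE_UPLOADS:
        accepted, reason, stored = validate_upload(name, data)
        print(f"{name:16} {'ACCEPT' if accepted else 'REJECT':7} {reason} {stored or ''}")
```

Storing accepted files outside the web root, or in a location the server is configured never to execute from, is the complementary control; the validator above only decides what gets written.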
2024-04-22

CrushFTP Releases Updates to Fix Zero-Day

CrushFTP has published updates to address an actively exploited vulnerability in its file transfer server. The flaw allows remote attackers with low privileges to read files from the filesystem outside of the VFS sandbox. CrushFTP learned of the vulnerability on April 19 and released patched versions 10.7.1 and 11.1.0 immediately. Users still running CrushFTP version 9 are urged to update to version 11.

Editor's Note

File transfer services, of any form, are hot targets (remember MOVEit?), so make sure you're not only staying on the supported version but also keeping it patched. While this flaw, tracked as CVE-2024-4040, a sandbox escape, doesn't have a CVSS score yet, don't wait on that to jump on applying fixes. All prior versions of CrushFTP are affected by the flaw. No workarounds are published. Note that to update to version 11, you need a version 11 license file, which is free if your maintenance is current.

Lee Neely

I am looking at the results from Shodan for a particular string indicating CrushFTP, and it appears that about 1000 systems have responded to that request. Understanding whether these systems are part of a giant corporation, smaller businesses, or just a one-off, obscure set of systems will take some time.

Moses Frost

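The fixed versions above are branch-specific (10.7.1 and 11.1.0, with version 9 needing a move to 11), which a plain numeric comparison gets wrong: 11.0.x sorts above 10.7.1 but is still affected. The following Python, an added example that is not from CrushFTP or the advisory, encodes the fixed version per branch and runs the check over constructed banner lines of the kind a Shodan query returns. The banner format, the hosts and the scan output are assumptions for the example, not a documented CrushFTP header.

```python
import re
from typing import List, Tuple

# Fixed versions named in the CrushFTP advisory for CVE-2024-4040, keyed by
# major branch. Version 9 is out of support; its only fix path is to move to 11.
FIXED_BY_BRANCH = {10: (10, 7, 1), 11: (11, 1, 0)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.7.1' into (10, 7, 1); a short form like '11.1' is padded to (11, 1, 0)."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 3 - len(nums))


def assess_crushftp(version: str) -> Tuple[str, str]:
    """Return ('vulnerable' or 'fixed', reason) for one CrushFTP version string.

    The comparison is per branch: 11.0.x is numerically above 10.7.1 but is
    still vulnerable, because the 11 branch was only fixed in 11.1.0.
    """
    v = parse_version(version)
    major = v[0]
    if major > max(FIXED_BY_BRANCH):
        return "fixed", f"{version} is newer than the fixed branches"
    if major not in FIXED_BY_BRANCH:
        return "vulnerable", f"{version} is on an unsupported branch; upgrade to 11.1.0 or later"
    fixed = FIXED_BY_BRANCH[major]
    if v < fixed:
        return "vulnerable", f"{version} is below {'.'.join(map(str, fixed))}"
    return "fixed", f"{version} contains the fix"


# Pulls the version out of a banner such as 'Server: CrushFTP HTTP Server/11.0.3'.
# That header shape is an assumption for this example, not a documented format.
BANNER_RE = re.compile(r"CrushFTP(?:\s+HTTP\s+Server)?/v?(\d+(?:\.\d+)+)", re.IGNORECASE)

# Constructed scan output standing in for real Shodan or internal scan results.
SAMPLE_BANNERS = [
    "203.0.113.10:8080 Server: CrushFTP HTTP Server/10.6.0",
    "203.0.113.11:443 Server: CrushFTP HTTP Server/11.0.3",
    "203.0.113.12:443 Server: nginx/1.24.0",
    "203.0.113.13:8443 Server: CrushFTP HTTP Server/11.1.0",
    "203.0.113.14:8080 Server: CrushFTP HTTP Server/9.5.2",
]


def triage_banners(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) for every line that carries a CrushFTP banner."""
    findings = []
    for line in lines:
        m = BANNER_RE.search(line)
        if not m:
            continue  # not CrushFTP, or no version exposed
        host = line.split()[0]
        status, _ = assess_crushftp(m.group(1))
        findings.append((host, m.group(1), status))
    return findings


if __name__ == "__main__":
    for host, version, status in triage_banners(SAMPLE_BANNERS):
        print(f"{host:20} {version:8} {status}")
```

A banner that hides the version is not evidence of a fix; treat unknown-version hosts as unpatched until the administrator confirms the build from the console.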
2024-04-19

Sacramento Airport Outage Caused by Severed Internet Cable Days After 911 Service Outages

On Thursday, April 18, the Sacramento (California) Airport experienced several hours of flight delays. The problem appears to have been due to a deliberately cut Internet cable. The airport's IT outage followed close on the heels of reported 911 service outages in several US states earlier last week; those disruptions have been linked to a third-party contractor installing equipment.

Editor's Note

Both of these outages highlight the importance of path diversity and automatic failover. The 911 service outages appear to be related to a fiber cut done to install a new light pole, while the SMF outage appears to be a deliberate cut of an aerial fiber optic line. When setting up backup or redundant services, make sure you understand how they are, and are not, isolated from incidents impacting your primary services. Make sure you regularly test your failover so you can communicate the impact during an actual failure.

Lee Neely

2024-04-22

US Defense Industrial Base Vulnerability Disclosure Program

The US Department of Defense (DoD) Cyber Crime Center (DC3), the Defense Counterintelligence and Security Agency (DCSA), and HackerOne have launched the Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP). The voluntary program is open to eligible companies working to support the DIB.

Editor's Note

This is intended as a free service which is available to about 12,500 cleared companies. While the companies will still need to deal with vulnerabilities disclosed, having the program centrally managed and provided makes adoption and participation much simpler. A VDP disclosure of a flaw remains preferable to a ransomware notice.

Lee Neely

2024-04-22

Microsoft: Forest Blizzard/STRONTIUM GooseEgg Tool

Researchers from Microsoft Threat Intelligence have published their investigation into a tool used by Russian state-sponsored threat actors that exploits a known vulnerability (CVE-2022-38028) in the Windows Print Spooler service. Dubbed GooseEgg, the malware has been in use since at least 2020; Microsoft released a fix for the vulnerability in October 2022.

Editor's Note

Microsoft is tracking the gang as Forest Blizzard, aka Fancy Bear or APT28, which targets state, nongovernmental, education and transportation organizations in Ukraine, Western Europe and North America. While GooseEgg targets the print spooler vulnerability, this gang also targets flaws such as CVE-2023-23397 which impacts Outlook on Windows. Even if you're not in their target set, make sure you're applying patches, including the print spooler and Outlook/Office updates.

Lee Neely

Internet Storm Center Tech Corner

Number of Industrial Devices Accessible From Internet Up 30 Thousand over three years

https://isc.sans.edu/diary/It+appears+that+the+number+of+industrial+devices+accessible+from+the+internet+has+risen+by+30+thousand+over+the+past+three+years/30860

The CVE's They are A-Changing

https://isc.sans.edu/diary/The+CVEs+They+are+AChanging/30850

Evil XDR: Turning an XDR into an Offensive Tool

https://www.darkreading.com/application-security/evil-xdr-researcher-turns-palo-alto-software-into-perfect-malware

Palo Alto Networks GlobalProtect Update

https://security.paloaltonetworks.com/CVE-2024-3400

CrushFTP 0-Day Vulnerability

https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update

https://www.reddit.com/r/crowdstrike/comments/1c88788/situational_awareness_20240419_crushftp_virtual/

YubiKey Manager Privilege Escalation

https://www.yubico.com/support/security-advisories/ysa-2024-01/

GitLab Comment Bug

https://www.bleepingcomputer.com/news/security/gitlab-affected-by-github-style-cdn-flaw-allowing-malware-hosting/

GitHub Comment Bug Used to Distribute Malware

https://www.bleepingcomputer.com/news/security/github-comments-abused-to-push-malware-via-microsoft-repo-urls/