The Australian Communications and Media Authority (ACMA) has determined that a September 2022 breach affecting telecommunications firm Optus was due to an API coding error. The defect had been present for four years before the breach. ACMA says Optus failed to protect the customer data of millions of individuals.
The API had two entry points, each of which was secured in 2017. In 2021, a coding error broke one of the ACLs, but the defect was only detected in one of the entry points, despite both being impacted by the same flaw. While the obvious move was to make sure that the same fixes were applied to all entry points, the better move for your future self is to only have one entry point, one set of security controls and one instance to support, secure, document and implement.
APIs are still untested; we see such common flaws. It's web hacking like the 2000s all over again. If you haven't dug into APIs, start. If you think they are not vulnerable to the more traditional attacks, they probably are.
This is the second such determination in recent weeks by an Australian government authority that a commercial business failed in implementing reasonable cybersecurity. While CIS's guide to defining reasonable cybersecurity is specific to the United States, defining reasonable cybersecurity applies globally. Reasonable cybersecurity is becoming the bar businesses will be measured against.
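The point in the note above about having one entry point and one set of security controls is easier to see in code. The following is an added example, not code from Optus or from the ACMA findings: a hypothetical mini-API with two routes that front the same customer-record lookup. In the first design each route repeats its own ACL check, so a regression in one of them silently opens that path while the other route's tests still pass; in the second design every route goes through one dispatcher that enforces the ACL before any handler runs. Route names, tokens, customer IDs and the `probe` helper are all constructed for illustration.

```python
"""Added example: per-endpoint ACL checks versus a single authorization
choke point. All routes, tokens and records below are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed data: which caller token may read which customer record.
CUSTOMERS = {
    "c-1001": {"name": "A. Example", "phone": "+61 4xx xxx 001"},
    "c-1002": {"name": "B. Example", "phone": "+61 4xx xxx 002"},
}
ACL = {"tok-alice": {"c-1001"}, "tok-bob": {"c-1002"}}


@dataclass
class Request:
    path: str
    token: Optional[str]
    customer_id: str


class Forbidden(Exception):
    pass


def allowed(token: Optional[str], customer_id: str) -> bool:
    """Deny by default: an unknown or missing token has no grants."""
    return customer_id in ACL.get(token, set())


# --- Design A: each entry point carries its own copy of the check ----------
def v1_get_customer(req: Request) -> dict:
    if not allowed(req.token, req.customer_id):
        raise Forbidden(req.path)
    return CUSTOMERS[req.customer_id]


def v2_get_customer(req: Request) -> dict:
    # Simulated regression: a refactor dropped the check from this copy.
    # Nothing else notices, because the v1 route still behaves correctly.
    return CUSTOMERS[req.customer_id]


ROUTES_A: Dict[str, Callable[[Request], dict]] = {
    "/v1/customer": v1_get_customer,
    "/v2/customer": v2_get_customer,
}


def dispatch_a(req: Request) -> dict:
    return ROUTES_A[req.path](req)


# --- Design B: one choke point in front of every handler -------------------
def get_customer(req: Request) -> dict:
    # Handlers contain no authorization logic at all; they cannot forget it.
    return CUSTOMERS[req.customer_id]


ROUTES_B: Dict[str, Callable[[Request], dict]] = {
    "/v1/customer": get_customer,
    "/v2/customer": get_customer,
}


def dispatch_b(req: Request) -> dict:
    if not allowed(req.token, req.customer_id):
        raise Forbidden(req.path)
    return ROUTES_B[req.path](req)


def probe(dispatch: Callable[[Request], dict], routes: Dict[str, Callable]) -> List[str]:
    """Regression check to run in CI: every registered route must reject an
    unauthenticated request. Returns the routes that leaked data."""
    leaked = []
    for path in routes:
        try:
            dispatch(Request(path, None, "c-1001"))
            leaked.append(path)
        except Forbidden:
            pass
    return leaked


if __name__ == "__main__":
    print("design A leaks on:", probe(dispatch_a, ROUTES_A))  # ['/v2/customer']
    print("design B leaks on:", probe(dispatch_b, ROUTES_B))  # []
```

The `probe` check is the part worth keeping even if you cannot consolidate entry points yet: it iterates the route table rather than a hand-maintained list, so a newly added route is covered automatically.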
Just a few weeks after critical vulnerabilities in Zyxel network-attached storage (NAS) devices were disclosed, data gathered by the Shadowserver Foundation indicates that end-of-life (EoL) Zyxel NAS devices are coming under attack. Shadowserver reports observing attempted exploitation of a command injection vulnerability (CVE-2024-29973) by a Mirai-like botnet. Timothy Hjort, Student Intern in Vulnerability Research at Outpost24, discovered the vulnerabilities and noted in a write-up that 'Despite the fact that the device has reached End-of-Life by the end of last year, they still released patches for the three critical vulnerabilities,' including CVE-2024-29973.
There is a non-zero chance that the EOL devices will remain unpatched for the same reason they are still operating. CVE-2024-29973 has a CVSS score of 9.8. Even with the patches, the best move is to replace these with supported devices. Scan your environment for them, then take action to patch and decommission them; don't let them go into the rainy-day pile. Make sure you're not exposing NAS to the Internet.
It's interesting to see what types of systems are being attacked, as we have such an American view into the state of things. Zyxel may not be the most 'relevant' company in the US, but overseas it's used quite frequently. Interesting to see how this was targeted. You must imagine that someone sat on these bugs.
This disclosure should serve as a reminder that NAS devices should not be visible to the public networks, that any device vulnerabilities are likely to become more visible as time passes, and that all devices must be managed and maintained for as long as they are in use.
Automobile dealership software-as-a-service (SaaS) provider CDK Global has set up interactive voice-response lines for customers to obtain information about the ransomware attack that has disrupted operations at its customers' organizations. A message on that system from CDK says that threat actors are contacting automobile dealerships, claiming to be from CDK and trying to gain deeper access to the dealerships' systems.
Seeing blood in the water, attackers are cranking up their social engineering playbook. If you and your team haven't participated in a social engineering village, you need to, even if on video, to see just how effective these techniques are. Don't forget it's not that hard to create legitimate-looking correspondence or other communication; encourage staff to verify if they have any doubts about a request for access or information. Remember to call your known-good contact, not the information in the email/document/etc.
Another area of the market no one thinks about. The automotive service industry is now at the core of your mechanics and dealerships. CDK is important in that space, but we probably don't know how far this will go because it's not widely known or understood.
According to a breach notification letter the Los Angeles (California) Department of Public Health sent to individuals whose data were compromised in a February 2024 cyberattack, the attackers gained access to the system through push notification spamming. The perpetrators inundated an employee with fraudulently-generated multi-factor authentication (MFA) approval requests from their Microsoft 365 account, one of which the recipient approved.
Push Notification Fatigue is not theoretical, it's a thing, which is why you're getting pushed towards phishing-resistant MFA. Don't throw your existing MFA under the bus: it's better than mere passwords; it's that attack techniques have evolved to circumvent many of the less robust MFA options. The good news is you probably already have staff chomping at the bit to roll out passkeys, FIDO2, Certificate Based Authentication, or other robust options. Let them loose on a POC or two, then pick one to deploy this year.
Social engineering, the acquisition of special knowledge or privileges, by means of fraud or deceit, remains the most efficient form of attack.
Minnesota-based Consulting Radiologists is notifying more than 500,000 patients that their personal information was compromised in a breach earlier this year. The firm detected anomalous activity in February and brought in outside cybersecurity experts. Their investigation concluded in mid-April that the breach compromised sensitive personal data, including patients' names, addresses, dates of birth, Social Security numbers, health insurance information and medical records, all belonging to 511,947 people.
Another ransomware event targeting the healthcare sector - check, the sector has been a frequent target for years. Here's the dilemma: when to inform patients that their PII and/or PHI data was compromised. HHS rules say within 60 days following the discovery of the breach. That puts notification at mid-April. Or is it 60 days after the investigation concludes? That's mid-June. The rules are loose enough that the only thing at risk is the patient's private data.
Both LockBit and Qilin are taking credit for the attack. Russia-based Qilin claims to have made off with more than 70GB of Consulting Radiologists' data. This is the same group behind the politically motivated Synnovis healthcare attack in London, which was intended to cause a crisis, which is consistent with the Russian gang modus operandi of causing disruption. Consulting Radiologists is focused on raise-the-bar activities to prevent recurrence and is also offering a year of credit monitoring, credit report and credit score services to affected individuals.
The original purpose of Social Security Numbers was to remedy inevitable name collisions among all the workers in America across time. When used to resolve name collisions in small populations, the last four digits are sufficient. Collection and retention, much less disclosure, of the whole number is reckless. Do not put your organization at risk.
Having worked in IT, I've seen some strange setups. What makes these health issues worse is that they ask for your social security number, which exposes your identity, and then, whether you pay up or not, they may go after your patients. Many are susceptible to thinking they owe money for their medical bills.
Change Healthcare has begun notifying organizations that their patients' data were compromised in the February cyberattack. The notifications include more specifics about what type of data were compromised. They include information about health insurance policies, medical records, diagnoses, prescriptions, test results, billing and claims information, financial account information, and ID info, including passport numbers, driver's license numbers, and Social Security numbers.
Change Healthcare is still sifting through data to determine who was or was not affected by the breach, telling us this is going to take a bit. I don't fault them for caution to accurately identify affected individuals: in today's environment, of both highly connected information sharing and concentrated attacks, especially on healthcare providers, you really need to be proactive about having credit monitoring and restoration services. Don't wait for the breach notification. When was the last time you checked that your credit was locked/frozen? Trust but verify here, your peace of mind is worth it.
Note that much of the PII data disclosed, while useful for resolving identity collisions at application or enrollment time, should never have been retained. The lesson for the rest of us is that retaining data longer than necessary creates a liability and a risk.
UK-based medical device company LivaNova is notifying nearly 130,000 individuals that their personally identifiable information was compromised in a cyberattack in late October 2023. LivaNova became aware of the incident in mid-November 2023, and a subsequent investigation determined that the intruders stole names, addresses, Social Security numbers, medical information, health insurance information and other data. LivaNova disclosed the incident in late April, shortly after the extent of the breach was determined.
Medical device manufacturer LivaNova was still refining the extent of the breach, during which 2.2 terabytes of data was exfiltrated. LockBit claimed responsibility for the attack in December. LivaNova was notifying US based individuals in April, and started notifying non-US based individuals in May; they are not offering credit monitoring, but rather pointing folks to free credit monitoring services. While the timeline is tricky to follow, they fixed the vulnerable systems and services right away, but the identification of affected individuals took a lot longer than expected. Make sure you are aware of where your sensitive data is, so you can rapidly identify what is affected in an incident.
Another example of the gap in victim notification. While these two incidents are specific to the healthcare sector, victim notification also lags in most sectors. There are legitimate arguments for the time it takes to investigate, but that's time the criminal can use to their advantage. More often than not, the investigation concludes that data was stolen as it has for LivaNova.
Indonesia's National Data Center has been hit with a ransomware attack. The incident has disrupted multiple services, including immigration document management as well as school and university enrollment services. Indonesia's Communications Ministry says the data center's systems were infected with a variant of LockBit and that the attackers have demanded a ransom payment of USD 8 million.
Indonesia is emphatic they are not paying the ransom. This attack is attributed to Brain Cipher, which is a new variant of the LockBit ransomware; it's not certain they are behind it, as many other threat actors are running with the leaked LockBit 3.0 builder, and this attack is not listed on the resurrected LockBit leak site. Entry to systems was due to disabling the Windows Defender security, which allowed malware to be installed. While more information is still forthcoming, it'd be a good idea to verify an alert would trigger, and be responded to, when security services are disabled.
Ransomware gangs pretty much target every sector to include national government. While it is doubtful they will get a payout, the information has value as part of the criminal supply chain.
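The suggestion above, to verify that an alert fires when security services are disabled, is concrete enough to script. What follows is an added example and not part of the incident reporting on the Indonesian data center: a small detector that classifies forwarded Windows event records, using the Event IDs Microsoft documents for the Defender operational log (5001 real-time protection disabled, 5007 configuration changed, 5010/5012 scanning disabled) and the System log's Service Control Manager entries (7036 service state change, 7040 start type changed). The event records are constructed to resemble real ones, and the flat field names (`provider`, `event_id`, `message`) are an assumption about how your log collector normalizes events.

```python
"""Added example: flag Windows events that indicate Defender or its service
was turned off. Event records below are constructed samples; the field layout
is an assumption about the collector, not a Windows format."""
import re
from typing import Dict, List, Optional, Tuple

DEFENDER_PROVIDER = "Microsoft-Windows-Windows Defender"
SCM_PROVIDER = "Service Control Manager"

# Defender operational log IDs that directly mean "protection is off".
DEFENDER_DISABLE_IDS = {
    5001: "real-time protection disabled",
    5010: "antispyware scanning disabled",
    5012: "antivirus scanning disabled",
}

# 5007 is a generic configuration change; only some changes are disabling.
# Match the registry values that turn protection off when set to 0x1.
DISABLING_KEYS = re.compile(
    r"Disable(?:RealtimeMonitoring|AntiSpyware|AntiVirus|IOAVProtection|"
    r"BehaviorMonitoring)\s*=\s*0x1",
    re.IGNORECASE,
)


def classify(ev: Dict) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a security-service-disabled event,
    or None when the event is not one we care about."""
    provider, eid, msg = ev["provider"], ev["event_id"], ev["message"]
    if provider == DEFENDER_PROVIDER:
        if eid in DEFENDER_DISABLE_IDS:
            return ("high", DEFENDER_DISABLE_IDS[eid])
        if eid == 5007:
            # Only inspect the "New value:" half; the old value of a
            # re-enable event also contains "= 0x1" and must not alert.
            new_value = msg.split("New value:", 1)[-1]
            hit = DISABLING_KEYS.search(new_value)
            if hit:
                return ("high", f"configuration set {hit.group(0)}")
            return None
        if eid == 5013:
            return ("medium", "tamper protection blocked a change")
    if provider == SCM_PROVIDER and eid in (7036, 7040):
        low = msg.lower()
        if "defender" in low and ("disabled" in low or "stopped state" in low):
            return ("high", f"service control: {msg}")
    return None


def scan(events: List[Dict]) -> List[Dict]:
    """Run classify() over a batch and return alert records."""
    alerts = []
    for ev in events:
        hit = classify(ev)
        if hit:
            alerts.append({"ts": ev["ts"], "host": ev["host"],
                           "event_id": ev["event_id"],
                           "severity": hit[0], "reason": hit[1]})
    return alerts


# Constructed sample events (not real logs). Message text approximates the
# wording of the real event descriptions.
SAMPLE_EVENTS = [
    {"ts": "2024-06-20T01:02:03Z", "host": "srv-01", "provider": DEFENDER_PROVIDER,
     "event_id": 5007,
     "message": r"Windows Defender Antivirus Configuration has changed. Old value: "
                r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x0 "
                r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x1"},
    {"ts": "2024-06-20T01:02:04Z", "host": "srv-01", "provider": DEFENDER_PROVIDER,
     "event_id": 5001,
     "message": "Windows Defender Antivirus Real-time Protection scanning for malware "
                "and other potentially unwanted software was disabled."},
    {"ts": "2024-06-20T01:02:09Z", "host": "srv-01", "provider": SCM_PROVIDER,
     "event_id": 7040,
     "message": "The start type of the Windows Defender Antivirus Service service "
                "was changed from auto start to disabled."},
    {"ts": "2024-06-20T02:30:00Z", "host": "srv-02", "provider": DEFENDER_PROVIDER,
     "event_id": 5007,  # re-enable: old value 0x1, new value 0x0, must not alert
     "message": r"Windows Defender Antivirus Configuration has changed. Old value: "
                r"HKLM\...\DisableRealtimeMonitoring = 0x1 New value: HKLM\...\DisableRealtimeMonitoring = 0x0"},
    {"ts": "2024-06-20T02:31:00Z", "host": "srv-02", "provider": DEFENDER_PROVIDER,
     "event_id": 1116, "message": "Windows Defender Antivirus has detected malware."},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

To turn this into the test the note asks for, disable real-time protection on a lab host through the normal admin path, confirm the 5001/5007 pair is forwarded and that `scan` produces an alert that reaches a human; if the events never leave the host, the detector above is irrelevant and log forwarding is the gap to fix first.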
The Japan Aerospace Exploration Agency (JAXA) has experienced several cyberattacks over the past year. Officials say that the incidents have not compromised sensitive rocket and satellite data. Japan's Chief Cabinet Secretary, Yoshimasa Hayashi, says security officials are taking steps to protect JAXA systems from future attacks.
Space exploration and research is known for extensive collaboration between the public and private sectors. As such, having reachable servers and services is common. The hard part for all of us supporting wide collaboration is to not only ensure the components involved are patched and secured, but to also move to more secure practices. Beyond moving to modern technology (I know that FTP server still works, but...), also embrace modern security practices, such as MFA, endpoint signaling before allowing connections, and comprehensive logging/monitoring with automated responses. Look for untapped capabilities in existing services which could be good candidates to raise the bar in a non-disruptive fashion.
Following the US Department of Commerce's announcement of an upcoming ban on Kaspersky products and services due to national security concerns, the Treasury Department imposed sanctions on a dozen people who hold leadership positions at Kaspersky. The company's CEO and founder, Eugene Kaspersky, has not been sanctioned. The sanctions prohibit US individuals and entities from conducting business with those named. Important Kaspersky ban dates: as of July 20, 2024, Kaspersky may not sell its products or services in the US; as of September 29, 2024, Kaspersky Security Network must cease operating in the US, which means no more Kaspersky software updates and antivirus signatures will be provided as of that date.
This reminds me of a question my buddy John and I were discussing: which is better, a silent or USG-only ban, which leaves the private sector unprotected, or a public one like this which can be contested/debated? The research and threat profile for both are the same. The sanctions are based on Executive Order 14024, from April 2021, which allows sanctioning against individuals and entities furthering specified harmful foreign activities of the Russian Federation.
Sysinternals Process Monitor Version 4 Released
https://isc.sans.edu/diary/Sysinternals+Process+Monitor+Version+4+Released/31026
Configuration Scans Expand
https://isc.sans.edu/diary/Configuration+Scanners+Adding+Java+Specific+Configuration+Files/31032
SQL Server Emergency Fix
Juniper Security Analytics Update
Kaspersky Sanctions
https://home.treasury.gov/news/press-releases/jy2420
MacOS/iOS XNU Buffer Overflow Exploit CVE-2024-27815
https://jprx.io/cve-2024-27815/
Phoenix UEFI Buffer Overflow Affects Wide Range of Systems
Ghostscript Update
https://ghostscript.readthedocs.io/en/gs10.03.1/News.html
js2py vulnerability
https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape