SANS NewsBites

Change Healthcare Says February Breach Affects 100 Million People; Hospitals are Using AI Transcription Tools that Hallucinate; Older Adults Struggle with Technology in Healthcare

October 29, 2024  |  Volume XXVI - Issue #83

Top of the News


2024-10-28

Change Healthcare Estimates 100 Million Affected by February Breach

In a recently updated filing with the US Department of Health and Human Services Office for Civil Rights (HHS OCR), Change Healthcare now estimates the number of individuals affected by the February 2024 breach to be 100 million. HHS OCR has published an updated FAQ about the breach. The new figure makes the Change Healthcare incident the largest healthcare breach on record.

Editor's Note

Back in April, Change Healthcare publicly admitted that 'the impacted data could cover a substantial proportion of people in America.' That statement and 'largest healthcare breach on record' should be required to be shown prominently on all their marketing material, kinda like the warnings on cigarette packaging.

John Pescatore

A breach of this scope and size deserves to be a case study in lessons learned. I hope in 2025 our friends at the Cybersecurity Review Board (CSRB) can publish a report detailing findings and key takeaways, just as they did earlier this year for the Microsoft breach in 2023.

Lance Spitzner

Oddly, as breach notifications continue to arrive, I've seen notifications for my deceased neighbors. My point is breach notifications are taking a long time and you need to get proactive and set up your own identity restoration/credit monitoring. Lock your credit. Don't wait to find out you've got a problem.

Lee Neely

2024-10-28

Hospitals are Using Untrustworthy AI Transcription Tools

When OpenAI introduced its transcription tool, Whisper, in 2022, it claimed the tool 'approache[d] human level robustness and accuracy.' However, the tool is in fact prone to hallucinations, and a ChatGPT-generated description of Whisper recommends against using it in 'high-risk domains.' Despite the warning, healthcare organizations are using Whisper; software engineers, developers, and researchers found high levels of inaccurate chunks of text, and even entirely false sentences, in the Whisper-generated transcriptions they examined.

Editor's Note

AI literally has decades of over-hype but has gotten Bitcoin-like levels of promotion in the past few years. All too often, using an AI-generated document is like eating a meal you created from room service trays left outside of hotel room doors on your way from the elevator to your room.

John Pescatore

Troubling, as this deals with patient healthcare records. Is it simply that in the rush to get to market the tool had insufficient data from which to train, or are there underlying assumptions made by the model that are incorrect? Whatever the cause, a general warning not to use in high-risk domains is insufficient.

Curtis Dukes

We should all be investigating AI capabilities, but not without careful review of the results. Remember this is still new technology and we are still learning not just how to use it but also where the information provided is stored, leveraged, and shared.

Lee Neely

2024-10-28

Healthy Aging Poll: Older Adults Wouldn't Trust AI-Generated Health Information

According to the University of Michigan National Poll on Healthy Aging, nearly three-quarters of adults over the age of 50 say they would not trust AI-generated health information. Overall, 20 percent of respondents said they had 'little or no confidence' in their ability to identify health misinformation.

Editor's Note

As an old fart, I have trouble with chat/audio assistants trying to assist me with my call. While these have improved the experience, and are designed to allow services to scale, and numbers show they have a lot of success, they are not yet a complete human replacement, particularly for those of us who grew up with non-automated response. If you're providing automated response services, make sure there is an easy option to request a human.

Lee Neely

It is good to see this level of skepticism around AI tools. Hopefully people will continue to rely on medical experts rather than Dr. AI or indeed Dr. Google.

Brian Honan

The Rest of the Week's News


2024-10-28

US Copyright Office Grants Partial DMCA Exemption for Retail Food Prep Equipment Repair

The US Copyright Office has granted a partial Digital Millennium Copyright Act (DMCA) exemption 'allowing for repair of retail-level food preparation equipment.' The exemption was requested by Public Knowledge, a consumer advocacy group, along with iFixit. The original, broader request sought 'to expand the repair exemption for consumer electronic devices to include commercial industrial equipment such as automated building management systems and industrial equipment (i.e. soft serve ice cream machines and other industrial kitchen equipment).' The Copyright Office considered a total of seven proposed classes for exemption and granted all but one: a request regarding the preservation of video games.

Editor's Note

The "right to repair" movement has significant implications for device security. As more and more "smart devices" are reaching end of support, or vendors go out of business, it becomes more and more important for owners to have the ability to apply fixes to software and hardware. While it may sound benign to be able to fix an ice cream machine, the implications could be far reaching.

Johannes Ullrich

A win for 'consumer right to repair' advocates and McFlurry lovers around the world. The US would be well served modeling federal law off the NY State Digital Fair Repair Act. This State law addresses many of the concerns of manufacturers (i.e., protection of trade secrets, liability, etc.).

Curtis Dukes

With increased 'right to repair,' the burden passes to the consumer to ensure the repair is done with genuine components by trained technicians. Consider the supply chain risk when screening alternate repair services.

Lee Neely

2024-10-28

Russian Prison Sentences for Members of REvil Ransomware Group

Russian courts sentenced members of the REvil gang to prison terms for hacking and money laundering. The group is best known for 2021 attacks on meat-packing company JBS and IT services firm Kaseya. Members of the REvil team were arrested in 2022 with cooperation from US law enforcement.

Editor's Note

With Russia's invasion of Ukraine in 2022, the US Department of Justice stopped cooperating with Russian authorities. Many of us thought that would be the end of the case against REvil, especially where hacking companies in foreign countries is not illegal in Russia. While several gang members were released, you've got to hand it to Russian authorities for following through to prison sentences on some of the key players.

Christopher Elgee

2024-10-25

Arcadyan Routers Vulnerable Through Wi-Fi Test Suite

The Software Engineering Institute's (SEI) Computer Emergency Response Team Coordination Center (CERT/CC), following up on disclosure by independent researcher "fj016" and SSD Secure Disclosure, has released an advisory describing a command injection vulnerability in the Wi-Fi Alliance's Test Suite tool. Using "specially crafted packets," an attacker could gain root privileges and execute code, posing particular risk to any "commercial router deployments," where the Wi-Fi Test Suite is not meant to be used. The vulnerable code is found on the Arcadyan FMIMG51AX000J model device. There is no patch from the manufacturer; CERT/CC recommends that the Wi-Fi Test Suite be updated to at least version 9.0 or removed entirely.

Editor's Note

This issue may affect other brands as well. The vulnerability was introduced by a test suite used by the Wi-Fi Alliance to verify compliance with Wi-Fi standards. Arcadyan did ship their devices leaving the test suite enabled. Others may have made the same mistake.

Johannes Ullrich

2024-10-24

S3 Bucket Vulnerability in AWS Cloud Development Kit

Amazon Web Services' (AWS) Cloud Development Kit (CDK) has been vulnerable to S3 bucket "namesquatting," according to researchers at Aqua, which could lead to many security issues including "full account takeover." Aqua's research was published on October 24, 2024 and details its communication with AWS after reporting the flaw in June 2024. An S3 staging bucket is created as part of the CDK bootstrapping process and named using an easily predictable and exploitable naming scheme, which creates a vulnerability: "Criminals could predict AWS S3 bucket names, pre-load malicious code into a bucket, and then sit back and wait for the target org to execute it unwittingly. Once that happened, the attackers could steal data, or even take over a user's account without them knowing." Aqua notes "there's no way to know if the vulnerability, which doesn't have an associated CVE number, has been exploited in the wild." Amazon has patched the issue and notified customers, and Aqua suggests updating and re-running the bootstrap command, or applying an "IAM policy condition ... similar to the AWS patch."

Editor's Note

I guess the analogy here is if you are going to use dishes directly from the dishwasher, make sure you run the dishwasher first.

John Pescatore
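The defensive lever in the CDK story is an ownership check in the IAM policy: the deployment role should only be allowed to use a staging bucket that its own account owns, so a bucket that merely carries the expected name but was created by someone else is denied. The following is an added example written for this issue, not code from Aqua, AWS, or the CDK project. It builds a weak policy beside one that adds the aws:ResourceAccount global condition key (a real IAM condition key that S3 evaluates against the bucket owner's account), checks whether a policy document carries that condition, and runs a toy evaluator over both. The account IDs and bucket ARN are constructed placeholders, and the evaluator models only the few policy elements the example needs, not full IAM semantics.

```python
"""Added example: pinning a CDK-style staging bucket to its owning account
with an IAM policy condition. Not the project's own code; all IDs below are
constructed placeholders."""

import json

ACCOUNT_ID = "123456789012"          # constructed: the deploying account
FOREIGN_ACCOUNT = "999999999999"     # constructed: some other account
# Placeholder ARN; the real CDK staging bucket name is not reproduced here.
STAGING_BUCKET_ARN = "arn:aws:s3:::example-cdk-staging-bucket"
S3_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:GetBucketLocation"]


def weak_policy() -> dict:
    """Grants the S3 actions on the named bucket with no ownership check.
    Whoever owns a bucket of that name gets the role's reads and writes."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(S3_ACTIONS),
            "Resource": [STAGING_BUCKET_ARN, STAGING_BUCKET_ARN + "/*"],
        }],
    }


def hardened_policy(account_id: str) -> dict:
    """Same grant, but only when the bucket is owned by account_id.
    aws:ResourceAccount is a global condition key populated by S3 with the
    bucket owner's account ID."""
    policy = weak_policy()
    policy["Statement"][0]["Condition"] = {
        "StringEquals": {"aws:ResourceAccount": account_id}
    }
    return policy


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_pins_bucket_owner(policy: dict, account_id: str) -> bool:
    """True only if every Allow statement that grants an s3:* action also
    requires aws:ResourceAccount == account_id (and nothing else)."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a.lower().startswith("s3:") for a in actions):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        allowed = cond.get("aws:ResourceAccount")
        if allowed is None or set(_as_list(allowed)) != {account_id}:
            return False
    return True


def simulate_access(policy: dict, action: str, bucket_owner: str) -> bool:
    """Toy evaluator for this example only: would the policy allow `action`
    on the staging bucket when that bucket is owned by `bucket_owner`?
    Models Allow/Action and the aws:ResourceAccount StringEquals condition;
    resource matching is assumed to succeed (same bucket name)."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or action not in _as_list(stmt["Action"]):
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:ResourceAccount")
        if required is None or bucket_owner in _as_list(required):
            return True
    return False


if __name__ == "__main__":
    for name, pol in (("weak", weak_policy()), ("hardened", hardened_policy(ACCOUNT_ID))):
        print(f"{name:9s} pinned={policy_pins_bucket_owner(pol, ACCOUNT_ID)} "
              f"own-bucket={simulate_access(pol, 's3:GetObject', ACCOUNT_ID)} "
              f"foreign-bucket={simulate_access(pol, 's3:GetObject', FOREIGN_ACCOUNT)}")
    print(json.dumps(hardened_policy(ACCOUNT_ID), indent=2))
```

The weak policy allows reads from a same-named bucket regardless of who owns it; the hardened one allows them only when the owner is the deploying account. A policy_pins_bucket_owner-style check is a cheap thing to run over the bootstrap role policies in an account after re-running the bootstrap, to confirm the condition actually landed.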

2024-10-28

Windows Kernel Vulnerable to Rootkits via Downgrade Attack

Beginning at the Black Hat conference in August 2024, and in subsequently released research, SafeBreach's Alon Leviev has demonstrated a Windows vulnerability he calls Windows Downdate, in which an attacker with administrative privileges can bypass Driver Signature Enforcement and downgrade the OS kernel, drivers, DLLs, and other components, allowing rootkit installation on a completely up-to-date machine. In some cases, virtualization-based security (VBS) can also be bypassed or disabled if no "mandatory" flag is set with UEFI lock. Leviev stated: "I was able to make a fully patched Windows machine susceptible to past vulnerabilities, turning fixed vulnerabilities unfixed and making the term 'fully patched' meaningless on any Windows machine in the world." While Microsoft at first stated that this issue "did not cross a defined security boundary," the company has since created a "revocation policy mitigation" for CVE-2024-21302 (Windows Secure Kernel Mode Elevation of Privilege Vulnerability) and patched CVE-2024-38202 (Windows Update Stack Elevation of Privilege Vulnerability), though some systems may require additional action.


2024-10-25

NIST Evaluating 14 PQC Digital Signature Candidates

After finalizing three encryption algorithms in August 2024, all designed to withstand quantum computing attacks, the National Institute of Science and Technology (NIST) has continued to seek variety in its Post-Quantum Cryptography (PQC) standards. "While several non-lattice-based KEMs remained under consideration in the fourth round, no signature schemes remained," and from an initial selection of 40, 14 candidates now comprise a second evaluation round of "additional [digital] signatures" open for comments and tweaks, only one of which is lattice-based. NIST predicts quantum computing will be employed in attacks on encryption within ten years.


2024-10-28

Operation Magnus: International Effort Results in Infostealer Malware-as-a-Service Disruption

The Dutch National Police (Politie) say they have obtained 'full access' to servers used by the Redline and Meta infostealers, both of which operate as malware-as-a-service. Operation Magnus, which involved law enforcement agencies from the US, the UK, Portugal, and Australia, along with Eurojust (the European Union Agency for Criminal Justice Cooperation), 'gained access to the Redline and Meta source code, including the license servers, REST API servers, panels, stealers, and Telegram bots.' The operation also turned up information that could be helpful in identifying people who used the malware.

Editor's Note

A success is a success. That said, these sorts of tools are easy to replicate. Defenders are still best served by updating their software as patches become available, using a secure configuration, and actively monitoring their enterprise for compromise.

Curtis Dukes

Yet again another great example of international law enforcement cooperation. Well done to all the agencies involved. No doubt the intelligence gathered from this operation will lead to multiple arrests. It also is a reminder why it's important that victims of cybercrime engage with law enforcement so that those agencies can prioritise and plan operations against criminal gangs.

Brian Honan

Internet Storm Center Tech Corner

Apple Updates Everything

https://isc.sans.edu/diary/Apple+Updates+Everything/31390

Self-contained HTML Phishing Attachment Using Telegram to Exfiltrate Credentials

https://isc.sans.edu/diary/Selfcontained+HTML+phishing+attachment+using+Telegram+to+exfiltrate+stolen+credentials/31388/

Two currently (old) exploited Ivanti vulnerabilities

https://isc.sans.edu/diary/Two+currently+old+exploited+Ivanti+vulnerabilities/31384

Okta iOS App Vulnerability CVE-2024-10327

https://trust.okta.com/security-advisories/okta-verify-for-ios-cve-2024-10327/

ChatGPT-4o Guardrail Jailbreak: Hex Encoding for Writing CVE Exploits

https://0din.ai/blog/chatgpt-4o-guardrail-jailbreak-hex-encoding-for-writing-cve-exploits

Arcadyan FMIMG51AX000J (WiFi Alliance) RCE CVE-2024-41992

https://ssd-disclosure.com/ssd-advisory-arcadyan-fmimg51ax000j-wifi-alliance-rce/

Threat Alert TeamTNT's docker gatling gun campaign

https://www.aquasec.com/blog/threat-alert-teamtnts-docker-gatling-gun-campaign/