Change Healthcare Breach Prompts Proposed US Healthcare Cybersecurity Legislation; Protect AI Bug Bounty Program Reveals 24 Vulnerabilities; Sophos X-Ops' Five-Year Investigation into State-Sponsored Attacks on Perimeter Devices

In September 2024, US Senators Ron Wyden (D-Oregon) and Mark Warner (D-Virginia) introduced the Health Infrastructure Security and Accountability Act (HISAA). The proposed legislation is a direct response to the February 2024 Change Healthcare breach that affects 100 million people. HISAA's provisions include updating HIPAA cybersecurity standards; 'Requir[ing] covered entities and business associates to submit to annual independent cybersecurity audits, as well as stress tests to determine if they are capable of restoring service promptly after an incident, which HHS can waive for small providers;' and 'requiring top executives to annually certify compliance with the requirements.'

Protect AI, a company focused on security in AI and Machine Learning (ML) development, published an advisory disclosing 34 vulnerabilities discovered through what they call the "world's first AI/ML bug bounty program" comprising researchers and over 15,000 community members. Protect AI identifies open source "tools used in the supply chain" as an especially vulnerable area in AI development. Among the list are three critical flaws. Lunary, an open source platform with features supporting Large Language Model (LLM) app development, has two: "CVE-2024-7474 ... an insecure direct object reference (IDOR) flaw that could allow an authenticated user to view or delete the user records of any other external user due to lack of proper access control checks for requests to the relevant API endpoints," and CVE-2024-7475, which "enables attackers to user crafted POST requests to this endpoint to maliciously update the SAML configuration, which can lead to manipulation of authentication processes and potentially fraudulent logins." Both are patched in Lunary 1.3.4. ChuanhuChatGPT, a web user interface for ChatGPT API, had the third critical vulnerability: CVE-2024-5982, a "path traversal vulnerability in the user upload feature of Chuahu Chat, which could enable RCE, arbitrary directory creation and leakage of information from CSV files due to improper sanitization of certain inputs," which is patched in version 20240918 of the GUI.

Sophos X-Ops has published details from five years of investigation into Chinese state-sponsored attacks targeting perimeter devices, including the company's firewalls. Sophos X-Ops writes, 'with assistance from other cybersecurity vendors, governments, and law enforcement agencies we have been able to, with varying levels of confidence, attribute specific clusters of observed activity' to previously identified threat actors with ties to China's government. Key takeaways from the investigation include: 'Edge network devices are high-value targets that well-resourced adversaries use for both initial access and persistence; State-sponsored attackers use both zero-day and known vulnerabilities to attack edge devices; and State-sponsored targeting is not limited to high-value espionage targets.'

In an advisory published October 25, development framework Spring disclosed a vulnerability they rate as critical. Applications developed with Spring WebFlux may have security rules that can be bypassed if all the following conditions are true at once: "if WebFlux is used, if the app is using the framework's static resources support, and a non-permitAll authorization rule is applied to that support." Spring assesses the risk of this vulnerability as CVSS 9.1, though Red Hat estimates 7.4 due the multiple concurrent conditions required for apps to be at risk; NISTÕs CVE page lists the vulnerability 'awaiting analysis' as of this publication. A list of affected versions and their respective patched versions is available in Spring's advisory. As of 2020, research showed that perhaps 60 percent of all Java apps rely on the Spring framework.

For the past week and a half, 'Microsoft Threat Intelligence has observed Russian threat actor Midnight Blizzard sending a series of highly targeted spear-phishing emails to individuals in government, academia, defense, non-governmental organizations, and other sectors.' Microsoft believes that the goal of the campaign is to collect intelligence, and has published a blog to ensure that the public is informed about the threat. The spear-phishing messages 'contained a signed Remote Desktop Protocol (RDP) configuration file that connected to an actor-controlled server.'

Peru's Interbank says that a data breach may have compromised personal information of as many as three million of their customers. Interbank is one of Peru's largest financial institutions. Earlier this week, researchers detected data allegedly taken from Interbank being offered for sale on the dark web. In a statement posted to social media, the bank said that at least some of those data appear to be legitimate.

A former Disney employee has been arrested and charged with Computer Fraud and Abuse Act (CFAA) violations for allegedly 'log[ging] into the Disney menu creation system contracted by a third-party company and chang[ing] the fonts in the system to Wingdings symbols.' Michael Scheuer was fired from his menu production manager position in June 2024, yet was able to use his credentials to access the system following his termination. Scheuer also allegedly removed allergen information from the menus. Disney was able to identify the affected menus and prevent them from being shipped.

According to the Canadian Centre for Cyber Security's National Cyber Threat Assessment for 2025-2026, Chinese state-sponsored cyber threat actors have targeted no fewer than 20 Canadian government networks over the last four years. The report notes that the attacks 'serve high-level political and commercial objectives, including espionage, IP theft, malign influence, and transnational repression.' The report also notes that 'ransomware is the top cybercrime threat facing Canada's critical infrastructure.'

Researchers from the Sysdig Threat Research Team detected a campaign that targeted exposed Git configuration files to steal more than 15,000 cloud account and email service credentials. The threat actors reportedly 'leveraged a range of private tools to exploit several misconfigured web services.' The Sysdig researchers note that 'the stolen data was stored in a S3 bucket of a previous victim.'