Good news/bad news in Mandiant report, UnitedHealth admits paying a ransomware gang, and more.

Welcome to Cyber Security Today. It’s Wednesday April 24th, 2024. I’m Howard Solomon.

Security teams may be getting better at finding hackers lurking in their IT systems. That’s according to Mandiant’s latest annual M-Trends report. The mean time an attacker spent on Mandiant customers’ networks before being detected dropped last year to 10 days. That’s compared to 16 days before being detected in 2022. However, the report suggests ransomware played a key role in the drop, because it tends to be detected more quickly than other malware. Having a hacker in your system for 10 days, though, isn’t a lot to cheer about. Here’s something else to think about: Last year 54 per cent of those surveyed who were hacked said they first learned of the compromise from an external source, like a law enforcement agency, a customer or a security researcher, and not from their own staff. That’s an improvement from 2022. But in ransomware cases that number jumped to 70 per cent who learned from an outside source that they’d been compromised. That’s because most organizations only learn they were penetrated from the ransom note left by the attacker.

The parent company of American healthcare payment processor Change Healthcare has acknowledged it paid a ransomware gang that hit the company in February. UnitedHealth told the TechCrunch news service that a ransom was paid to protect patient data from disclosure. The company wouldn’t confirm reports that $22 million was paid to the AlphV/BlackCat gang. The gang reportedly took all the money and didn’t pay the affiliate that stole data. That data is up for sale by a gang called RansomHub. How much data was stolen? UnitedHealth didn’t say, but does admit it “could cover a substantial proportion of people in America.”

Application developers must make sure their software doesn’t include code from abandoned open-source projects. The warning comes from researchers at Legit Security, who recently discovered a dependency confusion vulnerability in the Apache Cordova App Harness project. That project is no longer supported, but last month was still available in some open-source code repositories. Briefly, if an application included this code it could have been swapped for a malicious version with the same name that had been planted in an open-source repository. Apache has been notified and taken action. But the incident is a warning to developers to audit their codebase and replace archived or unmaintained third-party code.
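One way a development team can audit for the risk described above, as an added example that is not code from the article, Legit Security or the Apache project: scan an npm lockfile and flag packages in a private scope that resolve from the public registry, packages with no integrity hash, and names on a list of archived projects. The lockfile, the "@acme" scope, the registry host and the package names are all constructed for the demo.

```python
import json
from urllib.parse import urlparse

# Constructed sample lockfile (npm lockfileVersion 3 layout); names and hashes
# are made up for the demo. "@acme/*" is a hypothetical private scope.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"dependencies": {"left-pad": "1.3.0", "@acme/internal-utils": "2.0.1",
                          "example-archived-lib": "0.0.3"}},
    "node_modules/left-pad": {
        "version": "1.3.0",
        "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
        "integrity": "sha512-constructedHashA=="},
    "node_modules/@acme/internal-utils": {
        # An internal package that should only ever come from the private registry.
        "version": "2.0.1",
        "resolved": "https://registry.npmjs.org/@acme/internal-utils/-/internal-utils-2.0.1.tgz",
        "integrity": "sha512-constructedHashB=="},
    "node_modules/example-archived-lib": {
        # Placeholder for an archived project: no integrity field at all.
        "version": "0.0.3",
        "resolved": "https://registry.npmjs.org/example-archived-lib/-/example-archived-lib-0.0.3.tgz"},
}})

def audit_lockfile(lock_text, private_scopes, private_registry_host, archived_names):
    """Return (package, reason) findings for dependency-confusion risk.

    private_scopes: npm scopes (e.g. "@acme") that must resolve only from
    private_registry_host; archived_names: packages known to be unmaintained.
    """
    lock = json.loads(lock_text)
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":          # root entry describes the project itself
            continue
        name = path.split("node_modules/")[-1]   # handles nested node_modules
        host = urlparse(entry.get("resolved", "")).netloc
        scope = name.split("/")[0] if name.startswith("@") else None
        if scope in private_scopes and host != private_registry_host:
            findings.append((name, f"private-scope package resolved from {host or 'unknown'}"))
        if "integrity" not in entry:
            findings.append((name, "no integrity hash; a substituted tarball would go unnoticed"))
        if name in archived_names:
            findings.append((name, "depends on an archived/unmaintained project"))
    return findings

if __name__ == "__main__":
    for pkg, why in audit_lockfile(SAMPLE_LOCK, {"@acme"}, "npm.internal.example",
                                   {"example-archived-lib"}):
        print(f"{pkg}: {why}")
```

Run against a real package-lock.json, the same three checks give a quick first pass before a fuller review of pinned versions and registry configuration.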

The U.S. is offering a reward of up to US$10 million for the location of four Iranians who allegedly hacked American government departments, defence contractors and two New York-based companies. An indictment naming the four was released Tuesday. The attacks allegedly took place between 2016 and 2021. In one case the group compromised more than 200,000 employee records of an organization.

Separately, the U.S. is imposing visa restrictions on 13 people involved with or family members of developers or sellers of commercial spyware. This is part of a promised crack-down on the misuse of commercial spyware announced in February.

Microsoft has published new research about the tool used by a Russian gang that has been exploiting a vulnerability in the Windows Print Spooler service. The threat actor is called Forest Blizzard, Strontium and APT28 by various researchers. The tool used to exploit the vulnerability is called GooseEgg. Security teams may find the background report useful in defending their environments. This hole was discovered and patched in 2022, but the gang may have been using it since 2019.

University of Calgary computer science professor Ken Barker has been named scientific director of Canada’s National Cybersecurity Consortium. He has held the position in an interim role for the past 12 months. The coalition works with the public and private sectors to encourage cybersecurity education and innovation in higher education and businesses. The consortium is currently funding 20 research projects, ranging from finding ways to better protect critical infrastructure to supporting a master’s degree in cybersecurity management.

Finally, a week from today will be World Password Day. So start thinking about whether your passwords are safe. Make sure your passwords — or better, passphrases — are at least 14 characters long and include a number, a capital letter and a symbol. Use a password manager to keep track of them. That way you aren’t tempted to create a simple password that can be guessed. And IT managers should set up multifactor authentication for employees to guard against a hacker guessing or cracking passwords. Think about this: it will take 22 hours in a brute-force attack to crack an eight-character password made up of only lower-case letters. That’s according to a new calculation by Hive Systems. Twenty-two hours might deter a threat actor who wants fast results. It might not. However, the analysis assumes an organization stores the password using the latest protection algorithms. If not, a brute-force attack will crack any password faster. A 14-character password with a mix of upper- and lower-case letters, a number and a symbol would take 805 billion years to crack in a brute-force attack. Even if it was made up of only lower-case letters, it would take 766 years to crack. Passwords should never be common words like ‘elephant’ or ‘Susan’ — or ‘Susan123’ — but a phrase with two or more words that can’t be guessed. And never use the same password on different sites. This advice, of course, applies to home computers as well.

Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.

The post Cyber Security Today, April 24, 2024 – Good news/bad news in Mandiant report, UnitedHealth admits paying a ransomware gang, and more first appeared on IT World Canada.