BCID mitigates the risk of consumers being harmed by fraud and bad actors by vetting to deliver a trusted, branded call experience for consumers.

Source: Andrey Suslov via Alamy Stock Photo

NEWS BRIEF

In an effort to convince consumers that it's safe to answer their phones, root of trust provider SecureG has partnered with CTIA, a trade association that represents the wireless communications industry, on an initiative intended to deliver a secure branded call experience for businesses.

Branded Calling ID (BCID) is an industry-led, standards-based Rich Call Data project to create a secure, interoperable ecosystem in which businesses can embed information like their logos and reason for calling when they reach out to consumers by phone. BCID digital signatures are secured by SecureG's public key infrastructure (PKI) solutions. 

"No one wants to answer their phone because of all the spam and scams, and it is only getting worse now that AI-generated voices can impersonate people and businesses," said Todd Warble, CTO of SecureG, in a statement. BCID has a secure-by-design foundation that enables consumers to trust the authenticity of the brands and intentions of the caller, Warble said.

To secure the caller's brand identity, SecureG provides high-assurance operations of the CTIA Secure Telephone Identity Certification Authority (CTIA STI-CA), Intermediate Certification Authority, and the Certificate Repository. The SecureG trust anchors, secured in hardened concrete bunkers, give BDIC the ability to authenticate participants to sign calls. The BCID system is designed to work across networks and mobile phones, and enterprise customers pay only for branded calls that are confirmed delivered. 

BCID allows businesses to brand their calls while preventing scammers and spammers from gaining access to NCID signing certificate. BCID is designed to work seamlessly across networks and mobile phones, so enterprise businesses can deliver trusted, branded calls to their consumers.

The initiative is aimed at reducing the risk of fraud and spam calls from bad actors who impersonate real businesses. A recent survey found that three-quarters of respondents would answer a call if the caller was authenticated by a name, logo, or reason for the call, the company said in a statement. BCID mitigates the risk of consumers being harmed by fraud and bad actors by vetting to deliver a trusted, branded call experience for consumers.

**About the Author**

Contributing Writer

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

SecureG, CTIA Project Secures Business Phone Calls

Organizations that rely on their content delivery network provider for Web application firewall services may be inadvertently leaving themselves open to attack.

Source: ArtemisDiana via Shutterstock

Many organizations using Web application firewall (WAF) services from content delivery network (CDN) providers may be inadvertently leaving their back-end servers open to direct attacks over the Internet because of a common configuration error.

The problem is so pervasive that it affects nearly 40% of Fortune 100 companies leveraging their CDN providers for WAF services, according to researchers at Zafran who studied the cause and scope of the problem recently. Among the organizations that the researchers found susceptible to attacks included recognizable brands, including Chase, Visa, Intel, Berkshire Hathaway, and UnitedHealth.

**Pervasive Issue**

WAFs act as intermediaries between users and Web applications. They inspect traffic for a range of threats and block or filter anything deemed suspicious or matching known patterns of malicious activity. Many organizations have deployed WAFs in recent years to protect Web applications against vulnerabilities they haven't had time to patch.

Organizations have multiple options for deploying WAFs, including on-premises in the form of physical or virtual appliances. There are also cloud- and host-based WAFs.

In total, Zafran found some 2,028 domains belonging to 135 companies among the Fortune 1000 that contain at least one supposedly WAF-protected server that an attacker could directly access over the Internet to launch denial-of-service (DoS) attacks, distribute ransomware, and execute other malicious activities.

"The responsibility \[for\] the misconfiguration lies primarily \[with\] the customers of CDN/WAF providers," says Ben Seri, chief technology officer of Zafran. But CDN providers who offer WAF services share some responsibility as well for failing to offer customers proper risk avoidance measures and for not building their networks and services to circumvent misconfigurations in the first place, he says. 

The problem, as Seri explains it, has to do with organizations not adequately validating Web requests to back-end origin servers that host the actual content, applications, or data that users are trying to access.

**A Failure to Follow Best Practices**

With a CDN-integrated WAF service, the CDN provider — like a Cloudflare or an Akamai — provides the WAF as part of its edge infrastructure. All incoming traffic to an organization's Web applications is routed through the CDN's WAF — a reverse proxy server within the vendor's edge network. The reverse proxy identifies which back-end server or resource a particular Web request is intended for and then routes it there in an encrypted fashion. "This means that when a CDN service is used as a WAF, the web application it protects is open to Internet traffic and is expected to validate that it responds only to web traffic that originates from and by the CDN service," according to the Zafran blog post.

If the customer is using best practices, the IP address of the back-end server is something that only the customer and CDN provider would know. CDN providers also recommend that organizations add IP filtering mechanisms to ensure that only requests from the CDN provider's IP address range are permitted access to back-end servers. Other recommendations include using pre-shared digital secrets known only to the CDN provider and the back-end server as a validation mechanism, and using what is known as mutual TLS authentication to validate both the origin server and the CDN provider's proxy server.

These measures are effective in protecting back-end servers when implemented correctly. But what Zafran discovered was that many organizations have not adopted any of these recommended validation precautions, thereby leaving back-end servers directly accessible over the Internet. "It is a lack of validation in Web applications that are designed to be protected by a CDN/WAF that leaves them open to all Internet traffic," Seri says. "It is like having a private S3 bucket left open to the Internet as a public bucket. Only in this case, it is protected Web applications that are left open to the Internet, instead of allowing only inbound traffic from the CDN provider."

**Easy to Find**

Exacerbating the situation is the fact that the IP addresses of enterprise origin services are not as private as many assume, Zafran's researchers found. The security vendor pointed to certificate transparency (CT) logs as one example of a relatively easy place for attackers and researchers to discover all domains belonging to a specific organization. CT logs provide a publicly accessible record of all SSL/TLS certificates that certificate authorities issue to website operators and are meant to improve trust and accountability around certificate issuance. Unfortunately, they also provide a starting point for attackers to gather detailed information on all the domains and subdomains belonging to an organization, including those associated with critical back-end servers and services.

"The issue was discovered to be extremely widespread," Seri says. "From a random sample of Internet servers that were designed to be protected by Cloudflare, 13% were found to suffer from this misconfiguration. This means that, potentially, 13% of all domains protected by Cloudflare can be directly attacked." Unfortunately, CDN/WAF providers require the cooperation of their customers, who control their own load balancers and Web applications, to mitigate this threat, he adds. Zafran is contacting affected companies as well as impacted CDN/WAF providers to help them quickly identify the full extent of this misconfiguration and address it, Seri says.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Misconfigured WAFs Heighten DoS, Breach Risks

PRESS RELEASE

NEW YORK, Dec. 3, 2024 /PRNewswire/ -- BigID, a data security, privacy, compliance, and AI data management company, today announced the launch of Data Activity Monitoring. BigID empowers organizations to proactively identify risks, respond faster to potential threats, and help strengthen regulatory compliance. BigID's Data Activity Monitoring helps organizations manage the risk of data breaches and strengthens their overall security posture by alerting on potential insider risk, unauthorized access, and data misuse.

Unlike traditional Data Detection & Response (DDR) tools that are limited to sensitive data discovery and policy violations, BigID's Data Activity Monitoring goes further by tracking data access activity. With insights into who is accessing data, when, how, and what they're doing with it, Data Activity Monitoring enhances the contextual intelligence needed for comprehensive data security and proactive breach prevention.

Key Benefits of BigID's Data Activity Monitoring:

*   Enhanced Security Decision-Making: Get contextual, data-driven insights for more accurate decisions on access control, retention, and remediation.
    
*   Proactive Risk & Access Management: Monitor activity around sensitive data to identify unnecessary permissions, over-permissioned users, and potential insider threats before breaches occur.
    
*   Streamlined Compliance & Auditing: Generate detailed audit trails that help meet regulatory requirements, simplifying compliance and enhancing data governance.
    
*   Efficient Security Investigations: Gather contextual insights into data access patterns, enabling faster investigations and accurate remediation.
    
*   Improved Data Ownership Accountability: Track user interactions with data to clarify ownership and facilitate efficient delegation of security tasks.
    

"With Data Activity Monitoring, we're redefining the level of control and visibility organizations have over their data," said Dimitri Sirota, CEO of BigID. "Our customers need to be able to not only have visibility into their sensitive data but also understand how it's accessed and used, and enact controls around it. BigID's Data Activity Monitoring goes beyond detection, providing near real-time insights necessary to help prevent data breaches, support compliance, and empower security teams to make informed decisions."

To learn more: 

About BigID

BigID empowers organizations to know their enterprise data and take action for data-centric security, privacy, compliance, AI innovation, and governance. Customers deploy BigID to proactively discover, manage, protect, and get more value from their regulated, sensitive, and personal data across their data landscape.

BigID has earned numerous accolades, including being highlighted as CRN's top 100 security companies two years in a row in 2024 and 2023, a finalist in CRN's 2024 Tech Innovator Awards, recognized as the most innovative security company of the year for its AI data security in the 2024 Globee Awards, and named as a "Market Leader Data Security Posture Management (DSPM)" in the 2023 Global InfoSec Awards. Additionally, BigID's impressive growth earned it a spot on the 2024 Deloitte 500 for the fourth consecutive year, one of CNBC's Top 25 Startups for the Enterprise, named to the Forbes Cloud 100, and recognized on the 2024 Inc. 5000 for the fourth consecutive year.

You May Also Like

BigID Releases Data Activity Monitoring to Extend DDR, Detect Malicious Actors, and Strengthen Data Security Posture

PRESS RELEASE

TAMPA BAY, Fla., Dec. 3, 2024 /PRNewswire/ -- KnowBe4, the world-renowned cybersecurity platform that comprehensively addresses human risk management, today released its Q3 2024 Phishing Report. This quarter's findings reveal the most frequently clicked email subjects in simulated phishing tests, demonstrating the continued efficacy of HR and IT-related phishing attempts.

KnowBe4's Q3 2024 Phishing Report reveals that HR and IT-related phishing emails claim a significant 48.6% share of top-clicked phishing types globally. Despite evolving techniques by bad actors, phishing emails remain among the most prevalent tools for executing cyberattacks. KnowBe4's 2024 Phishing by Industry Benchmarking Report reveals that about one in three users is susceptible to interacting with malicious links or fraudulent requests. Exploiting this vulnerability, cybercriminals craft deceptively authentic phishing emails that align with current trends, exploiting human emotions to invoke urgency and trick recipients into clicking malicious links or opening harmful attachments.

The report spotlights the ongoing threat posed by email-embedded phishing links, which continue to be the top attack vector of choice. These malicious links, PDF attachments and spoofed domains, when interacted with, often result in disastrous cyberattacks, including ransomware attacks and business email compromise. The report also reveals a surge in phishing campaigns leveraging QR codes. Popular QR code phishing subjects include HR reminders for policy reviews, DocuSign emails to sign an urgent document, and Zoom meeting invitations. These messages, often masquerading as communication from HR, colleagues or external vendors, pose substantial risks as they can easily be replicated by malicious actors.

"Our latest phishing report underscores the evolving sophistication of phishing tactics, with cybercriminals increasingly exploiting the trust employees place in internal communications," said Stu Sjouwerman, CEO of KnowBe4. "The prevalence of HR and IT-themed phishing attempts, coupled with emerging techniques like QR code integration, presents a complex threat landscape. These tactics are particularly deceptive as they leverage the perceived legitimacy of trusted sources, often prompting hasty actions before verification. In this rapidly changing environment, a well-trained workforce and a robust security culture are not just beneficial—they are essential. By prioritizing human risk management, organizations can effectively build a formidable defense against avoidable cyberthreats."

To download a copy of the Q3 2024 KnowBe4 Phishing Report infographic, visit here.

About KnowBe4 

KnowBe4 empowers workforces to make smarter security decisions every day. Trusted by over 70,000 organizations worldwide, KnowBe4 helps to strengthen security culture and manage human risk. KnowBe4 offers a comprehensive AI-driven 'best-of-suite' platform for Human Risk Management, creating an adaptive defense layer that fortifies user behavior against the latest cybersecurity threats. The HRM+ platform includes modules for awareness & compliance training, cloud email security, real-time coaching, crowdsourced anti-phishing, AI Defense Agents, and more. As the only global security platform of its kind, KnowBe4 utilizes personalized and relevant cybersecurity protection content, tools and techniques to mobilize workforces to transform from the largest attack surface to an organization's biggest asset.

You May Also Like

KnowBe4 Releases the Latest Phishing Trends in Q3 2024 Phishing Report

A change in ownership and what it means for our readers.

Source: Informa TechTarget

Dear Reader,

Today, Informa Tech, the company behind Dark Reading, is combining with TechTarget's technology websites and Industry Dive's award-winning industry publications to create a new company: Informa TechTarget.

Our editorial footprint is greatly expanding. The combined Informa TechTarget newsroom features many of the most trusted publications in B2B media, over 300 world-class business journalists, and in-depth coverage across 30+ technology segments and 45+ industry verticals. In 2025 alone, we expect to produce over 60,000 stories that provide essential information for our readers across many markets. 

For more information, you can read the company's press release and check out our combined portfolio of publications.

Our commitment to you remains the same here at Dark Reading. Our group of highly experienced cybersecurity journalists will continue to independently report on the most notable developments, innovations, and disruptions in our industry. Whether navigating new technologies, cyber threats and vulnerabilities, regulations, or market dynamics, you need insight you can trust to make smart decisions and navigate the evolving cybersecurity business landscape. Readers who come to Dark Reading can expect reliable industry information they can't get anywhere else. 

Thank you for reading — and stay tuned for more vital coverage and resources as we continue to grow.

Kelly Jackson Higgins

Editor-in-Chief, Dark Reading

**About the Author**

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Note From the Editor-in-Chief

Cisco encourages users to update to an unaffected version of its Adaptive Security Appliance (ASA) software since there are no workarounds for the 2014 vulnerability.

Source: Kristoffer Tripplaar via Alamy Stock Photo

NEWS BRIEF

Cisco is warning customers of a security vulnerability impacting its Adaptive Security Appliance (ASA) that is actively being exploited by threat actors.

The bug, tracked as CVE-2014-2120 and a decade old, involves insufficient input validation in ASA's WebVPN login page, through which an unauthenticated remote attacker could enact a cross-site scripting (XSS) attack.

In 2014, Cisco noted that "the vulnerability is due to insufficient input validation of a parameter," adding that an attacker could exploit the vulnerability by convincing the user to click on a malicious link.

Cisco now reports it became aware of in-the-wild exploitation attempts in November 2024 and recommends that customers upgrade to a fixed software release to mitigate the vulnerability. There are no workarounds for this flaw.

"Exploiting decade-old vulnerabilities like the ASA WebVPN bug underscores a persistent challenge in cybersecurity, that legacy vulnerabilities often remain unaddressed due to the sheer volume of security issues organizations face today," Meny Har, CEO and co-founder of Opus Security, said in an emailed statement to Dark Reading. "Without effective prioritization frameworks, critical vulnerabilities can slip through the cracks."

Decade-Old Cisco Vulnerability Under Active Exploit

Too much access and privilege, plus a host of unsafe cyber practices, plague most workplaces, and the introduction of tools like GenAI will only make things worse.

Source: Yuri Arcurs via Alamy Stock Photo

NEWS BRIEF

A survey of more than 14,000 employees across a variety of industries shows that employee behaviors when it comes to sensitive data often put organizations at risk.

The findings show that 80% of those surveyed access workplace applications from personal devices that lack necessary security controls. In addition, privileged access extends beyond IT admins, and 40% of respondents habitually download customer data. A third of respondents are able to alter sensitive data without controls, and roughly 30% can approve large financial transactions on their own.

In addition to this, the CyberArk study found that employees often practice bad cybersecurity habits. About half (49%) of respondents admitted to reusing the same login credentials for multiple work applications, while 36% use the same credentials for both work and personal applications; about 65% copped to bypassing cybersecurity policies for personal ease. All of these practices heighten the risk of organizations falling victim to leaks and data breaches.

The security firm warned that such behaviors will only continue with the growing use of on-the-rise tools, such as artificial intelligence, which are increasingly being introduced into the workplace. Roughly 72% of employees use AI tools, which can pose a threat when sensitive data is inputted into them — a likely scenario as 38% of employees only sometimes, if ever, adhere to guidelines dictating the handling of sensitive data when it comes to AI.

Cyber-Unsafe Employees Increasingly Put Orgs at Risk

A novel backdoor malware and a loader that customizes payload names for each victim have been added to the threat group's cybercriminal tool set.

Source: Photo Spirit via Shutterstock

A known threat actor in the malware-as-a-service (MaaS) business known as "Venom Spider" continues to expand capabilities for cybercriminals who use its platform, with a novel backdoor and loader detected in two separate attacks in a recent two-month period.

Researchers at Zscaler ThreatLabz uncovered campaigns between August and October of this year that leveraged a backdoor called called RevC2, as well as a loader called Venom Loader, in attacks that use known MaaS tools from Venom Spider (aka Golden Chickens), according to a blog post published Dec. 2.

RevC2 uses WebSockets to communicate with its command-and-control (C2) server and can steal cookies and passwords, proxy network traffic, and enable remote code execution (RCE). Venom Loader meanwhile uses the victim's computer name to encode payloads, thus customizing them for each victim as an extra personalization tactic.

Venom Spider is a threat actor known for offering various MaaS tools such as VenomLNK, TerraLoader, TerraStealer, and TerraCryptor that are widely used by groups such as FIN6 and Cobalt for cyberattacks. In fact, FIN6 was seen leveraging Venom Spider's MaaS platform in October, in a spear-phishing campaign spreading a novel backdoor dubbed "more\_eggs" capable of executing secondary malware payloads.

Related:Ransomware's Grip on Healthcare

**Even "More\_Eggs"**

That platform apparently has been enhanced yet again, this time with two new malware families observed in recent phishing campaigns. RevC2, observed by researchers in a campaign that occurred from August to September, used an API documentation lure to deliver the novel payload.

The attack began with with a VenomLNK file that contains an obfuscated batch (BAT) script that when executed downloads a PNG image from the website hxxp://gdrive\[.\]rest:8080/api/API.png. The PNG image aims to lure the victim with a document that is titled "APFX Media API Documentation."

Upon execution, RevC2 used two checks for specific system criteria and then executed only if they both pass, to ensure it's launched as part of an attack chain, and not in analysis environments such as sandboxes.

Once launched, the backdoor's capabilities include the ability to: communicate with the C2 using a C++ library called "websocketpp"; steal passwords and cookies from Chromium browsers; take screenshots of the victim's system; proxy network data using the SOCK5 protocol; and execute commands as a different user using the stolen credentials.

A second campaign occurring between September and October used a cryptocurrency lure to deliver Venom Loader, which in turn spread a JavaScript backdoor providing RCE capabilities that the researchers dubbed "More\_eggs lite." The malware is so-named because it has fewer capabilities than the previously discovered "more\_eggs," ThreatLabz security researcher Muhammed Irfan V A noted in the post.

Related:2 UK Hospitals Targeted in Separate Cyberattacks

"Although it is a JS backdoor delivered via VenomLNK, the variant only includes the capability to perform RCE," he wrote.

One notable feature of Venom Loader is that the DLL file it used in the observed campaign is custom built for each victim and is used to load the next stage, according to ThreatLabz.

The loader is downloaded from :hxxp://170.75.168\[.\]151/%computername%/aaa, "where the  %computername% value is an environment variable which contains the computer name of the system," Irfan V A wrote.

Venom Loader then uses %computername% as the hardcoded XOR key to encode its stages of attack, which in this case executes the More\_eggs lite backdoor for attackers to carry out RCE.

**MaaS Capabilities Expected to Expand**

ThreatLabz believes that the new malware included in Venom Spider's MaaS platform "are early versions, and expect more features and anti-analysis techniques to be added in the future," Irfan V A wrote.

Zscaler detected the malware using both a sandbox and its cloud security platform, which detected the following threat-name indictors related to the campaign: LNK.Downloader.VenomLNK; Win32.Backdoor.RevC2; and Win32.Downloader.VenomLoader.

Related:Incident Response Playbooks: Are You Prepared?

Zscaler also is providing a Python script that emulates RevC2's WebSocket server on its GitHub repository as well as included a long list of indicators of compromise (IoCs) in the blog post so defenders can check their respective organization's systems for evidence of the malware.         

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Venom Spider Spins Web of New Malware for MaaS Platform

Until C-level executives fully understand potential threats and implement effective mitigation strategies, healthcare organizations will remain vulnerable and at risk of disruption.

Source: Olekcii Mach via Alamy Stock Photo

COMMENTARY

Ransomware attacks keep increasing day to day, and healthcare systems are one of the prime targets. Despite ongoing efforts to patch vulnerabilities, the problem persists. Patching, long considered a cornerstone of cybersecurity defense, is no longer enough. The consequences of the attack for healthcare organizations go far beyond reputational and financial damage — they are a matter of patients' lives.

The reason is that all healthcare organizations are treasures of highly critical information: Medical records, personal information, and financial details all command a high price in the black market. What's more important, healthcare services cannot afford any downtime, and because these systems need to be online and working at all times, victims usually pay the ransom.

The growing sophistication of ransomware, combined with the complex IT environments in healthcare, means that traditional defenses like patching fall short. Meanwhile, attackers are finding a way to expose the open gaps that patching alone cannot close, even with regular updates.

**The Patching Problem**

Many believe patching is a line of defense that stops ransomware in its tracks, but patching has gradually reached its threshold of limitations. Most healthcare IT systems are amalgamating old legacy technology, critical life-supporting medical devices, and modern infrastructure, making it very difficult to implement patching. For instance, most medical devices run operating systems that are no longer supported by vendors. Patching is very risk-prone and might involve downtime, which affects patient service.

Patching covers only the known vulnerabilities. On the other side, ransomware attackers are increasingly leveraging zero-day vulnerabilities, those that have not yet been discovered, or do not have any patch available for them. Even fully patched systems can be vulnerable to such an attack, leaving the organization at risk for ransomware.

Then, we need to think about a lateral movement problem. Once inside a network, ransomware can easily cross over into unpatched or misconfigured systems. One more factor in the case of ransomware attacks is that there are no more single-entry points; the attackers simply use stolen credentials and/or unprotected routes of access to move across the network, infecting multiple systems and amplifying resultant damage.

**Expanding the Scope of Defense**

With such challenges, health organizations really do need to rethink their approach toward ransomware defense; patching, though necessary, represents only one piece of a much larger jigsaw puzzle.

The first recommended strategy is implementing advanced threat protection (ATP) solutions to provide an extra layer of security. These utilities use artificial intelligence and machine learning to detect suspicious activities and block ransomware before they actually cause serious damage. Instead of waiting for a patch that will fix a vulnerability, ATP systems can detect emergent threats in real-time, offering a proactive approach to defense.

Segmentation of a network can prevent ransomware from spreading; this is where healthcare organizations isolate the network into smaller segments. This is important, as once a part of the network is compromised, then the rest of it will always be safe. This is a very crucial tactic in containing ransomware and limiting its damage.

Phishing remains one of the most common methods for deploying ransomware, and healthcare staff are often targeted. Training employees to recognize phishing attempts, combined with multifactor authentication (MFA), adds an essential layer of protection. Even if attackers manage to steal credentials, MFA can stop them from gaining access to critical systems.

Incident response planning is also essential. Organizations need to be prepared for the worst-case scenario. Regularly updated backups, stored separately from the main network, are important for recovery after an attack. These backups ensure that healthcare services can be restored without paying a ransom. These plans should be tested periodically to make sure they work when needed most.

**Healthcare Can't Afford to Ignore the Need for a Broader Defense**

Ransomware is not just a technical issue; it's most definitely a business problem that no healthcare organization can afford to dismiss. Recent high-profile attacks have proved how vulnerable the providers of healthcare are; while patching remains an essential process, it only forms one part of the much larger total solution.

Security in healthcare must go beyond patching and involve a more strategic approach. This can be shown by the ever-increasing pressure placed by regulatory bodies, such as DHHS, to even further restrict cybersecurity guidelines for providers. Patch management falls under compliance, but it seems obvious that a more encompassing proactive approach to security must be enacted if patient data and operations are to be secured.

Healthcare leaders need to take this into consideration and invest a larger focus on enterprise-wide risk management. Until C-level executives fully understand potential threats and implement effective mitigation strategies, healthcare organizations will remain vulnerable and at risk of disruption.

**About the Author**

Lead Security Engineer, C4HCO

Claudio Gallo is a lead security engineer of the Colorado Marketplace Exchange, dedicated to protecting critical information in the healthcare and insurance industries. With expertise in application security, cloud architecture, and compliance, Claudio designs innovative strategies to safeguard sensitive data and ensure trust in important services. Passionate about making a meaningful difference, he is equally committed to mentoring aspiring professionals in the information security industry, sharing knowledge, and fostering the next generation of cybersecurity talent.

Ransomware's Grip on Healthcare

Websites these days know everything about you — even some details you might not realize. Hackers can take advantage of that with a sharp-toothed attack that exploits Europe's GDPR-mandated data portability rules.

Source: Design Pics Inc Alamy Stock Photo

Researchers are warning that an otherwise positive European data regulation has introduced massive risks to individuals and the companies they work for.

Ever since the passage of the General Data Protection Regulation (GDPR), Internet users in Europe — and in many places around the world following suit — have been able to download the entirety of the data that websites save about them. Besides the obvious benefits to privacy and transparency, the idea was portability: Anyone could take the data one site possessed about them and transfer it to another.

In a new blog post, CyberArk highlights a theoretical yet severe cost to this new right to data portability. Before the rule, everyone's most sensitive data was protected behind brick walls at ultrasecure data centers. Now that users can retrieve that data via a cloud-based mechanism, hackers can access their accounts and steal it all. Considering the extent of the data that websites collect about us today, the possibilities for malfeasance are endless.

"It's my legal right, and it's perfectly fine that I'm capable \[of seeing\] what information is being kept about me," says Lior Yakim, threat researcher at CyberArk Labs, who dubs the attack "White FAANG," since the vulnerable data could be exported from services provided by major tech companies like Facebook, Amazon, Apple, Netflix, and Google (FAANG).

Related:'Bootkitty' First Bootloader to Take Aim at Linux

However, he warns, "Because it's so easy to get all of that highly intrusive information — together with the fact that people use the same devices for corporate and personal purposes — there's a major risk."

**The Data Sites Have on You**

Companies hoard gobs of sensitive information, especially the largest technology companies most central to our online lives. They possess everything from our most sensitive personally identifying information (PII) to the long histories of our online activity. But even the most jaded Internet users might be surprised just how deep this hole goes.

Meta, for example, records not only your documented Facebook activity, but also plenty of undocumented data, like what posts you viewed, and exactly how long you viewed them.

Google, likewise, saves not only your entire search history, but even searches you typed but didn't ultimately execute.

GDPR's well-intentioned data portability regulations forced companies to make all of this information exportable at the click of a button, in a machine-readable format. And what's stopping a hacker in possession of your account from doing just that? "The most common protection is, indeed, multifactor authentication (MFA). But as we know, MFA can be bypassed," Yakim notes.

Related:China's Cyber Offensives Built in Lockstep With Private Firms, Academia

**The Risks to Individuals and Corporations**

With export data, there is no limit to what an attacker can do. They can use your Google search history to blackmail you, your GPS data from Meta to find where you live, and your Apple calendar history to know where you've been and where you'll be, to say nothing of the endless possibilities for cyberattacks.

Beyond all that, there's the risk to employers. Individual accounts can house all kinds of data that pertains to, or can otherwise be used to attack the companies they work for.

Again, the scenarios are limitless. With an Apple export, for example, a hacker could take the MAC address associated with an employee's unpatched AirPods, spoof a Bluetooth connection, exploit CVE-2024-27867 to gain access to them, then listen in on corporate meetings. Or, Yakim suggests, they can leverage information like the operating system version of the employee's mobile phone. "If I know, for example, that the mobile device of the employee is not up to date, I can search for specific, known vulnerabilities in order to target this employee," he says.

And there are far simpler, more present dangers than that. CyberArk surveyed 14,000 employees, finding that around 63% use personal accounts on their work computers, and 80% access work applications from their personal computers. Thanks to this comingling, work passwords tend to end up stored in far less secure personal accounts, from which they can be exported. This was how Cisco got breached in 2022, and Okta in 2023, a case that affected every one of its customers as well.

Related:VISO TRUST Secures $24M to Accelerate Innovation in AI-Powered Third-Party Risk Management

To prevent that from happening, employees need to draw a clear line in the sand between their business and pleasure online. "Personal accounts are less secure than corporate accounts," Yakim says. "That's the message that we're trying to deliver here."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Source

DARKReading