Nope is a JavaScript validator. Versions 0.11.3 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). This vulnerability is fixed in 0.12.1.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-3phv-83cj-p8p7: nope-validator Regular Expression Denial of Service vulnerability

SafeBreach Labs unveils ‘Windows Downdate,’ a new attack method which compromises Windows 11 by downgrading system components, and…

SafeBreach Labs unveils ‘Windows Downdate,’ a new attack method which compromises Windows 11 by downgrading system components, and reviving old/ptched vulnerabilities like the DSE bypass.

In a recent research, SafeBreach Labs researcher Alon Leviev exposed a new attack technique that could compromise the security of fully patched Windows 11 systems. This technique, dubbed Windows Downdate, involves manipulating the Windows Update process to downgrade critical system components, effectively resurrecting previously patched vulnerabilities. 

The attack was initially reported in August 2024 at Black Hat USA 2024 and DEF CON 32. Researchers have now published additional details to enhance public understanding of the attack.

One such vulnerability is the “ItsNotASecurityBoundary” Driver Signature Enforcement (DSE) bypass, which allows attackers to load unsigned kernel drivers. This bypass allows attackers to replace a verified security catalogue with a malicious version, enabling the loading of unsigned kernel drivers.

According to SafeBreach’s blog post shared with Hackread.com ahead of publishing on Saturday, by leveraging Windows Downdate, attackers can target specific components, such as the “ci.dll” module essential for parsing security catalogues, and downgrade them to a vulnerable state, enabling the exploitation of this bypass and gaining kernel-level privileges. 

For your information, the “ItsNotASecurityBoundary” DSE bypass is part of a new class of flaws called False File Immutability (FFI), exploiting incorrect assumptions about file immutability, allowing “immutable” files to be modified by clearing the system’s working set. 

Leviev outlines the steps to exploit vulnerabilities in Windows systems with different levels of Virtualization-Based Security (VBS) protection. They identified multiple ways of disabling VBS key features, including features like Credential Guard and Hypervisor-Protected Code integrity (HVCI), even with UEFI locks for the first time. 

> _“To my knowledge, this is the first time VBS’s UEFI locks have been bypassed without physical access. As a result, I was able to make a fully patched Windows machine susceptible to past vulnerabilities, turning fixed vulnerabilities unfixed and making the term “fully patched” meaningless on any Windows machine in the world.”_
> 
> Alon Leviev

To exploit a system without UEFI lock, an attacker must disable VBS by modifying registry settings. Once disabled, they can downgrade the ci.dll module to a vulnerable version and exploit the “ItsNotASecurityBoundary” vulnerability.

For systems with UEFI lock, the attacker must invalidate the SecureKernel.exe file to bypass VBS protection. However, VBS with UEFI Lock and “Mandatory” Flag” was the securest configuration, preventing VBS from being disabled even if the lock is bypassed. Researchers explain that currently there is no known way to exploit a system with this level of protection without physical access.

Nevertheless, this Windows Update takeover capability poses a major threat to organizations by allowing attackers to load unsigned kernel drivers, enable custom rootkits to neutralize security controls, hide processes, and maintain stealth. 

Attackers can craft custom downgrades for critical OS components, including DLLs, drivers, and even the NT kernel. By downgrading these components, the attacker can expose previously patched vulnerabilities, making the system susceptible to exploitation.

To mitigate the risks, organizations should keep systems up-to-date with the latest security patches to address vulnerabilities. It is essential to deploy robust endpoint detection and response (EDR) solutions to detect and respond to malicious activity, including downgrade attempts, and implement strong network security measures to prevent unauthorized access and data breaches. In addition, enabling VBS with UEFI lock and the “Mandatory” flag can provide additional protection against attacks.

1.  Decade-Old Linux Flaw Exploited for DDoS Attacks on CUPS
2.  7-Year-Old Pre-Installed Google Pixel App Flaw Puts Millions at Risk
3.  7-Year-Old 0-Day in Microsoft Office Exploited to Drop Cobalt Strike
4.  Windows SmartScreen Flaw Open Data Theft in Major Stealer Attack
5.  Black Hat USA: AWS Bucket Monopoly Flaw Led to Account Takeover

New Attack Lets Hackers Downgrade Windows to Exploit Patched Flaws

Plus: Apple offers $1 million to hack its AI cloud infrastructure, Iranian hackers successfully peddle stolen Trump campaign docs, Russia hacks the nation of Georgia, and a “cyberattack” that wasn’t.

The Chinese spy operation adds to the growing sense of a melee of foreign digital interference in the election, which has already included Iranian hackers’ attempt to hack and leak emails from the Trump campaign—with limited success—and Russia-linked disinformation efforts across social media.

**Apple Releases Security Research Tools for Private Cloud Compute**

Ahead of the full launch next week of Apple’s AI platform, Apple Intelligence, the company debuted tools this week for security researchers to evaluate its cloud infrastructure known as Private Cloud Compute. Apple has gone to great lengths to engineer a secure and private AI cloud platform, and this week’s release includes extensive detailed technical documentation of its security features as well as a research environment that is already available in the macOS Sequoia 15.1 beta release. The testing features allow researchers (or anyone) to download and evaluate the actual version of PCC software that Apple is running in the cloud at a given time. The company tells WIRED that the only modifications to the software relate to optimizing it to run in the virtual machine for the research environment. Apple also released the PCC source code and said that as part of its bug bounty program, vulnerabilities that researchers discover in PCC will be eligible for a maximum bounty payout of up to $1 million.

**Iranian Hackers Found Takers for Their Stolen Trump Emails**

Over the summer, Politico, The New York Times, and The Washington Post each revealed that they’d been approached by a source offering hacked Trump campaign emails—a source whom the US Justice Department says was working on behalf of the Iranian government. The news outlets all refused to publish or report on those stolen materials. Now it appears that Iran’s hackers did eventually find outlets outside the mainstream media that were willing to release those emails. American Muckrakers, a PAC run by a Democratic operative, did publish the documents after soliciting them in a public post on X, writing, “Send it to us and we'll get it out.”

American Muckrakers then published internal Trump campaign communications about North Carolina Republican gubernatorial candidate Mark Robinson and Florida Republican representative Anna Paulina Luna, as well as material that seemed to suggest a financial arrangement between Donald Trump and Robert F. Kennedy Jr., the third-party candidate who dropped out of the race and endorsed Trump. Independent journalist Ken Klippenstein also received and published some of the hacked material, including a research profile on Trump running mate and US senator J.D. Vance that the campaign assembled when assessing him for the role. Klippenstein subsequently received a visit from the FBI, he’s said, warning him that the documents were shared as part of a foreign influence campaign. Klippenstein has defended his position, arguing that the media should not serve as "gatekeeper of what the public should know.”

**Russian Cyberspies Hacked the Entire Nation of Georgia**

As Russia has both waged war and cyberwar against Ukraine, it’s also carried out a vast campaign of hacking against another neighbor to the West with whom it’s long had a fraught relationship: Georgia. Bloomberg this week revealed ahead of the Georgian election how Russia systematically penetrated the smaller country’s infrastructure and government in a yearslong series of digital intrusion operations. From 2017 to 2020, for instance, Russia’s military intelligence agency, the GRU, hacked Georgia’s Central Election Commission (just as it did in Ukraine in 2014), multiple media organizations, and IT systems at the country’s national railway company—all in addition to the attack on Georgian TV stations that the NSA pinned on the GRU’s Sandworm unit in 2020. Meanwhile, hackers known as Turla, working for the Kremlin’s KGB successor the FSB, broke into Georgia’s Foreign Ministry and stole gigabytes of officials’ emails over months. According to Bloomberg, Russia’s hacking efforts weren’t limited to espionage, but also appeared to include preparing for disruption of Georgian infrastructure like the electric grid and oil companies in the event of an escalating conflict.

**This May Be the Worst-Ever Headline About a “Cyberattack”**

For years, cybersecurity professionals have argued about what constitutes a cyberattack. An intrusion designed to destroy data, cause disruption, or sabotage infrastructure? Yes, that’s a cyberattack. A hacker breach to steal data? No. A hack-and-leak operation or an espionage mission with a disruptive clean-up phase? Probably not, but there’s room for debate. The Jerusalem Post this week, however, achieved perhaps the clearest-cut example of calling something a cyberattack—in a headline no less—that is very clearly not: disinformation on social media. The so-called “Hezbollah cyberattack” that the news outlet reported was a collection of photos of Israeli hospitals posted by “hackers” identifying as Hezbollah supporters that suggested weapons and cash were stored underneath them and that they should be attacked. The posts seemingly came in response to the Israeli Defense Forces’ repeating similar claims about hospitals in Gaza that the IDF has bombed, as well as another more recently in Lebanon’s capital city of Beirut.

“These are NOT CYBERATTACKS,” security researcher Lukasz Olejnik, the author of the books _The Philosophy of Cybersecurity_ and _Propaganda_, wrote next to a screenshot of the Jerusalem Post headline on X. “Posting images to social media is not hacking. Such a bad take.”

Chinese Hackers Target Trump Campaign via Verizon Breach

The infamous cryptojacking group known as TeamTNT appears to be readying for a new large-scale campaign targeting cloud-native environments for mining cryptocurrencies and renting out breached servers to third-parties.
"The group is currently targeting exposed Docker daemons to deploy Sliver malware, a cyber worm, and cryptominers, using compromised servers and Docker Hub as the infrastructure

Cloud Security / Cryptocurrency

The infamous cryptojacking group known as TeamTNT appears to be readying for a new large-scale campaign targeting cloud-native environments for mining cryptocurrencies and renting out breached servers to third-parties.

"The group is currently targeting exposed Docker daemons to deploy Sliver malware, a cyber worm, and cryptominers, using compromised servers and Docker Hub as the infrastructure to spread their malware," Assaf Morag, director of threat intelligence at cloud security firm Aqua, said in a report published Friday.

The attack activity is once again a testament to the threat actor's persistence and its ability to evolve its tactics and mounting multi-stage assaults with the goal of compromising Docker environments and enlisting them into a Docker Swarm.

Besides using Docker Hub to host and distribute their malicious payloads, TeamTNT has been observed offering the victims' computational power to other parties for illicit cryptocurrency mining, diversifying its monetization strategy.

Rumblings of the attack campaign emerged earlier this month when Datadog disclosed malicious attempts to corral infected Docker instances into a Docker Swarm, alluding it could be the work of TeamTNT, while also stopping short of making a formal attribution. But the full extent of the operation hasn't been clear, until now.

Morag told The Hacker News that Datadog "found the infrastructure in a very early stage" and that their discovery "forced the threat actor to change the campaign a bit."

The attacks entail identifying unauthenticated and exposed Docker API endpoints using masscan and ZGrab and using them for cryptominer deployment and selling the compromised infrastructure to others on a mining rental platform called Mining Rig Rentals, effectively offloading the job of having to manage them themselves, a sign of the maturation of the illicit business model.

Specifically, this is carried out by means of an attack script that scans for Docker daemons on ports 2375, 2376, 4243, and 4244 across nearly 16.7 million IP addresses. It subsequently deploys a container running an Alpine Linux image with malicious commands.

The image, retrieved from a compromised Docker Hub account ("nmlm99") under their control, also executes an initial shell script named the Docker Gatling Gun ("TDGGinit.sh") to launch post-exploitation activities.

One notable change observed by Aqua is the shift away from the Tsunami backdoor to the open-source Sliver command-and-control (C2) framework for remotely commandeering the infected servers.

"Additionally, TeamTNT continues to use their established naming conventions, such as Chimaera, TDGG, and bioset (for C2 operations), which reinforces the idea that this is a classic TeamTNT campaign," Morag said.

"In this campaign TeamTNT is also using anondns (AnonDNS or Anonymous DNS is a concept or service designed to provide anonymity and privacy when resolving DNS queries), in order to point to their web server."

The findings come as Trend Micro shed light on a new campaign that involved a targeted brute-force attack against an unnamed customer to deliver the Prometei crypto mining botnet.

"Prometei spreads in the system by exploiting vulnerabilities in Remote Desktop Protocol (RDP) and Server Message Block (SMB)," the company said, highlighting the threat actor's efforts on setting up persistence, evading security tools, and gaining deeper access to an organization's network through credential dumping and lateral movement.

"The affected machines connect to a mining pool server which can be used to mine cryptocurrencies (Monero) on compromised machines without the victim's knowledge."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Notorious Hacker Group TeamTNT Launches New Cloud Attacks for Crypto Mining

Four members of the now-defunct REvil ransomware operation have been sentenced to several years in prison in Russia, marking one of the rare instances where cybercriminals from the country have been convicted of hacking and money laundering charges.
Russian news publication Kommersant reported that a court in St. Petersburg found Artem Zaets, Alexei Malozemov, Daniil Puzyrevsky, and Ruslan

Four members of the now-defunct REvil ransomware operation have been sentenced to several years in prison in Russia, marking one of the rare instances where cybercriminals from the country have been convicted of hacking and money laundering charges.

Russian news publication Kommersant reported that a court in St. Petersburg found Artem Zaets, Alexei Malozemov, Daniil Puzyrevsky, and Ruslan Khansvyarov guilty of illegal circulation of means of payment. Puzyrevsky and Khansvyarov have also been found guilty of using and distributing malware.

To that end, Zaets and Malozemov were sentenced to 4.5 and 5 years in prison. Khansvyarov and Puzyrevsky received a jail term of 5.5 and 6 years, respectively.

The four individuals are part of a group of 14 people who were initially detained in connection with the case. As reported by TASS back in January 2022, eight of them were charged by the court for their malicious activities.

The remaining four members, Andrei Bessonov, Mikhail Golovachuk, Roman Muromsky, and Dmitry Korotaev, are being prosecuted under a new criminal case related to unlawful access to computer information, Kommersant added.

REvil, which was once one of the most prolific ransomware groups, was dismantled after Russia's Federal Security Service (FSB) announced arrests against several members in an unprecedented takedown.

Earlier this year, a 24-year-old Ukrainian national named Yaroslav Vasinskyi was sentenced to 13 years in prison in the U.S. and ordered to pay $16 million in restitution for carrying out more than 2,500 REvil ransomware attacks and demanding ransom payments to the tune of more than $700 million.

The sentencing of REvil members in Russia also comes a month after authorities in the country opened an investigation into Cryptex and UAPS, both of which were sanctioned by the U.S. for offering money laundering services to cybercriminals.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Four REvil Ransomware Members Sentenced in Rare Russian Cybercrime Convictions

An issue was found in funadmin 5.0.2. The selectfiles method in `\backend\controller\sys\Attachh.php` directly stores the passed parameters and values into the param parameter without filtering, resulting in Cross Site Scripting (XSS).

GHSA-j9wp-x5q5-xh2f: Funadmin Cross-site Scripting vulnerability

funadmin 5.0.2 is vulnerable to SQL Injection via the parentField parameter in the index method of \backend\controller\auth\Auth.php.

**SQL injection in funadmin**

High severity GitHub Reviewed Published Oct 25, 2024 to the GitHub Advisory Database • Updated Oct 25, 2024

GHSA-2mv8-jjm5-f3hr: SQL injection in funadmin

The networking company found liable for illegally gathering user data for targeted advertising by the Irish Data Protection Commission.

Source: Iain Masterton via Alamy Stock Photo

LinkedIn earned itself a €310 million ($335 million) fine by European Union regulators on Oct. 24 for its violations of the General Data Protection Regulation (GDPR) data privacy rules.

Ireland's Data Protection Commission (DPC) cited concerns regarding the lawfulness, fairness, and transparency of personal data processing for the professional networking site's advertising purposes.

As LinkedIn's lead privacy regulator, the DPC reported that it carried out an investigation and found that LinkedIn did not have lawful basis to be compiling data to target its users with ads, ultimately breaching GDPR. This investigation was launched following a complaint initially made by the French Data Protection Authority.

"The inquiry examined LinkedIn's processing of personal data for the purposes of behavioural analysis and targeted advertising of users who have created LinkedIn profiles (members)," according to a DPC press release. "The decision includes a reprimand, an order for LinkedIn to bring its processing into compliance, and administrative fines totalling €310 million."

LinkedIn asserts that it believes it has been in compliance with the rules but acknowledges that it will work to ensure its ad practices meet the requirements.

**About the Author**

LinkedIn Hit With $335M Fine for Data Privacy Violations

Kremlin intelligence carried out a wide-scale phishing campaign in contrast to its usual, more targeted operations.

Source: Design Pics Inc via Alamy Stock Photo

Russia's premiere advanced persistent threat group has been phishing thousands of targets in militaries, public authorities, and enterprises.

APT29 (aka Midnight Blizzard, Nobelium, Cozy Bear) is arguably the world's most notorious threat actor. An arm of the Russian Federation's Foreign Intelligence Service (SVR), it's best known for the historic breaches of SolarWinds and the Democratic National Committee (DNC). Lately, it has breached Microsoft's codebase and political targets across Europe, Africa, and beyond.

"APT29 embodies the 'persistent' part of 'advanced persistent threat,'" says Satnam Narang, senior staff research engineer at Tenable. "It has persistently targeted organizations in the United States and Europe for years, utilizing various techniques, including spear-phishing and exploitation of vulnerabilities to gain initial access and elevate privileges. Its modus operandi is the collection of foreign intelligence, as well as maintaining persistence in compromised organizations in order to conduct future operations."

Along these same lines, the Computer Emergency Response Team of Ukraine (CERT-UA) recently discovered APT29 phishing Windows credentials from government, military, and private sector targets in Ukraine. And after comparing notes with authorities in other countries, CERT-UA found that the campaign was actually spread across "a wide geography."

That APT29 would go after sensitive credentials from geopolitically prominent and diverse organizations is no surprise, Narang notes, though he adds that "the one thing that does kind of stray from the path would be its broad targeting, versus \[its typical more\] narrowly focused attacks."

**AWS and Microsoft**

The campaign, which dates back to August, was carried out using malicious domain names designed to seem like they were associated with Amazon Web Services (AWS). The emails sent from these domains pretended to advise recipients on how to integrate AWS with Microsoft services, and how to implement zero trust architecture.

Despite the masquerade, AWS itself reported that the attackers weren't after Amazon, or its customers' AWS credentials.

What APT29 really wanted was revealed in the attachments to those emails: configuration files for Remote Desktop, Microsoft's application for implementing the Remote Desktop Protocol (RDP). RDP is a popular tool that legitimate users and hackers alike use to operate computers remotely.

"Normally, attackers will try to brute force their way into your system or exploit vulnerabilities, then have RDP configured. In this case, they're basically saying: 'We want to establish that connection \[upfront\],'" Narang says.

Launching one of these malicious attachments would have immediately triggered an outgoing RDP connection to an APT29 server. But that wasn't all: The files also contained a number of other malicious parameters, such that when a connection was made, the attacker was given access to the target computer's storage, clipboard, audio devices, network resources, printers, communication (COM) ports, and more, with the added ability to run custom malicious scripts.

**Block RDP**

APT29 may not have used any legitimate AWS domains, but Amazon still managed to interrupt the campaign by seizing the group's malicious copycats.

For potential victims, CERT-UA recommends strict precautions: not just monitoring network logs for connections to IP addresses tied to APT29 but also analyzing all outgoing connections to all IP addresses on the wider Web through the end of the month.

And for organizations at risk in the future, Narang offers simpler advice. "First and foremost, don't allow RDP files to be received. You can block them at your email gateway. That's going to kneecap this whole thing," he says.

AWS declined to provide further comment for this story. Dark Reading has also reached out to Microsoft for its perspective.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Russia's APT29 Mimics AWS Domains to Steal Windows Credentials

Eight months after the breach occurred, Change Healthcare has finally sent out millions of notices of compromised data to affected individuals.

Source: Jim West via Alamy Stock Photo

For the first time since being breached, United Healthcare has admitted to the number of individuals affected by the Change Healthcare ransomware attack — a staggering 100 million people.

The incident occurred in February, yet Change Healthcare didn't send out a notification warning to those impacted until June. In May, Andrew Witty, CEO of UnitedHealth, hinted at the massive scale of the breach, estimating that it was possible a third of all American health data had been compromised in the ransomware attack.

The breach has caused wave after wave of issues and prompted numerous calls for action regarding the state of cybersecurity in the healthcare sector. The ransomware attack was perpetrated at the hands of BlackCat/ALPHV, which Change Healthcare ultimately decided to pay off in order to get its systems back up and running. 

But the breaches didn't stop there. The company faced yet another attack, this time at the hands of RansomHub, which demanded a payment for the 4TB of data it stole, most of it medical records and financial data belonging to US military personnel. RansomHub has threatened to sell the sensitive information to the highest bidder.

After testifying in Congress in May, Change Healthcare revealed it had paid $22 million in ransom to the attackers who compromised its systems in February. It also revealed that the attackers were able to use previously compromised credentials to get into Change Healthcare’s system, which was not protected with multifactor authentication (MFA). Overall, the revelations in the hearing pointed to a lack of security maturity, leading to easy access for the attackers and a breach that caused delays in healthcare services.

"UnitedHealth is a very large, very complex entity from a systems point of view, and the regulatory framework is equally large and complex — considering all the variables and processes involved — the time frame for confirmation seems within reason," Dan Ortega, security strategist at Anomali, wrote in an emailed statement. "However, this doesn't mean that it's acceptable from an operational efficiency or public safety standpoint."

For the 100 million Americans affected by this breach who have received notice of their compromised data, their information that was stolen includes health insurance data; health information such as medical records, prescriptions, test results, images, diagnoses, and more; billing, claims, and financial and banking information; and Social Security numbers, driver's license information, and passport numbers.

Tag

#auth