The breach was carried out with stolen Citrix credentials for an account that lacked multifactor authentication. Attackers went undetected for days, and Change's backup strategy failed.

Source: STANCA SANDA via Alamy Stock Photo

UnitedHealth's Change Healthcare subsidiary paid $22 million in ransom to the attackers who broke into its systems in February, according to Congressional testimony today. And it revealed that the scope of the breach could be much larger than anyone imagined — even as it remains unclear whether the ransom payment secured the data from being used in follow-on attacks.

UnitedHealth's CEO Andrew Witty testified before the US House Energy and Commerce Committee today after weeks of disruption at the nation's largest health insurer, during which a series of concerning revelations about the breach came to light.

**Poor Security: Stolen Credentials, No MFA**

For instance, the BlackCat/ALPHV ransomware affiliate hackers who broke into Change in February didn't have to work very hard to achieve success. According to the testimony, they were able to use previously compromised credentials to log into Change's Citrix platform, possibly obtained via an initial access broker — and that account wasn't protected with multifactor authentication (MFA).

Also, the attack was discovered when BlackCat deployed ransomware on Feb. 23, but the attackers actually had unfettered access to the environment for more than a week before that, indicating a woefully lacking intrusion detection apparatus.

“On February 12, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops," according to Witty's prepared testimony, released ahead of the hearing. "The portal did not have multifactor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later."

In his oral testimony, Witty also spilled additional details that, when added to the unchanged Citrix credentials (it's evident that the company doesn't have processes in place to track compromised credentials that may be part of prior breaches) and lack of MFA, point to an overall lack of security maturity. For instance, the company has had to perform a complete rebuild on its systems, even after decrypting files; and its backups weren't sequestered with network segmentation or infrastructure gapping, so the attackers were able to lock those up too, blocking any recovery path from the initial attack.

"This attack exemplifies ... why it is important to have controls in place to regularly review access entitlements. Compromised credentials or not, the attackers were able to leverage an account that gave them access to carry out their attack," said Piyush Pandey, CEO at Pathlock, in an emailed statement. "In this case, MFA could have been an effective gate to the proliferation of this attack. The additional layers of security would make the breach more challenging ... in a broader view, this is a great example of the importance of layering technologies and processes, such as MFA, combined with strong application access controls and data security technologies, such as data masking, which can help mitigate widespread data breaches."

**Impact on Data Security for PII, PHI Unclear**

Also in the oral testimony today, Witty confirmed that the adversaries made off with a large amount of personally identifiable information (PII) and personal health information (PHI). While Witty didn't talk hard numbers, the data in question "could cover a substantial proportion of people in America," he said. He did not address whether the data is still at risk.

To put that comment into perspective, "Change Healthcare processes roughly 15 billion healthcare transactions annually, and a third of Americans' patient records pass through its digital doors," Sen. Ron Wyden (D-Ore.) noted in a statement ahead of the hearing.

The senator added, "Change specializes in moving patient data from doctor's office to doctor's office, or to and from your insurance company. That means medical bills that are chock full of sensitive diagnoses, treatments, and medical histories that reveal everything from abortions to mental health disorders to diagnosis of cancer to sexually transmitted infections. Military personnel are included in this data."

Wyden also warned that the breach could end up being a clear national security threat.

"I don't think it's a stretch \[that\] the impact here rivals the 2015 hack of government personnel data from the Office of Personnel Management, which the FBI called a 'treasure trove' of counterintelligence information for foreign intelligence services," he said.

**UnitedHealth's Next Steps Unknown**

UnitedHealth is the nation's largest insurer and the fifth largest company in the US, with $324 billion in revenue and housing data on 152 million individuals. The breach is easily the largest cyber incident to ever affect the healthcare landscape. But it's unclear what's next for Change and UnitedHealth; Wyden pointed out that existing regulations, such as they are, carry only "slap on the wrist" enforcement actions. The companies also haven't detailed how or when they plan to improve their cyber defense postures (UnitedHealth has no cybersecurity executive on its board).

Meanwhile, in the weeks since the breach was made public, the company has seen copycat activity from the RansomHub cybercrime outfit, and because the incident wreaked havoc across the healthcare supply chain, the Department of Health & Human Services responded with a policy game plan to address cyber-risk at insurers (though it still does not require healthcare orgs to meet minimum cybersecurity standards). It is almost certain that there will be additional developments in the saga going forward.

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

UnitedHealth Congressional Testimony Reveals Rampant Security Fails

PRESS RELEASE

Intel 471, a global provider of cyber threat intelligence (CTI) solutions, today announced that the company acquired Cyborg Security, founded in 2019, to provide organizations with advanced threat hunting capabilities and expertise. With this acquisition, Intel 471 is setting the standard for intelligence-led threat hunting by cementing CTI as a key requirement to enable accurate hunts and proper measurements for operational success, ensuring return on investment for customers’ threat hunt programs. 

“We are excited to add Cyborg Security’s innovative platform and approach to threat hunting to our solution portfolio," said Jason Passwaters, CEO and Co-Founder of Intel 471. “Our customers have grown to rely upon Intel 471’s expertise to unlock the power of cyber threat intelligence and support all aspects of their business. This acquisition is a natural extension of our leadership by including advanced behavioral threat hunting packages that are fully customized to the client’s environment. Customers will benefit from the HUNTER Platform fueled by our premier cyber threat intelligence to streamline the hunt process, improve their team’s efficiency, and stay ahead of emerging threats.”

The convergence of CTI and threat hunting practices across the cybersecurity industry is evidenced by the rapid adoption of complementary use cases, defined methodologies, and a growing trend to integrate the two within the same organizational construct and budget. Economic buyers and practitioners alike increasingly recognize the need for intelligence-led threat hunting as a core component of their overall cybersecurity program. Intel 471 is well-positioned to meet these emerging security requirements with the merging of Cyborg Security and its innovative Hunter Platform into its solution portfolio.

“Intel 471 is a company that embraces the same values as Cyborg Security. Our organizations were built by practitioners – threat hunters, threat intelligence analysts, and security researchers who appreciate the importance of defending the threat landscape,” said David Amsler, CEO and Founder of Cyborg Security. “Threat hunting requires continuous monitoring of the threat landscape, which includes ever-evolving cyber adversary behaviors, TTPs and targeted technologies, as observed across various phases of the attack lifecycle. Intel 471’s CTI prowess and data contextualization deliver those relevant and timely insights. Together, our capabilities provide enterprises the tools and systems to deliver best-in-class threat hunting.”

For more information, please visit: https://intel471.com/

About Intel 471

Intel 471 empowers enterprises, government agencies, and other organizations to win the cybersecurity war using near-real-time insights into the latest malicious actors, relationships, threat patterns, and imminent attacks relevant to their businesses. The company's TITAN platform collects, interprets, structures, and validates human-led, automation-enhanced results. Clients across the globe leverage this threat intelligence with our proprietary framework to map the criminal underground, zero in on key activity, and align their resources and reporting to business requirements. Intel 471 serves as a trusted advisor to security teams, offering ongoing trend analysis and supporting your use of the platform. Learn more at https://intel471.com/.

You May Also Like

Intel 471 Acquires Cyborg Security

By Deeba Ahmed
Uncover the "Muddling Meerkat," a China-linked threat actor manipulating the DNS. Infoblox research reveals a sophisticated group with deep DNS expertise and potential ties to the Great Firewall. Learn their tactics and how to stay protected.
This is a post from HackRead.com Read the original post: Muddling Meerkat Group Suspected of Espionage via Great Firewall of China

Infoblox, a provider of cloud networking and security solutions, has discovered a highly skilled Chinse State threat actor known as “Muddling Meerkat.” This actor appears to be able to control the Great Firewall of China (GFW), a previously undisclosed phenomenon.

This group operates through the Domain Name System (DNS), a critical internet infrastructure component. In a joint research involving undisclosed security vendors, threat researchers, an independent non-profit corporation, Merit Network, and DomainTools, researchers revealed that Muddling Meerkat operates through the Domain Name System (DNS), a critical internet infrastructure component, and has remained under the radar since 2019.

“Muddling Meerkat operations are complex and demonstrate that the actor has a strong  
understanding of DNS, as well as internet savvy” Infoblox’s Threat Intelligence Team wrote in the report.

For your information, Meerkat is a mongoose species known for its cleverness, persistence, and ferocity despite its small size. Muddling Meerkat activity is characterized by its “popping up and down” over time and location, similar to meerkats from their burrows.

Here’s what makes Muddling Meerkat unique:

1.  **DNS Expertise:** Their operations demonstrate a deep understanding of DNS, uncommon among most threat actors. This highlights the growing weaponization of DNS for malicious purposes.
2.  **Great Firewall Control:** Muddling Meerkat manipulates China’s Great Firewall (GFW), the system controlling internet access within China. This ability to influence a national-level infrastructure raises serious concerns.
3.  **False MX Records:** A key tactic involves generating false MX (mail exchange) records from Chinese IP addresses for specific domains. This behaviour has never been observed before and suggests a direct connection with the GFW operators.
4.  **Global Reach:** Muddling Meerkat leverages open DNS resolvers worldwide, creating a vast network to conduct their activities, potentially for reconnaissance or laying the groundwork for future attacks.
5.  **Unclear Motive:** While the ultimate goal remains unclear, Infoblox experts suggest it could be information gathering or setting the stage for a large-scale DNS denial-of-service (DDoS) attack.

This research validates the threat posed by the Chinese Communist Party (CCP) to the US’s critical infrastructure. The FBI calls CCP a “broad and unrelenting” hybrid threat involving crime, counterintelligence, and cybersecurity. 

According to FBI Director Christopher Wray, this threat is “driven by the CCP’s aspirations to wealth and power,” adding that the PRC wants to “seize economic development in the areas most critical to tomorrow’s economy.” 

Muddling Meerkat is a skilled actor, demonstrating their sophistication in DNS-based attacks and ability to manipulate the Great Firewall. Implementing advanced DNS security measures is crucial to understand and defend against this evolving threat.

1.  Why are Google and Facebook banned in China?
2.  Great Firewall of China at Work, Apple News Blocked
3.  Chinese Man Who Sold VPNs Gets 9 Months Prison Sentence
4.  ‘Great Cannon’ of China Blocks Websites Like No One Else Can
5.  Chinese Great Cannon resurfaces against Hong Kong protestors
6.  Cyberattacks Surge 325% in Philippines Amid South China Sea Standoff

Muddling Meerkat Group Suspected of Espionage via Great Firewall of China

Talos also recently helped to responsibly disclose and patch other vulnerabilities in the Foxit PDF Reader and two open-source libraries that support the processing and handling of DICOM files.

Wednesday, May 1, 2024 12:00

Cisco Talos’ Vulnerability Research team has disclosed more than a dozen vulnerabilities over the past three weeks, five in a device that allows employees to check in and out of their shifts, and another that exists in an open-source library used in medical device imaging files. 

The Peplink Smart Reader contains several vulnerabilities, including one issue that could allow an adversary to obtain the administrator’s login credentials and the MD5-hashed version of their password. 

Talos also recently helped to responsibly disclose and patch other vulnerabilities in the Foxit PDF Reader and two open-source libraries that support the processing and handling of DICOM files. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**Code execution, information disclosure vulnerabilities in Peplink Smart Reader **

_Discovered by Matt Wiseman._ 

The Peplink Smart Reader is an internet-connected device associated with the PepXIM Time-Logging and Security System. Companies’ employees use this device to check in and out of their shifts, allowing administrators to keep track of time cards and pay. It also can control access to certain buildings, and even public transportation. 

There are two information disclosure vulnerabilities, TALOS-2023-1863 (CVE-2023-43491) and TALOS-2023-1865 (CVE-2023-45209), that are triggered if an adversary sends a specially crafted HTTP message to the targeted device.  

If successful, the attacker could eventually view the active administrator’s username and MD5-hased password. And in the case of TALOS-2023-1865, it goes a step further, potentially allowing the adversary to view wireless network credentials, network configuration details and SNMP configuration details. 

With those credentials (or admin credentials obtained by other means), an adversary could exploit TALOS-2023-1868 (CVE-2023-40146), a privilege escalation vulnerability in the Smart Reader. An adversary could execute a specially crafted command line argument to cause a limited-shell escape and execute unblocked, default busybox functionality to eventually gain access to an uninhibited root shell. 

TALOS-2023-1866 (CVE-2023-45744) is also triggered by a specially crafted HTTP request, but in this case, could allow an adversary to manipulate certain configuration settings on the device. 

The most serious of the issues Talos discovered in the Smart Reader is TALOS-2023-1867 (CVE-2023-39367), a command injection vulnerability that could allow an attacker to execute arbitrary commands. This vulnerability has a 9.1 CVSS score out of 10. An authenticated attacker can leverage this vulnerability to execute arbitrary commands on the device with root privileges and elevate their access to the vulnerable system. 

**Silicon Labs Gecko Platform invalid pointer dereference vulnerability **

_Discovered by Kelly Patterson._ 

An invalid pointer dereference vulnerability exists in the HTTP server header parsing functionality of the Silicon Labs Gecko Platform.  

The Gecko Platform SDK is the collection of Silicon Labs’ wireless software development kits and Gecko Platform into an integrated package. It allows users to develop applications inside Silicon Labs’ internet-of-things software ecosystem. 

TALOS-2024-1945 (CVE-2023-51391) is triggered if an adversary sends the target a specially crafted network packet, which could lead to a denial-of-service condition. 

_Discovered by Emmanuel Tacheau._ 

There is an incorrect type conversion vulnerability in OFFIS DCMTK, an open-source library often used to manage, store and convert DICOM files. DICOM is the commonly used file type to transfer, send and store medical imaging files, such as X-rays and ultrasounds.  

Hospitals and companies use DCMTK for various purposes, ranging from product testing to being a building block for research projects, prototypes and commercial products. 

TALOS-2024-1957 (CVE-2024-28130) could allow an adversary to execute arbitrary code on the targeted machine if they trick the user into opening a specially crafted file.  

_Discovered by Emmanuel Tacheau._ 

Another open-source library for handling DICOM files, Grassroots DiCoM, contains three out-of-bounds writer vulnerabilities.  

TALOS-2024-1944 (CVE-2024-25569) and TALOS-2024-1935 (CVE-2024-22373) can be triggered if an adversary tricks the target into opening a specially crafted, malicious DICOM file, eventually allowing them to read out-of-bounds memory. 

TALOS-2024-1924 (CVE-2024-22391) works in the same way, but in this case, causes a heap-based buffer overflow, leading to memory corruption.  

**Three vulnerabilities in Foxit PDF Reader could lead to arbitrary code execution **

_Discovered by KPC._ 

Three vulnerabilities exist in Foxit PDF Reader that could allow an adversary to execute arbitrary code on the targeted machine. 

Foxit PDF Reader is one of the most popular pieces of PDF-reading software currently available and aims to have feature parity with Adobe Acrobat Reader. It also includes a browser plugin to allow users to open files in their web browsers.  

TALOS-2024-1959 (CVE-2024-25648) and TALOS-2024-1958 (CVE-2024-25938) are use-after-free vulnerabilities that can be triggered if an attacker tricks a user into opening a malicious, specially crafted PDF. This could also work if the user has the browser plugin enabled and the adversary tricks them into opening an attacker-controlled webpage. These vulnerabilities could lead to a use-after-free issue, potentially leading to memory corruption and arbitrary code execution. 

There is also a type confusion vulnerability, TALOS-2024-1963 (CVE-2024-25575), that could also lead to memory corruption and arbitrary code execution.

Vulnerabilities in employee management system could lead to remote code execution, login credential theft

Red Hat Security Advisory 2024-2583-03 - An update for linux-firmware is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2583.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: linux-firmware security updateAdvisory ID:        RHSA-2024:2583-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2583Issue date:         2024-04-30Revision:           03CVE Names:          CVE-2022-46329====================================================================Summary: An update for linux-firmware is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The linux-firmware packages contain all of the firmware files that are required by various devices to operate.Security Fix(es):* hw: intel: Protection mechanism failure for some Intel(R) PROSet/Wireless WiFi (CVE-2022-46329)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2022-46329References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2238961

Red Hat Security Advisory 2024-2583-03

Red Hat Security Advisory 2024-2582-03 - An update for kernel is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include a use-after-free vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2582.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: kernel security and bug fix update  
Advisory ID:        RHSA-2024:2582-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:2582  
Issue date:         2024-04-30  
Revision:           03  
CVE Names:          CVE-2021-46915  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: use-after-free in l2cap_sock_release in net/bluetooth/l2cap_sock.c (CVE-2023-40283)

* kernel: mlxsw: spectrum_acl_tcam: Fix stack corruption (CVE-2024-26586)

* kernel: netfilter: divide error in nft_limit_init (CVE-2021-46915)

* kernel: sched/membarrier: reduce the ability to hammer on sys_membarrier (CVE-2024-26602)

Bug Fix(es):

* kernel: use-after-free in l2cap_sock_release in net/bluetooth/l2cap_sock.c (JIRA:RHEL-18996)

* rbd: don't move requests to the running list on errors [8.x] (JIRA:RHEL-24201)

* TRIAGE CVE-2021-46915 kernel: netfilter: divide error in nft_limit_init (JIRA:RHEL-28179)

* [RHEL 8.4] Soft Lockups from BZ-2174623 hit on RHEL 8.4 (JIRA:RHEL-16035)

* kernel: sched/membarrier: reduce the ability to hammer on sys_membarrier (JIRA:RHEL-26386)

* kernel: mlxsw: spectrum_acl_tcam: Fix stack corruption (JIRA:RHEL-29181)

* Intel i40e driver performance issue (JIRA:RHEL-30402)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2021-46915

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2231800  
https://bugzilla.redhat.com/show_bug.cgi?id=2265645  
https://bugzilla.redhat.com/show_bug.cgi?id=2266423  
https://bugzilla.redhat.com/show_bug.cgi?id=2267695

Red Hat Security Advisory 2024-2582-03

With mergers and acquisitions making a comeback, organizations need to be sure they safeguard their digital assets before, during, and after.

Source: Cagkan Sayin via Alamy Stock Photo

COMMENTARY

Mergers and acquisitions (M&A) activity is making a much-anticipated comeback, soaring in the US by 130% — to the tune of $288 billion. Around the world, M&As are up 56%, to $453 billion, according to data from Dealogic.

When two companies are combined, a vast amount of sensitive data and information is exchanged between them, including financial records, customer information, and intellectual property. Additionally, different types of software and hardware often need to be integrated, which can create security vulnerabilities for cybercriminals to exploit.

Cybersecurity is critical to protect and safeguard the integrity of confidential data and can make or break an M&A deal. Having worked across a range of industries in my career, from banking and finance to healthcare, technology, and government, I've witnessed firsthand the cybersecurity challenges associated with managing M&As. Each M&A transaction I've been involved with has been far more complex than initially envisioned and took longer than anticipated to complete. This is especially true when it comes to integrating the technology stack.

**Understanding Cybersecurity in M&A**

Merging with or acquiring a company with a poor cybersecurity posture makes it much easier for cybercriminals to launch an attack. A data breach not only carries severe financial consequences, including legal fees and financial penalties, it also can be extremely damaging to an organization's reputation.

Without effective prevention and mitigation of cyber-risks, organizations could lose the trust of customers, partners, and investors, jeopardizing the deal. This is why cybersecurity must be a key consideration right from the beginning of the M&A lifecycle — not after it has happened. Regulators are also ramping up scrutiny of M&A deals and issuing significant fines for non-compliance. In many states and countries, rules such as the EU's General Data Protection Regulation (GDPR) protect personal data when it is transferred between entities.

**M&A Cybersecurity Checklist**

Leveraging more than 25 years of experience in risk, governance, and cybersecurity, I've put together this checklist to help organizations safeguard their digital assets before, during, and after a merger and acquisition:

*   Conduct early due diligence. Both entities must collaborate to assess the target company's current cybersecurity practices, internal IT infrastructure, and incident history to identify any weaknesses and security vulnerabilities. They might even want to bring in external auditors and cybersecurity experts specializing in M&A transactions.
    

*   Adopt risk metrics. Before making a plan, both entities must agree on an accepted level of risk and how this risk will be measured. Standardized risk metrics ensure that risk stays within the agreed levels, facilitating communication and collaboration at all levels of leadership in the new organization.
    

*   Establish a cybersecurity team. Create a dedicated team, bringing together experts from both entities to work together on addressing and managing potential cyber-risks. This will ensure that security practices are consistent across the entire new organization.
    
*   Develop a risk mitigation strategy. Based on the early assessment, the cybersecurity team can determine what procedures, processes, and technologies must be implemented to enhance the target company's cybersecurity posture before the entities combine. This plan should also clearly outline company policies and the roles and responsibilities across both entities for managing cybersecurity.
    

*   Plan for IT integration. Security measures are essential when integrating IT systems and networks. These include reviewing and enhancing current security architecture, implementing security policies, and testing for any security vulnerabilities. Adopting new tools and technologies to safeguard data during the integration process may be necessary.
    

*   Check for third-party risks. If external vendors are involved in the M&A process, ask them to detail their processes around managing and monitoring cybersecurity risks. The assessment must ensure vendor practices align with the target company's cybersecurity standards.
    

*   Establish identity and access governance and management. Implement strong controls so only authorized people can access sensitive information, digital assets, data, or systems — with different access levels depending on roles and responsibilities. This will help prevent or minimize hacking, fraud, internal data breaches, and human error.
    

*   Create an incident response plan. If a data breach occurs, organizations need a plan to minimize disruption to the business. It's essential to back up critical databases and store them off of the network to ensure data can still be accessed. The incident response plan should be printed out or distributed among staff so everyone knows what to do during a cyberattack.
    

*   Ensure ongoing monitoring. Cybersecurity doesn't end when the deal closes, and the post-M&A period can be a particularly vulnerable time for companies — so it's essential to be vigilant. That's why organizations need mechanisms for continuous 24/7 monitoring of systems and networks and real-time threat detection to identify security vulnerabilities and potential breaches.
    

*   Train employees. Ensure all employees of both entities involved in the merger or acquisition receive comprehensive and regular training about cybersecurity best practices. It's vital to communicate that each person can help play a part by watching out for threats and promptly reporting them. Consider conducting cybersecurity drills to prepare staff for what a cyberattack might look like.
    

**About the Author(s)**

CISO, Gathid

As the Chief Information Security Officer and an Executive Director of Gathid Ltd., Craig Davies is passionate about helping organizations strengthen access management without completely overhauling their people, processes, physical infrastructure, and technology. He has spent more than 25 years in cybersecurity, working in a number of fields, including infrastructure operations, security architecture and software, web development, and operations. As the first CEO of AustCyber, he negotiated agreements with states and territories to establish innovation notes across the country and set out a plan to make Australia a global force in the cybersecurity market.

The Cybersecurity Checklist That Could Save Your M&amp;A Deal

MOVEit drove a big chunk of the increase, but human vulnerability to social engineering and failure to patch known bugs led to a doubling of breaches since 2023, said Verizon Business.

Security bugs are having a cybercrime moment: For 2023, 14% of all data breaches started with the exploitation of a vulnerability, which is up a jaw-dropping 180%, almost triple the exploit rate of the previous year.

Let's put this in context, though. The MOVEit software breach, which wreaked supply chain havoc on companies across every sector, accounted for a large chunk of the increase in using exploits as an initial access method, and likely drove overall breach volumes up as well.

That's according to Verizon Business' 2024 Data Breach Investigations Report (DBIR), which analyzed a record 30,458 security incidents, out of which 10,626 were confirmed breaches — as a stat in itself, that's more than double the numbers from a year ago.

**Organizations Still Lack Security Maturity**

The DBIR, released today, detailed just how far patching can go in heading off a data breach. It also noted that a full 68% of the breaches Verizon Business identified involved human error — either someone clicked on a phishing email, fell for an elaborate social-engineering gambit, was convinced by a deepfake, or had misconfigured security controls, among other snafus. That's about the same percentage as last year, indicating that practitioners are not having much success when it comes to patching the human vulnerability.

In all, a picture in this year's DBIR emerges of an organizational norm where gaps in basic security defenses — including the low-hanging fruit of timely patching and effective user awareness training — continue to plague security teams, despite the rising stakes for CISOs and others that come with "experiencing a cyber incident."

"It can be a bit overwhelming for CISOs, particularly in environments where the security maturity of the organization is not as high as they would like," Suzanne Widup, distinguished engineer in threat intelligence at Verizon Business, tells Dark Reading. "But seeing organizations (large and small) still falling down in some of the basics is disheartening."

She adds, "Sometimes it takes the stakes being raised to get the attention of the appropriate people to affect change, sadly. What began with the data breach reporting laws has moved into serious consequences to company officers being codified into laws and regulations. But the bottom line is most organizations are not in business to worry about security. It has been an add-on after the fact for so long."

Other trends in the DBIR underscore the fact that teams need to address their cyber risk as a priority, and soon: A full 15% of breaches in the past year came from the supply chain, including issues with data custodians, vulnerabilities in third-party code, malicious packages in software repositories, and so on. That is an eyewatering 68% increase from 12 months previous, indicating that adversaries have copped to the fact that this is a tough area for security teams to get their arms around.

**MOVEit Moves the Cybercrime Needle**

Using the MOVEit bug was like shooting proverbial fish in a barrel — the world suddenly became a target-rich environment in the middle of last year for the Cl0p extortion gang and those cybercriminals that followed in its footsteps.

MOVEit Transfer is a managed file transfer app from Progress Software that organizations use to exchange sensitive data and large files both internally and externally. Progress claims thousands of customers for MOVEit, including major brands such as Disney, Chase, BlueCross BlueShield, Geico, and Major League Baseball.

Cl0p reportedly spent two years developing the MOVEit file transfer zero-day exploit, first discovered and disclosed on May 31, 2023, by researchers after months of surreptitious attacks. Within a week of its public debut, CVE-2023-34362 was under mass exploitation by an array of threat actors; within a month, it had been used to breach at least 160 confirmed victims, including whales like Avast parent company Gen Digital, British Airways, Siemens, and UCLA. By the end of September 2023, it was linked to breaches at 900 different universities.

This MOVEit bonanza, which accounted for 8% of the breaches in Verizon Business' data set, had a ripple effect on several metrics in the DBIR, including a finding that 32% of all breaches involved some type of extortion technique (the MOVEit attacks involved stealing information and holding it for ransom) and the bump in supply chain breaches. And the DBIR found that the spike in the use of exploits for initial access was driven primarily by the increasing frequency of zero-day vulnerabilities by ransomware actors — a category that fits MOVEit to a T.

It should be noted, however, that zero-day use was up even outside of MOVEit: "The exploitation of zero-day vulnerabilities by ransomware actors remains a persistent threat to safeguarding enterprises," said Chris Novak, senior director of cybersecurity consulting at Verizon Business, in a media statement.

And finally, 32% of breaches had an extortion or ransom element, with an average loss of $46,000 per company per incident.

**Challenges in Large-Scale Vulnerability Management**

Dovetailing with the increase in the use of bugs for initial access, Verizon Business also found that on average it takes organizations 55 days to remediate 50% of critical vulnerabilities listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

Cybercriminals are a bit more johnny-on-the-spot: The median time for how long it takes for mass exploitations of the CISA KEV to develop on the Internet is just five days.

This "n-day" gap is one that threat actors have looked to exploit for years. But given the increasingly broad resources available to track and prioritize vulnerability patches, and the high stakes that now come with suffering a data breach (i.e., new mandatory SEC disclosure rules and personal liability for the CISO), it's clear that security teams need to make a coherent effort to move the needle on this risk.

"Time to patch the critical vulnerabilities getting faster would be welcome news," says Widup. "Having a background as a system admin, though, I do understand the necessities of testing the patches on complex environments to make sure you don't break production systems and cripple the organization. But at least working on that metric would be a good place to start."

One potential answer to getting off the patch-management hamster wheel is gaining more visibility into the attack surface, she advises.

"It's a bit like the tree falling in the forest — these software vulnerabilities exist whether or not someone finds them, and if we have more people looking for them by whatever means or motives, then we see them exploited (maliciously) or submitted to bug bounty programs (as a security researcher), which just means they are coming to light then," she explains. "The real action item for security teams is to do vulnerability scanning of the software that is deployed in their environments to see if they can find and report problems before they are found by someone with malicious intentions."

She also notes that considering vulnerability rates when bringing new platforms into the environment can help close the n-day gap simply by restricting the attack surface. "\[This means\] having security standards as part of the software vendor selection process, to make sure that the vendor is cognizant of the risks to their own organization and that of their customers. It may be that the best choice of a software vendor from a risk perspective is the one that follows the \[tenets\] of Secure by Design."

The overall lack of timely patching has had a surprise halo effect, according to the report: Despite the hype around AI risks, Verizon Business found little evidence that AI-enabled cybercrime was about to deliver organizations a data-breach Waterloo.

"While the adoption of artificial intelligence to gain access to valuable corporate assets is a concern on the horizon, a failure to patch basic vulnerabilities has threat actors not needing to advance their approach," said Novak.

**Humans Still the Weakest Cyber Link**

The DBIR found one trend that saw almost no change, ready for filing under "no surprise there": Most breaches (68%) involve a "non-malicious human element" who falls for phishing, misconfigures something, or otherwise makes a mistake. In other words, it's us. The problem is us.

And we fail fast, too. It takes less than 60 seconds for a mark to fall to a phishing routine, according to Verizon Business' phishing test results. The median time to click on a malicious link after an email is opened is 21 seconds, and then only another 28 seconds before the victim is obliviously entering their data into an attacker-controlled form.

Falling for social-engineering attacks in general is costly, too: The analysis found that the median loss in the past two years for business email compromise (BEC) scams is $50,000.

There was one slight glimmer of hope in the data-crunching: One-fifth (20%) of users identified and reported phishing in simulation engagements, and 11% of users who clicked on a decoy email went on to report it.

"So we did see some improvement in people not falling for the phish in simulations, and then those who have fallen for it, at least realizing it fairly quickly and reporting it," Widup explains. "It is vital to make sure that people can easily and quickly report when they have made a mistake, and not to discourage them with punishments. It is also important to have multiple layers of controls in place so that if someone does fall for a social attack, it doesn't necessarily mean a breach."

**Supply Chain Threats Accelerate to Warp Speed**

For the first time, Verizon is specifically breaking out supply-chain breaches as its own metric, which, as previously mentioned, are up significantly in volume in the last year.

"The threat actors are definitely turning towards compromising the larger third-party software companies, and it makes a lot of sense from their perspective if you think about it," says Widup. "They can compromise one vendor, and gain access to a large number of downstream victims in the form of their customer base. If they use the same kind of processes that push code updates, like we saw with SolarWinds, they have the opportunity to push malware to those systems without having to do the work of going into each of their environments. It's definitely more bang for their buck in terms of resources and effort expended. Then they can decide which of these newly compromised systems they want to leverage for further attacks."

The DBIR defines these as breaches that occur through a third-party "custodian," such as a managed service provider (common in the MOVEit cases); entry via a business partner (i.e, the HVAC incident that led to the 2013 Target breach); physical breaches in a partner company facility or even partner vehicles used to gain entry to a target; SolarWinds and 3CX-style breaches where software development processes and updates were hijacked; and vulnerabilities in open source or third-party software.

"This metric ultimately represents a failure of community resilience and recognition of how organizations depend on each other," according to the report's authors. "Every time a choice is made on a partner (or software provider) by your organization and it fails you, this metric goes up."

They added, "We recommend that organizations start looking at ways of making better choices so as to not reward the weakest links in the chain. In a time where disclosure of breaches is becoming mandatory, we might finally have the tools and information to help measure the security effectiveness of our prospective partners."

**Time to Shore Up the Security Basics**

For companies looking to take the DBIR findings to heart and take action, the report includes CIS Critical Security Controls for consideration in the sections where they apply.

"If they haven't already, I would recommend taking a look at them and all of the CIS Critical Security Controls as well, since their recommendations are tailored to the security maturity level of the organization," advises Widup. "It's a very helpful place to go for developing a security strategy, and we'd love to see more organizations adopting this or some other formal security methodology towards making their environments more secure. We break our metrics down into organizational size, industry, and regions to help our readers determine which threats they are most likely to face, and to point them in a direction where they can get some help with deciding how to increase their ability to defend against those threats."

The DBIR's focus on real-world metrics will hopefully be a tool for security teams to use to bring the stakes into focus for business owners and the board, she adds.

"People use the DBIR metrics to bring the threat from the theoretical 'this bad thing might happen to us' into the reality of 'this is already happening to other organizations of a similar size and in the same industry, and we need to address it now,'" she explains. "Breaches are not going away anytime soon, and any organization that thinks they are flying under the radar is in for a rude awakening. It is not a matter of if. It is a matter of when."

**For more information on the DBIR and what it means for your organizations, don't miss "Anatomy of a Data Breach: What to Do If It Happens to You," a free Dark Reading virtual event scheduled for June 20. Verizon's Alex Pinto will deliver a keynote, Up Close: Real-World Data Breaches, detailing DBIR findings and more.**

Verizon DBIR: Basic Security Gaffes Underpin Bumper Crop of Breaches

As the social media giant celebrates its two-decade anniversary, privacy experts reflect on how it changed the way the world shares information.

SourceL Skorzewiak via Alamy Stock Photo

In the 20 years since then-Harvard University student Mark Zuckerberg launched Facebook, there has been a profound shift in our understanding of privacy and security in the digital age. Facebook's path to becoming a digital town square has been fraught with challenges as the company — and the rest of the world — balanced the human desire to share information with the expectation of personal privacy.

In February, Zuckerberg went before a Senate committee and made apologies to parents who blame social media for what they say was its role in their children's death by suicide or from drug overdoses. Zuckerberg has appeared before congressional committees multiple times over the years to address concerns about the platform's impact. The issue of privacy, security, and Facebook has been a long-standing lightning rod, says Martin J. Kraemer, a security awareness advocate at KnowBe4 who has a doctorate in cybersecurity.

"Facebook's fundamental purpose, centered around the systematic collection of information, naturally conflicts with privacy and data protection laws," Kraemer says.

The social media company's missteps over the years have shaped the broader discussions and regulations around data privacy. In fact, it is that tension between social connectivity and privacy rights that prompted the need for robust data protection measures, influencing the creation of significant legal frameworks, like Europe's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

The Cambridge Analytica scandal in 2016 was a watershed moment for many, as the company's decision to grant third-party entities with unethical access to user data underscored the potential for personal data to be weaponized against democratic processes. This incident, according to Kraemer, was a direct catalyst for the CCPA and marked a decisive turn in how policymakers and the public at large perceived and prioritized online privacy and data security.

"Cambridge Analytica was the first time the dangers of mass data collection and processing became a tangible reality for the public," Kraemer says.

**The 'Attention Economy': Your Data Up For Sale**

Facebook has also been a key player in the development of the "attention economy," says Justin Daniels, a faculty member at IANS Research. Its creation catalyzed a shift toward the sale of user data as a commodity sold to the highest bidder under the guise of a "free" service.

"Their algorithm, designed to keep you on the site with things that you emotionally respond to, has resulted in the following: Information is available everywhere, yet the facts prove elusive, and anyone who disagrees with you becomes your adversary," Daniels says. "Our need to have convenience above all has made privacy and security afterthoughts for too many people."

The platform's initial slow response to recognize its role in disseminating misinformation, as evidenced by Zuckerberg's later retracted comments on the 2016 election, underscores the company's significant impact, Daniels says. Resulting state laws in Texas and Florida, targeting big tech, highlight a legislative response to privacy concerns directly influenced by Facebook's actions. Facebook's long-standing stance of neutrality as mere "engineers" has also allowed misinformation to proliferate, causing harm and dividing communities, he says.

Looking ahead, Daniels foresees a challenging future for online privacy and security, particularly with the advent of AI.

"If you connect the dots, you see that we are paying the price in privacy and security for Congressional inaction on the digital economy," he says. "They basically let the private sector innovate without any rules. Since big tech business models depend on collecting personal information, they are never going to voluntarily limit themselves, as data collection is critical to their business model. They are the richest companies in human history and now have great influence. An AI black swan event will be the culmination of this lack of regulatory oversight."

**A Privacy-Free Future?**

Like Daniels, AJ Nash, VP and Distinguished Fellow of Intelligence at ZeroFox, also thinks the quest for profitability, driving platforms like Facebook to maximize user engagement, comes at the expense of user privacy. Social media companies are neither legally accountable for user content, thanks to Section 230(c)(1) of the Communications Decency Act, nor are they obligated to adhere to First Amendment principles, he notes. That means policy changes within these platforms are primarily motivated by either the pursuit of growth or forced with governmental mandates, such as GDPR.

"If the user base shrinks or engagement drops as a result of user concerns regarding censorship, mis/dis/malinformation, privacy, or security \[for example\], social media platforms will likely be motivated to address those concerns with new policies," Nash says. "Beyond that, the only motivation any private corporation — including social media platforms — has for making any policy changes will likely be when they are required to do so by a government with the authority to enforce such mandates."

And as anyone working in security knows, social media's extensive data collection practices have also become a goldmine for attackers, enabling crimes ranging from theft to influence campaigns designed to sway public opinion — underscoring the complexity of securing user data against cyber threats on social sites that are designed to be, well, social.

"I recently read that 1.4 billion social media accounts are hacked every month, showing that hackers aren't reluctant to attack users directly," Nash says. "Social media platforms can \[and do\] collect an impressive amount of information about their users, including name, age, gender, location, IP address, devices used, hobbies/interests, shopping tendencies, political views, and individual or group pattern of life analysis … the list goes on. Most \[if not all\] social media platforms have reportedly been compromised at least once."

In light of this near-constant onslaught of attacks, Nash thinks there will be a shift toward resignation and skepticism among users. The concept of privacy also will be increasingly viewed as untenable in the face of the Internet and social media's expansion, he says.

"I think we've reached a point where most people believe they've been compromised and are becoming numb to — and skeptical of — the idea that their privacy can be protected," Nash says. "The two youngest generations seem largely less concerned with privacy than their predecessors. Social media probably played a significant role in all of this. As people spent more time on these platforms over the last two decades, they have grown accustomed to the news of data leaks, while becoming more interested in the potential benefits of less privacy than the associated risks. To be frank, I think we are nearing — if not already at — the dawn of a post-privacy world."

**About the Author(s)**

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Facebook at 20: Contemplating the Cost of Privacy

President Joe Biden has updated the directives to protect US critical infrastructure against major threats, from cyberattacks to terrorism to climate change.

The Biden administration is updating the US government’s blueprint for protecting the country’s most important infrastructure from hackers, terrorists, and natural disasters.

On Tuesday, President Joe Biden signed a national security memorandum overhauling a 2013 directive that lays out how agencies work together, with private companies, and with state and local governments to improve the security of hospitals, power plants, water facilities, schools, and other critical infrastructure.

Biden’s memo, which is full of updates to the Obama-era directive and new assignments for federal agencies, arrives as the US confronts an array of serious threats to the computer systems and industrial equipment undergirding daily life. In addition to foreign government hackers and cyber criminals seeking to destabilize American society by crippling vital infrastructure, extremist groups and lone actors have plotted to sabotage these systems, and climate change is fueling natural disasters that regularly overwhelm basic services.

But foreign cyber threats loom largest as a danger in the near future. “America faces an era of strategic competition, where state actors will continue to target American critical infrastructure and tolerate or enable malicious activity conducted by nonstate actors,” Caitlin Durkovich, the deputy homeland security adviser for resilience and response, told reporters during a briefing on Monday.

The memorandum has three core purposes: to formalize the role of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) as the lead agency tasked with protecting infrastructure from bad actors and natural hazards; to improve partnerships with the private sector through faster, more comprehensive information sharing; and to lay out the groundwork for minimum cybersecurity requirements for sectors that currently lack them.

The regulatory push represents a dramatic shift from the government’s approach to infrastructure protection a decade ago. The Biden administration, having concluded that voluntary partnerships were not sufficiently reducing risks to essential services, has applied new cyber rules to the aviation, pipeline, railroad, maritime, and medical device industries, and the Department of Health and Human Services is working on security requirements for hospitals. Now, the administration plans to use the new memo to turbocharge efforts to apply rules to other sectors.

“It is important that we work together to set baseline security standards for the lifeline sectors on which the American way of life and our democracy depends,” Durkovich says.

The document tasks the government’s “Sector Risk Management Agencies,” or SRMAs—each of which oversees and assists one or more infrastructure sectors with cyber and physical security—with determining whether existing rules adequately address their industries’ vulnerabilities and, if not, crafting new rules. The memo includes a process to help agencies if they conclude that they lack “the tools or authorities necessary to ensure effective implementation of those requirements,” a senior administration official said during Monday’s briefing, speaking anonymously pursuant to the White House’s terms.

That process is designed to support agencies like the Environmental Protection Agency, which tried to issue cyber requirements for water systems in 2023 but abandoned the effort after a legal challenge from industry groups and Republican-led states.

Anticipating further industry pushback to new rules in various sectors, the White House is promising to collaborate with companies. “These requirements … need to be developed in close coordination with the owners and operators of that infrastructure to ensure they are appropriate and proportionate to the vulnerability,” the senior administration official says.

In addition to new cyber standards, the memo attempts to kickstart more harmonious and productive information-sharing relationships between government agencies and private companies. The private sector often complains that agencies either declassify information too slowly or keep it tightly restricted to only executives with security clearances. Many companies say that without timely access to the government’s detailed intelligence about hackers’ activities, it is difficult to stay ahead of those adversaries.

To address these tensions, Biden is directing US spy agencies to redouble their efforts to “collect, produce, and share intelligence” with infrastructure operators, Durkovich says.

The memo requires the Office of the Director of National Intelligence (ODNI) to produce a report on the state of the government’s information-sharing with the private sector. As part of that process, the senior administration official says, ODNI will work with CISA and other agencies to write procedures for better outreach to companies.

The government can look to two recent case studies for insights about the best ways to share useful information without jeopardizing the sensitive sources and methods used to gather it. As Russia began its expanded invasion of Ukraine in 2022, the intelligence community declassified and published intelligence about the Kremlin’s plans at such a rapid tempo that it stunned many former officials. And when officials wanted to warn companies about the seriousness of China’s recent cyber intrusions into US infrastructure, they convened classified briefings that starkly laid out the potential damage Beijing could do in the event of a war.

“We have a lot of instructive emerging practices and lessons learned from what has happened in the first three years of this administration,” says the senior official.

In addition to the report on information sharing, the memo also gives ODNI 180 days to produce a formal intelligence assessment on threats to America’s infrastructure, and the senior official says the government “will work to share that” with companies to the extent possible.

Beyond its major substantive changes, the new memo significantly boosts the stature of CISA, which did not exist when the previous plan was written. The memo codifies CISA’s twin roles as a government-wide coordinator for infrastructure security work and as the designated SRMA for eight of the 16 sectors.

CISA has pursued its role as the lead infrastructure protection agency in multiple ways, its director, Jen Easterly, told reporters during Monday’s briefing.

First, CISA reestablished a council of senior officials that makes major decisions about how agencies coordinate to address risks. Second, Easterly says, CISA has provided agencies with “guidance and templates” to help produce risk assessments and risk management plans for each of their sectors. Third, CISA is finalizing a list of “systemically important entities” whose operations power daily life in fundamental ways.

The government will work with the companies on the important-entities list—there are fewer than 500 of them—“to ensure they have the resources necessary to manage risk,” a second senior administration official told reporters on Monday. Those companies will also be priorities for regulation.

While it updates key parts of the government’s defensive playbook, the memo does not change the basic structure underpinning this work: the 16 sectors—each containing a collection of related industries—that together comprise the nation’s critical infrastructure. A CISA report published in late 2021 recommended that the administration consider adding new sectors for the space and bioeconomy industries, but officials decided not to do so.

“Because space is really a part of so many different sectors, it did not, at this time, make sense to break space out as a separate sector,” the second senior official says. (CISA is, however, focused on space cybersecurity.) Government leaders similarly decided that bioeconomy risks were not unique enough to merit a new sector. But both industries could receive their own sectors in the future “if there are significant changes” to the risks they face, says the second official.

In light of how quickly those risks and other conditions could change, the memo directs DHS to submit a “national risk management plan” to the White House every two years summarizing what the government is doing to prevent harm.

Biden administration officials see the new document as more than just an updated strategy. To them, it is a watershed moment in how the government organizes itself to protect Americans from poisoned water, widespread blackouts, and other infrastructure disasters.

The new memo, Durkovich says, “prepares us for the next decade—what the president calls the decisive decade—and what lies out on the horizon.”

Tag

#intel