Daily Brief


Total articles found: 11813

Checks for new stories every ~15 minutes

2024-04-23 12:33:09 theregister DATA BREACH UnitedHealth Faces Extensive Data Breach Impacting Millions
UnitedHealth Group acknowledged a significant data breach following a ransomware attack targeting its subsidiary Change Healthcare. Personal identifiers and health information affecting a vast number of Americans were involved, with exact figures still undisclosed. The breach, initiated in February, disrupted services across U.S. hospitals and pharmacies, affecting electronic prescription capabilities. ALPHV, a known cybercrime group, accessed Change Healthcare's networks using stolen remote access credentials and later activated ransomware. UnitedHealth has paid a reported $22 million ransom to mitigate the risk of data exposure and is continuously monitoring for leaked data on the dark web. RansomHub, another cybercriminal entity, claims to have released sensitive patient data from the hack and has demanded further ransom. Recovery and analysis by third-party cybersecurity experts are expected to take several months, with UnitedHealth estimating financial impacts could reach up to $1.6 billion for the year. The company ensures ongoing vigilance in data monitoring to prevent further unauthorized disclosures and damages.
2024-04-23 11:29:20 thehackernews MISCELLANEOUS Webinar Invites Executives to Master Supply Chain Threat Hunting
An upcoming webinar titled "Supply Chain Under Siege: Unveiling Hidden Threats" focuses on proactive techniques for identifying and mitigating threats within the supply chain. The session is designed for cybersecurity professionals and business executives, aiming to equip them with advanced threat-hunting skills. Industry experts Rhys Arkins and Jeffrey Martin will lead the webinar, offering insights into the evolving landscape of supply chain vulnerabilities. Participants will learn how to proactively detect and neutralize potential breaches by understanding the complex networks of interconnected systems and third-party interactions. The webinar emphasizes the importance of staying ahead in cybersecurity by transforming reactive security measures into proactive defenses. Registration is currently open for those interested in enhancing their capabilities to prevent supply chain attacks and protect their organizations.
2024-04-23 11:08:25 theregister RANSOMWARE Leicester City Council Suffers Ongoing Effects from Ransomware Attack
Leicester City Council fell victim to a ransomware attack by INC Ransom in March, affecting its operational systems. Nearly two months after the attack, the council's streetlight management system is still malfunctioning, causing streetlights to stay on continuously. Because faults cannot be detected and repaired remotely, the council has forced the lights into a default always-on mode to maintain public safety. Residents report inconvenience and disturbance; the issue is expected to be resolved by early May, although delays are anticipated given past recovery predictions. The ransomware group leaked 1.3 TB of data after the council refused to pay the ransom, exposing considerable sensitive information. Leicester City Council's response involved coordinating with local police and the National Cyber Security Centre to manage the consequences without yielding to ransom demands. The council is in the process of notifying individuals at high risk due to the breach and prioritizing their security.
2024-04-23 10:26:43 thehackernews MISCELLANEOUS Police Chiefs Discuss Risks of Encryption in Solving Crimes
European police chiefs emphasized the growing challenge posed by end-to-end encryption (E2EE), which limits access to data they consider crucial for crime investigation. Authorities argued that privacy measures like E2EE prevent law enforcement from accessing evidence needed to prosecute serious crimes, including terrorism and human trafficking. The U.K. National Crime Agency criticized Meta's decision to implement E2EE in Messenger, arguing it impedes efforts to combat online child sexual abuse. Police agencies advocate a balanced approach in which tech companies ensure user privacy and security while still enabling access to data for crime prevention and investigation. Technical solutions that allow both cybersecurity and government access to potential evidence are considered feasible by the agencies but require cooperation between governments and the tech industry. Meta employs various mechanisms to monitor and handle illegal content on platforms like WhatsApp and Instagram even with E2EE in place, relying on unencrypted metadata and user reports. New features in Instagram aim to protect users through client-side machine learning, analyzing potentially harmful content directly on devices.
2024-04-23 10:26:43 thehackernews CYBERCRIME Exploring the Vast Financial Impact of Global Cybercrime
Cybercrime costs are projected to soar to 10.5 trillion USD annually by 2025, up from 3 trillion USD in 2015, indicating robust growth in criminal sophistication and success. Beyond ransomware payments and immediate recovery expenses, businesses face extensive hidden costs, including operational disruptions and revenue loss, particularly in key services like finance and healthcare. Extended downtime not only results in direct revenue loss but also damages reputation, trust, and customer loyalty, potentially leading to a long-term impact on business health. Data breaches complicate relationships with customers and suppliers, increase regulatory fines, and lead to higher insurance premiums, adding to the financial strain on businesses. Vulnerability to cyberattacks is exacerbated by human error, with 88 percent of breaches linked to employee mistakes, emphasizing the need for robust security training and awareness. Cybersecurity strategies must encompass technological upgrades, employee education, regular security audits, and advanced threat detection to mitigate risks effectively. National cybersecurity efforts, comparable to military defenses, are being increased in countries like the U.S., China, and the UK to combat the evolving threat landscape. Both individual and organizational efforts are critical in enhancing cybersecurity defenses and reducing vulnerability to cyberattacks.
2024-04-23 10:21:10 thehackernews NATION STATE ACTIVITY German Prosecutors Issue Arrest Warrants for Alleged Chinese Spies
German authorities have issued arrest warrants for three individuals suspected of espionage on behalf of China. The suspects reportedly gathered information on technologies and scientific research beneficial to Chinese military capabilities. One specific instance involved a contract with a German university to study high-performance marine engines for combat ships. The suspects also illegally exported a laser to China, an item that falls under EU export regulation because of its potential dual use in military applications. Related developments include the arrest of another individual accused of spying within the European Parliament and on the Chinese opposition in Germany. These arrests come alongside other international incidents, highlighting a pattern of alleged espionage activity linked to China. Chinese officials have responded to the accusations, denouncing them as "malicious slander" and criticizing political moves against China.
2024-04-23 08:34:06 theregister DATA BREACH Over a Million UK Neighbourhood Watch Members' Data Exposed
Over a million Neighbourhood Watch members' data was compromised due to a vulnerability in the Neighbourhood Alert communications platform. The bug allowed unverified users to register as coordinators and, without any approval process, access personal information such as names, addresses, and phone numbers. The platform, operated by Nottingham-based VISAV, is endorsed by local authorities across the UK and has over half a million users. The security flaw was identified and reported by a user in late March; because a coordinator could draw large geographical boundaries, the flaw offered the potential for personal data harvesting at scale. Police officers, MPs, and other individuals with elevated privacy needs had their details exposed, increasing the risk of misuse of their information. VISAV's product director Mike Douglas acknowledged the breach, termed it a "security anomaly," and confirmed that corrective measures were promptly implemented. The company has informed all potentially affected users and reported the incident to the Information Commissioner's Office (ICO) to comply with regulatory requirements and prevent future incidents.
2024-04-23 06:47:06 thehackernews NATION STATE ACTIVITY U.S. Imposes Visa Restrictions on Commercial Spyware Abusers
The U.S. State Department is imposing visa restrictions on 13 individuals linked to the development and exploitation of commercial spyware. The targeted individuals are either directly involved in the spyware business or are family members of those who engage in it and benefit financially from its abuse. The spyware in question has been used to surveil journalists, academics, human rights defenders, dissidents, critics, and U.S. government personnel, violating privacy norms. The action builds on a previously announced U.S. policy aimed at countering the misuse of spyware and is intended to promote accountability and protect freedom of expression. The policy also addresses concerns about authoritarian governments using such technology to spy on civil society members. In related news, the U.S. Treasury's Office of Foreign Assets Control sanctioned the Intellexa Consortium for deploying spyware against various targets, including government officials and journalists. Kaspersky's report reveals an increase in stalkerware victims, with significant numbers in Russia, Brazil, and India, highlighting the ongoing challenge of illicit surveillance technologies.
2024-04-23 05:30:24 theregister NATION STATE ACTIVITY North Korean Animation Scam Unveiled Through Server Leak
A misconfigured cloud server using a North Korean IP address exposed the apparent covert outsourcing of animation work to North Korea on productions for studios such as the BBC, Amazon, and HBO Max. The discovery, made by Nick Roy, author of the NK Internet blog, and analyzed by the Stimson Center, revealed daily uploads of animation work and production directives, often translated into Korean from Chinese. The animations involved included Amazon Prime's "Invincible", Cartoon Network and HBO Max's "Iyanu, Child of Wonder", and potentially the BBC's "Octonauts". Mandiant's review of the server's access logs indicated VPN use and direct logins from China and Spain. The files did not directly identify the outsourcing organization, but suspicion points to April 26 Animation Studio (SEK Studio) in Pyongyang, which is under U.S. sanctions. There is no evidence that the contracting companies were aware their animation work had been sub-outsourced to North Korean labor. The Stimson Center highlighted the dangers of North Korean entities covertly participating in digital sectors such as software development. Increased vigilance and advisories are recommended for cloud service providers to avoid unknowingly supporting North Korean IT operations and regime funding.
2024-04-23 04:29:24 thehackernews NATION STATE ACTIVITY Russia's APT28 Uses Windows Flaw to Spread GooseEgg Malware
APT28, a Russian nation-state threat actor, exploited a vulnerability in the Microsoft Windows Print Spooler to deploy the GooseEgg malware. The security flaw, tracked as CVE-2022-38028 with a CVSS score of 7.8, was patched by Microsoft in October 2022 following its identification by the NSA. GooseEgg enables privilege escalation and the execution of commands with SYSTEM-level permissions, and has been used against entities in Ukraine, Western Europe, and North America. The malware primarily affected the government, NGO, education, and transportation sectors, serving as a tool for intelligence collection aligned with Russian foreign policy. GooseEgg is capable of launching applications that facilitate further activity such as remote code execution, backdoor installation, and lateral movement within networks. APT28, also known as Fancy Bear and Forest Blizzard, has been leveraging multiple other public exploits, demonstrating how rapidly the group adopts newly available vulnerabilities. The disclosure coincides with IBM X-Force's report of new phishing attacks by the related Russian actor Gamaredon, indicating an increased tempo and sophistication in Russian cyber operations.
2024-04-23 01:21:24 theregister NATION STATE ACTIVITY Russian Fancy Bear Exploits Old Windows Print Spooler Bug
The Russian cyberespionage group Fancy Bear uses "GooseEgg" malware to exploit a dated Windows Print Spooler vulnerability. Microsoft Threat Intelligence uncovered the activity, which involves stealing credentials and elevating privileges on compromised networks. The vulnerability, CVE-2022-38028, was patched by Microsoft in October 2022, but exploitation dates back to as early as April 2019. The attackers gain access through modified JavaScript files, executing them with SYSTEM-level permissions to drop additional payloads. Targeted sectors include government, education, transportation, and NGOs in regions such as Ukraine, Western Europe, and North America. Microsoft advises patching affected systems immediately and disabling the Print Spooler service on domain controllers, where it is not needed, to prevent misuse. Microsoft has also released detailed threat hunting queries and indicators of compromise to help organizations detect potential breaches.
2024-04-22 22:33:30 bleepingcomputer NATION STATE ACTIVITY APT28 Exploits Windows Flaw, Targets Western Entities
The Russian APT28 threat group has been exploiting the Windows Print Spooler vulnerability CVE-2022-38028, initially reported by the NSA. Microsoft detected APT28 using a tool called GooseEgg to escalate privileges and execute commands with SYSTEM-level access. Exploitation has been ongoing since at least June 2020, with indications of activity as early as April 2019. GooseEgg is used to deploy additional malware, facilitate backdoor installation, and enable lateral movement within networks. Targets include the government, non-governmental, educational, and transportation sectors across Ukraine, Western Europe, and North America. Microsoft patched the vulnerability in October 2022 but had not flagged it as actively exploited in its advisory. APT28, also known as Fancy Bear, has a history of high-profile cyberattacks, including breaches of the German Federal Parliament and the DNC. Microsoft's findings underscore the ongoing threat posed by nation-state actors in cyber espionage and sabotage.
2024-04-22 21:11:53 theregister NATION STATE ACTIVITY U.S. Senate Extends Warrantless Surveillance Under FISA Section 702
The U.S. Senate voted 60-34 to extend Section 702 of the Foreign Intelligence Surveillance Act (FISA), permitting warrantless surveillance for another two years. President Biden quickly signed the Reforming Intelligence and Securing America Act (RISAA), which also expands the entities required to cooperate with U.S. intelligence. The Senate rejected six amendments aiming to limit the scope of surveillance and require warrants for accessing U.S. persons' data caught in intelligence sweeps. RISAA broadens the definition of electronic communications service providers, increasing the range of companies and individuals who must assist in intelligence operations. Critics, including Senator Ron Wyden, voiced strong objections to the renewal, highlighting ongoing concerns over privacy violations and insufficient oversight of intelligence activities. FBI Director Christopher Wray defended Section 702 as a vital tool against threats, including cyber activities by foreign entities, notably Chinese hacking groups. Civil liberties organizations like the ACLU expressed disappointment with the bill's passage and vowed to continue advocating for reform and accountability in surveillance practices.
2024-04-22 17:22:48 bleepingcomputer NATION STATE ACTIVITY Microsoft Identifies Russian Hackers Exploiting Windows Vulnerability
The Russian APT28 hacking group exploits a Windows Print Spooler vulnerability, initially reported by the NSA, to escalate privileges and steal data. The group employs a hacking tool known as GooseEgg, designed to exploit CVE-2022-38028, which Microsoft patched in October 2022. GooseEgg allows attackers to run commands with SYSTEM-level privileges, deploy additional malicious tools, and maintain persistence on compromised systems. The exploit also enables deployment of a malicious DLL that can execute applications with elevated permissions, facilitating the launch of backdoors and lateral movement through networks. Microsoft has observed attacks against Ukrainian, Western European, and North American targets in the government, education, and transportation sectors. Historically, APT28 has conducted high-profile cyberattacks, including exploiting Cisco router zero-days and compromising Ubiquiti EdgeRouters. The U.S. and EU have imposed charges and sanctions on APT28 members linked to breaches of the German Federal Parliament and U.S. political organizations.
2024-04-22 16:31:37 theregister NATION STATE ACTIVITY Europol Challenges Tech Giants on End-to-End Encryption Use
Europol, along with European police chiefs, has released a declaration urging tech companies not to fully implement end-to-end encryption (E2EE), in order to preserve lawful access to communications for law enforcement purposes. The declaration argues that serious crimes such as terrorism, human trafficking, and child exploitation risk becoming undetectable under E2EE, which prevents scanning of direct messages. The statement characterizes completely private communication spaces as dangerous and unprecedented in society, advocating instead for user privacy that still allows for crime prevention and intervention. Europol's stance reflects similar concerns raised by other international organizations and aligns with the views expressed by the UK's National Crime Agency in joint cooperation. The declaration particularly targets Meta (formerly Facebook), which has been progressively implementing E2EE across its messaging platforms. Meta has resisted pressure from law enforcement, citing the potential compromise of user trust and privacy, and maintains that its encryption does not obstruct its ability to monitor and report harmful activity. Meta continues to develop alternative methods of detecting illicit activity without reversing its encryption stance, aiming to balance security and privacy.