This Month in Cybersecurity - April Edition

Ransomware Attack Costs Change Healthcare Nearly $1B

United Healthcare, the parent company of Change Healthcare, has released financial information about the recent ransomware attack that disrupted cash flow and the ability of hospitals and pharmacies across the United States to provide care. The company published its quarterly earnings results, in which it disclosed that recovery costs are likely to exceed $1 billion over time, including the $22 million ransom payment that was made.

The attack, which has been attributed to a criminal group associated with ALPHV/BlackCat, saw Change Healthcare’s data taken for ransom and held until an initial payment was made to the group. Once the company started to recover from the initial attack, a second group was able to come in and steal around 4TB of data containing personally identifiable information, setting recovery efforts back and driving up the cost of recovery.


Hotfixes for Palo Alto Zero-Day Bug in Firewall OS

Palo Alto Networks recently released an update that addresses a critical security flaw, tracked as CVE-2024-3400, in its PAN-OS platform. The vulnerability affects firewalls running versions 10.2, 11.09, and 11.1 of the OS and was found after independent researchers at Volexity noticed suspicious activity on a customer’s firewall.

Palo Alto has noted that limited attacks have been carried out using this vulnerability, which allows threat agents to gain unauthorized access to the affected system and execute harmful commands. While the hotfix has been pushed to all affected versions of the OS, Palo Alto has said that disabling device telemetry can temporarily mitigate the risk, but it cannot guarantee the long-term efficacy of that practice.

Both the researchers and Palo Alto stress the importance of updating to the new, patched versions of the OS. Issues like these are a good example of why regular maintenance of all systems, and keeping them current with the latest security patches, is imperative in day-to-day operations.


Microsoft Fights Spam by Limiting Bulk Emails

Microsoft has announced measures to combat spam by implementing a daily limit of 2,000 external recipients for bulk emails sent via Exchange Online, starting in January 2025. Prior to this initiative, Microsoft did not limit the number of outgoing emails; the new cap is intended to prevent abuse of resources and ensure fair usage.

The new External Recipient Rate (ERR) limit will be a subset of the existing Recipient Rate limit of 10,000 recipients per day. This change will roll out in two phases, affecting newly created tenants first and then existing ones by the end of 2025.

Customers needing to exceed the ERR limit can consider using Azure Communication Services for Email, which is tailored for high-volume business-to-consumer communication. This is similar to a practice recently implemented by Google, which requires account holders to set up SPF, DKIM and DMARC email authentication for their domains.

Defensible Strategies

Learn from those who have been attacked

CISA Issues Warning About Breach at Sisense

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is investigating a breach at business intelligence company Sisense that may have exposed user data. The breach itself appears to stem from a compromise of Sisense’s self-managed GitLab deployment.

How the threat agents initially gained access to the company’s GitLab code repository is unclear, but from there they were able to make their way into Sisense’s Amazon S3 cloud storage. This allowed data such as access tokens, email account passwords, and even SSL certificates to be accessed.

CISA has raised the concern that Sisense may not have been doing enough to protect the sensitive data, but also notes that the cleanup after the breach will largely fall outside Sisense’s control, as the data in question can only be changed by the end users of the online dashboard.


X.com Hands Gift to Phishers As it Pivots From Twitter.com

The company formerly known as Twitter has started to automatically rewrite links mentioning “twitter.com” to read as “x.com”, which has led to dozens of new domain registrations seeking to exploit this behaviour and create convincing phishing links. Domains like “goodrtwitter.com” were registered and displayed as “goodrx.com” because of the new rewriting.

Most of these newly registered domains were created defensively to prevent abuse, but some were not properly restricted and allowed threat agents to divert traffic away from legitimate sites. Twitter/X has since corrected the error, but the incident sparked concern and amusement from social media users and security analysts alike.
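As an added illustration (not code from this newsletter or from X), here is the substring-style rewrite that produces the behaviour described above, beside a host-aware rewrite that only touches links whose host actually is twitter.com or a subdomain of it. The sample link list is constructed; it includes the goodrtwitter.com lookalike mentioned in the article.

```python
from urllib.parse import urlsplit, urlunsplit

OLD_HOST = "twitter.com"
NEW_HOST = "x.com"


def naive_rewrite(url: str) -> str:
    """Plain substring replacement over the whole URL.

    This is the flawed behaviour: 'goodrtwitter.com' becomes 'goodrx.com'
    and a 'twitter.com' inside a query string is rewritten as well.
    """
    return url.replace(OLD_HOST, NEW_HOST)


def host_aware_rewrite(url: str) -> str:
    """Rewrite only when the parsed host is twitter.com or *.twitter.com.

    Userinfo and port are preserved; anything else is returned unchanged.
    """
    parts = urlsplit(url)
    host = parts.hostname  # lower-cased, port stripped, None if absent
    if host is None:
        return url
    if host == OLD_HOST:
        new_host = NEW_HOST
    elif host.endswith("." + OLD_HOST):  # label boundary, so 'goodrtwitter.com' fails
        new_host = host[: -len(OLD_HOST)] + NEW_HOST
    else:
        return url
    try:
        port = parts.port
    except ValueError:  # malformed port: leave the link alone
        return url
    userinfo = parts.netloc.rsplit("@", 1)[0] + "@" if "@" in parts.netloc else ""
    netloc = f"{userinfo}{new_host}" + (f":{port}" if port else "")
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def spoofable(urls):
    """Links where the naive and host-aware rewrites disagree: the abuse surface."""
    return [u for u in urls if naive_rewrite(u) != host_aware_rewrite(u)]


# Constructed sample links for demonstration.
SAMPLE_LINKS = [
    "https://twitter.com/someuser/status/1",
    "https://www.twitter.com/someuser",
    "https://goodrtwitter.com/coupons",        # lookalike from the article
    "https://example.com/?ref=twitter.com",    # match outside the host
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{link}\n  naive: {naive_rewrite(link)}\n  safe:  {host_aware_rewrite(link)}")
    print("spoofable:", spoofable(SAMPLE_LINKS))
```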