Though the Chicago-area hospital did not pay a ransom, a host of sensitive medical information is now at risk.

Source: Helen Sessions via Alamy Stock Photo

A full 791,000 of patients have had their personal information compromised in a cyberattack that resulted in Lurie Children's Hospital in Chicago taking its systems offline.

Cybercriminals accessed the children's hospital's systems, disrupting its patient portal, communications, and ability to access medical records.

In a data breach notification this week, the hospital cited the investigation as ongoing and said that the threat actors accessed the systems between Jan. 26 and 31, 2024.

Once the hospital went offline, it implemented standard response procedures, including its downtime procedures, though it has remained open throughout the duration of the investigation thus far.

While still determining the nature and scope of the attack, the hospital said, information "relating to certain individuals, such as name, address, date of birth, dates of service, driver's license number, email address, health claims information, health plan, health plan beneficiary number, medical condition or diagnosis, medical record number, medical treatment, prescription information, Social Security number, and telephone number, was impacted," though it varies depending on the individual.

The hospital's notice did not specifically say that it was the victim of a ransomware attack, but it noted that the hospital did not pay a ransom of any kind.

"Experts have advised that making a payment to cybercriminals does not guarantee the deletion or retrieval of data that has been taken," according to the hospital.

The cybercriminals in question are in the Rhysida ransomware gang, which has claimed responsibility of the attack, listing the hospital on its website and the apparent 600GB it claims to have stolen as "sold."

The hospital is in the process of informing affected individuals and is providing 24 months to Experian Identity Works. A call center is available to address questions and concerns about the information released on the cyberattack as well.

Hundreds of Thousands Impacted in Children's Hospital Cyberattack

The ransomware group claimed it had breached the Federal Reserve, but the target now appears to have been an Arkansas-based bank, Evolve.

Source: Anthony Pierce via Alamy Stock Photo

Evolve Bank, a financial institution headquartered in Arkansas, was the victim of an attack by the LockBit ransomware group which resulted in a data leak onto the Dark Web this week.

LockBit had drawn attention to itself earlier this week after claiming to have hacked the US Federal Reserve.

The announcement was seen by some within the IT security community as a bold — some used the word "desperate"­ — comeback attempt following the recent, high-profile law enforcement takedown of the ransomware giant. 

After publishing a post on its data leak site threatening to release "33 terabytes of juicy banking information containing Americans' banking secrets" if a ransom was not paid, LockBit then released some of the data, which was actually stolen from Evolve.

"It appears these bad actors have released illegally obtained data, including personal identification information (PII), on the Dark Web," according to an Evolve statement. "The data varies by individual, but may include your name, Social Security number, date of birth, account information and/or other personal information."

The statement noted the company had contacted law enforcement authorities as part of the bank's investigation and response efforts.

"Based on what our investigation has found and what we know at this time, we are confident this incident has been contained and there is no ongoing threat," the statement said.

The company added that retail banking customers’ debit cards, online, and digital banking credentials did not seem to be affected by the breach.

"Those credentials appear to be secure," a statement said.

**Evolve Already Target of Fed Action**

Earlier this month, the Federal Reserve Board issued an enforcement action against Evolve Bancorp and Evolve Bank & Trust, accusing the company of deficiencies in their anti-money laundering, risk management, and consumer compliance programs.

"Examinations conducted in 2023 found Evolve did not maintain an effective risk-management program or controls sufficient to comply with anti-money laundering laws and laws protecting consumers," the Fed statement read.

Stephen Gates, principal security SME for Horizon3.ai, said in an emailed statement that once an organization experiences a breach, and the smoke begins to clear, the biggest decision is what to do next.

"Everything in the networking environment is now suspect, possibly riddled with other exploitable vulnerabilities and weaknesses that likely remain hidden," he said.

That means that teams must find the attack path that allowed the breach to happen, and they need to uncover other attack paths that could enable it to happen again.

"Now is the time to thoroughly assess the entire networking environment, both on-premises and cloud, but that could take months if not longer," Gates said.

**Financial Sector Defenses Must Evolve**

Piyush Pandey, CEO at Pathlock, says the recent enforcement action against Evolve Bancorp underscores the critical importance of robust sensitive data and application access controls within financial institutions.

"As traditional banking continues to intersect with innovative fintech solutions, maintaining stringent identity and access controls is a must," he says.

He also points out that the interconnectedness and complexity of supply chains in the financial sector increases the difficulty of managing and securing third-party access.

"Given how highly regulated the financial sector is with regards to data protection and privacy, ensuring that third-party vendors comply with these regulations is crucial, yet challenging," Pandey explains.

He adds that by focusing on rigorous controls testing and enforcement, including stringent management of third-party identities and access, financial institutions can significantly strengthen their security posture, protect sensitive data, and ensure compliance with regulatory requirements.

"This proactive approach not only safeguards customer data — and trust — but also enhances the institution's overall resilience against these types of attacks," Pandey says.

Narayana Pappu, CEO at Zendata, notes that financial and medical institutions store significant amount highly sensitive data with significant monetary impact for exposed organizations.

"Therefore, it makes sense that organizations like LockBit are going after this information," he says.

From his perspective, data minimization — not capturing or storing data that is not needed — would help these institutions significantly.

"The trend to date has been to capture, store and make multiple copies of information that is not really needed to run the business," Pappu says. "Just 5% of data collected is properly labeled and governed, for example."

**About the Author(s)**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

LockBit Attack Targets Evolve Bank, Not Federal Reserve

There is an extreme lack of evidence of AI-related danger, and proposing or implementing limits on technological advancement isn't the answer.

Aaron Rosenmund, Senior Director of Content Strategy and Curriculum, Pluralsight

June 28, 2024

4 Min Read

Source: Mopic via Alamy Stock Photo

COMMENTARY

Skynet becoming self-aware was the stuff of fiction. Despite this, reports that stoke apocalyptic fears about artificial intelligence (AI) appear to be on the uptick. Published insights on AI need to be handled and reported responsibly. It is a disservice to us all to showcase survey findings in a way that invokes the doomsday endgame brought on by the non-human antagonists of the Terminator films. 

Earlier this year, a governmentwide action plan and report was released based on an analysis that AI may bring with it catastrophic risks, stating AI poses "an extinction-level threat to the human species." The report also finds that the national security threat AI poses likely will grow if tech companies fail to self-regulate and/or work with the government to reign in the power of AI. 

Considering these findings, it's important to note that survey results are not grounded in scientific analysis, and published reports are not always backed by a thorough comprehension of AI's underlying technology. Reports focusing on AI that lack tangible evidence to back up AI-related concerns can be viewed as inflammatory rather than informative. Furthermore, such reporting can be particularly damaging when it's provided to governmental organizations that are responsible for AI regulation.

Beyond conjecture, there is an extreme lack of evidence of AI-related danger, and proposing or implementing limits on technological advancement is not the answer. 

In that report, comments like "80% of people feel AI could be dangerous if unregulated" prey upon our country's cultural bias of fearing what we don't understand to stoke flames of concern. This kind of doom-speak may gain attention and garner headlines, but in the absence of supporting evidence, it serves no positive goal.

Currently, there's nothing to point to that tells us future AI models will develop autonomous capabilities that may or may not be paired with human-aimed catastrophic intent. While it's no secret that AI will continue to be a highly disruptive technology, this does not necessarily mean it will be destructive to humanity. Furthermore, AI as an assistive tool to develop advanced biology, chemistry, and/or cyber weaponry is not something that the implementation of new US policies or laws will solve. If anything, such steps are more likely to guarantee that we'd end up on the losing side of an AI arms race.

**The AI That Generates a Threat Is the Same AI That Defends Against It**

Other countries or independent entities who intend harm can develop destructive AI-based capabilities outside of the reach of the US. If forces beyond our borders plan to use AI against us, it's important to remember that the AI that can, for example, create bioweapons, is the same AI that would provide our best defense against that threat. Additionally, the development of treatments for diseases, cures to toxins, and the advancement of our own cyber industry capabilities are equal outcomes of advancing AI technology and will be a prerequisite to combating malicious use of AI tools in the future.

Business leaders and organizations need to proactively monitor the implementation of regulations related to both the development and use of AI. It's also critical to focus on the ethical application of AI across the industries where it's prevalent and not just how models are advancing. For example, in the EU, there are restrictions on using AI tools for home underwriting to address concerns over inherent biases in datasets that could allow for inequitable decision-making. In other fields, "human in the loop" requirements are employed to create safeguards related to how AI analysis and decision-making are applied to job recruitment and hiring.

**No Way to Predict What Level of Computing Generates Unsafe AI**

As reported by Time, the aforementioned report — Gladstone's study — recommended that Congress should make it illegal "to train AI models using more than a certain level of computing power" and that the threshold "should be set by a federal AI agency." As an example, the report suggested that the agency could set the threshold "just above the levels of computing power used to train current cutting-edge models like OpenAI's GPT-4 and Google's Gemini."

However, while it is clear that the US needs to create a road map for how AI should be regulated, there is no way to predict what level of computing would be required to generate potentially unsafe AI models. Setting any computing limit to put a threshold on AI advancement would be both arbitrary and based on limited knowledge of the tech industry. 

More importantly, a drastic step to stifle change in the absence of evidence to support such a step is harmful. Industries shift and transform throughout time, and as AI continues to evolve, we are simply witnessing this transformation in real-time. That being the case, for now, Terminator's Sarah and John Connor can stand down. 

**About the Author(s)**

Senior Director of Content Strategy and Curriculum, Pluralsight

Aaron Rosenmund is a cybersecurity operations expert, with a background in federal and business defensive and offensive cyber operations and system automation. Leveraging his administration and automation experience, Aaron actively contributes to multiple open and closed source security operation platform projects and continues to create tools and content to benefit the community. As an educator and cybersecurity researcher at Pluralsight, he is focused on advancing cybersecurity workforce and technologies for business and national enterprises alike. In support of the Air National Guard, he contributes those skills part time in various initiatives to defend the nation in cyberspace.

Unfounded Fears: AI Extinction-Level Threats &amp; the AI Arms Race

Just because mainframes are old doesn't mean they're not in use. Mainframe Security Posture Management brings continuous monitoring and vigilance to the platform.

1touch.io has announced the launch of its mainframe security posture management (MSPM) product, which relies on contextual artificial intelligence (AI) to provide visibility and accuracy in data discovery and classification across mainframe environments.

With new technologies proliferating and attention focused on modern architectures, it's easy to forget that mainframes continue to run much of the world. They handle 68% of the world's production IT workloads and are used by 71% of Fortune 500 companies, according to 1touch.io. Use is particularly heavy in industries such as banking, insurance, healthcare, and the government, where organizations rely on mainframes for their reliability, security, and massive processing capabilities.

Even so, mainframe security — which includes data security, compliance, and governance — is particularly challenging when integrating mainframes into hybrid cloud environments. Keeping these challenges in mind, 1touch.io added comprehensive visibility across hybrid environment and fast database scanning.

1touch.io MSPM integrates with all mainframe data sources to continuously monitor and analyze sensitive data, which it integrates with other enterprise data — regardless of whether it is structured, unstructured, stored locally, or stored in the cloud — to provide a single, accurate record for each mainframe data asset.

MSPM supports various mainframe data sources, including Virtual Storage Access Method files and IBM Z's Db2. There are plans to extend to IBM Information Management System and flat files, the company said.

**About the Author(s)**

1Touch.io Integrates AI Into Mainframe Security

Responding to an incident quickly is important, but it shouldn't come at the expense of reporting it to the appropriate regulatory bodies.

Source: Nico El Nino via Alamy Stock Photo

When the Intercontinental Exchange (ICE) identified a breach in its virtual private network (VPN), the organization immediately launched investigation and remediation efforts. However, it was not until four days later that the company reported the breach to regulators, violating not only the Security and Exchange Commission's (SEC) compliance requirements but also the company's own internal cyber incident reporting procedures. This is according to the SEC in its May announcement of a $10 million fine. The question of why ICE delayed reporting the incident was never answered publicly.

The SEC stated: "The SEC's order finds that ICE personnel did not notify the legal and compliance officials at ICE's subsidiaries of the intrusion for several days in violation of ICE’s own internal cyber incident reporting procedures. As a result of ICE's failures, those subsidiaries did not properly assess the intrusion to fulfill their independent regulatory disclosure obligations under Regulation SCI (Regulation Systems Compliance and Integrity), which required them to immediately contact SEC staff about the intrusion and provide an update within 24 hours unless they immediately concluded or reasonably estimated that the intrusion had or would have no or a de minimis impact on their operations or on market participants."

Both ICE and the SEC declined to answer Dark Reading's inquiries, but there are some possible explanations. It is also a cautionary tale for other critical infrastructure organizations that consider bypassing compliance for quicker incident response.

A popular misconception is that enterprises have a cavalier attitude about compliance and think that it is easier to pay the fine and chance the consequences of bad press and lawsuits, rather than file the necessary compliance documents and deal with the outcome of suffering a breach.

"I've never been in a situation or a meeting where someone has seriously said, 'Well, we'll just pay the fine,'" says Fred Rica, a partner at certified public accounting firm BPM Associates. "I think most boards and management committees strive to do the right thing and abide by the rules and regulations that they're bound to."

The challenge remains that nontechnical board members often do not understand cybersecurity implications, while CISOs may struggle to explain threats in business terms. Rica emphasizes the need for boards to ask better questions and be more engaged with cybersecurity issues. 

"The first thing that has to change is, boards need to start asking better questions," he says, adding that the time where boards could pass off cyber threats to the technical team has passed.

"What was sufficient even three years ago probably is not sufficient anymore," Rica says.

In the case of ICE, the VPN attack turned out to have “de minimis impact on their operations or on market participants," the SEC said. While that alone does not change the need to report attacks against critical infrastructure within 24 hours, it could indicate that the company focused on fixing a problem as quickly as possible. Or it simply might mean that the company dropped the ball on what should have been a task that should have been done within 24 hours.

A company that doesn't report a data breach could face greater scrutiny of its cyber insurance policy. Companies with adequate security controls get better rates and terms on their cyber policies, while those with shortcomings face higher rates and less favorable terms, notes Bridget Quinn Choi, an attorney at Woodruff-Sawyer & Co.

In this case, she says, ICE was on top of the incident almost immediately.

"They had a criticality matrix. They had reporting controls, they were looking at the severity, and they fairly quickly went in and found the vulnerability. They found that there was a minor intrusion, and they remediated so quickly," she says. "It wasn't a big deal. So it was a pretty good result from an incident response perspective. The thing that was missing is that in their incident response plan, they had to report within 24 hours if there was a reasonable suspicion of an intrusion. They didn't do it."

Choi notes that while the response was fast, the company had procedural issues.

"Even the SEC came back and said this was de minimis. But it's their second violation," she says. (The company previously violated the SEC's Regulation SCI for failing to have appropriate backup and backup procedures.)

"I think that there's a common misconception that cyber is an infosec issue," she says.

Rather, cybersecurity is a business process that can have a wide-ranging effect on the company, its reputation, and revenue.

"The impact to the company can be wide-ranging," she says. There can be cascading costs, there's regulatory issues, \[and\] there's a plaintiff's bar that is hungry to get into this game. So it's not just doing things, right? It's doing things right."

**About the Author(s)**

Stephen Lawton is a veteran journalist and cybersecurity subject matter expert who has been covering cybersecurity and business continuity for more than 30 years. He was named a Global Top 25 Data Expert for 2023 and a Global Top 20 Cybersecurity Expert for 2022. Stephen spent more than a decade with SC Magazine/SC Media/CyberRisk Alliance, where he served as editorial director of the content lab. Earlier he was chief editor for several national and regional award-winning publications, including MicroTimes and Digital News & Review. Stephen is the founder and senior consultant of the media and technology firm AFAB Consulting LLC. You can reach him at \[email protected\].

Don't Forget to Report a Breach: A Cautionary Tale

Data-rich and resource-poor, schools and libraries around the country make attractive targets for cybercriminals looking for an easy score, but a new federal program is looking to aid their defenses by providing much-needed financial support.

Gregg Vignal via Alamy Stock Photo

One month after the Seattle Public Library's systems went down as part of a ransomware attack, the library is just beginning to restore services to staff and patrons. Some resources are back and running, but the library is far from being fully functional. 

"While staff will be back on the Library's network after Tuesday, June 25, they will still not be able to access patron accounts or our catalog for a bit longer," the library said this week. "This is due to the Library's operational capacity throughout the recovery process — each newly recovered system requires appropriate assessment, testing, communication, documentation, and if necessary, troubleshooting."

After that is complete, the technology team plans to work toward restoring access to patron accounts, the library catalog, and other services, like free in-building Wi-Fi, computers, and printers, that are vital to community members. However, it's still not clear when services will be fully restored, leaving many who rely on the library for access to these resources out in the cold. 

The Seattle Public Library is just one of many public institutions that have fallen victim to cyberattacks. A cyberattack last October has the British Library still scrambling to restore services more than nine months after the infiltration. And according to the Center for Internet Security nearly a third of U.S. K-12 schools in its network have been victims of a cyberattack.

Around the world, schools and libraries face an increasing number of cybersecurity threats and attacks targeted at disrupting and disabling critical networks, leading to the disruption of school and library operations, reduced bandwidth, monetary losses, loss of learning opportunities, and theft and leaks of student, staff, and library patron personal information, according to the Federal Communications Commission (FCC). 

To combat this threat, the FCC recently voted to approve the Schools and Libraries Cybersecurity Pilot Program, a three-year initiative that will provide up to $200 million in Universal Service Fund support to pay for advanced firewalls, endpoint protection, identity authentication, and monitoring systems. (Schools and libraries interested in learning about how to apply for program funding can find information at the FCC website.)

"This is a landmark moment for schools and libraries across the nation," said John Harrington, CEO of Funds for Learning, in a statement. "The cybersecurity threats facing our educational institutions are significant. This pilot program represents a crucial step in providing the resources necessary to safeguard sensitive information and maintain secure, reliable access to digital learning tools." 

**Investing in Schools, Libraries Is Key**

The federal funding fills a gap in school and library budgets because, with everything on their plates, it's challenging for these organizations to make cybersecurity a priority, says Johnathan Kim, director of technology at the Woodland Hills School District in North Braddock, Penn.

“A big part of it, especially here in western Pennsylvania, is budgeting,” says Kim. "Since I have been in education, since around 2017, the budgets keep getting smaller and smaller or staying flat, while everything else is raising. While we have a million-dollar budget for technology, it's been the same." 

The average school spends less than 8% of its technology budget on cybersecurity, and one in five spends less than 1%, according to the Center for Internet Security. 

Participants in the pilot program will receive funding on a per-student or per-library basis to help cover the costs of enhancing cybersecurity equipment and services, according to an FCC spokesperson. Funding will be split among rural and urban large and small organizations, with an emphasis on funding programs for low-income and tribal applicants.

The FCC encourages consortia of schools and libraries to apply together, as consortia have buying power that can help reduce costs and allow less technically savvy organizations to partner with better-resourced schools and libraries. State and local government entities, including educational service agencies, are not eligible for discounts or funding under the pilot program, but they can serve as a consortium leader for eligible schools and libraries. 

The Woodland Hills district was able to reduce spend on endpoint protection from $300,000 to $20,000 per year by participating in a state consortia, Kim said. 

**Don't Have to Have a Big Budget**

While increased funding is important, not all cybersecurity success for schools and libraries depends on having a big budget. 

"I think one of the big things is to understand that this is a huge puzzle. You don't start by consuming it all at once," said Curt Godwin, network operations coordinator for the Forsyth County Schools in Georgia, at a June webinar held by Funds for Learning. "You start with the small pieces. Do the things that you can do that cost very little time, effort, money or personnel."

Things to tackle first could include evaluating and establishing cybersecurity policies and training staff and students to handle information security.

"All of these things you do and look at can make a huge impact in reducing your threat surface, while having a very minimal impact on your finances," Godwin said. "Now, that's not to say that there aren't things that you will have to spend money on, and, thankfully, this program may help in going a long way to address that, but there are things you can do to shore up your defenses that cost very little money. Hit those first. Start changing the culture of your organizations to make this an easier thing to protect because if you try to do it all at once, it's going to fail." 

David Vignery, director of technology at Lawrence Public Schools in Kansas, echoed Godwin’s sentiment. 

"There are a lot of things that you can do today that don't cost a whole lot of money," he said, adding that making sure you have a strong firewall and leveraging best practices is a good start. 

Helping the community understand what threats they actually face, and how they could be impacted, is important to getting buy-in. To drum up support and educate the district in Lawrence, Vignery created a security awareness group to work on an incident response playbook that helped different groups understand what kinds of events could occur and how they would be affected. 

"It created some buy-in at all levels across the organization," Vignery said. "And so now, when we talk about \[security threats\], people really, truly understand why we need to focus some budget dollars to this or that, and to protect tech information and our infrastructure. You're not too small to do this, and you're not too big to do this. So you just get in there and go."

**About the Author(s)**

Contributing Writer

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

New FCC Pilot Shores Up Security for K-12, Libraries

With many popular apps, users must hand over personal information to prove their identity, and the big downside is they have no control over how that information gets processed and stored.

Source: Pamela Au via Alamy Stock Photo

Swaths of personal data and documents belonging to users of the world's most popular apps have been exposed online for well over a year now, and may have leaked to cybercriminals a while ago.

The company responsible for the leak, AU10TIX, is based in a suburb of Tel Aviv and specializes in identity verification via personal documents, biometrics, and more. Its customers include major companies like X, TikTok, LinkedIn, Coinbase, eToro, PayPal, Fiverr, Upwork, Bumble, Uber, and others.

Recently, a security researcher discovered exposed credentials that belonged to a network operations center manager at AU10TIX. They included the manager's passwords and tokens for various accounts, including an AU10TIX logging platform, where the company handled data belonging to individuals whose identities it had vetted.

**The Extent of the Damage**

The logging platform data included names, birth dates, nationalities, and images of ID documents such as driver licenses and passports.

Though the researcher limited his snooping, some data fields appeared to indicate the nature and purpose of the stored data, such as a chart with values such as "Impersonation\_XCorp" and "uber-carshare-passport."

He also found proprietary data from the innards of the company's verification tech. One table, for example, contained results of live face scans, with a field rating the "probability" that the user's face was "live" on a scale from 0 to 1. Others measured the authenticity of documents and photos of faces.

Crucially, the exposed credentials seem to have been sucked up by malware back in December 2022, and posted to Telegram in March 2023.

In statements to 404media, AU10TIX initially claimed that "a thorough investigation determined that employee credentials were illegally accessed then and were promptly rescinded." When the publication informed the vendor that the credentials were still exposed online as of this month, 18 months after the fact, the company said it would work to take down the exposed logging system. It also claimed to have notified affected customers, and highlighted that "based on our current findings, we see no evidence that such data has been exploited."

**The Catch-22 for App Users**

Customers today are faced with an unfortunate choice (if it can even be considered a choice). Whether it be a cryptocurrency or payments, social media or dating, in order to use popular apps today, you often must hand over extra-sensitive information and documents that prove your identity. At the same time, you don't have any control over how that information and those documents are processed and stored.

Is there no way to achieve app security without a cost to personal security?

"Companies can adopt several methods for verifying identities that minimize the need to store sensitive documents and personally identifiable information," says Jason Soroko, senior vice president of product at Sectigo. "One approach is tokenization, which involves storing tokens or hashed values representing the documents instead of the actual documents. This reduces the risk in case the storage system is compromised."

"Another method uses zero-knowledge proofs, a cryptographic technique that allows one party to prove to another that they know a value without conveying any information beyond the fact that they know the value. "This can verify identity without exposing the actual data," Soroko explains. "Additionally, decentralized identity verification leverages blockchain technology, enabling users to control their identity information and share only the necessary parts with services that require verification, thereby enhancing privacy and security.

"These methods, while enhancing security and privacy, require careful implementation and ongoing management to avoid introducing new vulnerabilities."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Authenticator for X, TikTok Exposes Personal User Info for 18 Months

The combined skills from Beazley's cybersecurity services team and Lodestone will go into the company's new managed extended detection and response (MXDR) service.

Source: Egor Kotenko via Alamy Stock Photo

Beazley Security went live this week as an integrated cyber-risk management company, providing a portfolio of services that include a new managed extended detection and response (MXDR) service. The new company is the result of a merger, originally announced in February, between insurance company Beazley's in-house cybersecurity services team and its wholly owned cyber security company, Lodestone.

Beazley Security plans to integrate the risk management services that are included as part of a Beazley cyber insurance policy with Lodestone's technical cybersecurity services. The combined company will provide integrated cyber preparedness and response capabilities. Other core offerings will include a lineup of professional services to help clients prepare for defense against cyberattacks, as well as incident response, forensics, and restoration after an attack. The MXDR service will also offer always-on monitoring and advanced capabilities to rapidly identify and contain threats, the company said.

The new company integrates the risk management services provided as part of a Beazley cyber insurance policy with Lodestone’s technical cybersecurity services. Beazley Security will offer cyber preparedness and response capabilities and invest in new services, such as a managed extended detection and response (mXDR) solution that provides around-the-clock monitoring, enabling rapid identification and containment of threats.

Beazley Security will be led by Alton Kizziah, currently CEO of Lodestone. He will report to Paul Bantick, Beazley's global head of cyber risks.

**About the Author(s)**

Beazley Security Launches With MXDR Offering

Episode 2: Incident response experts-turned-ransomware negotiators Ed Dubrovsky, COO and managing partner of CYPFER, and Joe Tarraf, chief delivery officer of Surefire Cyber, explain how they interact with cyber threat actors who hold victim organizations' systems and data for ransom. Among their fascinating stories: how they negotiated with cybercriminals to restore operations in a hospital NICU where lives were at stake, and how they helped a church, where the attackers themselves "got a little religion."

Dark Reading Confidential: Meet the Ransomware Negotiators

While Progress has released patches for the vulnerabilities, attackers are trying to exploit them before organizations have a chance to remediate.

Source: Color4260 via Shutterstock

Attackers appear to be pounding away at a couple of critical bugs that Progress Software disclosed this week in its MOVEit file transfer application, with nearly the same ferocity as they did the zero-day flaw the company disclosed almost exactly a year ago.

While patches are available for the new flaws, the big question now for affected organizations is whether they can apply them quickly enough to beat adversaries targeting their systems, especially with a proof-of-concept (PoC) exploit available in the wild.

**Patching Alone Is Insufficient**

Even those that might have already applied updates have more work to do because the original patch that Progress issued for one of the flaws does not mitigate new issues that the software maker discovered after the patch release.

The new MOVEit Transfer vulnerabilities are both improper authentication issues in the SFTP module. They allow an attacker to potentially impersonate any user on an affected instance and take control of it. One of the flaws, tracked as CVE-2024-5806, affects MOVEit Transfer versions from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, and from 2024.0.0 before 2024.0.2. The other, identified as CVE-2024-5805, affects MOVEit Gateway: 2024.0.0.

When Progress first disclosed CVE-2024-5806 on June 25, the company assigned the flaw a medium-severity score of 7.4 out of a maximum possible 10 on the CVSS scale. Progress quickly upgraded that score to 9.1 after researchers at watchTowr discovered a vulnerability in a third-party component (IPWorks SSH) used in MOVEit Transfer. Progress described the issue as introducing new risks to organizations, including those that might have already applied the patch for CVE-2024-5806.

In an update to its original advisory, Progress urged affected organizations to install the patch and also block public inbound RDP access to MOVEit Transfer servers and limit outbound transfers to only known and trusted endpoints.

An Internet scan that Censys conducted on June 25 unearthed some 2,700 MOVEit Transfer instances online, most of them in the US. Internet scanning entity ShadowServer, which reported observing exploit attempts targeting CVE-2024-5806 almost immediately after Progress disclosed the flaw, identified some 1,800 instances online as of June 27.

**Relatively Easy to Exploit**

"Based on our understanding of the vulnerability, exploitation doesn't appear exceptionally difficult," says Emily Austin, principal security researcher at Censys. In theory, an actor would need to identify an unpatched MOVEit Transfer instance and know a valid username for accessing the service, she says. "While knowing a valid username might seem like a hurdle, a little OSNIT combined with watchTowr researchers' discovery of a method for enumerating valid MOVEit Transfer instance usernames makes this somewhat trivial," Austin notes.

The new flaws come a year after Progress disclosed CVE-2023-34362, a SQL injection zero-day vulnerability in MOVEit Transfer that ranked as one of the most widely exploited flaws of 2023. The Cl0p ransomware group, which claimed credit for discovering the flaw, was among the many that exploited it with devastating affect last year.

Affected organizations cannot afford to delay given how widely they are being targeted, says Mike Walters, president and co-founder of Action1. "The consequences can be devastating because these vulnerabilities allow an attacker to take over the server," Walters says. "With a CVSS score of 9.1 and a PoC available, the vulnerability will likely be added to the toolkit of leading APT groups rather quickly." If the companies that were attacked last time have not ramped up their information security in any way, the consequences for them could well be the same as last time, he warns.

Austin says CVE-2024-5806 is somewhat more complex than the SQL injection bug in MOVEit Transfer that Cl0p exploited throughout 2023. Even so, instance administrators should still take the new flaw very seriously and follow mitigation guidance provided by Progress Software, she says.

"We don't have a way to see exploitation or patch status of MOVEit Transfer instances, but we know that as of Tuesday, June 25, 2024, there are 2,700 MOVEit Transfer instances exposed to the Internet," Austin says. "This is very similar to the number of MOVEit Transfer exposures we observed around this time last year, suggesting that the tool is still widely used in spite of various security issues."

**Cause for Optimism?**

Despite the severity of the threat, there is still some optimism that the new flaws that Progress disclosed this week — especially CVE-2024-5806 — won't cause quite as much damage as last year's SQL injection flaw because patches are already available.

At this time, it seems unlikely that the exploitation of this vulnerability will be as widespread as last year's massive campaign exploiting CVE-2023-34362, says Paul Prudhomme, principal security analyst at SecurityScorecard. "That was a zero-day vulnerability, giving threat actors more time to exploit it before a patch became available," he says. "In this case, threat actors have less time because patches are already available; the most that they can do is take advantage of organizations’ delays in patching it, so this window of time is crucial to minimizing its impact."

Prudhomme reiterates that patching alone is not sufficient against vulnerabilities such as CVE-2024-5806. "A layered security approach, combining patching with threat intelligence and proactive risk management, is essential," he says. "Organizations can build resilience against evolving cyber threats by prioritizing a multifaceted approach to security.”

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Source

DARKReading