
Risky Biz News: Change Healthcare blames it all on a Citrix password

2024/4/30

Risky Business News

UnitedHealth CEO Andrew Whitty revealed that Change Healthcare was hacked through a Citrix account without multi-factor authentication, leading to a ransom payment that was stolen by the ransomware group.

Change Healthcare blames a hack on an unsecured Citrix account, the FTC fines US telcos millions for selling location data, researchers propose a new privacy.txt format and Finland sentences the Vastaamo hacker to prison.

This is Risky Business News, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 1st of May, and this podcast episode is brought to you by Socket Security. Socket makes a security platform for developers that protects their software from vulnerable and malicious open source dependencies. Find them at socket.dev.

In today's top story, UnitedHealth CEO Andrew Witty says hackers breached the network of its Change Healthcare subsidiary using stolen credentials for the company's Citrix web portal. Witty says Change Healthcare did not use multi-factor authentication on the hacked Citrix account.

The UnitedHealth CEO didn't mention the exploitation of any Citrix vulnerabilities. He also took credit for deciding to pay the hackers' ransom demand. The decision backfired after the leaders of the ALPHV ransomware group stole the $22 million for themselves. This led the ALPHV affiliate who carried out the attack to continue the extortion against Change Healthcare, seeking a new payment.

In other news, academic security and privacy researchers have proposed a new standard for the management of privacy policies and consumer rights. The new standard is named privacy.txt and was inspired by similar solutions like robots.txt or security.txt.

It's designed to work as a text file placed in a website's root or well-known directory. It will provide information about a site's privacy policy. It will also list email addresses or URLs where users can have their accounts or personal data deleted. Researchers designed the standard as more countries are adopting privacy regulations and as tools are being made to automate the removal of user data from the internet. The new standard will allow website operators to comply more easily with such requests.
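The news item describes the proposed file only at a high level, so the following is an added illustration and not the researchers' specification: it assumes a security.txt-style "Field: value" layout and the hypothetical field names Policy, Delete-Account, Delete-Data and Contact, then pulls out the deletion endpoints while rejecting anything that is not an https URL or a mailto address.

```python
"""Parse a privacy.txt-style file (field names are assumptions, not the real spec)."""
import re
from urllib.parse import urlparse

# Constructed sample file for this example; not taken from any real site.
SAMPLE = """\
# privacy.txt (constructed example)
Policy: https://example.com/privacy
Delete-Account: https://example.com/account/delete
Delete-Data: mailto:privacy@example.com
Delete-Data: https://example.com/data/erase
Contact: mailto:dpo@example.com
Expires: 2025-01-01T00:00:00Z
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_privacy_txt(text):
    """Return {field: [values...]}, ignoring comments and blank lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def valid_endpoint(value):
    """Accept only https:// URLs or mailto: addresses; plain http and other schemes are rejected."""
    parsed = urlparse(value)
    if parsed.scheme == "https" and parsed.netloc:
        return True
    if parsed.scheme == "mailto" and EMAIL_RE.match(parsed.path):
        return True
    return False


def deletion_endpoints(text):
    """Collect usable account/data deletion endpoints from a privacy.txt-style file."""
    fields = parse_privacy_txt(text)
    found = fields.get("Delete-Account", []) + fields.get("Delete-Data", [])
    return [v for v in found if valid_endpoint(v)]
```

An automated data-removal tool would fetch the file from a site's root or .well-known directory and then call deletion_endpoints on the body.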

The U.S. Federal Communications Commission has fined the U.S.'s four largest wireless carriers for selling customer location data without consent. The FCC has fined T-Mobile $80 million and AT&T $57 million. It also fined Verizon $47 million and Sprint $12 million.

The sale of location data gained attention following a 2018 New York Times article on Securus Technologies, a company that sold location data to US law enforcement.

The US FTC has expanded its data breach reporting rules to cover the makers of healthcare apps. The updated rules will apply to fitness trackers, fertility apps and similar technologies. App makers will have to notify regulators, consumers and the public when they suffer a security breach. The new rules also apply to third-party service providers, which will have to notify healthcare organisations when their data is compromised.

The new rules will go into effect 60 days after publication in the Federal Register.

The UK government says it's on track to remove all Chinese-made security cameras from sensitive government sites by April next year. Officials say the vast majority of secure sites never deployed such equipment anyway. Half the sites that did use Chinese cameras have already replaced the devices.

The European Commission has opened an investigation into Meta over deceptive advertising and its handling of political content.

EU officials are looking at Meta for failing to detect a pro-Russian propaganda network that ran ads on Facebook and Instagram for months. Non-profit research organisation AI Forensics linked the campaign to Russian disinfo group Doppelganger. AI Forensics says the campaign reached 38 million users and that Meta flagged only 20% of the ads as political in nature.

A judge has sentenced Finnish hacker Aleksanteri Kivimäki to six years and three months in prison. Kivimäki was found guilty of hacking Vastaamo, a chain of psychotherapy centres, stealing medical records and extorting the company and its patients. He leaked medical records on the dark web and sent ransom demands to 33,000 patients asking for 200 euros from each.

Kivimäki was detained in France last year while attempting to use a fake passport. His lawyer says they will appeal the sentence. The Vastaamo hack is considered one of the worst in the country's history due to the highly sensitive nature of the leaked information and the massive extortion campaign that followed.

Pharmacy chain London Drugs has closed its stores across Western Canada in the aftermath of a cyber attack. The incident took place over the weekend and is suspected to be a ransomware attack. The company operates more than 80 stores.

Nearly 20% of all Docker Hub repositories hosted malware or malicious content, according to DevSecOps company JFrog. The percentage accounts for nearly 3 million Docker images out of the 15 million hosted on the platform.

JFrog says that most of the malicious repositories did not even contain functional Docker images. They hosted metadata or resources for malware operations taking place outside the Docker Hub ecosystem, such as spam or black hat SEO campaigns.

A threat actor known as Secret Crow is conducting vishing operations targeting South Korean users. The group is luring users to install malicious Android apps on their devices that are infected with a new malware strain called Secret Calls. According to South Korean security firm S2W Talon, the malware is designed to intercept calls to financial institutions and divert payments to the attacker's accounts.

The group has been active since last year and some of its apps were available on the Google Play Store.

Researchers at HiddenLayer have discovered a vulnerability in the R programming language, used for statistical analysis and data visualization. The vulnerability is a classic code execution attack through the deserialization of untrusted data. Many other programming languages have been vulnerable to this class of attack. R joins the likes of Java, Ruby, PHP and .NET.

Prices for IPv4 addresses started to decline for the first time last year. Dutch internet registry SIDN says cloud providers appear to have played a major role in the IPv4 market slowdown. The organisation says cloud companies have already secured enough IPv4 inventory and have exited the IPv4 market, causing demand and prices to go down.

Other reasons also included the increase in IPv6 adoption and the proliferation of better dual-stack technologies.

And finally, QNAP has released the first version of its NAS operating system that has an anti-ransomware feature. It works by constantly monitoring file operations for unusual activity. Once a possible attack is detected, it will act to block and back up the user's data. Internet-exposed QNAP devices have been the target of several ransomware strains over the years.

And that is all for this podcast edition. Today's show was brought to you by our sponsor, Socket Security. Find them at socket.dev. Thanks for your company.