Archive for December 17, 2024

Phreesia ConnectOnCall Breach Exposes Medications, SSNs of 900K Patients

Posted in Commentary on December 17, 2024 by itnerd

After-hours telehealth platform ConnectOnCall has started notifying 914,138 patients that their personal and health data was exposed in a May breach. The company’s Notice of Security Incident states: “On May 12, 2024, ConnectOnCall learned of an issue impacting ConnectOnCall and immediately began an investigation and took steps to secure the product and ensure the overall security of its environment.”

Social Security numbers, diagnoses and medications are among the patient data potentially compromised. ConnectOnCall is a subsidiary of Phreesia, a patient-intake software-as-a-service provider. Based on the investigation, there is no evidence that Phreesia’s other services have been affected. In response, Dispersive cybersecurity expert Lawrence Pingree (formerly with Gartner) offers his perspective.

Lawrence Pingree, VP, Dispersive had this comment:

“This breach looks like it’s application security related, likely a breach of the application via SQL injection or credential theft exposure, but since no details of the breach are available, it’s hard to say. In any case, isolating critical systems and applications with the best possible multi-factor authentication and protecting applications through micro-segmentation are key approaches to isolate the breadth of breach.”

This is yet another example of health care being the target of a cyberattack. That was an ongoing theme in 2024, and, unfortunately, it is likely to remain one in 2025.

TEMU was Canada’s most downloaded iPhone application in 2024

Posted in Commentary on December 17, 2024 by itnerd

Temu was the top downloaded iPhone app in Canada for 2024, according to App Store data just released by Apple. Temu is also the only e-commerce app among the top 15 free apps in Apple’s rankings.

Launched in Canada in February 2023, Temu empowered qualified sellers to manage their logistics and ship products directly from local warehouses in Canada. This initiative expanded Temu’s product range and significantly reduced delivery times for local customers. Canadian consumers can now receive their Temu orders in as little as one business day.

Globally, Temu is ranked #1 in Canada as well as in 23 other markets out of the 30-plus countries and regions for which Apple released an official ranking, including the U.S., the UK, Germany, and South Korea. In the U.S., Temu has held the #1 position for two consecutive years (2023 and 2024).

Temu launched in the U.S. in 2022 and has since expanded to serve consumers in over 80 markets across the Americas, Europe, the Middle East, Africa, Asia, and Oceania. Through its direct-from-factory model, Temu connects consumers directly with manufacturers, minimizing the number of intermediaries and associated costs. These savings are passed directly to customers through competitive pricing.

Datadog Does A Deep Dive Into A WordPress Supply Chain Attack

Posted in Commentary on December 17, 2024 by itnerd

Since I am a WordPress user, any security news related to WordPress tends to catch my attention. This research by Datadog certainly did. In short, a threat actor tracked as MUT-1244 has stolen over 390,000 WordPress credentials. This campaign is huge and has been going on for years, so it is far from trivial. Full details of how the campaign worked are in the research that I linked to. But if you want the TL;DR, Matt Bromiley, Lead Solution Engineer at LimaCharlie, can help you with that:

“This attack utilized two initial access mechanisms. These techniques are the methods by which adversaries attempt to infect victim users. The two mechanisms were:

  • Spearphishing – This mechanism targeted academics. The phishing emails were crafted to look like kernel upgrade notifications, providing a link to run malicious code.
  • Trojanized GitHub Repositories – This mechanism mimicked GitHub repositories of legitimate proof-of-concept (PoC) exploits for known CVEs. However, the PoC code was changed to utilize malicious libraries, subsequently infecting the systems of victims who ran the copied repositories.

The term ‘same second-stage payload’ indicates that regardless of phishing or malicious PoC code, the secondary payload dropped onto the victim systems was the same. Essentially, this means that the attackers had two delivery mechanisms – and targeted victims – to deliver the same payload, which was a backdoor that exfiltrated system details and credentials, amongst other information.

The report indicated 49 malicious repositories masquerading as legitimate PoC code. They were strategically named to appear legitimate, so as not to tip off adversaries. It is not irregular to see these types of numbers, as replicating a code repository with malicious code is trivial.

This is classified as a supply chain attack due to the exploit of libraries or tools utilized in code. In this case, the victims did not execute inherently malicious code. Instead, they executed code that incorporated a malicious package. Thus, analysis of the initial code would not warrant suspicion. It would require that users analyze the imported libraries in order to identify the malicious backdoor.”

This attack is very crafty, which is why it has been so successful. It shows that defenders need to change how they defend so that the next attack using methods like these isn’t nearly as successful.


2025 Predictions from Srikant Sreenivasan, CEO of Connect Secure

Posted in Commentary on December 17, 2024 by itnerd

Srikant Sreenivasan, CEO of Connect Secure, has offered the following 2025 technology predictions on trends in the governance, risk and compliance industry as it relates to MSPs.

Secure Data Clouds Become Non-Negotiable for Compliance

With compliance frameworks like CMMC (Cybersecurity Maturity Model Certification) and stricter global regulations, secure data clouds will shift from being optional enhancements to essential infrastructure. Organizations in defense, healthcare, and other regulated industries will prioritize secure, compliant cloud solutions to meet mandatory standards and avoid penalties. Businesses not adopting these technologies risk falling behind or being excluded from critical contracts.

Exploited Vulnerabilities Emerge as the Fastest-Growing Threat

By 2025, exploited vulnerabilities will surpass phishing as the most rapidly growing cybersecurity threat. Attackers are increasingly automating the discovery and exploitation of unpatched systems, leaving organizations exposed. The sheer volume and sophistication of attacks will force Managed Service Providers (MSPs) to evolve, incorporating proactive vulnerability management solutions into their service offerings to protect clients and mitigate risks.

Demand for Proactive Cybersecurity Outpaces Traditional Approaches

As exploited vulnerabilities dominate headlines and compliance mandates intensify, businesses will demand proactive cybersecurity measures over reactive ones. MSPs that offer real-time threat detection, vulnerability assessments, and patching services will become the trusted partners of the future. The expectation will shift from simply responding to incidents to ensuring systems are continually hardened against evolving threats.

RunSafe Security Launches New Software Supply Chain Security Platform

Posted in Commentary on December 17, 2024 by itnerd

RunSafe Security, a leader in immunizing software from cyberattacks through a patented, frictionless process, today announced the release of the RunSafe Security Platform that automates risk identification, exploit prevention, and runtime software monitoring. Now, developers can generate a high-fidelity software bill of materials (SBOM) at build time, ensuring the highest level of accuracy in identifying software components and related vulnerabilities. This powerful, comprehensive solution includes the authoritative, build-time C/C++ SBOM generation for embedded systems and enhances a system’s resiliency by automating the remediation of memory safety vulnerabilities in compiled code.

Software supply chain transparency can reduce risk and build trust. With regulations such as the Cyber Resilience Act and the FD&C Act, building and including SBOMs is quickly becoming a business must. These requirements are driven by software supply chain security concerns, which underscore the critical need for SBOMs to identify risks and stay ahead of potential threats.

Leading global software organizations, including Lockheed Martin, Vertiv, and Critical Software, already use the RunSafe Security Platform. “RunSafe’s platform is timely given the new EU Cyber Resilience Act’s product liability,” says Critical Software CEO Joao Carreira. “Not only can organizations generate a complete SBOM, they can immediately mitigate vulnerabilities and future-proof against zero days using automated tools freeing developers to focus on new feature development.”

Powered by 400-plus vulnerability data sources, the RunSafe Security Platform delivers comprehensive cybersecurity solutions for embedded systems deployed across critical infrastructure. By generating an SBOM with complete visibility into software components, the platform reveals software dependencies, identifies vulnerabilities and quantifies risks. Organizations are provided with actionable insights to reduce exploit paths and enhance their security posture using automated tools throughout the development lifecycle.

Key capabilities and benefits include:

  • RunSafe Identify generates SBOMs for embedded systems at software build time, identifies software vulnerabilities, and quantifies available risk reduction technologies for those vulnerabilities. By offering insights into software components, vulnerabilities, and effective mitigation strategies, RunSafe empowers organizations to enhance their software’s resilience against evolving cyber threats.
  • RunSafe Protect mitigates cyber exploits by relocating software functions in memory every time the software is run. This results in a unique memory layout to prevent attackers from exploiting memory-based vulnerabilities. This approach maintains system performance and functionality without modifying the original software. RunSafe also offers a repository of pre-hardened open-source packages and containers, providing immediate protection against attacks in open-source software commonly used in proprietary software.
  • RunSafe Monitor provides real-time crash data and heuristics to determine whether a crash was a software bug or the result of a cyber attack. This capability enables precise triage, minimizing time and effort wasted on false positives. RunSafe’s passive monitoring listens for software crashes, collecting data on stability, reliability, and potential vulnerabilities. When a crash occurs, this data is swiftly directed to incident response teams for accurate and efficient triage, enhancing overall software security and resilience.

The RunSafe Security Platform will be generally available on December 16, 2024. To learn more, visit https://runsafesecurity.com/runsafe-platform/

Rhode Island Benefits System Hit By Cyberattack

Posted in Commentary on December 17, 2024 by itnerd

Rhode Island officials have revealed that hundreds of thousands of residents’ personal and financial information was likely stolen in a ransomware attack on the state’s government assistance programs. The breached data affects people who have applied for or received benefits since 2016, such as Medicaid, SNAP benefits, TANF, Childcare Assistance, long-term services and supports, HealthSource RI and other benefits. Data involved may include names, addresses, dates of birth, Social Security numbers and certain banking information.

The online benefits platform, RIBridges, was taken offline on Friday, after the state was informed that there was a major security threat to the system. Applications are being processed on paper until the issue is remediated.

Lawrence Pingree, VP, Dispersive had this to say:

“Ransomware continues to plague many organizations, and the strategies of protection against ransomware threat actors continually evolve. A keen focus on endpoint prevention and micro-segmentation, along with protection and isolation of identity systems, is key to reducing the impact of ransomware threats.”

As we come to the end of the year, I fully expect to see more situations like this where governments are targeted. That’s not good and it means that defenders should act accordingly.

Equifax Canada Completes Multi-Year Cloud Transformation

Posted in Commentary on December 17, 2024 by itnerd

Equifax Canada is excited to announce the successful completion of a multi-year cloud transformation of all customer products and platforms onto the Equifax Cloud™. This ambitious move allows Equifax Canada to help customers and partners leverage unique, proprietary Equifax data and patented EFX.AI capabilities to help them solve their business challenges, manage risk, and grow their business.

The Equifax Cloud is a top-tier global technology and security infrastructure backed by a multi-year investment of more than $1.5 billion. It has changed nearly every aspect of the Equifax infrastructure and is one of the largest cloud initiatives ever undertaken in the financial services industry. Today, Canada’s largest consumer credit bureau and largest commercial credit bureau are operating on the Equifax Cloud, delivering a new agile foundation of improved speed, security and resiliency, and more powerful insights than ever before.

Equifax partnered with Google Cloud in 2019 for this transformation and received three consecutive Google Cloud Financial Services Customer Awards for demonstrating innovative thinking, technical excellence and transformation execution.

With this comprehensive digital transformation complete, Equifax Canada is now leveraging the Equifax Cloud to develop customer-focused solutions such as the Global Consumer Credit File, the Canadian Small Business Health Index (in partnership with BDC), and Equifax Complete Protection.

For more information on the Equifax Cloud, please visit: https://www.equifax.ca/about-equifax/equifax-cloud/