Archive for January 17, 2025

2024 US Healthcare breaches: 585 incidents, 180 million compromised records

Posted in Commentary with tags on January 17, 2025 by itnerd

SecurityWeek conducted an analysis of the US Department of Health and Human Services Office for Civil Rights (HHS OCR) healthcare breach database which stores information on incidents with over 500 victims.

The OCR was informed of about 585 incidents impacting the protected health information of roughly 180 million records between January 1, 2024, and December 31, 2024.

Of the total number of data breaches, the type of entities impacted included:

  • 73% – Healthcare providers
  • 17% – Healthcare business associates
  • 10% – Health plans

Most incidents (86%) were described as ‘hacking/IT incident’, followed by incidents involving unauthorized access or disclosures. Almost 70% involved network servers and roughly 22% involved email.

The biggest healthcare data breach of 2024 was of course the ransomware attack on Change Healthcare, resulting in the information of roughly 100 million individuals getting stolen.

Other notable incidents include:

  • Kaiser Permanente – 13.4 million
  • Ascension Health – 5.5 million
  • HealthEquity – 4.3 million
  • Concentra Health Services – 3.9 million
  • Centers for Medicare & Medicaid Services – 3.1 million
  • Acadian Ambulance Service – 2.8 million
  • A&A Services, dba Sav-Rx – 2.8 million
  • WebTPA – 2.5 million
  • Integris Health – 2.3 million
  • Medical Management Resource Group – 2.3 million
  • Summit Pathology – 1.8 million
  • Geisinger – 1.2 million

Emily Phelps, Director, Cyware:

“The number of healthcare data incidents reported in 2024 underscores the opportunity to strengthen security practices across the sector. In 2025, adopting approaches like real-time intelligence sharing and operationalizing threat intelligence can help healthcare entities work more effectively. By fostering collaboration and integrating automation and orchestration, healthcare organizations can streamline their defenses, improving their ability to identify and respond to threats quickly. A collective defense model enables organizations to share insights and best practices, building a more resilient and connected ecosystem that better protects sensitive patient information and ensures uninterrupted care.”

This is a reminder that the health care sector is a target-rich environment for threat actors. This needs to change, and ASAP. Otherwise I will have a similar story next year for you to read.

It’s Official, TikTok Is Screwed…. Probably

Posted in Commentary with tags on January 17, 2025 by itnerd

The Supreme Court just handed TikTok a virtual death sentence in the US by upholding a law that bans them effective Sunday:

The U.S. Supreme Court on Friday unanimously upheld the federal law banning TikTok, beginning Sunday, unless it’s sold by its China-based parent company, holding that the risk to national security posed by its ties to China overcomes concerns about limiting speech.

TikTok’s parent company, China’s ByteDance, was given until Sunday to find an American owner for the app or face going dark in the U.S., under bipartisan legislation signed last year by outgoing President Joe Biden.

Now there is a possibility that Donald Trump, who takes over as President of the United States as of Monday, could save TikTok. Which is interesting, as he was anti-TikTok the last time he was president. So we will have to see if he is able to do so. But as it stands now, it looks like TikTok will be dead in the US as of Sunday. And one has to wonder if other countries will follow suit.

UPDATE: Here’s some commentary from some industry experts:

Lawrence Pingree, VP, Dispersive

“I think that there are some valid concerns about the involvement of government agencies in espionage and influence operations that are important issues to address. Things like data sovereignty, isolation networks and access, regular trusted third-party audits, background checks, authentication of remote employees, and, potentially, source code review are all prudent measures to require. Bans need to consider the totality of the situation and the politics of the time.”

Ted Miracco, Approov CEO

“Liberty can only thrive when paired with accountability. As the Supreme Court shutters TikTok, it’s a reminder that safeguarding freedom of speech means not just shouting into the void, but doing so with transparency and responsibility. Regardless of where a platform originates, our online spaces must be protected from manipulation to uphold the integrity of our perspectives.”

Willy Leichter, CMO, AppSOC

“If you peel back all the politics, international negotiations, and social media hype, the TikTok ban came from genuine concerns about privacy and national security. To say that banning one platform will permanently affect free speech seems like a stretch. The fickle social media market will quickly find many alternative ways to share content and amuse themselves. Assuming this ruling doesn’t get watered down by the Trump administration, it’s an example of pursuing and acting upon serious security issues.”

CISA shares guidance for Microsoft expanded logging capabilities

Posted in Commentary with tags on January 17, 2025 by itnerd

This week, CISA shared guidance for government agencies and enterprises on using expanded cloud logs in their Microsoft 365 tenants as part of their forensic and compliance investigations:

This playbook provides an overview of the newly introduced logs in Microsoft Purview Audit (Standard), which enable organizations to conduct forensic and compliance investigations by accessing critical events, such as mail items accessed, mail items sent, and user searches in SharePoint Online and Exchange Online. In addition, the playbook also discusses significant events in other M365 services such as Teams. Lastly, administration/enabling actions and ingestion of these logs to Microsoft Sentinel and Splunk Security Information and Event Management (SIEM) systems are covered in detail.

The desired outcome of this playbook is to empower enterprises seeking to operationalize these expanded cloud logs in their M365 tenant. It provides guidance on how to navigate to the logs within M365 and how to perform administration actions to enable the logs. A key outcome from the playbook is making the newly available logs an actionable part of enterprise cybersecurity operations. The analytical methodologies tied to using these logs to detect advanced threat actor behavior are covered in detail.

Botond Botyánszki, founder and CTO at NXLog, commented:

“Compromised business email accounts remain the most common type of security breach, underscoring the need for accurate and timely log collection and processing. Audit logs of relevant events — such as email activity, mailbox access, and user searches in Exchange Online and SharePoint Online — are vital for investigating potential intrusions, and continuous monitoring can help detect and prevent breaches before it’s too late.”

“The release of the ‘Microsoft Expanded Cloud Logs Implementation Playbook’ is a significant step forward in enhancing organizational security posture. The playbook empowers organizations to detect and respond to potential intruders targeting M365 more effectively, aligning with modern cybersecurity needs.”

“The newly added logs available with Microsoft Purview Audit (Standard) include events such as email items accessed, email items sent, user searches in SharePoint and OneDrive, and Exchange Online activities. These audit logs provide critical visibility into key actions, such as monitoring email access for unauthorized data access, tracking outbound email activity to detect possible exfiltration, and identifying unusual searches for sensitive files. The guidance on integrating these logs with SIEM solutions like Microsoft Sentinel and Splunk ensures that security teams can seamlessly leverage their existing tools for proactive threat hunting and incident response. This initiative underscores the importance of robust log management practices in a cloud-first world, empowering organizations to defend against advanced intrusion tactics effectively.”
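For the three detection use cases the quote lists (unauthorized mailbox access, outbound sends that may be exfiltration, and searches for sensitive files), here is an added example of triaging those Purview Audit (Standard) events over constructed records. It is my own code, not CISA's playbook or NXLog's; the record shape follows the Office 365 Management Activity API schema as I understand it, and the baseline IPs, thresholds and sensitive-term list are assumptions.

```python
# Added example (not CISA's or NXLog's code): triage of Purview Audit (Standard)
# records for the three use cases quoted above. Field names follow the Office 365
# Management Activity API schema as I understand it; verify against your export.

# Constructed sample records, not real tenant data (alice's baseline IP differs).
SAMPLE_LOG = [
    {"Operation": "MailItemsAccessed", "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                             {"Name": "IsThrottled", "Value": "False"}],
     "Folders": [{"Path": "\\Inbox", "FolderItems": [
         {"InternetMessageId": f"<m{i}@example.com>"} for i in range(40)]}]},
    {"Operation": "MailItemsAccessed", "UserId": "bob@example.com", "ClientIP": "198.51.100.20",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"},
                             {"Name": "IsThrottled", "Value": "True"}], "Folders": []},
    {"Operation": "Send", "UserId": "alice@example.com", "ClientIP": "203.0.113.7"},
    {"Operation": "SearchQueryInitiatedSharePoint", "UserId": "carol@example.com",
     "ClientIP": "192.0.2.10", "QueryText": "payroll ssn"},
    {"Operation": "SearchQueryInitiatedExchange", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.7", "QueryText": "quarterly report"},
]
KNOWN_IPS = {"alice@example.com": {"192.0.2.5"}}  # constructed per-user baseline
SENSITIVE_TERMS = ("password", "payroll", "ssn")  # constructed watchlist


def triage(records, known_ips=KNOWN_IPS, bulk_threshold=25):
    """Return (user, reason) findings in log order."""
    findings = []
    unfamiliar = set()  # (user, ip) pairs that read mail from a non-baseline IP
    for r in records:
        user, ip, op = r["UserId"], r["ClientIP"], r["Operation"]
        new_ip = ip not in known_ips.get(user, set())
        if op == "MailItemsAccessed":
            props = {p["Name"]: p["Value"] for p in r.get("OperationProperties", [])}
            n = sum(len(f.get("FolderItems", [])) for f in r.get("Folders", []))
            if props.get("IsThrottled") == "True":  # >1,000 bind ops in 24h: events dropped
                findings.append((user, "throttled MailItemsAccessed: access events were dropped"))
            if new_ip and n >= bulk_threshold:
                findings.append((user, f"bulk read of {n} items from unfamiliar IP {ip}"))
            if new_ip:
                unfamiliar.add((user, ip))
        elif op == "Send" and (user, ip) in unfamiliar:  # read-then-send, same unfamiliar IP
            findings.append((user, f"outbound send from {ip} after mailbox access, possible exfiltration"))
        elif op.startswith("SearchQueryInitiated"):
            hits = [t for t in SENSITIVE_TERMS if t in r.get("QueryText", "").lower()]
            if hits:
                findings.append((user, f"{op[len('SearchQueryInitiated'):]} search for sensitive terms {hits}"))
    return findings
```

A throttled record is itself worth a ticket: once throttling kicks in, Exchange Online stops writing MailItemsAccessed events for that mailbox, so the absence of further events is not evidence of no access.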

Every organization should read this playbook from CISA, as it offers excellent guidance that will help them better defend against constantly evolving cyberthreats.

New LA Fire Phishing Campaigns Discovered Exploiting GoFundMe, Cleanup Services, Insurance Claims

Posted in Commentary with tags on January 17, 2025 by itnerd

BforeAI has revealed that its researchers discovered multiple threats surrounding the recent LA wildfires: phishing campaigns centered on themes including insurance, fundraising, claims, restoration, and the fire department.

To keep the campaigns relevant, the majority of domains retrieved since the incident use keywords such as support, LA, fire, relief, and fund. BforeAI’s threat research report examines the patterns of domain registrations related to the LA wildfires, identifying trends and potential risks.

Key findings include LA wildfire-themed cryptocurrency, GoFundMe campaigns, and misleading malicious merchandise stores. BforeAI also compares the fraudulent domain activity to previous campaigns exploiting natural disasters, such as the hurricanes that hit in 2024.

You can read the research here: http://bfore.ai/malicious-domain-activity-during-the-los-angeles-wildfires