Cybersecurity The State of Enterprise IT Security Podcast - S1 EP. 11: Change Healthcare Ransomware Payment, Apple’s Update for Zero-Day Attacks, CrowdStrike CEO on Cyber Criminals Leveling Up

04:10 Now, I'm sure a lot of you have heard about the change healthcare ransomware attack. Some of you may have heard that there was a payment made in the tune of 22 million. And when you break it down, the ransomware attack targeted change healthcare. And I would say it's probably been one of the most disruptive in years. The main reason is that it's crippled pharmacies across the US, and some of those have been in hospitals, and it's really led to a lot of snags in delivering prescription drugs nationwide.

And this has been going on for ten plus days, and it's still going on now. What's interesting, and the reason I bring this up is there's actually been a dispute in the criminal underground on who actually got paid from the hacker group behind this. Now, I don't ever like to talk about who the hacker groups are because it's almost like you say their name and you give them some power. So I'll just leave it as there's a well known hacker group, you could look it up.

08:08 And there was a $22 million transaction that looked very much like a large ransom payment. Now, there are security research firms and threat intel firms that are monitoring and And so now there's some infighting in this hacker group on who got paid. And I find it interesting that one of these people or peoples are upset about it. You're robbing people, and now you're sad that you didn't get your cut. And I guess, what do you expect from criminals?

So I also want to take a look at this from the standpoint of a large transaction like this. And what does it say? And you heard me talk about this on a previous podcast, it's likely that the victim did pay the ransom. So I've said all of this where the indicators are that change healthcare paid. But what I want to stress is that every ransomware payment that we make, it emboldens the attackers and the groups that are responsible for this. And what it also does, it is encourages other attackers to do the same thing.

So they'll try something similar, basically taking a page out of the playbook. And the fear is that they're going to attack other healthcare services that patients depend on in the same or similar ways. Now, with ransomware gangs, nothing is super known or predictable. But what we found is they are acting relatively predictable in the fact that they see something as lucrative, they're going to attack it and they're going to do it over and over again. And consider this a bit of a warning because of one pretty important piece of information.

10:27 So in going through how this attacker breached the healthcare provider, what we've learned is that there were 28 other companies that have appeared on a dark website. And it's a site that's typically used to extort victims. And it's not just change healthcare that showed up there. It's like 28 other companies that are affiliated. The site that this was on, it looks like it's offline now.

And then there was another one that has a government seizure notice on it. But what's interesting is when you examine the notice, it's actually an exact duplicate of the one that this hacker group got last year for a different attack when the government did take down one of their sites. So everyone's scratching their heads but us. As security practitioners, we're not scratching our heads very hard, because what this is is they're trying to throw everyone off the scent and say, oh, well, this hacker group's been taken down and they're going to just disappear back into the ether like they typically do.

But I think what you'll be able to see is that's not the case. In fact, I think what we're facing is now a target. And those 28 companies that were affiliated with change, I think, are on that list. So there's a lot of threat intelligence out there right now. There's a lot of ways of finding out if you are on that list. And this is one of those things that I don't typically offer up this kind of a thing in our show. However, if you are a healthcare provider and you're a listener, please reach out and contact us if you haven't been able to find if you're on that list, because we do have that. I don't want to go through all of it in the show, but please reach out and we're more than willing to give you some advice on what to do next.

14:35 Second topic of today, Apple blunts zero-day attacks with iOS 17.4 update. Now it's an update for iOS. There's also an update for iPad OS. So 17.4 both ways. There's also an update that they did for the 16 seven six. And I know I'm just throwing out numbers, but what's interesting to know is for those that haven't upgraded to 17, this is a bad enough security defect where they've gone back to a previous build and also patched that.

The reason for this is it's a kernel vulnerability and there's two of them. So if you're interested in nerding out a little bit, CVE 2002 423225 and then you've got 23296. So if you're going to look at these, I'll just break it down simply for you. They're both kernel read write related and they can bypass kernel memory protection. And what's interesting is you don't see this all the time, but Apple marked this flaw as exploited, which means it's already been exploited. And that's concerning because generally, and I said this in a previous episode, Apple's pretty good at getting in front of stuff and quickly, and this one looks like it's already been exploited.

There's also some other privacy flaws that were identified in some of the accessibility features and that allows apps to do things like read sensitive location information. And we know that's fairly dangerous. And then there's a safari private browsing bug and some locked private browsing capabilities, things like that. So I don't always bring this stuff up, but this one, I think is bad enough where if you're listening to me on an Apple device and you haven't got the pop up notification to patch, I would suggest you check manually, take some time, go through and patch your mobile device.

17:00 Third topic today, CrowdStrike CEO George Kurtz. Great guy, says that cybercriminals are leveling up and he's saying something similar to what we on the show have said previously, which is it's going to be a battle of AI in the future. And I think the future is already here in a lot of ways. So I was listening to George Kurtz have a conversation with Jim Kramer, and they noted that cybercriminals are growing in number.

And part of that is because they increasingly have access to advanced Gen AI, and they can carry out attacks even if they themselves are less skilled. And I would say this is fact. So, Gen AI, think of it as it's taking techniques that were once only known by a small group of people, basically adversaries, who don't have the same sophistication or skill level. Now, they've got access to the same tools and tactics of these small elite groups that were either attacking or defending organizations. Now, it's not all doom and gloom.

The good news is, the two shared on the security side, that CrowdStrike leverages Gen AI, and they're doing that to help their customers. Now, granted, I'm not getting paid to talk about CrowdStrike, but I do think it's important to note that this is a company to watch on how they're going to battle AI in the future. And the only way to battle AI is with AI in my mind. So we've talked before about augmented intelligence, and we're still in that phase, but eventually we're going to be in full blown, like, AI, artificial intelligence, kind of doing its own thing. And I think we're eventually going to have companies that have their own ais. And those two, three, four, however many they are, are going to be exchanging information between each other, and we're just going to skip the human entirely. So, more to discuss around that, but let me stay on topic here.

So, in this conversation, the two really hit on cybercrime being more active than ever. And I think a lot of companies are getting frustrated with legacy tech. That requires them to think of it as like a band aid of different technologies and platforms, throwing in middleware APIs that don't truly talk to each other, having to stand up a syslog server to basically feed first and then go to your sim, things that are just counterintuitive, and think of it as technology, debt and drag, and it just makes it harder to do, and we're trying to make things more simple. And I like that. George. He goes into that. He says that this is really why it's important for companies to create something that has a single. And he says it more simple platform that can stop breaches and really plug in new capabilities and do that seamlessly. That's why we're definitely in this stage of platforms as opposed to nothing but best of breed. Do I think best of breed makes sense in certain areas? Absolutely.

But I think platforms are here to stay. And if you look at what a lot of the large players out there, Palo Alto, Microsoft, CrowdStrike, Fortinet, Google, what are they all doing? They're starting to really move towards platforms. And one of the interesting things I found from the conversation is that the CrowdStrike CEO, Mr. Kurtz, he cautioned businesses against using inexpensive cybersecurity programs or leaning on policy and procedure with weaker tool sets.

And I call this being a paper tiger. So essentially passing any of the certifications or basically saying, you are NIST 853 R five compliant. And why is that? Oh, well, we've got all this documentation, but then you look at the tooling and it's minimally effective. So he's cautioning against that. And as someone coming from an organization, that people can look at a platform and say that's not exactly a cheap solution, and he's saying that's actually a good thing.

So I think what really resonated with me from the conversation is about cheap or free cybersecurity. People may try to buy something, they may think it's cheaper, it's not free, definitely isn't free, and strongly feel that you get what you pay for. And in this particular case, you're talking about customers that maybe have had an incident, they had some kind of an issue, and more importantly, they had technology that they couldn't deploy and in a lot of cases, they couldn't operate. So if you're going to visualize this, this is something that I first saw back when I just started in technology. I'm not going to tell you how long ago that was. Wasn't that long ago, but I got to see this triangle.

And on each side it talked about good on one side, cheap on the other, and then fast on the other. And I remember distinctly that there were four words at the bottom and you can only pick two. And I have found in my career that is a very true statement. And I think that is what the conversation ultimately ended up with in, in George having that conversation with Jim Kramer.

So with that, thank you for tuning in, and I will talk to you next episode.