Microsoft Commits To Security...Again

Plus a third of Americans data compromised...yikes

This week, I witnessed a pissed-off gate agent who almost walked off the job and a plane passenger who was very upset because people wouldn’t let him walk to the front of the plane while it was boarding. These were separate incidents in two airports…if anyone needs a hug, let me know.

This week, we’re covering:

  • New details on the Change Healthcare attack

  • Microsoft déjà vu with committing to security

  • A lot of hacker arrests

Also, I have a request. If you enjoy the newsletter, reply to this and let me know what you like. Are you a fan of the deep dives, the weekly news round-up, or both? Your feedback will help me make this better!

-Jason

Spotlight
A Third of Americans Impacted


The Change Healthcare (CHC) ransomware attack has dominated the security news for months, and for good reason. The attack crippled CHC’s infrastructure, which many medical practices relied on to operate their own businesses. The downstream impacts were devastating.

But businesses weren’t the only ones impacted. In a House hearing this week, Andrew Witty, the CEO of CHC’s parent company, UnitedHealth Group, said that a third of Americans' information was potentially compromised in the attack - that’s over 113 million Americans. Oof.

Every large attack starts with one security miss. In the case of CHC, that security miss was not having MFA on a Citrix remote access account. If you need another reason why MFA is important, you have a one-billion-dollar reason…the amount the attack will cost UnitedHealth this year.

But MFA is only part of an authentication sequence. So, how were the accounts’ credentials compromised?

One possibility is infostealer malware. Hudson Rock, a cyber threat intel company with great visibility into credentials compromised via infostealers, found something interesting.

Hudson Rock’s research found that on February 7th, 2024, a CHC employee’s system was infected with infostealer malware designed to steal passwords. This employee had one password tied to Change Healthcare…a Citrix remote login.

Source: Hudson Rock

We can’t say if this was the reason for the compromised credentials, but the timing is interesting. Regardless, the threat of infostealers is real. Even one missed account in “mandated” MFA can significantly impact an organization.
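The last sentence is the one practitioners should sit with: an MFA mandate is only as good as its coverage, and gaps usually hide in policy exclusions, disabled "report-only" policies, and accounts that belong to no policy at all. The following is an added example (my code, not Hudson Rock's, CHC's or Citrix's) of a small audit that computes which accounts can reach a sensitive group such as a remote-access gateway without any MFA policy actually applying. The accounts, groups and policies are constructed for illustration; the include/exclude model is a simplification of how directory conditional-access policies are typically scoped.

```python
"""Audit effective MFA coverage for remote-access accounts.

Added example, not from the newsletter or any vendor: it models the gap
described above, where MFA is "mandated" by policy but an account slips
through. Every account, group and policy here is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    groups: frozenset[str]
    enabled: bool = True


@dataclass(frozen=True)
class MfaPolicy:
    """Applies to members of any `include` group who are in no `exclude` group."""
    name: str
    include: frozenset[str]
    exclude: frozenset[str] = frozenset()
    enabled: bool = True  # report-only / disabled policies enforce nothing

    def covers(self, account: Account) -> bool:
        if not self.enabled:
            return False
        in_scope = "all" in self.include or bool(account.groups & self.include)
        excluded = bool(account.groups & self.exclude)
        return in_scope and not excluded


def effective_mfa(accounts: list[Account], policies: list[MfaPolicy]) -> dict[str, list[str]]:
    """Map each enabled account name to the names of the policies that enforce MFA on it."""
    return {
        a.name: sorted(p.name for p in policies if p.covers(a))
        for a in accounts
        if a.enabled
    }


def find_gaps(accounts: list[Account], policies: list[MfaPolicy], sensitive: frozenset[str]) -> list[str]:
    """Enabled accounts in a sensitive group (e.g. remote access) with no MFA policy in effect."""
    coverage = effective_mfa(accounts, policies)
    return sorted(
        a.name for a in accounts
        if a.enabled and a.groups & sensitive and not coverage[a.name]
    )


# Constructed sample directory. Three ways an account ends up uncovered:
# bob is carved out by an exemption group, carol is covered only by a
# policy that was never switched on, and svc-legacy is disabled (and so
# is ignored rather than reported).
SAMPLE_ACCOUNTS = [
    Account("alice", frozenset({"staff", "citrix-remote"})),
    Account("bob", frozenset({"staff", "citrix-remote", "mfa-exempt"})),
    Account("carol", frozenset({"contractors", "citrix-remote"})),
    Account("dave", frozenset({"staff"})),
    Account("svc-legacy", frozenset({"citrix-remote"}), enabled=False),
]

SAMPLE_POLICIES = [
    MfaPolicy("mfa-staff", include=frozenset({"staff"}), exclude=frozenset({"mfa-exempt"})),
    MfaPolicy("mfa-contractors-report-only", include=frozenset({"contractors"}), enabled=False),
]

SENSITIVE = frozenset({"citrix-remote"})

if __name__ == "__main__":
    for name, pols in effective_mfa(SAMPLE_ACCOUNTS, SAMPLE_POLICIES).items():
        print(f"{name:12} {pols or 'NO MFA'}")
    print("gaps:", find_gaps(SAMPLE_ACCOUNTS, SAMPLE_POLICIES, SENSITIVE))
```

Run against a real export, the interesting output is never the list of covered accounts; it is the handful that fall through an exclusion or a policy nobody finished enabling, which is exactly the shape of gap the Citrix account above represents.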

Deep Dive
Microsoft Makes Security a “Top Priority”…Again


The year is 2002. Harry Potter and the Chamber of Secrets was released in theaters, and people still typed “email” as “e-mail.” It’s also the same year Bill Gates emailed all Microsoft employees, saying the company needed to shift from focusing on features to spotlighting security and privacy. He said:

"When we face a choice between adding features and resolving security issues, we need to choose security,"

Bill Gates, in an internal email from 2002

The year is 2024. Since Bill’s email, we have survived a financial collapse, a global pandemic, and the Tide Pod challenge. It’s also the year that the Cyber Safety Review Board (CSRB) released a scathing report on Microsoft’s poor security practices.

So, Microsoft is ready to take security seriously…but this time for real. In an email to employees, Microsoft CEO Satya Nadella said:

If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security.

Satya Nadella, in an internal email from 2024

Hmmm, that sounds familiar…anywho, in a recent blog post, Microsoft provided details on how they would make this security surge happen. They started by expanding on their Secure Future Initiative, which has six core pillars:

  • Protect identities and secrets

  • Protect tenants and isolate production systems

  • Protect networks

  • Protect engineering systems

  • Monitor and detect threats

  • Accelerate response and remediation

These are solid pillars, and every organization should be working to improve in each of them. But Microsoft went an extra step. They are committing to three security principles. This is straight from their blog post:

  1. Secure by design: Security comes first when designing any product or service.

  2. Secure by default: Security protections are enabled and enforced by default, require no extra effort, and are not optional.

  3. Secure operations: Security controls and monitoring will continuously be improved to meet current and future threats.

Oh, and it doesn’t hurt that part of the compensation of its Senior Leadership team will now depend on whether the company is meeting its security plans and milestones.

News
What Else is Happening?

📝 Dropbox Sign, formerly known as HelloSign, notified clients that a threat actor had accessed their customer information. Impacted customer information includes email addresses, usernames, phone numbers, hashed passwords, and authentication information (API keys, OAuth tokens, and MFA type).

🔑 Microsoft announced passkey support for Microsoft consumer accounts, which includes personal M365 emails and Xbox. With passkeys, you can authenticate using your face, fingerprint, or device PIN. I have a video that explains how passkeys work.

🎉 While Microsoft starts rolling out passkeys, Google is celebrating a huge milestone. One year after releasing passkeys for their users, they supported 1 billion passkey authentications across 400 million Google accounts. Why switch? Because you can log in 50% faster than with passwords. I have another video that shows how to set up passkeys on Google.

👮 A 24-year-old Ukrainian national with ties to the REvil ransomware group was sentenced to 13 years in prison and ordered to pay $16 million in restitution. This guy was responsible for orchestrating the ransomware attacks against Kaseya VSA software, which ruined many July 4th holidays a few years ago.

💢 There are cyber criminals, and then there are just evil humans. One such example is a 26-year-old Finnish man who hacked into an online psychotherapy clinic, stole very sensitive therapy records, and then began extorting the clinic and its patients. Thankfully, law enforcement caught him, and he has been sentenced to six years in prison.

📞 The FCC slapped AT&T, Sprint, T-Mobile, and Verizon with nearly $200M in fines for illegally sharing access to customers’ location data without their consent.

🛑 It’s now illegal in the UK to sell consumer smart devices that ship with universal default passwords. This is a big step in protecting consumer devices against an emerging trend of attackers targeting home routers to build botnets.

🫠 A 57-year-old man was arrested for extorting a publicly traded IT company. Ironically, the man was hired as a contractor to assess and remediate potential vulnerabilities that could lead to unauthorized access to company systems and data. After his contract was terminated, the man used access he still had to their systems to download data and then extort the company.

If you enjoyed this, forward it to a fellow cyber nerd.

If you’re that fellow cyber nerd, subscribe here.

See you next week!
