HHS Launches Probe Into UnitedHealth Group to Examine Cyberattack

The US Department of Health and Human Services (HHS) said it is opening an investigation into UnitedHealth Group following a cyberattack on a subsidiary that has crippled healthcare payments and probably exposed millions of patients’ data.

HHS said its probe would focus on identifying the extent of the breach and compliance by UnitedHealth and its subsidiary, Change Healthcare, with the Health Insurance Portability and Accountability Act (HIPAA), which is intended to protect patients’ private data.

The HHS Office for Civil Rights said, “Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident.”

UnitedHealth said it would cooperate with the investigation. “Our immediate focus is to restore our systems, protect data, and support those whose data may have been impacted,” the company said in a statement. “We are working with law enforcement to investigate the extent of impacted data.” (Dan Diamond / Washington Post)

Related: HHS, Forbes, Associated Press, Modern Healthcare, CNN, Bleeping Computer, The Record, NextGov, 404 Media

A DDoS attack caused intermittent “disruptions” to the websites of multiple Alabama government agencies, requiring state officials to work throughout the day to defend their networks from hackers.

Anonymous Sudan claimed responsibility for the attack on its Telegram social media channel.

“[W]e understand that the disruptions were initially widespread across state services, and those effects have diminished throughout the day as we have worked with our vendors to counter the denial-of-service attack,” a spokesperson for Alabama’s Office of Information Technology said.

According to Republican Gov. Kay Ivey's office, there was no breach of government networks or data theft in the cyberattack. (Sean Lyngaas and Isabel Rosales / CNN)

Related: Alabama NPR, The Cyber Express, Associated Press, WSFA, WPMI, AL.com, The Calhoun Journal, WHNT, The Cullman Times

The US House of Representatives overwhelmingly passed a measure to force TikTok to split from its parent company or face a national ban, a lightning offensive that materialized abruptly after years of unsuccessful negotiations over the platform’s fate.

The legislation attempts to grapple with allegations that TikTok’s China-based parent, ByteDance, presents national security risks.

Private briefings from national security and law enforcement officials, including a classified hearing last week, served as a “call to action” for Congress to “finally” take a stand against TikTok, said Rep. Kathy Castor (D-FL), a member of the House Energy and Commerce Committee. Whether these meetings with the FBI, Justice Department, and Office of the Director of the National Intelligence surfaced new evidence against the company is unclear.

The bill's fate now rests in the Senate, where it picked up two significant endorsements but where key holdouts could grind the effort to a jarring halt. Some senators have expressed concern that it may run afoul of the Constitution by infringing on millions of Americans’ rights to free expression and explicitly targeting a business operating in the United States. (Cristiano Lima-Strong, Jacob Bogage, and Mariana Alfaro / The Washington Post)

Related:  Associated Press, The Verge, CNBC, New York Times, New York Times, Axios, The Hill, Ars Technica, Bloomberg, Washington Post, Reuters, NBC News, The Information, Financial Times, Social Media Today, New York Times, NBC News, Semafor, Washington Post, NPR, Washington Post, CBS News, Variety, Engadget, Macao News, Mediaite, KVIA-TV, Atlantic Council, Daring Fireball, Irish Independent, Adweek, PCMag, Digital Music News, Business Times, New York Sun, The New Arab, W Media Research, Root-Nation.com, TMZ.com, The Independent, Newsweek, Raw Story, The Daily Caller, PetaPixel, USA Today, BroBible, Irish Examiner, Washington Times, PhoneArena, New Jersey Globe, The Drum, 9to5Mac, GSMArena.com, The Information, Yahoo News, USA Today, Rolling Stone, Financial Times, Polygon, Washington Post, Business Insider, TechCrunch, Wall Street Journal, BBC News, The Guardian

The European Parliament approved the world’s most comprehensive legislation yet on artificial intelligence, setting out sweeping rules for developers of AI systems and new restrictions on how the technology can be used.

The rules, set to take effect gradually over several years, ban certain AI uses, introduce new transparency rules, and require risk assessments for AI systems deemed high-risk.

The new legislation applies to AI products in the EU market, regardless of where they were developed. It is backed by fines of up to 7% of a company’s worldwide revenue.

While the law only applies in the EU, it is expected to have a global impact because large AI companies are unlikely to want to forgo access to the bloc, which has a population of about 448 million. Other jurisdictions could also use the new law as a model for their AI regulations, contributing to a ripple effect.

The law still needs final approval from EU member states, but that process is expected to be a formality since they already gave the legislation their political endorsement. (Kim Mackrael and Sam Schechner / Wall Street Journal)

Related: European Parliament, CNBC, Time, France24, Al Jazeera, Euractiv, Euronews, Digiday, The Hollywood Reporter, Silicon Angle, Hunton Privacy Blog, Cyberdaily.au, DataBreachToday.com

In a court filing, The New York Times has denied OpenAI's claims that it "hacked" the company's artificial intelligence systems to create misleading evidence of copyright infringement, calling the accusation "irrelevant as it is false."

As part of its copyright lawsuit against OpenAI, The New York Times said, OpenAI is "grandstanding" in its request to dismiss parts of the newspaper's lawsuit, alleging its articles were misused for artificial intelligence training. The Times sued OpenAI and its largest financial backer, Microsoft, in December, accusing them of using millions of its articles without permission to train chatbots to provide information to users.

"OpenAI's true grievance is not about how The Times conducted its investigation, but instead what that investigation exposed: that Defendants built their products by copying The Times's content on an unprecedented scale — a fact that OpenAI does not, and cannot, dispute," the Times said. (Blake Brittain / Reuters)

Related: The Register, The Hindu, The Decoder, Ars Technica, Daily Mail, Interesting Engineering, Bloomberg Law, Tech Times

Microsoft plans to release its Copilot for Security artificial intelligence tools on April 1 that will help cybersecurity workers produce summaries of suspicious incidents and ferret out the devious methods hackers use to obscure their intentions.

Microsoft unveiled its Copilot for Security about a year ago and has been trialing it with corporate customers ever since. Testers include BP Plc and Dow Chemical Co. and now number “hundreds of partners and customers,” according to Andrew Conway, Microsoft’s vice president of security marketing. Customers will pay a fee based on usage, much as they do with the company’s Azure cloud services.

Copilot works with all of Microsoft’s security and privacy software, offering an assistant pane to produce summaries and answer questions. For example, one of the company’s security programs already collects a variety of security alerts and combines the related ones into a single incident. Now, when a user clicks on each incident, the Copilot can summarize the data and write a report, a typically time-consuming process. During an attack, hackers often use complicated programming scripts to obfuscate what they’re trying to do, making it harder to track. The Copilot is designed to explain the attacker’s aim.

Conway said the software will free up experienced cybersecurity workers for more complex tasks, help newer ones get up to speed more quickly, and supplement their skills. In its tests, Microsoft said newer security workers performed 26% faster and with 35% more accuracy. That’s helpful because the cybersecurity industry suffers from a chronic labor shortage.

Microsoft says Copilot has grown a broad, global ecosystem of more than 100 partners consisting of managed security service providers and independent software vendors. (Dina Bass / Bloomberg)

Related: Microsoft Security Blog, CNBC, The Register, CRN, The Verge, Inc.com, CSO, PCMag, ZDNet, VentureBeat, Bloomberg, Thurrott, Constellation Research, Yahoo Finance, TechRadar,ComputerWeekly.com, Petri IT Knowledgebase, TechRepublic, CNBC Technology, iTnews - Security, Techradar, Tech News Space, VentureBeat, Ars Technica, ZDNET, Thurrott.com

Thirteen computer scientists from Google DeepMind, ETH Zurich, University of Washington, OpenAI, and McGill University have developed an attack that can pry open closed AI services from OpenAI and Google that can recover an otherwise hidden portion of transformer models.

The attack partially illuminates a particular type of so-called "black box" model, revealing the embedding projection layer of a transformer model through API queries. The cost to do so ranges from a few dollars to several thousand, depending upon the size of the model being attacked and the number of queries.

"For under $20 USD, our attack extracts the entire projection matrix of OpenAI's ada and babbage language models," the researchers say. "We thereby confirm, for the first time, that these black-box models have a hidden dimension of 1024 and 2048, respectively. We also recover the exact hidden dimension size of the gpt-3.5-turbo model, and estimate it would cost under $2,000 in queries to recover the entire projection matrix."

The researchers have disclosed their findings to OpenAI and Google, both of which are said to have implemented defenses to mitigate the attack. They chose not to publish the size of two OpenAI gpt-3.5-turbo models, which are still in use. The ada and babbage models are both deprecated, so disclosing their respective sizes was deemed harmless. (Thomas Claburn / The Register)

Related: ARXIV.org, Dark Reading, TweakTown, Security Week, Infosecurity Magazine, Hack Read

Researchers at Salt Security discovered several critical security flaws within ChatGPT plugins that could have allowed unauthorized access to third-party accounts and sensitive user data.

ChatGPT plugins are extensions that enhance the capabilities of the ChatGPT artificial intelligence model by enabling it to interact with external services and perform tasks on third-party websites on behalf of users, such as committing code to GitHub or accessing data on Google Drive. These plugins extend the applicability of ChatGPT across various domains, including software development, data management, education, and business environments.

But, the plugins also introduce new risks. When organizations leverage such plugins, it gives ChatGPT permission to send an organization’s sensitive data to a third-party website and allows access to private external accounts.

The researchers discovered three different types of vulnerabilities within ChatGPT plugins. The first is found within ChatGPT itself when users install new plugins. During this process, ChatGPT redirects a user to the plugin website to receive a code to be approved by that individual. Then, the plugin is automatically installed and can interact with that plugin on behalf of the user.

The researchers found that an attacker could exploit this function to deliver users a code approval with a new malicious plugin. This would enable the attacker to automatically install their credentials on a victim’s account. Any message the user writes in ChatGPT could be forwarded to a plugin, meaning an attacker would have access to a host of proprietary information.

The second vulnerability was within PluginLab, a framework developers and companies use to develop plugins for ChatGPT. During installation, Salt Labs researchers found that PluginLab did not properly authenticate user accounts, allowing a prospective attacker to insert another user ID and get a code that represents the victim, which can lead to account takeover via the plugin.

The third vulnerability found within several plugins was OAuth redirection manipulation. Using this vulnerability, an attacker could send a link to the victim that inserts a malicious URL and steals user credentials. Like in the case of PluginLab, an attacker would then have the victim's credentials and can take over their account in the same way.

The Salt Labs researchers disclosed the vulnerabilities to OpenAI and third-party vendors before going public with the details and fortunately, all the issues were remediated quickly. The report aims to warn that there are emerging vulnerabilities in services such as ChatGPT. (Duncan Riley / Silicon Angle)

Related: Salt Security, r/hacking, PR Newswire, sdxCentral, Infosecurity Magazine

Senator Ron Wyden (D-OR) sent a letter to National Counterintelligence and Security Center (NCSC) Director Michael Casey urging him to alert the public to the possibility that the Chinese government may possess backdoor codes to electronic locks made in China, which he maintains could be exploited by foreign adversaries to steal what U.S. businesses store in safes, such as trade secrets.

The companies named in Wyden’s letter are China-based SECURAM and U.S.-based Sargent and Greenleaf (S&G). Each produces keypad locks, which are then implemented into safes by other manufacturers. The full list of locks that contain backdoor codes is unknown, but online documentation points to multiple SECURAM products that include them, and S&G confirmed to Wyden’s office that some of its own locks also have similar codes.

“The government has opted to keep the public in the dark about this vulnerability after quietly protecting government agencies from it,” Wyden writes in the letter.

The NCSC is tasked with leading the U.S. government’s counterintelligence efforts and, of particular relevance to backdoors in locks, “provide [counterintelligence] outreach to U.S. private sector entities at risk of foreign intelligence penetration,” according to the NCSC’s website. (Joseph Cox / 404 Media)

Related: Senator Ron Wyden

Fortinet patched a critical vulnerability in its FortiClient Enterprise Management Server (EMS) software that can allow attackers to gain remote code execution (RCE) on vulnerable servers.

The security flaw (CVE-2023-48788) is an SQL injection in the DB2 Administration Server (DAS) component, which was discovered and reported by the UK's National Cyber Security Centre (NCSC) and Fortinet developer Thiago Santana.

The flaw affects FortiClient EMS versions 7.0 (7.0.1 through 7.0.10) and 7.2 (7.2.0 through 7.2.2). It allows unauthenticated attackers to gain RCE with SYSTEM privileges on unpatched servers in low-complexity attacks that don't require user interaction.

Fortinet has not revealed if it has any evidence of CVE-2023-48788 being exploited in attacks before patching.

Horizon3's Attack Team confirmed the bug's critical severity today and said they'll publish proof-of-concept exploit code and a technical deep-dive next week.

The company also fixed another critical out-of-bounds write weakness (CVE-2023-42789) in the FortiOS and FortiProxy captive portal that could let an unauthenticated "inside attacker" remotely execute unauthorized code or commands on unpatched using maliciously crafted HTTP requests.

Two other high-severity flaws, an improper access control (CVE-2023-36554) in FortiWLM MEA for FortiManager and a CSV injection (CVE-2023-47534) in FortiClient EMS, patched this week, allow threat actors to execute arbitrary commands or code on vulnerable systems. (Sergiu Gatlan / Bleeping Computer)

Related: Fortiguard Labs, CRN, Infosecurity Magazine, The Stack

Researchers at Trend Micro report that a new wave of attacks by the DarkGate malware operation exploits a now-fixed Windows Defender SmartScreen vulnerability to bypass security checks and automatically install fake software installers.

The flaw tracked as CVE-2024-21412 is a Windows Defender SmartScreen flaw that allows specially crafted downloaded files to bypass these security warnings. Microsoft fixed the flaw in mid-February.

Attackers can exploit the flaw by creating a Windows Internet shortcut (.url file) that points to another .url file hosted on a remote SMB share, which would cause the file at the final location to be executed automatically.

Trend Micro says that DarkGate operators are exploiting the same flaw to improve their chances of success (infection) on targeted systems. The attacks employ DarkGate version 6.1.7, which, compared to the older version 5, features XOR-encrypted configuration, new config options, and updates on the command and control (C2) values. (Bill Toulas / Bleeping Computer)

Related: Trend Micro

Researchers at Fortinet discovered a new phishing campaign in which attackers store malware on public services such as Amazon Web Services and GitHub and then use email to launch an attack campaign and gain control of the newly infected systems.

FortiGuard Labs said the email lures victims into loading up a malicious, high-severity Java downloader that aims to spread a new VCURMS remote access trojan (RAT) and a well-known STRRAT RAT. All platforms with Java installed are vulnerable and can hit any type of organization.

The phishing email targets staff members at organizations, implying that a payment is underway and encourages them to click a button to verify payment details. Once the victim clicks, a harmful JAR file hosted on AWS is downloaded to the victim’s computer.

Even though the VCURMS RAT primarily handles command and control (C2) communication, it also includes a modified version of a Rude Stealer and a keylogger in its second phase that gathers sensitive data from the victim. The researchers discovered that the threat actor uses multiple obfuscation techniques to avoid detection and then leverages email to communicate with the C2 server. (Steve Zurier / SC Media)

Related: Fortinet, GBHackers

Security researcher Aaron Costello discovered that Ireland’s Health Service Executive (HSE)misconfigured a database, exposing the vaccination information of more than one million people.

Costello said the database contained private information on over a million Irish citizens, including full names, vaccination status, and vaccine type received.

The HSE said it fixed the misconfiguration on the day it was alerted to it. (Brian O'Donovan / RTE)

Related: Enumerated, TechCrunch, Cybernews, Breakingnews.ie, RIPT, The Irish Independent, Irish Medical Times, The UBJ

The press service of Ukraine’s Ministry of Digital Transformation said that Ukraine’s IT army has carried out a large-scale attack on the Russian government and local websites, including the Troika public transport fare payment system, causing disruptions to the metro systems in Moscow and Kazan.

The Ministry said, "The cyberarmy has attacked a number of Russian government and local portals, including the Troika public transport payment system. This is one of Russia's largest fare payment systems, operating in 38 regions." (Ukrainska Pravda)

Related: Odesa Journal, Ukraine Ministry of Digital Transformation on Telegram

Over the next few weeks, Nissan Oceania will contact around 100,000 people in Australia and New Zealand whose data was stolen in a December 2023 attack on its systems, for which the Akira ransomware gang took credit.

The attackers stole some form of government identification from up to ten percent of victims. Among the data stolen from the automotive manufacturer was info on 4,000 Medicare cards plus 7,500 driving licenses, 220 passports, and 1,300 tax file numbers.

The other 90% of victims had some data stolen, including copies of loan-related transaction statements, employment details, or salary information. The heist may also include personally identifiable information (PII), such as dates of birth.

In Australia, affected individuals are being offered 12 months of free credit monitoring from Equifax, and in New Zealand, a similar service is being made available through Centrix. (Connor Jones / The Register)

Related: Dark Reading, Cybernews

In a Securities and Exchange Commission filing, MarineMax, which calls itself the world’s largest recreational boat, yacht, and superyacht services company, said it suffered a cyberattack that disrupted operations.

“MarineMax determined… that it experienced a ‘cybersecurity incident,’ as defined in applicable Securities and Exchange Commission rules, whereby a third party gained unauthorized access to portions of its information environment,” the company explained.

“Upon detection, the Company initiated its previously determined incident response and business continuity protocols and took immediate measures to contain the incident. As part of this process, the containment measures resulted in some disruption to a portion of the Company’s business.”

MarineMax said its operations have continued despite the attack, but cybersecurity experts have been hired to help investigate the incident, and law enforcement has been notified. (Jonathan Grieg / The Record)

Related: SEC.gov, Dark Reading

Despite the growing perception that the social media app Telegram has become the new dark web, allowing the illegal sale of guns and other criminal services, in a rare interview, Telegram’s Russia-born chief executive Pavel Durov seeks to cast the platform as a privacy-orientated alternative to big tech platforms, one that is unassailable from government interference.

He says it is a censorship-resistant safe haven for citizens living in repressive regimes, such as Belarus, Iran, and Hong Kong. Headquartered in Dubai, Telegram has escaped much of the regulatory scrutiny and law enforcement demands that have plagued similar platforms in Silicon Valley in recent years. “In Dubai, the government doesn’t bother us,” Durov says, labeling the emirate “neutral.”

But as Telegram continues to scale, monetize via advertising, and gear up for a potential market debut, possibly in the US, it will face increasing pressure to tame its dark underbelly.

And despite Durov’s close relationship with Russia, he dismisses any connection with the Kremlin or Russian President Vladimir Putin as conspiracy theories. (Hannah Murphy / Financial Times)

Related: The Register, The Crypto Times, Business Insider, The Information, iPhone in Canada Blog, Nairametrics

Cyber cloud security startup Wiz is in talks to raise up to $800 million in venture funding at a valuation of more than $10bn, underscoring the sector’s resilience and signaling a revival in venture capital markets.

Founded just four years ago, Wiz is in talks with investors, including Thrive, Light Speed Venture Partners, and G Squared, to raise hundreds of millions of dollars, according to people familiar with the matter.

One source said the company could seek to raise roughly $800mn, adding that Sequoia and the Israeli cyber venture group Cyberstarts were also in talks to participate in the fundraising. (Ivan Levingston and George Hammond / Financial Times)

Related: Silicon Angle, Globes, BankInfoSecurity

Secure enterprise microservices development company Codezero said it had raised $3.5 million in a seed venture funding round.

Ballistic Ventures led the round with participation from Thomas Dohmke (GitHub CEO), Nick Caldwell (Microsoft, HubSpot, and Peloton), Marty Weiner (Pinterest and Reddit), and James Routh (AMEX, CVS, KPMG, and JPMorgan Chase). (FinSMEs)

Related: Dark Reading

Sources say that cloud cybersecurity startup Wiz will buy Gem Security for $350 million in a cash deal.

The New York-based company declined to comment on the acquisition but acknowledged that “these are indeed exciting times for Wiz.” Gem Security, which has offices in New York and Tel Aviv, provides a centralized approach to dealing with threats in the cloud, including incident readiness, real-time threat detection, investigation, and response. (Marissa Newman / Bloomberg)

Related: Calcalist, Globes

Best Thing of the Day: Chipping Away at Fake Presidential Candidate Images

Artificial intelligence image-generator Midjourney has started blocking its users from creating fake images of President Joe Biden and former President Donald Trump ahead of the upcoming U.S. presidential election

Worst Thing of the Day: Want a Little Cyberattack During Your Appendectomy?

Researchers at Claroty discovered 63% of CISA-tracked Known Exploited Vulnerabilities (KEVs) on medical devices connected to healthcare organization networks such as hospitals and clinics and that 23% of medical devices, including imaging devices, clinical IoT devices, and surgery devices, have at least one KEV.

Closing Thought