Federal civilian agencies have a new list of cyber-related requirements to address after the Cybersecurity and Infrastructure Security Agency on Tuesday issued guidance regarding the implementation of secure practices for cloud services.

CISA’s Binding Operational Directive (BOD) 25-01 instructs agencies to identify all of its cloud instances and implement assessment tools, while also making sure that their cloud environments are aligned with the cyber agency’s Secure Cloud Business Applications (SCuBA) configuration baselines.

CISA Director Jen Easterly said in a statement that the actions laid out in the directive are “an important step” toward reducing risk across the federal civilian enterprise, though threats loom in “every sector.”

“Malicious threat actors are increasingly targeting cloud environments and evolving their tactics to gain initial cloud access,” Easterly said. “We urge all organizations to adopt this guidance. When it comes to reducing cyber risk and ensuring resilience, we all have a role to play.”

During a call with reporters Tuesday, Matt Hartman, CISA’s deputy executive assistant director for cybersecurity, said that while the directive was “not focused” on any “one specific, recent threat,” it is “responsive to recent threat activity” and part of a post-SolarWinds campaign aimed at creating “a centralized and consistent approach to securing federal cloud configurations.”

The tactics that this directive guards against, Hartman added, “are used consistently by both sophisticated, well-funded actors and common cyber criminals.”

CISA has prioritized the development of SCuBA guidelines in recent years, issuing instructions for agency use of Google Workspace a year ago and putting out standards for Microsoft 365 use in October 2022. Those moves were considered part of a response to the revelation that a Chinese hacking group stole a Microsoft signing key and used it to access emails belonging to senior U.S. officials.

Hartman reiterated during Tuesday’s call that the timing of the new directive was not tied to any specific incident but simply “recognition of the fact that the SCuBA program has matured significantly over the last couple of years. We have completed a number of pilot implementations with a wide range of federal civilian agencies.”

A CISA official said they received plenty of feedback on the directive’s feasibility and control policies from the 13 agencies that participated in those pilots. Hartman, meanwhile, said CISA pursued “a proactive and deliberate approach” in working with CIOs and CISOs ahead of the directive’s release.

As part of the Microsoft 365-specific requirements in the directive, agencies have until Feb. 21, 2025, to provide CISA with the instance name and the system-owning agency or component for each instance. That inventory must be updated yearly in the first quarter, in accordance with CISA reporting instructions.

All SCuBA assessment tools for in-scope cloud instances must be deployed by April 25, 2025, with continuous reporting on the requirements activated. All required SCuBA policies called out in the directive should be implemented by June 20, 2025. 

“As federal civilian agencies implement this mandate, CISA will monitor and support agency adherence and provide additional resources as required,” the agency said in a statement. “CISA is committed to using its cybersecurity authorities to gain greater visibility and drive timely risk reduction across federal civilian agencies.”

Unknown hackers are targeting individuals associated with Thailand’s government, using a new and unwieldy backdoor dubbed “Yokai,” potentially named after a type of ghost found in the video game Phasmophobia, or after spirits in Japanese folklore.

Researchers from Netskope recently came across two shortcut (LNK) files disguised as .pdf and .docx files, unsubtly named as if they pertained to official US government business with Thailand. The attack chain tied to these fake documents cleverly used legitimate Windows binaries to deliver the previously unknown backdoor, which appears to be a hastily developed program designed to run shell commands. It carries a risk of unintended system crashes, the researchers noted.

Ghost in the Machine: US-Themed Lures in Phishing Attack

From Thai, the lure documents translate to “United States Department of Justice.pdf” and “Urgently, United States authorities ask for international cooperation in criminal matters.docx.” Specifically, they made reference to Woravit “Kim” Mektrakarn, a former factory owner in California tied to the disappearance and suspected murder of an employee in 1996. Mektrakarn was never apprehended and is believed to have fled to Bangkok.

“The lures also suggest they are addressed to the Thai police,” notes Nikhil Hegde, senior engineer for Netskope. “Considering the capabilities of the backdoor, we can speculate that the attacker’s motive was to get access to the systems of the Thai police.”

Related:Russian FSB Hackers Breach Pakistani APT Storm-0156

Like any other phishing attack, opening either of these documents would cause a victim to download malware. But the path from A to B wasn’t so jejune as that might suggest.

Abusing Legitimate Windows Utilities

To begin their attack chain, the attackers made use of “esentutl,” a legitimate Windows command line tool used to manage Extensible Storage Engine (ESE) databases. Specifically, they abused its ability to access and write to alternate data streams (ADS).

In Windows’ New Technology File System (NTFS), files commonly contain more than just their primary content — their main “stream.” An image or text document, for example, will also come packed with metadata — even hidden data — which won’t be visible in the normal listing of the file, because it is not so pertinent to users. An unscrutinized channel for appending hidden data to a seemingly harmless file, however, is a luxury to a cyberattacker.

“ADS is often used by attackers to conceal malicious payloads within seemingly benign files,” Hegde explains. “When data is hidden in an ADS, it does not alter the visible size or properties of the primary file. This allows attackers to evade basic file scanners that only inspect the primary stream of a file.”

Related:Hamas Hackers Spy on Mideast Gov’ts, Disrupt Israel

Opening the shortcut files associated with this campaign would trigger a hidden process, during which Esentutl would be used to pull decoy government documents, and a malicious dropper, from two alternate data streams. The dropper would carry with it a legitimate copy of the iTop Data Recovery tool, used as a gateway for sideloading the Yokai backdoor.

Inside the Yokai Backdoor Malware

Upon entering a new system, Yokai checks in with its command-and-control (C2) base, arranges an encrypted channel for communication, then waits for its orders. It can run any ordinary shell commands in order to steal data, download additional malware, etc.

“There are some sophisticated elements in Yokai,” Hegde says. For example, “Its C2 communications, when decrypted, are very structured.” In other ways, though, it proves rough around the edges.

If run using administrator privileges, Yokai creates a second copy of itself, and its copy creates a third copy, ad infinitum. On the other hand, to prevent itself from running multiple times on the same machine, it checks for the presence of a mutex file — if the file exists, it terminates itself, and if it doesn’t, it creates it. This check occurs after the self-replication step, however, only after the malware has begun spawning out of control. “This leads to repetitive, rapid duplicate executions that immediately terminate upon finding the mutex. This behavior would be clearly visible to an EDR, diminishing the stealth aspect of the backdoor,” Hegde says.

Related:China’s Elite Cyber Corps Hone Skills on Virtual Battlefields

Even a regular user might notice the strange effects to their machine. “The rapid spawning creates a noticeable slowdown. If the system is already under heavy load, process creation and execution might already be slower due to resource contention, further exacerbating the system’s performance issues,” he says.

In all, Hegde adds, “This juxtaposition of sophistication and amateurism stands out the most to me, almost as if two different individuals were involved in its development. Given the version strings found in the backdoor and its variants, it is likely still being continuously developed.”

Nvidia has shared a temporary fix for a known issue impacting systems running its recently unveiled NVIDIA App and causing gaming performance to drop by up to 15%.

The company confirmed that these performance issues are triggered when the Game Filters option is enabled in the application and it recommends disabling it and restarting the game as a workaround.

“We are aware of a reported performance issue related to Game Filters and are actively looking into it,” Nvidia staff said in a support forum thread published earlier today.

“You can turn off Game Filters from the NVIDIA App Settings > Features > Overlay > Game Filters and Photo Mode, and then relaunch your game.”

This comes following widespread user reports regarding the app crippling PC gaming performance after enabling Game Filters or Photo Mode, with affected customers saying they were forced to uninstall the buggy app as it was still causing issues even after disabling the overlays and other filters.

“I uninstalled nVidia app for now because it’s causing a lot of problems even though i disabled overlay and other filter stuff. We’ll see how it goes,” one affected user said.

“I did that yesterday, and there are no more random crashes in games. I couldn’t even start delta force. After I uninstalled, it worked first try,” another replied.

These claims were also tested by Tom’s Hardware, which confirmed that the drop in framerates can reach up to 15%. This is a huge performance hit, considering this is usually the difference between standard GPU models and their Ti versions (which come with more memory and CUDA cores).

The NVIDIA App companion application for Windows 10 and Windows 11 laptops and PCs with NVIDIA GPUs was officially released in mid-November following several betas.

The app is designed to keep GeForce Game Ready and NVIDIA Studio drivers up to date and provide gamers with optimal settings for over 1000 games.

“The NVIDIA app incorporates many of the top features from GeForce Experience and RTX Experience, includes an optional login to redeem bundles and rewards, and introduces new RTX capabilities to elevate your gaming and creative experiences,” the company says.

Dec 17, 2024Ravie LakshmananMalware / Credential Theft

A new social engineering campaign has leveraged Microsoft Teams as a way to facilitate the deployment of a known malware called DarkGate.

“An attacker used social engineering via a Microsoft Teams call to impersonate a user’s client and gain remote access to their system,” Trend Micro researchers Catherine Loveria, Jovit Samaniego, and Gabriel Nicoleta said.

“The attacker failed to install a Microsoft Remote Support application but successfully instructed the victim to download AnyDesk, a tool commonly used for remote access.”

As recently documented by cybersecurity firm Rapid7, the attack involved bombarding a target’s email inbox with “thousands of emails,” after which the threat actors approached them via Microsoft Teams by masquerading as an employee of an external supplier.

The attacker then went on to instruct the victim to install AnyDesk on their system, with the remote access subsequently abused to deliver multiple payloads, including a credential stealer and the DarkGate malware.

Actively used in the wild since 2018, DarkGate is a remote access trojan (RAT) that has since evolved into a malware-as-a-service (MaaS) offering with a tightly controlled number of customers. Among its varied capabilities are conducting credential theft, keylogging, screen capturing, audio recording, and remote desktop.

An analysis of various DarkGate campaigns over the past year shows that it’s known to be distributed via two different attack chains that employ AutoIt and AutoHotKey scripts. In the incident examined by Trend Micro, the malware was deployed via an AutoIt script.

Although the attack was blocked before any data exfiltration activities could take place, the findings are a sign of how threat actors are using a diverse set of initial access routes for malware propagation.

Organizations are recommended to enable multi-factor authentication (MFA), allowlist approved remote access tools, block unverified applications, and thoroughly vet third-party technical support providers to eliminate the vishing risk.

The development comes amid a surge in different phishing campaigns that have leveraged various lures and tricks to dupe victims into parting with their data –

• A large-scale YouTube-oriented campaign in which bad actors impersonate popular brands and approach content creators via email for potential promotions, partnership proposals, and marketing collaborations, and urge them to click on a link to sign an agreement, ultimately leading to the deployment of Lumma Stealer. The email addresses from YouTube channels are extracted by means of a parser.
• A quishing campaign that makes use of phishing emails bearing a PDF attachment containing a QR code attachment, which, when scanned, directs users to a fake Microsoft 365 login page for credential harvesting.
• Phishing attacks take advantage of the trust associated with Cloudflare Pages and Workers to set up fake sites that mimic Microsoft 365 login pages and bogus CAPTCHA verification checks to supposedly review or download a document.
• Phishing attacks that use HTML email attachments that are disguised as legitimate documents like invoices or HR policies but contain embedded JavaScript code to execute malicious actions such as redirecting users to phishing sites, harvesting credentials, and deceiving users into running arbitrary commands under the pretext of fixing an error (i.e., ClickFix).
• Email phishing campaigns that leverage trusted platforms like Docusign, Adobe InDesign, and Google Accelerated Mobile Pages (AMP) to get users to click on malicious links that are designed to harvest their credentials.
• Phishing attempts that claim to be from Okta’s support team in a bid to gain access to users’ credentials and breach the organization’s systems.
• Phishing messages targeting Indian users that are distributed via WhatsApp and instruct the recipients to install a malicious bank or utility app for Android devices that are capable of stealing financial information.

Threat actors are also known to swiftly capitalize on global events to their advantage by incorporating them into their phishing campaigns, often preying on urgency and emotional reactions to manipulate victims and persuade them to do unintended actions. These efforts are also complemented by domain registrations with event-specific keywords.

“High-profile global events, including sporting championships and product launches, attract cybercriminals seeking to exploit public interest,” Palo Alto Networks Unit 42 said. “These criminals register deceptive domains mimicking official websites to sell counterfeit merchandise and offer fraudulent services.”

“By monitoring key metrics like domain registrations, textual patterns, DNS anomalies and change request trends, security teams can identify and mitigate threats early.”

Microsoft today released updates to plug at least 89 security holes in its Windows operating systems and other software. November’s patch batch includes fixes for two zero-day vulnerabilities that are already being exploited by attackers, as well as two other flaws that were publicly disclosed prior to today.

The zero-day flaw tracked as CVE-2024-49039 is a bug in the Windows Task Scheduler that allows an attacker to increase their privileges on a Windows machine. Microsoft credits Google’s Threat Analysis Group with reporting the flaw.

The second bug fixed this month that is already seeing in-the-wild exploitation is CVE-2024-43451, a spoofing flaw that could reveal Net-NTLMv2 hashes, which are used for authentication in Windows environments.

Satnam Narang, senior staff research engineer at Tenable, says the danger with stolen NTLM hashes is that they enable so-called “pass-the-hash” attacks, which let an attacker masquerade as a legitimate user without ever having to log in or know the user’s password. Narang notes that CVE-2024-43451 is the third NTLM zero-day so far this year.

“Attackers continue to be adamant about discovering and exploiting zero-day vulnerabilities that can disclose NTLMv2 hashes, as they can be used to authenticate to systems and potentially move laterally within a network to access other systems,” Narang said.

The two other publicly disclosed weaknesses Microsoft patched this month are CVE-2024-49019, an elevation of privilege flaw in Active Directory Certificate Services (AD CS); and CVE-2024-49040, a spoofing vulnerability in Microsoft Exchange Server.

Ben McCarthy, lead cybersecurity engineer at Immersive Labs, called special attention to CVE-2024-43639, a remote code execution vulnerability in Windows Kerberos, the authentication protocol that is heavily used in Windows domain networks.

“This is one of the most threatening CVEs from this patch release,” McCarthy said. “Windows domains are used in the majority of enterprise networks, and by taking advantage of a cryptographic protocol vulnerability, an attacker can perform privileged acts on a remote machine within the network, potentially giving them eventual access to the domain controller, which is the goal for many attackers when attacking a domain.”

McCarthy also pointed to CVE-2024-43498, a remote code execution flaw in .NET and Visual Studio that could be used to install malware. This bug has earned a CVSS severity rating of 9.8 (10 is the worst).

Finally, at least 29 of the updates released today tackle memory-related security issues involving SQL server, each of which earned a threat score of 8.8. Any one of these bugs could be used to install malware if an authenticated user connects to a malicious or hacked SQL database server.

For a more detailed breakdown of today’s patches from Microsoft, check out the SANS Internet Storm Center’s list. For administrators in charge of managing larger Windows environments, it pays to keep an eye on Askwoody.com, which frequently points out when specific Microsoft updates are creating problems for a number of users.

As always, if you experience any problems applying any of these updates, consider dropping a note about it in the comments; chances are excellent that someone else reading here has experienced the same issue, and maybe even has found a solution.

Things are not entirely going to plan for Apple’s generative AI system, after the recently introduced service attracted the ire of the British Broadcasting Corporation.

Apple Intelligence generated a headline of a BBC news story that popped up on iPhones late last week, claiming that Luigi Mangione, a man arrested over the murder of healthcare insurance CEO Brian Thomson, had shot himself. This summary was not true and sparked a complaint from the UK’s national broadcaster.

AI-generated content is prone to inaccuracies, and providers like Microsoft and OpenAI typically include disclaimers. Introducing a summary into a user’s news feed without making it clear there is a chance it could be wrong is bad, but worse is attributing the inaccuracy elsewhere.

A source at the BBC, who spoke to The Register on condition of anonymity, admitted that corporation had made its fair share of errors over the years, but said:

“This one caused some jitters and has fed into a mood that AI-generated products can be a bad fit for news especially. Our Head of News is big on verify and truth, etc so [the] BBC will really want to make a fuss when this happens so everyone knows it’s wrong and not our fault.”

The mistake comes as smartphone users show apathy to AI services being hoisted onto their devices. In a recent survey of 2,000 smartphone users (of which more than 1,000 had an iPhone capable of running Apple Intelligence), 73 percent of iPhone users said AI features added little or no value. A little more than one in ten believed AI features were “very valuable.”

More than half (54 percent) of iPhone users had used Apple Intelligence to generate notification summaries. Almost three-quarters (72 percent) had used the services’ Writing Tools for tasks such as proofreading and summarizing.

For context, it seems some Samsung users are even more blasé about AI. Eighty-seven percent said AI features added little or no value, despite the tech giant pumping them into devices.

Apple Intelligence was launched in the UK in the last week. However, those hoping the megacorp’s late entry to AI would be a little more polished may be disappointed by high-profile missteps such as the BBC’s complaint. Apple Intelligence appears equally prone to errors as other AI platforms. ®

Minnesota-based Arctic Wolf, a cybersecurity operations firm, announced an agreement Monday to acquire BlackBerry’s Cylance business for $160 million, a stark drop from the $1.4 billion BlackBerry initially paid to acquire the startup in 2018. 

Arctic Wolf is integrating Cylance’s AI-powered endpoint security technology into its platform to broaden its security solutions. With this acquisition, Arctic Wolf plans to bolster its presence in the competitive cybersecurity market, leveraging Cylance’s technology. It marks Arctic Wolf’s sixth acquisition to date, enhancing its portfolio with previous acquisitions such as RootSecure and Tetra Defense.

The sale includes a cash payment and approximately 5.5 million common shares of Arctic Wolf, with BlackBerry set to receive around $80 million at closing and the remainder following in fiscal 2025. The deal is expected to be finalized in BlackBerry’s fiscal Q4.

John Giamatteo, CEO of BlackBerry, highlighted the sale’s benefits for all stakeholders involved, ensuring continuity for Cylance’s clients. “Our customers will realize the benefits of continuity of service and the expertise that Arctic Wolf provides,” he said in a statement, noting that BlackBerry will remain involved in the sector as a reseller and shareholder post-transaction.

Cylance, founded in 2012 and acquired by BlackBerry in 2018, initially anticipated a strengthened position in the cybersecurity space. Prior to the acquisition, the tool was instrumental in discovering the malware responsible for the historic breach at the Office of Personnel Management. However, market shifts toward threat detection and response — capabilities that Cylance lacked — dampened its market hold. 

Nick Schneider, Arctic Wolf’s CEO, expressed the imperative need for integrated security operations, identifying weakness in isolated point solutions. “Security has an operations and effectiveness problem and endpoint solutions alone have failed to live up to the outcomes they have promised for years,” Schneider stated, emphasizing the need for a unified platform that effectively minimizes risk and enhances resilience.

The planned integration of Cylance’s AI capabilities into Arctic Wolf’s open-XDR Aurora platform is set to advance endpoint security deliverables and harness automated intelligence to preemptively counteract cybersecurity threats.

Artificial intelligence has come to the desktop.

Microsoft 365 Copilot, which debuted last year, is now widely available. Apple Intelligence just reached general beta availability for users of late-model Macs, iPhones, and iPads. And Google Gemini will reportedly soon be able to take actions through the Chrome browser under an in-development agent feature dubbed Project Jarvis.

The integration of large language models (LLMs) that sift through business information and provide automated scripting of actions — so-called “agentic” capabilities — holds massive promise for knowledge workers but also significant concerns for business leaders and chief information security officers (CISOs). Companies already suffer from significant issues with the oversharing of information and a failure to limit access permissions — 40% of firms delayed their rollout of Microsoft 365 Copilot by three months or more because of such security worries, according to a Gartner survey.

The broad range of capabilities offered by desktop AI systems, combined with the lack of rigorous information security at many businesses, poses a significant risk, says Jim Alkove, CEO of Oleria, an identity and access management platform for cloud services.

“It’s the combinatorics here that actually should make everyone concerned,” he says. “These categorical risks exist in the larger [native language] model-based technology, and when you combine them with the sort of runtime security risks that we’ve been dealing with — and information access and auditability risks — it ends up having a multiplicative effect on risk.”

Related:Citizen Development Moves Too Fast for Its Own Good

Desktop AI will likely take off in 2025. Companies are already looking to rapidly adopt Microsoft 365 Copilot and other desktop AI technologies, but only 16% have pushed past initial pilot projects to roll out the technology to all workers, according to Gartner’s “The State of Microsoft 365 Copilot: Survey Results.” The overwhelming majority (60%) are still evaluating the technology in a pilot project, while a fifth of businesses haven’t even reached that far and are still in the planning stage.

Most workers are looking forward to having a desktop AI system to assist them with daily tasks. Some 90% of respondents believe their users would fight to retain access to their AI assistant, and 89% agree that the technology has improved productivity, according to Gartner.

Bringing Security to the AI Assistant

Unfortunately, the technologies are black boxes in terms of their architecture and protections, and that means they lack trust. With a human personal assistant, companies can do background checks, limit their access to certain technologies, and audit their work — measures that have no analogous control with desktop AI systems at present, says Oleria’s Alkove.

Related:Cleo MFT Zero-Day Exploits Are About to Escalate, Analysts Warn

AI assistants — whether they are on the desktop, on a mobile device, or in the cloud — will have far more access to information than they need, he says.

“If you think about how ill-equipped modern technology is to deal with the fact that my assistant should be able to do a certain set of electronic tasks on my behalf, but nothing else,” Alkove says. “You can grant your assistant access to email and your calendar, but you cannot restrict your assistant from seeing certain emails and certain calendar events. They can see everything.”

This ability to delegate tasks needs to become part of the security fabric of AI assistants, he says.

Cyber-Risk: Social Engineering Both Users & AI

Without such security design and controls, attacks will likely follow.

Earlier this year, a prompt injection attack scenario highlighted the risks to businesses. Security researcher Johann Rehberger found that an indirect prompt injection attack through email, a Word document, or a website could trick Microsoft 365 Copilot into taking on the role of a scammer, extracting personal information, and leaking it to an attacker. Rehberger initially notified Microsoft of the issue in January and provided the company with information throughout the year. It’s unknown whether Microsoft has a comprehensive fix for the issue.

Related:Generative AI Security Tools Go Open Source

The ability to access the capabilities of an operating system or device will make desktop AI assistants another target for fraudsters who have been trying to get a user to take actions. Instead, they will now focus on getting an LLM to take actions, says Ben Kilger, CEO of Zenity, an AI agent security firm.

“An LLM gives them the ability to do things on your behalf without any specific consent or control,” he says. “So many of these prompt injection attacks are trying to social engineer the system — trying to go around other controls that you have in your network without having to socially engineer a human.”

Visibility Into AI’s Black Box

Most companies lack visibility into and control of the security of AI technology in general. To adequately vet the technology, companies need to be able to examine what the AI system is doing, how employees are interacting with the technology, and what actions are being delegated to the AI, Kilger says.

“These are all things that the organization needs to control, not the agentic platform,” he says. “You need to break it down and to actually look deeper into how those platforms actually being utilized, and how do people build and interact with those platforms.”

The first step to evaluating the risk of Microsoft 365 Copilot, Google’s purported Project Jarvis, Apple Intelligence, and other technologies is to gain this visibility and have the controls in place to limit an AI assistant’s access on a granular level, says Oleria’s Alkove.

Rather than a big bucket of data that a desktop AI system can always access, companies need to be able to control access by the eventual recipient of the data, their role, and the sensitivity of the information, he says.

“How do you grant access to portions of your information and portions of the actions that you would normally take as an individual, to that agent, and also only for a period of time?” Alkove asks. “You might only want the agent to take an action once, or you may only want them to do it for 24 hours, and so making sure that you have those kind of controls today is critical.”

Microsoft, for its part, acknowledges the data-governance challenges, but argues that they are not new, just made more apparent due to AI’s arrival.

“AI is simply the latest call to action for enterprises to take proactive management of controls their unique, respective policies, industry compliance regulations, and risk tolerance should inform – such as determining which employee identities should have access to different types of files, workspaces, and other resources,” a company spokesperson said in a statement.

The company pointed to its Microsoft Purview portal as a way that organizations can continuously manage identities, permission, and other controls. Using the portal, IT admins can help secure data for AI apps and proactively monitor AI use though a single management location, the company said. Google declined to comment about its forthcoming AI agent.

Healthcare software as a service (SaaS) company Phreesia is notifying over 910,000 people that their personal and health data was exposed in a May breach of its subsidiary ConnectOnCall, acquired in October 2023.

ConnectOnCall is a telehealth platform and after-hours on-call answering service with automated patient call tracking for healthcare providers.

“On May 12, 2024, ConnectOnCall learned of an issue impacting ConnectOnCall and immediately began an investigation and took steps to secure the product and ensure the overall security of its environment,” the company revealed.

“ConnectOnCall’s investigation revealed that between February 16, 2024, and May 12, 2024, an unknown third party had access to ConnectOnCall and certain data within the application, including certain information in provider-patient communications.”

After discovering the breach, Phreesia notified federal law enforcement of the incident and hired external cybersecurity specialists to investigate its nature and impact.

Phreesia also took ConnectOnCall offline and has since been working to restore the systems within a new and more secure environment.

While the statement doesn’t include the total number of people impacted, ConnectOnCall told the U.S. Department of Health and Human Services that the breach affected the protected health information of 914,138 patients.

​The personal information exposed during the almost three-month-long breach includes information shared in communications between patients and their healthcare providers, such as names and phone numbers.

This may have also included medical record numbers, dates of birth, as well as information related to health conditions, treatments, or prescriptions, and, in a small number of cases, the affected individuals’ Social Security Numbers.

“The ConnectOnCall service is separate from Phreesia’s other services, including our patient intake platform. Based on our investigation to date, there is no evidence that our other services have been affected,” Phreesia said in a separate statement on its official website.

“We understand the importance of this service to our clients’ business, and we are working to restore the ConnectOnCall service as quickly as possible.”

Phreesia also advised potentially impacted individuals to report suspected identity theft or fraud to their insurer, health plan, or financial institution, even though the company has no evidence that the exposed personal information has been misused.

Dec 16, 2024Ravie LakshmananCyber Attack / Cyber Espionage

The Security Service of Ukraine (SBU or SSU) has exposed a novel espionage campaign suspected to be orchestrated by Russia’s Federal Security Service (FSB) that involves recruiting Ukrainian minors for criminal activities under the guise of “quest games.”

Law enforcement officials said that it detained two FSB agent groups following a special operation in Kharkiv. These groups, per the agency, consisted exclusively of children aged 15 and 16.

“The minors carried out hostile tasks of conducting reconnaissance, correcting strikes, and arson,” the SSU said in a statement released Friday. “To mask subversive activities, both enemy cells operated separately from each other.”

As per the quest game rules set by the FSB, the children were given geographic coordinates, after which they were instructed to get to the location, take photos and videos of targets, and provide a general description of the surrounding area.

The results of these reconnaissance missions were subsequently shared to the Russian intelligence agency via anonymous chats. The SSU said the information gathered from these activities was used to carry out airstrikes in Kharkiv.

Ukraine’s principal security arm also revealed that it has detained “all members of the enemy groups” who were found taking photos of air defense facilities in the country. One of the organizers has been taken into custody and faces life imprisonment.

Also charged in connection with the efforts is a “liaison” of the FSB agent groups, a police officer from the Krasnodar region of Russia. He has been charged in absentia under Part 2 of Article 113 of the Criminal Code of Ukraine, which relates to acts of sabotage committed under martial law.

The development comes as the Computer Emergency Response Team of Ukraine (CERT-UA) warned of a new set of cyber attacks that it said were aimed at defense companies in the country as well as its security and defense forces. The intrusions have been attributed to a Russia-linked actor tracked as UAC-0185.