UnitedHealth Change data breach doubles to 190 million people

In February 2024, UnitedHealth subsidiary Change Healthcare suffered a massive ransomware attack that disrupted the US healthcare system for weeks. The outage prevented providers and pharmacies from filing claims and stopped pharmacies from accepting discount prescription cards, leaving patients to pay full price for medications.

It was later discovered that the BlackCat ransomware gang, also known as ALPHV, was behind the attack. The threat actors used stolen credentials to log in to the company's Citrix remote access portal, which did not have multi-factor authentication enabled, so a valid password alone was enough for initial access. Once inside the network, they stole 6 TB of data and encrypted systems, forcing the company to shut down its IT systems and the online platforms for billing, claims, and prescription fulfillment.

In October 2024, UnitedHealth reported to the US Department of Health and Human Services Office for Civil Rights that the attack affected 100 million people. On January 24, 2025, UnitedHealth confirmed that the figure had nearly doubled to 190 million, roughly 56% of the US population.

The Securities and Exchange Commission (SEC) cybersecurity disclosure rules require public companies to report a material cybersecurity incident on Form 8-K within four business days of determining that the incident is material (the clock starts at the materiality determination, not at first detection). The figures reported to HHS OCR fall under a separate regime, the HIPAA Breach Notification Rule, which requires affected individuals to be notified without unreasonable delay and no later than 60 days after the breach is discovered.

Despite these rules, companies still take a long time to investigate and disclose the critical facts of their breaches. Change Healthcare took four months to begin notifying affected individuals, nine months to confirm that 100 million people were affected, and nearly a year to raise that figure to 190 million.

Read more about it here.

Cybercriminals use fake CrowdStrike job interview offers to distribute Cryptominer

“On January 7, 2025, CrowdStrike identified a phishing campaign exploiting its recruitment branding to deliver malware disguised as an ‘employee CRM application.’ The attack begins with a phishing email impersonating CrowdStrike recruitment, directing recipients to a malicious website. Victims are prompted to download and run a fake application, which serves as a downloader for the cryptominer XMRig”, reads the report published by CrowdStrike.

The email tricks recipients by claiming they have been selected for a junior developer role and must join a recruitment call by downloading a CRM tool via an embedded link. The phishing message directs the victims to a malicious website that appears to offer download options for both Windows and macOS.

However, regardless of the option chosen, the same Windows executable, written in Rust, is downloaded. It acts as a downloader for XMRig. CrowdStrike's researchers noted that it first runs evasion checks, such as looking for running anti-malware or analysis tools. Only if those checks pass (no such tooling is detected) does it continue: it displays a fake error message to the user, then downloads additional payloads, establishes persistence, and launches the XMRig miner.

The company recommended treating any interview conducted over instant message or email as suspect and refusing to download any software as part of an interview. It also stressed verifying the authenticity of any CrowdStrike hiring communication by contacting recruiting@crowdstrike.com.

Read more about it here.

Over 3.3 million mail servers lack TLS encryption

ShadowServer researchers reported that over 3.3 million POP3 and IMAP mail servers lack TLS encryption, exposing the credentials sent to them to network sniffing.

POP3 (Post Office Protocol 3) and IMAP (Internet Message Access Protocol) are two protocols used to access emails from mail servers.

With POP3, messages are downloaded to the local device and usually deleted from the server. With IMAP, messages remain on the server and are synchronized across the user's devices.

TLS (Transport Layer Security) is a cryptographic protocol designed to provide secure communication over a computer network. It is widely used to protect data transmitted over the internet, such as email, web browsing, instant messaging, and file transfers.

ShadowServer scanned the internet for hosts running a POP3 service on port 110/TCP or 995/TCP that does not offer TLS. On 110/TCP a server is expected to advertise the STLS command so the client can upgrade the connection to TLS before authenticating; 995/TCP is reserved for POP3 over implicit TLS, so a cleartext listener there is just as exposed. The IMAP equivalents are 143/TCP with STARTTLS and 993/TCP with implicit TLS. A client connecting to a server that offers neither sends its username and password in cleartext, where anyone on the network path can capture them.

“This means that passwords used for mail access may be intercepted. Additionally, service exposure may enable password guessing attacks against the server”, reads the post published by ShadowServer.

“If you receive this report from us, please enable TLS support for POP3 as well as consider whether the service needs to be enabled at all or moved behind a VPN.”

“We have started notifying about hosts running POP3/IMAP services without TLS enabled, meaning usernames/passwords are not encrypted when transmitted. We see around 3.3M such cases with POP3 & a similar amount with IMAP (most overlap).”
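The check behind that report, as an added example for this item (not ShadowServer's scanner): parse a POP3 CAPA reply for STLS, parse an IMAP greeting for STARTTLS, and classify a service on 110/TCP or 995/TCP as offering implicit TLS, STARTTLS, or no TLS at all. The sample replies are constructed, not captured from any real host; `probe_pop3()` is the live version of the same logic and needs network access. Host names, the timeout value and the category labels are assumptions made for this example.

```python
"""Does a POP3/IMAP service offer TLS? A probe in the spirit of ShadowServer's scan.
Added example, not ShadowServer's code. Standard library only; the classification
functions run on replies given as strings, probe_pop3() runs against a live host."""
import socket
import ssl

TIMEOUT = 5  # seconds per connection (assumed value)

def pop3_capa_offers_stls(capa_reply: str) -> bool:
    """True if a POP3 CAPA reply (RFC 2449) advertises STLS."""
    # A successful reply is '+OK ...', one capability per line, ended by a lone '.'.
    # An '-ERR' reply (server without CAPA) counts as no STLS: nothing was offered.
    lines = [ln.rstrip("\r") for ln in capa_reply.split("\n")]
    if not lines or not lines[0].upper().startswith("+OK"):
        return False
    for ln in lines[1:]:
        if ln == ".":
            break
        if ln.strip().upper() == "STLS":
            return True
    return False

def imap_offers_starttls(reply: str) -> bool:
    """True if an IMAP greeting or CAPABILITY reply (RFC 3501) lists STARTTLS."""
    for ln in reply.splitlines():  # handles '* OK [CAPABILITY ...]' and '* CAPABILITY ...'
        tokens = ln.upper().replace("[", " ").replace("]", " ").split()
        if "CAPABILITY" in tokens and "STARTTLS" in tokens:
            return True
    return False

def classify_pop3(port: int, tls_handshake_ok: bool, capa_reply: str) -> str:
    """Apply the scan's rule to evidence already collected from one host."""
    # 995/TCP is POP3 over implicit TLS (RFC 8314): a service there either completes
    # a TLS handshake or is a cleartext listener sitting on the TLS port.
    # 110/TCP starts in cleartext and is only upgradable if STLS is advertised.
    if port == 995:
        return "implicit-tls" if tls_handshake_ok else "no-tls"
    return "starttls" if pop3_capa_offers_stls(capa_reply) else "no-tls"

def _recv_line(sock) -> str:
    """Read one CRLF-terminated protocol line (works on plain and TLS sockets)."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode("latin-1")

def _recv_capa(sock) -> str:
    """Read a CAPA reply: a single '-ERR' line, or '+OK' through the '.' terminator."""
    first = _recv_line(sock)
    if not first.startswith("+OK"):
        return first
    lines = [first]
    while lines[-1].rstrip("\r\n") != ".":
        ln = _recv_line(sock)
        if not ln:
            break
        lines.append(ln)
    return "".join(lines)

def probe_pop3(host: str, port: int = 110) -> str:
    """Live check: return 'implicit-tls', 'starttls' or 'no-tls' for host:port."""
    if port == 995:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False  # the question is whether TLS exists, not cert validity
        ctx.verify_mode = ssl.CERT_NONE
        raw = socket.create_connection((host, port), timeout=TIMEOUT)
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                handshake_ok = _recv_line(tls).startswith("+OK")
        except ssl.SSLError:  # e.g. a cleartext '+OK' banner where a ServerHello was expected
            handshake_ok = False
        finally:
            raw.close()
        return classify_pop3(port, handshake_ok, "")
    with socket.create_connection((host, port), timeout=TIMEOUT) as sock:
        if not _recv_line(sock).startswith("+OK"):
            return "no-tls"  # not speaking POP3 at all; nothing to upgrade
        sock.sendall(b"CAPA\r\n")
        capa = _recv_capa(sock)
        sock.sendall(b"QUIT\r\n")
    return classify_pop3(port, False, capa)

# Constructed sample replies, not captured from any real host.
SAMPLE_CAPA_WITH_STLS = "+OK Capability list follows\r\nTOP\r\nUSER\r\nSTLS\r\nUIDL\r\n.\r\n"
SAMPLE_CAPA_NO_STLS = "+OK Capability list follows\r\nTOP\r\nUSER\r\nUIDL\r\n.\r\n"
SAMPLE_CAPA_ERR = "-ERR unknown command\r\n"
SAMPLE_IMAP_TLS = "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] mail ready\r\n"
SAMPLE_IMAP_NO_TLS = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] mail ready\r\n"

if __name__ == "__main__":
    print("110/TCP with STLS:", classify_pop3(110, False, SAMPLE_CAPA_WITH_STLS))
    print("110/TCP, no STLS: ", classify_pop3(110, False, SAMPLE_CAPA_NO_STLS))
    print("995/TCP cleartext:", classify_pop3(995, False, SAMPLE_CAPA_ERR))
    # Live use (network required): print(probe_pop3("mail.example.net", 110))
```

The same split applies to IMAP: run `imap_offers_starttls()` on the greeting from 143/TCP, and treat a 993/TCP listener that does not complete a TLS handshake as cleartext. A host that lands in the `no-tls` bucket on any of the four ports is one ShadowServer's notification would flag; the fix is to enable STARTTLS/STLS on the cleartext port, serve implicit TLS on 993/995, and disable or firewall the service if it is not needed at all.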

Read more about it here.