Cyber Intelligence Weekly

Cyber Intelligence Weekly (July 16, 2023): Our Take on Three Things You Need to Know

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here:

Before we get started on this week’s CIW, I’d like to highlight this insightful article by Jake Murphy, titled "Hacker's Perspective: Web App Vulnerabilities - Hacking GraphQL." Discover the potential vulnerabilities associated with GraphQL and the importance of securing its configuration.

GraphQL is a powerful query language for APIs, allowing developers to fetch data from multiple sources in a single call. However, if not properly configured, it can become an entry point for attackers, leading to devastating consequences.

Learn about the risks of enabling Introspection, which exposes critical information about the API structure, and how attackers can exploit misconfigurations to access sensitive data or manipulate backend information.

Find out the recommended steps to secure GraphQL, including disabling Introspection, masking detailed errors, and implementing proper access controls and authentication mechanisms.

Ensure your web application's security by conducting regular penetration tests to identify and address any vulnerabilities in your GraphQL implementation.

No alt text provided for this image

Read the full article here:

Away we go!

1. From Plan to Action, Implementing the National Cybersecurity Strategy

The Biden Administration has unveiled the National Cybersecurity Strategy Implementation Plan (NCSIP) as part of its ongoing efforts to enhance cybersecurity in the United States. The NCSIP consists of 65 federal initiatives across five pillars aimed at strengthening cybersecurity investment, assigning responsibilities to federal agencies, and providing timelines for completion. Key agencies such as the Office of the National Cyber Director (ONCD), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense will play pivotal roles in leading the initiatives. Notably, the plan does not include specific funding details but references future budget requests for cybersecurity priorities. The NCSIP aims to address cyber risks against critical infrastructure and incentivize long-term cybersecurity investments in both the public and private sectors.

No alt text provided for this image

The five pillars of the NCSIP are as follows: Defend Critical Infrastructure, Disrupt and Dismantle Threat Actors, Shape Market Forces to Drive Security and Resilience, Invest in a Resilient Future, and Forge International Partnerships to Pursue Shared Goals. Each pillar encompasses various initiatives that will impact both the private sector and the federal government. Pillar One focuses on establishing regulations and standards for critical infrastructure defense, while Pillar Two emphasizes the coordination of cyberattack disruption efforts. Pillar Three aims to shape market forces through initiatives like securing the software supply chain, while Pillar Four seeks to secure the internet and emerging technologies. Finally, Pillar Five aims to enhance cybersecurity capabilities through international partnerships.

The NCSIP represents a significant step toward improving the United States' cyber resilience, especially given the fragmented nature of the country's cyber defense efforts and the reliance on the private sector for protection against nation-state actors. However, it also means that security and risk leaders in the private sector will need to prepare for and adapt to the additional regulations that will be imposed, particularly on critical infrastructure. The implementation of the NCSIP will bring about changes that necessitate careful planning and adaptation from organizations. Further research and blogs will be published as the NCSIP progresses, providing valuable insights for organizations to navigate the evolving cybersecurity landscape.

2. Microsoft Security Flaw Exposes Intelligence Operation, The Case for a "Secure by Default" Approach

Recent revelations have shed light on a highly targeted and sophisticated cyber-espionage operation conducted by hackers in China. The operation exploited a security flaw in Microsoft's products, ultimately compromising around two dozen entities, including the U.S. Commerce Secretary. Disturbingly, this attack went undetected by most until and agency with Microsoft's premium logging service, which comes at an additional cost, flagged the activity. This incident raises concerns about the reliance on tech giants like Microsoft for critical security initiatives, particularly as the Biden administration advocates for a "secure by default" approach. Critics argue that charging customers for essential security features, even to discover flaws in their own products, undermines the effectiveness of cybersecurity efforts.

Between May 15 and June 16, Chinese hackers successfully breached the email accounts of Secretary of State Gina Raimondo and State Department employees, coinciding with Secretary of State Tony Blinken's important trip to China. While the full extent of the breach's impact remains unclear, officials believe that it provided valuable insights to Beijing about Blinken's visit. Additionally, the breach targeted Raimondo, who has played a role in implementing restrictive export controls on advanced semiconductors to limit China's access. The fact that the hackers exploited an encryption key to create fraudulent identities raises serious questions about the security protocols implemented by Microsoft.

The revelation of this intelligence operation underscores the challenges faced by organizations in countering skilled and well-resourced hackers. However, the reliance on expensive premium security features to detect such attacks raises concerns about the accessibility and affordability of effective cybersecurity measures. The incident also highlights the ongoing debate about the transition to cloud-based services and the expected security benefits. Microsoft's failure to provide robust logging features by default has drawn criticism from officials at the National Security Council and the Cybersecurity and Infrastructure Security Agency. The issue of charging customers for essential security features has fueled frustration among cybersecurity experts, who argue that this approach sets a low security bar for all, leaving those unable to afford premium features vulnerable to cyber threats. In the meantime, CISA provides a great technical overview of these events, as well as some key learning and features to consider.

3. HCA Healthcare Data Breach, Hacker Puts Stolen Data Up for Sale

A recent data breach at HCA Healthcare has come to light, with a hacker putting up the stolen data for sale on a deep web forum. The breach was initially reported by DataBreaches, and the hacker has claimed responsibility for the attack, demanding unspecified actions from HCA Healthcare. In response, the healthcare company issued a press release confirming the unauthorized access of patient information, which includes patient names, contact details, and appointment-related data. While HCA Healthcare asserts that no clinical or sensitive information was compromised, questions remain regarding the extent of the breach and the potential for additional data being compromised.

The stolen data, which was listed for sale, primarily consists of patient information used for email communication, such as appointment reminders and healthcare program notifications. HCA Healthcare has emphasized that clinical information, payment details, passwords, and social security numbers were not included in the breach. However, concerns have been raised about the nature of the compromised information, as the hacker claims to possess emails with health diagnoses that correspond to a client ID. HCA Healthcare has responded by clarifying that the "client ID" mentioned by the hacker does not refer to individual patients but rather to the hospital or entity developing mailings.

The exact number of affected individuals is still under investigation, but HCA Healthcare estimates that approximately 11 million patients' information may be included in the breached data. However, the hacker's claims suggest that the number of affected patients could be higher, and additional samples of stolen data have been uploaded for sale. HCA Healthcare operates across 20 states in the United States and the United Kingdom, and it remains uncertain whether the breach extends beyond the reported 11 million patients. The company and investigators are actively working to determine the full scope and impact of the breach.

The data breach at HCA Healthcare has raised concerns about patient privacy and the security of healthcare information. While HCA Healthcare maintains that the compromised data does not include sensitive information, the potential exposure of patient names and contact details is still significant. The incident highlights the ongoing need for robust cybersecurity measures in the healthcare sector to protect patient data and maintain trust in the digital age.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers wholistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here:

Sign Up for Weekly Cyber Intelligence Delivered to Your Inbox

Sign up to get Cyber Intelligence Weekly in your inbox.