In this week’s Cyber Blurbs Roundup, we take a look at an important list from the Joint Cybersecurity Advisory, a bad couple of months for San Diego’s top hospital, and the latest zero-day vulnerability with the world’s most popular smartphone.
Federal Agencies Unveil Most Exploited Vulnerabilities
A group of federal agencies joined forces to publish a report highlighting the top 30 most exploited vulnerabilities, many of which are pretty old. The Joint Cybersecurity Advisory — composed of the US Cybersecurity and Infrastructure Security Agency (CISA), FBI, Australian Security Centre (ACSC), and UK’s National Cyber Security Centre (NCSC) — published the information last week.
The agencies list software from Citrix, Pulse, Microsoft, Atlassian, and Netlogon, among others, as those containing vulnerabilities most often exploited by bad actors. Many of these vulnerabilities have already been issued software patches to mitigate the issue, reminding us that cybersecurity is often really only as good as the end user who may or may not decide to keep systems up to date.
"In cybersecurity, getting the basics right is often most important. Organizations that apply the best practices of cybersecurity, such as patching, can reduce their risk to cyber actors exploiting known vulnerabilities in their networks," CISA Executive Assistant Director Eric Goldstein told the FBI. "Collaboration is a crucial part of CISA’s work and today we partnered with ACSC, NCSC, and FBI to highlight cyber vulnerabilities that public and private organizations should prioritize for patching to minimize risk of being exploited by malicious actors."
The full report can be found here.
UC San Diego Health Suffers Data Breach
UC San Diego (UCSD) Health — just one day after being named the sixth-best hospital in California by U.S. News & World Report — announced it was the victim of a cyber attack.
The hospital has not stated how many individuals may have been affected, but did note that protected information may have been compromised during a five-month stretch between Dec. 2 and April 8. Officials confirmed to The San Diego Union-Tribune that the breach resulted from an email phishing attack against one of the hospital’s employees. A UCSD Health spokesperson also confirmed to the newspaper that — as a nice change of pace — ransomware was not involved.
Of user data that “may have been accessed or acquired,” here’s what UC San Diego Health had to say (get your scrolling finger ready):
Full names
Addresses
Dates of birth
Email addresses
Fax numbers
Claims information (including dates and costs of care received)
Lab results
Medical diagnoses and conditions
Medical record numbers
Prescription information
Treatment information
Social security numbers
Government identification numbers
Financial account numbers
Student identification numbers
Usernames
Passwords
The hospital was first alerted to suspicious activity back in March, shutting down the compromised email accounts about a month later. An investigation is said to be ongoing, per the Union-Tribune.
News of UCSD’s breach comes just a few months after Scripps Health — another San Diego hospital — suffered a ransomware attack that left 147,000 people with leaked personal data.
Apple Releases (Another) Zero-Day Patch for iPhones
Another week, another quiet (but critical) software update from Apple. Just days after releasing iOS 14.7 — a patch adding support for its totally reasonably priced magnetic battery pack — the company rolled out iOS 14.7.1, a software update addressing a recently discovered zero-day vulnerability.
The company describes the flaw as follows:
“An application may be able to execute arbitrary code with kernel privileges.”
Apple says it is “aware of a report that this issue may have been actively exploited.” The update is available for the following devices:
iPhone 6s and later
iPad Pro (all models)
iPad Air 2 and later
iPad 5th generation and later
iPad mini 4 and later
iPod touch (7th generation)
The security update also applies to macOS 11.5.1 for its Mac computers. Apple released its latest updates on July 26. According to Security Week, this marks the 13th zero-day vulnerability Apple has patched in 2021.