In this edition of the Halcyon video/podcast series Last Month in Security, host Anthony M. Freed and panelists Ben Carr and Ryan Golden are joined by Chaunda Dallas, MSIT, who went from emergency room nurse to healthcare cybersecurity specialist on her journey to safeguard patients and their most sensitive data.

First off, we take a look at a Microsoft advisory regarding an affiliate attacker dubbed Vanilla Tempest Leveraging who was observed utilizing the JScript Gootloader malware to drop INC ransomware.

GootLoader is typically spread via SEO poisoning waterhole attacks by a threat actor tracked as Storm-0494, and Vanilla Tempest is assessed to be associated with Vice Society, which has not been very active recently. They have been observed dropping BlackCat, Quantum Locker, Zeppelin, and Rhysida payloads previously.

Then we dive into some post-event regulatory and legal actions which significantly benefit from hindsight, of course. It’s a much different perspective looking back at chain of events than when making decisions in real time pre-event or during an attack.
So, does that make these critical assessments just Monday morning armchair quarterbacking after the fact? Well, the SEC recently dismissed much of SolarWinds case for this very reason.

The SEC had claimed that SolarWinds' website over-stated their compliance with government standards in implementing strong password protections and following a secure software development protocol, insisting that internal conversations uncovered in the investigation suggested otherwise.

The judge in the case disagreed, stating the regulations in question were for financial controls, not security controls. Subsequently, most of the case against SolarWinds and their CISO were dismissed.

Three other cases (very different) from last month also call into question whether it is fair to deeply scrutinize security decisions well after the fact with all information post-event in hand.

Case one involved Enzo Biochem, a biotech company was ordered to pay $4.5 million to the attorneys general of New York, New Jersey, and Connecticut following a 2023 ransomware attack that compromised the data of over 2.4 million people.

Key failings included poor password management, lack of multi-factor authentication (MFA), and the failure to encrypt sensitive data on all systems. The attackers gained access using shared credentials, one of which hadn't been updated in a decade. Clearly there were egregious lapses in security here – not a best effort.

Case 2 involved attackers accessing Lehigh Valley Health Network (LVHN) and deploying ransomware after exfiltrating healthcare data. The brunt of the enforcement actions involved the attackers leaking sensitive images of breast cancer patients.

A class-action lawsuit, filed in March 2023, accused LVHN of failing to safeguard patient data, although there was no indication of poor security practices as we saw with Enzo Biochem, so for the sake of discussion we assumed that none had occurred.

As security pros, we know a determined attacker with enough resources will eventually succeed – so is any and every organization that handles sensitive data basically facing default judgements when they get popped?
Case 3 involved over 2.7 billion records being exfiltrated in an attack on a company called National Public Data, where the information eventually found its way to a hacking forum. The breach resulted in a class action lawsuit against National Public Data for failing to protect this sensitive information.

What is interesting about this case is the fact that the information that was compromised had been scraped from public sources by National Public Data, which aggregates and sells the data for background checks and other purposes.