
Secure AF - A Cybersecurity Podcast
Think like a hacker. Defend like a pro.
Welcome to the Secure AF Cybersecurity Podcast — your tactical edge in the ever-evolving cyber battlefield. Hosted by industry veterans including Donovan Farrow and Jonathan Kimmitt, this podcast dives deep into real-world infosec challenges, red team tactics, blue team strategies, and the latest tools shaping the cybersecurity landscape.
Whether you're a seasoned pentester, a SOC analyst, or just breaking into the field, you'll find actionable insights, expert interviews, and unfiltered discussions with Alias team members and top-tier guests from across the cybersecurity spectrum.
Stay sharp. Stay informed. Stay Secure AF.
Ep 91: The Engineers React to Breach News
In this episode, our security engineers break down the latest cybersecurity headlines, from the real scoop behind the “16 billion password” leak to the rise of hacker groups like Scattered Spider. 🕷️
We discuss how attackers bypass MFA, why stolen data keeps resurfacing, and what organizations can do to protect sensitive data. Plus, we dive into industrial control system risks and why basic cybersecurity hygiene matters more than ever. 🛡️
Watch full episodes at youtube.com/@aliascybersecurity.
Listen on Apple Podcasts, Spotify and anywhere you get your podcasts.
00:00:07:22 - 00:00:10:22
Voiceover
You're listening to the Secure AF podcast,
00:00:19:12 - 00:00:39:16
Will:
Welcome to another episode of the Secure AF podcast. On today's episode, we are going to be talking about recent breaches and data leaks that are in the news, looking at some of the fact and fiction, trying to separate the myth from reality. So I'm sitting here right now with our principal security engineer, Tanner.
00:00:39:16 - 00:00:40:10
Tanner:
Thanks for having me.
00:00:40:10 - 00:00:53:20
Will:
And so today we're going to be talking with you about the Scattered Spider group. So can you walk us through who Scattered Spider is and what makes them stand out from other cybercriminal groups?
00:00:53:20 - 00:01:13:04
Tanner:
Sure. Yeah. So Scattered Spider has been showing up in the news recently. The FBI has stated that they are going after airlines, which is an interesting thing about them. They're super interesting. We'll get into it a little bit. But I mean, they're a financially motivated group, like a lot of ransomware groups are, although they're not a ransomware group per se.
00:01:13:09 - 00:01:35:21
Tanner:
They have done some ransomware, but it's not their M.O. They primarily operate out of North America. Almost all their targeting is done out of North America. What makes them stand out is their operational maturity in social engineering. They're very, very experienced in social engineering, and some of these attacks are unique to them. They do a lot of phishing, a lot of calls.
00:01:35:23 - 00:02:09:04
Tanner:
And they don't really have any accents. They sound like native English speakers. They have a mastery of the English language as, you know, an American, a United States person would, or maybe a Canadian, somebody from English-speaking North America. So it's kind of suggesting that they may be out of North America, which is very unusual, because most of the threat actors we see are based out of Eastern Europe or some Asian countries, or sometimes some Caribbean countries, but very rarely do we actually find North American-based threat actors.
00:02:09:04 - 00:02:33:02
Tanner:
So it's super interesting to me on that aspect. They're known for impersonating employees, so they do a lot of calling the help desk, pretending to be, you know, an employee who needs something reset, any kind of publicly available lines. They do a lot of calling and emailing and targeting those lines for initial access. So they call, and they're known for being super confident,
00:02:33:02 - 00:02:54:00
Tanner:
just like any experienced social engineer would, kind of like what we aim for on these calls. And they've been really successful at it. They've hit telecom, tech, hospitality, and now apparently airlines is what they're targeting. So they blend a lot of their tactics with other groups too. They've worked with ALPHV to actually do ransomware.
00:02:54:02 - 00:03:15:00
Tanner:
As I mentioned before, it's not what they always do, but they have worked with them. So they almost act like an APT, or an advanced persistent threat, and then they rope in a lot of these financial aspects like fraud and ransomware and things like that. So they're really unique in that aspect.
Will:
So why do you think they're targeting airlines now?
00:03:15:00 - 00:03:32:06
Tanner:
Why airlines? I guess maybe just a bit of an untapped market. I mean, we know there have been some breaches that go on at airlines. It's also possible that maybe one of them has some insider knowledge on it. Maybe they know. Maybe they've worked in airlines and they know their way around the system. Some of the unique things about them.
00:03:32:08 - 00:03:51:09
Tanner:
Really, it's just speculation on my part. I haven't seen anything that would indicate why. But if I were to pick a target, you know, as somebody who's an attacker, I would like to go after things that I have familiarity in, so I could speak the internal lingo, be a little bit more convincing.
00:03:51:11 - 00:04:13:20
Tanner:
You know, in a former life, I did HVAC, and I could probably convince HVAC people that I was an HVAC person just because I have that. If I were to call airlines, I'm going to have to do a lot of research on what the thing is to say and do, and the little intricacies of it. It's also possible that they just noticed, hey, these guys have poor security, and started exploring that, right?
00:04:13:20 - 00:04:37:14
Tanner:
So really it's speculation, but those are some guesses on my part.
Will:
Okay. So you mentioned social engineering. That seems to be the weapon of choice. They're very effective with it. So I hear that they're also bypassing multi-factor authentication. So how are they doing that? And what does that say about current cybersecurity practices?
Tanner:
So yeah, they've really turned social engineering into their full-blown threat vector.
00:04:37:20 - 00:05:04:23
Tanner:
It seems like that's where all their breaches are coming from. I've not really heard of any that are from IT. Not to say that there aren't any, but not that we're really aware of. So they're calling a lot of IT help desks, pretending to be real employees. They're doing a lot of pretexting, so they're getting the org chart, finding out who's who, who reports to who, what they do, all their information, information about those people that would help them convince others that they are them.
00:05:05:01 - 00:05:26:18
Tanner:
As far as MFA, there are several techniques that we've already seen them use. One of them is actually sort of a, I want to call it a dying technique, maybe it's not: SIM swapping. We could do a whole talk on SIM swapping, but they are getting a phone number switched to their phone, where they will be,
00:05:26:18 - 00:05:44:09
Tanner:
whenever you get your text message for MFA, able to get that on their phone, and then they can use that to log in because they're actually getting the MFA code. It usually involves exploiting a telecom group. There are a lot of underground groups that are doing this. Big money involved in it. It's big business, and has been for quite some time.
00:05:44:11 - 00:06:00:15
Tanner:
But it's not the only way. Also just good social engineering, where you could say, I'm not getting it. I don't know, my MFA is broken. I guess I need you to help me reset that too. And the help desk will help you do it. I mean, you're only as good as, you know, the person who you're talking to, right?
00:06:00:17 - 00:06:22:00
Tanner:
And then another aspect that we know they've used is MFA bombing, which is something that is continuously effective, which is kind of crazy. Which is basically, I can log into your account, so at 3 a.m. I'm going to log in 120 times until you're so sick of getting notifications at three in the morning that you just click okay to shut it up. You think something's broken.
00:06:22:00 - 00:06:42:07
Tanner:
I don't know why this is doing this. Okay. Shut up. And it's effective. It works well.
Will:
So that probably explains why I get all the push notifications from you in the middle of the night.
Tanner:
That's it.
Will:
So. Okay, so, what should companies be doing differently to defend against groups like Scattered Spider?
00:06:42:07 - 00:06:44:14
Tanner:
Harden your MFA resets.
00:06:44:16 - 00:07:05:05
Tanner:
That's a big one for sure. Make sure your help desk isn't just able to reset this stuff. Make sure that they understand that this is an attack vector. People will try to do this against them. Locking down vendor access. Another thing that they've done is compromise vendors and be able to go from the vendors into the business.
00:07:05:07 - 00:07:34:01
Tanner:
So harden your processes and procedures to see what your vendors actually have access to inside of your network, and make sure that that is a locked-down process, that even if they get in with a vendor account, they can't do a lot, or that you at least understand the risk and have mitigations and expectations and policies in place for if they do get in. Because it's a lot easier to train and expect things of your own employees than it is a vendor.
00:07:34:03 - 00:07:38:23
Tanner:
So that's always something to be concerned about, especially with how many that we have.
00:07:38:23 - 00:07:51:20
Tanner:
They exploit help desks a lot. So I would say train your help desk people like your SOC. Like, give them full-blown security training. Make sure that they understand what threats are, how to find the threats. Give them real-life examples. Keep them up to date.
00:07:51:20 - 00:08:09:07
Tanner:
You know, send out a newsletter to your help desk, be like, hey guys, just so you know, we're an airline. These guys have been targeting airlines. Here are some things that they've been able to do. Be on the lookout for this. Don't let this be you, that sort of thing. And then of course, there are some tools you can have in place for a lot of the, you know, the technical aspects.
00:08:09:07 - 00:08:34:13
Tanner:
Right, where you want to be looking for behaviors and known signatures with your SIEMs and things like this. You can catch exfiltration when it starts happening, if they're getting persistence. What's really, really hard is whenever they call in, their social engineering, they gain access through standard means, just like an employee would. That's whenever it's hard, because if there's nothing out of the norm, it's really hard to tell, you know, what's going on there.
00:08:34:15 - 00:08:52:09
Tanner:
So then you can look for anomalous logins and things like that. So there are still things that you can do. But largely, I think education and making sure your MFA and vendor policies are going to be kind of the biggest things, in my opinion, at least for the way that this group is working, which is unusual. Yeah.
00:08:52:10 - 00:09:16:22
Will:
Yeah, I'd say also very unusual. I think companies a lot of times train their employees mainly on being aware of phishing tactics, and not vishing, and especially if we're talking about a group of social engineers that are coming in and they don't have an accent and they basically just sound like they are local, then there needs to be a lot more training to be aware of that.
00:09:17:02 - 00:09:29:14
Tanner:
Yeah. Well, the trope, the kind of stereotype is, you know, somebody calls in with an Indian accent or a Nigerian accent, right? They call in, and then, you know, oh, this guy, he's a scammer or whatever. People get those kind of low-level scam calls all the time.
00:09:29:14 - 00:09:41:06
Tanner:
But whenever there are millions and millions of dollars on the line and there are all kinds of, you know, reasons for them to want to do this and really sink effort and skilled attackers into this,
00:09:41:07 - 00:09:51:12
Tanner:
then it becomes a bit of a different ball game, where it's, okay, you can't just rely on obvious stuff. You have to use your brain. Not even just that. You have to have checks and processes in place. They might call in and they might know the password and the verification and everything like that.
00:09:56:15 - 00:10:17:01
Tanner:
Maybe that's because your process doesn't verify enough, you know. Maybe you need extra steps of verification. Maybe you need things that are harder for somebody else to figure out, rather than just, okay, give me your four-digit PIN, that they already social engineered out of that person. Right.
Will:
Okay. Any final notes?
Tanner:
I expect to see more social engineering popping up as we're seeing how effective this group is.
00:10:22:22 - 00:10:28:09
Tanner:
I wouldn't be surprised if we saw a little bit of AI stuff coming in, where, we've seen tools that can remove accents to help naturalize language. Right now it still kind of sounds like you're talking to a robot, but as that improves, I would not be surprised if that becomes very common.
00:10:42:07 - 00:11:04:11
Tanner:
That really lowers the bar that you need to talk, where, I mean, anybody in any part of the world who speaks enough English would theoretically be able to do that, you know, with their AI. And as live translation happens, maybe not even speak English. Maybe that attack vector just becomes open to the whole world. You know, we can't really know for sure what the future will hold for that.
00:11:04:13 - 00:11:26:18
Tanner:
As well as there might be more people, you know, more North American, Canadian, American people who start going, hey, I could probably do this. If they're doing it, I could get away with it. I will say, if anybody's listening to this and thinking about that, they are not very kind to United States citizens. If you do hack things, they put you in jail, and they do not mess around with it.
00:11:26:20 - 00:11:43:16
Tanner:
You do not have the leeway that you do in Eastern Europe. Yeah. Very different, very different ballgame for us, right? Yeah. Yeah.
Will:
Well, Tanner, thank you so much for hanging out and talking about Scattered Spider.
Tanner:
Yeah, yeah. Thank you.
Will:
We will be right back.
00:11:52:01 - 00:12:17:23
Will:
Welcome back to the Secure AF podcast. I'm sitting here now with our SOC analyst, Dax.
Dax:
Thanks for having me.
Will:
So we've been talking about recent data breaches, leaks that are in the news, kind of looking at some of the fact versus fiction of a lot of those. So there's been a lot of buzz over the last few weeks about this so-called 16 billion password breach.
00:12:18:01 - 00:12:56:13
Will:
Can you walk us through what was initially reported?
Dax:
Yeah. So back in June, which was not that long ago at all, we got reports, or a lot of people got reports and news stories buzzing around this alleged 16 billion passwords that were breached, or would have been the biggest password breach in the whole world. I mean, they were saying things like Google, Apple, Facebook, etc. were all supposedly breached, and it was billions upon billions of unique credentials and leaked information with the websites, usernames, passwords, all that kind of information, just heaps of it.
00:12:56:15 - 00:13:23:07
Dax:
That's kind of what was being reported on back in June.
Will:
Okay. And so the story caught attention really quickly because of just the sheer number, and/or this being the biggest breach in history. So what did cybersecurity experts, what did we find out when we looked at this a little bit closer?
Dax:
Well, of course, everybody was freaking out after they saw, like, 16 billion passwords, you know, is my password in there?
00:13:23:07 - 00:13:44:03
Dax:
Is your password in there? That's a lot. So we obviously looked into it pretty quickly, and as we got deeper into it, it's a lot of duplicate data. I mean, it's going to happen in 16 billion different, 16 billion lines of text. There's a lot of duplicate data that was inflating the numbers.
00:13:44:09 - 00:14:08:12
Dax:
But then on top of that, what was originally sold as a new breach of like 30 different companies, it's not a new breach. It's more of like a collection of old or old-ish data, all compiled together into one file or one torrent. And even then, there are not a lot of places you can actually find to pull that torrent.
00:14:08:14 - 00:14:15:00
Dax:
I mean, we had our red team looking for it, and we couldn't find one reliable source to pull it. So supposedly there is a file somewhere that has 16 billion lines of text in there, but nobody's really been able to verify it. And even the sources that it came from, it's been confirmed as not a breach, but a collection of data from previous breaches.
00:14:32:12 - 00:14:54:18
Will:
Interesting. Okay. So that makes this different from a traditional data breach?
Dax:
Correct, because this in itself is not a data breach. It is a collection of data breaches over the past several years or so. I mean, we see stuff like this happen decently often, where, like the RockYou password list, it's not one breach. If you go to RockYou 2024, that's a collection of passwords that were exposed in different breaches. That is most similar to what we're dealing with right now: a collection of multiple breaches, all compiled into one area.
Will:
Gotcha.
Dax:
Again, supposedly, since we can't find a reliable source.
00:15:15:05 - 00:15:41:14
Will:
So allegedly. Yes, that is the key. Yeah. Okay. So you mentioned that there's the inclusion of duplicates. There's a lot of recycled data that's inflated the numbers.
Dax:
Yes, absolutely.
Will:
I'm going to switch gears a little bit here. How did mainstream media outlets contribute to the spread of, I would say, misinformation in this case?
Dax:
Absolutely. I would say, again, it originally stemmed from maybe a misuse of words or miscommunication, where everybody saw it and was like, 16 billion passwords breached.
00:15:50:13 - 00:15:58:20
Dax:
And then it listed a bunch of mainstream companies and, like, oh my gosh, you know, this is huge. You know, again, it would have been the biggest breach in history.
00:15:58:20 - 00:16:09:11
Dax:
When mainstream news, or just news in general, hears of that, that is news. I mean, I can tell you that is something you should report on. Like, that is something you should at least look deeper into,
00:16:09:11 - 00:16:31:18
Dax:
if not report on it. So that story just caught on like wildfire because everybody thought it was, you know, even us, at first we were like, oh my goodness, this could be big. That would be something you would look into. And just as you saw it, they took a source, maybe didn't verify that source, and just threw it out there as is.
00:16:31:23 - 00:16:55:00
Dax:
And that's where everybody was getting like, oh my gosh, this is real, because there were a million sources reporting the same thing. But when looking deeper into it, it was like, the original source isn't quite the most reliable.
Will:
You know, you don't have to say names, but I think, yeah, if you're in the community, you know.
00:16:55:02 - 00:17:17:19
Dax:
Right. Yeah, yeah.
Will:
So what are the risks when media outlets sensationalize cybersecurity stories like this?
Dax:
I mean, I would say it's the same thing, in a similar vein to, like, health scares, where every once in a while you'll get a health scare of, like, oh no, monkeypox is coming to America, or coming to your area.
00:17:17:21 - 00:17:41:20
Dax:
It's similar, where everybody's like, it's fear mongering. People are gonna freak out or lose their mind, you know? I mean, it's scary to think that you are not safe anymore. Of course, people really aren't ever safe, technically, but that's another story, right? Right. I would just say it's a lot of panic that is not necessarily due in this case.
00:17:41:22 - 00:18:05:04
Will:
Yeah. We don't want to cause unnecessary panic. Right. Well, and I would also say that waters down, let's say, kind of like a crying wolf kind of situation, where, you know, if there are all these false stories that are coming out in the news and people are hearing it constantly, the more they hear, the more they're so used to it, they start ignoring it. They become jaded to it.
00:18:05:04 - 00:18:25:21
Dax:
We touched on that back in the SOC brief podcast.
Will:
Oh yeah. Yeah. Talking about false positives, right.
Dax:
Yeah. So, but that's a real fear, where you hear it so many times, and it's like, when something big actually does happen, then people are like, yeah, yeah, yeah, I know, or I already heard about this, because they don't know what the difference is between this one and this one.
00:18:25:21 - 00:18:29:07
Will:
Absolutely. But there is that situation where the more people hear about it and it turns out to be false, when something big does happen, people aren't going to care as much.
Dax:
Correct. It's almost desensitization.
00:18:39:20 - 00:18:54:08
Will:
Yeah. So what role should cybersecurity researchers play in helping the public understand these events?
Dax:
Well, I would say to the public, you know, we would be the experts, we being cybersecurity professionals. But yes, to toot my horn a little bit there, as experts, people are going to listen to you as a cybersecurity professional. We need to make sure the information we are providing the public is true, is valid, so we don't give off those false positives or give off unverified news.
00:19:19:05 - 00:19:25:18
Will:
We need to protect our credibility and give out valid information to the public.
00:19:25:18 - 00:19:45:20
Dax:
We don't want to cause unnecessary fear or just spread misinformation, right? Especially not as the experts. I mean, that's huge too, right?
Will:
It's very important in our line of work that we have integrity. And that we are credible.
00:19:45:20 - 00:20:12:01
Dax:
Absolutely.
Will:
And so we've got to be very careful with what we put out there and what we say, because if our integrity or credibility is hurt, then people trust us a little bit less. And people have a mistrust of cybersecurity professionals in the first place.
Dax:
Absolutely. I mean, I would say I would trust a lot of my coworkers with several things, but I would not leave my computer unlocked around them.
00:20:12:03 - 00:20:34:20
Will:
That is very true. Well, Dax, do you have any last notes?
Dax:
I would just say, I mean, again, this wasn't a breach. It's just a collection of data. But that doesn't mean you can ignore it either. You know, we're always harping on people to have multi-factor authentication or two-factor authentication.
00:20:34:22 - 00:20:59:05
Dax:
Change your passwords. If you can, go on websites like Have I Been Pwned and see, like, hey, has my password appeared in a breach? It's good to practice good cyber hygiene. You know, don't reuse passwords. It's always good to check that stuff. But in this specific case, you don't have to freak out about,
00:20:59:07 - 00:21:11:00
Dax:
is my data leaked? Just make sure you're doing all the proper things that you need: passwords, multi-factor authentication. And of course, we're always going to harp on that.
Will:
Awesome. Well, thank you for joining.
Dax:
Of course. Thank you. Will.
00:21:18:23 - 00:21:22:05
Will:
And I'm here with our security engineer lead, Andrew Hickman.
Hickman:
Howdy.
00:21:22:05 - 00:21:41:12
Will:
The leak that we're gonna discuss is the AT&T repackaged leak of 2025. Okay. All right. So a lot of times you hear, when we're talking about data leaks, oh, this is a repackaged leak, or this is rehashed. What's the difference between those two words?
00:21:41:12 - 00:22:06:19
Hickman:
Yeah. The main thing with the repackaging that we see is it may be two different sets of data that have been combined. So the initial leak may have had things like Social Security numbers and names, while there's another set of data that they then correlate, put together, or repackage, and that second set of data may have things like names and birthdates.
00:22:06:21 - 00:22:33:21
Hickman:
And so once you put those together and repackage it, it kind of creates the perfect storm for things like fraud, credit card fraud, different types of identity theft. Right. And so instead of just having, like, a name and a Social Security number, now you have a phone number associated with that, a home address associated with that, Social Security numbers, that all ties in together.
00:22:33:23 - 00:22:56:19
Will:
Oh, gotcha. And so with this repackaged breach, one of the things that we're seeing is that there's now the Social Security numbers. I guess in the first breach they were encrypted. Now they're decrypted?
Hickman:
It's not necessarily that they were decrypted. It may have been encrypted at some point in time.
00:22:56:21 - 00:23:20:19
Hickman:
It could be either. It could have been that they had the data, but they were encrypted and now they're decrypted. It could have just been a completely separate data set that they pulled into this and associated them together.
Will:
Okay. So this affected how many people?
Hickman:
So the initial breach, I believe, was around 86 million AT&T customers.
Will:
Wow.
00:23:20:21 - 00:23:47:01
Hickman:
And what they were able to do is, this repackaging affects around 44 million customers. So it's not quite the same, but 44 million is still, you know, a lot of customers.
Will:
That's a huge number. So why is it that the numbers are so different right there from the original breach?
Hickman:
It's most likely due to what data they had to correlate, or what extra data they were able to get.
00:23:47:03 - 00:24:14:05
Hickman:
So when they're repackaging it, they're making sure that they have all of those matching names, Social Security number, birthdate, phone number, address, things like that. And so they may have been able to, from that initial data set, correlate that information with the new data set or, you know, the decryption of data, and then from there repackage it into kind of more valuable data for fraudsters or threat actors out there.
00:24:14:07 - 00:24:15:05
Will:
Okay. We've been hearing a lot about the Snowflake breach from last year. And at first they were saying that this was repackaged from the Snowflake breach, but that's not correct. Correct?
Hickman:
No. So this repackaged one just came up in May. So this was just a couple months ago.
00:24:34:23 - 00:24:55:21
Hickman:
It's actually from a 2021 data breach that we're aware of. Yeah. It's not associated with the 2024 Snowflake breach.
Will:
Do we know who was responsible for this?
Hickman:
As far as we've been able to determine, no. So this data appeared on a Russian dark web forum. That's where it first showed up in May.
00:24:55:23 - 00:25:25:16
Hickman:
It was uploaded in June, and it really gained traction towards the middle of June. And that's when we started seeing different media outlets cover it.
Will:
Okay. So going back, what caused this breach in the first place? What exploitation, what weaknesses were there?
Hickman:
I don't know if we've got transparency behind that. We'd kind of have to trust whatever AT&T is reporting on.
00:25:25:18 - 00:25:48:17
Hickman:
It likely happened from exploited weaknesses in AT&T's systems or vendors, but that would be speculation. Really, it hit US customers the hardest. It kind of has a global effect there. But what actually caused it is, you know, kind of up in the air.
00:25:54:10 - 00:26:20:17
Will:
So because of the fact that there are full names, birthdates, Social Security numbers, all of this data has been mapped together, we're going to see probably a lot more vishing calls, phishing scams out of this, identity theft.
00:26:20:17 - 00:26:23:18
Hickman:
I think identity theft is going to be your primary driver there.
00:26:23:21 - 00:26:43:14
Hickman:
Yeah. So the combination of Social Security numbers, names, addresses, it's really a goldmine for identity theft, creating fraudulent accounts, fake tax filings. And because it's all data resurfacing, it really kind of shows that breaches can have long-lasting consequences.
00:26:43:14 - 00:26:48:11
Hickman:
And so it wasn't just, you know, hey, my data is out there.
00:26:48:11 - 00:27:17:01
Hickman:
It happened in 2021. You know, I'm going to monitor for a couple of years with whatever credit monitoring service and, you know, let things lie. We're talking four years later now, it's resurfaced and out there. It's the same threat being new, right? And so you might, you know, as an individual, have your credit monitoring already up for whatever time you were going to get it for, and now you need to do it again.
00:27:17:01 - 00:27:34:20
Will:
So other companies, organizations, especially those that deal with customer data, what are some actions that they can take to prevent something like this from happening to them and to their customers?
Hickman:
For sure. That's a good question.
00:27:34:22 - 00:28:21:06
Hickman:
A lot of it comes down to taking care of the data and then securing your networks and your systems. So data encryption, you know, end to end, wherever you're storing it, making sure that that's secure, it's encrypted. Having security systems in place, like XDR, different SIEMs, things like that, that are monitoring and alerting on traffic that might be suspicious, or having different file auditing applications or software, so that if, you know, there's an individual or an account that's accessing certain data, you're getting alerted on it.
00:28:21:08 - 00:29:00:08
Hickman:
XDR is something that, you know, if you've got it installed on endpoints in your environment, it's going to help identify any kind of suspicious activity, anything that is out of the ordinary, at least getting alerting on it and things like that. Another thing that's kind of more organizationally specific is vendor audits, scrutinizing the third parties that you work with, making sure that you have policies and procedures with them, have your security standards that they have to uphold, you know, when connecting into your environment.
00:29:00:09 - 00:29:17:16
Hickman:
And then zero trust models. So one thing, access everywhere, to where, you know, zero trust is, you trust no one. I mean, that's really what it is. And then you allow access to different assets or data just as needed.
00:29:17:15 - 00:29:28:04
Will:
Okay. So thank you for bringing this up, and for sitting here and discussing this with us.
00:29:28:06 - 00:29:59:20
Will:
Do you have any final notes?
Hickman:
Yeah, I would say, like, leaks like this, where there's old data that's just repackaged, just kind of go to prove that, you know, these things can linger and can have lasting consequences for organizations even years after they've happened. So prioritizing your security, encryption, audits and things like that, they work at the end of the day, and you're protecting your customers, right? Those are your assets. And this is what you need to do. Right?
00:29:59:21 - 00:30:09:22
Will:
Good. All right. Thank you. Andrew.
Hickman:
Yeah. Hey, thanks for having me.
00:30:17:21 - 00:30:35:10
Will:
And welcome back to the Secure AF podcast. I'm sitting here with Andrew Peters, security engineer two. And we're continuing our talk about the fact and fiction and the mythos of some of the data breaches that we're seeing in recent days and the last couple of weeks.
00:30:35:12 - 00:31:02:13
Will:
So let's set the stage. Can you give us a quick overview of what Episource does and its role in the health care ecosystem?
Peters:
Yeah, absolutely. Episource is a company that provides software to healthcare organizations. They use this software to perform risk adjustment, medical coding, electronic medical record keeping, and various other health care related tasks.
00:31:02:15 - 00:31:24:13
Will:
Okay. And so why are companies like Episource so critical to the operations of modern health care organizations?
Peters:
Well, pretty much every modern health care organization is going to need some sort of way to keep and maintain electronic medical records and coding information. And Episource is just one of the many solutions out there that exist that health care organizations use for that.
00:31:24:15 - 00:31:51:06
Will:
Okay. So recently, and we're talking about Episource because it has been in the headlines due to a significant data breach. So what do we know so far about what happened?
Peters:
Well, right now we know that, between January 27th and February 6th of this year, they were accessed by an unauthorized intruder in their environment that was able to exfiltrate data. And right now they're estimating that it was about 5.4 million records that were taken. 5.4 million records.
00:31:51:08 - 00:32:19:23
Will:
So how does this breach compare to others that we've seen in 2025, especially in terms of scale and impact?
Peters:
So it's the second largest one reported this year so far, at least to the Office for Civil Rights. The biggest one was Yale New Haven Health System, and that was 5.6 million.
00:32:19:23 - 00:32:44:23
Will:
So it's a very, very close second for the year so far. So can you tell us what kind of information was compromised in this breach? I'm assuming, I mean, there's a lot of HIPAA related items here, patient data. What kind of information was compromised? And why is it concerning?
00:32:44:23 - 00:33:09:07
Peters:
So, according to Episource, it looks like names, contact information, insurance information, other types of health care records, and even potentially date of birth and Social Security numbers were compromised. That's especially problematic because a lot of that information, especially like date of birth, Social Security numbers, and contact information, can obviously be used to commit identity theft as that information gets published on the internet.
00:33:09:07 - 00:33:42:11
Will:
So. Right. And so, yeah, this is the second time just in this episode that we've talked about Social Security numbers that have been compromised, and date of birth, names, addresses, all of the things that threat actors would use for identity theft. So can you tell us how transparent Episource has been with the public and with regulators about this breach?
00:33:42:13 - 00:34:14:16
Peters:
I've seen organizations be less transparent. Obviously they're going to withhold some details about exactly what happened and what the nature of the breach was. Maybe we'll learn a little bit more about that in the future. But in terms of the actual breach itself and their disclosure to OCR and the notifications that they've released to their customers and clients, I would say that, based on what I've seen, they're pretty much as transparent as they can possibly be in that situation, within their legal rights.
00:34:14:18 - 00:34:38:06
Will:
So I've seen that, I mean, they're talking about it, they're admitting it happened. And from what I've seen, they're saying that not all of the records have been compromised, but for those that have been, they are reaching out to those people that were affected by it.
00:34:38:08 - 00:35:01:03
Peters:
Yes. According to Episource, they did say that not all of their records have been compromised. It was just a portion of them. They are doing investigations to determine which specific records were exfiltrated from their environment so that they can send out notifications to the users. They did say that right now they haven't seen any misuse of that data.
00:35:01:05 - 00:35:34:15
Peters:
But, you know, those threat actors didn't have any good intentions in mind when they removed that from their environment. So it's only a matter of time before we start seeing that become misused.
Will:
Now, I think with this one, we don't know exactly how this happened. Correct?
Peters:
No. Not yet.
Will:
So, looking at other health care companies, looking at incidents like this, how do you think this will push health care companies to rethink how they handle and how they secure data?
00:35:37:22 - 00:36:03:19
Peters:
I would like to think that incidents like this, as we continue to see them happen, because this isn't the first EHR software that we've seen get compromised, I would like to think that hospitals will spend a little bit more time on vendor due diligence and vendor management and actually ask for more information about how these health record software providers are actually handling this type of information and what their own internal security policies look like.
00:36:04:15 - 00:36:30:22
Will:
Yeah. I think that's very important. It's not just keeping track of yourself, but also keeping track of everyone that you're letting in. Tanner was speaking about that just earlier, actually, talking about Scattered Spider, about how important it is to keep track of your vendors and keep track of what the vendors have access to.
00:36:31:00 - 00:36:45:12
Will:
So. Very good. So, one last question. What lessons do you think other organizations can learn from the Episource breach?
Peters:
Well, once again, unfortunately, they probably won't. But invest in security. I know for a lot of organizations, especially hospitals, cybersecurity is just a giant money sink for them, or so that's what they think.
00:36:55:12 - 00:37:19:20
Peters:
Because they don't ever see a tangible return on their investment. They spend a bunch of money paying salaries of security professionals and buying a bunch of software. But until there's actually an incident that is prevented by that, they never actually see any return from it. So, as a result, a lot of the security teams for health care organizations don't get the funding that they need to operate efficiently.
00:37:20:00 - 00:37:38:04
Peters:
So, I would hope that hospitals will continue to increase the funding and training for their cybersecurity teams to do their best to make sure this doesn't keep happening in the future.
Will:
Agreed. Well, Peters, thank you so much for being on the show. We'll see you next time.
00:37:46:08 - 00:38:15:11
Will:
All right. We're sitting here with our SOC analyst, Dylan. And we've been talking about different breaches in the news recently, and you're here to talk about the Lake Risevatnet dam breach in Norway that recently took place. And this was sort of a wake up call. Could you walk us through what happened and why it matters for ICS, industrial control systems, security today?
00:38:15:13 - 00:38:31:15
Dylan:
Yeah. So what basically happened is a hacker got access from outside to their industrial control systems, and they increased the water pressure of the dam well above the riverbed's threshold.
00:38:31:15 - 00:38:47:01
Dylan:
And while this one didn't do any damage, that's where our wake up call is. Things like this could have impact and big damages, because other manufacturing companies, chemical manufacturing, those also use these systems.
00:38:47:01 - 00:39:09:17
Dylan:
And if those systems were to get hacked, you know, they could change chemical leveling and, you know, just a whole slew of messes that could come out of that.
Will:
Right? So you mentioned it was the increase in the pressure, but not enough to actually do any damage. So in real numbers, the dam could increase pressure to, I believe it's 20,000 liters per second, and they increased it to just a little under 500. So to you, does this feel like a proof of concept attack?
Dylan:
It very well could be someone just trying to test the waters of what they can do. And the only reason this attack was able to happen is because we had an outward facing webpage that had control of the valve, as well as it was secured by weak passwords and didn't have multifactor authentication. And those are a pretty big deal. And that's why we stress a lot that you need to have multi-factor authentication and stronger passwords.
00:39:40:18 - 00:39:55:13
Will:
Absolutely. So why are small, underfunded facilities such frequent targets for ICS, cyber attacks? What makes them so vulnerable?
00:39:55:13 - 00:40:11:16
Dylan:
The smaller companies have a hard time trying to get proper audits, proper assessments of their equipment. They don't have the time to really sit there and nitpick at all their security, but that is when it's the most important, whenever you are lacking in those.
Will:
So many ICS attacks don't involve sophisticated exploits, right?
00:40:18:13 - 00:40:46:17
Will:
So what does that say to you about the current state of ICS security, hygiene?
Dylan:
It says a lot about our standards and baselines. We really need to nitpick at those. We need to make sure we don't have weak passwords, we're using multifactor authentication. Segmentation of networks is actually a massive thing in that these systems shouldn't have internet facing ports.
00:40:46:19 - 00:41:14:04
Dylan:
As well, these systems are used in really big, major companies across the nation and internationally. I mean, they're used in power grids, water treatment facilities, nuclear facilities. Pretty important systems that we've got to make sure we're taking care of. So it's really just those baseline standard things, because a lot of them get hit by these weak passwords and lack of multi-factor authentication.
00:41:14:06 - 00:41:40:11
Dylan:
And we really try to address those points, right? Especially the MFA. And always, always MFA. Yeah. I hear so many people complaining about MFA, but it's so important. I mean, you've got to make sure you know who's getting into your systems, right?
Will:
How does the convergence of IT and OT environments expand the attack surface, and what can organizations do to manage that risk?
00:41:44:08 - 00:42:00:05
Dylan:
It increases the attack surface because it gives a lot more systems that weren't made to be on networks access to networks. So having those systems that weren't intended to be on the network means that they didn't have the security built in.
00:42:00:05 - 00:42:02:19
Dylan:
None of that thought process was put into it.
00:42:02:19 - 00:42:30:11
Dylan:
So I mean, that attack surface becomes massive now, because you no longer have a system that was built with security in mind; it was built with efficiency in mind. And some of the ways we can help mitigate that are just by segmenting our networks. We need IDS and firewalls in between, mitigating the amount of internet facing ports that there are, things of that nature.
00:42:30:11 - 00:42:57:17
Will:
So you've already spoken to this a lot, but repetition is important. So looking ahead, you know, what practical steps should IT professionals take today to harden ICS systems against future threats?
Dylan:
They really need to audit their systems and perform assessments over them to make sure that they don't have those internet-facing web pages.
00:42:57:19 - 00:43:20:08
Dylan:
They need to really make sure that their end users are creating strong passwords. And these are, I mean, these seem like small things whenever you talk about them, but they're really big and important. I mean, people will just repeat the same passwords for all their accounts, and you can't be doing that. You've got to make sure that you've got a good, strong password.
00:43:20:08 - 00:43:43:21
Dylan:
So using password managers, going back to multi-factor authentication, you know, really making sure that your systems are using that two step MFA, those are going to be the biggest things that help mitigate these kinds of risks. It's just really nailing those small details. The small details are what really fix these.
00:43:43:23 - 00:43:49:02
Will:
Do you have any last words, any last tidbits on this or anything else before we wrap up?
00:43:49:02 - 00:44:08:09
Dylan:
It's just these small, small things: the passwords, multifactor authentication, understanding, you have to look at what systems you're operating with, too. That's probably a big thing.
00:44:08:11 - 00:44:33:02
Dylan:
Before I go, sometimes looking at a system, you can kind of forgive that it doesn't have the strongest password, but these ICS, or another system that's kind of similar, SCADA systems, if that's something that's more familiar to you, they really just need constant, constant checks. We need to make sure that those, they're very important systems, and they need to be locked up in a vault.
00:44:33:04 - 00:44:53:17
Will:
Yep. Lock them up. All right. Well, thank you, Dylan. Thank you. So this has been another episode of the Secure AF podcast. I'd like to thank Dylan. I'd like to thank Peters and Hickman, and Tanner and Dax, for coming on and speaking about these different vulnerabilities. So a big shout out to the amazing SOC over here at Alias Cybersecurity. Until next time.
00:45:03:08 - 00:45:15:17
Voiceover:
The Secure AF Podcast is a production of Alias Cybersecurity. Visit us online at aliascybersecurity.com. All rights reserved.