NDM Technologies Cyber News


DoD Contractor Fined $11.2M for False Cybersecurity Certificates

A major Department of Defense (DoD) contractor, Health Net Federal Services (HNFS), has agreed to pay $11.2 million to settle allegations of falsified cybersecurity compliance certifications. HNFS, a subsidiary of Centene Corporation, allegedly failed to meet critical cybersecurity controls while administering the Defense Health Agency’s TRICARE health benefits program between 2015 and 2018. 

According to the Department of Justice (DoJ), HNFS falsely certified compliance with cybersecurity requirements in its annual reports, despite failing to conduct timely vulnerability scans and address security flaws. Internal and third-party audits repeatedly flagged issues, yet the company allegedly ignored critical warnings regarding asset management, access controls, firewall configurations, outdated software, patch management, and password policies. 

This case highlights the increasing scrutiny on federal contractors to uphold strict cybersecurity standards. Acting Assistant Attorney General Brian M. Boynton emphasized that the DoJ remains committed to holding contractors accountable for cybersecurity violations that threaten national security and the privacy of American citizens.

This settlement serves as a stark warning to all organizations handling sensitive government data: failure to meet cybersecurity obligations can result in significant legal and financial consequences. 



Black Basta's Leaked Chat Logs Reveal Ransomware Gang's Tactics

Recent research into leaked chat logs from the ransomware gang Black Basta has exposed a concerning trend—threat actors actively track and discuss vulnerabilities before they are officially published on CVE.org. The logs reference 62 unique Common Vulnerabilities and Exposures (CVEs), with 53 already known to be exploited in the wild. 

The leaked conversations provide a rare glimpse into the inner workings of one of the most notorious ransomware gangs. Black Basta demonstrates a clear preference for leveraging publicly available exploits, proof-of-concept tools, and widely known vulnerabilities. Microsoft products topped the list of targeted systems, including the ProxyNotShell vulnerabilities in Exchange Server and CVE-2020-1472, better known as Zerologon. The most frequently mentioned vulnerability, however, was CVE-2024-3400, a zero-day in Palo Alto Networks’ PAN-OS that faced widespread exploitation last spring.

Other notable vulnerabilities discussed include CitrixBleed (CVE-2023-4966), Fortinet’s FortiOS zero-day (CVE-2024-21762), and ConnectWise ScreenConnect flaws (CVE-2024-1708 and CVE-2024-1709). While the references don’t confirm direct exploitation by Black Basta, they highlight the urgent need for defenders to stay ahead with timely patching and mitigations—especially when ransomware gangs monitor vulnerabilities before they appear in public databases. 

Cybersecurity teams must act fast, as relying solely on CVE.org for visibility may leave organizations exposed to emerging threats. 



NPD Fined After Massive Data Breach

National Public Data (NPD), the data broker responsible for one of 2024’s largest data breaches, is facing new legal trouble after failing to comply with California’s data privacy laws. 

Back in April 2024, hackers stole databases containing personally identifiable information that included the Social Security numbers of 270 million individuals. While much of the leaked data has been found to be inaccurate, the attack still caused turmoil for the general public and significantly damaged NPD’s reputation.

Following the breach, NPD filed for bankruptcy protection, claiming it could not cover its debts. However, in November 2024, the petition was rejected, allowing authorities and creditors to pursue legal action against the data broker. Now, the California Privacy Protection Agency (CPPA) has fined NPD $46,000 for failing to register as a data broker in the state before the January 31, 2024 deadline. 

This case brings some closure to an incident that impacted many individuals and signals a growing trend in regulatory enforcement. With data breaches on the rise, noncompliance with data protection laws is drawing increasing scrutiny. For companies handling sensitive personal information, failing to meet regulatory requirements not only heightens cybersecurity risks but also invites significant financial and legal consequences. 


Upcoming Conferences & CPE Opportunities

The Official Cybersecurity Summit

This 9th annual Denver Cybersecurity Summit will connect you with C-Suite and Senior Executives responsible for protecting their companies' critical infrastructure. Learn about innovative solutions and take part in interactive panels and discussions.

March 5 -- Denver, CO

Ohio Information Security Conference

This 21st annual Ohio Information Security Conference aims to provide education that enhances your cyber defense strategies. Explore innovative technologies, engage with top experts, and discover best practices tailored to your organization's needs at OISC.

March 5 -- Dayton, OH

Apres Cyber Slopes Summit

Dive into the future of AI and cybersecurity at the Après-Cyber Slopes Summit in Park City, Utah. Experience a unique blend of cutting-edge technology and luxury ski resort leisure. Elevate your expertise and network in an AI-driven Cybersecurity landscape.

March 6-7 -- Park City, UT
