Cybersecurity Saturday

Following up on the President’s signature of the Consolidated Appropriations Act on March 15, Cybersecurity Dive discusses the new critical infrastructure cyberattack reporting requirements. Those requirements will take effect after the Cybersecurity and Infrastructure Security Agency issues implementing regulations. Those regulations, in turn, will let us know whether and to what extent healthcare entities are part of the critical infrastructure subject to the new reporting requirements.

From the vulnerability front, the HHS Cybersecurity Program released its February 2022 vulnerability bulletin on March 18.

Tech Republic reviews the latest vulnerabilities that CISA has added to its catalog.

More specifically, Bleeping Computer informs us

The Federal Bureau of Investigation (FBI) warns of AvosLocker ransomware being used in attacks targeting multiple US critical infrastructure sectors.

This was disclosed in a joint cybersecurity advisory published this week in coordination with the US Treasury Department and the Financial Crimes Enforcement Network (FinCEN).

“AvosLocker is a Ransomware as a Service (RaaS) affiliate-based group that has targeted victims across multiple critical infrastructure sectors in the United States including, but not limited to, the Financial Services, Critical Manufacturing, and Government Facilities sectors,” the FBI said [PDF].

Cybersecurity Dive adds

The FBI and Cybersecurity and Infrastructure Security Agency on Tuesday warned U.S. organizations about Russian state-sponsored threat actors exploiting the PrintNightmare vulnerability, as well as misconfigured account settings used in multifactor authentication (MFA) to launch attacks. 

The threat actors were able to launch an attack against a non-government organization (NGO) dating back to May 2021 using a misconfigured MFA setting set to default. They used the flaw to enroll a new device and gained network access, according to the bulletin. The attackers later exploited the PrintNightmare vulnerability to steal documents after gaining access to the cloud and email accounts. 

Separately, ESET researchers are warning about a third data wiping malware called CaddyWiper, which destroys user data and partition information. The wiper was found Monday on several dozen systems in a limited set of organizations in Ukraine, but does not share code similarities with either HermeticWiper or IsaacWiper.

From the ransomware front

  • Here’s a link to the latest “The Week in Ransomware” from Bleeping Computer.

In early September, researchers with Google’s Threat Analysis Group started tracking a financially motivated hacking group exploiting a since-patched Microsoft vulnerability to gain access to targeted computers. 

Later it became clear that the group is what’s known as an initial access broker — a crew specializing in gaining entry to high-value networks and selling that access to other cybercriminals — and that it is closely affiliated with the notorious Conti ransomware organization.

In findings published Thursday, the Google researchers detail how the group they’re calling “Exotic Lily” employed relatively novel tactics to gain access to targets, and how, at its peak, the hackers sent an estimated 5,000 emails per day to as many as 650 targeted organizations globally.

From the cyberdefense front

  • The HIPAA Journal assesses the March 2022 cybersecurity newsletter from HHS’s Office for Civil Rights, the agency that enforces the HIPAA Privacy and Security Rules.

As the government looks to tighten procurement regulations for critical software, the National Institute of Standards and Technology issued a special publication detailing appropriate ways to assess an organization’s adherence to the agency’s go-to list of enhanced security requirements for protecting controlled but unclassified information.  

“Assessors obtain evidence during the assessment process to allow designated officials to make objective determinations about compliance to the CUI enhanced security requirements,” reads NIST guidance—SP 800-172A—published Tuesday. “The evidence needed to make such determinations can be obtained from various sources, including self-assessments, independent third-party assessments, government-sponsored assessments, or other types of assessments, depending on the needs of the organization establishing the requirements and the organization conducting the assessments.”

  • The Wall Street Journal offers an article by Stuart Madnick, who is the John Norris Maguire Professor of Information Technologies, Emeritus, at the MIT Sloan School of Management and the founding director of the Cybersecurity at MIT Sloan (CAMS) research consortium. Mr. Madnick explains why “[u]nless organizations fix the internal decision-making that allowed a cyberattack to occur, they could be vulnerable to further breaches, researchers say.”

Following up on last week’s post on Google’s acquisition of Mandiant, Cybersecurity Dive puts that transaction in perspective.

“Let’s face it, Google’s in a sort of a death race with AWS and Azure in terms of cloud supremacy, right,” said Garrett Bekker, a principal research analyst with S&P Global’s 451 Research. “To some extent, security is a tool that helps them get there more than an end in and of itself.”

Google’s gobbling up of Mandiant is the latest in a sector feeding frenzy. There were more than 200 M&A deals last year, with aggregate disclosed deal valuations exceeding $55 billion. In the past five years, there were more than 1,000 cybersecurity M&A deals, data from CB Insights show. 

This week recorded a $616.5 million acquisition, with SentinelOne’s plans to add Attivo Networks’ identity security to its XDR suite.