Cybersecurity Saturday

From our Nation’s Capital, Cybersecurity Dive reports

On the one-year anniversary of the Executive Order on Improving the Nation’s Cybersecurity, industry experts say the Biden administration has made significant inroads in raising software security standards, but additional work and financial support is necessary to achieve security end goals. 

The Office of Management and Budget’s (OMB) federal zero trust strategy enjoys almost unanimous support from federal cybersecurity decision makers; however, two-thirds of federal cybersecurity decision makers said the three-year timeline was unrealistic, according to a study from MeriTalk, sponsored by AWS, CrowdStrike and Zscaler. Just 14% of those surveyed believe the program is properly funded.

Almost two-thirds of federal officials expect to achieve zero trust goals by the goal date of 2024, according to a separate study from General Dynamics Information Technology. However, many of those officials see significant challenges, including a lack of sufficient IT staff and the need to replace legacy infrastructure.

My, how time flies.

Cyberwire adds

A $63 million settlement has been reached in the class-action lawsuit filed over the 2015 data breach of the US Office of Personnel Management (OPM) that exposed the data of over 21 million current, former, and prospective federal employees and family members, the Epoch Times reports. The files were allegedly stolen by China-backed hackers, who exfiltrated highly sensitive information such as fingerprints and psychological and emotional health histories, and it is reported that the Chinese government has been using data from such breaches to build a database on American citizens for political and economic espionage. The agreement explains, “The settlement is the result of extensive negotiations and accounts for the unique aspects of this litigation, including the strict limitation on recovering from the Government and the causation problems that Defendants would have argued result from the hack’s attribution to a foreign state actor…That these data breaches were attributed to the Chinese government, apparently motivated by foreign policy considerations, would have compounded the risks associated with tracing plaintiffs’ harm to [OPM].” Under the settlement, which is still awaiting approval from a federal judge, OPM will pay $60 million and OPM contractor Peraton will pay $3 million into a fund for victims of the hack.

The news strikes the FEHBlog as a good deal for the government.

From the ransomware front, Cyberscoop informs us

AvosLocker, a prolific ransomware group that was the subject of a recent joint FBI and U.S. Treasury Department warning, claimed this week that it had hit a Dallas-based nonprofit Catholic health system with more than 600 facilities across four U.S. states, Mexico, Chile and Colombia.

The attack on CHRISTUS Health marks the second health care system AvosLocker targeted in the last two months. Michigan-based McKenzie Health System began notifying customers this week that patients’ personal data had been stolen from the company’s network in a “security incident” that “disrupted” some of its IT systems in March. The company did not identify the attacker, but AvosLocker posted purported McKenzie data to its dark web leak site April 6. * * *

Security Week adds

Over the past several months, Iran-linked cyberespionage group Charming Kitten has been engaging in financially-motivated activities, the Secureworks Counter Threat Unit (CTU) reports.

Also referred to as APT35, Magic Hound, NewsBeef, Newscaster, Phosphorus, and TA453, the advanced persistent threat (APT) actor is known for the targeting of activists, government organizations, journalists, and various other entities. * * *

The security researchers assess that, while the group has managed to compromise a large number of targets worldwide, “their ability to capitalize on that access for financial gain or intelligence collection appears limited.” However, the use of publicly available tools for ransomware operations shows that the group remains an ongoing threat, Secureworks concludes.

For more on Charming Kitten, check out this Cyberscoop article.

Here is a link to Bleeping Computer’s Week in Ransomware column.

From the cyber vulnerabilities front, CISA added one new known vulnerability to its catalog.

From the cyber defenses front, here’s a link to a press release of note

The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the United Kingdom’s National Cyber Security Centre (NCSC-UK), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NZ NCSC), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) released an advisory today [May 11] with cybersecurity best practices for information and communications technology (ICT), focusing on enabling transparent discussions between managed service providers (MSPs) and their customers on securing sensitive data. CISA, NCSC-UK, ACSC, CCCS, NZ-NCSC, NSA, and FBI expect state-sponsored advanced persistent threat (APT) groups and other malicious cyber actors to increase their targeting of MSPs against both provider and customer networks. 

Security Week offers an expert view on seven steps to reduce risk to your critical infrastructure quickly.