Cybersecurity Saturday

From the cybersecurity policy front —

Cybersecurity Dive tells us

U.S. corporate leaders need to embrace cybersecurity as an issue of central importance to the success of their businesses, Cybersecurity and Infrastructure Security Agency Director Jen Easterly said.

Easterly, in a Thursday appearance before the Economic Club of New York, told attendees that top corporate executives, including CEOs and corporate board members, need to understand the risks posed by cybersecurity and take an active role in. 

Speaking just weeks after the Biden administration unveiled the national cybersecurity strategy, Easterly said this is not an issue the government can fix on its own, but businesses will need to play an important role in solving.  

Nextgov adds

[T]he House Committee of Oversight and Accountability heard testimony from Acting National Cyber Director Kemba Walden on how to implement the National Cybersecurity Strategy.

In opening statements, Walden outlined several pillars the national strategy plans to rely on when incorporating stronger defenses into U.S. digital networks. These include forming international partnerships, investing in a workforce, incentivizing stronger cybersecurity requirements, disrupting threat actors, and implementing stronger security measures. 

The paramount principle guiding the strategy, however, is imparting more responsibility on the federal government and Big Tech players to safeguard U.S. networks.

“The biggest, most capable and best positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber risk and keeping us all safe––and that includes the federal government,” Walden said.

Health IT Security informs us

The Cybersecurity and Infrastructure Security Agency (CISA) released an updated version of its Cybersecurity Performance Goals (CPGs), a set of voluntary practices that critical infrastructure organizations may adopt to mitigate cyber risk.

CISA initially released the CPGs in October 2022 in response to President Biden’s National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. The updated version has been reorganized according to stakeholder feedback.

The CPGs are now more closely aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) functions (Identify, Protect, Detect, Respond, and Recover) to help organizations more easily navigate the CPGs and prioritize investments accordingly.

From the cyber breaches front —

Health IT Security highlights

The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) issued its 2022 Internet Crime Report, which revealed key trends that emerged in the cyber threat landscape last year. The IC3 received 800,944 complaints in 2022, signifying a 5 percent decrease from 2021.

Despite this decrease, the potential total loss grew from $6.9 billion in 2021 to more than $10.2 billion in 2022. Ransomware alone racked up $34.3 million in losses in 2022.

“While the number of reported ransomware incidents has decreased, we know not everyone who has experienced a ransomware incident has reported to the IC3,” the report noted.

“As such, we assess ransomware remains a serious threat to the public and to our economy, and the FBI and our partners will remain focused on disrupting ransomware actors and increasing the risks of engaging in this activity.”

The healthcare sector reported the most ransomware attacks to IC3 in 2022 compared to any other critical infrastructure, accounting for 210 of the 870 complaints tied to critical infrastructure. IC3 data shows that 14 of the 16 critical infrastructures had at least one member that fell victim to a ransomware attack last year.

CBS News brings us up to date on the recent DC Health Link breach.

Cybersecurity Dive relates

  • Exploits of zero-day vulnerabilities fell by almost a third in 2022, but it was still the second highest year on record, according to Mandiant research released Monday.
  • Mandiant tracked 55 zero-day vulnerabilities that were exploited in 2022, including three instances linked to financially motivated ransomware threat actors. 
  • Products from the three largest vendors — Microsoft, Google and Apple — were the most commonly exploited for the third year in a row, according to Mandiant.

Health IT Security adds

Microsoft has observed an increase in distributed denial of service (DDoS) attacks against healthcare organizations in recent months, a blog post by the Azure Network Security Team explained. Microsoft observed an increase from 10-20 DDoS attacks against healthcare applications hosted in Azure in November 2022 to 40-60 attacks daily in February 2023.

As previously reported, HHS warned the healthcare sector earlier this year about pro-Russian hacktivist group KillNet, a threat group known to target the sector with DDoS attacks.

“While KillNet’s DDoS attacks usually do not cause major damage, they can cause service outages lasting several hours or even days,” HHS stated at the time.

From the ransomware / data retrieval and extortion front

Tech Republic reports

Ransomware groups are pulling no punches in their attempts to force compromised organizations to pay up. A report released Tuesday by Unit 42, a Palo Alto Networks threat intelligence team, found that attackers are increasingly harassing victims and associated parties to make sure their ransom demands are met.

For its new 2023 Ransomware and Extortion Threat Report, Unit 42 analyzed approximately 1,000 incidents that the team investigated between May 2021 and October 2022. Around 100 cases were analyzed for insight into ransomware and extortion negotiations. Most of the cases were based in the U.S., but the observed cybercriminals conducted attacks against businesses and organizations around the world.

By the end of 2022, harassment was a factor in 20% of the ransomware cases investigated by Unit 42, a significant jump from less than 1% in mid 2021.

Bleeping Computer’s The Week in Ransomware tells us

This week’s news has been dominated by the Clop ransomware gang extorting companies whose GoAnywhere services were breached using a zero-day vulnerability.

Over the past month, one hundred new companies have been added to Clop’s data leak site, with the extortion gang threatening to leak data if a ransom is not paid.

From the cybersecurity defenses front —

The Healthcare Cybersecurity Coordination Center released a mobile device security checklist.

Mobile devices are prevalent in the health sector, and due to their storage and processing of private health information (PHI) as well as other sensitive data, these devices can be a critical part of healthcare operations. As such, their data and functionality must be protected. This document represents a basic checklist of recommended items for health sector mobile devices to maintain security, including data in motion and at rest, as well as the capabilities of the device itself.

CISA “released the Untitled Goose Tool to help network defenders detect potentially malicious activity in Microsoft Azure, Azure Active Directory (AAD), and Microsoft 365 (M365) environments. The Untitled Goose Tool offers novel authentication and data gathering methods for network defenders to use as they interrogate and analyze their Microsoft cloud services.” 

CISA also announced

In today’s blog post, Associate Director of the Joint Cyber Defense Collaborative (JCDC) Clayton Romans highlighted recent successes of pre-ransomware notification and its impact in reducing harm from ransomware intrusions. With pre-ransomware notifications, organizations can receive early warning and potentially evict threat actors before they can encrypt and hold critical data and systems for ransom. Using this proactive cyber defense capability, CISA has notified more than 60 entities of early-stage ransomware intrusions since January 2023, including critical infrastructure organizations in the Energy, Healthcare and Public Health, Water and Wastewater Systems sectors, as well as the education community.

The pre-ransomware notification was cultivated with the help of the cybersecurity research community and through CISA’s relationships with infrastructure providers and cyber threat intelligence companies.

For more information, visit #StopRansomware. To report early-stage ransomware activity, visit Report Ransomware. CISA also encourages stakeholders and network defenders to review associate director Romans’ post, Getting Ahead of the Ransomware Epidemic: CISA’s Pre-Ransomware Notifications Help Organizations Stop Attacks Before Damage Occurs, to learn more about CISA’s Pre-Ransomware Notification Initiative.

Cyberscoop explains how “the FBI’s BreachForums bust is causing chaos in the cybercrime underground. The dramatic fall of one of the preeminent cybercrime communities on the web will have major implications for the cybercrime markets.”