Cybersecurity Saturday

In cybersecurity news —

  • Cyberscoop offers a commentary on Russian hackers — and how to stop them — after a year of cyberwar in Ukraine.
  • The Health Sector Cybersecurity Coordination Center (HC3) released its first quarter 2023 healthcare cybersecurity bulletin.
    • “In Q1 of 2023, HC3 observed a continuation of many ongoing trends with regard to cyber threats to the Healthcare and Public Health community. Ransomware attacks, data breaches and often both together continued to be prevalent in attacks against the health sector. Ransomware operators continued to evolve their techniques and weapons for increasing extortion pressure and maximizing their payday. Vulnerabilities in software and hardware platforms, some ubiquitous and some specific to healthcare, continued to keep the attack surface of healthcare organizations open. Managed service provider compromise continued to be a significant threat to the health sector, as did supply chain compromise.”
  • The Cybersecurity and Infrastructure Security Agency launched National Supply Chain Integrity Month.

From the cyber vulnerabilities front —

  • Health IT Security tells us
    • “Threat actors are increasingly abusing cloud apps to deliver malware in healthcare settings, Netskope revealed in its latest Threat Labs Report. Cloud-delivered malware increased from 38 percent to 42 percent in the past 12 months, researchers found.”
    • “Attackers attempt to fly under the radar by delivering malicious content via popular cloud apps,” the report stated. “Abusing cloud apps for malware delivery enables attackers to evade security controls that rely primarily on domain block lists and URL filtering, or that do not inspect cloud traffic.”
  • HC3 released a sector alert about “DNS NXDOMAIN Attacks.”
    • “Through a trusted third party, information was shared with HC3 regarding a distributed denial-of-service (DDoS) attack, which has been tracked since November 2022. These attacks are flooding targeted networks and servers with a fake Domain Name Server (DNS) request for non-existent domains (NXDOMAINs).”
    • Health IT Security provides more background on these attacks.
      • “Their signature DDoS attacks on critical infrastructure sectors typically only cause service outages lasting several hours or even days,” HC3 noted. “However, the range of consequences from these attacks on the United States health and public health (HPH) sector can be significant, threatening routine to critical day-to-day operations.”
  • HC3 also released a presentation explaining “why electronic health records are still a top target for cyber threat actors.”
  • The Cybersecurity and Infrastructure Security Agency added five vulnerabilities to its Known Exploited Vulnerabilities catalog. Bleeping Computer explains the action.
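The NXDOMAIN flood that HC3 describes above shows up in a resolver's own logs as a burst of failed lookups for names that never repeat. The following is an added detection example, not code from HC3 or Health IT Security: it scores each client per time window on that pattern and separates a flood from an ordinary misconfigured host that keeps asking for one missing name. The log line format, the sample entries and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed resolver log, one query per line: <epoch seconds> <client> <qname> <rcode>.
# 10.0.0.5 is normal browsing with one typo; 10.0.0.9 sends random-label NXDOMAIN noise;
# 10.0.0.7 is a misconfigured host repeating the same missing name (not a flood).
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.org NOERROR
1700000001 10.0.0.5 mail.example.org NOERROR
1700000002 10.0.0.5 wwww.example.org NXDOMAIN
1700000000 10.0.0.9 q7x1kd.example.org NXDOMAIN
1700000000 10.0.0.9 p0m3vz.example.org NXDOMAIN
1700000001 10.0.0.9 hh82ls.example.org NXDOMAIN
1700000001 10.0.0.9 zz41ab.example.org NXDOMAIN
1700000002 10.0.0.9 k9ttr0.example.org NXDOMAIN
1700000004 10.0.0.7 intranet.corp.local NXDOMAIN
1700000005 10.0.0.7 intranet.corp.local NXDOMAIN
1700000006 10.0.0.7 intranet.corp.local NXDOMAIN
1700000007 10.0.0.7 intranet.corp.local NXDOMAIN
1700000009 10.0.0.7 www.example.org NOERROR
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (NOERROR|NXDOMAIN|SERVFAIL)$")

def parse(log_text):
    """Yield (ts, client, qname, rcode) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3).lower(), m.group(4)

def nxdomain_offenders(log_text, window=60, min_queries=5,
                       min_nx_ratio=0.8, min_unique_ratio=0.8):
    """Return {(client, window_start): stats} for clients whose NXDOMAIN traffic looks
    like a flood: mostly NXDOMAIN answers, and almost every failed name is distinct."""
    buckets = defaultdict(lambda: {"total": 0, "nx": 0, "nx_names": set()})
    for ts, client, qname, rcode in parse(log_text):
        b = buckets[(client, ts - ts % window)]  # fixed-size time bucket per client
        b["total"] += 1
        if rcode == "NXDOMAIN":
            b["nx"] += 1
            b["nx_names"].add(qname)
    flagged = {}
    for key, b in buckets.items():
        if b["total"] < min_queries:  # too little traffic to judge
            continue
        nx_ratio = b["nx"] / b["total"]
        unique_ratio = len(b["nx_names"]) / b["nx"] if b["nx"] else 0.0
        if nx_ratio >= min_nx_ratio and unique_ratio >= min_unique_ratio:
            flagged[key] = {"total": b["total"], "nx": b["nx"], "unique_nx": len(b["nx_names"])}
    return flagged
```

Lowering `min_unique_ratio` to 0 shows why the distinct-name check matters: the repeating host 10.0.0.7 is then flagged alongside the real flood source.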

From the ransomware front —

  • Cybersecurity Dive reports
    • “Researchers at Check Point detected a highly sophisticated – and previously unnamed – ransomware strain which the company says may be the fastest ever, with an encryption speed almost twice as fast as LockBit. The ransomware, which Check Point dubbed ‘Rorschach,’ was used in an attack against a U.S. company.
    • “The ransomware was deployed using a DLL-sideloading technique using Palo Alto Networks’ Cortex XDR, which is a signed commercial security product. This technique has not commonly been used for ransomware.
    • “Check Point has disclosed the information to Palo Alto, which will release new versions of Cortex XDR Agent next week to prevent misuse of the software.”
  • Cybersecurity Dive adds
    • “Corporate leaders would be mistaken to interpret reports of fewer ransomware-related cyber insurance claims and decelerating premiums in 2022 as evidence of a diminished threat level, according to cybersecurity experts.”
    • “While the private sector and government have made some progress in the fight against ransomware, the threat is still serious and evolving, the experts warned.”
    • “I think hackers are always going to evolve, so we can’t rest on the laurels of 2022,” John Farley, managing director of the cyber practice at Gallagher, an insurance brokerage firm based in Rolling Meadows, Ill., told CFO Dive. “We have to be able to adapt quickly to this ever-evolving threat.”

From the cyberdefenses front —

  • Cybersecurity Dive informs us
    • Organizations that implement automated hardening techniques will have the best opportunity to prevent cyberattacks, according to a report released Thursday by Marsh McLennan. Those that apply baseline security techniques to servers, operating systems and other components are six times less likely to suffer a security breach.
    • Insurers have historically recommended three major controls to reduce cyber risk: endpoint detection and response, multifactor authentication and privileged access management.
    • However, the report shows multifactor authentication only works when it is implemented across all access points for critical and sensitive data, including remote access and administrator account access points.
    • Organizations using these methods are 1.4 times less likely to suffer damage from an attack.
    • Another key control is patching high-severity vulnerabilities within seven days of the initial patch release. More than half of organizations are patching critical vulnerabilities within the first seven days, but only 24% of organizations are patching high-severity vulnerabilities — rated with a CVSS score of 7.0 to 8.9 — in that same time period.
  • Becker’s Hospital Review reports
    • “Software giant Microsoft received a court order from the U.S. District Court for the Eastern District of New York that will allow the company to disrupt infrastructure used by ransomware gangs during hospital attacks.
    • “The court order allows Microsoft to cut off communication between hackers and a fake version of the cybersecurity software Cobalt Strike, used by hackers to breach hospital systems.
    • “The abuse of the cybersecurity software is a tactic used by Russian-speaking ransomware gangs Conti and LockBit, according to an April 6 Microsoft news release.”