Cybersecurity Saturday

From the cybersecurity policy front —

  • On May 10, 2023, the National Institute of Standards and Technology posted “revised draft guidelines, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST Special Publication [SP] 800-171 Revision 3).”
    • “Notable updates in the draft include: 
      • “Changes to reflect the state-of-practice cybersecurity controls;
      • “Revised criteria used by NIST to develop security requirements;
      • “Increased specificity and alignment of the security requirements in SP 800-171 Rev. 3 with SP 800-53 Rev. 5, to aid in implementation and assessment; and
      • “Additional resources to help implementers understand and analyze the proposed updates.”
    • “NIST is requesting public comments on the draft guidelines by July 14, 2023.”
    • “NIST anticipates releasing at least one more draft version of SP 800-171 Rev. 3 before publishing the final in early 2024. Following the publication of the final version, the authors plan to revise the set of supporting NIST publications on protecting controlled unclassified information, including SPs 800-171A (security requirement assessment), SP 800-172 (enhanced security requirements) and SP 800-172A (enhanced security requirement assessment).” 
    • “NIST is planning a webinar for June 6, 2023, to introduce the changes made to SP 800-171. Registration information will be posted next week on the Protecting CUI project site.” 
  • Cybersecurity Dive reports, “White House considers ban on ransom payments, with caveats. Experts suggest the effort, a reversal from the administration’s previous stance, is fraught with complications that could cause unintended consequences.”
    • Cybersecurity Dive adds,
      • “As the White House floats the possibility of a ban on ransom payments, the number of organizations hit by ransomware that ultimately pay a ransom remains high. 
      • “Nearly half, 46%, of organizations hit by ransomware during the past year paid a ransom to recover data, according to research Sophos released Wednesday [May 10].”
      • “The survey also found that cybersecurity insurance plays a direct role in the likelihood of an organization making a ransom payment. Nearly 3 in 5 organizations with a standalone cyber insurance policy paid the ransom, compared to the 15% of uninsured organizations that paid the ransom.”
    • Cybersecurity Dive points out,
      • “The number of ransomware claims filed by U.S. clients of insurance broker Marsh spiked 77% in the first quarter of the year compared with the prior three-month period, the company told CFO Dive.
      • “Marsh saw 55 ransomware claims from U.S. clients in the first quarter of the year versus 31 claims in the fourth quarter. The figures, which are expected to be published in an upcoming report, follow a downward trend in 2022 that had been credited with helping to moderate skyrocketing premiums in the cyber insurance market.
      • “I do think that we can still continue to see a deceleration of rate increases for those companies that have an optimal cyber risk maturity profile and have not suffered significant events that have caused the carriers to make claim payments,” Meredith Schnur, Marsh’s U.S. and Canada cyber brokerage leader, said in an interview.”
  • Cybersecurity Dive reports,
    • “Acting National Cyber Director Kemba Walden said the national cybersecurity strategy has been well received, however, acknowledged there were areas of disagreement. 
    • “Walden speaking Tuesday [May 9, 2023] at a forum hosted by The Software Alliance, also known as BSA, said there are two major areas of common ground that form the basis of the policy. Individual technology users, small businesses, local governments and small infrastructure providers like schools and hospitals are currently bearing the brunt of the cybersecurity risk — and that needs to change. 
    • “Cybersecurity risk is in the wrong place,” Walden said. “I think that’s an area of common ground.”
    • “Secondly, the U.S. is currently engaged in a game of Whac-A-Mole with malicious actors and the country needs to work together to make sure systems can be properly defended.
    • “Walden said her main concern regarding the national cyber strategy is to make sure the U.S. can build a more resilient digital ecosystem.”

From the cyber vulnerabilities front —

  • Health IT Security informs us,
    • “The Health Sector Cybersecurity Coordination Center’s (HC3) latest alert [dated May 10, 2023] details the growing trend of threat actors targeting a known vulnerability in Veeam Backup & Replication (VBR) software. VBR is a popular software product that can be used to back up, replicate, and restore data on virtual machines (VMs).
    • “The vulnerability, known as CVE-2023-27532, is a high-severity vulnerability with a CVSS score of 7.5 that exposes encrypted credentials stored in the VBR configuration to unauthenticated users. If successfully exploited, threat actors may be able to gain access to the backup infrastructure hosts and could steal data or deploy ransomware.”
  • Health IT Security further tells us,
    • “The internet has a bot problem, cybersecurity company Imperva suggested in its 2023 Bad Bot Report. Nearly half of all internet traffic came from bots in 2022, while human traffic dipped to its lowest level in eight years.
    • “Bots are not inherently bad – they can help automate select tasks, measure customer engagement, or simulate conversations. However, malicious bots can help threat actors launch denial-of-service attacks, distribute malware, or crack passwords. Imperva observed an uptick in bad bot traffic volume for the fourth consecutive year, growing to 30.2 percent in 2022, compared to 27.7 percent in 2021.
    • “Bad bots interact with applications like legitimate users would, making them harder to detect and block. They abuse business logic by exploiting the way a business operates, rather than exploiting technical vulnerabilities,” the report stated. * * *
    • “Imperva suggested that businesses begin mitigating risk by protecting exposed APIs and mobile apps, monitor traffic, and remain aware of data breaches and leaks occurring across the industry.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) added one and then seven more known exploited vulnerabilities to its catalog.
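One concrete form of the “monitor traffic” advice in the Imperva item above is to look for bot behaviour that is invisible request by request but obvious in aggregate, such as one client trying logins for many different accounts in a short window (the password-cracking use of bad bots the report mentions). The script below is an added example written for this page, not code from Imperva or from the Bad Bot Report. It assumes combined-format web access logs in which the login endpoint is `POST /login` and the attempted account name appears as a `user` query parameter; the log lines, IP addresses, and thresholds are all constructed for the illustration.

```python
"""Credential-stuffing detector over constructed web access-log lines.

Added example for this newsletter; not code from Imperva or the Bad Bot Report.
Assumptions (not from the page): combined-log format, login endpoint is
POST /login, and the attempted account name is carried in a `user` query
parameter so the sample stays self-contained.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the start of a combined-format access-log line up to the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log. 203.0.113.7 is a bot rotating through six accounts in
# six seconds (one of them succeeds, a sign of a leaked credential being reused);
# 198.51.100.4 is a human who mistypes their own password twice. One line is
# deliberately malformed to show the parser skipping it.
SAMPLE_LOG = """\
203.0.113.7 - - [13/May/2023:10:00:01 +0000] "POST /login?user=alice HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [13/May/2023:10:00:02 +0000] "POST /login?user=bob HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [13/May/2023:10:00:03 +0000] "POST /login?user=carol HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [13/May/2023:10:00:04 +0000] "POST /login?user=dave HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [13/May/2023:10:00:05 +0000] "POST /login?user=erin HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [13/May/2023:10:00:06 +0000] "POST /login?user=frank HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.4 - - [13/May/2023:10:00:50 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [13/May/2023:10:01:00 +0000] "POST /login?user=carol HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.4 - - [13/May/2023:10:01:30 +0000] "POST /login?user=carol HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.4 - - [13/May/2023:10:02:10 +0000] "POST /login?user=carol HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [13/May/2023:10:02:15 +0000] "GET /account HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
this line is not a log line
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("path").partition("?")
    user = None
    for kv in query.split("&") if query else []:
        key, _, value = kv.partition("=")
        if key == "user":
            user = value
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": path,
        "user": user,
        "status": int(m.group("status")),
    }


def find_credential_stuffing(lines, window=timedelta(seconds=60),
                             min_attempts=5, min_accounts=4):
    """Flag client IPs whose login attempts in any sliding window hit both
    thresholds: enough attempts AND enough distinct accounts. A single human
    retrying their own password never reaches min_accounts, so it is not
    flagged even if it exceeds min_attempts. Thresholds are illustrative."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == "/login":
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start, best = 0, None
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            accounts = {r["user"] for r in span if r["user"]}
            if len(span) >= min_attempts and len(accounts) >= min_accounts:
                summary = {
                    "attempts": len(span),
                    "accounts": len(accounts),
                    "failures": sum(r["status"] == 401 for r in span),
                    "successes": sum(r["status"] in (200, 302) for r in span),
                }
                if best is None or summary["attempts"] > best["attempts"]:
                    best = summary
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, info in find_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The `successes` count is the part worth alerting on with highest priority: a client that fails against many accounts and then succeeds against one has most likely confirmed a reused or leaked password, and that account should be reset before the session is used.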

From the ransomware front —

  • Cyberscoop calls our attention to “The Ransomware Malicious Quadrant, published Wednesday by ransomware-focused cybersecurity firm Halcyon and first shared with CyberScoop, takes a range of the most consequential and effective ransomware groups over the past year and gathers the most critical datapoints on each, and categorizes them.”
  • Silicon Angle tells us,
    • “A new ransomware group targeting vulnerabilities in virtual private network appliances has been found that has a unique twist: The ransomware encrypts itself to avoid detection by security software.
    • “Discovered by security researchers at Kroll LLC, the ransomware, dubbed “Cactus,” is believed to have first been deployed in March. The ransomware targets known vulnerabilities in Fortinet Inc. VPN appliances to gain access to major organizations before getting to work.”
  • “CISA and FBI have released [on May 11, 2023] a joint Cybersecurity Advisory (CSA), Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG. This joint advisory provides details related to an exploitation of PaperCut MF/NG vulnerability (CVE-2023-27350). FBI observed malicious actors exploit CVE-2023-27350 beginning in mid-April 2023 and continuing through the present. In early May 2023, the FBI observed a group self-identifying as the Bl00dy Ransomware Gang attempting to exploit vulnerable PaperCut servers against the Education Facilities Subsector. The advisory further provides detection methods for exploitation and details known indicators of compromise (IOCs) related to the group’s activity. CISA encourages network defenders to review and apply the recommendations in the Detection Methods and Mitigations sections of this CSA.”
  • Here’s the latest Bleeping Computer Week in Ransomware report.

From the cyberdefenses front —

  • The Washington Post reports,
    • “The Justice Department announced on Tuesday [May 9] that it disrupted Russian government cyberespionage malware that has infected targets in at least 50 countries. The U.S. government had been investigating it for more than 20 years.
    • “On the same day, a coalition of U.S. and U.S.-allied cyber agencies released technical details on the malware, known as Snake, to help industry and governments to shut it down.”
  • The Washington Post also discusses the growing use of artificial intelligence as a hacking tool, adding,
    • “AI will help defenders as well, scanning reams of network traffic logs for anomalies, making routine programming tasks much faster, and seeking out known and unknown vulnerabilities that need to be patched, experts said in interviews.
    • “Some companies have added AI tools to their defensive products or released them for others to use freely. Microsoft, which was the first big company to release a chat-based AI for the public, announced Microsoft Security Copilot in March. It said users could ask questions of the service about attacks picked up by Microsoft’s collection of trillions of daily signals as well as outside threat intelligence.
    • [However, b]y multiplying the powers of both sides, AI will give far more juice to the attackers for the foreseeable future, defenders said at the RSA conference.”