Cybersecurity Saturday

From the cybersecurity policy front —

  • DefenseScoop reports
    • The Department of Defense sent its new classified cyber strategy to Congress this week, the Pentagon said Friday.
    • The highly anticipated strategy is the first since 2018 and follows the release of the National Cybersecurity Strategy in March.
    • The DOD also publicly released an unclassified “fact sheet” on Friday, and said an unclassified “summary” will be provided in the “coming months.” 
    • Of note, the fact sheet explains that the updated strategy is based upon real-world operations. Prior to 2018, the Pentagon had only conducted a limited number of cyber ops due to a variety of factors such as stringent authorities and a high-risk calculus.
    • The 2018 National Defense Authorization Act combined with changes to executive policy streamlined authorities and made it easier for the DOD to approve and conduct operations.
  • Politico adds
    • “President Joe Biden has nominated U.S. Air Force Lt. Gen. Timothy Haugh, the no. 2 at U.S. Cyber Command, to serve as the new head of both Cyber Command and the National Security Agency, according to an Air Force notice.
    • “The notice, obtained by POLITICO, was sent out on Monday and is titled “General Officer Nomination.” It announces that the president has nominated Haugh to the Senate for promotion to four-star general and assignment in the dual-hatted role. * * *
    • “If confirmed, Haugh will replace Gen. Paul Nakasone, who has led both NSA and Cyber Command since 2018. Nakasone is planning to step down sometime this year.”
  • Cyberscoop also tells us
    • “Microsoft rolled out a blueprint for regulating artificial intelligence on Thursday that calls for building on existing structures to govern AI.
    • “Microsoft’s proposal is the latest in a string of ideas from industry on how to regulate a technology that has captured public attention, attracted billions of dollars in investments and prompted several of its principal architects to argue that AI is in desperate need of regulation before it has broad, harmful effects on society. 
    • “In remarks before a Washington, D.C. audience on Thursday, Microsoft President Brad Smith proposed a five-point plan for governing AI: implementing and building upon existing frameworks, requiring effective brakes on AI deployments, developing a broader legal and regulatory framework, promoting transparency and pursuing new public-private partnerships.”

From the cybersecurity breaches and vulnerabilities front —

  • Cybersecurity Dive informs us
    • “PillPack, an online pharmacy owned by Amazon, has reported a data breach affecting more than 19,000 customers.
    • “The cyberattack exposed users’ email addresses, prescription information and their providers’ contact details. Social Security numbers and credit card information weren’t involved. PillPack said more than 3,600 affected accounts included prescription data.
    • “The online pharmacy said it discovered the breach on April 3, and it determined an unauthorized person used users’ email addresses and passwords to sign into their accounts between April 2 and April 6.”
  • Dark Reading relates
    • “China-sponsored threat actors have managed to establish persistent access within telecom networks and other critical infrastructure targets in the US, with the observed purpose of espionage — and, potentially, the ability down the line to disrupt communications in the event of military conflict in the South China Sea and broader Pacific.
    • “That’s according to a breaking investigation from Microsoft, which dubs the advanced persistent threat (APT) “Volt Typhoon.” It’s a known state-sponsored group that has been observed carrying out cyber espionage activity in the past, by researchers at Microsoft, Mandiant, and elsewhere.”
  • Cyberscoop adds
    • “A rare form of malicious software designed to infiltrate and disrupt critical systems that run industrial facilities such as power plants has been uncovered and linked to a Russian telecom firm, according to a report released Thursday from the cybersecurity firm Mandiant. 
    • “The discovery of the malware dubbed “CosmicEnergy” is somewhat unusual since it was uploaded to VirusTotal — a service that Google owns that scans URLs and files for malware — in December 2021 by a user with a Russian IP address and was found through threat hunting and not following an attack on a critical infrastructure system. 
    • “Whatever the motivation for developing it and uploading the code to VirusTotal, CosmicEnergy joins a highly specialized group of malware such as Stuxnet, Industroyer and Trisis that are purpose built for industrial systems. Furthermore, the discovery adds another layer of concern for critical infrastructure operators and organizations that are increasingly targeted by criminal and nation-backed hackers.
    • “Researchers at Mandiant, which is part of Google Cloud, noted that it’s highly unusual for this type of code to be discovered or even disclosed to the public. Yet, it’s not clear if the malware was intended for use in a cyberattack or it could have been developed for internal red-teaming exercises before the code was released into the wild.”
  • Health IT Security reports
    • “The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Australian Cyber Security Centre (ACSC) released a joint cybersecurity advisory (CSA) regarding BianLian ransomware group.
    • “The group has been observed targeting a variety of United States critical infrastructure sectors since June 2022, as well as Australian critical infrastructure sectors. BianLian typically gains access via valid Remote Desktop Protocol (RDP) credentials and uses open-source tools for credential harvesting. In 2023, BianLian has threatened negative financial, legal, and business impacts if victims refuse to pay the ransom.
    • “BianLian group actors then extort money by threatening to release data if payment is not made,” the advisory stated. “BianLian group originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion.”
  • CISA warned of hurricane/typhoon-related scams and added three, and then one more, known exploited vulnerabilities to its catalog.

From the ransomware front —

  • Cybersecurity Dive informs us, “A trio of [recent] ransomware attacks targeting the Dallas metro area have the hallmarks of a targeted campaign. They also underscore a very real problem: society is becoming desensitized to disruption.”
  • Here’s a link to the latest issue of Bleeping Computer’s The Week in Ransomware.

From the cybersecurity defenses front —

  • Cybersecurity Dive reports
    • “The Cybersecurity and Infrastructure Security Agency for the first time since 2020 released an updated version of #StopRansomware, in partnership with the FBI, National Security Agency and the Multi-State Information Sharing and Analysis Center. 
    • “The updated guide, developed through the Joint Ransomware Task Force, reflects lessons learned over the last few years, adding the FBI and NSA as co-authors for the first time. It offers recommendations to prevent initial intrusion as well as steps to protect data using cloud backups. * * *
    • “It includes a comprehensive list of best practices to defend against attacks, including: 
      • “Maintain offline, encrypted backups of critical data and regularly test those backups in a simulation of disaster recovery. This should include “golden images” of critical systems, including preconfigured operating systems and associated applications. 
      • “Develop, maintain and practice a basic cyber incident response plan for ransomware and data breaches. This should include a communications plan, including disclosure notifications to government authorities. 
    • “The guide also includes a comprehensive set of measures to prevent and mitigate ransomware and data extortion, including: 
      • “Conduct regular scanning to identify and address vulnerabilities, particularly on internet facing devices. 
      • “Regularly patch and update software and operating systems to the latest versions. 
      • “Make sure all on premises, cloud services, mobile and bring your own devices are properly configured and security features are enabled. 
      • “Implement phishing-resistant multifactor authentication.
      • “Enforce lockout policies after a certain number of failed login attempts.
    • “The guide suggests creating illustrated guides that provide detailed information about data flows inside an organization. This will help incident responders understand which systems to focus on during an attack.” 
  • The Wall Street Journal informs us
    • “Cyber insurance prices in the United States rose 11% year over year on average in the first quarter of 2023, according to insurance broker Marsh. This was a noticeably smaller increase than the 28% rise in Q4 2022 and was the fifth straight quarter that prices rose by less than the previous quarter. Additionally, rate increases moderated during 2022, with an average increase of 17% in December 2022, which was down significantly from a December 2021 high average increase of 133%. 
    • “Marsh said increased competition, improved cybersecurity controls, and a reduction in ransomware attacks in 2022 were factors that affected the continued moderation in pricing, while noting there has been an upturn in ransomware incidents and claims since Q4 2022.”
  • Tom’s Guide updates us on best VPN logging practices.
  • The Harvard Business Review offers ideas on creating effective cybersecurity training programs.
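As an added illustration of one item in the #StopRansomware list above, “Enforce lockout policies after a certain number of failed login attempts,” here is a small sliding-window lockout tracker replayed over a handful of login events. This is example code written for this post, not from the CISA guide or any product; the log line format, the account names, the IP addresses and the policy numbers (five failures in fifteen minutes, thirty-minute lockout) are all constructed for the example.

```python
"""Sliding-window account lockout (added example, not from the CISA guide).

A naive lockout that counts failures since the account was created never
resets; a lockout that counts failures since midnight is trivially evaded by
pacing attempts.  The version below keeps only failures inside a sliding
window, locks the account for a fixed period once the threshold is reached,
and, importantly, keeps refusing the account while locked even when the
password is correct.  All event data is constructed for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int = 5           # failures tolerated inside the window
    window_seconds: int = 900    # 15-minute sliding observation window
    lockout_seconds: int = 1800  # 30-minute lockout once the threshold is hit


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> epoch second the lock expires

    def is_locked(self, account: str, now: int) -> bool:
        """True while a lockout is in force; expired locks are cleared lazily."""
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def record(self, account: str, success: bool, now: int) -> str:
        """Apply one login attempt; return 'allowed', 'denied' or 'locked'."""
        if self.is_locked(account, now):
            # A correct password during a lockout is still refused; that is
            # the whole point of the control.
            return "locked"
        if success:
            self._failures[account].clear()
            return "allowed"
        recent = self._failures[account]
        recent.append(now)
        cutoff = now - self.policy.window_seconds
        while recent and recent[0] < cutoff:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.policy.threshold:
            self._locked_until[account] = now + self.policy.lockout_seconds
            recent.clear()
            return "locked"
        return "denied"


# Constructed login events: "<epoch> <account> <source ip> <FAIL|OK>".
# svc_backup: five rapid failures then a correct password during the lockout.
# jdoe:       one typo, then a successful login.
# amy:        five failures paced five minutes apart, so never five in one window.
SAMPLE_LOG = """\
1700000000 svc_backup 203.0.113.10 FAIL
1700000010 svc_backup 203.0.113.10 FAIL
1700000020 svc_backup 203.0.113.10 FAIL
1700000030 svc_backup 203.0.113.10 FAIL
1700000040 svc_backup 203.0.113.10 FAIL
1700000050 svc_backup 203.0.113.10 OK
1700000060 jdoe 198.51.100.7 FAIL
1700000070 jdoe 198.51.100.7 OK
1700000000 amy 192.0.2.5 FAIL
1700000300 amy 192.0.2.5 FAIL
1700000600 amy 192.0.2.5 FAIL
1700000900 amy 192.0.2.5 FAIL
1700001200 amy 192.0.2.5 FAIL
"""


def replay(log_text: str, policy: LockoutPolicy):
    """Feed the events to a tracker in time order; return (decisions, tracker).

    decisions maps each account to the list of outcomes for its attempts.
    """
    tracker = LockoutTracker(policy)
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, _source_ip, result = line.split()
        events.append((int(ts), account, result == "OK"))
    events.sort(key=lambda e: e[0])  # stable: preserves per-account order on ties
    decisions = defaultdict(list)
    for ts, account, ok in events:
        decisions[account].append(tracker.record(account, ok, ts))
    return dict(decisions), tracker


if __name__ == "__main__":
    outcomes, trk = replay(SAMPLE_LOG, LockoutPolicy())
    for acct, results in outcomes.items():
        print(f"{acct:12s} {' '.join(results)}")
```

Two things in the replay are worth noticing: `svc_backup` is refused on its sixth attempt even though the password is correct, and `amy` is never locked because her five failures never fall inside one fifteen-minute window. Lockout events themselves are a useful detection signal, so a real deployment would emit each `"locked"` outcome to the logging pipeline rather than only returning it.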