Cybersecurity Saturday

From the cybersecurity policy front —

  • Nextgov reports,
    • “Cybersecurity experts are warning that a potential cyber leadership vacuum in the federal government may prevent agencies from recovering and responding to a sprawling ransomware attack that has already exposed millions of Americans’ personal data.
    • “A senior official with the Cybersecurity and Infrastructure Security Agency confirmed on a call with reporters last week that several federal civilian agencies were among the victims in a widespread cyberattack that exploited a vulnerability discovered in the popular MOVEit file-transfer product developed by Progress Software. The attack is believed to have been carried out by CL0p, a Russian-linked ransomware gang otherwise known as TA505. Since the news of the global attack was first reported, a variety of federal and state agencies, banks and private sector organizations also confirmed they were victims and that data may have been stolen from millions of customers.
    • “The Office of the National Cyber Director was established under the National Defense Authorization Act for fiscal year 2021 in large part to provide coordination and guidance across the federal government on cybersecurity matters, including incident response and crisis management. Chris Inglis, the first-ever Senate-confirmed national cyber director, stepped down in February after helping to develop the new national cyber strategy released earlier this year. President Joe Biden has not yet nominated a replacement to fill the post.” 
  • Cybersecurity Dive adds,
    • “The U.S. State Department is offering a $10 million bounty related to information on the Clop ransomware gang, which is attributed to broad exploits of the MOVEit transfer vulnerabilities with victims that include federal agencies.
    • “The Department of Energy confirmed data was impacted by an attack, and reports from CNN indicate a possible attack is being investigated against the Office of Personnel Management. The U.S. Department of Agriculture is also dealing with a third-party vendor data breach.”
  • Cyberscoop tells us,
    • “The Department of Justice established a cyber-focused section within its National Security Division to combat the full range of digital crimes, a top department official said Tuesday.
    • “The National Security Cyber Section — NatSec Cyber, for short — has been approved by Congress and will elevate cyberthreats to “equal footing” with other major national security issues, including counterterrorism and counterintelligence, Assistant Attorney General for National Security Matt Olsen said in remarks at the Hoover Institution in Washington. 
    • “The new section enables the agency to “increase the scale and speed of disruption campaigns and prosecutions of nation-state cyberthreats as well as state-sponsored cybercriminals, associated money launderers, and other cyber-enabled threats to national security,” Olsen said. 
    • “The NatSec Cyber Center arrives at a time of growing concern about nation-state cyberattacks especially originating from Russia and China. Last week, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, warned Americans to be prepared for a major Chinese cyberattack. “This, I think, is the real threat that we need to be prepared for, and to focus on, and to build resilience against,” she said at an event in Washington.”
  • The Cybersecurity and Infrastructure Security Agency shares a “Readout from CISA’s 2023 Second Quarter Cybersecurity Advisory Committee Meeting.”
  • The National Institute of Standards and Technology announced on June 22, 2023,
    • “U.S. Secretary of Commerce Gina Raimondo announced that the National Institute of Standards and Technology (NIST) is launching a new public working group on artificial intelligence (AI) that will build on the success of the NIST AI Risk Management Framework to address this rapidly advancing technology. The Public Working Group on Generative AI will help address the opportunities and challenges associated with AI that can generate content, such as code, text, images, videos and music. The public working group will also help NIST develop key guidance to help organizations address the special risks associated with generative AI technologies. The announcement comes on the heels of a meeting President Biden convened earlier this week with leading AI experts and researchers in San Francisco, as part of the Biden-Harris administration’s commitment to seizing the opportunities and managing the risks posed by AI. * * *
    • “[Also on June 22], the National Artificial Intelligence Advisory Committee delivered its first report to the president and identified areas of focus for the committee for the next two years. The full report, including all of its recommendations, is available on the AI.gov website.
    • “Questions about the public working group or NIST’s other work relating to generative AI may be sent to: generativeAI@nist.gov.”

From the cybersecurity vulnerabilities and breaches front —

  • Cybersecurity Dive offers details on the MOVEit file transfer program vulnerability and resulting breaches.
    • “Big names disclose MOVEit-related breaches, including PwC, EY and Genworth Financial
    • “More than 100 organizations have been hit as part of the MOVEit attack campaign, including PBI Research Services, which exposed millions of customer data files to theft.”
  • Cyberscoop informs us,
    • “Apple issued a security update on Wednesday for all its operating systems to patch dangerous vulnerabilities that could allow attackers to take over someone’s entire device. 
    • “The vulnerabilities in question, first revealed on June 1, appeared to have led the main Russian intelligence agency to make unusually public claims that Apple intentionally left the flaws in its iOS so the National Security Agency and other U.S. entities could compromise “thousands” of iPhones in Russia. Apple has denied those claims.
    • “The charges from the Federal Security Service, or FSB, came the same day that researchers with cybersecurity firm Kaspersky published a report detailing what they said was an “ongoing” zero-click iMessage exploit campaign dubbed “Operation Triangulation” targeting iOS that allowed attackers to run code on phones with root privileges, among other capabilities. Kaspersky published an additional analysis Wednesday, saying that after roughly six months of collecting and analyzing the data, “we have finished analyzing the spyware implant and are ready to share the details.”
  • HHS’s healthcare sector cybersecurity coordination center (HC3) issued an analyst note on “SEO poisoning.”
    • Search engine optimization (SEO) poisoning, considered a type of malvertising (malicious advertising), is a technique used by threat actors to increase the prominence of their malicious websites, making them look more authentic to consumers. SEO poisoning tricks the human mind, which naturally assumes the top hits are the most credible, and is very effective when people fail to look closely at their search results. This can lead to credential theft, malware infections, and financial losses. As more organizations utilize search engines and healthcare continues to digitally transform, SEO poisoning is becoming a larger security threat. HC3 has observed this attack method being used recently and frequently against the U.S. Healthcare and Public Health (HPH) sector.
  • Security Week relates,
    • “The National Security Agency (NSA) has published technical mitigation guidance to help organizations harden systems against BlackLotus UEFI bootkit infections.
    • “The NSA’s recommendations provide a blueprint for defenders to protect systems from BlackLotus, a stealthy malware that emerged on underground forums in late 2022 with capabilities that include user access control (UAC) and secure boot bypass, unsigned driver loading, and prolonged persistence.”
  • This week, CISA added six and then five more known exploited vulnerabilities to its catalog.

From the ransomware front, here is the link to Bleeping Computer’s The Week in Ransomware.

From the cybersecurity defenses front —

  • Health IT Security points out,
    • “Cyber resilience is crucial to business continuity amid a cyber incident, as it ensures that systems can recover quickly. As such, it is no surprise that cyber resilience would be top-of-mind for organizations undergoing a digital transformation.
    • “In Accenture’s new “State of Cybersecurity Resilience 2023” report, researchers exemplified the benefits of cyber resilience by identifying a group of companies that it calls “cyber transformers.”
    • “Cyber transformers, according to Accenture, “strike a balance between excelling at cyber resilience and aligning with the business strategy to achieve better business outcomes.”
  • NIST announced
    • “NIST’s IoT cybersecurity guidance has long recognized the importance of secure software development (SSDF) practices, highlighted by the NIST IR 8259 series—such as the recommendation for documentation in Action 3.d of NIST IR 8259B, that manufacturers have considered and documented their “secure software development and supply chain practices used.” The NIST SSDF (NIST SP 800-218) describes software development practices that can aid manufacturers in developing IoT products by providing guidance for the secure development of software and firmware. These development practices can also provide assurance to customers regarding how those products were developed and how the manufacturer will support them. When used together, NIST’s SSDF and IoT cybersecurity guidance help manufacturers design and deliver more secure IoT products to customers.”