Cybersecurity Saturday

David ErmerCybersecurity, Uncategorized

From the cybersecurity vulnerabilities and breaches front,

  • Cyberscoop reports
    • “An international law enforcement operation disrupted the Qakbot botnet and associated malware that has been connected with countless cyberattacks and nearly $60 million in losses from victims around the world, the U.S. Department of Justice announced Tuesday. 
    • “The operation that included the FBI, DOJ and authorities in France, Germany, the Netherlands, Romania, Latvia and the United Kingdom — is “one of the largest U.S.-led disruptions of a botnet infrastructure” used by criminals to facilitate ransomware, financial fraud and other cyber-enabled criminal activity, the FBI said in a statement.
    • “There were no arrests in connection with the operation but the investigation remains ongoing, a senior FBI official told reporters Tuesday.
    • “Qakbot, also known as Qbot or Pinksipbot, is malware first detected in 2008 that has been associated with hundreds of millions of dollars in losses to individuals and businesses in the U.S. and around the world, according to the FBI. The malware has been an initial entry mechanism for a variety of ransomware groups over the years. Groups such as Conti, ProLock, Egregor, REvil, MegaCortex and Black Basta have been known to use it. Between October 2021 and April 2023, the FBI said, Qakbot administrators have received fees corresponding to approximately $58 million in ransoms paid by victims.
  • Cybersecurity Dive adds
    • “The FBI was able to redirect botnet traffic toward servers it controlled and disrupt the operation. More than 200,000 computers in the U.S. alone were found to be infected. Authorities also seized $8.6 million in illicit cryptocurrency as part of the takedown. ***
    • “The FBI and Dutch National Police have set up website links where stolen credentials can be accessed to find out if they were used.” 
  • Here are links to the related CISA announcement and Security Week’s report on industry reaction to this news.
  • Krebs on Security informs us,
    • “Domain names ending in “.US” — the top-level domain for the United States — are among the most prevalent in phishing scams, new research shows. This is noteworthy because .US is overseen by the U.S. government, which is frequently the target of phishing domains ending in .US. Also, .US domains are only supposed to be available to U.S. citizens and to those who can demonstrate that they have a physical presence in the United States.
    • “.US is the “country code top-level domain” or ccTLD of the United States. Most countries have their own ccTLDs: .MX for Mexico, for example, or .CA for Canada. But few other major countries in the world have anywhere near as many phishing domains each year as .US.
    • “That’s according to The Interisle Consulting Group, which gathers phishing data from multiple industry sources and publishes an annual report on the latest trends. Interisle’s newest study examined six million phishing reports between May 1, 2022, and April 30, 2023, and found 30,000 .US phishing domains.
    • “.US is overseen by the National Telecommunications and Information Administration(NTIA), an executive branch agency of the U.S. Department of Commerce. However, NTIA currently contracts out the management of the .US domain to GoDaddy, by far the world’s largest domain registrar.”
  • Go figure.
  • Cybersecurity Dive tells us last Monday
    • “The blast radius from the mass exploit of a zero-day vulnerability in the MOVEit file transfer service reached another milestone in its destructive spread: more than 1,000 organizations are impacted, according to Emsisoft and KonBriefing Research.
    • “The number of organizations hit by the wide-scale attack increased nearly 40% last week, underscoring the scope of impact and challenge organizations are encountering as they work to determine potential exposure.
    • “The pool of victims from Clop’s attack spree, which was discovered Memorial Day weekend, continues to grow as downstream victims, which lead to more downstream victims, are identified via public disclosures and the threat actor’s website.
  • Health IT Security adds
    • “This week, Singing River Health System in Mississippi is actively facing system downtime as it investigates a cyberattack on its network. What’s more, Prospect Medical Holdings, which operates 16 hospitals and more than 165 clinics across Southern California, Rhode Island, Pennsylvania, and Connecticut, is still experiencing a systemwide outage that began on August 9.
    • “As these incidents continue to develop, other entities have continued to report confirmed data breaches to HHS, as exemplified in this week’s data breach roundup. Third-party data breaches continue to dominate breach notifications, causing breaches across the country.”
    • The article goes on to highlight recent breach announcements. 

From the cybersecurity defenses front,

  • Per Cybersecurity Dive,
    • “Organizations are facing more obstacles obtaining or renewing cyber insurance coverage,  according to a survey of 300 organizations conducted by Censuswide, on behalf of Delinea. Organizations also face strict requirements to get a claim covered.
    • “The majority of organizations, 4 in 5,  said their insurance rates went up when they submitted a new application or applied for policy renewals, with two-thirds reporting premium hikes of between 50% and 100%. 
    • “It is also taking organizations longer to obtain new coverage. The process for 20 of those surveyed, roughly 7%, took six months or longer.”
  • The Healthcare and Public Sector Critical Infrastructure Security and Resilience Partnership released an updated version of its Health Industry Cybersecurity Tactical Crisis Response Guide.
  • An ISACA expert discusses “Contending with Artificially Intelligent Ransomware.”
  • HHS’s 405(d) group released a cyber-hygiene poster oriented toward healthcare providers. Nevertheless, it can be adapted for health plan use.
  • Forbes identifies ten “captivating” cybersecurity conferences being held in Fall 2023.