Cybersecurity Saturday

From the cybersecurity policy front,

  • Cyberscoop tells us,
    • “An advisory committee to the Cybersecurity and Infrastructure Security Agency [CISA] delivered a long list of recommendations on Wednesday that encourage the agency to take measures to increase the cybersecurity expertise on corporate boards of directors, develop a national cybersecurity alert mechanism and better protect high-risk communities from surveillance. 
    • “These policy measures were just a few of more than 100 recommendations made to CISA Director Jen Easterly, who called the findings “transformative.”
    • “The recommendations of CISA’s Cybersecurity Advisory Committee will need to be made into policy by Easterly, but in the past, she has mostly embraced the recommendations of the committee, which is made up of former top-ranking officials, executives and lawmakers, such as former National Cyber Director Chris Inglis, former Rep. Jim Langevin and Southern Company CEO Tom Fanning, who chairs the panel.” 
  • Per Health IT Security,
    • “Healthcare stakeholders have an opportunity to provide feedback to the Senate on improving health data privacy in the US, thanks to a request from US Senator Bill Cassidy (R-LA), a ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee.  
    • “Cassidy issued a request for information (RFI) from stakeholders to gain insights into improving health data privacy and modernizing HIPAA. The deadline to submit feedback to Cassidy’s team is September 28.”
  • Cybersecurity Dive points out,
    • “The White House is looking to add oversight capabilities to strengthen cybersecurity for critical infrastructure. The administration has been working with various cabinet agencies to bolster cybersecurity in water, rail, aviation, energy and other sectors. 
    • “However, Anne Neuberger, deputy national security advisor for cyber and emerging technology, speaking during the Billington Cybersecurity Summit in Washington D.C., raised the possibility of a letter grade rating that would hold key providers accountable for maintaining a certain level of cyber resilience. 
    • “As good as public-private partnerships are, the administration sees additional enforcement ability as necessary.” 
  • The Wall Street Journal offers its September 2023 cybersecurity regulatory update.
    • “In this quarter’s edition: updates on recently passed regulations from the U.S. Securities and Exchange Commission and the New York Department of Financial Services, new regulatory measures introduced by the California Privacy Protection Agency, the new cybersecurity strategy in New York state, and expert commentary on the draft regulations recently published by CPPA.”

From the cybersecurity breaches and vulnerabilities front,

  • Per Cybersecurity Dive,
    • “The dark web marketplaces dedicated to the trade of credentials and vulnerabilities boast some big names in enterprise compromises, Flashpoint research released Tuesday [September 12] shows.
    • “Three reported purchases of vulnerability exploits on the dark web during the first half of the year included high profile, actively exploited CVEs, according to the threat intelligence firm.
    • “The remote code execution vulnerability in Barracuda’s email security gateway appliances, CVE-2023-2868, was purchased for $15,000 during Q2. Barracuda disclosed and attempted to patch the actively exploited zero-day vulnerability in May, but the patches failed, and exploits are still underway.
    • “Flashpoint said its threat intelligence analysts observed a post expressing interest in the exploit on June 16, and another user offered help in response two days later.”
  • Dark Reading informs us,
    • “A global cyber-espionage campaign conducted by the Iranian nation-state actor known as Peach Sandstorm (aka Holmium) has successfully plucked targets in the satellite, defense, and pharmaceutical sectors, Microsoft is warning. 
    • “The cyber offensive has been active since February, according to a blog post from Microsoft Threat Intelligence, which concluded that the campaign used masses of password spray attacks between February and July to authenticate to thousands of environments and exfiltrate data, all in support of Iranian state interests.
    • “The password spray method of attack is a type of brute-force method used by hackers to gain unauthorized access to user accounts and systems. Password spraying involves attempting to access multiple accounts using common passwords, reducing the risk of account lockouts.”
  • Tripwire reports
    • “Apple has released emergency security updates for the flaws found in macOS, iOS, iPadOS, and watchOS used in the BLASTPASS exploit chain. As Bleeping Computer reports, Citizen Lab has warned Apple customers to apply the updates immediately and consider turning on Lockdown Mode if they suspect they’re particularly vulnerable to being targeted by sophisticated hackers. CISA has added the flaws to its catalog of known exploited vulnerabilities, saying that they pose “significant risks to the federal enterprise” and ordered all federal agencies to patch against them by October 2, 2023.”
  • Security Week notes
    • “Deepfake is a term used to describe synthetic media — typically fake images and videos. Deepfakes have been around for a long time, but advancements in artificial intelligence (AI) and machine learning (ML) have made it easier and less costly to create highly realistic deepfakes. 
    • “Deepfakes can be useful for propaganda and misinformation operations. For example, deepfakes of both Russia’s president, Vladimir Putin, and his Ukrainian counterpart, Volodymyr Zelensky, have emerged since the start of the war.
    • “However, in their new report, the FBI, NSA and CISA warn that deepfakes can also pose a significant threat to organizations, including government, national security, defense, and critical infrastructure organizations.” 
  • HelpNetSecurity warns
    • “Your security solutions might stave off a LockBit infection, but you might still end up with encrypted files: according to Symantec’s threat researchers, some affiliates are using the 3AM ransomware as a fallback option in case LockBit gets flagged and blocked.”

From the ransomware front,

  • The Healthcare Sector Cybersecurity Coordination Center provides us with a sector alert on Akira Ransomware.
    • “Akira is a Ransomware-as-a-Service (RaaS) group that started operations in March 2023. Since its discovery, the group has claimed over 60 victims, which have typically ranged in the small- to medium-size business scale. Akira has garnered attention for a couple of reasons, such as their retro 1980s-themed website and the considerable demands for ransom payments ranging from $200,000 to $4 million. Akira has been observed obtaining initial malware delivery through several methods, such as leveraging compromised credentials and exploiting weaknesses in virtual private networks (VPN), typically where multi-factor authentication (MFA) is not being used. Like many ransomware groups, they employed the double-extortion technique against their victims by exfiltrating data prior to encryption. It is also believed that the group may contain some affiliation with Conti due to observed overlap in their code and cryptocurrency wallets. The group has targeted multiple sectors, including finance, real estate, manufacturing, and healthcare.”
  • Here is a link to the latest Bleeping Computer Week in Ransomware, which features an attack on Las Vegas.

From the cybersecurity defenses front,

  • Health IT Security calls our attention to
    • The Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) announce[ing] the release of version 3.4 of the Security Risk Assessment (SRA) Tool, further enhancing the user experience and helping covered entities navigate risk assessment requirements under the HIPAA Security Rule.
    • “OCR and ONC developed the SRA Tool to help small- and medium-sized healthcare providers identify and assess risks and vulnerabilities to electronic protected health information (ePHI). The tool is a software application that organizations can download at no cost.”
  • Check out the 405(d) Post, which offers “Five Key Insights from The Healthcare Cybersecurity Benchmarking Study.”
  • An ISACA expert explores risk assessment in a rapidly changing threat landscape.
  • CSO offers “Ten principles to ensure strong cybersecurity in agile development.”