Cybersecurity Saturday

From Washington, DC —

  • Health IT Security reports,
    • “The Department of Homeland Security (DHS) issued recommendations to Congress about how the federal government could improve critical infrastructure cyber incident reporting in a new report. Notable recommendations include streamlining the reporting process by establishing a single reporting web portal, as well as creating a model incident report form that federal agencies can adopt.
    • “The report, aptly titled “Harmonization of Cyber Incident Reporting to the Federal Government,” was a deliverable required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), signed into law in March of last year. CIRCIA enabled the creation of the Cyber Incident Reporting Council (CIRC), which took the lead on the report and represents leaders from 33 federal agencies.
    • “The report acknowledged ongoing challenges that stem from duplicative federal cyber incident reporting requirements. Currently, there are 52 cyber incident reporting requirements either in effect or proposed across the federal government.”
  • FEHBlog note – At least 53 cyber incident reporting requirements exist, because the DHS report overlooks OPM’s requirements for FEHB plan carriers.
  • What’s more,
    • SUMMARY: The Office of the National Cyber Director (ONCD) invites public comments on opportunities for and obstacles to harmonizing cybersecurity regulations, per Strategic Objective 1.1 of the National Cybersecurity Strategy. ONCD seeks input from stakeholders to understand existing challenges with regulatory overlap, and explore a framework for reciprocity (the recognition or acceptance by one regulatory agency of another agency’s assessment, determination, finding, or conclusion with respect to the extent of a regulated entity’s compliance with certain cybersecurity requirements) in regulator acceptance of other regulators’ recognition of compliance with baseline requirements.
    • DATES: The original comment deadline for this RFI was 5 p.m. EDT September 15, 2023. ONCD has extended the deadline for comments to be received to 5 p.m. EDT October 31, 2023.
    • ADDRESSES: Interested parties may submit comments through
    • Cyberscoop discusses this initiative here.
  • Per Cybersecurity Dive,
    • “FBI Director Christopher Wray urged private sector organizations to help the agency by coming forward with information regarding malicious cyber activity. 
    • “Wray told attendees at Mandiant’s annual mWISE 2023 conference Monday that many of the agency’s successful cyber operations in recent years were accomplished with the assistance of private sector partners. He emphasized organizations would be treated properly as victims of malicious actors and not punished for their cooperation.
    • “We know the private sector hasn’t always been excited about working with federal law enforcement, but when you contact us about an intrusion, we won’t be showing up in raid jackets,” Wray told conference attendees. “Instead, we’ll treat you like the victims you are – just like we treat all victims of crimes.”
  • and
    • The U.S. has made significant progress towards developing a more resilient cybersecurity infrastructure after implementing about 70% of the Cyberspace Solarium Commission’s recommendations, according to a report from CSC 2.0.
    • CSC co-chairs Sen. Angus King, I-Maine, and Rep. Mike Gallagher, R-Wisc., praised the launch and implementation of the National Cybersecurity Strategy during a presentation Tuesday in Washington D.C., but said more work needed to be done on deterrence.
    • Key gaps remain in the nation’s cybersecurity posture, including the need to create more resilient federal networks and strengthen key critical infrastructure sectors, such as healthcare, agriculture and water.

From the cybersecurity business front,

  • Cybersecurity Dive reports
    • “Cisco reached a deal valued at $28 billion in cash, or $157 per share, to buy software observability firm Splunk, the companies announced Thursday. The deal, which marks Cisco’s largest-ever acquisition, is built around the “complementary capabilities” across AI, security and observability between Cisco and Splunk. 
    • “Cisco expects the deal to become cash flow positive and gross margin accretive within the first fiscal year after the deal closes, which is expected in Q3 2024. The agreement, which has been unanimously approved by the board of directors at Cisco and Splunk, remains subject to regulatory approval.
    • “Splunk President and CEO Gary Steele will join the executive leadership team at Cisco, reporting directly to Chair and CEO Chuck Robbins.”

From the cybersecurity breaches and vulnerabilities front,

  • HHS’s Healthcare Sector Cybersecurity Coordination Center (HC3) released its August 2023 cybersecurity vulnerability bulletin.
    • “In August 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for August are from Microsoft, Google/Android, Cisco, Apple, Mozilla, Fortinet, VMWare, and Adobe. A vulnerability is given the classification as a zero-day if it is actively exploited with no fix available or is publicly disclosed. HC3 recommends patching all vulnerabilities, with special consideration given to the risk management posture of the organization.”
  • HC3 also pointed out last week,
    • “Cisco Talos has published an open-source report regarding the North Korean state-sponsored actor, the Lazarus Group, reported to be targeting internet backbone infrastructure and healthcare entities in Europe and the United States. The attackers have been exploiting a vulnerability in ManageEngine products, which is tracked as CVE-2022-47966. This vulnerability was added to CISA’s Known Exploited Vulnerabilities Catalog in January 2023. Through this exploit, the attackers are deploying the remote access trojan (RAT) known as “QuiteRAT.” Security researchers previously identified this malware in February 2023, and it is reportedly the successor to the group’s previously used malware “MagicRAT,” which contains many of the same capabilities. Further analysis of this campaign has also shown that the group is using a new malware tool called “CollectionRAT,” which appears to operate like most RATs by allowing the attacker to run arbitrary commands among other capabilities. Both CISA and the FBI have previously warned that these types of vulnerabilities are common attack methods for malicious actors and can pose a significant risk to healthcare and public health organizations. HC3 strongly encourages organizations to update these systems.”
  • HC3 posted a PowerPoint on Chinese and North Korean cybercrime. In sum,
    • “Chinese and North Korean “cybercriminal groups” act as unique threats to the U.S. health sector.
    • “China and North Korea are significant cyber powers – China in absolute terms and North Korea in relative terms.
    • “Domestic politics in both organizations has created a unique cybercriminal ecosystem, where the only significant cybercriminals threatening the U.S. health sector are state-sponsored.
    • “Most significant criminal gangs (i.e., those that are financially motivated) have all the sophistication of many other cybercriminal gangs but also have the resources (technological, financial and diplomatic) of a state behind them.”
      • “They are state-backed criminals, and they target a number of industries, including the U.S. health sector.”
  • This week, CISA added eight known exploited vulnerabilities to its catalog on September 18, another on September 19, and one more on September 21.
  • SecurityWeek calls attention to
    • “Apple’s announcement on Thursday [September 20] that its latest operating system updates patch three new zero-day vulnerabilities. Based on the previous work of the organizations credited for reporting the flaws, they have likely been exploited by a spyware vendor.”

From the ransomware front,

  • On September 20,
    • “The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released joint Cybersecurity Advisory (CSA) #StopRansomware: Snatch Ransomware, which provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with the Snatch ransomware variant. FBI investigations identified these IOCs and TTPs as recently as June 1, 2023.
    • “Snatch threat actors operate a ransomware-as-a-service (RaaS) model and change their tactics according to current cybercriminal trends and successes of other ransomware operations.”
  • From Dark Reading,
    • “Akira ransomware has continued to evolve since emerging as a threat in March, expanding its reach from initially targeting Windows systems to include Linux servers and employing a growing array of tactics, techniques, and procedures (TTPs).
    • “An in-depth report on Akira from LogPoint breaks down the “highly sophisticated” ransomware, which encrypts victim files, deletes shadow copies, and demands ransom payment for data recovery.
    • “The infection chain actively targets Cisco ASA VPNs lacking multifactor authentication to exploit the CVE-2023-20269 vulnerability as an entry point.
    • “As of early September, the group had successfully hit 110 victims, focusing on targets in the US and the UK.”

From the cyberdefenses front,

  • Cybersecurity Dive explains why,
    • “Security has an underlying defect: passwords and authentication. Cyberattacks are fueled by the shortcomings of business authentication controls. Bad things happen when access falls apart and credentials land in the wrong hands.”
  • An ISACA expert discusses how to mitigate emerging technology risks.