Cybersecurity Saturday

From the cybersecurity policy front,

  • The Cybersecurity and Infrastructure Security Agency announced
    • “[T]he kickoff of the 20th Cybersecurity Awareness Month. Throughout October, CISA and the National Cybersecurity Alliance (NCA) will focus on ways to “Secure Our World” by educating the public on how to stay safe online. “Secure Our World” will also be the enduring theme throughout the year as we work to drive behavioral change around core cybersecurity habits by providing everyone with the knowledge and tools they need.
    • “As cyber threats become more sophisticated, individuals and families, small and medium businesses, and large companies all have an important role to play in keeping our digital world safe and secure,” said CISA Director Jen Easterly. “This Cybersecurity Awareness Month we are asking everyone to do their part to ‘Secure Our World’ by adopting key behaviors that promote online safety and security.” * * *
    • “CISA encourages everyone to explore the resources on our Cybersecurity Awareness Month website, which includes a toolkit, tip sheets, and animated videos.”
  • Cyberscoop also reports on CISA’s campaign.
  • The National Institute of Standards and Technology tells us
    • “The Human-Centered Cybersecurity program (formerly Usable Cybersecurity) is part of the Visualization and Usability Group at NIST. It was created in 2008, but we’ve known for quite some time that we needed to rename our program to better represent the broader scope of work we provide for the cybersecurity practitioner and IT professional communities. We made the decision to update the name to Human-Centered Cybersecurity to better reflect our new (but long-time practiced) mission statement, “championing the human in cybersecurity.” With our new name, we hope to highlight that usability still (and always) will be a very important focus for us, but it is just one component within the broader arena of work in which we specialize.   
    • “Our multi-disciplinary team conducts research at the intersection of cybersecurity, human factors, cognitive science, and psychology. We seek to better understand and improve people’s interactions with cybersecurity systems, products, and services. 
    • “To learn more about our latest projects, watch our latest videos, meet the team, or to view our publications, visit our revamped website https://csrc.nist.gov/projects/human-centered-cybersecurity.” 

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive reports,
    • “Progress Software quietly alerted customers to eight vulnerabilities in WS_FTP Server, another file-transfer service from the company behind MOVEit.
    • “The company shared the news the day after its fiscal third-quarter earnings call.
    • “Two of the eight vulnerabilities are critical, with CVSS scores of 10 and 9.9 out of 10, CVE-2023-40044 and CVE-2023-42657, respectively. All versions of the file-transfer service, which allows customers to remotely manage their service from any internet connection, are impacted, the company said Wednesday. Thousands of IT teams use WS_FTP Server, according to a product page.
    • “There’s no indication any of the vulnerabilities in WS_FTP Server have been exploited, a Progress Software spokesperson told Cybersecurity Dive.”
  • Yesterday, the Health Sector Cybersecurity Coordination Center (HC3) issued a related Sector Alert.
    • “Progress Software, the maker of the MOVEit file transfer software, which was widely exploited by the CL0P ransomware-as-a-service (RaaS) group, has released a new advisory regarding multiple vulnerabilities in the WS_FTP Server, a file transfer product. Two of the vulnerabilities were rated as critical and are being tracked as CVE-2023-40044, which can allow an attacker to execute remote commands, and as CVE-2023-4265, which is a directory traversal vulnerability. Due to the recent and malicious targeting of Progress Software’s products to compromise Healthcare and Public Health (HPH) sector entities, HC3 strongly encourages patching and upgrading these devices to prevent serious damage to the HPH sector.”
  • Dark Reading also discusses this development.
  • Also on Friday, HC3 issued an Analyst Note on LokiBot malware.
    • “Active since 2015 and among the most prevalent and persistent strains of malware families since 2018, LokiBot has matured to target multi-sector industries. Despite its apolitical targeting of critical infrastructure, the malware’s adverse effect on the Healthcare and Public Health (HPH) sector shows its reach.
    • “In March 2020, a multi-threat actor spearphishing campaign to spread LokiBot malware with a false World Health Organization trademark image solidified its threat to the HPH sector. In addition to other malware analyses, HC3 reported this specific cyberattack in a 2020 HC3 Sector Note on LokiBot. The malware has been widely used for years, and it takes a lot of effort to monitor because of behavior changes. However, some best practices exist for protecting against LokiBot and managing its impact.
    • “What follows [in the analyst note] is an update to the previous HC3 analysis of LokiBot, a timeline of multi-sector targeted applications, detection strategies, sample MITRE ATT&CK techniques, indicators of compromise, and recommended defenses and mitigations against the malware.”
  • According to a post on Wednesday,
    • “[T]he U.S. National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Cybersecurity and Infrastructure Security Agency (CISA), along with the Japan National Police Agency (NPA) and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) released joint Cybersecurity Advisory (CSA) People’s Republic of China-Linked Cyber Actors Hide in Router Firmware. The CSA details activity by cyber actors, known as BlackTech, linked to the People’s Republic of China (PRC). The advisory provides BlackTech tactics, techniques, and procedures (TTPs) and urges multinational corporations to review all subsidiary connections, verify access, and consider implementing zero trust models to limit the extent of a potential BlackTech compromise.
    • “BlackTech has demonstrated capabilities in modifying router firmware without detection and exploiting routers’ domain-trust relationships to pivot from international subsidiaries to headquarters in Japan and the United States, which are the primary targets.
    • “CISA strongly recommends organizations review the advisory and implement the detection and mitigation techniques described to protect devices and networks. For additional guidance, see People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices and visit CISA’s China Cyber Threat Overview and Advisories page.”
  • Cyberscoop lets us know,
    • A North Korean cyberespionage operation targeted employees of an aerospace company in Spain using a previously unreported backdoor and a creative phishing campaign featuring a phony Silicon Valley recruiter, demonstrating a “significant advancement in malicious capabilities,” researchers with the cybersecurity firm ESET said Friday.
    • Hackers linked with North Korea’s Lazarus Group — an umbrella term for a collection of North Korean cyber units — posed as a recruiter for Meta and contacted employees of the unnamed company via LinkedIn and sent two coding challenges supposedly part of the hiring process but which were in fact laced with malware, Peter Kálnai, an ESET researcher, wrote in a report published Friday.
    • The operation, carried out some time last year, is just the latest example of North Korean-linked cyber operations using phony job opportunities to target various professionals, including journalists, security researchers and software developers, among others. 
  • Over the past week, CISA added three known exploited vulnerabilities to its catalog on Monday and another on Thursday.
  • Per Health IT Security,
    • Advanced email attacks remain a top threat to organizations around the world, including those in the healthcare sector, Abnormal Security observed in its latest blog post. Abnormal saw a 167 percent increase in advanced email attacks in 2023, which included business email compromise (BEC), malware, credential phishing, and extortion.

From the ransomware front,

  • BitDefender reported on Thursday,
    • “Johnson Controls, a multinational conglomerate that secures industrial control systems, security equipment, fire safety and air conditioning systems, has been hit by a massive cyber attack.
    • “The company, which employs over 100,000 people around the world, suffered a ransomware attack over the weekend which left data encrypted and caused it to shut down sections of its IT infrastructure.
    • “The Dark Angels ransomware group has claimed responsibility for the attack and claims to have exfiltrated over 25 TB of data from the organization. The threat? If a whopping $51 million ransom is not paid, Dark Angels say that the stolen data will be published on the “Dunghill Leaks” site.

From the cybersecurity defenses front,

  • An ISACA expert discusses lessons learned from Microsoft’s “massive” data exposure incident.
  • CIO explores the changing face of cybersecurity threats this year.
  • The Wall Street Journal looks into why employees ignore workplace cybersecurity rules.
    • “People are able to justify their bad behavior with rationalizations. Companies need to tackle the lies we tell ourselves head on.”
  • The GAO issued
    • “A Cybersecurity Program Audit Guide (CPAG) to be used in conducting cybersecurity performance audits. The intent of the guide is to arm cyber analysts and auditors with a set of methodologies, techniques, and audit procedures to evaluate components of agency cybersecurity programs and systems. GAO welcomes federal and other governmental organizations to use this guide to assess their cybersecurity programs.”
  • The Wall Street Journal reports,
    • “It’s telling that, in a year that was pretty economically challenging, security didn’t plummet in terms of spending,” said Nick Kakolowski, director of research at IANS Research, a cybersecurity advisory group.
    • “Cyber budgets grew this year for the most part, but modestly, IANS found in a study with recruiting company Artico Search. After double-digit increases in 2020 and 2021, the average growth in cybersecurity budgets for 2023 was 6%, according to the survey of 550 security executives. As a portion of overall technology budgets, cyber accounted for 11.6%, the study found. Around 37% of respondents to the survey said their cyber budgets were flat or reduced, the survey found.”