Cybersecurity Saturday

From the cybersecurity policy front,

  • The Cybersecurity and Infrastructure Security Agency and the Department of Health and Human Services held
    • “a roundtable discussion on the cybersecurity challenges that the U.S. healthcare and public health (HPH) sector system faces, and how government and industry can work together to close the gaps in resources and cyber capabilities. Ahead of the roundtable, CISA and HHS released a cybersecurity tool kit that includes resources tailored for the healthcare and public health sector. * * *
    • This toolkit is easy to navigate online at and consolidates resources like:  
      • “CISA’s Cyber Hygiene Services, which use vulnerability scanning to help secure against known vulnerabilities, reduce the risk of cyberattacks and encourage the adoption of best practices.
      • “HHS’s Health Industry Cybersecurity Practices, which was developed with industry, outlines effective cybersecurity practices healthcare organizations of all sizes can adopt to become more cyber resilient.  
      • “HHS and the HSCC’s HPH Sector Cybersecurity Framework Implementation Guide, which helps organizations assess and improve their level of cyber resiliency and provides suggestions on how to link cybersecurity with their overall information security and privacy risk management activities.”
  • Cybersecurity Dive informs us,
    • “The Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued a request for comment on how to create a more harmonized system of software identification as part of a larger effort to make the software supply chain more secure. 
    • “Since President Joe Biden issued an executive order on improving cybersecurity in 2021, CISA and other federal agencies have been working to prioritize software security by improving vulnerability management and the use of software bill of materials (SBOMs). 
    • “The request for comment is designed to establish some uniform parameters to track critical information required to improve software security. Information on known vulnerabilities, what mitigations or security patches are available, and which software is approved for use are all part of the effort, according to a white paper released by CISA.” 
  • The Wall Street Journal tells us,
    • “President Biden is expected to sign an executive order next week addressing rapid advances in artificial intelligence, laying the groundwork for Washington’s embrace of AI as a tool in the national security arsenal while also pressuring companies to develop the technology safely.
    • “The order, which hasn’t been finalized and was described by people briefed on its expected contents, is aimed at establishing guideposts for federal agencies’ own use of AI, while also leveraging the government’s purchasing power to steer companies to what it considers best practices. 
    • “The White House began inviting people this week to an event on “safe, secure and trustworthy AI,” according to people familiar with the matter. A spokeswoman for the White House declined to comment.”

From the cybersecurity vulnerabilities and defenses front,

  • Health Exec reports,
    • “A new report reveals there have been 480 healthcare data breaches in 2023 so far, with over 25% of Americans impacted. The estimated number of patients affected is 87 million this year so far, over double the 37 million in 2022. 
    • “The report comes from Atlas VPN, which utilized publicly available data from the U.S. Department of Health and Human Services (HHS), which keeps a running list of healthcare security incidents. Federal law requires data breaches that potentially leak more than 500 patient records to be reported to the HHS.  * * *
    • “The full report can be found here.”
  • HHS’s Health Sector Cybersecurity Coordination Center issued three warnings this week. Here are the executive summaries:
    • AI-Augmented Phishing — “Phishing has historically been a very successful means for cyberattackers of any motivation to compromise an organization and launch a full-fledged cyberattack to achieve their goals. Phishing attacks are frequently utilized, and this is especially true with regard to the health sector. The two most common cyberattacks targeting the health sector are ransomware and data breaches. (And usually both together!)
    • “These attacks often begin with a successful phishing attack. The advent of artificial intelligence has only made phishing attempts more effective, especially since those tools are freely available to the public.
    • “In this paper, we provide a brief overview of basic artificial intelligence concepts, phishing attacks, and the application of artificial intelligence to phishing. We conclude with efforts that should be made to reduce the likeliness of all phishing attacks, including those that have been augmented by the use of artificial intelligence.”
  • and
    • QR Code Based Phishing – Phishing – the use of phony e-mails to deliver malicious code – has historically been a successful means for cyber attackers to compromise victim organizations and launch full-fledged, multi-staged cyberattacks. Phishing attacks are frequently utilized as the first stage of an attack – the infection vector – and this is especially true for the health sector. A cyberattack that begins with phishing often ends with ransomware and/or a major healthcare data breach.
    • Quick response (QR) codes were designed to quickly read and transmit legitimate data but have become increasingly abused as part of phishing attacks, called “quishing”.
    • In this paper, we provide a brief overview of QR codes, phishing attacks, and the application of both of these to cyberattacks on the health sector. We conclude this analysis with recommended defense and mitigation actions to reduce the likeliness and effectiveness of phishing attacks, including those augmented by the use of QR codes.
  • and
    • SolarWinds has published security fixes for their Access Rights Manager (ARM). This update addressed eight vulnerabilities, with three of them being rated as critical (CVE-2023-35182, CVE-2023-35185, CVE-2023-35187) and can lead to remote code execution on the “SYSTEM” of a Windows computer. This could enable an attacker to operate with the highest level of privileges available on the machine. In early 2020, the SolarWinds Orion system was targeted by an attacker(s), which led to the supply chain compromise of up to 18,000 of its customers.
    • Due to the previous malicious targeting and wide use of SolarWinds, HC3 strongly encourages users to monitor and upgrade their systems to prevent serious damage from occurring to the Healthcare and Public Health (HPH) sector.

From the ransomware front,

  • Cybersecurity Dive reports,
    • “The threat group behind some of the most high profile, identity-based cyberattacks this year is also “one of the most dangerous financial criminal groups” currently in operation, Microsoft researchers said in a Wednesday report.
    • “The group, which Microsoft identifies as Octo Tempest and other researchers identify as Oktapus, Scattered Spider and UNC3944, uses multiple forms of social engineering to gain access to organizations’ infrastructure, steal corporate data and extort victims for ransom payments, according to Microsoft Threat Intelligence.
    • “The collection of young, native English-speaking threat actors, which was initially observed in 2022 and affiliated with the ransomware-as-a-service operation ALPHV or BlackCat in mid-2023, has claimed responsibility for major attacks against MGM Resorts, Caesars Entertainment and Clorox in the past few months. * * *
    • “The threat actors engage in aggressive communications with victims, such as leaving threatening notes within a text file on a system, contacting executives via text messages and emails, and infiltrating communication channels being used by victims to respond to incidents,” Mandiant, a Google Cloud unit, said last month in a report on UNC3944.
    • “We’ve seen very young individuals break into some of the biggest organizations by leveraging these techniques that are so hard to defend against,” Mandiant Consulting CTO Charles Carmakal said during an April briefing.
    • “They are incredibly disruptive and aggressive,” Carmakal told Cybersecurity Dive via email last month following the MGM Resorts attack.”

From the cybersecurity defenses front,

  • CISA announced,
    • “A new release of Logging Made Easy, a Windows-based, free and open log management solution designed to help organizations more effectively use available security data to detect and address cyber threats.
    • “In April 2023, CISA assumed Logging Made Easy from the United Kingdom’s National Cyber Security Centre (UK-NCSC). Following a period of transition and enhancement, it is now available with step-by-step installation instructions for both legacy and new users.
    • “Logging is critical for proactive monitoring of threats and retroactive investigation and remediation in the event of an incident. Logging Made Easy is a tested and reliable solution that can help organizations with limited resources needing a centralized logging capability,” said Chad Poland, Product Manager for Cyber Shared Services. “CISA is excited to offer this shared service capability to U.S. and international organizations that can help them mitigate risk and identify vulnerabilities.” * * *
    • For more information, visit CISA’s new Logging Made Easy webpage.
  • ISACA announced its “AI Survey Results: What Do Infosec Professionals REALLY Need to Know?”
  • “The HSCC Cybersecurity Working Group has reprinted its Health Industry Cybersecurity – Securing Telehealth and Telemedicine (HIC-STAT) document.”