Cybersecurity Saturday

Happy Veterans Day! Thanks to all those who served our country.

From the cybersecurity policy front,

  • Health IT Security reports,
    • “US Senators Mark Warner (D-VA), Bill Cassidy (R-LA), John Cornyn (R-TX), and Maggie Hassan (D-NH) launched a bipartisan Senate healthcare cybersecurity working group. The group will focus on proposing legislative solutions within the Senate Health, Education, Labor, and Pensions (HELP) Committee to strengthen healthcare cybersecurity.
    • “We are seeing a disturbing rise in cyberattacks on our health care system. These attacks not only put patients’ sensitive health data at risk but can delay life-saving care,” Cassidy stated. “Just like a strong military and police force defends us against physical attacks, we must ensure health institutions can safeguard against increasing cyber threats and protect Americans’ crucial health data.”
  • Cyberscoop Informs us,
    • “[On November 2, 2023,] [f]ormer National Security Agency Executive Director Harry Coker told members of the Senate Homeland Security and Governmental Affairs Committee that if he’s confirmed as the next national cyber director, he’d largely continue along the same path as his predecessors.
    • “Coker, who also spent 17 years at the Central Intelligence Agency and had made few public appearances before Thursday’s hearing, expressed appreciation for previous Office of the National Cyber Director work, including the National Cybersecurity Strategy, the subsequent implementation plan and the National Cyber Workforce and Education Strategy.
    • “If confirmed, I would frankly continue the good work that ONCD has done with its partners,” Coker said. He noted in his opening statement he’s “seen the need for stronger partnerships and collaboration between the public and private sectors” and that collaboration would be “the north star” under his leadership.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) announced that
    • “Director Jen Easterly and the Republic of Korea’s Deputy Director of the National Intelligence Service (NIS) Baek Jong-wook signed a Memorandum of Understanding (MoU) outlining areas for collaboration under the bilateral Cyber Framework signed by President Biden and Republic of Korea President Yoon in April.   
    • “The Framework affirms cooperation with Korea in key CISA mission areas, to include sharing technical and operational cyber threat information and best practices in cyber crisis management.  In June, senior leaders from both countries determined that CISA and NIS would co-lead a Framework Action Group on critical infrastructure. This Action Group will also bring together Korea’s Ministry of Science and ICT and other USG departments and agencies. ” 
  • The National Institute of Standards and Technology (NIST) informed us on November 9, 2023,
    • “The final public draft of NIST Special Publication (SP) 800-171r3 (Revision 3), Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, is now available for public review and comment.  * * *
    • “Concurrently, the initial public draft (ipd) of NIST SP 800-171Ar3 (Revision 3), Assessing Security Requirements for Controlled Unclassified Informationis also available.
    • “The public comment period for both drafts is open through January 12, 2024. We strongly encourage you to use the comment template available on each publication details page, and submit your comments to”
  • NextGov offers an overview of the NIST’s final draft publications.
  • On November 9, 2023, CISA, the National Security Agency and their partners released.
    • Securing the Software Supply Chain: Recommended Practices for Software Bill of Materials Consumption. Developed through the Enduring Security Framework (ESF), this guidance provides software developers and suppliers with industry best practices and principles, including managing open source software and software bills of materials (SBOM), to maintain and provide awareness about the security of software.
    • Organizations can use this guide to assess and measure their security practices relative to the software lifecycle; the suggested practices may be applied across the acquisition, deployment, and operational phases of a software supply chain.
    • CISA encourages cybersecurity defenders to review this guidance and to speak to their software vendors about implementing its recommendations.

From the cybersecurity breaches and vulnerabilities front,

  • The Wall Street Journal reports,
    • “Business software maker SolarWinds is denying charges that it lacked adequate cybersecurity controls in the build up to a significant hack of its products in 2020, and accused the U.S. Securities and Exchange Commission of misrepresenting facts in its complaint.
    • “On Oct. 30, the SEC announced that it had filed charges against SolarWindsalleging the firm defrauded investors by repeatedly misleading them about its cyber vulnerabilities and the ability of attackers to penetrate its systems. 
    • “The SEC’s lawsuit is fundamentally flawed—both legally and factually—and we plan to defend vigorously against the charges,” SolarWinds said. The SEC declined to comment.”
  • Cybersecurity Dive points out,
    • Mortgage servicing provider Mr. Cooper Group shut down multiple systems after it determined a threat actor accessed certain technology systems on Oct. 31, according to a Thursday [November 2, 2023] filing with the Securities and Exchange Commission.
    • The company initiated precautionary containment measures in response to the cyberattack, a move that’s temporarily halting recurring payments and leading customers to make one-time loan payments online, via phone, email or third parties. The status of customers’ loans were last updated Oct. 31.
    • Mr. Cooper is the third-largest mortgage servicer in the U.S. with more than 4.3 million customers, according to the company.
  • TechCrunch adds,
    • Mr. Cooper, the mortgage and loan giant with more than four million customers, has confirmed customer data was compromised during a recent cyberattack.
    • In an updated notice on its website published Thursday [November 9, 2023], Mr. Cooper said that it was “still investigating what data may have been exposed,” though it remains unclear what kind of cyberattack hit Mr. Cooper’s system
  • CISA added another known exploited vulnerability to its catalog on November 7 and one more on November 8, 2023.
  • BusinessTech discusses the vulnerability management lifecycle.

From the ransomware front,

  • Because Bleeping Computer did not publish the Week in Ransomware yesterday, here is a notable attack featured in Cybersecurity Dive:
    • “A U.S. subsidiary of China’s largest bank was hit by a ransomware attack Wednesday that resulted in disruption to certain financial services systems, the bank announced Thursday [November 9, 2023].
    • “The hack disrupted the trading of U.S. Treasuries, forcing the Industrial and Commercial Bank of China Financial Services to send required settlement details to certain parties by a messenger carrying a USB stick, according to Bloomberg.
    • “The New York City-based firm said it reported the incident to law enforcement and successfully cleared U.S. Treasury trades executed Wednesday and repo financing trades done Thursday.
  • Dark Reading adds,
    • “The disruptive ransomware attack on the world’s largest bank this week, the PRC’s Industrial and Commercial Bank of China (ICBC), may be tied to a critical vulnerability that Citrix disclosed in its NetScaler technology last month. The situation highlights why organizations need to immediately patch against the threat if they haven’t done so already.
    • “The so-called “CitrixBleed” vulnerability (CVE-2023-4966) affects multiple on-premises versions of Citrix NetScaler ADC and NetScaler Gateway application delivery platforms.
    • “* * * The exploit activity has prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue fresh guidance and resources this week on addressing the CitrixBleed threat. CISA warned of “active, targeted exploitation” of the bug in urging organizations to “update unmitigated appliances to the updated versions” that Citrix released last month.”
  • HHS’s health sector cybersecurity coordination center issued an analyst note on Blacksuit ransomware:
    • “A relatively new ransomware group and strain known as BlackSuit, with significant similarities to the Royal ransomware family, will likely be a credible threat to the Healthcare and Public Health (HPH) sector. Discovered in early May 2023, BlackSuit’s striking parallels with Royal, the direct successor of the former notorious Russian-linked Conti operation, potentially places the group with one of the most active ransomware groups in operation today. Both Royal and the now-defunct Conti are known to have aggressively targeted the HPH sector, and if their purported ties to BlackSuit prove to be verified, then the sector will likely continue to be attacked profoundly. What follows [in the note] is an overview of the potential new group, possible connections to other threat actors, an analysis of its ransomware attacks, its target industries and victim countries, impact to the HPH sector, MITRE ATT&CK techniques, indicators of compromise, and recommended defense and mitigations against the group.”
  • The HIPAA Journal notes,
    • “A new report from Sophos on healthcare cybersecurity trends indicates data encryption occurred in 75% of ransomware attacks on healthcare organizations. Only 24% of surveyed healthcare organizations were able to detect an attack in progress and disrupt it before files were encrypted. Sophos says this is the highest rate of encryption and the lowest rate of disruption the company has seen in the past 3 years. Last year, healthcare organizations disrupted 34% of attacks before files were encrypted.
    • “To me, the percentage of organizations that successfully stop an attack before encryption is a strong indicator of security maturity. For the healthcare sector, however, this number is quite low—only 24%. What’s more, this number is declining, which suggests the sector is actively losing ground against cyber attackers and is increasingly unable to detect and stop an attack in progress,” said Chester Wisniewski, director, field CTO, Sophos.”

From the cybersecurity defenses front,

  • An ISACA expert discusses how “Cyber Advisors, Security Services Providers Can Use Zero-Sum Game Theory Framework to Benefit Clients.”
  • Dark Reading explains “How to Outsmart Malware Attacks That Can Fool Antivirus Protection. One of the main challenges for Android users is protecting themselves from malicious applications that can damage devices or perform other harmful actions.”