Cybersecurity Saturday

From the cybersecurity policy front,

  • Cyberscoop reports,
    • “Former National Security Agency Executive Director Harry Coker is one step closer to being the next national cyber director after the Senate Homeland and Governmental Affairs Committee advanced his nomination Wednesday.
    • “Coker, also a former CIA officer, told the panel during the initial nomination hearing that he would plan on continuing the work of his potential predecessors.
    • “Coker’s nomination comes after the White House was criticized by experts and policy wonks for not nominating Kemba Walden, the current acting national cyber director, to the permanent role. The Washington Post reported that Walden’s personal debts were the White House’s rationale for declining to nominate her.
    • “Walden’s last day as the acting cyber chief is Friday, according to an ONCD spokesperson.”
  • On November 14, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released
    • “its first Roadmap for Artificial Intelligence (AI), adding to the significant DHS and broader whole-of-government effort to ensure the secure development and implementation of artificial intelligence capabilities. DHS plays a critical role in ensuring AI safety and security nationwide.”
    • “Last month, President Biden issued an Executive Order that directed DHS to promote the adoption of AI safety standards globally, protect U.S. networks and critical infrastructure, reduce the risks that AI can be used to create weapons of mass destruction, combat AI-related intellectual property theft, and help the United States attract and retain skilled talent, among other missions. As part of that effort, CISA’s roadmap outlines five strategic lines of effort for CISA that will drive concrete initiatives and outline CISA’s responsible approach to AI in cybersecurity.”
  • Federal News Network observes,
    • “When federal government agencies were breached by Chinese hackers due to a Microsoft Azure vulnerability, the Cybersecurity and Infrastructure Security Agency released an advisory calling for the use of more enhanced monitoring tools to build resilience against increasingly sophisticated attacks. This latest advisory was further amplified by the National Cybersecurity Strategy, which reinforced the need to make the government’s critical infrastructure more resilient by modernizing federal networks.
    • “Despite these measures, a recent study shows that only 26% of the public sector (compared to 40% of the private sector) have a formal approach to building resilience. Moreover, federal agencies whose mission-set centers on critical infrastructure, such as the Departments of Energy or Transportation, still face challenges to maintain legacy tools in contrast to the public sector as a whole.
    • “This is because federal agencies need more support to implement modern monitoring tools that help improve their threat detection and response. Without the proper technology in place to match the challenges of today’s threat landscape, it is difficult to remain resilient when faced with an attack. But how might an organization begin to achieve the resilience required for today’s cyber threats?
    • “It starts with federal agencies prioritizing observability strategies. Despite its growing popularity, observability is a fresh concept – one that can be difficult to define and see as a path to resilience without first understanding its foundation. The roots of observability can simply be traced down to a collection of logs, metrics and traces by which monitoring systems can more proactively mitigate potential threats.”

From the cybersecurity vulnerability and breaches front,

  • The HIPAA Journal offers its October 2023 Healthcare Data Breach Report.
    • “For the second consecutive month, the number of reported data breaches of 500 or more healthcare records has fallen, with October seeing the joint-lowest number of reported data breaches this year. After the 29.4% fall in reported data breaches from August to September, there was a further 16.7% reduction, with 40 data breaches reported by HIPAA-regulated entities in October – the opposite trend to what was observed in 2022, when data breaches increased from 49 in August 2022 to 71 breaches in October 2022. October’s total of 40 breaches is well below the 12-month average of 54 breaches per month (median: 52 breaches).”
  • Federal News Network reports,
    • “The Office of Personnel Management faces a tight deadline to set up a new health insurance marketplace for Postal Service employees and retirees to enroll in new plans, starting next year.
    • “Now OPM is addressing watchdog concerns about whether the IT infrastructure supporting this new USPS marketplace is following federal cybersecurity requirements.
    • “OPM’s Office of Inspector General, in a flash audit released Friday, raised concerns about the cybersecurity steps OPM took before launching the IT systems that will run the Postal Service Health Benefits (PSHB) Program. * * *
    • “The IG report focuses on the steps OPM took to launch Carrier Connect, a system OPM uses to communicate and share data with health care providers. [FEHBLog note — FFF presumably refers to sharing data with FEHB plans.]
    • “According to the report, OPM officials acknowledged the agency started the assessment and authorization process too late in the security development lifecycle — in the summer of 2023 — and knew they would have to launch Carrier Connect under a provisional authority to operate (ATO).
    • “IT security was not integrated at the beginning, and as a result, many of the required elements of an authorization to operate (ATO) package were not completed before the system was authorized to operate and placed into production,” the IG report states.”
  • HHS’s health sector Cybersecurity Coordination Center (HC3) posted a PowerPoint presentation about Emotet malware, which HC3 describes as “the enduring and persistent threat to the health sector.”
  • This week, CISA added six known exploited vulnerabilities to its catalog on November 13, then another three on November 14, and then finally another three on November 16.
  • Get a load of this Dark Reading article.
    • “The ransomware group ALPHV (aka “BlackCat”) has filed a formal complaint with the US Securities and Exchange Commission (SEC), alleging that a recent victim failed to comply with new disclosure regulations. * * *
    • “Putting aside the sheer audacity of the move, ALPHV may be out of luck with the SEC for two reasons.
    • “For one thing, in a statement provided to BleepingComputer on Wednesday, MeridianLink stated that it wasn’t yet sure if any consumer personal information was compromised, adding that “based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption.” Exactly what data ALPHV stole and published may affect whether the breach is “material,” per SEC language.
    • “Second, as noted in its original press release, the new SEC disclosure rule only takes effect on Dec. 18. (Smaller companies will have even more leeway, with an extra 180 days before they have to get on board).
    • “Future victims of similar attacks will have fewer breaks to count on.
    • “Using the threat of filing a ‘failure to report’ complaint against its own victim to the SEC is a compelling tactic that could weaponize a government regulation for a cybercriminal group’s benefit,” Tiquet warns. “Disciplinary action from the SEC is not to be taken lightly and fines can be very steep.”

From the ransomware front,

  • Cybersecurity Dive reports,
    • “The group of threat actors claiming responsibility for major attacks against MGM Resorts, Caesars Entertainment and Clorox is composed of experts in social engineering, and federal cyber authorities are prodding more victims to come forward.
    • “Scattered Spider, which deploys AlphV ransomware in some of its attacks, uses multiple techniques and tools to gain remote access or bypass multifactor authentication, federal cyber authorities warned in a Thursday advisory.
    • “The FBI and Cybersecurity and Infrastructure Security Agency shared technical details and data gleaned from investigations as recently as this month to help organizations thwart and mitigate attacks. Yet, officials say more information is needed, as a lack of reporting hinders law enforcement’s ability to take action.
    • “Scattered Spider’s high level of activity underscores the importance of prevention and the need for more victim organizations to report cyberattacks to CISA or the FBI, agency officials said.”
  • The American Hospital Association News adds,
    • “Scattered Spider’s sophisticated technical cyberattacks begin with sophisticated psychological attacks,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “Scattered Spider employs social engineering techniques to deceive end users into providing their credentials, authentication codes or downloading ‘help desk’ tools on their computers that allow the adversary to gain and maintain persistent access to computer networks. Staff should be advised of help desk verification protocols and that help desk personnel should not be asking staff to divulge their credentials or multi-factor authentication codes. Conversely, the help desk should enhance its verification protocols and challenge questions to ensure they do not improperly reset staff credentials and to help staff distinguish valid help desk interaction from social engineering attempts.”
  • On November 15, 2023, CISA issued a #StopRansomware Advisory regarding Rhysida Ransomware.
  • On November 13, 2023, CISA posted an update to its Royal Ransomware Advisory.
    • “The updated advisory provides network defenders with additional information on tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Royal ransomware variants. FBI investigations identified these TTPs and IOCs as recently as June 2023.”
  • Bleeping Computer’s The Week in Ransomware is back this week.

From the cybersecurity defenses front,

  • On November 17, CISA posted the Mitigation Guide: Healthcare and Public Health (HPH) Sector “as a supplemental companion to the HPH Cyber Risk Summary, published July 19, 2023. This guide provides defensive mitigation strategy recommendations and best practices to combat pervasive cyber threats affecting this critical infrastructure sector. It also identifies known vulnerabilities for organizations to assess their networks and minimize risks before intrusions occur.”
  • Forta tells us about Amazon Web Services’ Six Pillars of Cybersecurity.
  • Dark Reading explains how to build a resilient incident response team.