Cybersecurity Saturday

From the cybersecurity vulnerabilities and breaches front,

  • HHS’s Health Sector Cybersecurity Coordination Center posted a Sector Alert about a “Critical Vulnerability in Fortinet FortiSIEM Platform” on November 22, 2023.
    • “Fortinet has identified a vulnerability in its FortiSIEM platform, which is utilized by the Healthcare and Public Health (HPH) sector. This vulnerability enables a threat actor to execute commands on the target system, allowing for a potentially wide-scale and impactful cyberattack. HC3 recommends that all healthcare organizations operating FortiSIEM prioritize the upgrade of these platforms in a timely manner.”
  • The Cybersecurity and Infrastructure Security Agency added one more known exploited vulnerability to its catalog on November 21, 2023.
  • Dark Reading points out,
    • “A widely popular social engineering campaign previously only targeting Windows systems has expanded and is now using fake browser updates to distribute Atomic Stealer, a dangerous information stealer, to macOS systems.
    • “Experts say this could be the first time they’ve observed a dominant social engineering scam previously aimed specifically at Windows make the shift to macOS.
    • “The malware, also referred to as AMOS, surfaced earlier this year on a dedicated Telegram channel. Criminals, who can rent the malware on a subscription basis for about $1,000 a month, have used a variety of means to distribute the malware since then. The most common tactic has been to distribute the malware via installers for popular apps or via purportedly cracked versions of Microsoft Office and other widely used applications.”
  • Health IT Security notes,
    • “The HHS Office for Civil Rights (OCR) completed a HIPAA investigation into New York-based Saint Joseph’s Medical Center following claims that the organization had impermissibly disclosed COVID-19 patients’ protected health information (PHI) to a news reporter. Saint Joseph’s Medical Center agreed to pay $80,000 to OCR and implement corrective actions.
    • “OCR launched the investigation following the publication of an article by the Associated Press about the academic medical center’s response to the COVID-19 pandemic. The article included photographs and information about three COVID-19 patients, including diagnoses, current medical statuses and prognoses, vital signs, and treatment plans.
    • “Further investigation determined that Saint Joseph’s had provided the information to the Associated Press without first obtaining written consent from the three patients.”
  • The HHS Inspector General warns us “about a fraud scheme involving monthly billing for remote patient monitoring.”

From the ransomware front,

  • Cybersecurity Dive reports on November 22, 2023,
    • “Criminal threat groups and nation-state actors are exploiting a critical vulnerability in Citrix Netscaler ADC and Netscaler Gateway to launch attacks, the Cybersecurity and Infrastructure Security Agency and FBI warned on Tuesday.
    • “Affiliates of LockBit 3.0 exploited the vulnerability — dubbed CitrixBleed by researchers — to gain access into Boeing’s parts and distribution unit and exfiltrate data, as part of a suspected ransomware attack, according to federal authorities.
    • “CISA, through its ransomware vulnerability warning program, has notified almost 300 organizations they were running vulnerable instances of the devices and needed to take mitigation measures before they were attacked, Eric Goldstein, executive assistant director of cybersecurity at CISA, said during a conference call with reporters.”
  • Here is a link to the CISA analysis of CitrixBleed.
  • Cyberscoop provides its perspective on this and related schemes.
    • “Jon DiMaggio, the chief security strategist with Analyst1 who has written extensively on the internal workings of LockBit, said that while there are only a few groups with the “skill and talent and creative ability to do some of these more advanced attacks,” these crews, particularly those associated with the AlphV attacks, are becoming much better at social engineering.
    • “Many major companies still have problems with the cybersecurity basics, DiMaggio said, let alone building help desks that are tough to manipulate. “It’s tough, but they have to change,” DiMaggio said. “Trying to focus on helping people and helping your clients can’t always be number one anymore.”
    • “That might slow response times, he noted, but that’s “a lot better than having to lose ungodly amounts of money, having your reputation destroyed and everything else.”

From the cybersecurity defenses front,

  • CISA discusses how the agency has re-envisioned its Cybersecurity Insurance and Data Analysis Working Group to help reduce cybersecurity risk.
    • “When we re-launch the CIDAWG in December, the working group will partner with Stanford’s Empirical Security Research Group, a research lab in Stanford’s Computer Science Department, with the intent to correlate data with cybersecurity controls to understand their effectiveness. CISA will ask working group members to collaborate with Stanford to improve analysis of the aggregated, anonymized loss data and link it with controls effectiveness. This analysis will be a resource both for insurers to inform their risk analysis and for CISA to better understand whether efforts like the Cyber Performance Goals (CPGs) and the Secure by Design initiative are translating to reduced cyber risk exposure for organizations that adopt them.”
  • The Wall Street Journal explains why storytelling can improve cybersecurity training.
    • “I recently wrote about the “phishing tests” that many companies use to train (well, scare) employees into being more cyber-vigilant. They send around a phony phishing email, and measure how many people click on it. But my research shows that these tests can actually be harmful. They create fear, stress and distrust among employees, and in the end they don’t improve phishing resistance much.
    • “When I wrote that article, a number of readers wrote in asking a simple question: If phishing tests don’t work, what does?
    • “I believe a better way to train people is to have their peers tell them stories about their experience with scams. Humans have an innate ability to learn from stories about other people—even if they are just casual stories that fall into the middle of a conversation. My research on the topic has found just how effective stories can be when applied to cybercrime: Hearing about somebody else getting snagged by phishing, or narrowly avoiding it, makes people more likely to take security seriously and avoid the mistakes they have heard about.”
  • The Hacker News recommends six steps to accelerate cybersecurity incident response.
  • ISACA offers a report on optimizing risk transfer for systematic resilience.