Cybersecurity Saturday

From the cybersecurity policy front,

  • The Wall Street Journal reported on Wednesday,
    • “The U.S. government said it had disrupted a uniquely dangerous and potentially life-threatening Chinese hacking operation that hijacked hundreds of infected routers and used them to covertly target American and allied critical infrastructure networks.
    • “Senior officials described the operation in unusually blunt terms as part of an evolving and increasingly worrisome campaign by Beijing to get a foothold in U.S. computer networks responsible for everything from safe drinking water to aviation traffic so it could detonate, at a moment’s notice, damaging cyberattacks during a future conflict, including over Taiwan.
    • “Wednesday’s announcement was part of an effort by senior Biden administration officials to underscore what Federal Bureau of Investigation Director Christopher Wray called the “apocalyptic scenarios” animating their fears about China’s advanced and well-resourced hacking prowess. Western intelligence officials say its skill and sophistication has accelerated over the past decade. Officials have grown particularly alarmed at Beijing’s interest in infiltrating U.S. critical infrastructure networks, which they say poses an unrivaled cybersecurity challenge.”
  • Here’s Cybersecurity Dive’s story on this chilling development.
    • “The FBI and Department of Justice disclosed Wednesday a court-authorized disruption of a botnet linked to the Volt Typhoon threat campaign from 2023, which Wray noted during his testimony. The hackers installed KV Botnet malware on hundreds of small office/home office routers in the U.S., in a plan to target critical infrastructure providers through the compromised hosts. * * *
    • “Volt Typhoon is very focused on targeting U.S. critical infrastructure by staying below the radar, and works hard to reduce the signatures we use to hunt them across networks,” Sandra Joyce, VP, Mandiant Intelligence, Google Cloud, said in a statement. “They are making use of compromised systems to blend in with normal network activity and constantly change the source of their activity.”
  • Cyberscoop adds,
    • “Any federal agency running Ivanti Connect Secure or Ivanti Policy Secure devices must disconnect them from their networks before midnight Friday [February 2], the United States’s top civilian cyber defense agency said Wednesday amid reports the vulnerable devices are being targeted by espionage operations linked to China. 
    • “Last month, CISA warned that the vulnerable Ivanti devices were subject to “widespread exploitation of vulnerabilities by multiple threat actors.” On Wednesday, the agency issued new instructions for how to update and bring those devices back online. 
    • “A CISA spokesperson did not immediately respond to a question about how many instances of Ivanti’s affected product are present in federal networks. * * *
    • “Chinese hackers appear to be exploiting the Ivanti vulnerabilities to carry out espionage. Researchers with Google’s Mandiant wrote in a blog post Wednesday that they’d identified “broad exploitation activity” by suspected Chinese-linked espionage hackers they track as “UNC5221,” as well as other uncategorized attackers.” 
  • and
    • “The Office of the National Cyber Director has work to do to improve the implementation of President Joe Biden’s national cybersecurity strategy, according to a watchdog report.
    • The Government Accountability Office said in a report released Thursday that the national cybersecurity strategy lacks performance measures and estimated costs, which the watchdog believes is essential for a national strategy.
    • “The GAO said that “neither the strategy nor the implementation plan included outcome-oriented performance measures for the initiatives or for the overall objectives of the strategy to gauge success.” The initiatives outlined in the implementation planinclude milestones and expected completion dates, but lacked assessments in “the extent to which the initiatives are achieving outcome-oriented objectives” like information sharing or updated federal cyber defenses, GAO said.
    • “ONCD staff told the GAO said it wasn’t actually feasible to develop outcome-oriented measures, simply because those measures do not yet exist in the broader cybersecurity field. “They acknowledged the value of having meaningful outcome-oriented performance measures to assess cybersecurity effectiveness but stated that such measures do not currently exist in the cybersecurity field in general,” the GAO wrote.”
  • On Wednesday Cybersecurity Dive tells us,
    • The Biden administration came out forcefully this week against a congressional effort to undo the U.S. Securities and Exchange Commission’s recently adopted rule requiring public companies to disclose cybersecurity incidents.
    • President Joe Biden would veto the joint resolution, S.J. Res. 50, if it comes to his desk, the administration said Wednesday in a policy statement.
    • The legislation to disapprove the SEC’s authority to require companies to quickly disclose material cyber incidents and describe how they manage cyberthreats in annual reports was introduced by Republican senators in November alongside a companion resolution by House Republicans.
  • Federal News Network offers an interview with “Kirsten Moncada, OPM’s chief privacy officer and a longtime federal privacy expert, [who remarked that] the rise of AI tools in government is sure to create more work for privacy officials across the government.”

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive informs us
    • “An identity-based attack Cloudflare previously declared contained and unimpactful turned out to be quite the opposite. The threat actor that intruded Cloudflare’s Okta environment in mid-October regained access to some of the content delivery network’s systems in mid-November, the company said Thursday in a blog post.
    • “The threat actor used one access token and three service account credentials Cloudflare failed to rotate after the environment was compromised by an early October attack against Okta, the company said. The Okta incident ultimately exposed data on all of the single sign-on provider’s customer support system clients.
    • “We want to emphasize to our customers that no Cloudflare customer data or systems were impacted by this event,” CEO Matthew Prince, CTO John Graham-Cumming and CSO Grant Bourzikas said in the blog post.”
  • Dark Reading points out,
    • “Security researchers have sounded the alarm on a new cyberattack campaign using cracked copies of popular software products to distribute a backdoor to macOS users.
    • “What makes the campaign different from numerous others that have employed a similar tactic — such as one reported just earlier this month involving Chinese websites — is its sheer scale and its novel, multistage payload delivery technique. Also noteworthy is the threat actor’s use of cracked macOS apps with titles that are of likely interest to business users, so organizations that don’t restrict what users download can be at risk as well.
    • “Kaspersky was the first to discover and report on the Activator macOS backdoor in January 2024. A subsequent analysis of the malicious activity by SentinelOne has showed the malware to be “running rife through torrents of macOS apps,” according to the security vendor.”
  • On Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) announced “New Software Updates and Mitigations to Defend Against Exploitation of Ivanti Connect Secure and Policy Secure Gateways.”
  • CISA added a known exploited vulnerability to its catalog on January 31 and another later the same day.

From the ransomware front,

  • Security Week discuses why the ransomware threat continues to grow.
    • “The volume of ransomware attacks is not a constant and can be affected by many short term factors (take downs, criminal retirements, retooling, etcetera). 2022 showed a reduction, and some commentators suggested that the tide was turning against ransomware. 2023 has demonstrated this was a false dawn, with more than twice the number of victims in 2023 compared to 2022. 
    • “Anyone who believes ransomware will go away doesn’t understand the nature of criminality. Extortion has and always will be a primary criminal business plan. The current Delinea report demonstrates that the delivery of extortion can be fine-tuned (the evolution from encryption to data exfiltration), but the purpose remains the same, and the incidence will continue to increase.
    • “The success of this business plan is demonstrated by an increase in the number of victims who have paid the ransom — up from 68% to 76% (and remember that is 76% of a higher number of victims). What cannot be measured is the effect of cyberinsurance on ransomware delivery and response. Some commentators believe that attackers look for victims with cyberinsurance, and the report notes, “One reason for the willingness to pay may be the rise of cyberinsurance.”
  • Bleeping Computer’s The Week in Ransomware returns this week.
    • “Attacks on hospitals continued this week, with ransomware operations disrupting patient care as they force organization to respond to cyberattacks.
    • “While many, like LockBit, claim to have policies in place to avoid encryping hospitals, we continue to see affiliates targeting healthcare with complete disregard to the disruption they are causing patients in trying to receive care.”

From the cybersecurity defenses front,

  • TechTarget identifies “sixteen common types of cyberattacks and how to prevent them.”
  • CISA announced,
    • “CISA and the Federal Bureau of Investigation (FBI) published guidance on Security Design Improvements for SOHO Device Manufacturers as a part of the new Secure by Design (SbD) Alert series that focuses on how manufacturers should shift the burden of security away from customers by integrating security into product design and development.
    • “This third publication in CISA’s SbD Alert series examines how manufacturers can eliminate the path threat actors—particularly the People’s Republic of China (PRC)-sponsored Volt Typhoon group—are taking to compromise small office/home office (SOHO) routers.” 
  • An ISACA expert writes about “Navigating the Treacherous Waters of IT Risk: The MOVEit Transfer Exploit as a Case Study.”