Cybersecurity Saturday

From the cybersecurity policy front,

  • The Wall Street Journal reports,
    • “The U.S. Cybersecurity and Infrastructure Security Agency [CISA] on Wednesday [March 27, 2024] published long-awaited draft rules on how critical-infrastructure companies must report cyberattacks to the government.
    • “CISA developed the rules after President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act into law on March 15, 2022. Officials hope reports from companies in a range of industries will allow them to better spot attack patterns and determine tactics used by cybercriminals and nation-states to help improve defenses.
    • “Under the rules, companies that own and operate critical infrastructure would need to report significant cyberattacks within 72 hours and report ransom payments within 24 hours.  * * *
    • “The rules apply to any company owning or operating systems the U.S. government classifies as critical infrastructure, such as healthcare, energy, manufacturing and financial services. The rules will also apply to companies that don’t operate critical infrastructure, but whose systems may be vital to a particular sector, such as service providers.
    • “Reporting from a broad range of entities is necessary to provide adequate visibility of the cyber landscape across critical infrastructure sectors, which CIRCIA is meant to facilitate,” CISA said in its 447-page draft.
    • “There are exemptions for small organizations, with revenue and employee counts that qualify under the Small Business Administration’s criteria.” 
  • Here are a link to the CISA announcement and a link to the proposed rule.
  • Cyberscoop adds,
    • “While the rule is not expected to be finalized until 18 months from now or potentially later next year, comments are due 60 days after the proposal is officially published on April 4. One can be sure that the 16 different critical infrastructure sectors and their armies of lawyers will have much to say. The 447-page NOPR details a dizzying array of nuances for specific sectors and cyber incidents.
    • “For example, companies would only be required to report a distributed denial of service attack if it results in a service outage for an extended period. One that results in a “brief period of unavailability,” however, would not need to be reported.” * * *
    • “CISA expects the rules will cost industry and government combined around $2.6 billion between now and 2033 and anticipates receiving around 25,000 reports each year.
    • “Ranking member of the House Committee on Homeland Security Bennie Thompson, D-Mass., and Rep. Yvette Clark, D-N.Y., said in a joint statement that they’d like to see a reduction in compliance costs so that additional resources can be invested in security.” 
  • On March 28, 2024, the Defense Department released its “Defense Industrial Base Cybersecurity Strategy {which] plots a course for increased focus and collaboration between the Defense Department and the U.S. defense industrial base on cybersecurity initiatives amid what officials say are persistent cyberthreats.”

From the cyber-vulnerabilities and breaches front,

  • Per Security Week,
    • “While 2023 was a difficult year for cybersecurity teams, 2024 is likely to be worse. In just the first two months of 2024, threat intelligence firm Flashpoint has logged dramatic increases in all major threat indicators.
    • “By Flashpoint’s numbers, there were 6,077 recorded data breaches in 2023, with attackers accessing more than 17 billion personal records (up 34.5% on 2022’s figures). In the first two months of 2024, this increased by 429% over the first two months of 2023. * * *
    • “Despite the large numbers involved, one attack and one attacker stood out during 2023: the MOVEit attacks (leveraging CVE 2023-34362), and the LockBit ransomware group. The MOVEit attacks account for 19.3% of all reported 2023 attacks. LockBit claimed 1.049 victims, around 20% of all known ransomware attacks in 2023.”
  • Cybersecurity Dive tells us,
    • “Threat actors used phishing links or attacks in 71% of all security incidents in 2023, according to ReliaQuest’s Annual Cyber-Threat Report released Tuesday.
    • “Most of the tactics, techniques and procedures threat actors used last year to achieve initial access to a compromised environment were linked to user interaction or error, the report said. “This indicates attackers overwhelmingly gained initial access by exploiting the trust and vulnerability of unsuspecting individuals.”
    • “Phishing remains the most common route threat actors use to achieve initial access, accounting for 70% of all initial access related incidents last year, ReliaQuest said.”
  • Earlier this month, HHS’s Health sector Cybersecurity Coordination Center (HC3) posted the following two PowerPoints:
    • Credential Harvesting and Mitigations
      • “Cyberattacks against healthcare facilities can involve credential harvesting, which may lead to a disruption of operations. Credential harvesting, also known as credential stealing or credential phishing, is a technique that cybercriminals can use to obtain sensitive login credentials like usernames, passwords, and personal information. These credentials operate as the gateway to an individual’s digital identity, and can grant access to various types of information, such as online accounts and health data. The methods employed for credential harvesting are diverse, ranging from sophisticated phishing emails to fake websites and social engineering tactics.”
    • Defense and Mitigations from E-mail Bombing
      • E-mail bombing, also known as mail bomb or letter bomb attacks, occur when a botnet (a single actor or group of actors) flood an e-mail address or server with hundreds to thousands of e-mail messages. They are a type of Denial of Service (DoS) attack that allows attackers to bury legitimate transaction and security messages in an unsuspecting inbox by rendering the victim’s mailbox useless. By overloading a victim’s inbox, attackers hope that a victim will miss important e-mails like account sign-in attempts, updates to contact information, financial transaction details, or online order confirmations.
      • This type of attack is of particular importance to the Healthcare and Public Health (HPH) sector. In 2016, unknown assailants launched a massive cyber attack aimed at flooding thousands of targeted “dot-gov” (.gov) e-mail inboxes with subscription requests, rendering many unusable for days.
      • E-mail bombs are not only an inconvenience to the victim, but to everyone using that particular server. When an e-mail server is impacted by a DDoS, it can downgrade network performance and potentially lead to direct business downtime. This Sector Alert provides an overview of types of e-mail bomb techniques, as well as defenses and mitigations for targets of this type of attack.
  • Bleeping Computer adds that “Google’s Threat Analysis Group (TAG) and Google subsidiary Mandiant said they’ve observed a significant increase in the number of zero-day vulnerabilities exploited in attacks in 2023, many of them linked to spyware vendors and their clients.”

From the Change Healthcare situation front,.

  • HealthIT Security let us know on March 29.
    • “In a March 27th update, UnitedHealth Group said it had begun the process of determining whether any patient data was stolen during the cyberattack. UHG engaged a vendor to conduct a review of data that is “likely” to contain personally identifiable information and claims data. At this time, it is too soon to say with certainty the content of the data that the threat actor accessed.
    • “This is taking time because Change Healthcare’s own systems were impacted by the event and difficult to access, so it was not safe to immediately pull data directly from the Change systems,” UHG stated. “We recently obtained a dataset that is safe for us to access and analyze. Because of the mounting and decompression procedures needed as a first step, we have only recently reached a position to begin analyzing the data.”
    • “To date, UHG had not seen evidence of any data being published on the web.
    • “In other news, the US Department of State is offering a reward of up to $10 million for information or identification of ALPHV/BlackCat threat actors, who previously claimed responsibility for the Change Healthcare cyberattack.” 

From the ransomware front,

  • Beckers Hospital Review notes,
    • “A ransomware group that specializes in “double extortion” has claimed responsibility for a cyberattack on an Oklahoma hospital, HIPAA Journal reported.
    • “The Bian Lian hacking gang posted Lindsay (Okla.) Municipal Hospital to its data leak site and said the stolen data would be uploaded soon, according to the March 25 story.
    • “The hackers’ “double extortion” forte means they steal data then require ransom payments to both release the information and decrypt any encrypted files, the news outlet reported. HHS has warned that Bian Lian is targeting healthcare providers because of the group’s financial motivations.”

From the cybersecurity defenses front,

  • Cybersecurity Dive informed us on March 26, 2024,
    • “The Cybersecurity and Infrastructure Security Agency and FBI urged software manufacturers to take steps to eliminate SQL injection vulnerabilities in an alert issued Monday
    • “CISA and the FBI are asking leadership at software manufacturers to launch formal reviews of their code to find out whether they are susceptible to SQL injection compromises. If found, the agencies are asking the companies to take immediate steps to eliminate these defects from existing and future software.  
    • “The agencies cited the role SQL injection defects played in the widespread attacks linked to MOVEit file transfer software, which impacted thousands of organizations in 2023.”
  • The Wall Street Journal reports,
    • “Companies from the U.S. telecommunications, financial services and power sectors held a joint cybersecurity exercise with government agencies this week to test how their defenses held up against real attacks. [The report is dated March 29, 2024.)
    • “Security staff from AT&TLumen Technologies, Southern Co., Mastercard and Southern California Edison pitted defensive and offensive teams, known as blue and red teams, against each other on Wednesday and Thursday in Washington, D.C. * * *
    • “This week’s Tri-Sector Cyber Defense Exercise was an expanded version of a similar event held two years ago. While in the previous event individual teams from each participating company competed against each other, this year’s program drew staff from each participant into combined teams to learn from each other’s techniques. Those teams then assaulted and blocked attacks from fictitious entities in the various represented sectors, using the same tools and technology as they would in reality.”
  • and
    • “Cybersecurity leaders struggle to communicate with executives and boards of directors and often paint an overly positive image of their companies’ security, according to a new survey of C-suite executives. 
    • “With new regulations that require companies to disclose more details about cybersecurity, around half of those polled see an immediate need to improve security leaders’ communication skills. 
    • “Thirty-one percent of top executives said they believe their companies’ chief information security officers paint a more optimistic picture than reality, according to a new survey from communications advisory firm FTI Consulting * * *
    • “Executives want CISOs to improve how they communicate about cyber risks. The FTI survey found that 98% of executives support more funding for such training, and 45% said it is an immediate need.”