Cybersecurity Saturday - Ermer and Suter PLLC

From the cybersecurity policy front,

Cybersecurity Dive reports,
- “FBI Director Christopher Wray said state-linked threat groups are ramping up threat activity against the U.S., and pose a continued risk to key critical infrastructure sectors, in a speech Tuesday before the American Bar Association’s Standing Committee on Law and National Security.
- “Threat actors linked with the People’s Republic of China are continuing to build out offensive capabilities, setting up access to various sectors such as the water, energy and telecommunications industries, according to Wray.
- “We’re seeing hostile nation states become more aggressive in their efforts to steal our secrets and our innovation, target our critical infrastructure, export their aggression to our shores and front and center is China,” Wray said.”
and
- “The [NIST] National Vulnerability Database is so overwhelmed with a steadily increasing number of software and hardware flaws that the National Institute of Standards and Technology, which maintains the common vulnerabilities and exposures repository, called for a slight pause to regroup and reprioritize its efforts.”The National Vulnerability Database is so overwhelmed with a steadily increasing number of software and hardware flaws that the National Institute of Standards and Technology, which maintains the common vulnerabilities and exposures repository, called for a slight pause to regroup and reprioritize its efforts.
- “NIST scaled back the NVD program in mid-February, and is currently prioritizing analysis of the most significant or actively exploited vulnerabilities. The slowdown was precipitated by “an increase in software and, therefore, vulnerabilities, as well as a change in interagency support,” NIST said in the announcement.
- The federal agency is seeking more support from within the government and reassigning staff as it assembles a public-private consortium to address long-term challenges and determine how to improve the NVD program. In the interim, the temporary delays in CVE analysis will result in less detailed analysis of vulnerabilities deemed non-urgent. * * *
and
- “More than two dozen industry stakeholders, including the U.S. Chamber of Commerce, are seeking to extend the deadline to file comments on the Cyber Incident Reporting for Critical Infrastructure Act, according to a letter released Friday. The new deadline would be July 3 if the requested 30-day delay is granted.
- “The Cybersecurity and Infrastructure Security Agency issued the notice for CIRCIA, which will require critical infrastructure providers to report significant cyber incidents within 72 hours of discovery and report ransom payments within 24 hours. The notice was published Thursday in the Federal Register and currently has a June 3 deadline for public comments.
- “The letter, signed by a range of industry groups including the American Bankers Association, National Retail Federation and American Petroleum Institute, is asking for additional time to absorb the complex set of regulations involved in reporting covered cyberattacks and breaches as well as reporting payments to federal authorities.”

NextGov relates,
- “As intelligence agencies work to jettison Chinese cyberspies embedded in critical infrastructure and internet equipment throughout the U.S., a top cybersecurity CEO says that the hackers’ campaign is so robust and widespread that there will be victims targeted in the operation who won’t know they are impacted.
- “To me, Volt Typhoon is the natural progression of great … Chinese cyberespionage,” said Kevin Mandia, CEO of Google cybersecurity subsidiary Mandiant, who spoke in an exclusive interview with Nextgov/FCW at the Google Cloud Next conference in Las Vegas.”

“DoD, GSA, and NASA recently established Federal Acquisition Regulation (FAR) part 40, Information Security and Supply Chain Security. The intent of this RFI is to solicit feedback from the general public on the scope and organization of FAR part 40.” Comments for this case are due by June 10, 2024. For information on how to comment, please visit the Federal eRulemaking portal.

Federal News Network lets us know,
- “Sean Connelly, who has led many of the major federal cybersecurity initiatives over the last decade, is leaving federal service.
- “Connelly, whose official title is senior cybersecurity architect and Trusted Internet Connections (TIC) program manager for the Cybersecurity and Infrastructure Security Agency, has been instrumental in everything from a major chunk of the lifecycle of the TIC program to the development and advancement of the concepts behind zero trust to the integration of these initiatives with others, including the Einstein and continuous diagnostics and mitigation (CDM) programs.
- “Federal News Network has learned Connelly’s last day will be April 19. * * *
- “Sources say Connelly will be joining Zscaler to work on zero trust from an international compliance perspective. He will help non-U.S. governments move toward a zero trust architecture based on the experience of the federal agencies.
- “Connelly is now the second federal cyber executive to leave to join Zscaler in the last two weeks. Brian Conrad, the former acting director of the Federal Risk Authorization and Management Program (FedRAMP) joined the cyber company in early April to lead Zscaler’s international cloud security compliance program.”

From the cybersecurity vulnerabilities and breaches front,

Cyberscoop informs us,
- “The Cybersecurity and Infrastructure Security Agency published an emergency directive Thursday in response to a Russian intelligence-linked hacking campaign that breached Microsoft, telling affected federal civilian agencies whose emails were stolen or passwords accessed to reset authentication credentials.
- “CISA’s directive comes in the week after CyberScoop first reported its existence.
- “Microsoft and CISA have notified all federal agencies whose email correspondence with Microsoft was identified as exfiltrated by Midnight Blizzard,” the directive reads, referring to Microsoft’s name for the hacking group. “In addition, Microsoft has represented to CISA that for the subset of affected agencies whose exfiltrated emails contain authentication secrets, such as credentials or passwords, Microsoft will provide metadata for such emails to those agencies.
- “Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies,” it continues.”

Cybersecurity Dive tells us,
- “Ivanti Connect Secure devices were exploited and compromised by more threat groups than previously thought, Mandiant said in research released Thursday.
- “Post-exploitation activity observed by Mandiant includes lateral movement with the aid of open-source tools and multiple custom malware families.
- “Mandiant said it observed “eight distinct clusters involved in the exploitation of one or more of” Ivanti’s vulnerabilities CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893, which the vendor first disclosed Jan. 10. This includes five China-linked espionage groups and three financially motivated attackers.”

Cyberscoop offers the reflections of Mandiant experts on this cybsercurity landscape.

Security Week lets us know,
- “Palo Alto Networks disclosed [a state-sponsored] vulnerability on Friday, warning that it was aware of limited in-the-wild exploitation and promising patches within the next two days.
- “Tracked as CVE-2024-3400 (CVSS score of 10/10), the security defect is described as a command injection issue allowing unauthenticated attackers to execute arbitrary code on impacted firewalls, with root privileges.
- “According to the vendor, all appliances running PAN-OS versions 10.2, 11.0, and 11.1 that have GlobalProtect gateway and device telemetry enabled are vulnerable. Other PAN-OS versions, cloud firewalls, Panorama appliances, and Prisma Access are not affected.”

CISA added new known exploited vulnerabilities to its catalog this week.
- April 11, 2024
  - CVE-2024-3272 D-Link Multiple NAS Devices Use of Hard-Coded Credentials Vulnerability
  - CVE-2024-3273 D-Link Multiple NAS Devices Command Injection Vulnerability
- April 12, 2024
  - CVE-2024-3400 Palo Alto Networks PAN-OS Command Injection Vulnerability
- FEHBlog note the CVE references are to the NIST National Vulnerability Database discussed above..

The HHS Health Sector Cybersecurity Coordination Center (HC3) posted its “March Vulnerabilities of Interest to the Health Sector.”
- “In March 2024, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for March are from Ivanti, Microsoft, Google/Android, Apple, Mozilla, Cisco, SAP, VMWare, Adobe, Fortinet, and Atlassian. A vulnerability is given the classification of a zero-day when it is actively exploited with no fix available, or if it is publicly disclosed. HC3 recommends patching all vulnerabilities, with special consideration to the risk management posture of the organization.”

From the ransomware front,

TechTarget notes,
- “Sophos said the majority of cyberattacks it investigated in 2023 involved ransomware, while 90% of all incidents included abuse of remote desktop protocol.
- “The security vendor published its Active Adversary Report of 2024 Wednesday that drew on data from more than 150 incident response (IR) investigations it conducted in 2023. Breaking down the data set, 88% of the investigations were derived from organizations with fewer than 1,000 employees, while 55% involved companies with 250 employees or fewer. Twenty-six sectors were represented, and manufacturing remained the No. 1 sector to engage the Sophos IR team for the fourth consecutive year.
- “For the report, Sophos tracked attack types, initial access vectors and root causes, and found that trends have remained consistent for the past two years. While attackers frequently abuse remote desktop protocol (RDPs) and credential access to infiltrate a victim’s network, enterprises continue to leave RDPs exposed and often lack multifactor authentication (MFA) protocols.
- “Sophos added that enterprises also fell short regarding sufficient log visibility, which can hinder IR investigations.”

WIRED reports,
- “Since Monday [April 8, 2024], RansomHub, a relatively new ransomware group, has posted to its dark-web site that it has 4 terabytes of Change Healthcare’s stolen data, which it threatened to sell to the “highest bidder” if Change Healthcare didn’t pay an unspecified ransom. RansomHub tells WIRED it is not affiliated with AlphV and “can’t say” how much it’s demanding as a ransom payment. * * *
- “RansomHub initially declined to publish or provide WIRED any sample data from that stolen trove to prove its claim. But on Friday, a representative for the group sent WIRED several screenshots of what appeared to be patient records and a data-sharing contract for United Healthcare, which owns Change Healthcare, and Emdeon, which acquired Change Healthcare in 2014 and later took its name.
- “While WIRED could not fully confirm RansomHub’s claims, the samples suggest that this second extortion attempt against Change Healthcare may be more than an empty threat. “For anyone doubting that we have the data, and to anyone speculating the criticality and the sensitivity of the data, the images should be enough to show the magnitude and importance of the situation and clear the unrealistic and childish theories,” the RansomHub contact tells WIRED in an email.
- “We are working with law enforcement and outside experts to investigate claims posted online to understand the extent of potentially impacted data,” Change Healthcare said in an email to WIRED. “Our investigation remains active and ongoing. There is no evidence of any new cyber incident at Change Healthcare.”

From the cybersecurity defenses front,

MedCity News discusses four lessons learned from the Change Health cyberattack.

According to Dark Reading,
- The US Cybersecurity and Infrastructure Security Agency (CISA) has given organizations a new resource for analyzing suspicious and potentially malicious files, URLs, and IP addresses by making its Malware Next-Gen Analysis platform available to everyone earlier this week.
- The question now is how organizations and security researchers will use the platform and what kind of new threat intelligence it will enable beyond what is available via VirusTotal and other malware analysis services.
- The Malware Next-Gen platform uses dynamic and static analysis tools to analyze submitted samples and determine if they are malicious. It gives organizations a way to obtain timely and actionable information on new malware samples, such as the functionality and actions a string of code can execute on a victim system, CISA said. Such intelligence can be crucial to enterprise security teams for threat hunting and incident response purposes, the agency noted.

“NIST has released three self-guided online introductory courses on the NIST Special Publication (SP) 800-53 security and privacy control catalog, the SP 800-53A control assessment procedures, and SP 800-53B control baselines. The courses provide a high-level overview of foundational security and privacy risk management concepts based directly on their respective NIST SPs.”

According to Cybersecurity Dive,
- “CISOs and other management level cybersecurity executives are gaining more influence and importance as companies have begun to recognize the need for strong cyber governance and oversight, according to a report from Moody’s Ratings.
- “About 90% of cybersecurity managers now report to a top level company executive, compared with 62% in 2021. A higher percentage of these cybersecurity executives now report directly to company CEOs, according to the report, which is based on a survey of more than 2,000 organizations around the world that issue debt, including 1,100 in North America.
- “The role of the CISO has risen in seniority and visibility within organizations,” Steven Libretti, assistant VP and analyst at Moody’s Ratings, said via email. “This means more direct reporting lines from the cyber manager to the C-suite executives and more frequent cyber briefings to the CEO.”
- “Moody’s identified a more regular cadence within organizations of CISOs and other cybersecurity managers providing updates to the C-suite and board of directors. About 40% of cyber managers conduct monthly meetings with their CEO, according to the report.”

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Subscribe to FEHBlog