Cybersecurity Saturday - Ermer and Suter PLLC

From the cybersecurity retrospection and predictions front as we approach New Year’s Day,

CSO lists the “top 7 zero-day exploitation trends of 2024,” and “IT leaders’ top 9 takeaways from 2024.”

Dark Reading points out “Emerging Threats & Vulnerabilities to Prepare for in 2025. From zero-day exploits to 5G network vulnerabilities, these are the threats that are expected to persist over the next 12 months.”

Federal News Network offers a “2024 review: ‘Typhoons’ bookend [the Change Healthcare breach in a] busy year in cyber. From Volt Typhoon to Salt Typhoon, major cyber incidents in 2024 shined a spotlight on how agencies are managing cyber threats to critical infrastructure.”

Healthcare Dive recounts “seven of the biggest healthcare cyberattack and breach stories of 2024 Cyberattacks targeting the healthcare industry continued to rise this year. Here are some of the largest incidents, from Change Healthcare to Ascension.”

From the cybersecurity policy front,

Yesterday the Health and Human Services Department’s Office for Civil Rights announced its proposed amendments to the HIPAA Security Rule which is intended to protect electronic personal health information. The public comment deadline is March 7, 2025, sixty days from January 6, 2025, the date that proposed rule will be published in the Federal Register.

Here is a link to the OCR’s fact sheet for the proposed rule. The HIPAA Security Rule dates back to 2003, and its hallmark was flexibility in implementation. To that end, the HIPAA Security rule set forth required standards and addressable standards. Because a lot has changed since 2003, I expected standard changes, but I did not expect OCR to do away with the required / addressable standard distinction in favor of exceptions. Like many other regulations issued by the current administration, the proposed amendments are loaded with new paperwork and oversight requirements. Hopefully the next administration will pull back the proposed rule so that the changes focus on requiring tools that are known to work, e.g., multi factor authentication, encryption, adequate backups.

Cybersecurity Dive lets us know,
- “Lax security controls played a significant role in allowing a China-government sponsored threat group to gain broad and full access to U.S. telecom networks, a senior White House official said Friday.
- “From what we’re seeing regarding the level of cybersecurity implemented across the telecom sectors, those networks are not as defensible as they need to be to defend against a well-resourced, capable, offensive cyber actor like China,” Anne Neuberger, deputy national security advisor for cyber and emerging technology, said during a Friday media briefing.
- “Neuberger’s remarks came as the White House confirmed a ninth telecom company was among those compromised by Salt Typhoon’s widespread intrusion of U.S. telecom networks. The unnamed company recently determined it was impacted after reviewing threat hunting and hardening guidance provided by the U.S. government, Neuberger said.
- “Earlier this month, U.S. officials said at least 8 U.S. telecom providers or infrastructure companies were compromised in a campaign that went undetected for months and has been underway for up to two years.”

Per Federal News Network,
- “The DoD’s big cybersecurity program advanced earlier this month. It’s a big rule to carry out if it becomes effective. For what the rule means and what comes next in the Cybersecurity Maturity Model Certification Program, Deltek cybersecurity researcher Michael Greenman joined the Federal Drive with Tom Temin for details.”
- The article offers a transcript of this interview

From the cybersecurity breaches, ransomware, and vulnerabilities front,

The Cybersecurity and Infrastructure Security Agency (CISA) added one known exploited vulnerability to its catalog this week.
- December 23, 2024
  - CVE-2021-44207 Acclaim Systems USAHERDS Use of Hard-Coded Credentials Vulnerability

Here is a link to a Security Affairs explanation of the vulnerability.

Bleeping Computer pointed out on December 24,
- The Clop ransomware gang started to extort victims of its Cleo data theft attacks and announced on its dark web portal that 66 companies have 48 hours to respond to the demands.
- The cybercriminals announced that they are contacting those companies directly to provide links to a secure chat channel for conducting ransom payment negotiations. They also provided email addresses where victims can reach out themselves.
- In the notification on their leak site, Clop lists 66 partial names of companies that did not engage the hackers for negotiations. If these companies continue to ignore, Clop threatens to disclose their full name in 48 hours.
- The hackers note that the list represents only victims that have been contacted but did not respond to the message, suggesting that the list of affected companies may be larger.
- “The Cleo data theft attack represents another major success for Clop, who leveraged leveraging a zero-day vulnerability in Cleo LexiCom, VLTransfer, and Harmony products to steal data from the networks of breached companies.” * * *
- “The zero-day flaw exploited this time is now tracked as CVE-2024-50623 and it allows a remote attacker to perform unrestricted file uploads and downloads, leading to remote code execution.
- “A fix is available for Cleo Harmony, VLTrader, and LexiCom version 5.8.0.21 and the vendor warned in a private advisory that hackers were exploiting it to open reverse shells on compromised networks.”
and
- “The North Korean hacker group ‘TraderTraitor’ stole $308 million worth of cryptocurrency in the attack on the Japanese exchange DMM Bitcoin in May.
- “In a short post, the FBI attributed the attack to the state-affiliated threat actor TraderTraitor, also tracked as Jade Sleet, UNC4899, and Slow Pisces.
- “The crypto heist occurred in May 2024 and forced the platform to restrict account registration, cryptocurrency withdrawals, and trading until the completion of the investigations.”

From the cybersecurity defenses front,

Netxgov/FCW alerts us that “Government and private sector organizations have begun to recognize that physical and virtual assets must be protected from cyber threats in the same way as IT.”

Dark Reading discusses “Defining & Defying Cybersecurity Staff Burnout. Sometimes it feels like burnout is an inevitable part of working in cybersecurity. But a little bit of knowledge can help you and your staff stay healthy.”

Here is a link to Dark Reading’s CISO Corner, which was updated this week.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Subscribe to FEHBlog