Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Federal News Network tells us,
    • “President-elect Donald Trump’s pick to lead the Department of Homeland Security is signaling potential changes at the Cybersecurity and Infrastructure Security Agency.
    • “South Dakota Gov. Kristi Noem, nominated by Trump to serve as homeland security secretary, testified before the Senate Homeland Security and Governmental Affairs Committee on Friday. She fielded a range of questions, largely on border security and immigration enforcement.
    • “On the cybersecurity front, Noem in her opening statement said she would prioritize a “comprehensive, whole-of-government approach to cybersecurity,” without offering further specifics.
    • “I fully acknowledge that people in Washington, DC do not have all of the answers, and therefore I will leverage private, public partnerships,” Noem added as part of her opening statement. “I will advance cutting edge state of the art technologies to protect our nation’s digital landscape.”
  • Cybersecurity Dive lets us know,
    • “The White House rolled out a highly anticipated executive order on Thursday [January 16, 2025] to combat a rising level of sophisticated attacks targeting U.S. government agencies, critical infrastructure providers and high-profile individuals by state-linked threat groups and other malign actors. 
    • “The executive order will give the U.S. more authority to level sanctions against malicious actors that have disrupted hospitals and other critical providers. 
    • “Federal authorities also plan to leverage the government’s $100 billion in annual IT spending to make sure technology companies develop more secure software.” * * *
    • To help increase security in the public and private sector, the executive order aims to: 
      • Give the U.S. more authority to level sanctions against hackers that have critical providers, including hospitals. 
      • Require software vendors doing business with the federal government to prove they are using secure development practices. The federal government plans to validate that evidence and publish the information to help private sector buyers make informed decisions on secure software. 
      • The National Institute for Standards and Technology will develop guidance on how to deploy software updates in a secure and reliable manner. 
      • The General Services Administration will develop guidance on how cloud customers can securely use these products.  
      • Identify minimum cybersecurity standards for companies working with the federal government. Bureaucracy and cybersecurity requirements for using federal information systems will be streamlined for three years. 
      • Federal authorities will begin research into AI-based tools to search for software vulnerabilities, manage patching and detect threats. A public-private partnership will be developed to use AI to protect critical infrastructure in the energy sector. 
      • The U.S. will only buy internet-connected devices that meet Cyber Trust Mark standards starting in 2027.   
  • Cyberscoop adds,
    • “A sweeping executive order on cybersecurity released Thursday won largely positive reviews, with the main question being its timing — and what will come of it with the executive branch set to be handed over from president to president.”
  • NextGov/FCW informs us,
    • The Office of Personnel Management did not take long nor have to look too far to find its next chief information officer.
    • Melvin Brown II, who previously served as OPM’s deputy chief information officer, was named OPM’s chief information officer this week, according to a LinkedIn post he published Sunday January 12, 2025.
  • Cyberscoop relates,
    • “The Department of the Treasury has sanctioned a Chinese national and a cybersecurity company based in Sichuan, China, for taking part in the Salt Typhoon hacking campaign that has swept up data from at least nine U.S. telecommunications companies.
    • “The department’s Office of Foreign Assets Control (OFAC) named Yin Kecheng of Shanghai and the Sichuan Juxinhe Network Technology Co. Ltd., as entities that had “direct involvement” in the Salt Typhoon campaign. Kecheng is described as an affiliate of the Chinese Ministry of State Security with over a decade of hacking experience.
    • “Kecheng is also alleged to have been involved in a recent hack of the Treasury Department.”
  • Per HHS news releases,
    • “[On January 14, 2025,] the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Solara Medical Supplies, LLC (Solara), a supplier and direct-to-patient distributor of continuous glucose monitors, insulin pumps, and other supplies to patients with diabetes, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule and Breach Notification Rule following a [2019] breach of electronic protected health information (ePHI) caused by a phishing incident.” * * *
    • “In November 2019, OCR received a breach report concerning a phishing attack in which an unauthorized third party gained access to eight of Solara’s employees’ email accounts between April and June 2019, resulting in the breach of 114,007 individuals’ ePHI. In January 2020, OCR received notification of a second breach, when Solara reported that it had sent 1,531 breach notification letters to the wrong mailing addresses. OCR’s investigation determined that Solara failed to conduct a compliant risk analysis to identify the potential risks and vulnerabilities to ePHI in Solara’s systems; failed to implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level; and failed to provide timely breach notification to individuals, HHS, and the media.
    • “Under the terms of the resolution agreement, Solara agreed to implement a corrective action plan that will be monitored by OCR for two years and pay $3,000,000 to OCR.” * * *
    • “The resolution agreement and corrective action plan may be found here.”
  • and
    • “[On January 15, 2025,] the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Northeast Surgical Group, P.C. (NESG), a provider of surgical services in Michigan, for a potential violation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.” * * *
    • “In March 2023, OCR received a breach report concerning a ransomware incident that had affected NESG’s information system. NESG concluded that the protected health information of 15,298 patients had been encrypted and exfiltrated from its network. OCR’s investigation determined that NESG had failed to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in NESG’s systems.
    • “Under the terms of the resolution agreement, NESG agreed to implement a corrective action plan that OCR will monitor for two years and paid $10,000 to OCR.: * * *
    • “The resolution agreement and corrective action plan may be found here.”

From the cybersecurity vulnerabilities and breaches front,

  • Per Cybersecurity Dive,
    • “The Cybersecurity and Infrastructure Security Agency spotted Salt Typhoon on federal networks before defenders discovered the China-sponsored threat group intruded into U.S. telecom systems, Director Jen Easterly said Wednesday.
    • “CISA’s sleuthing “enabled law enforcement to unravel and ask for process on virtual private servers,” Easterly said during an onstage interview at the Foundation for Defense of Democracies. Details gathered from that investigation and response allowed CISA to discover Salt Typhoon and its activities, Easterly said.” * * *
    • “CISA’s observations didn’t prevent Salt Typhoon from attacking the telecom networks en masse, but Easterly presented the agency’s threat hunting and intelligence gathering capabilities as an example of intra-government and public-private collaboration improvements made under her stewardship of the agency.
    • “Easterly is scheduled to step down as CISA director when the President-elect Donald Trump takes office next week.”
  • and
    • Threat hunters are scrambling to determine the scope of damage and potential impact from a critical zero-day vulnerability that impacts a trio of Ivanti products, including Ivanti Connect Secure VPN appliances.
    • Shadowserver scans identified more than 900 unpatched Ivanti Connect Secure instances on Sunday [January 12, 2025] and said the devices are likely vulnerable to exploitation. The amount of unpatched and vulnerable instances found by Shadowserver scans is down from more than 2,000 on Thursday [January 9, 2025].
    • The nonprofit, which analyzes and shares malicious activity with more than 200 national computer security incident response teams covering 175 countries, was asked not to disclose how it knows these instances are unpatched, but has yet to receive any false positive feedback, Shadowserver CEO Piotr Kijewski told Cybersecurity Dive via email on Friday.
    • Researchers are especially concerned about widespread exploitation of the zero-day because of previous cyberattacks linked to software defects in Ivanti products.
  • CISA added seven more known exploited vulnerabilities to its catalog this week.
  • More details from
  • Cybersecurity Dive
    • “The Cybersecurity and Infrastructure Security Agency added a command injection vulnerability in BeyondTrust Remote Support and Privileged Access Products to its catalog of known exploited vulnerabilities on Monday [January 13, 2025]. 
    • “The medium-severity flaw, listed as CVE-2024-12686, allows an attacker with administrative privileges to inject commands into a computer network and run as if they are a site user. The vulnerability has a CVSS score of 6.6. 
    • “The CVE is the second vulnerability disclosed by BeyondTrust during its investigation into an attack spree in December. The attacker reset the passwords of numerous accounts after compromising a Remote Support SaaS API key. A limited number of RemoteSupport SaaS customers were impacted by the attacks.” 
  • CSO Online
    • Fortinet has confirmed the existence of a critical authentication bypass vulnerability in specific versions of FortiOS firewalls and FortiProxy secure web gateways. The flaw has been exploited in the wild since early December in what appears to be an indiscriminate and widespread campaign, according to cybersecurity firm Arctic Wolf.
    • The fix for this zero-day is part of a bigger patch cycle by Fortinet, which released updates for 29 vulnerabilities across multiple products, 14 of which impact FortiOS, the operating system used in Fortinet’s FortiGate firewalls. Some of the flaws impact multiple products that share the same code, which is the case for the zero-day now tracked as CVE-2024-55591.
    • Although Fortinet does not credit Arctic Wolf with discovering the vulnerability, the indicators of compromise listed in the advisory match the analysis of the attack campaign Arctic Wolf warned about in December and documented in more detail on Friday.
  • Security Week
    • “The software giant [Microsoft] on Tuesday called urgent attention to three separate flaws in the Windows Hyper-V NT Kernel Integration Virtualization Service Provider (VSP) and warned that malicious attackers are already launching privilege escalation exploits.
    • “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said in a series of barebones advisories.
    • “As is customary, the company did not release technical details or IOCs (indicators of compromise) to help defenders hunt for signs of compromise.
    • “The three exploited zero-days — CVE-2025-21334CVE-2025-21333 and CVE-2025-21335 — affect the Windows Hyper-V NT Kernel Integration Virtualization Service Provider (VSP) that handles efficient resource management and communication between the host system and guest virtual machines (VMs).” 
  • and
    • Threat actors are exploiting a critical-severity remote code execution (RCE) vulnerability in Aviatrix Controller to deploy malware, cybersecurity firm Wiz reports.
    • The issue, tracked as CVE-2024-50603 (CVSS score of 10/10), exists because user-supplied input is not properly neutralized, allowing unauthenticated, remote attackers to inject arbitrary code that is executed with high privileges on the Aviatrix cloud networking platform.
    • The solution is designed to help organizations manage and secure their cloud infrastructure across multiple providers from a single place.
    • Impacting certain endpoints within the Aviatrix Controller’s API, which is implemented in PHP, the vulnerability was patched in December, but technical information on it was only published last week.

From the ransomware front,

  • Cybersecurity Dive reports on January 17, 2025,
    • Blue Yonder said it is investigating a threat after Clop listed the supply chain management company among nearly 60 companies the ransomware group claims it hacked. The attacks were linked to exploited vulnerabilities in Cleo file-transfer software, according to researchers from Zscaler and Huntress. 
    • A spokesperson for Blue Yonder on Friday confirmed the company uses Cleo to manage certain file transfers. Once the zero-day was confirmed, Blue Yonder said it immediately took steps to mitigate the threat.
    • “Like many Cleo Harmony customers across the globe, we are currently investigating any potential impact of this matter on our business and we continue to update our customers as we have additional information,” the spokesperson told Cybersecurity Dive via email.”
  • CISO Online alerts us on January 13, 2025,
    • CISOs are being warned to make sure employees take extra steps to protect their AWS access keys after word that a threat actor is using stolen login passwords for ransomware attacks.
    • The target is Amazon S3 buckets and the attack uses AWS’ own encryption to make data virtually unrecoverable without paying the attackers for a decryption key, said a report by researchers at Halcyon Tech.
    • “Unlike traditional ransomware that encrypts files locally or in transit, this attack integrates directly with AWS’s secure encryption infrastructure,” the report notes. “Once encrypted, recovery is impossible without the attacker’s key.” * * *
    • “There are, however, a few things AWS customers’ IT administrators can do:
      • “use the Condition element in IAM (identity and access management) policies to prevent the application of SSE-C to S3 buckets. Policies can be configured to restrict this feature to only authorized data and users;
      • “enable detailed logging for S3 operations to detect unusual activity, such as bulk encryption or lifecycle policy changes;
      • “regularly review permissions for all AWS keys to ensure they have the minimum required access;
      • ‘disable unused keys and rotate active ones frequently.
    • “In a statement accompanying the Halcyon report, AWS referred customers to this web page with information for administrators on how to deal with suspected unauthorized activity on their accounts.”
  • Per Industrial Cyber,
    • “The U.S. National Institute of Science and Technology (NIST) through its National Cybersecurity Center of Excellence (NCCoE) division published Monday draft Ransomware Community Profile reflects changes made to the Cybersecurity Framework (CSF) from CSF 1.1 to CSF 2.0 which identifies security objectives that support managing, detecting, responding to, and recovering from ransomware events. The NIST IR 8374 Rev. 1 (draft) comes as the agency is currently considering a more comprehensive revision to the profile to reflect recent ransomware policy developments and incorporate the results of collaborative activities in the ransomware prevention and response space. 
    • “NIST is seeking feedback by March 14, 2025, on the revised draft of the risk management framework, which will guide the future of its ransomware prevention guidance. General comments on the draft are also encouraged. The agency is also looking for input on which elements of the Ransomware Community Profile have been beneficial. Suggestions for improvements to the Community Profile are also welcome.”

From the cybersecurity defense front,

  • Here are CISA news releases from the last week of the Biden administration:
    • “The Cybersecurity and Infrastructure Security Agency (CISA) published today [January 14, 2025] the Joint Cyber Defense Collaborative (JCDC) Artificial Intelligence (AI) Cybersecurity Collaboration Playbook. Developed alongside federal, international, and private-sector partners through JCDC, this playbook provides the AI community—including AI providers, developers, and adopters—with essential guidance on how to voluntarily share actionable incident information and it describes how proactive information sharing can enhance operational collaboration and improve resilience of AI systems.” 
    • “The Cybersecurity and Infrastructure Security Agency (CISA), in close coordination with the Office of Management and Budget (OMB), Office of the National Cyber Director (ONCD) and Microsoft, announces today [January 15, 2025] the release of Microsoft Expanded Cloud Log Implementation Playbook. This guidance helps public and private sector organizations using Microsoft Purview Audit (Standard) to operationalize newly available cloud logs to be an actionable part of their enterprise cybersecurity operations.”
    • CISA Director Jen Easterly’s final CISA blog post concerns “Strengthening America’s Resilience Against the PRC Cyber Threats.”
  • Here is a link to Dark Reading’s CISO Corner.