FEHBlog

From the cybersecurity policy and law enforcement front,

• The Wall Street Journal reports,
  • “Congress might pull in opposite directions on cybersecurity in its new two-year term, while President-elect Donald Trump’s position on key cyber topics remains a wild card.
  • “The agenda is packed: Corporate executives want regulatory harmonization, policymakers realize that key critical infrastructure sectors like healthcare need more support and oversight, and artificial intelligence continues to intrigue lawmakers.
  • “Despite partisan tensions over everything from taxes to immigration, cybersecurity is likely to remain an issue that brings Democrats and Republicans together on national security grounds. Still, Republicans are expected to go after regulation they see as burdensome, in particular the Securities and Exchange Commission’s incident-reporting rule.
  • “It’s important now more than ever that policymakers ensure advancing common-sense and bipartisan cybersecurity policy is a top priority for the 119th Congress,” said John Miller, senior vice president of policy, trust, data and technology at the Information Technology Industry Council, a trade group.”

• NextGov/FCW discusses the Defense Department related cybersecurity and other provisions found in the Fiscal Year 2025 National Defense Authorization Act which Congress passed this week.

• Security Affairs lets us know,
  • “According to the WSJ, the U.S. government is considering banning TP-Link routers starting in 2025.
  • “TP-Link holds 65% of the U.S. market and is the top choice on Amazon, powering internet communications for the Defense Department.
  • “In August, two U.S. lawmakers urged the Biden administration to investigate TP-Link over concerns its devices could be used in cyberattacks.
  • “The Commerce, Defense and Justice departments have opened separate probes into the company, with authorities targeting a ban on the sale of TP-Link routers in the U.S. as early as next year, the report said.” reported Reuters. “An office of the Commerce Department has even subpoenaed the company while the Defense Department launched its investigation into Chinese-manufactured routers earlier this year, the newspaper reported, citing people familiar with the matter.” * * *
  • “[A] spokesperson for TP-Link’s U.S. subsidiary told the WSJ that the company welcomes any opportunities to engage with the U.S. government to demonstrate that its security practices align with industry standards and to show its ongoing commitment to the U.S. market, consumers, and addressing national security risks.”

• The Office of Management and Budget’s Office of Information and Regulatory Affairs concluded its review of the HHS’s Office for Civil Rights proposed amendments to the HIPAA Security Rule on December 18.
  • AGENCY: HHS-OCR  RIN: 0945-AA2 Status: Concluded
    TITLE: Proposed Modifications to the HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information
    Section 3(f)(1) Significant: Yes
    STAGE: Proposed Rule  Economically Significant: No
    RECEIVED DATE: 10/18/2024. LEGAL DEADLINE: None   COMPLETED: 12/18/2024
    COMPLETED ACTION: Consistent with Change
• The next step is publication of the proposed rule in the Federal Register.

• Last Monday, the Cybersecurity and Infrastructure Security Agency released its “2024 Year in Review Highlights CISA’s Achievements in Reducing Risk and Building Resilience in Cybersecurity and Critical Infrastructure Security.”

• Cyberscoop adds,
  • “Federal civilian agencies have a new list of cyber-related requirements to address after the Cybersecurity and Infrastructure Security Agency on Tuesday issued guidance regarding the implementation of secure practices for cloud services.
  • “CISA’s Binding Operational Directive (BOD) 25-01 instructs agencies to identify all of its cloud instances and implement assessment tools, while also making sure that their cloud environments are aligned with the cyber agency’s Secure Cloud Business Applications (SCuBA) configuration baselines.
  • “CISA Director Jen Easterly said in a statement that the actions laid out in the directive are “an important step” toward reducing risk across the federal civilian enterprise, though threats loom in “every sector.”
  • “Malicious threat actors are increasingly targeting cloud environments and evolving their tactics to gain initial cloud access,” Easterly said. “We urge all organizations to adopt this guidance. When it comes to reducing cyber risk and ensuring resilience, we all have a role to play.”
• and
  • “The Cybersecurity and Infrastructure Security Agency unveiled a detailed set of guidelines Wednesday to safeguard the mobile communications of high-value government targets in the wake of the ongoing Salt Typhoon telecom breach.
  • “The guide aims to help both political and federal leadership harden their communications and avoid any data interception by the Chinese-linked espionage group. As of earlier this month, government agencies were still grappling with the attack’s full scope, federal officials told reporters. Among the targets were officials from both presidential campaigns, including the phone of President-elect Donald Trump.
  • “The advisory details several key practices intended to mitigate risks associated with cyber threats and raise awareness on techniques that can thwart any type of malicious actor.
  • “I want to be clear that there’s no single solution that will eliminate all risks, but implementing these best practices will significantly enhance the protection of your communication,” said Jeff Greene, CISA’s executive assistant director for cybersecurity. “We urge everyone, but in particular those highly targeted individuals, to review our guidance and apply those that suit their needs.”
  • “Even with the guidance’s focus on high-value targets, the advice is good for anyone that wants to take actions to secure their mobile devices. One of the primary recommendations includes the exclusive use of end-to-end encrypted messaging applications for secure communication. CISA suggests adopting apps like Signal, which provide robust encryption for both Android and iPhone platforms, preventing unauthorized interception of messages.”
    
• The American Hospital Association News tells us,
  • The Cybersecurity and Infrastructure Security Agency is seeking comments on its draft National Cyber Incident Response Plan Update. The plan describes how the federal government, private sector, and state, local, tribal and territorial government entities will coordinate to manage, respond to and mitigate the consequences of high-profile cyberattacks. The update addresses changes in the cyberthreat and operations landscape by incorporating feedback and lessons learned from stakeholders in previous incidents. Comments are being accepted in the Federal Register until Jan. 15.

• Per a Justice Department press release,
  • “A superseding criminal complaint filed in the District of New Jersey was unsealed today charging a dual Russian and Israeli national for being a developer of the LockBit ransomware group.
  • “In August, Rostislav Panev, 51, a dual Russian and Israeli national, was arrested in Israel pursuant to a U.S. provisional arrest request with a view towards extradition to the United States. Panev is currently in custody in Israel pending extradition on the charges in the superseding complaint.
  • “The Justice Department’s work going after the world’s most dangerous ransomware schemes includes not only dismantling networks, but also finding and bringing to justice the individuals responsible for building and running them,” said Attorney General Merrick B. Garland. “Three of the individuals who we allege are responsible for LockBit’s cyberattacks against thousands of victims are now in custody, and we will continue to work alongside our partners to hold accountable all those who lead and enable ransomware attacks.”

From the cyber vulnerabilities and breaches front,

• SC Media relates,
  • “A Chinese-backed malware operation is building a botnet out of smart cameras and video boxes.
  • “The FBI said [on December 16] that a group identified as HiatusRAT has been seeding internet-of-things (IoT) devices with malware that allows for remote access and control. Targets include smart cameras and DVR boxes.
  • “In addition to gathering video footage or traffic data from the compromised hardware, attackers can use the edge-facing devices as a foothold to gain access into other hardware on the network and perform further attacks and data exfiltration.
  • “In this case, the FBI believes that the attackers are trying to compromise U.S. government agencies and the private contractors that work with them. It is believed that the threat actors are working on behalf of the Chinese government to infiltrate networks and gather data that would benefit Beijing.”

• The American Hospital Association adds,
  • “This recent campaign appears to have targeted vulnerable Chinese-branded webcams and DVRs for specific, published vulnerabilities and default passwords set by the vendor,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “These devices are often used in security video monitoring systems. Several of these vulnerabilities impacting older, end-of-life devices have not been patched by the manufacturer and the FBI recommends replacing them with updated devices. The critical takeaway from this bulletin is that patch management programs must cover not only traditional computer systems, but also Internet of Things devices on your network.” 

• On December 17, HHS’s Health Sector Cybersecurity Coordination Center issued an analyst note about credential harvesting.

• Bleeping Computer lets us know,
  • “A new Microsoft 365 phishing-as-a-service platform called “FlowerStorm” is growing in popularity, filling the void left behind by the sudden shutdown of the Rockstar2FA cybercrime service.
  • “First documented by Trustwave in late November 2024, Rockstar2FA operated as a PhaaS platform facilitating large-scale adversary-in-the-middle (AiTM) attacks targeting Microsoft 365 credentials.
  • “The service offered advanced evasion mechanisms, a user-friendly panel, and numerous phishing options, selling cybercriminals access for $200/two weeks.
  • According to Sophos researchers Sean Gallagher and Mark Parsons, Rockstar2FA suffered from a partial infrastructure collapse on November 11, 2024, making many of the service’s pages unreachable.
  • Sophos says this does not appear to be the result of law enforcement action against the cybercrime platform but rather a technical failure.
  • A few weeks later, FlowerStorm, which first appeared online in June 2024, started quickly gaining traction.

• CISA added eight known exploited vulnerabilities to its catalog this week.
  • December 16, 2024
    • CVE-2024-20767 Adobe ColdFusion Improper Access Control Vulnerability
    • CVE-2024-35250 Microsoft Windows Kernel-Mode Driver Untrusted Pointer Dereference Vulnerability
  • December 17, 2024
    • CVE-2024-55956 Cleo Multiple Products Unauthenticated File Upload Vulnerability
  • December 18, 2024
    • CVE-2018-14933 NUUO NVRmini Devices OS Command Injection Vulnerability
    • CVE-2022-23227 NUUO NVRmini 2 Devices Missing Authentication Vulnerability
    • CVE-2019-11001 Reolink Multiple IP Cameras OS Command Injection Vulnerability
    • CVE-2021-40407 Reolink RLC-410W IP Camera OS Command Injection Vulnerability
  • December 19, 2024
    • CVE-2024-12356 BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) Command Injection Vulnerability
      
• Cybersecurity Dive adds,
  • “Attackers are actively exploiting a critical vulnerability in Apache Struts 2 just days after it was originally disclosed and patched, researchers warn.  
  • “The vulnerability, listed as CVE-2024-53677, involves a flaw in file upload logic, according to a bulletin from Apache. The vulnerability has a CVSS score of 9.5 out of 10, indicating the risk is considered critical.  
  • “An attacker can manipulate file upload parameters to enable path traversal. Apache urged users to upgrade to Struts 6.4.0 or greater and use the Action File Upload Interceptor. Security researchers warn the vulnerability can allow an attacker to conduct malicious actions.”\
• and
  • “Researchers have now traced exploitation of a critical vulnerability in Cleo file transfer software back to October, Mandiant Consulting CTO Charles Carmakal said in a LinkedIn post Wednesday. Mandiant’s discovery puts active exploitation at least a month earlier than previously observed by other researchers.
  • “Mandiant identifies the cluster actively exploiting the two vulnerabilities, CVE-2024-50623 and CVE-2024-55956, as UNC5936. Researchers say the cluster has overlaps with FIN11, also known as Clop, which claimed responsibility for the attacks earlier this month. 
  • “There is currently no evidence of mass data theft, which was observed in prior campaigns by the threat group, Carmakal said. However, malicious backdoors including Beacon and Goldtomb have been deployed on exploited systems.”
• and
  • “An attacker gained access to a limited number of BeyondTrust customers’ instances of Remote Support SaaS, an access-management tool, the company said in a Dec. 8 blog post, which was updated Wednesday. The attacker compromised a Remote Support SaaS API key and reset passwords of multiple accounts.
  • “The cybersecurity vendor initially detected anomalous activity on one customer instance of Remote Support SaaS on Dec. 2, according to the updated blog. Three days later, the company determined multiple customers were impacted, suspended those instances and revoked the compromised API key.
  • “Our initial investigation has found that no BeyondTrust products outside of Remote Support SaaS are impacted,” the company said in the blog post.”

From the ransomware front,

• Cybersecurity Dive points out,
  • “Data from nearly 5.6 million people was exposed due to a ransomware attack on nonprofit health system Ascension this spring, according to a report to federal regulators.
  • “The attack compromised personal information from some current and former Ascension patients, senior living residents and employees, the system said on Thursday [December 19]. Personal details, medical information, payment information, insurance details and government ID numbers, including Social Security numbers, could have been exposed.
  • “The breach is the third largest reported to the HHS’ Office for Civil Rights’ healthcare data breach portal this year, trailing only incidents at Change Healthcare and Kaiser Foundation Health Plan.” * * *
  • “In June, Ascension reported that cybercriminals gained access to its systems after a worker accidentally downloaded a malicious file, and that personally identifiable and protected health information may have been exposed.
  • “Now, the health system has completed its review of what data may have been compromised. Ascension is mailing letters to affected people, which should be delivered over the next two to three weeks, the health system said in an update Thursday [December 19].
  • “Though patient data was involved, Ascension said it found no evidence that data was stolen from EHR and other clinical systems, where full patient records are stored.” 

• Statescoop lets us know,
  • Hackers are threatening as early as this week to release the personal information of potentially hundreds of thousands of Rhode Islanders connected with RIBridge, the state’s health and social services system that suffered a cyberattack on Dec. 5, Gov. Dan McKee and state officials told media over the weekend.
  • Brian Tardiff, Rhode Island’s chief digital officer, said that the cybercriminals behind the attack threatened to release the data they claim to have obtained in the Dec. 5 cyberattack unless they receive a ransom payment. Tardiff did not specify the ransom deadline, amount of money demanded or if the hackers identified themselves.
  • “Any individual who has received or applied for state health coverage or health and human services programs or benefits could be impacted by this breach,” according to an update posted to the state’s website Friday after the cyberattack was detected.
  • The state’s benefits programs that may be impacted by the breach include Medicaid, Supplemental Nutrition Assistance Program, Temporary Assistance for Needy Families,  Child Care Assistance Program, health coverage purchased through HealthSource RI, Rhode Island Works, Long-Term Services and Supports, General Public Assistance and Program At HOME Cost Share.

• Per TechTarget,
  • “Despite being taken down and humiliated by the National Crime Agency (NCA) coordinated Operation Cronos in February 2024, an unknown individual(s) associated with, or claiming to represent, the LockBit ransomware gang has broken cover to announce the impending release of a new locker malware, LockBit 4.0.
  • “In screengrabs taken from the dark web that have been widely circulated on social media in the past day, the supposed cybercriminal invited interested parties to “sign up and start your pen tester billionaire journey in 5 minutes with us”, promising them access to supercars and women. At the time of writing, none of the links in the post direct anywhere, while a countdown timer points to a ‘launch’ date of 3 February 2025.
  • “Robert Fitzsimons, lead threat intelligence engineer at Searchlight Cyber, said it was hard to say at this stage what LockBit 4.0 entailed – whether the gang was launching a new leak site, its old one having been seized, or whether it has made changes to its ransomware.
  • “It is worth noting that LockBit has already been through many iterations, its current branding is LockBit 3.0. It’s therefore not surprising that LockBit is updating once again and – given the brand damage inflicted by the law enforcement action Operation Cronos earlier this year – there is clearly a motivation for LockBit to shake things up and re-establish its credentials, keeping in mind that the LockBit 3.0 site was hijacked and defaced by law enforcement,” said Fitzsimons.”

From the cybersecurity defenses front,

• Dark Reading discusses
  • “Managing Threats When Most of the Security Team Is Out of the Office. During holidays and slow weeks, teams thin out and attackers move in. Here are strategies to bridge gaps, stay vigilant, and keep systems secure during those lulls”
• and
  • “To Defeat Cybercriminals, Understand How They Think. Getting inside the mind of a threat actor can help security pros understand how they operate and what they’re looking for — in essence, what makes a soft target.”

• Here is a link to Dark Reading’s CISO Corner.

• The Cyberscoop article on CISA’s mobile communications protection guide adds
  • “The guidelines advocate for the use of Fast Identity Online (FIDO) phishing-resistant authentication as a superior alternative to traditional multifactor authentication (MFA) methods. FIDO authentication, especially through hardware-based security keys such as Yubico or Google Titan, is recommended for enhancing the security of high-targeted accounts.
  • The guidance also emphasizes moving away from Short Message Service (SMS) messages as a form of MFA, advising that SMS-based authentication is not encrypted and can be easily intercepted by those with access to telecommunications infrastructure.
  • “Additional recommendations include the use of a password manager, regular software updates for both operating systems and applications to patch vulnerabilities and setting telecommunications account PINs to prevent SIM-swapping attacks — a common technique used by hackers to hijack phone numbers and intercept sensitive communications.
  • “Specific guidelines tailored for Apple iPhone and Android users were also included. iPhone users are advised to enable “Lockdown Mode” to restrict app access and deploy Apple iCloud Private Relay for secure internet browsing. Meanwhile, Android users are encouraged to choose devices with strong security records and long-term update commitments, and to ensure the use of encrypted Rich Communication Services (RCS) for messaging.”