Weekend Update / Cybersecurity Saturday

Weekend Update / Cybersecurity Saturday

Blue Bonnets — The Texas State Flower

The FEHBlog’s Friday Insights did not publish as scheduled on Saturday morning. To get the email distribution back on schedule the FEHBlog is combining the Weekend Update and the Cybersecurity Saturday posts below.

Weekend Update

The House of Representatives and the Senate will be in session for Committee business and floor voting on Wednesday, Thursday and Friday this week.

Recently, the Centers for Medicare and Medicaid Services confirmed that the No Surprises Act air ambulance reporting will not occur in 2023.

Under section 106 of the No Surprises Act, air ambulance providers, insurance companies, and employer-based health plans must submit to federal regulators information about air ambulance services provided to consumers. The Centers for Medicare & Medicaid Services (CMS) in the Department of Health & Human Services (HHS) is conducting this Air Ambulance data collection (AADC), which will be used to develop a public report on air ambulance services.
The proposed rules describing the proposed form and manner of the data collection can be found at this link. The final rules will specify the final reporting requirements, including the data elements and the deadlines for the data collection. The data collection will not begin until after the final rules are published. This page will be updated when the rules are finalized and more information on data collection is available.

From the value added care front, Behavioral Health Business discusses how Aetna and Optum are collaborating with a large mental health provider, Universal Health Services, to develop reliable outcome measurements for mental health services.

From the healthcare developments front —

NPR tells us

When the FDA approved bempedoic acid, marketed under the brand name Nexletol, back in 2020, it was clear that the drug helped lower LDL — “bad” cholesterol. The drug was intended for people who can’t tolerate statin medications due to muscle pain, which is a side effect reported by up to 29% of people who take statins.

What was unknown until now, is whether bempedoic acid also reduced the risk of cardiovascular events. Now, the results of a randomized, controlled trial published in The New England Journal of Medicine point to significant benefit. The study included about 14,000 people, all of whom were statin intolerant.

“The big effect was on heart attacks,” says study author Dr. Steven Nissen of Cleveland Clinic. 

People who took daily doses of bempedoic acid for more than three years had about a 23% lower risk of having a heart attack, in that period, compared to those taking a placebo. There was also a 19% reduction in coronary revascularizations, which are procedures that restore blood flow to the heart, such as a bypass operation or stenting to open arteries.

Medscape highlights a “revolutionary” treatment for suicidal depression, the Stanford neuromodulation therapy (SNT) protocol.

From the medical research front, Medscape reports

A common chemical that is used in correction fluid, paint removers, gun cleaners, aerosol cleaning products, and dry cleaning may be the key culprit behind the dramatic increase in Parkinson’s disease (PD), researchers say.

An international team of researchers reviewed previous research and cited data that suggest the chemical trichloroethylene (TCE) is associated with as much as a 500% increased risk for Parkinson’s disease (PD).

Lead investigator Ray Dorsey, MD, professor of neurology, University of Rochester, New York, called PD “the world’s fastest-growing brain disease,” and told Medscape Medical News that it “may be largely preventable.”

“Countless people have died over generations from cancer and other disease linked to TCE [and] Parkinson’s may be the latest,” he said. “Banning these chemicals, containing contaminated sites, and protecting homes, schools, and buildings at risk may all create a world where Parkinson’s is increasingly rare, not common.”

The paper was published online March 14 in the Journal of Parkinson’s Disease.

The FEHBlog has several friends with Parkinson’s Disease.

From the Medicare front, Health Payer Intelligence relates

Beneficiaries with end-stage renal disease (ESRD) are increasingly shifting from Medicare fee-for-service (FFS) to Medicare Advantage, leading more Medicare Advantage plans to form value-based arrangements with kidney care management companies, according to Avalere.

Beneficiaries with ESRD have typically received coverage through Medicare FFS because only those already enrolled in a Medicare Advantage plan before initiating dialysis were eligible for the private program through 2020.

A provision under the 21st Century Cures Act that went into effect on January 1, 2021, made all Medicare beneficiaries with ESRD eligible to enroll in Medicare Advantage plans.

Although patient safety awareness week is over, the Wall Street Journal makes us aware that

Black boxes on airplanes record detailed information about flights. Now, a technology that goes by the same name and captures just about everything that goes on in an operating room during a surgery is making its way into hospitals.

The OR Black Box, a system of sensors and software, is being used in operating rooms in 24 hospitals in the U.S., Canada and Western Europe. Video, audio, patient vital signs and data from surgical devices are among the information being captured.

The technology is being used primarily to analyze operating-room practices in hopes of reducing medical errors, improving patient safety and making operating rooms more efficient. It can also help hospitals figure out what happened if an operation goes wrong. * * *

Duke University Hospital, where two operating rooms are equipped with black boxes, is using the technology to study and improve on patient positioning for surgery to reduce the possibility of skin-tissue and nerve injuries. It is also studying and using the technology to improve communication among nursing personnel throughout a surgical procedure to ensure that key tasks—such as confirming that surgical instruments and medical devices are available for a procedure—are being completed promptly, effectively and efficiently.

Cybersecurity Saturday

From the cybersecurity policy front, the American Hospital Association informs us that

The Senate Homeland Security and Governmental Affairs Committee held a full Committee hearing examining cybersecurity risks to the healthcare sector on March 16. Witnesses included Scott Dresen, chief information security officer for Corewell Health, a large integrated health system in Michigan. 
 
“The increasing frequency of attack from nation state actors and organized crime has created a sense of urgency within the healthcare sector and we need help from the United States government to respond to these threats more effectively,” Dresen said.
 
Specifically, he called for enhancing existing partnerships with and between federal agencies, expanding the sharing of actionable threat intelligence, incentivizing access to affordable technology to defend against advanced threats, ensuring there is an adequate cyber workforce, and reforming legislation to encourage the adoption of best practices while not penalizing the victims of cyberattacks.

STAT News reveals why an HHS rule amending the HIPAA Privacy Rule will wreak financial havoc on health systems. The proposed rule was issued in January 2021, so the final rule has been pending for a long time.

Federal News Network reports

The Cybersecurity and Infrastructure Security Agency (CISA) is looking to position a new “Cyber Analytics and Data System” at the center of national cyber defenses, as the agency’s post-EINSTEIN plans come into focus in its fiscal 2024 budget request.

CISA is seeking $424.9 million in the 2024 budget for “CADS.” The program is envisioned as a “system of systems,” budget documents explain, that provides “a robust and scalable analytic environment capable of integrating mission visibility data sets and providing visualization tools and advanced analytic capabilities to CISA cyber operators.”

The new program is part of the “restructuring” of the National Cybersecurity Protection System, according to the documents. More commonly known as “EINSTEIN,” the NCPS has been in place to defend federal agency networks since the Department of Homeland Security’s inception in 2003.

From the cyber breaches front, Tech Target brings us up to date on the DC Health Link breach.

An additional wrinkle to the breach came Monday [March 13] when another user on the same dark web forum using the alias Denfur, who had previously published sample data from the breach, created a thread supposedly aiming to clear up misinformation surrounding the breach.

Claiming to be a friend of IntelBroker, Denfur said the attack vector for the breach was an exposed, insecure database belonging to DC Health Link. Moreover, the poster said the database was likely exposed “for over a year and a half” before the breach occurred. TechTarget Editorial contacted DC Health Link in order to verify Denfur’s claims, but a spokesperson declined to comment.

Nextgov reports

At least two hacking groups were able to gain access to at least one federal agency’s servers through an old vulnerability in a software development and design product, according to a cybersecurity advisory issued Wednesday.

According to an alert issued by the Cybersecurity and Infrastructure Security Agency, or CISA, hackers were able to gain access to and run unauthorized code on a federal agency’s server, though they were not able to gain privileged access or move deeper into the network. The malicious activity was observed between November 2022 and early January, though the initial compromise goes as far back as August 2021.

Hackers used a vulnerability in old versions of Telerik UI, a software developer kit for designing apps, which, when exploited, allows hackers with access to execute code. The vulnerability was discovered in 2019 and builds on previous vulnerabilities discovered in 2017 that allow bad actors to gain privileged access and “successfully execute remote code on the vulnerable web server.”

The National Vulnerability Database—managed by the National Institute of Standards and Technology—rates this a critical vulnerability, with a score of 9.8 out of 10.

From the cyber vulnerabilities front, HHS’s Healthcare Cybersecurity Coordination Center (HC3) released its February 2023 list of vulnerabilities of interest to the health sector.

In February 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for this month are from Microsoft, Google/Android, Apple, Mozilla, SAP, Citrix, Intel, Cisco, VMWare, Fortinet, and Adobe. A vulnerability is given the classification as a zero-day if it is actively exploited with no fix available or is publicly disclosed. HC3 recommends patching all vulnerabilities with special consideration to the risk management posture of the organization.

Cybersecurity Dive informs us.

  • Researchers are warning that state-linked and financially motivated threat actors may try to exploit a critical zero-day vulnerability in Microsoft Outlook to launch new attacks against unpatched systems. 
  • Microsoft urged customers to patch their systems against CVE-2023-23397 to address the critical escalation of privilege vulnerability in Microsoft Outlook for Windows, the company said Tuesday. Microsoft Threat Intelligence warned that a Russia-based threat actor launched attacks against targeted victims in several European countries.
  • Mandiant researchers warned that other criminal and cyber-espionage actors will race to find new victims vulnerable to the zero day before organizations can apply patches. 

CISA added three and then one more known exploited vulnerability to its catalog this week.

Security Week highlights that “Deepfakes are becoming increasingly popular with cybercriminals, and as these technologies become even easier to use, organizations must become even more vigilant.”

Deepfakes are part of the ongoing trend of weaponized AI. They’re extremely effective in the context of social engineering because they use AI to mimic human communications so well. With tools like these, malicious actors can easily hoodwink people into giving them credentials or other sensitive information, or even transfer money for instant financial gain. Deepfakes represent the next generation of fraud, by enabling bad actors to impersonate people more accurately and thus trick employees, friends, customers, etc., into doing things like turning over sensitive credentials or wiring money.

Here’s one real-world example: Bad actors used deepfake voice technology to defraud a company by using AI to mimic the voice of a CEO to persuade an employee to transfer nearly $250,000 to a Hungarian supplier. Earlier this year, the FBI also warned of an uptick in the use of deepfakes and stolen PII to apply for remote work jobs – especially for positions with access to a lot of sensitive customer data.

The Security Week article also discusses defenses to deepfake tactics.

From the ransomware date infiltration front –

  • The Federal Bureau of Investigation (FBI), CISA, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) has released a joint cybersecurity advisory (CSA), #StopRansomware: LockBit 3.0. This joint advisory details known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) that FBI investigations correlated with LockBit 3.0 ransomware as recently as March 2023. LockBit 3.0 functions as an affiliate-based ransomware variant and is a continuation of LockBit 2.0 and LockBit. CISA encourages network defenders to review and apply the recommendations in the Mitigations section of this CSA.
  • HC3 posted a threat profile on Black Basta.
    • “Black Basta was initially spotted in early 2022, known for its double extortion attack, the Russian-speaking group not only executes ransomware but also exfiltrates sensitive data, operating a cybercrime marketplace to publicly release it, should a victim fail to pay a ransom. The threat group’s prolific targeting of at least 20 victims in its first two weeks of operation indicates that it is experienced in ransomware and has a steady source of initial access. The level of sophistication by its proficient ransomware operators, and reluctance to recruit or advertise on Dark Web forums, supports why many suspect the nascent Black Basta may even be a rebrand of the Russian-speaking RaaS threat group Conti, or also linked to other Russian-speaking cyber threat groups. Previous HC3 Analyst Notes on Conti and BlackMatter even reinforce the similar tactics, techniques, and procedures (TTPs) shared with Black Basta. Nevertheless, as ransomware attacks continue to increase, this Threat Profile highlights the emerging group and its seasoned cybercriminals and provides best practices to lower risks of being victimized.”

Here is a link to the always interesting Bleeping Computer Week in Ransomware.

From the cyber defenses front —

CISA announced

the creation of the Ransomware Vulnerability Warning Pilot (RVWP). Through the RVWP, CISA:     

  1. Proactively identifies information systems—belonging to critical infrastructure entities—that contain vulnerabilities commonly associated with ransomware intrusions.
  2. Notifies the owners of the affected information systems, which enables the owners to mitigate the vulnerabilities before damaging intrusions occur. 

Review the RVWP webpage for details, including information on the authorities and services CISA leverages to enable RVWP notifications.

HelpNetSecurity tells us how to use ChatGPT to improve cyber defenses.

Cybersecurity Saturday

From Capitol Hill, the Senate Homeland Security and Governmental Affairs Committee will hold a full Committee hearing to examine cybersecurity risks to the healthcare sector. The hearing will occur on Thursday, March 16, 2023, at 10 am.

Among the topics at the hearing will be a serious cybersecurity breach at DC Health Link which runs the DC health marketplace under the Affordable Care Act (“Act”). In the Affordable Care Act (“ACA”) Congress shifted its health benefits coverage for its members and senior staffers from FEHB to the ACA marketplace. Of note, Congress was directly hit in the OPM breach and this new one.

Axios explains

A hacker who uses the pseudonym “Denfur” is selling a database they claim includes stolen sensitive data from at least 55,000 customers of D.C.’s health insurance marketplace, including members of Congress and their staffs.

Driving the news: Congressional leaders started warning lawmakers on Wednesday about the breach at DC Health Link and suggested they freeze their credit while an investigation continues.

  • DC Health Link, which confirmed the breach and dark web leaks in a statement, helps all city residents purchase health insurance, not just members of Congress.

What’s happening: Researchers at Check Point Research told Axios Thursday that a malicious hacker had posted the database for sale on the “biggest English-speaking dark web hacking forum.” The member claims the database includes sensitive data from thousands of customers, including Social Security numbers, birthdates and home addresses.

  • Denfur is now selling the stolen database for just “a few dollars,” researchers noted. Denfur signed off the post with “Glory to Russia!”
  • CyberScoop reports that a sample of the stolen data includes information about former defense officials and lobbyists, and the Associated Press reported it was able to authenticate data belonging to two victims in the set.
  • Axios has seen the dark web post, which was still live as of Friday morning.

Cyberscoop adds,

A person using the moniker “IntelBroker” first posted the stolen data on March 6 to an online forum, where data breaches are publicized and data is either published for download or offered for sale. That post was subsequently pulled down, and “IntelBroker” is now listed permanently banned. 

Three days later, on March 9, a second user going by the name “Denfur” — whose signature on the site reads “Glory to Russia!” — posted what they claimed was the full database, along with a sample that includes 200 entries. The full dataset includes 67,565 unique entries and about 55,000 “unique people,” Denfur claimed. 

At about midday Thursday Denfur also claimed that “the intended target WAS U.S. Politicians and members of U.S. Government.” The quote appeared alongside a link to a news story about the incident quoting House of Representatives Chief Administrative Officer Catherine Szpindor as saying that the members of Congress were not the specific target of the attack.

From the cybersecurity risks / vulnerabilities front —

Tech Republic tells us,

CrowdStrike, a cybersecurity firm that tracks the activities of global threat actors, reported the largest increase in adversaries it has ever observed in one year —  identifying 33 new threat actors and a 95% increase in attacks on cloud architectures. Cases involving “cloud-conscious” actors nearly tripled from 2021.

“This growth indicates a larger trend of e-crime and nation-state actors adopting knowledge and tradecraft to increasingly exploit cloud environments,” said CrowdStrike in its 2023 Global Threat Report.

Besides the raft of new threat actors in the wilds that it pinpointed, CrowdStrike’s report also identified a surge in identity-based threats, cloud exploitations, nation-state espionage and attacks that re-weaponized previously patched vulnerabilities. * * *

Last week’s revelation of an attack on password manager LastPass, with 25 million users, says a lot about the difficulty of defending against data thieves entering either by social engineering or vulnerabilities not usually targeted by malware. The insurgency, the second attack against LastPass by the same actor, was possible because the attack targeted a vulnerability in media software on an employee’s home computer, releasing to the attackers a trove of unencrypted customer data.

The Cybersecurity and Infrastructure Security Agency (CISA) added three known exploited vulnerabilities to its catalog on March 7, 2023, and two more on March 10. Bleeping Computer provides its perspective here.

Tech Republic also highlights a cybersecurity report from the World Econonic Forum that is worth a gander.

From the ransomware front

Tech Republic informs us based on the CrowdStrike report that cybercriminals are shifting tactics from ransomware to data exfiltration and extortion like what happened at DC Health Link. “There was a 20% increase in the number of adversaries conducting data theft and extortion last year, by CrowdStrike’s reckoning.”

HHS’s Healthcare Sector Cybersecurity issued a threat alert on data exfiltration trends in the healthcare sector on March 9.

Here’s a link to Bleeping Computer’s The Week in Ransomware.

From the cybersecurity defenses front —

Health IT Security reports

HHS, through the Administration for Strategic Preparedness and Response (ASPR), and the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group released the Cybersecurity Framework Implementation Guide to help the healthcare sector manage cybersecurity risks amid an increasingly sophisticated threat landscape.

The guide aims to help healthcare organizations align their cyber programs with the National Institute for Standards and Technology (NIST) Cybersecurity Framework (CSF). * * *

The publication is not intended to replace other cybersecurity programs or provide a roadmap to compliance, the guide states. Rather, the voluntary guidance can help healthcare organizations bolster their existing programs and ideally reduce risk by aligning the healthcare sector with NIST’s robust framework.  

Bank Info Security points out that “In addition to the new joint NIST cybersecurity framework toolkit, the Health Sector Coordinating Council and HHS are also close to completing an update of a joint 2019 publication, Health Industry Cybersecurity Practices.”

Cybersecurity Saturday

From the cybersecurity policy front —

The Wall Street Journal reports

The Biden administration said it would pursue laws to establish liability for software companies that sell technology that lacks cybersecurity protections, concluding that market forces alone aren’t sufficient to guard consumers and the nation.

Free markets and a reliance on voluntary security frameworks have imposed “inadequate costs” on companies that offer insecure products or services, according to a national cybersecurity strategy released Thursday. It says the administration would work with Congress and the private sector to create liability for software vendors, sketching out in broad terms what such legislation should entail. * * *

In addition to making a forceful call for expanded liability, the plan reiterates several top priorities that have frequently been listed by various senior cybersecurity officials in recent years, such as urging more collaboration and threat-intelligence sharing with the private sector, forging international partnerships to develop cyber norms, and modernizing federal technology. While much of it is consistent with the goals of past administrations, the focus on liability and mandates on critical infrastructure largely depart from President Biden’s predecessors.

The strategy also emphasizes the need for persistent use of offensive cyber capabilities, such as those housed at the U.S. Cyber Command, to disrupt and dismantle cyber threats to the U.S. The strategy’s language effectively endorses steps taken during the Trump administration to allow the military to be more active with offensive cyber weapons. Mr. Biden’s strategy replaces one issued by former President Donald Trump in 2018.

Security experts and former officials said establishing liability for software manufacturers was the most significant—if hardest to achieve—element of the strategy.

Security Week offers insider observations on the new strategy.

Here are links to the White House’s fact sheet and an informative report from Health IT Security.

The document is divided into five pillars, representing key focus areas: defend critical infrastructure, disrupt and dismantle threat actors, shape market forces to drive security and resilience, invest in a resilient future, and forge international partnerships to pursue shared goals.

Each pillar has significant implications for critical infrastructure entities, including those in the healthcare sector. Namely, the National Cybersecurity Strategy highlights the need to further prioritize Internet of Things (IoT) device security and to transfer some cyber responsibilities away from software users and onto vendors.

“We must make fundamental changes to the underlying dynamics of the digital ecosystem, shifting the advantage to its defenders and perpetually frustrating the forces that would threaten it,” the document states.

“Our goal is a defensible, resilient digital ecosystem where it is costlier to attack systems than defend them, where sensitive or private information is secure and protected, and where neither incidents nor errors cascade into catastrophic, systemic consequences.”

Cybersecurity Dive discusses the path to implementing this strategy.

From the cyber breaches front, Security Week points out four recent healthcare sector data breaches.

From the cyber vulnerabilities front —

Cybersecurity Dive informs us

  • Nearly one-third of companies lost money following a phishing attack in 2022, Proofpoint research found. 
  • The 76% year-over-year increase in phishing attacks resulting in a wire transfer or invoice fraud reflects threat actors’ resolve to narrow their scope and steal money more quickly, according to Proofpoint’s annual State of the Phish report released Tuesday.
  • “We saw a significant jump in the direct financial loss,” said Sara Pan, team manager of product marketing at Proofpoint. “What that really implies is that we’re seeing attackers being more impatient and really wanting to claim their trophy right after a successful phishing attack.”
  • The Cybersecurity and Infrastructure Agency (CISA) added one more known exploited vulnerability to its catalog.

From the ransomware front —

  • Bank Info Security reports on an FBI report on ransomware attacks against critical infrastructure in 2022.
  • Bank Info Security adds,
    • Based on known ransomware attacks, security researchers say the volume of such attacks seems to have remained constant in recent years. Ransomware incident response firm Coveware and cryptocurrency intelligence firm Chainalysis last month reported that blockchain analysis revealed a notable decline of 40% in the dollar volume of ransom being paid to criminals.
    • Coveware ascribed the decline directly to the FBI, which has “subtly but effectively shifted strategy from pursuing just arrests to putting a focus on helping victims, and imposing costs to the economic levers that make cybercrime so profitable.” Making a particular impact, Coveware says, is FBI agents quickly landing on-site to assist, including by helping senior executives and boards of directors understand their options.
  • The FBI and CISA issued an alert on Royal Ransomware.
    • Today [March 2, 2023], the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released joint Cybersecurity Advisory (CSA) #StopRansomware: Royal Ransomware to provide network defenders tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Royal ransomware variants. FBI investigations identified these TTPs and IOCs as recently as January 2023.
    • Royal ransomware attacks have spread across numerous critical infrastructure sectors including, but not limited to, manufacturing, communications, healthcare and public healthcare (HPH), and education.
    • CISA encourages network defenders to review the CSA and to apply the included mitigations. See StopRansomware.gov for additional guidance on ransomware protection, detection, and response.
  • The Bleeping Computer’s Week in Ransomware is back!

From the cyber defense front —

CISA announced

Today [February 28, 2023], CISA released a Cybersecurity Advisory, CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks. This advisory describes a red team assessment of a large critical infrastructure organization with a mature cyber posture. CISA is releasing this Cybersecurity Advisory (CSA) detailing the red team’s tactics, techniques, and procedures (TTPs) and key findings to provide network defenders proactive steps to reduce the threat of similar activity from malicious cyber actors. 
  
As detailed in the advisory, the CISA red team obtained persistent access to the organization’s network, moved laterally across multiple geographically separated sites, and gained access to systems adjacent to the organization’s sensitive business systems. This cybersecurity advisory highlights the importance of early detection and continual monitoring of cyber assets.  
  
CISA encourages critical infrastructure organizations to apply the recommendations in the Mitigations section of this CSA to ensure security processes and procedures are up to date, effective, and enable timely detection and early mitigation of malicious activity.

Cybersecurity Dive observes

  • The Cybersecurity and Infrastructure Security Agency is urging critical infrastructure providers to harden their defenses and enable phishing resistant multifactor authentication, after conducting a red team assessment of a large organization over a three-month period in 2022.
  • During the voluntary assessment, a CISA red team was able to gain access to workstations at separate geographic locations using spearphishing emails. The red team leveraged that access to move laterally around the network, gaining root access to multiple workstations adjacent to specialized servers. 
  • The organization largely failed to detect multiple actions by the red team, including lateral movement, persistence and command and control activity. However, the use of strong service account passwords and MFA prevented the red team from accessing a sensitive business system.

The American Hospital Association adds,

“This highly detailed and technical report is an excellent guide to help implement specific cybersecurity tools that will help detect a cyberattack in the early stages and significantly reduce its spread and impact,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “The ‘red team’ or penetration test used a common combination of voice and email social engineering techniques to gain trust of the end users and compromise their credentials, which reaffirms government and AHA cybersecurity guidance that relatively low-cost basics such as establishing phishing-resistant multi-factor authentication are essential to reduce cyber risk. I would strongly encourage hospitals and health systems to explore the possibility of leveraging CISA’s authority and capacity to provide free technical assistance, including red team penetration testing.” 

Also, an ISACA expert explains why “LastPass Hack Highlights Importance of Applicable Acceptable Use Policies.”

Cybersecurity Saturday

From the cybersecurity policy front —

Cyberscoop reportsPort

A forthcoming White House cybersecurity strategy document aims to force large companies to shoulder greater responsibility for designing secure products and to redesign digital ecosystems to be more secure, Camille Stewart Gloster, the deputy national cyber director for technology and ecosystem security, said at a CyberScoop event Thursday. 

By “shifting the burden back from the smaller players” and toward larger players “that can build in security by design” the strategy aims to deliver broad security gains, Stewart Gloster said. The strategy documents also looks at how to “rearchitect our digital ecosystem” so “that we are creating future resilience,” she said. 

According to an early draft of the document obtained by Slate — which White House officials have emphasized is not a final document — the strategy includes a wide range of mandatory regulations on American critical infrastructure companies to improve security and authorizes law enforcement and intelligence agencies to take a more aggressive approach to hack into foreign networks to prevent attacks or retaliate after they have occurred. 

The strategy document is expected to broadly abandon the mostly voluntary approach that has defined U.S. policy in recent years in favor of more comprehensive regulation.

PortSwigger delves into the National Institute of Standards and Technology (NIST) plans for “significant changes to its Cybersecurity Framework (CSF) – the first in five years, and the biggest reform yet” as first noted here last week.

From the cyber vulnerabilities front —

The Cybersecurity and Infrastructure Security Agency (CISA) offers this alert

CISA assesses that the United States and European nations may experience disruptive and defacement attacks against websites in an attempt to sow chaos and societal discord on February 24, 2023, the anniversary of Russia’s 2022 invasion of Ukraine. CISA urges organizations and individuals to increase their cyber vigilance in response to this potential threat.

Security Week adds the perspective of “Several cybersecurity companies’ reports [that published] in the past week summarizing what they have seen in cyberspace since the start of the war.”

Cybersecurity Dive reports

  • “Phishing remained the top initial access vector for security incidents last year with more than 2 in 5 of all incidents involving phishing as the pathway to compromise, IBM research found.
  • “Three in 5 of all phishing attacks were conducted through attachments last year, according to IBM Security X-Force’s annual threat intelligence report released Wednesday. Phishing via links accounted for one-third of all phishing attacks. 
  • “One-quarter of attacks involved the exploitation of public-facing applications and 16% abused valid accounts for access. Just 1 in 10 involved external remote services.”

and

  • “Threat actors are shifting tactics and embracing new tools to run more efficient and impactful operations.
  • “Attackers are now often looking to build an economy of scale,” Wendi Whitmore, SVP of Unit 42 at Palo Alto Networks said Wednesday during a keynote at the company’s annual user summit.
  • “Instead of using one attack vector against one company, threat actors are targeting an entire supply chain.
  • “Likewise, instead of encrypting data, then decrypting it on the back end, ransomware groups can just steal the information and threaten to release it publicly if their ransom demand isn’t met.”

CISA added three more known exploited vulnerabilities to its catalog on February 21. It’s worth noting that CISA refreshed its website. As a result, CISA’s known exploited vulnerabilities reports now identifies the additions rather than require the reader to click over to the catalog. Bravo.

From the ransomware front, the Bleeping Computer provides no Week in Ransomware this week, but it does inform us about “A threat actor [that] has been targeting government entities with PureCrypter malware downloader that has been seen delivering multiple information stealers and ransomware strains.”

HHS’s healthcare sector cybersecurity coordination center (HC3) released the following alert

Russia-linked ransomware group Clop reportedly took responsibility for a mass attack on more than 130 organizations, including those in the healthcare industry, using a zero-day vulnerability in secure file transfer software GoAnywhere MFT. Cybersecurity & Infrastructure Security Agency (CISA) added the GoAnywhere flaw (CVE-2023-0669) to its public catalog of Known Exploited Vulnerabilities. This Sector Alert follows previous HC3 Analyst Notes on Clop (CLOP Poses Ongoing Risk to HPH Organizations and CLOP Ransomware) and provides an update on its recent attack, potential new tactics, techniques and procedures (TTPs), and recommendations to detect and protect against ransomware attacks.

The American Hospital Association adds

“The Russia-linked Clop ‘ransomware-as-a-service’ gang has been targeting health care since 2019, evolving its tactics to effectively combine ransomware and data theft in novel ways,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “Last month HC3 reported that Clop was infecting files disguised to look like medical documents, submitting them to providers and requesting a medical appointment. The objective is to deceive the recipient into clicking on the malicious document and infecting the organization with highly disruptive ransomware. Health care organizations should immediately apply the security patches recommended in these alerts and review the scope, security and necessity of secure file transfer systems.”

For more from the AHA click here, and Health IT Security discusses this Alert here.

To mitigate risk, HC3 urged organizations to patch the GoAnywhere MFT vulnerability where applicable. HC3 also encouraged healthcare organizations to “acknowledge the ubiquitous threat of cyberwar against them” and focus on educating staff and assessing enterprise risk against all potential vulnerabilities.

“Prioritizing security by maintaining awareness of the threat landscape, assessing their situation, and providing staff with tools and resources necessary to prevent a cyberattack remains the best way forward for healthcare organizations,” HC3 concluded.

HC3 posted an Analyst Note about MedusaLocker ransomware yesterday.

Ransomware variants used to target the healthcare sector, from relatively well-known cyber threat groups, continue to be a source of concern and attention. (See HC3 reports on Royal Ransomware and Clop Ransomware). Likewise, the threat from lesser known but potent ransomware variants, such as the MedusaLocker, should also be a source of concern and attention by healthcare security decision makers and defenders.

The Wall Street Journal sums it up with encouraging news

Extortion payments from ransomware, a hacking scourge that has crippled hospitals, schools and public infrastructure, fell significantly last year, according to federal officials, cybersecurity analysts and blockchain firms.

After ballooning for years, the amount of money being paid to ransomware criminals dropped in 2022, as did the odds that a victim would pay the criminals who installed the ransomware. With ransomware, hackers lock up a victim’s computer network, encrypting hard drives until victims pay.

Alphabet Inc.’s Mandiant cybersecurity group said it had responded to fewer ransomware intrusions in 2022—a 15% decrease from 2021. CrowdStrike Holdings Inc., another U.S. cybersecurity firm, said it saw a drop in average ransom-demand amounts, from $5.7 million in 2021 to $4.1 million in 2022, a decline the company attributed to disruption of major ransomware gangs, including arrests, and a decline in crypto values. Ransomware payments are generally made using cryptocurrency.

The blockchain-analytics firm Chainalysis Inc. says that payments that it tracked to ransomware groups dropped by 40% last year, totaling $457 million. That is $309 million less than 2021’s tally.

“It reflects, I think, the pivot that we have made to a posture where we’re on our front foot,” Deputy Attorney General Lisa Monaco said in an interview. “We’re focusing on making sure we’re doing everything to prevent the attacks in the first place.”

Cybersecurity Saturday

From the cybersecurity policy front —

Federal News Network tells us

Federal cybersecurity leaders are looking forward to a major update for the National Institute of Standards and Technology’s Cybersecurity Framework, as NIST aims to add new details on governance, supply chain risks and more to a document that guides the cybersecurity practices of many organizations.

NIST released the original framework in 2014 and last updated the document in 2018. It began gathering feedback on the shift to “CSF 2.0” through a request for information last February, and hosted an initial workshop on the new framework in June.

Last month, NIST published a concept paper laying out some of the initial planned changes. Comments on the paper are due March 3. NIST plans to have a draft of CSF 2.0 ready by this summer, before releasing a final version in early 2024.

During a Wednesday workshop hosted by the standards agency, CISA Director Jen Easterly applauded NIST’s work to update the framework. She reiterated a recent push from CISA for the technology community to focus on “product safety and “the idea that software and hardware must be secure by design and secure by default,” adding that NIST’s work on the framework is an important element in that endeavor.

Federal News Network adds

The Social Security Administration is getting $23.3 million from the Technology Modernization Fund to implement multifactor authentication across its internal systems, part of a trio of recent TMF awards focused on cybersecurity and reliability.

The TMF announced three new investments today for SSA, the Treasury Department and the U.S. Agency for Global Media (USAGM).

USAGM is getting $6.2 million from the TMF to implement a zero trust architecture across its global network. * * * Other agencies to receive zero trust architecture funding from the TMF, include USAID, the Office of Personnel Management, the Education Department, and the General Services Administration.

Cyberscoop informs us

The U.S. government is stepping up its effort to combat threats from foreign technology investments, data acquisition and cyberattacks with a new collaboration between the Departments of Justice and Commerce, Deputy Attorney General Lisa Monaco said Thursday.

Speaking at the Chatham House in London as part of a conversation on disruptive technologies by nation states and malign actors, Monaco announced the “Disruptive Technology Strike Force,” to fight the ability of autocrats seeking “tactical advantage through the acquisition, use, and abuse of disruptive technology, innovations that are fueling the next generation of military and national security capabilities.”

Venture Beat identifies five cybersecurity trends for 2023:

  • Cyber insurance coverage requirements grow;
  • AI’s role in threat protection matures, and
  • Cybersecurity must be flexible to meet threats.

Speaking of cyber insurance, the Advisory Council of Employee Welfare and Pension Plans issued a report on Cybersecurity Insurance and Employee Benefit Plans.

From the cyber threats front —

  • The Health and Human Services Office for Civil Rights shared “two Reports to Congress for 2021, on 
  • These reports, delivered to Congress today, may benefit regulated entities to assist in their HIPAA compliance efforts. The reports also share steps OCR took to investigate complaints, breach reports, and compliance reviews regarding potential HIPAA rule violations.  The reports include important data on the numbers of HIPAA cases investigated, areas of noncompliance, and insights into trends such as cybersecurity readiness.”  
  • The Cybersecurity and Infrastructure Security Agency added four known exploited vulnerabilities to its catalog on February 14, 2023, and one more on February 16, 2023. Bleeping Computer discusses February 14, 2023, additions.
  • The Healthcare Sector Cybersecurity Coordination Center produced a Healthcare Sector DDoS Guide:
  • “Distributed Denial of Service (DDoS) attacks have the potential to deny healthcare organizations and providers access to vital resources that can have a detrimental impact on the ability to provide care. In healthcare, disruptions due to a cyber-attack may interrupt business continuity by keeping patients or healthcare personnel from accessing critical healthcare assets such as electronic health records, software-based medical equipment, and websites to coordinate critical tasks. (See HC3 Analyst Note titled: Pro- Russian Hacktivist Group ‘Killnet’ Threat to HPH Sector). Link can be found here.
  • “Threat actors utilize DDoS attacks due to the cost-effectiveness and relatively low resources and technical skills needed to deploy this type of attack as a hacker doesn’t have to install any code on a victim’s server. Moreover, DDoS attacks are getting more sophisticated and complex while getting easier and cheaper to perpetrate as cyber criminals take advantage of the sheer number of insecure internet-connected devices. (Analyst Comment: It is strongly recommended by cybersecurity institutions, like the National Institute of Standards and Technology, that organizations effectively manage the cybersecurity and privacy risks associated with Internet-of-Things (IoT)). (See NIST Report (NISTIR) – 8228). Link can be found here.”

Health IT Security discusses this guide here.

One of the biggest hospital chains in the US said hackers obtained protected health information for 1 million patients after exploiting a vulnerability in an enterprise software product called GoAnywhere.

Community Health Systems of Franklin, Tennessee, said in a filing with the Securities and Exchange Commission on Monday that the attack targeted GoAnywhere MFT, a managed file transfer product Fortra licenses to large organizations. The filing said that an ongoing investigation has so far revealed that the hack likely affected 1 million individuals. The compromised data included protected health information as defined by the Health Insurance Portability and Accountability Act, as well as patients’ personal information.

From the cybersecurity defenses front —

  • Cyberscoop fills us in on the benefits of proactive cyber threat protection.
  • Venture Beat explains how to use blockchain to prevent data breaches.
  • The Wall Street Journal discusses “How Companies Can Minimize the Cybersecurity Risk From Their Tech Vendors.”
    • Set up a rigorous review process when hiring vendors; 
    • Spell out expectations in vendor agreements, including how data will be shared;
    • Hire internal assessors to regularly brief directors on vendor cybersecurity programs and vulnerabilities;
    • Carefully guard access to company data from the vendors, and 
    • Empower the chief information security officer and bring security expertise to boards.

Cybersecurity Saturday

    From the cybersecurity policy front, Cybersecurity Dive informs us

    National Cyber Director Chris Inglis will retire from his position Feb. 15, ending a more than four decade career in national security. 

    Kemba Walden, principal deputy national cyber director and a former legal executive at Microsoft, will become acting director until Biden names a nominee for the post. The NCD post requires Senate confirmation. 

    From the cyber vulnerabilities front —

    • The Health Sector Cybersecurity Coordination Center (HC3) issued a PowerPoint presentation titled “2022 Healthcare Cybersecurity Year in Review and a 2023 Look-Ahead.”
    • HC3 also released its January 2023 Cybersecurity Vulnerability Bulletin.
    • The Cybersecurity and Infrastructure Agency (CISA) added three known exploited vulnerabilities to its catalog.
    • The Government Accountability Office produced a report titled “Challenges in Protecting Cyber Critical Infrastructure.”

    From the ransomware front —

    CISA announced on February 8

    CISA and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory, ESXiArgs Ransomware Virtual Machine Recovery Guidance. This advisory describes the ongoing ransomware campaign known as “ESXiArgs.” Malicious cyber actors may be exploiting known vulnerabilities in unpatched and out-of-service or out-of-date versions of VMware ESXi software to gain access to ESXi servers and deploy ESXiArgs ransomware. The ransomware encrypts configuration files on ESXi servers, potentially rendering virtual machines unusable.

    As detailed in the advisory, CISA has created and released an ESXiArgs recovery script at https://github.com/cisagov/ESXiArgs-Recover. CISA and FBI encourage organizations that have fallen victim to ESXiArgs ransomware to consider using the script to attempt to recover their files.

    Here’s a Cybersecurity Dive report on this topic.

    CISA announced on February 9

    CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and Republic of Korea’s Defense Security Agency and National Intelligence Service have released a joint Cybersecurity Advisory (CSA), Ransomware Attacks on Critical Infrastructure Fund DPRK Espionage Activities, to provide information on ransomware activity used by North Korean state-sponsored cyber to target various critical infrastructure sectors, especially Healthcare and Public Health (HPH) Sector organizations.

    The authoring agencies urge network defenders to examine their current cybersecurity posture and apply the recommended mitigations in this joint CSA, which include:

    • Train users to recognize and report phishing attempts.
    • Enable and enforce phishing-resistant multifactor authentication. 
    • Install and regularly update antivirus and antimalware software on all hosts. 

    See Ransomware Attacks on Critical Infrastructure Fund DPRK Espionage Activities for ransomware actor’s tactics, techniques, and procedures, indicators of compromise, and recommended mitigations. Additionally, review StopRansomware.gov for more guidance on ransomware protection, detection, and response.

    Bleeping Computer tells us

    Royal Ransomware is the latest ransomware operation to add support for encrypting Linux devices to its most recent malware variants, specifically targeting VMware ESXi virtual machines.

    BleepingComputer has been reporting on similar Linux ransomware encryptors released by multiple other gangs, including Black BastaLockBitBlackMatterAvosLockerREvilHelloKittyRansomEXX, and Hive.

    The new Linux Royal Ransomware variant was discovered by Will Thomas of the Equinix Threat Analysis Center (ETAC), and is executed using the command line.

    Cyberscoop considers whether “After the Hive takedown, could the LockBit ransomware crew be the next to fall?”

    Here is a link to Bleeping Computers The Week in Ransomware.

    From the cyber defenses front —

    • The Wall Street Journal offers its quarterly cybersecurity insurance update.
    • ZDNet reports, “Reddit was hit with a phishing attack. How it responded is a lesson for everyone. A quick and transparent response shows that there’s a correct way to respond to cybersecurity incidents.”
    • An ISACA expert asks, “How does one fix people?” and answers, “Through governance, processes and planning. Governance, processes and planning are all essential components of effective cybersecurity management.”

    Cybersecurity Dive

    From the cybersecurity front, Health IT Security interviewed Senator Mark Warner (D Va) “about the healthcare cybersecurity challenges discussed in his recent policy options paper and how he plans to address them.”

    The healthcare sector will likely remain an enticing target for threat actors in the coming years, but a more streamlined approach to tackling cyber risk at the federal level is urgently needed. Warner shed light on this issue by first addressing the current patchwork of cyber leadership within the federal government.

    “There are four different cabinet secretaries and sixteen different federal agencies that touch on healthcare,” Warner pointed out.

    Even within HHS, agencies such as the Office for Civil Rights (OCR), the Office of the National Coordinator for Health Information Technology (ONC), and the Health Sector Cybersecurity Coordination Center (HC3) all have varying levels of oversight and expertise.

    The question now, Warner explained, is “how do you put somebody in charge, or at least in charge of coordinating, so that you can take a holistic approach?”

    This role would ideally help HHS “speak with one voice regarding cybersecurity in [healthcare],” the policy options paper stated, facilitating communication and collaboration between HHS and other entities such as the Cybersecurity and Infrastructure Security Agency (CISA).

    Interesting.

    From a cybersecurity vulnerabilities front,

    Cybersecurity Dive informs us

    The rising threat of flawed software will get even worse, as common vulnerabilities and exposures (CVEs) will average more than 1,900 per month, according to a report released Wednesday by insurance provider Coalition.

    The monthly total will include 270 high-severity and 155 critical vulnerabilities, which often give attackers the ability to remotely take control of computer systems.

    The San Francisco-based company said 94% of organizations scanned in 2022 had at least one unencrypted service that was exposed to the internet.

    and

    A total of 98% of organizations worldwide have integrations with at least one third-party vendor that has been breached in the last two years, according to a report released Wednesday from SecurityScorecard and the Cyentia Institute. 

    Third-party vendors are five times more likely to exhibit poor security, the report found. Half of organizations have indirect links to at least 200 fourth-party vendors that have suffered prior breaches. 

    The information services sector maintained on average 25 vendor relationships, which is the largest number of any sector and more than double the overall average of third-party vendors, which was 10. Healthcare averaged 15.5 vendors and the financial services industry averaged the lowest number, with 6.5. * * *

    A separate report from Black Kite shows attacks on 63 vendor organizations during 2022 impacted almost 300 companies. On average, there were 4.7 impacted companies per vendor in 2022, compared with 2.5 per vendor in 2021. 

    The most common vector of these attacks was unauthorized network access, accounting for 40% of the incidents, according to Black Kite. 

    While the exact method of access is not usually disclosed or immediately known, unauthorized network access often is due to phishing, stolen credentials or vulnerabilities in access control, according to Bob Maley, CSO at Black Kite.

    On a related note, an ISACA expert considers trends in cyberattacks.

    Looking deeper into the crystal ball, Security Week discusses

    The arrival of cryptanalytically-relevant quantum computers (CRQCs) that will herald the cryptopocalypse will be much sooner – possibly less than a decade. 

    At that point our existing PKI-protected data will become accessible as plaintext to anybody; and the ‘harvest now, decrypt later’ process will be complete. This is known as the cryptopocalypse. It is important to note that all PKI-encrypted data that has already been harvested by adversaries is already lost. We can do nothing about the past; we can only attempt to protect the future.

    Beckers Health IT informed us on February 1, 2023:

    More U.S. hospitals and health systems have reported that their websites went down this week after a cyberattack that Russian hacking group Killnet claimed responsibility for.

    Becker’s reported Jan. 31 on 17 hospitals and health systems that were affected. These six organizations were also reportedly hit, according to news reports and tech company BetterCyber:

    1. Banner Health (Phoenix)

    2. Boulder City (Nev.) Hospital

    3. CHA Hollywood Presbyterian Medical Center (Los Angeles)

    4. ChristianaCare (Newark, Del.)

    5. Presbyterian Healthcare Services (Albuquerque, N.M.)

    6. University of Iowa Health Care (Iowa City)

    On January 30, 2023, the Heath Sector Cybersecurity Coordination Center (HC3) released an analyst note on this threat. The next day, HC3 issued a sector alert about “Multiple Vulnerabilities in OpenEMR Electronic Health Records System.”

    Three vulnerabilities were identified in an older version of OpenEMR, a popular electronic health records system, which can allow for a cyberattacker to access sensitive information and even compromise the entire system. The prevalence of ransomware attacks and data breaches impacting the health sector make these vulnerabilities especially important. These vulnerabilities were fixed in newer versions of OpeEMR, and therefore upgrading to the most recent version will fully patch them.

    On a related note, Cyberscoop points out, “ChatGPT isn’t a malware-writing savant, and much of the hype around it obscures just how much expertise is required to output quality code.”

    From the cyber breach front, last Thursday, the HHS Office for Civil Rights announced a HIPAA Security Rule alleged violation settlement with Banner Health,

    a nonprofit health system headquartered in Phoenix, Arizona, to resolve a data breach resulting from a hacking incident by a threat actor in 2016 which disclosed the protected health information of 2.81 million consumers.  The settlement is regarding the Health Insurance Portability and Accountability Act (HIPAA) Security Rule which works to help protect health information and data from cybersecurity attacks.  The potential violations specifically include: the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization, insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, failure to implement an authentication process to safeguard its electronic protected health information, and failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically.  As a result, Banner Health paid $1,250,000 to OCR and agreed to implement a corrective action plan, which identifies steps Banner Health will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic patient health information.

    From the ransomware front, all the FEHBlog has this week (do we really need more?) is Bleeping Computer’s The Week in Ransomware.

    While the week started slowly, it turned into a big ransomware mess, with attacks striking a big blow at businesses running VMware ESXi servers.

    The attacks started Friday morning, with threat actors targeting unpatched VMware ESXi servers with a new ransomware variant dubbed ESXiArgs.

    The attacks were fast and widespread, with admins worldwide soon reporting that they were encrypted in this new campaign.

    What makes this attack so devastating is that many companies operate much of their server infrastructure on VMware ESXi, allowing the encryption of one device to encrypt multiple servers simultaneously.

    The good news is that some admins have been able to recover their servers by rebuilding disks from flat files, but some have reported being unable to do so as those files were also encrypted.

    We also saw new research released this week, with Microsoft warning that over a hundred threat actors deploying ransomware and LockBit deciding to create a new decryptor based on Conti.

    Finally, REsecurity released a report on the new Nevada ransomware-as-a-service recruiting and gearing up for future attacks.

    Cybersecurity Saturday

    From the cybersecurity policy front, Cybersecurity Dive tells us

    The public-private cybersecurity supergroup, the Joint Cyber Defense Collaborative, is turning its attention to a 2023 agenda that will address risks to vulnerable industries and sensitive elements of civil society.

    JCDC will assess risk in energy and water infrastructure sectors alongside the use of open-source software in industrial control systems, the group revealed Thursday. 

    It also wants to increase cybersecurity and reduce risk for small- and medium-sized critical infrastructure providers. JCDC will collaborate with managed service providers, managed security service providers and remote monitoring and management as part of the effort.

    FedScoop reports

    The National Institutes of Standards and Technology intends to release version 2.0 of its Cybersecurity Framework in the coming years, and this week, the agency teased some of the “potential significant updates” that may land in that new framework.

    On Thursday [January 24, 2023], NIST published a concept paper outlining significant changes to the Cybersecurity Framework and opening them to public feedback over the next several weeks. 

    The framework is a voluntary guide to help organizations in all sectors to better understand, manage, reduce, and communicate cybersecurity risks. It is used widely, along with NIST’s Risk Management Framework, by federal agencies to plan their own cybersecurity approaches.

    Of the proposed changes in the concept paper, the most notable are broadening the scope of the framework beyond critical infrastructure use cases to better include other organizations like small businesses and higher education institutions; including more guidance for implementation; and emphasizing the importance of cybersecurity governance and cybersecurity supply chain risk management, among others.

    and

    The National Institutes of Standards and Technology has issued the first version of its Artificial Intelligence Risk Management Framework that federal agency leaders and lawmakers hope will govern use of the technology.

    The Department of Commerce agency Thursday released the initial document, which it emphasized will continue to evolve as the department receives further input from industry and the scientific research community.

    Publication of the document comes as the use of AI technology receives increased public attention with the launch of new mainstream tools including Chat-GPT.

    In the framework documentNIST sets out four key functions that it says are key to building responsible AI systems: govern, map, measure and manage.

    Nextgov informs us

    The Office of Personnel Management plans to launch a federal cyber workforce dashboard to provide agencies with a better tool to address workforce needs, according to a demo of the proposed dashboard held during a National Institute of Standards and Technology webinar on Tuesday [January 24, 2023].

    An OPM spokesperson told Nextgov the cyber workforce data dashboard is a new tool that will have two versions: a public version looking at governmentwide data and an agency-specific version—where each agency will have a more granular view—to help support their workforce needs. The spokesperson added that OPM has been showing the dashboard to cyber workforce community stakeholders, such as the Office of the National Cyber Director and the Office of Management and Budget.

    This past week has been Data Privacy Week. Spiceworks explains how to convert Data Privacy Week to Data Privacy Year. Security provides thoughts and advice from data security leaders. For example

    Corey Nachreiner, Chief Security Officer at WatchGuard Technologies:

    “Data Privacy Day provides a yearly reminder that data privacy and data security are inextricably linked. Even as laws around the world increasingly recognize the rights of individuals to control how information about them is collected, used and stored, they are also putting greater responsibility on companies for being good stewards of that data and holding them accountable when they aren’t. But protecting data from malicious actors is everyone’s responsibility.”

    From the cyber vulnerabilities front —

    Cybersecurity Dive reports

    Malicious actors are using remote management and monitoring software to launch phishing attacks against federal employees, authorities warned Wednesday

    The Cybersecurity and Infrastructure Security Agency, National Security Agency and Multi-State Information Sharing and Analysis Center said since June 2022 cybercriminals have sent help desk themed phishing emails to civilian executive branch agency staff using their personal and government email addresses. 

    The lure aims to get the targeted workers to link to malicious domains in order to steal money from the targeted victims. However, authorities warn the same tactics could be used by APT actors in order to gain persistence within a network. 

    Health IT Security also offers an article on this topic.

    Fortune Magazine alerts us,

    As tech transformations—for example a business unit built around A.I. or a new app geared toward personalized customer experience—have picked up steam in recent years, so have cyber risks and data privacy concerns.

    But when organizations look internally for risk mitigation and compliance with data privacy laws, there’s a lack of qualified people to do so, according to a new report by ISACA, a professional IT governance association. Both technical privacy and legal/compliance teams are understaffed, enterprise privacy budgets are underfunded, and there are skills gaps. The findings are based on a global survey of 1,890 data privacy professionals who hold positions in IT, audit, compliance, and risk management, for example.

    Health IT Security reports that “UCHealth and UCLA Health Report Healthcare Data Breaches
    The healthcare data breach at UCHealth stemmed from a third-party vendor, and the UCLA Health breach was tied to the organization’s use of analytics tools.”

    The Cybersecurity and Infrastructure Security Agency added known exploited vulnerabilities to its catalog — here and here.

    Health IT Security adds

    Ransomware remained a primary healthcare cyberattack tactic in Q4 2022, BlackBerry noted in its new Global Threat Intelligence Report. BlackBerry’s Threat Research and Intelligence team leveraged data collected by its own security solutions between September 1 and November 30, 2022, along with information from public and private intelligence sources.  

    Throughout the 90-day period, researchers observed threat actors using a variety of tactics, from downloaders to ransomware, infostealers, and remote access Trojans (RATs). For the healthcare sector in particular, ransomware “still poses the biggest threat,” the report indicated.

    From the ransomware front, The Wall Street Journal reports

    U.S. authorities seized the servers of the notorious Hive ransomware group after entering its networks and capturing keys to decrypt its software, the Justice Department said Thursday, calling its effort a “21st-century cyber stakeout.”

    The group linked to Hive ransomware is widely seen by authorities and cybersecurity experts as one of the most prolific and dangerous cybercriminal actors in recent years. It has been linked to attacks on more than 1,500 victims including hospitals and schools—and has extorted more than $100 million in ransom payments, the Justice Department said.

    Bravo. Bleeping Computer’s The Week in Ransomware focuses on this important development.

    Yesterday [January 26, 2023], an international law enforcement operation seized the Tor websites for the Hive ransomware operation and disclosed that they had secretly hacked the organization’s servers in July 2022.

    For the past six months, the police have monitored their communications, intercepted decryption keys, and helped victims with free decryptors.

    While no arrests were made, this was a massive blow to a prominent player in this cybercrime space while preventing $100 million in ransom payments.

    Here’s the Justice Department’s press release.

    Furthermore, an ISACA expert writes about common misconceptions about ransomware.

    From the cyber defense front, the Wall Street Journal provides advice on assessing the likelihood of a ‘Catastrophic” cyber attack, and Security Week explains how to end to password dependency.

    Cybersecurity Saturday

      From the cyberpolicy front —

      Cyberscoop reports

      The Government Accountability Office said Thursday that U.S. federal departments have implemented just 40% of the cybersecurity recommendations the watchdog agency has issued since 2010.

      The lethargic pace in which government agencies put in place cybersecurity precautions and best practices underlines the need for the Biden administration to “urgently” release a comprehensive national cybersecurity strategy with effective oversight, the GAO said in its report.

      The GAO said that the updated national cybersecurity strategy, which the administration is reportedly planning to release soon, should address key “desirable characteristics of national strategies” such as performance measures that was missing in President Trump’s 2018 cybersecurity strategy.

      “We stressed that moving forward, the incoming administration needed to either update the existing strategy and plan or develop a new comprehensive strategy that addresses those characteristics,” the report noted. 

      The GAO noted that only about 145 of its 335 recommendations have been put in place. The agency recommended such actions establishing the national cyber director and the General Service Administration updating their security plans.

      The Cybersecurity and Infrastructure Security Agency released a report on 2022 year in review. Health IT Security examines the CISA report from the standpoint of the healthcare sector.

      The FEHBlog noticed that two Federal Acquisition Regulation proposed rules that he has been tracking are now pending review at OMB’s Office of Information and Regulatory Affairs.

      DOD/GSA/NASA (FAR)

      AGENCY: FAR RIN: 9000-AO34 Status: Pending Review
      TITLE: Federal Acquisition Regulation (FAR); FAR Case 2021-017, Cyber Threat and Incident Reporting and Information Sharing
      STAGE: Proposed Rule ECONOMICALLY SIGNIFICANT: Yes
      RECEIVED DATE: 12/19/2022 LEGAL DEADLINE: None

      AGENCY: FAR RIN: 9000-AO35 Status: Pending Review
      TITLE: Federal Acquisition Regulation (FAR); FAR Case 2021-019, Standardizing Cybersecurity Requirements for Unclassified Information Systems
      STAGE: Proposed Rule ECONOMICALLY SIGNIFICANT: No
      RECEIVED DATE: 12/19/2022 LEGAL DEADLINE: None

      Should these regulations clear OIRA review, then the next step will be published in the Federal Register.

      From the cyberbreach front,

      Cybersecurity Dive reports

      T-Mobile on Thursday said a threat actor accessed personal data on about 37 million current customers in an intrusion that went undetected since late November.

      The wireless network operator identified the malicious activity on Jan. 5 and during a subsequent investigation determined the unauthorized access began on or around Nov. 25, the company said in a filing with the Securities and Exchange Commission.

      T-Mobile said it was able to trace the source of the malicious activity to an application programming interface and stop it with the help of cybersecurity consultants. 

      This incident marks the eighth publicly acknowledged data breach at T-Mobile since 2018, including a massive data breach in August 2021 that exposed personal data of at least 76.6 million people.

      The investigation is ongoing, but T-Mobile said there is no evidence its systems or network were breached during the incident.

      From the cyber vulnerabilities front —

      Cybersecurity Dive reports

      • Potential cyber incidents and business interruption remained the two leading worldwide corporate risk concerns for the second year in a row, according to a report published Tuesday by Allianz Group’s corporate insurance unit, Allianz Global Corporate & Specialty. 
      • Both cyber and business interruptions were the top concerns among 34% of respondents in the annual Allianz Risk Barometer. The study measured the responses of 2,712 risk management experts in 94 countries and territories, including CEOs, risk managers, brokers and other insurance experts. 
      • Respondents were concerned about a range of potential incidents, from ransomware to data breaches and IT outages. The report noted ransomware remains a frequent threat and cited IBM data showing the average cost of a data breach hit a record of $4.35 million, with the cost expected to surpass $5 million this year.

      Health IT Security tells us

      Cloud security concerns settled into the number five spot on ECRI’s list of “Top 10 Health Technology Hazards for 2023,” a report that the organization has released annually for the past 16 years. ECRI is a nonprofit organization that focuses on healthcare technology and safety.

      The organization’s annual health tech hazards list is compiled by a team of clinicians, healthcare management experts, and biomedical engineers. Last year, ECRI identified cyberattacks as the number one health tech hazard.

      CISA added one more known exploited vulnerability to its catalog.

      The Healthcare Sector Cybersecurity Coordination Center issues three reports this week:

      • Healthcare Cybersecurity Bulletin for Q4 2022 “Ransomware attacks, data breaches, and often both together, continued to be prevalent attacks against the health sector,” the bulletin notes. “Ransomware operators continued to evolve their techniques and weapons for increasing extortion pressure and maximizing their payday. Vulnerabilities in software and hardware platforms, some ubiquitous and some specific to healthcare, continued to keep the attack surface of healthcare organizations wide open. Managed service provider compromise continued to be a significant threat to the health sector, as did supply chain compromise.”
      • December Vulnerabilities of Interest to the Health Sector “In December 2022, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for this month are from Microsoft, Google/Android, Apple, Intel, Cisco, SAP, Citrix, VMWare, and Fortinet.”
      • Artificial Intelligence and Its Current Potential to Aid in Malware Development Artificial intelligence (AI) has now evolved to a point where it can be effectively used by threat actors to develop malware and phishing lures. While the use of AI is still very limited and requires a sophisticated
        user to make it effective, once this technology becomes more user-friendly, there will be a major paradigm shift in the development of malware. One of the key factors making AI particularly dangerous for the healthcare sector is the ability of a threat actor to use AI to easily and quickly customize attacks against the healthcare sector.

      In this regard CSO offers a feature on how ChatGPT changes the phishing game. “The Microsoft-backed free chatbot is improving fast and can not only write emails, essays but can also code. ChatGPT is also polyglot and that could facilitate and increase exponentially phishing attacks.” Wonderful.

      From the ransomware front —

      • An ISACA expert explains why ransomware looms large on the third party risk landscape. “As adoption of cloud datacenters and software as a service grows, so does reliance on complex and global supply chains that introduce a multitude of potential vulnerabilities that can be exploited by cybercriminals. In this blog post, we will explore some key strategies for identifying and mitigating supply chain risks, with a special emphasis on ransomware risks in the supply chain.”
      • In Cybersecurity Dive, a ransomware negotiator shares three tips for victim organizations.
      • Dark Reading adds “in another sign that the tide may be finally turning against ransomware actors, ransom payments declined substantially in 2022 as more victims refused to pay their attackers — for a variety of reasons.”

      From the cyber defenses front, Tech Republic explains that while the cybersecurity implications of ChatGPT are vast, especially for email exploits, putting up guardrails, flagging elements of phishing emails that it doesn’t touch and using it to train itself could help boost defense. Ah, a double edged sword.

      Cybersecurity Saturday

      While Congress did enact a nationwide data breach law for healthcare organizations, including FEHB plans, Cyberscoop reports that last month’s data breach affecting password manager LastPass “exposes how US breach notification laws can leave consumers in the lurch.”

      The U.S. famously does not have a federal privacy law — something that might determine the rights of consumers to know their personal data has been stolen. What it has instead are 50 different state laws governing breach notification. When a company realizes its systems have been breached and data inappropriately accessed, it must examine the affected users state by state and determine whether the data stolen and belonging to them qualifies for notification under each user’s state data-breach notification regime. 

      “It’s really messy,” says Chris Frascella, who studies consumer privacy at the Electronic Privacy Information Center, a nonprofit research group. “What you’re required to report in Alabama may not be something that you have to report in Connecticut.”

      Against this backdrop, policymakers in Washington are attempting to step up their breach notification requirements, but these efforts are at an early stage.

      As mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022, the owners and operators of critical infrastructure will soon have to report cyber incidents and ransomware payments to the Department of Homeland Security. DHS is currently in the process of writing rules governing these disclosures, but it is important to note that these requirements are focused on critical infrastructure, rather than consumer goods. 

      Over at the Securities and Exchange Commission, policymakers have proposed requiring publicly traded companies to report in public filings breaches considered to be material to investors — but what amounts to a “material” breach is a matter of some debate

      The Federal Trade Commission is also stepping up its efforts to push companies to implement better security practices and do a better job of notifying consumers when they are affected by a data breach.

      Congress can fix this problem.

      Cybersecurity Dive tells us

      The consistent increase in annual cybercrime damages is not sustainable, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency said Thursday at CES in Las Vegas.

      Cybercrime damages cost organization $6 trillion last year, she said. They are projected to reach $8 trillion this year and $10.5 trillion in 2025.

      “We cannot accept that 10 years from now it’s going to be the same or worse than where we are now,” Easterly said. “The critical infrastructure that Americans rely on every day … is underpinned by a technology base and that technology base was created effectively in an insecure way.”

      This won’t change until priorities and incentives are realigned, she said.

      Change starts with a recognition that cybersecurity is a fundamental safety issue, according to Easterly.

      “We’ve somehow accepted that the incentives in technology are all aligned toward cost, capability, performance, speed to market, and not safety,” she said.

      Companies are automatically blamed when they’ve been breached or didn’t patch a vulnerability that resulted in an attack, but that sole blame misses the broader challenge and questions everyone should be asking of technology vendors, according to Easterly.

      “Why did that software have so many vulnerabilities in it that it has to be constantly patched every week? Why did that software have a vulnerability that caused such a damaging breach?” she said.

      Organizations are relying on technology that short shrifts security.

      “We can’t just let technology off the hook,” Easterly said.

      Good point, Ms. Easterly

      From the cyber vulnerabilities front,

      Cybersecurity Dive informs us

      • “For the second consecutive year, disputes over cybersecurity and data represent the greatest global risk to organizations, according to a report from Baker McKenzie
      • “The majority, 3 in 5, of senior legal and risk officers name cybersecurity and data as presenting the greatest risk to organizations, according to the firm’s 2023 Global Disputes Survey, which is based on responses from 600 legal and risk officers at organizations in the U.S., U.K., Singapore and Brazil with annual revenue of at least $500 million. 
      • “Cybersecurity concerns are becoming more frequent and they represent a range of challenges for companies, including the risk of financial, operational and reputational damage, according to the survey.”

      Cybersecurity Dive also points out

      The Cybersecurity and Infrastructure Security Agency added a Microsoft Exchange Server flaw linked to the Play ransomware attack on Rackspaceto its catalog of known exploited vulnerabilities Tuesday [January 10]. 

      The escalation of privilege vulnerability, listed as CVE-2022-41080, was linked to the Dec. 2 ransomware attack that disrupted email access for thousands of Hosted Exchange customers at Rackspace. 

      CrowdStrike disclosed an attack method using CVE-2022-41080 and CVE-2022-41082 that achieves remote code execution via Outlook Web Access.  * * *

      CISA also added CVE-2023-21674, which is a Microsoft Windows advanced local procedure call (ALPC) to its catalog. The escalation of privilege vulnerability happens when Windows improperly handles calls to ALPC, allowing an attacker to escalate privileges from sandboxed execution inside Chromium to kernel execution, according to researchers at Automox. 

      Here’s a link to the CISA catalog for your ease of reference.

      FYI, the Wall Street Journal reports, that “Biden administration officials and cybersecurity experts said the Federal Aviation Administration’s system outage on Wednesday didn’t appear the result of a cyberattack.”

      From the ransomware front,

      Security Weeks relates, “Security researchers at Microsoft are flagging ransomware attacks on Apple’s flagship macOS operating system, warning that financially motivated cybercriminals are abusing legitimate macOS functionalities to exploit vulnerabilities, evade defenses, or coerce users to infect their devices.”

      The Health Sector Cybersecurity Coordination Center issued an analysis of “Royal & BlackCat Ransomware: The Threat to the Health Sector.”

      Bleeping Computer’s The Week in Ransomware tells us

      New research on ransomware was also disclosed, or discovered, with various reports listed below:

      CISA now requires federal agencies to patch the OWASSRF flaw by the end of January due to its active exploitation by both the Cuba and Play ransomware operations.

      From the cyber defense front,

      • The Wall Street Journal reports, “Cloud-infrastructure company Cloudflare Inc. announced Wednesday new email security capabilities aimed at helping businesses defend against phishing, malware and other cyberattacks commonly targeting corporate email accounts.”
      • Health IT Security informs us, “More than 20 healthcare leaders have come together to form the Health 3rd Party Trust (Health3PT) Initiative and Council, aimed at introducing new standards, automated workflows, and assurance models to the third-party risk management (TRPM) conversation.”
      • Following up on Ms. Easterly’s comments on cyber safety, Federal News Network notes that “CISA and the Department of Homeland Security’s Science and Technology Directorate, for instance, are sketching out projects to dig into the use of open source software in critical infrastructure sectors, Allan Friedman, CISA senior advisor and strategist, said at a Jan. 10 event at the Center for Strategic and International Studies sponsored by GitHub.”