Cybersecurity Saturday

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cyberscoop tells us,
    • “An advisory committee to the Cybersecurity and Infrastructure Security Agency [CISA] delivered a long list of recommendations on Wednesday that encourage the agency to take measures to increase the cybersecurity expertise on corporate boards of directors, develop a national cybersecurity alert mechanism and better protect high-risk communities from surveillance. 
    • “These policy measures were just a few of more than 100 recommendations made to CISA Director Jen Easterly, who called the findings “transformative.”
    • “The recommendations of CISA’s Cybersecurity Advisory Committee will need to be made into policy by Easterly, but in the past, she has mostly embraced the recommendations of the committee, which is made up of former top-ranking officials, executives and lawmakers, such as former National Cyber Director Chris Inglis, former Rep. Jim Langevin and Southern Company CEO Tom Fanning, who chairs the panel.” 
  • Per Health IT Security,
    • “Healthcare stakeholders have an opportunity to provide feedback to the Senate on improving health data privacy in the US, thanks to a request from US Senator Bill Cassidy (R-LA), a ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee.  
    • “Cassidy issued a request for information (RFI) from stakeholders to gain insights into improving health data privacy and modernizing HIPAA. The deadline to submit feedback to Cassidy’s team is September 28.”
  • Cybersecurity Dive points out,
    • “The White House is looking to add oversight capabilities to strengthen cybersecurity for critical infrastructure. The administration has been working with various cabinet agencies to bolster cybersecurity in water, rail, aviation, energy and other sectors. 
    • “However, Anne Neuberger, deputy national security advisor for cyber and emerging technology, speaking during the Billington Cybersecurity Summit in Washington D.C., raised the possibility of a letter grade rating that would hold key providers accountable for maintaining a certain level of cyber resilience. 
    • “As good as public-private partnerships are, the administration sees additional enforcement ability as necessary.” 
  • The Wall Street Journal offers its September 2023 cybersecurity regulatory update.
    • “In this quarter’s edition: updates on recently passed regulations from the U.S. Securities and Exchange Commission and the New York Department of Financial Services, new regulatory measures introduced by the California Privacy Protection Agency, the new cybersecurity strategy in New York state, and expert commentary on the draft regulations recently published by CPPA.”

From the cybersecurity breaches and vulnerabilities front,

  • Per Cybersecurity Dive,
    • “The dark web marketplaces dedicated to the trade of credentials and vulnerabilities boasts some big names in enterprise compromises, Flashpoint research released Tuesday [September 12] shows.
    • “Three reported purchases of vulnerability exploits on the dark web during the first half of the year included high profile, actively exploited CVEs, according to the threat intelligence firm.
    • “The remote code execution vulnerability in Barracuda’s email security gateway appliances, CVE-2023-2868, was purchased for $15,000 during Q2. Barracuda disclosed and attempted to patch the actively exploited zero-day vulnerability in May, but the patches failed, and exploits are still underway.
    • “Flashpoint said its threat intelligence analysts observed a post expressing interest in the exploit on June 16, and another user offered help in response two days later.”
  • Dark Reading informs us,
    • “A global cyber-espionage campaign conducted by the Iranian nation-state actor known as Peach Sandstorm (aka Holmium) has successfully plucked targets in the satellite, defense, and pharmaceutical sectors, Microsoft is warning. 
    • “The cyber offensive has been active since February, according to a blog post from Microsoft Threat Intelligence, which concluded that the campaign used masses of password spray attacks between February and July to authenticate to thousands of environments and exfiltrate data, all in support of Iranian state interests.
    • “The password spray method of attack is a type of brute-force method used by hackers to gain unauthorized access to user accounts and systems. Password spraying involves attempting to access multiple accounts using common passwords, reducing the risk of account lockouts.”
  • Tripwire reports
    • “Apple has released emergency security updates for the flaws found in macOS, iOS, iPadOS, and watchOS used in the BLASTPASS exploit chain. As Bleeping Computer reports, Citizen Lab has warned Apple customers to apply the updates immediately and consider turning on Lockdown Mode if they suspect they’re particularly vulnerable to being targeted by sophisticated hackers. CISA has added the flaws to its catalog of known exploited vulnerabilities, saying that they pose “significant risks to the federal enterprise” and ordered all federal agencies to patch against them by October 2, 2023.”
  • Security Week notes
    • “Deepfake is a term used to describe synthetic media — typically fake images and videos. Deepfakes have been around for a long time, but advancements in artificial intelligence (AI) and machine learning (ML) have made it easier and less costly to create highly realistic deepfakes. 
    • “Deepfakes can be useful for propaganda and misinformation operations. For example, deepfakes of both Russia’s president, Vladimir Putin, and his Ukrainian counterpart, Volodymyr Zelensky, have emerged since the start of the war.
    • “However, in their new report, the FBI, NSA and CISA warn that deepfakes can also pose a significant threat to organizations, including government, national security, defense, and critical infrastructure organizations.” 
  • HelpNetSecurity warns
    • “Your security solutions might stave off a LockBit infection, but you might still end up with encrypted files: according to Symantec’s threat researchers, some affiliates are using the 3AM ransomware as a fallback option in case LockBit gets flagged and blocked.”

From the ransomware front,

  • The Healthcare Sector Cybersecurity Coordination Center provides us with a sector alert on Akira Ransomware.
    • “Akira is a Ransomware-as-a-Service (RaaS) group that started operations in March 2023. Since its discovery, the group has claimed over 60 victims, which have typically ranged in the small- to medium-size business scale. Akira has garnered attention for a couple of reasons, such as their retro 1980s-themed website and the considerable demands for ransom payments ranging from $200,000 to $4 million. Akira has been observed obtaining initial malware delivery through several methods, such as leveraging compromised credentials and exploiting weaknesses in virtual private networks (VPN), typically where multi-factor authentication (MFA) is not being used. Like many ransomware groups, they employed the double-extortion technique against their victims by exfiltrating data prior to encryption. It is also believed that the group may contain some affiliation with Conti due to observed overlap in their code and cryptocurrency wallets. The group has targeted multiple sectors, including finance, real estate, manufacturing, and healthcare.”
  • Here is a link to the latest Bleeping Computer Week in Ransomware, which features an attack on Las Vegas.

From the cybersecurity defenses front,

  • Health IT Security calls our attention to
    • The Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) announce[ing] the release of version 3.4 of the Security Risk Assessment (SRA) Tool, further enhancing the user experience and helping covered entities navigate risk assessment requirements under the HIPAA Security Rule.
    • “OCR and ONC developed the SRA Tool to help small- and medium-sized healthcare providers identify and assess risks and vulnerabilities to electronic protected health information (ePHI). The tool is a software application that organizations can download at no cost.”
  • Check out the 405(d) Post, which offers “Five Key Insights from The Healthcare Cybersecurity Benchmarking Study.”
  • An ISACA expert explores risk assessment in a rapidly changing threat landscape.
  • CSO offers “Ten principles to ensure strong cybersecurity in agile development.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • We learn from Cybersecurity Dive that
    • Final work is underway for the Cyber Incident Reporting for Critical Infrastructure Act, which Cybersecurity and Infrastructure Security Agency Director Jen Easterly expects to be done by the end of this year or early 2024 at the latest, she said Wednesday at the Billington Cybersecurity Summit. The act, signed in March 2022, requires critical infrastructure providers to report major cyber incidents and ransomware payments to the agency.
    • “But until we have that in place, we need to make sure we are communicating around threats, realizing that a threat to one is a threat to many,” Easterly said. 
    • Easterly said the agency has made significant progress in building a collaborative model for sharing intelligence and gaining visibility into threats facing the nation, but said more work still needs to be done.
  • Per Fedscoop,
    • “New policy guidance is coming soon to help agencies comply with the Federal Risk and Authorization Management Program (FedRAMP) as the cloud landscape evolves, according to the federal government’s No. 2 IT official.
    • “Drew Myklegard, deputy federal CIO, said Thursday at FedScoop’s FedTalks that the forthcoming guidance comes as the federal cloud marketplace has evolved to be more dominated by software-as-a-service (SaaS) and platform-as-a-service (PaaS) offerings. 
    • “The landscape has changed. SaaS — and now it’s heavy, heavy SaaS — and a lot of PaaS providers really need access to the government and their mission. So now we’re pivoting and it takes a couple of years to do that, but we’re pivoting towards that market,” Myklegard said.
    • “He continued: “We’ve seen an exponential growth every couple of years of these SaaS providers and the tools. But what we haven’t seen is similar exponential growth in their adoption, at least like ATO-ed [authority to operate], secured and monitored by the CIOs out there of those types of products.”

From the cybersecurity breaches and vulnerabilities front,

  • The Wall Street Journal reports,
    • “A record year for cyberattacks on U.S. hospitals is putting patients in danger, as hospitals struggle to cope with disabled equipment and frozen data, an official from the American Hospital Association warned Thursday.
    • “Hackers, especially ransomware groups, are routinely taking down medical applications and internet connections, and freezing up patient and operations data, John Riggi, national adviser for cybersecurity and risk at the AHA, said, speaking at a meeting of the Healthcare Information and Management Systems Society. 
    • “Email and phones go down. Backup computers generally don’t work or have only about three days of data on them,” Riggi said. “We have seen this consistently,” he told the audience of healthcare technology and cyber leaders.”
  • The American Hospital Association adds,
    • “The U.S. Treasury Department, in coordination with the United Kingdom, Sept. 7 sanctioned 11 individuals who are part of the Russia-based Trickbot cybercrime group, whose targets have included hospitals and other critical infrastructure organizations. The Department of Justice also unsealed indictments against nine individuals in connection with Trickbot malware and Conti ransomware, including seven of the sanctioned individuals. According to the agencies, the Trickbot group in 2020 launched a wave of ransomware disruptions against U.S. hospitals and health care facilities, in one case deploying ransomware that disrupted computer networks and telephones at three Minnesota facilities and caused them to divert ambulances.”  
  • Last week, the Cybersecurity and Infrastructure Security Agency added one known exploited vulnerability to its catalog
  • Cybersecurity Dive points out
    • “A consumer signing key that caused security headaches for Microsoft earlier this year was exposed in an April 2021 crash dump, the company said Wednesday. A China-based threat group behind attacks later used the key to compromise more than two dozen customers, including U.S. State Department emails earlier this year. 
    • “Microsoft disclosed the crash dump, which redacts sensitive information, as part of an internal investigation into how the consumer signing key was left exposed. The threat group, which Microsoft calls Storm-0558, compromised the corporate account of a Microsoft engineer following the crash dump,
    • “The threat group stole sensitive emails from the State Department and reportedly U.S. Commerce Secretary Gina Raimondo.”
  • Per Krebs on Security, “Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach.”

From the ransomware front,

  • Security Week reports,
    • “Cisco this week raised the alarm on a zero-day in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software that has been exploited in Akira ransomware attacks since August.
    • “Tracked as CVE-2023-20269 (CVSS score of 5.0, medium severity), the issue exists in the remote access VPN feature of Cisco ASA and FTD and can be exploited remotely, without authentication, in brute force attacks. 
    • “This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features,” Cisco explains in an advisory.”

From the cybersecurity defenses front,

  • Cybersecurity Dive identifies the top five behaviors of successful CISOs thanks to Gartner Research.
  • Dark Reading discusses three strategies to defending against “resurgent info stealers.”
  • An ISACA experts explores using near-miss incidents are risk indicators.

 

Cybersecurity Saturday

From the cybersecurity vulnerabilities and breaches front,

  • Cyberscoop reports
    • “An international law enforcement operation disrupted the Qakbot botnet and associated malware that has been connected with countless cyberattacks and nearly $60 million in losses from victims around the world, the U.S. Department of Justice announced Tuesday. 
    • “The operation that included the FBI, DOJ and authorities in France, Germany, the Netherlands, Romania, Latvia and the United Kingdom — is “one of the largest U.S.-led disruptions of a botnet infrastructure” used by criminals to facilitate ransomware, financial fraud and other cyber-enabled criminal activity, the FBI said in a statement.
    • “There were no arrests in connection with the operation but the investigation remains ongoing, a senior FBI official told reporters Tuesday.
    • “Qakbot, also known as Qbot or Pinksipbot, is malware first detected in 2008 that has been associated with hundreds of millions of dollars in losses to individuals and businesses in the U.S. and around the world, according to the FBI. The malware has been an initial entry mechanism for a variety of ransomware groups over the years. Groups such as Conti, ProLock, Egregor, REvil, MegaCortex and Black Basta have been known to use it. Between October 2021 and April 2023, the FBI said, Qakbot administrators have received fees corresponding to approximately $58 million in ransoms paid by victims.
  • Cybersecurity Dive adds
    • “The FBI was able to redirect botnet traffic toward servers it controlled and disrupt the operation. More than 200,000 computers in the U.S. alone were found to be infected. Authorities also seized $8.6 million in illicit cryptocurrency as part of the takedown. ***
    • “The FBI and Dutch National Police have set up website links where stolen credentials can be accessed to find out if they were used.” 
  • Here are links to the related CISA announcement and Security Week’s report on industry reaction to this news.
  • Krebs on Security informs us,
    • “Domain names ending in “.US” — the top-level domain for the United States — are among the most prevalent in phishing scams, new research shows. This is noteworthy because .US is overseen by the U.S. government, which is frequently the target of phishing domains ending in .US. Also, .US domains are only supposed to be available to U.S. citizens and to those who can demonstrate that they have a physical presence in the United States.
    • “.US is the “country code top-level domain” or ccTLD of the United States. Most countries have their own ccTLDs: .MX for Mexico, for example, or .CA for Canada. But few other major countries in the world have anywhere near as many phishing domains each year as .US.
    • “That’s according to The Interisle Consulting Group, which gathers phishing data from multiple industry sources and publishes an annual report on the latest trends. Interisle’s newest study examined six million phishing reports between May 1, 2022, and April 30, 2023, and found 30,000 .US phishing domains.
    • “.US is overseen by the National Telecommunications and Information Administration(NTIA), an executive branch agency of the U.S. Department of Commerce. However, NTIA currently contracts out the management of the .US domain to GoDaddy, by far the world’s largest domain registrar.”
  • Go figure.
  • Cybersecurity Dive tells us last Monday
    • “The blast radius from the mass exploit of a zero-day vulnerability in the MOVEit file transfer service reached another milestone in its destructive spread: more than 1,000 organizations are impacted, according to Emsisoft and KonBriefing Research.
    • “The number of organizations hit by the wide-scale attack increased nearly 40% last week, underscoring the scope of impact and challenge organizations are encountering as they work to determine potential exposure.
    • “The pool of victims from Clop’s attack spree, which was discovered Memorial Day weekend, continues to grow as downstream victims, which lead to more downstream victims, are identified via public disclosures and the threat actor’s website.
  • Health IT Security adds
    • “This week, Singing River Health System in Mississippi is actively facing system downtime as it investigates a cyberattack on its network. What’s more, Prospect Medical Holdings, which operates 16 hospitals and more than 165 clinics across Southern California, Rhode Island, Pennsylvania, and Connecticut, is still experiencing a systemwide outage that began on August 9.
    • “As these incidents continue to develop, other entities have continued to report confirmed data breaches to HHS, as exemplified in this week’s data breach roundup. Third-party data breaches continue to dominate breach notifications, causing breaches across the country.”
    • The article goes on to highlight recent breach announcements. 

From the cybersecurity defenses front,

  • Per Cybersecurity Dive,
    • “Organizations are facing more obstacles obtaining or renewing cyber insurance coverage,  according to a survey of 300 organizations conducted by Censuswide, on behalf of Delinea. Organizations also face strict requirements to get a claim covered.
    • “The majority of organizations, 4 in 5,  said their insurance rates went up when they submitted a new application or applied for policy renewals, with two-thirds reporting premium hikes of between 50% and 100%. 
    • “It is also taking organizations longer to obtain new coverage. The process for 20 of those surveyed, roughly 7%, took six months or longer.”
  • The Healthcare and Public Sector Critical Infrastructure Security and Resilience Partnership released an updated version of its Health Industry Cybersecurity Tactical Crisis Response Guide.
  • An ISACA expert discusses “Contending with Artificially Intelligent Ransomware.”
  • HHS’s 405(d) group released a cyber-hygiene poster oriented toward healthcare providers. Nevertheless, it can be adapted for health plan use.
  • Forbes identifies ten “captivating” cybersecurity conferences being held in Fall 2023.

Cybersecurity Saturday

From the cybersecurity policy front,

  • Federal News Network informs us
    • “Vulnerability disclosure policies have proliferated throughout federal agencies in recent years, and if a new House bill ends up becoming law, federal contractors would have to adopt policies for accepting vulnerability information from security researchers as well.
    • “Rep. Nancy Mace (R-S.C.) today announced the Federal Cybersecurity Vulnerability Reduction Act of 2023. Mace is chairwoman of the House Oversight and Accountability Committee’s cybersecurity, information technology and government innovation subcommittee.
    • “The bill would require the White House Office of Management and Budget to lead updates to the Federal Acquisition Regulation that ensure federal contractors implement a vulnerability disclosure policy. * * *
    • “Mace’s bill would have contractors specifically follow the VDP guidelines established by the National Institute of Standards and Technology.
    • “In May, NIST published “Recommendations for Federal Vulnerability Disclosure Guidelines.” The document lays out a federal vulnerability disclosure framework, including information about how agencies should set up a system for receiving information about potential security vulnerabilities, as well as methods for communicating ways to resolve those vulnerabilities to other agencies and the public.

From the cybersecurity vulnerabilities and breaches front,

  • HHS’s Health Sector Cybersecurity Coordination Center released its July 2023 report on vulnerabilities of interest to the health sector.
    • “In July 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for July are from Microsoft, Google/Android, Apple, Mozilla, SAP, Cisco, Fortinet, VMWare, MOVEit, Oracle, and Adobe. A vulnerability is given the classification as a zero-day if it is actively exploited with no fix available or if it is publicly disclosed. HC3 recommends patching all vulnerabilities with special consideration to the risk management posture of the organization.”
  • The Cybersecurity and Infrastructure Security Administration added a new known exploited vulnerability to its catalog on August 21; two more on August 22, and another two on August 24.
  • Per Health IT Security,
    • “Healthcare data breaches remain a troubling and frequent occurrence despite an observed dip in the number of breaches reported to HHS in the first six months of 2023, Critical Insight noted in its H1 2023 Healthcare Data Cyber Breach Report.
    • “While the number of breaches dropped 15 percent in the first six months of the year compared to the latter half of 2022, the number of records compromised jumped by 31 percent. As previously reported, nearly 40 million records were implicated in healthcare data breaches reported to HHS from January to June.”

In HIPAA Privacy Rule news,

  • Health IT Security says,
    • “The HHS Office for Civil Rights (OCR) reached a settlement with UnitedHealthcare Insurance Company (UHIC) to resolve potential HIPAA right of access violations. UHIC, a health insurer that provides coverage to millions across the US, agreed to pay $80,000 to OCR to resolve the investigation.
    • “The investigation marks the 45th case settled under OCR’s HIPAA Right of Access Initiative, which was created in 2019 to underscore OCR’s commitment to ensuring that patients have timely access to their medical records.
    • “The UHIC case arose in March 2021, when OCR received a complaint alleging that UHIC had not responded to an individual’s request for a copy of their medical record. The individual requested their records in January 2021, finally receiving them in July 2021, after OCR had initiated its investigation into the matter.”

From the ransomware front,

  • Cybersecurity Dive reports
    • “The median dwell time for ransomware attacks fell in the first half of 2023, down to 5 days from the 2022 average of 9 days, according to Sophos research released Wednesday.
    • “The majority of ransomware attacks are taking place during the work week, yet outside standard business hours, Sophos found. The bulk of 80 cases its incident response team worked on during the first half of 2023 took place between 11 p.m. and 8 a.m. in the target’s time zone. Attackers also strongly favored a “late hour at the end of the week” to launch an attack.
    • “Monitoring and reactions have to be 24/7 these days,” said Chester Wisniewski, field CTO of applied research at Sophos. “The criminals are striking when we’re not sitting at the keyboard waiting for them.”
  • and
  • and
    • “The Rhysida ransomware group claimed responsibility for a ransomware attack against Prospect Medical Holdings that forced multiple hospital closures earlier this month and continues to impact operations.
    • “The threat actor said it stole more than 500,000 Social Security numbers, passport data of clients and employees, patient medical files, and financial and legal documents, according to a Thursday post on the dark web. 
    • “Emsisoft Threat Analyst Brett Callow shared a screenshot of the post on X, the platform formerly known as Twitter, Thursday [August 24].”
  • Bleeping Computers’ The Week in Ransomware is on summer vacation this week.

From the cybersecurity defenses front,

  • Per CISA,
    • “[On August 21,] the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and National Institute of Standards and Technology (NIST) released a joint factsheet, Quantum-Readiness: Migration to Post-Quantum Cryptography (PQC), to inform organizations—especially those that support Critical Infrastructure—of the impacts of quantum capabilities, and to encourage the early planning for migration to post-quantum cryptographic standards by developing a Quantum-Readiness Roadmap.
    • “CISA, NSA, and NIST urge organizations to review the joint factsheet and to begin preparing now by creating quantum-readiness roadmaps, conducting inventories, applying risk assessments and analysis, and engaging vendors. For more information and resources about CISA’s PQC work, visit the Post-Quantum Cryptography Initiative.”
  • Per Health IT Security,
    • “The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) issued an updated version of its “Health Industry Cybersecurity Information Sharing Best Practices” guide (HIC-ISBP) to help healthcare organizations craft and maintain a cybersecurity threat information sharing program.
    • “Originally published in March 2020 in partnership with the Health Information Sharing and Analysis Center (Health-ISAC), the document serves to address barriers to information sharing and guide organizations toward overcoming regulatory obstacles that may make information sharing a challenge.
    • “The document is a companion to another recently updated publication known as the “Matrix of Information Sharing Organizations,” which provides healthcare organizations with a list of reputable information-sharing entities.”
  • Dark Reading identifies five best practices for implementing Risk-First Cybersecurity.
    • “Organizations face an uphill battle to safeguard hybrid cloud assets and sensitive data from evolving cyber threats in an increasingly interconnected and digitized world. While the security-first approach is essential, it has limitations in addressing the dynamic nature of these threats. The risks resulting from these threats are multifaceted and sophisticated, encompassing cybersecurity, compliance, privacy, business continuity, and financial implications. Therefore, a shift toward a risk-first approach is necessary.”
  • ISACA shares an executive view of key cybersecurity trends in 2023.
    • “2023 has further proven that the state of cybersecurity is constantly evolving. New technologies are emerging and increasingly being adopted for purposes of enhancing threat detection, analyzing large volumes of data for anomalies and automating security processes. Meanwhile, cyber threats are becoming increasingly sophisticated. In 2022, 76% of organizations were targeted by a ransomware attack, of which 64% were infected.1 To more effectively defend against such attacks, it is important for cyber professionals to understand current trends and challenges that exist in the field of cybersecurity.”
  • The Wall Street Journal offers its quarterly cyber insurance update.
    • In this quarter’s update, we look at new Securities and Exchange Commission cyber rules that may increase insurance risks for corporate directors, how new technologies such as artificial intelligence are helping assess a company’s cyber risk profile, and whether having a cyber insurance policy increases the likelihood of being a victim of a ransomware attack?

Cybersecurity Dive

From the cybersecurity policy front —

  • Ars Technica reports
    • The Advanced Research Projects Agency for Health (Arpa-H), a research support agency within the United States Department of Health and Human Services, said today that it is launching an initiative to find and help fund the development of cybersecurity technologies that can specifically improve defenses for digital infrastructure in US health care. Dubbed the Digital Health Security project, also known as Digiheals, the effort will allow researchers and technologists to submit proposals beginning today through September 7 for cybersecurity tools geared specifically to healthcare systems, hospitals and clinics, and health-related devices.
  • FedScoop tells us,
    • Federal agencies got a reminder from the White House yesterday [August 16] of the need to firm up their cybersecurity in compliance with a Biden executive order.
    • The National Security Advisor Jake Sullivan sent a memo to departments and agencies Wednesday morning “to ensure their cyber infrastructure is compliant with” a May 2021 cybersecurity executive order on improving U.S. agencies’ cyber defense, a National Security Council spokesperson said in an emailed statement. 
  • Per NextGov,
    • “The White House is working to develop a 10-year modernization plan for federal civilian agencies as part of a broader effort to transition away from outdated information technology systems while bolstering the nation’s cyber posture, a top official said Tuesday.
    • “Federal Chief Information Security Officer Chris DeRusha told Nextgov/FCW that replacing costly legacy IT systems with resilient and secure technologies has become a top priority for the administration following the release of the National Cybersecurity Strategy earlier this year. 
    • “We need a 10-year modernization plan for legacy IT,” DeRusha said at Nextgov/FCW’sIdentity Security Workshop. “Legacy IT modernization is the number one biggest rock that needs to get moved for us to be able to secure our systems.”
  • NIST released a summary of public comments received on draft Special Publication 800-171 Revision 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. FEHB claims data falls within the scope of this SP.
    • “NIST is adjudicating the comments and preparing the final public draft (fpd) of SP 800-171r3. Concurrently, the team is developing the initial public draft of SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, which will provide assessment procedures for the SP 800-171r3 security requirements. NIST anticipates releasing SP 800-171r3 fpd and SP 800-171A ipd for public comment in Q1 of FY 2024 (October – December 2023) and looks forward to ongoing engagement with users during the comment period.” 
  • Per Cybersecurity Dive,
    • Cyber authorities are working to mitigate threats to remote monitoring and management tools with assistance from the government and private sector.
    • The defense plan from the Joint Cyber Defense Collaborative “addresses issues facing top-down exploitation of RMM software,” which present a growing risk to small- and medium-sized businesses, the Cybersecurity and Infrastructure Security Agency [CISA] said.

From the cybersecurity vulnerabilities and breaches front,

  • The Health Sector Cybersecurity Coordination Center released a threat analysis of China-based threat actors.
    • “This white paper outlines Chinese cyber threat actors who are known to target the U.S. public health and private health sector entities in cyberspace. The groups outlined within this document represent some of the most capable and deliberate threats to the U.S. healthcare sector, and should be treated with priority when designing and maintaining an appropriate risk posture for a health sector entity.”
  • CISA added one more known exploited vulnerability to its catalog on August 16, 2023.
  • Dark Reading reports
    • “Hackers are on a spree of hijacking LinkedIn accounts, in some cases monetizing the attacks by demanding a small ransom from users to regain access and threatening permanent deletion.
    • “Though LinkedIn, a subsidiary of Microsoft, has not yet commented publicly about the campaign, it has affected people worldwide over the last few weeks. Conversations on social media and Google searches indicate a “significant surge in the past 90 days” of account hacks on the professional-oriented social media platform, according to a recent report published by Cyberint.”
  • Bloomberg Technology examines a larger email hack of Microsoft.
    • “No one likes losing their keys. But after a single Microsoft Corp. key fell into the hands of Chinese hackers, it’s going to take more than changing the locks to restore its reputation. 
    • “The consumer signing key was used to forge authentication tokens — which are meant to verify a user’s identity — and access emails, including the accounts of Commerce Secretary Gina Raimondo and State Department officials, shortly before Secretary of State Antony Blinken traveled to China to meet President Xi Jinping in June.
    • “The world’s largest software maker is now facing increasing criticism from computer security experts and government officials alike over the hack, among the more embarrassing breaches of US government networks since the so-called SolarWinds attack was disclosed in 2020. Russian state-sponsored hackers also abused Microsoft’s software as part of that attack.
    • “Senator Ron Wyden, in a blistering letter last month about the lapse, called for multiple investigations. Shortly after, a US cybersecurity advisory panel opened a probe into the risks of cloud computing, and it is also looking at Microsoft’s role in the email hack.”
  • Health IT Security brings us up to date on the hack that keeps on giving – the MoveIT transfer hack.
    • Entities across the country are still feeling the effects of the MOVEit Transfer hack as more organizations report breaches stemming from the vulnerability.
    • Earlier this week, the Colorado Department of Health Care Policy & Financing (HCPF), which operates Colorado’s Medicaid program, notified more than 4 million individuals of a breach that originated at IBM, which had used the MOVEit software on behalf of HCPF. IBM also notified the Missouri Department of Social Services of the same incident.
    • MOVEit disclosed the vulnerability on May 31 and issued a patch on the same day. 

From the cybersecurity defenses front,

  • Cybersecurity Dive explains why
    • “Security basics aren’t so basic — they’re hard; Lax security controls cause heavy damages, and security experts warn how unmet basics turn up, time and again, when things go wrong” and
  • identifies
    • AWS customers’ most common security mistake; All too often organizations are not doing least-privilege work with identity systems, AWS’ Mark Ryland told Cybersecurity Dive,” and
  • discusses how to take advantage of sometimes disjointed threat intelligence.
  • The Wall Street Journal reports
    • “Hackers exploit the trust relationships between organizations and their third-party suppliers and vendors, resulting in potentially damaging targeted and untargeted attacks.
    • “Understanding the organizations in a supply chain and critical dependencies is essential to reducing the risk, though some threats are nearly impossible to mitigate.
    • “Multiple internal stakeholders working together with technology solutions and consultancy expertise can significantly reduce the risk of, or impact from, supply chain attacks[, e.g., the MoveIT transfer hack].”

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cybersecurity Dive informs us,
    • “The National Institute of Standards and Technology released a long-anticipated draft version of the Cybersecurity Framework 2.0 Tuesday,  the first major update of the agency’s risk guidance since 2014. 
    • “After originally focusing risk guidance on critical infrastructure, the updated framework includes a wider array of organizations, including small- and medium-sized businesses, local schools and other entities. 
    • “The revised framework also addresses the role of corporate governance and the growing risks to digital networks via third-party relationships. * * *
    • “NIST will release a CSF 2.0 reference tool in a few weeks to help users browse, search and export data in a format that is machine-readable. It will also hold a workshop in the fall for additional public comments. 
    • “The deadline for public comments is Nov. 4, and NIST plans to publish a final version of CSF 2.0 in early 2024.”
  • Health IT Security adds,
    • As previously reported, the NIST CSF can be an asset to healthcare organizations looking to bolster their cybersecurity programs. Alongside other voluntary frameworks and HIPAA compliance actions, healthcare organizations can leverage the NIST framework to enhance privacy and security protections.
  • Politico updates us on the Federal Trade Commission’s proposed health data breach rule.
    •  In May, the Federal Trade Commission proposed a sweeping expansion of health data privacy rules, and now, the period for the public to weigh in has ended.
    • “While many comments were supportive, others were concerned that the FTC was overstepping its authority, opening itself up to litigation, and urged more clarity.” * * *
    • “The proposal would clarify that health app developers would be subject to regulations requiring them to notify customers if their identifiable data is accessed by hackers or business partners or shared for marketing without patient approval. The rule would include those offering health services and supplies — broadly defined to include fitness, sleep, diet and mental health products and services, among a laundry list of categories.”
  • The Wall Street Journal summarizes the Security and Exchange Commission’s final cyber rule:
    • The U.S. Securities and Exchange Commission has approved new regulations requiring public companies to disclose cybersecurity breaches within four business days of becoming aware of a material impact resulting from the incident.
    • The regulations dropped the requirement for companies to disclose the names of cybersecurity experts on company boards and the nature of their expertise..
    • Companies are now required to report information regarding their cybersecurity risk management, strategy and governance annually.
    • Despite the SEC not requiring cyber expertise, experts believe having cyber oversight on the board is still beneficial and a priority.

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive informs us,
    • “The mass exploit of a zero-day vulnerability in MOVEit has compromised more than 600 organizations and 40 million individuals to date, but the numbers mask a more disastrous outcome that’s still unfolding.
    • “The victim pool represents some of the most entrenched institutions in highly sensitive — and regulated — sectors, including healthcare, education, finance, insurance, government, pension funds and manufacturing.
    • “The subsequent reach and potential exposure caused by the Clop ransomware group’s spree of attacks against these organizations is vast, and the number of downstream victims is not yet fully realized. * * *
    • “The widespread attack against MOVEit and its customers was “highly creative, well-planned, organized by multiple groups and executed well since they were able to poach records at scale,” independent analyst Michael Diamond said via email.
    • “Without a doubt, they hit one of the juicy parts of the orchard from an information perspective that they’ll continue to monetize and use for attacks in the future,” Diamond said. “My impression is that this is only going to get worse over time.”
    • “Diamond isn’t alone in forecasting the worst is yet to come.”
  • The Cybersecurity and Infrastructure Security Agency added one known exploited vulnerability to its catalog on August 7 and another one on August 9.
  • The Wall Street Journal reports that “AI Is Generating Security Risks Faster Than Companies Can Keep Up: Rapid growth of generative AI-based software is challenging business technology leaders to keep potential cybersecurity issues in check.”
  • The Healthcare Sector Cybersecurity Coordination Center released a threat analysis on multifactor authentication (good) and smishing (bad).

From the ransomware front,

  • Cybersecurity Dive pointed out on August 7, 2023,
    • “A ransomware attack against Prospect Medical Holdings disrupted healthcare services across multiple states last week, prompting multiple hospital closures as response and recovery efforts are underway.
    • “Prospect Medical Holdings recently experienced a data security incident that has disrupted our operations,” the healthcare provider said Friday in a statement. The California-based company operates 16 hospitals and more than 165 clinics and outpatient facilities in California, Connecticut, Pennsylvania and Rhode Island.”

From the cybersecurity defenses front,

  • FedScoop reports
    • “The White House on Wednesday [August 9] announced a competition for cybersecurity researchers that is intended to spur the use of artificial intelligence to identify and fix software vulnerabilities.
    • “Teams that compete in the “AI Cyber Challenge,” which the Defense Advanced Research Projects Agency will lead, can win prizes worth up to $18.5 million. The agency has also allocated an additional $7 million in prize money for small businesses that participate.
    • “As part of the competition, researchers will use AI technology to fix software vulnerabilities, with a particular focus on open-source software. Leading AI companies Anthropic, Google, Microsoft and OpenAI will make their technology available for the challenge, according to the Biden administration.
    • “The White House’s announcement comes amid continued concern over rising cyber supply-chain risk across the federal government and the private sector. Last September, the Office of Management and Budget stipulated that all software providers would have to self-attest to the security of their products before deploying them on federal agency systems.”

Cybersecurity Saturday

From the cybersecurity policy front —

  • Cybersecurity Scoop reports,
    • “The Cybersecurity and Infrastructure Security Agency [CISA] released its strategic plan for fiscal year 2024 through 2026 on Friday, following a plethora of strategies and implementation plans released over the past several months by the White House aimed at improving the nation’s overall cybersecurity preparedness. 
    • “Within CISA, this Plan will serve as a keystone for implementation, resource, and operational planning, as further executed through our Annual Operating Plans. Externally, it will help stakeholders understand and participate in our long-term cybersecurity planning and prioritization,” the document reads.
    • CISA’s strategic plan will focus on three goals: address immediate threats, harden the terrain and drive security at scale. Additionally, the strategy has nine objectives, three for each goal, outlining the agency’s scope for the next three years.
    • “The release comes shortly after the Office of the National Cyber Director released a National Cyber Workforce and Education Strategy, as well as the National Cybersecurity Strategy in March and subsequent Implementation Plan in July.”
  • and
    • “The Biden administration’s strategy for building the U.S. cybersecurity workforce calls for government, industry and civil society groups to collaborate in increasing the number of cybersecurity workers and also urges an overhaul of the U.S. immigration system. 
    • “To address a dire shortage of cybersecurity workers, Monday’s strategy document takes a broad approach in overhauling the cybersecurity workforce. “The national cyber director’s office can only really task federal departments and agencies because, realistically, we need all of society. We need them to be feel supported and heard and seen as we approach these ecosystem models,” Acting National Cyber Director Kemba Walden told CyberScoop.”

From the cybersecurity breaches and vulnerabilities front —

  • Health IT Security brings us up to date on MOVEit breaches affecting healthcare organizations.
  • Health IT Security adds, “The healthcare sector continued to face a high volume of cyberattacks in the past few months as infostealing malware rose in popularity, BlackBerry stated in its latest Global Threat Intelligence Report.”
  • Cybersecurity Dive reports
    • “Half of the 12 most-commonly exploited vulnerabilities in 2022 were discovered the previous year, cyber authorities from the Five Eyes said in a joint advisory released Thursday. One of the top 12 vulnerabilities was discovered in 2018.
    • “Flaws in Microsoft products accounted for 1 in 3 of the most-routinely exploited vulnerabilities, including three Exchange Server CVEs from 2021. Two-thirds of the most-exploited vulnerabilities were found in products from three vendors: Atlassian, Microsoft and VMware.
    • “Other vendors that made the list include Apache’s Log4j, F5 Networks, Fortinet and Zoho.
    • * * * “Delayed or inconsistent vulnerability patching remains an underlying problem. This, combined with the unmet need for vendors, designers and developers to adhere to secure-by-design and secure-by-default principles, is aggravating the risk of compromise by malicious cyber actors.
    • “The Five Eyes intelligence alliance, which includes authorities from the U.S., Australia, Canada, New Zealand and the U.K., reiterated the need for vendors to follow secure design practices throughout the software development lifecycle.”
  • Security Week tells us
    • The US government’s cybersecurity agency CISA is calling attention to under-researched attack surfaces in UEFI [Unified Extensible Firmware Interface], warning that the dominant firmware standard presents a juicy target for malicious hackers.
    • “UEFI is a critical attack surface. Attackers have a clear value proposition for targeting UEFI software,” the agency said in a call-to-action penned by CISA technical advisor Jonathan Spring and vulnerability management director Sandra Radesky. 
  • CISA’s Director Jen Easterly blogs about the importance of securing the Border Gateway Protocol, which she describes as being the most important part of the internet you have never heard of.
  • On July 31, CISA added another known exploited vulnerability to its catalog.

From the ransomware front —

  • HHS’s Health Sector Cybersecurity Coordination Center released a sector alert on August 4, 2023.
    • “Rhysida is a new ransomware-as-a-service (RaaS) group that has emerged since May 2023. The group drops an eponymous ransomware via phishing attacks and Cobalt Strike to breach targets’ networks and deploy their payloads. The group threatens to publicly distribute the exfiltrated data if the ransom is not paid. Rhysida is still in early stages of development, as indicated by the lack of advanced features and the program name Rhysida-0.1. The ransomware also leaves PDF notes on the affected folders, instructing the victims to contact the group via their portal and pay in Bitcoin. Its victims are distributed throughout several countries across Western Europe, North and South America, and Australia. They primarily attack education, government, manufacturing, and technology and managed service provider sectors; however, there have been recent attacks against the Healthcare and Public Health (HPH) sector.”
  • Bleeping Computer informs us that “Clop ransomware now uses torrents to leak data and evade takedowns” and it offers its Week in Ransomware.
    • “Ransomware gangs continue to prioritize targeting VMware ESXi servers, with almost every active ransomware gang creating custom Linux encryptors for this purpose.
    • “This week, BleepingComputer analyzed the Linux encryptor for Abyss Locker and illustrated how it was specifically designed to encrypt ESXi virtual machines.”

From the cybersecurity defenses front —

  • Per Forbes
    • “Traditional passwords have proven to be an increasingly problematic authentication strategy in the evolving face of cybersecurity. Biometrics, such as fingerprints, facial recognition and iris scanning, are ushering in a new era of safe authentication.
    • “Biometrics provide distinct advantages over passwords in terms of security, convenience and user experience. But why exactly are biometrics more secure, and how can businesses successfully implement this technology into their existing strategies?
    • Forbes article explains how.
  • HelpNet offers advice on building cybersecurity defenses.
  • Security Intelligence explains how artificial intelligence can reduce data breach life cycles and costs.

Cybersecurity Saturday

From the cybersecurity policy front —

  • Cyberscoop reports
    • “President Biden on Wednesday nominated Harry Coker, a long-time CIA and National Security Agency official, to serve as the next national cyber director, a choice that elevates a relatively unknown official to take on a high-profile assignment as the president’s leading cybersecurity adviser. 
    • “Coker’s nomination ends a protracted search to replace Chris Inglis, who led the Office of the National Cyber Director until February after leading efforts to draft the administration’s cybersecurity strategy. 
    • “Leading voices in Capitol Hill have urged Biden in recent weeks to nominate Inglis’s deputy, Kemba Walden, who has been serving as the acting director. Despite the support of key lawmakers, the White House passed on elevating Walden to the permanent position — reportedly out of concern that her significant financial debts might hinder her confirmation before the Senate.”
  • The Cybersecurity and Infrastructure Security Agency tells us,
    • “Now that the cross-sector CPGs have been published, CISA is working with Sector Risk Management Agencies (SRMAs) to directly engage with each critical infrastructure sector to develop Sector-Specific Goals (SSGs).  In most instances, these goals will likely consist of either new, unique additional goals with direct applicability to a given sector or, materials to assist sector constituents with effective implementation of the existing cross-sector CPGs. Sector-specific goals will be developed by:
    • “Identifying any additional cybersecurity practices not already included in the Common Baseline, needed to ensure the safe and reliable operation of critical infrastructure in that sector.  
    • “Providing examples for recommended actions specific to the infrastructure and entities in that sector; and  
    • “Mapping any existing requirements (e.g., regulations or security directives) to the Common Baseline and sector-specific objectives and/or recommended actions so stakeholders can see how their existing compliance practices fulfill certain objectives.  
    • “As there are 16 Critical Infrastructure sectors with varying needs, CISA will be tackling this effort in several phases. The first four sectors CISA is working with include the Energy, Financial Services, IT, and Chemical Sectors. In addition, CISA will be working throughout the year with the Water/Wastewater Sector, Healthcare Sector, and K-12 Subsector on identifying approaches for how organizations in those sectors/subsectors can enhance their cybersecurity posture through the implementation of the existing body of cross-sector goals.”
  • Here is a link to the website for the healthcare sector coordinating council (HSCC), whose work the FEHBlog will begin to track. Surprisingly to the FEHBlog, OPM is not an HSCC member.

From the cybersecurity breaches and vulnerabilities front —

  • Cybersecurity Dive informs us,
    • “Healthcare continues to be the most expensive industry for data breaches, beating out other sectors for the 13th year in a row, according to research conducted by the Ponemon Institute and published by IBM Security
    • “The average cost of a healthcare data breach reached nearly $11 million in 2023, an increase of 8% from last year and a 53% jump since 2020, the report found. 
    • “Although the healthcare sector faces high levels of industry regulation, expenses accrued from data breaches in the sector were almost double compared to the financial industry, which saw the second-most expensive data breaches at $5.9 million.”
  • Cybersecurity Dive adds
    • “The investigation phase of data breaches is the fastest growing and costliest category of data breach expenses, contributing to the consistent year-over-year increase in costs. Detection and escalation costs jumped almost 10% to nearly $1.6 million per incident, IBM found.
    • “The breadth and depth of incident response investigations are scaling up directly with the overall costs, along with the off tempo of the criminal,” John Dwyer, head of research at IBM Security X-Force, told Cybersecurity Dive.”
  • On a related topic, Cybersecurity Dive lets us know,
    • “Valid account credentials are at the root of most successful threat actor intrusions of critical infrastructure networks and state and local agencies, according to the Cybersecurity and Infrastructure Security Agency.
    • “Valid credential compromise combined with spear-phishing attacks accounted for nearly 90% of infiltrations last year.
    • Valid accounts, including former employee accounts, not removed from the Active Directory and default administrator credentials, were responsible for 54% of all attacks studied in the agency’s annual risk and vulnerability assessment released Wednesday.
    • Spear-phishing links — malware-laced emails sent to targeted individuals — were responsible for 1 in 3 attacks, the report found.
    • The success rate of these techniques underscores the staying power of the most common methods threat actors use to gain initial access to targeted systems.
  • Cyberscoop relates
    • “Apple on Monday issued its third security update in roughly a month to remedy vulnerabilities exploited in Operation Triangulation, a spyware campaign that researchers say specifically targeted iMessage users in Russia. 
    • “The Russian arm of cybersecurity firm Kaspersky on June 1 revealed the details of a zero-click iOS exploit. The company’s researchers said they discovered it while monitoring the company’s own corporate Wi-Fi network dedicated to mobile devices. The findings were released the same day Russia’s Federal Security Service, or FSB, said it had uncovered an American espionage operation targeting Apple devices in Russia in cooperation with Apple. 
    • “Apple told CyberScoop at the time that it had “never worked with any government to insert a backdoor into any Apple product and never will.”
  • Per Cyberscoop,
    • “Executives, researchers and engineers at big tech companies and startups alike working on artificial intelligence face a growing threat from criminal and nation-state hackers looking to pilfer intellectual property or data that underlies powerful chatbots, the FBI warned on Friday.
    • “The growing risk coincides with the increasing availability of AI tools and services to the general public in the form of products such as OpenAI’s ChatGPT, or Google’s Bard, for instance, as well as the increasing ease and ability for many companies to develop AI language models.
    • “The warning comes two days after FBI Director Christopher Wray and Bryan Vorndran, the agency’s assistant director, cyber division, warned about the distinct AI-related threats from China, which political leaders in the U.S. and Europe have long warned wants to dominate all aspects of AI research and implementation.”
  • Per Security Week,
    • “New guidance from the Australian Cyber Security Centre (ACSC), the US Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) warns developers, vendors, and organizations of access control vulnerabilities in web applications.
    • “Described as insecure direct object reference (IDOR) issues, they allow threat actors to read or tamper with sensitive data via application programming interface (API) requests that include the identifier of a valid user.
    • “These requests are successful because the authentication or authorization of the user submitting the request is not properly validated, the three agencies explain.”
  • CISA added an additional known exploited vulnerability to its catalog on July 25, July 26, and July 27, 2023.
  • Yesterday CISA “published three malware analysis reports on malware variants associated with the exploitation of CVE-2023-2868. CVE-2023-2868 is a remote command injection vulnerability affecting Barracuda Email Security Gateway (ESG) Appliance, versions 5.1.3.001-9.2.0.006. It was exploited as a zero-day as early as October 2022 to gain access to ESG appliances. According to industry reporting, the actors exploited the vulnerability to gain initial access to victim systems and then implanted backdoors to establish and maintain persistence.”
  • Also, yesterday, CMS shared its MOVEIt breach notice to Medicare beneficiaries.

From the ransomware front —

  • HelpNet Security points out that “In the Q2 2023, GuidePoint Research and Intelligence Team (GRIT) tracked 1,177 total publicly posted ransomware victims claimed by 41 different threat groups.”
  • Here is a link to yesterday’s The Week in Ransomware from Bleeping Computer.
    • “With ransom payments declining, ransomware gangs are evolving their extortion tactics to utilize new methods to pressure victims.
    • “This was seen by both the Clop and BlackCat/ALPHV ransomware gangs, who began utilizing new tactics as part of their extortion schemes.
    • “Clop has begun to create clear websites to leak data stolen during the MOVEit Transfer attacks, similar to a tactic introduced by ALPHV in 2022.”

From the cybersecurity defenses front —

  • TechRepublic shares cybersecurity defense ideas included in the Ponemon/IBM report.
  • Forbes offers a cybersecurity expert’s view on adopting a new paradigm in cybersecurity stemming from this conundrum:
    • Today, companies that house secure data and information are encountering an accessibility dilemma: On the one hand, they face an increased need for security and privacy of data, particularly as cyber threats become self-generating and more sophisticated. On the other hand, the value in securing assets lies in being able to utilize them, share them, and transact them effectively and efficiently with intended stakeholders so as to improve customer service and attain competitive differentiators. Companies struggle to balance these needs with the imperative to secure these data, particularly in accordance with certain industry standards or digital privacy regulations

Cybersecurity Saturday

From the cybersecurity breaches and vulnerabilities front —

  • Cybersecurity Dive tells us,
    • “Distributed denial of service attacks surged during the second quarter as criminal and state-linked hacking organizations unleashed a number of sophisticated attacks against critical infrastructure providers and other organizations across the globe, Cloudflare said in a report released Tuesday.  
    • “Experts linked pro-Russia hacktivist groups, including Killnet and Anonymous Sudan, to recent major DDoS attacks against Microsoft and threats against financial centers in the U.S. and Europe. 
    • “Cloudflare research shows a sharp increase in deliberately engineered and targeted DNS attacks.”
  • Health IT Security adds,
    • “Healthcare organizations face an uptick in cyber threats as malicious actors turn to tools like ransomware, artificial intelligence (AI), and Internet of Things (IoT) attacks. These threats are becoming increasingly significant in the dynamic cyber threat landscape, a Trustwave SpiderLabs report revealed.
    • “The report “Cybersecurity in the Healthcare Industry: Actionable Intelligence for an Active Threat Landscape” provides insights and practical strategies to address the specific threats faced by healthcare organizations.”
  • Security Week informed us on July 21, 2023,
    • “Researchers at cloud security startup Wiz have an urgent warning for organizations running Microsoft’s M365 platform: That stolen Microsoft Azure AD enterprise signing key gave Chinese hackers access to data beyond Exchange Online and Outlook.com.
    • “Our researchers concluded that the compromised MSA key could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams, and OneDrive,” Wiz researcher Shir Tamari said in a document posted online.
    • “Tamari said the hackers may have also accessed Microsoft customer applications that support the “login with Microsoft” functionality and multi-tenant applications in certain conditions.”
  • Also per Security Week on July 18, 2023, “At least two new Adobe ColdFusion vulnerabilities have been exploited in the wild, including one that the software giant has not completely patched.”

From the ransomware front —

  • Cyberscoop interviews an FBI official about how the agency fights ransomware.
  • The FEHBlog welcomes back Bleeping Computer’s Week in Ransomware after two weeks away. This week’s article covers news from July 8 forward.

From the cybersecurity defenses front —

  • CISA explains how to take the first steps toward better cybersecurity.
  • What’s more, CISA “has developed and published a factsheet, Free Tools for Cloud Environments, to help businesses transition into a cloud environment and identify proper tools and techniques necessary for the protection of critical assets and data security. Free Tools for Cloud Environments provides network defenders and incident response/analysts open-source tools, methods, and guidance for identifying, mitigating, and detecting cyber threats, known vulnerabilities, and anomalies while operating a cloud or hybrid environment.” 
  • HHS’s Health Sector Cybersecurity Coordination Center (HC3) on July 18, 2023, informed us about patches available for Critical and High Netscaler ADC (Citrix ADC) and Netscaler Gateway (Citrix Gateway) vulnerabilities.
  • HC3 also issued an analyst note on July 21, 2023, about Remote Identity Management.
    • “Identity theft is not limited to stolen medical records, social security numbers, and financial data. Threat actors can also target institutions by capitalizing on gaps in user access protocols, hiring processes, and mitigation capabilities to conceal some aspect of their identity and attention. Identity verification, fraud detection and user authentication are imperative when implementing a robust Identity and Access Management (IAM) program.”
  • Security Week looks into improving security awareness training for employees.
  • ISACA explains how to build cybersecurity resilience throughout an organization.

Cybersecurity Saturday

From the cybersecurity policy front —

  • Homeland Security Today reports
    • “This week, U.S. Senators Gary Peters (D-MI), Chairman of the Homeland Security and Governmental Affairs Committee, and Josh Hawley (R-MO), along with U.S. Representatives James Comer (R-KY) and Jamie Raskin (D-MD), Chairman and Ranking Member of the Committee on Oversight and Accountability, and Nancy Mace (R-SC) and Gerald E. Connolly (D-VA), Chairwoman and Ranking Member of the Subcommittee on Cybersecurity, Information Technology, and Government Innovation, introduced bicameral, bipartisan legislation to protect federal information technology systems. 
    • “The Federal Information Security Modernization Act (FISMA) of 2023 would improve coordination across the federal government to help civilian federal agencies and contractors protect their networks against cybersecurity threats. It also clarifies roles and responsibilities for key agencies that lead federal information security policy and operations.”
  • Cybersecurity Dive tells us,
    • The Biden administration released its implementation plan for the national cybersecurity strategy Thursday, delegating cyber initiatives to a smattering of government agencies.
    • The plan, which is designed to guide the government’s completion of the national cybersecurity strategy, comes four months after the policy blueprint was unveiled.
    • “If the strategy represents the president’s vision for the future, then this implementation plan is the roadmap to get there,” Kemba Walden, acting national cyber director, said Wednesday during a press briefing.
    • “Fundamentally, we are publishing this plan because we will only achieve our goals with a whole-of-society approach,” Walden said. * * *
    • The 57-page document divides the five pillars and 27 objectives of the national cybersecurity plan into a broader series of initiatives.
    • While the implementation plan calls for the majority of initiatives to be completed before the end of fiscal year 2024, 11 are slated to be done in FY23, which closes at the end of September.
  • Cyberscoop adds
    • “As a concept, I generally like the idea of pushing to try and harmonize regulations. There are so many different regulations for different sectors out there that it can be a little bit confusing for owner-operators,” said Will Loomis, associate director of the Atlantic Council’s Cyber Statecraft Initiative.
    • “In pushing for one big set of regulation for all critical infrastructure, you kind of risk missing a lot of the nuance that exists in the differentiation and the realities of different critical infrastructure sectors,” Loomis said.
    • “And as the U.S. government works to assess the scope of the Chinese hacking campaign that utilized a flaw in Microsoft’s cloud computing systems, Loomis said he was disappointed that the implementation plan did not look more closely at cloud security.”
  • The Wall Street Journal points out,
    • “The hack of email accounts of senior U.S. officials including the commerce secretary is the latest feat from a network of Chinese state-backed hackers whose leap in sophistication has alarmed U.S. cybersecurity officials. 
    • “The espionage was aimed at a limited number of high-value U.S. government and corporate targets. Though the number of victims appeared to be small, the attack—and others unearthed in the past few months linked to China—demonstrated a new level of skill from Beijing’s large hacker army and prompted concerns that the extent of its infiltration into U.S. government and corporate networks is far greater than currently known.”
  • In sum, crafting an effective cybersecurity strategy is a tall order.

From the cybersecurity vulnerabilities and breaches front —

  • Bleeping Computer reported on July 11,
    • “HCA Healthcare disclosed a data breach impacting an estimated 11 million patients who received care at one of its hospitals and clinics after a threat actor leaked samples of the stolen data on a hacking forum.
    • “HCA Healthcare is one of America’s largest healthcare facility owners and operators, with 182 hospitals and 2,200 care centers across 21 U.S. states and the United Kingdom.
    • “As first reported by DataBreaches.net, on July 5th, 2023, a threat actor began selling data allegedly belonging to HCA Healthcare on a forum used to sell and leak stolen data. This forum post includes samples of the stolen database, which they claim consists of 17 files and 27.7 million database records.
    • “The threat actor claims that the stolen data consists of patient records created between 2021 and 2023.
    • “The threat actor initially did not offer the database for sale but instead used the post to blackmail HCA Healthcare, giving them until July 10th to” “meet the demands.” This is likely related to financial demands, although it wasn’t explicitly mentioned.
    • “However, after not receiving a response from HCA, the hacker began selling the full database, with other threat actors expressing interest in purchasing the data.”
  • Cybersecurity Dive offers an update on the slow-moving MOVEit file transfer disasters.
    • “More than 300 organizations have been impacted by Clop’s mass exploitation of a zero-day vulnerability that Progress Software first disclosed in late May, according to threat analysts and researchers. Five additional vulnerabilities in the file-transfer service have subsequently been discovered.”
  • Speaking of zero-day vulnerabilities, Security Week reported on July 11
    • “In an unusual move, Microsoft documented “a series of remote code execution vulnerabilities” impacting Windows and Office users and confirmed it was investigating multiple reports of targeted code execution attacks using Microsoft Office documents.
    • “Redmond’s security response pros tagged the unpatched Office flaws with the CVE-2023-36884 identifier and hinted that an out-of-band patch may be released before next month’s Patch Tuesday.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) added five known exploited vulnerabilities to its catalog on July 11 and two more on July 13.
  • HHS’s Health Sector Cybersecurity Coordination Center released its report on June Vulnerabilities of Interest to the Health Sector.
    • “In June 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for June are from Microsoft, Google/Android, Apple, Mozilla, SAP, Cisco, Fortinet, VMWare, and MOVEit. A vulnerability is given the classification as a zero-day if it is actively exploited with no fix available or is publicly disclosed. HC3 recommends patching all vulnerabilities with special consideration to the risk management posture of the organization.”
  • HC3 also posted a PowerPoint titled “Artificial Intelligence, Cybersecurity and the Health Sector.”
  • Health IT Security points out
    • The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) issued a new publication entitled “Health Industry Cybersecurity Coordinated Healthcare Incident Response (HIC-CHIRP).”
    • HIC-CHIRP provides healthcare organizations with a template for navigating a coordinated incident response when faced with disruptive cyber incidents. Specifically, the publication seeks to address healthcare-specific gaps in existing incident response resources.

In ransomware news,

  • Bleeping Computer lets us know,
    • “Data from the first half of the year indicates that ransomware activity is on track to break previous records, seeing a rise in the number of payments, both big and small.
    • “According to a report by blockchain analysis firm Chainalysis, ransomware is the only cryptocurrency crime category seeing a rise this year, with all others, including hacks, scams, malware, abuse material sales, fraud shops, and darknet market revenue, recording a steep decline.”

From the cybersecurity defenses front —

  • CSO Online shares best practices for an effective cybersecurity strategy.
  • Tech Republics discusses Gartner’s 2023-24 cybersecurity outlook.
  • Forbes offers twenty cybersecurity training tips designed to make the training “stick.”