Cybersecurity Saturday

From the CrowdStrike front,

  • The Wall Street Journal summarizes for us,
    • CrowdStrike said over 97% of Microsoft Windows sensors were back online as of Thursday, nearly a week after a global tech outage snarled businesses, government agencies and air travel worldwide.
    • “CrowdStrike Chief Executive George Kurtz said the company still has more work to do to address the fallout from last Friday’s disruption. 
    • “To our customers still affected, please know we will not rest until we achieve full recovery,” Kurtz said Thursday in a post on LinkedIn.
    • “Kurtz again apologized for the outage. “While I can’t promise perfection, I can promise a response that is focused, effective, and with a sense of urgency,” he said.
    • “CrowdStrike said in an incident report earlier this week that a bug in a quality-control tool it uses to check system updates for mistakes allowed a critical flaw to be pushed to millions of machines running Microsoft Windows.
    • “About 8.5 million devices were affected by the outage, CrowdStrike said Monday. Many of those machines were part of wider corporate IT systems, meaning the impact was felt more widely.” 
  • ABC News adds,
    • “An outage caused by a software update distributed by cybersecurity firm CrowdStrike triggered a wave of flight cancellations at several major U.S. airlines – but the disruption was most severe and prolonged at Delta Airlines.
    • “In all, the carrier canceled more than 2,500 flights over a period that stretched from last Friday, when the outage began, into the middle of this week.” * * *
    • “For a company such as Delta, they rely on countless partner services for everything from scheduling pilots and planes to providing meal service and snacks to allowing customers to select their seats,” David Bader, a professor of cybersecurity and the director of the Institute of Data Science at the New Jersey Institute of Technology, told ABC News.” * * *
    • “The reason for the prolonged recovery from the outage was because the CrowdStrike update disruption required a manual fix at each individual computer system, experts told ABC News. While each fix can be completed in no more than 10 minutes, the vast number of Delta’s digital terminals required significant manpower to address,” Mark Lanterman, the chief technology officer at the cybersecurity firm Computer Forensic Services, said.”
  • Per Cybersecurity Dive,
    • “Parametrix said the global IT outage linked to Crowdstrike will likely cost the Fortune 500, excluding Microsoft, at least $5.4 billion in direct financial losses, in a report released Wednesday [July 24]. 
    • “Cyber insurance will only cover 10% to 20% of the losses, based on large risk retentions and policy limits at many companies, according to Parametrix. CyberCube estimates the cyber insurance market will face preliminary insured losses of between $400 million and $1.5 billion, potentially the single worst loss in the cyber insurance sector over 20 years. 
    • “Parametrix expects the healthcare sector to see the biggest impact among industries with $1.94 billion in losses after three-quarters of Fortune 500 healthcare companies were impacted. Though banking was also hard-hit, with an estimated $1.15 billion in direct losses, airlines are expected to have the highest per company costs.”
  • Dark Reading points out unexpected lessons to be gained from the CrowdStrike outage.
    • “In the wake of global IT issues caused by a defect in a content update for CrowdStrike’s Falcon sensor, many organizations engaged in executing business continuity plans (BCPs), recovering systems, and restoring from backups. In the throes of these activities, it’s easy to overlook the similarity with the playbook for ransomware recovery and miss how organizations of all sizes can leverage this event to identify gaps in their capabilities to respond to and recover from ransomware or other disruptive cyberattacks.”
  • Here is a link to CISA’s regularly updated website about the outage.

From the cybersecurity policy front,

  • Per an HHS press release on Thursday July 25,
    • “The U.S. Department of Health and Human Services (HHS) today announced a reorganization that will streamline and bolster technology, cybersecurity, data, and artificial intelligence (AI) strategy and policy functions.
    • “Opportunities in data and technology in healthcare and human services have grown significantly in recent years. Historically, responsibility for policy and operations has been distributed across the Office of the National Coordinator for Health Information Technology (ONC), the Assistant Secretary for Administration (ASA), and the Administration for Strategic Preparedness and Response (ASPR). This reorganization will clarify and consolidate these critical functions, as follows:
      • “ONC will be renamed the Assistant Secretary for Technology Policy and Office of the National Coordinator for Health Information Technology (ASTP/ONC);
      • “Oversight over technology, data, and AI policy and strategy will move from ASA to ASTP/ONC, including the HHS-wide roles of Chief Technology Officer, Chief Data Officer, and Chief AI Officer; and
      • “The public-private effort between the health sector and the federal government on cybersecurity (“405(d) Program”) will move from ASA to ASPR, joining the other health sector cybersecurity activities already located in ASPR’s Office of Critical Infrastructure Protection, and advancing the Department’s one-stop-shop approach to healthcare cybersecurity.” * * *
    • “National Coordinator Micky Tripathi will be named Assistant Secretary for Technology Policy/National Coordinator for Health Information Technology.”
  • Cybersecurity Dive reported yesterday,
    • “The White House and the Cybersecurity and Infrastructure Security Agency disclosed key personnel decisions this week as the administration continues efforts to improve the nation’s resilience and cybersecurity posture. 
    • “The White House Office of the National Cyber Director named Harry Wingo the new deputy national cyber director. 
    • “Wingo, an assistant professor at the National Defense University College of Information and Cyberspace and former U.S. Navy Seal officer, will begin his new role next week, according to the White House.” * * * 
    • “The appointment comes as CISA named Bridget Bean, assistant director of integrated operations, the new executive director of the agency. Bean will succeed Brandon Wales, who is stepping down as the agency’s first executive director next month.” 
  • Here is a link to CISA Director Jen Easterly’s comments on these personnel changes.
  • On Monday July 22, the HHS Inspector General posted a report titled “HHS Office of the Secretary Needs to Improve Key Security Controls to Better Protect Certain Cloud Information Systems.” TechTarget discusses the report here.
  • Per Help Net Security, here is a link to
    • “[A] Help Net Security interview [in which] Ava Chawla, Head of Cloud Security at AlgoSec, discusses the most significant cloud security threats CISOs must be aware of in 2024. These threats include data breaches, misconfiguration, insider threats, advanced persistent threats, ransomware, API vulnerabilities, and supply chain vulnerabilities.”

From the cybersecurity vulnerabilities and breaches front,

  • Cyberscoop reports,
    • “Stepped-up activity from a North Korean hacking group is prompting Mandiant to upgrade it to a top-tier hacking threat and the FBI to issue an alert about the outfit, which the company and agency say has long sought to obtain intelligence about defense and research and development but has since expanded to other targets.
    • “Mandiant, a cybersecurity arm of Google Cloud, said in a report it released Thursday [July 25] that the newly labeled APT45 has broadened its ransomware operations — rare for North Korean groups — to target health care providers, financial institutions and energy companies.
    • “The FBI is set to follow with an advisory and news conference Thursday about the hackers.”
  • Here is a link to a CISA press release about Thursday’s advisory and a link to a Dark Reading article on the press conference.
  • Dark Reading adds,
    • “The US Department of Justice has unsealed an indictment of a North Korean military intelligence operative targeting US critical infrastructure.
    • “The individual, Rim Jong Hyok, allegedly carried out ransomware attacks against healthcare facilities and funneled the ransom payments to arrange other breaches into defense, technology, and government organizations globally, in violation of the Computer Fraud and Abuse Act, according to the indictment.
    • “The ransom payments were laundered through Hong Kong, where they were converted into Chinese yuan, withdrawn from an ATM, and then used to purchase virtual private servers in order to exfiltrate sensitive defense and technology information.” 
  • Here is a link to the Justice Department’s press release on this action.
  • Bleeping Computer warns,
    • “American cybersecurity company KnowBe4 says a person it recently hired as a Principal Software Engineer turned out to be a North Korean state actor who attempted to install information-stealing [malware] on its devices.
    • “The firm detected and stopped the malicious actions in time, so no data breach occurred. However, the case highlights the continued threat posed by North Korean threat actors posing as IT staff, something that the FBI has warned about repeatedly since 2023.
    • “The DPRK maintains a highly organized army of IT workers who obscure their true identities to get hired by hundreds of American firms.”
  • CISA added two known exploited vulnerabilities to its catalog this week.

In other ransomware news,

  • Cybersecurity Dive reports why healthcare entities can be an easy mark for ransomware gangs.
  • Bleeping Computer tells us,
    • “Russian-speaking threat actors accounted for at least 69% of all crypto proceeds linked to ransomware throughout the previous year, exceeding $500,000,000.
    • “This number is from TRM Labs, a blockchain intelligence and analytics firm specializing in crypto-assisted money laundering and financial crime.
    • “North Korea is the leader in stealing cryptocurrency through exploits and breaches, having stolen over a billion dollars in 2023. Asia also remains the leader in scams and investment fraud.
    • “However, Russians reportedly dominate all other malicious activity involving crypto.”
  • Silicon Angle offers a 20-minute-long interview with folks from Veeam, which recently issued its “third Ransomware Trends Report, not of Veeam customers, but of the whole industry. There were 1,200 organizations that were hit with ransomware.”

From the cybersecurity defenses front,

  • The Wall Street Journal reports on July 23,
    • Alphabet unit Google’s talks to acquire the cybersecurity startup Wiz for a planned $23 billion have fallen apart, according to a person with knowledge of the discussions.
    • “In an email to employees sent Monday and viewed by The Wall Street Journal, Wiz Chief Executive Assaf Rappaport said the company is now aiming for an initial public offering.”
  • Forbes offers “A CISO’s Guide to Fortifying Your Cybersecurity Posture.”
  • Tech Target shares a guide to cybersecurity planning for businesses and identifies “16 common types of cyberattacks and how to prevent them.”

Cybersecurity Saturday

  • The Wall Street Journal reports,
    • “Hemant Rathod, an Indian executive, was sipping tea in a conference room Friday morning in Delhi, about to send a long email to his team, when his computer went haywire.
    • “The HP laptop suddenly said it needed to restart. Then the screen turned blue. He tried in vain to reboot. Within 10 minutes, the screens of three other colleagues in the room turned blue too.
    • “I had taken so much time to draft that email,” Rathod, a senior vice president at Pidilite Industries, a construction-materials company, said by phone half a day later, still carrying his dead laptop with him. “I really hope it’s still there so I don’t have to write it again.”
    • “The outage, one of the most momentous in recent memory, crippled computers worldwide and drove home the brittleness of the interlaced global software systems that we rely on.  * * *
    • “Adding to the chaos—and further underlining the vulnerability of the global IT system—a separate problem hit Microsoft’s Azure cloud computing system on Thursday shortly before the CrowdStrike glitch, causing an outage for customers including some U.S. airlines and users of Xbox and Microsoft 365.
    • The CrowdStrike problem laid bare the risks of a world in which IT systems are increasingly intertwined and dependent on myriad software companies—many not household names. That can cause huge problems when their technology malfunctions or is compromised. The software operates on our laptops and within corporate IT setups, where, unknown to most users, they are automatically updated for enhancements or new security protections.
  • The irony lies in the fact that
    • The global outage began with an update of a so-called “channel file,” a file containing data that helps CrowdStrike’s software neutralize cyber threats, CrowdStrike said. The update was timestamped 4:09 a.m. UTC—just after midnight in New York and around 9:30 a.m. in India.
    • “That update caused CrowdStrike’s software to crash the brains of the Windows operating system, known as the kernel. Restarting the computer simply caused it to crash again, meaning that many users had to surgically remove the offending file from each affected computer.”
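The manual fix described in both posts (ABC News above on Delta’s terminals needing a hands-on fix at each machine, and the WSJ’s “surgically remove the offending file”) is easier to scope if you first inventory which hosts still carry the faulty channel file. The following is an added example, not code from the FEHBlog, from CrowdStrike or from any of the outlets quoted: it assumes CrowdStrike’s published remediation guidance for the incident (channel files under %WINDIR%\System32\drivers\CrowdStrike, the faulty file matching C-00000291*.sys with a timestamp of 2024-07-19 04:09 UTC, and the reverted file with the same name pattern and a timestamp of 05:27 UTC or later). The hostnames and file-name suffixes in the sample inventory are constructed.

```python
import fnmatch
from datetime import datetime, timedelta, timezone

# Assumptions taken from CrowdStrike's published remediation guidance for the
# 19 July 2024 incident (not from the blog posts above):
#   - channel files live in %WINDIR%\System32\drivers\CrowdStrike on each host
#   - the faulty update is the file matching C-00000291*.sys stamped
#     2024-07-19 04:09 UTC
#   - the reverted (good) file has the same name pattern and a timestamp of
#     2024-07-19 05:27 UTC or later
CHANNEL_DIR = r"C:\Windows\System32\drivers\CrowdStrike"
CHANNEL_PATTERN = "C-00000291*.sys"
FAULTY_TS = datetime(2024, 7, 19, 4, 9, tzinfo=timezone.utc)
REVERTED_TS = datetime(2024, 7, 19, 5, 27, tzinfo=timezone.utc)


def classify_channel_file(name: str, mtime_utc: datetime) -> str:
    """Label one directory entry: 'faulty', 'reverted', 'review' or 'other'."""
    if not fnmatch.fnmatch(name, CHANNEL_PATTERN):
        return "other"                      # not a 291 channel file at all
    if mtime_utc.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware; compare in UTC")
    if mtime_utc >= REVERTED_TS:
        return "reverted"                   # good version already in place
    if FAULTY_TS <= mtime_utc < FAULTY_TS + timedelta(minutes=1):
        return "faulty"                     # the 04:09 UTC file that crashes the kernel driver
    # A 291 file with neither known timestamp: do not guess, hand it to a human.
    return "review"


def hosts_needing_manual_fix(inventory: dict) -> dict:
    """inventory maps hostname -> [(filename, mtime_utc), ...] as collected from
    each host's channel-file directory. Returns hostname -> [faulty filenames]."""
    affected = {}
    for host, entries in inventory.items():
        faulty = [n for n, ts in entries if classify_channel_file(n, ts) == "faulty"]
        if faulty:
            affected[host] = faulty
    return affected


def remediation_paths(affected: dict) -> dict:
    """Full paths of the files to delete from Safe Mode / WinRE on each host."""
    return {host: [f"{CHANNEL_DIR}\\{n}" for n in names]
            for host, names in affected.items()}


# Constructed sample inventory (hostnames and file-name suffixes are made up).
SAMPLE_INVENTORY = {
    "ws-001": [("C-00000291-00000000-00000032.sys", FAULTY_TS)],            # needs the fix
    "ws-002": [("C-00000291-00000000-00000033.sys", REVERTED_TS)],          # already reverted
    "ws-003": [("C-00000290-00000000-00000001.sys", FAULTY_TS)],            # different channel
    "ws-004": [("C-00000291-00000000-00000034.sys",
                datetime(2024, 7, 19, 4, 45, tzinfo=timezone.utc))],        # unknown version
}

if __name__ == "__main__":
    affected = hosts_needing_manual_fix(SAMPLE_INVENTORY)
    for host, paths in remediation_paths(affected).items():
        print(host, "->", paths)
```

Collecting the (filename, mtime) pairs per host is the part that needs your own tooling, since an affected host is boot-looping and the directory has to be read from Safe Mode or WinRE; the script only decides which entries need the hands-on deletion and flags anything it cannot classify rather than guessing.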

From the cybersecurity policy front,

  • Cybersecurity Dive informs us,
    • “A U.S. District Court judge dismissed most of the charges in a civil fraud case filed against SolarWinds by the Securities and Exchange Commission Thursday.
    • “The SEC filed suit in October alleging SolarWinds misled investors about the company’s cybersecurity practices leading up to the Sunburst supply chain hack, which was disclosed in December 2020. The attack that targeted SolarWinds Orion platform impacted thousands of customers, including major U.S. companies and government agencies that used the platform. 
    • “Judge Paul Engelmayer of the U.S. District Court Southern District of New York sustained the SEC’s claims of securities fraud based on SolarWinds’ security statement. However, the court dismissed other claims, including all claims involving post-Sunburst disclosures. * * *
    • “Allegations related to a 2017 statement made about the company’s security capabilities on the “trust center” page of its website will continue to be litigated.” 
  • The Wall Street Journal points out,
    • “A spokesman said SolarWinds is pleased with the judge’s ruling. “We look forward to the next stage, where we will have the opportunity for the first time to present our own evidence and to demonstrate why the remaining claim is factually inaccurate,” he said. * * *
    • “David Shargel, a partner at law firm Bracewell, said the dismissal of part of the SEC’s claims was a victory for SolarWinds “by any measure.” Companies rarely defeat the SEC’s lawsuits so early in the litigation process.”
    • “It’s definitely a serious charge that remains, and it serves as a reminder that, as with any public-facing statement, companies need to ensure that their disclosures are accurate and not misleading,” he said.” * * *
    • Notably, Engelmayer also dismissed the SEC’s claim that SolarWinds violated rules that govern how companies guard against accounting errors. The judge said cybersecurity controls aren’t part of that process. “That reading is not tenable,” the judge wrote, saying the controls clearly apply only to financial accounting. 
    • “I think that might give some compliance departments some comfort going forward in terms of the parameters of the disclosure requirements,” Shargel said.
  • The National Institute of Standards and Technology issued a special publication concerning Personal Identity Verification (PIV). Experience-rated FEHB carriers must employ PIV for their employees who access OPM’s letter of credit system.

From the cybersecurity vulnerabilities and breaches front,

  • Security Week informs us that “The massive AT&T breach has been linked to an American hacker living in Turkey and reports say the telecom giant paid a $370,000 ransom.”
  • Cybersecurity Dive lets us know,
    • “Weak credentials and misconfigurations across cloud systems were at the root of 3 in 4 network intrusions during the first half of 2024, Google Cloud said Wednesday in its latest Threat Horizons Report.
    • “Google Cloud said systems with weak or no credentials were the top initial access vector, accounting for 47% of cloud environment attacks during the first six months of the year. That’s a slight decrease from the second half of 2023 when weak or no credentials were at the root of 51% of attacks, according to Google Cloud.
    • “Misconfigurations were the initial access vector for 30% of all cloud environment attacks during the first half of 2024, marking a significant jump from 17% in the second half of 2023.”
  • The Cybersecurity and Infrastructure Security Agency added four known exploited vulnerabilities to its catalog this week:

From the ransomware front,

  • Per Cybersecurity Dive,
    • “Ransomware activity jumped in the second quarter as threat groups listed 1,237 organizations on data leak sites during the period, marking a 20% increase from Q1, Reliaquest said in a Tuesday report.
    • “May was an especially active month due to a spike in posts from the ransomware group LockBit, which accounted for 36% of the month’s alleged victims, the report found. Yet, an abnormally slow June dragged the total count of alleged ransomware victims down 13% year over year, according to Reliaquest.
    • “U.S.-based businesses bore the brunt of ransomware attacks during Q2, composing more than half of all claimed ransomware victims listed on data leak sites during the period. Sectors targeted most heavily by cybercriminals during the quarter included manufacturing and professional, scientific and technical services, the report found.”
  • The Wall Street Journal notes,
    • Rite Aid disclosed customer data was accessed in a June cybersecurity breach.
    • “The drugstore operator said an unknown third-party impersonated a company employee on June 6. It detected the incident within 12 hours and launched an investigation and reported it to law enforcement.
    • “Rite Aid said by June 17 it determined the party acquired certain data associated with the purchase or attempted purchase of specific retail products, including purchaser name, address, date of birth and driver’s license number or other form of government-issued ID presented at purchase between June 6, 2017, and July 30, 2018.”
  • Dark Reading adds on July 15,
    • “[Rite Aid] has not released an official statement revealing who the threat actors are, but the RansomHub gang has claimed that it breached the company’s systems.
    • “While having access to the Rite-Aid network, we obtained over 10GB of customer information equating to around 45 million lines of people’s personal information,” the ransomware group said on its Dark Web leak site. “This information includes name, address, dl_id number, DoB, Rite Aid rewards number.”
    • “Rite Aid reportedly stopped negotiating a ransom, prompting the ransomware group to share snippets of what it claims is stolen data as proof and add a two-week deadline before more information will be leaked.”

From the cybersecurity defenses front,

  • The Wall Street Journal reports,
    • “Google parent Alphabet is in advanced talks to acquire cybersecurity startup Wiz for roughly $23 billion, according to people familiar with the matter, in what would be its largest acquisition ever. 
    • “A deal could come together soon, assuming the talks don’t fall apart, the people said. 
    • “Alphabet is eyeing the deal at a time of intense antitrust scrutiny of the search company and other tech giants. The acquisition could also help boost Alphabet’s efforts in cloud computing, an important and growing business but one where it has lagged behind peers. * * *
    • “Google has been working to bulk up its cybersecurity business, focused on the cloud. Its biggest recent acquisition—and second largest ever—is the nearly $5.4 billion purchase two years ago of another security company, Mandiant.” 
  • TechTarget shares “best practices for protection from ransomware in cloud storage” and advises “CISOs on how to improve cyberthreat intelligence programs.”
  • Dark Reading explains why “In Cybersecurity, Mitigating Human Risk Goes Far Beyond Training.”

Friday Factoids

From Washington, DC,

  • Govexec reports,
    • “The Office of Personnel Management on Thursday encouraged federal agencies to conduct their own analyses to correct potential pay disparities within their workforces.
    • “In 2021, President Biden signed a sweeping executive order aimed at improving diversity, equity, inclusion and accessibility at federal agencies, including provisions requiring the creation of a governmentwide strategic plan on the issue and that the OPM director consider banning the use of past salary history to set pay during the hiring process. OPM followed through on that edict earlier this year.
    • “In a memo to agency heads Tuesday, acting OPM Director Ron Shriver highlighted OPM’s governmentwide study of pay gaps in the federal workforce, which found that in 2022, the gender pay gap was 5.6%, meaning women on average earned about 94 cents for every dollar male federal workers earned. The figure marks a slight improvement over the 2021 gender pay gap of 5.9% and is significantly better than the nationwide gender pay disparity of 16%.
    • “Shriver directed that federal agencies that operate their own pay systems governing at least 100 employees must now conduct the same review of pay policies that OPM did for the General Schedule, Federal Wage System and Senior Executive Service workforces. And he encouraged all agencies to conduct their own gap analyses to search for pay disparities along gender or racial and ethnic lines affecting their own workforces, regardless of pay system.”
  • HHS’s Administration for Strategic Preparedness and Response announced,
    • “awards totaling $18.5 million to two U.S. companies to expand the nation’s manufacturing of key starting materials and active pharmaceutical ingredients needed to make essential medicines. The awards are the first through ASPR’s BioMaP-Consortium, a public-private partnership established in January 2024.
    • “ASPR is committed to expanding our nation’s domestic manufacturing infrastructure,” said Assistant Secretary for Preparedness and Response Dawn O’Connell. “Today’s announcement advances our efforts to build resilient U.S.-based supply chains for pharmaceutical ingredients and mitigate risk and reliance on foreign supplies. Having this capability in the U.S. is critical for our emergency preparedness.”
    • “California-based Antheia will receive approximately $11 million to support U.S.-based production of pharmaceutical ingredients, and Virginia-based Capra Biosciences will receive approximately $7.5 million to leverage its bioreactor platform to manufacture three active pharmaceutical ingredients.” 
  • Mercer Consulting projects that for 2025 the health flexible spending account contribution limit will increase by $100 from $3200 to $3300 and the carryover limit will increase from $640 to $660.

From the public health and medical research front,

  • The CDC tells us today
    • Seasonal influenza and RSV activity are low nationally, but COVID-19 activity is increasing in many areas.
    • COVID-19
      • Many areas of the country are experiencing consistent increases in COVID-19 activity. COVID-19 test positivity, emergency department visits, and rates of COVID-19–associated hospitalizations are increasing, particularly among adults 65+. CDC will continue to closely monitor trends in COVID-19 activity.
    • Influenza
    • RSV
      • Nationally, RSV activity remains low.
    • Vaccination
  • The University of Minnesota’s CIDRAP notes,
    • Along with the CDC’s report of high wastewater levels of SARS-CoV-2, WastewaterSCAN, a national wastewater monitoring system based at Stanford University in partnership with Emory University, notes that detections are in the high category, with no significant trend up or downward over the past 3 weeks. It said all regions of the country are in the high category, except for the Midwest, which is at the medium level.
  • STAT News adds,
    • “STAT spoke with experts in infectious disease, virology, and public health to find out what people need to know about this summer’s Covid surge.
    • “One key message: Despite the increase in cases, the protection people have built up thanks to rounds of vaccination and prior infections is still sparing the vast majority of people from severe illness.”
    • “Once you really get a decent immunity, you may get the virus again, but you’re probably not going to get very sick from it,” said Aaron Glatt, chair and professor of medicine at Mount Sinai South Nassau.”

From the U.S. healthcare business front,

  • The American Hospital Association News lets us know,
    • “A non-malicious global technology outage that began in the early morning of July 19 is continuing to affect many industries and is having varying effects on hospitals and health systems across the country. The outage was caused by a faulty software update issued by the cybersecurity firm CrowdStrike, which is widely used by businesses and government agencies that run on Microsoft computers. 
    • “CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts,” the organization posted on its website early today. “Mac and Linux hosts are not impacted. This is not a security incident or cyberattack. The issue has been identified, isolated and a fix has been deployed. We refer customers to the support portal for the latest updates and will continue to provide complete and continuous updates on our website. We further recommend organizations ensure they’re communicating with CrowdStrike representatives through official channels.
    • “CrowdStrike’s webpage includes more information about the issue and workaround steps organizations can take. The Cybersecurity and Infrastructure Security Agency also posted an alert on the incident.” 
  • The Hill reports,
    • “After peaking during the COVID-19 pandemic, physician burnout has dipped under 50 percent for the first time in four years, but doctors say working conditions in the medical field remain far from ideal. 
    • “A survey published by the American Medical Association (AMA) this month found that 48.2 percent of physicians in 2023 experienced at least one symptom of burnout, down nearly 15 percent from when this metric peaked in 2021. 
    • “Reported job satisfaction rose from 68 percent to 72.1 percent between 2022 and 2023, while job stress dropped in the same time frame, going from 55.6 percent to 50.7 percent. 
    • “It’s good news and it’s bad news,” Steven Furr, president of the American Academy of Family Physicians, told The Hill. “It’s good news that the numbers have gone down but still they’re higher than what we’d like them to be.” 
    • “The AMA has tracked physician burnout rates since 2011 along with the Mayo Clinic and Stanford Medicine. Prior to the pandemic, burnout rates ranged from 43.9 percent in 2017 to 54.4 percent in 2014.” 
  • mHealth Intelligence points out,
    • “Telehealth visits at United States hospitals skyrocketed during the COVID-19 pandemic, rising 75 percent between 2017 and 2021; however, adoption was uneven, with hospitals citing challenges to electronic health information exchange, according to a new study.
    • “Published in the Journal of General Internal Medicine, the study examined US hospitals’ adoption of telehealth before and during the pandemic, aiming to provide targeted policy implications.” * * *
    • “The researchers found that telehealth encounters increased from 111.4 million in 2020 to 194.4 million in 2021, a 75 percent jump. Additionally, hospitals offering at least one form of telehealth increased from 46 percent in 2017 to 72 percent in 2021.
    • “However, the adoption was not uniform across hospitals. Larger, nonprofit, and teaching hospitals were more likely to adopt telehealth than their counterparts. Notably, the study found no significant telehealth adoption disparities between hospitals in urban and rural areas.
    • “Further, more than 90 percent of hospitals allowed patients to view and download medical records, but only 41 percent permitted online data submission. One-quarter (25 percent) of hospitals identified certified health IT developers, such as EHR vendors, as frequent culprits in information blocking.
    • “Most US hospitals also reported challenges in exchanging health information electronically, with 85 percent citing barriers related to vendor interoperability.
    • “The researchers concluded that comprehensive policy interventions are necessary to address telehealth adoption and other IT-related disparities across the US healthcare system.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • The Wall Street Journal reports,
    • “[On July 9, 2024,] Australia, the U.S. and six other allies warned that a Chinese state-sponsored hacking group poses a threat to their networks, in an unusual, coordinated move by Western governments to call out a global hacking operation they say is directed by Beijing’s intelligence services.
    • “Tuesday’s advisory was a rare instance of Washington’s major allies in the Pacific and elsewhere joining to sound the alarm on China’s cyber activity. Australia led and published the advisory. It was joined by the U.S., U.K., Canada and New Zealand, which along with Australia are part of an intelligence-sharing group of countries known as the Five Eyes. Germany, Japan and South Korea also signed on.” * * *
    • “The technical advisory detailed a group known in cybersecurity circles as Advanced Persistent Threat 40, or APT40, which conducts cybersecurity operations for China’s Ministry of State Security and has been based in the southern island province of Hainan. The advisory detailed how the group targeted two networks in 2022—though it didn’t identify the organizations—and said the threat is continuing.”
  • Federal News Network informs us,
    • “A top Department of Homeland Security official says DHS is working to harmonize new cyber incident reporting rules, as industry and even some lawmakers criticize the draft rule’s scope and potential duplicative requirements.
    • “The comment period for the Cybersecurity and Infrastructure Security Agency’s draft rule closed July 3. The proposal would implement the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022. CISA expects to finalize the rule next spring. The rules will require organizations across the 16 critical infrastructure sectors to report cyber incidents to CISA within 72 hours.
    • “Iranga Kahangama, DHS assistant secretary for cyber, infrastructure, risk, and resilience, said officials are just starting to adjudicate all the feedback it received. But Kahangama acknowledged widespread comments from industry about the “burden” of duplicative cyber incident rules.
    • “We are going to be viewing and administering CIRCIA with an eye towards harmonization,” Kahangama said during a July 10 event in Washington hosted by the Homeland Security Defense Forum. “We’re also establishing conversations between the department and all the other agencies that have cyber reporting requirements to identify ways that we can harmonize reporting.”
    • “He pointed to interagency agreements that “allow for reciprocal sharing of information such that … a report to one will count as a report to another and vice versa through CISA.”
    • “We want to make sure we’re maximizing the ability to do that,” Kahangama said. “That’s quite complicated, because each agency has different requirements. And so, you need to make sure that they’re substantially similar enough and that those are fleshed out. But those are really wonky but interesting conversations that my office is actively having right now as we develop CIRCIA.”
  • The FEHBlog finds it interesting that recent cyberbreach news articles rely on Securities and Exchange Commission 8-K reports from public companies.
  • Cyberscoop summarizes a variety of criticisms levelled against the CIRCIA proposed rule in the public comments.
  • Cyberscoop adds,
    • “New legislation from a bipartisan pair of senators would create an interagency committee tasked with streamlining the country’s patchwork system of cybersecurity regulations if signed into law.
    • “The Streamlining Federal Cybersecurity Regulations Act [S. 4630] from Sens. Gary Peters, D-Mich., and James Lankford, R-Okla., calls on the White House’s national cyber director to create a committee that would harmonize the myriad cyber requirements imposed on companies by federal regulatory agencies, according to bill text shared with CyberScoop.
    • “The introduction of the bill comes a month after a Senate hearing in which Nicholas Leiserson, the assistant national cyber director for cyber policy and programs, warned lawmakers of increasing “fragmentation” of cybersecurity regulations. “It is a problem that requires leadership from ONCD and Congress informed by the private sector,” he said.”
  • Cybersecurity Dive tells us,
    • “The Cybersecurity and Infrastructure Security Agency and FBI advised software vendors to eliminate operating system command injection vulnerabilities from products before they ship. The agencies issued the advisory Wednesday [July 10, 2024] as part of their secure-by-design alert series.
    • “Threat groups have exploited several OS command injection vulnerabilities in widely used network devices this year, including CVE-2024-20399 in Cisco products, CVE-2024-21887 in Ivanti remote access VPNs and CVE-2024-3400 in Palo Alto Networks firewalls. 
    • “OS command injection vulnerabilities arise when manufacturers fail to properly validate and sanitize user input when constructing commands to execute on the underlying OS,” CISA and the FBI said in the advisory.” 
  • Per the HealthIT.gov website,
    • “ONC’s HTI-2 proposed rule [released July 10] implements provisions of the 21st Century Cures Act and reflects ONC’s focused efforts to advance interoperability and improve information sharing among patients, providers, payers, and public health authorities.
    • “Key proposals include:
      • “Two sets of new certification criteria, designed to enable health IT for public health as well as health IT for payers to be certified under the ONC Health IT Certification Program. Both sets of certification criteria focus heavily on standards-based application programming interfaces to improve end-to-end interoperability between data exchange partners (health care providers to public health and to payers, respectively).
      • “Technology and standards updates that build on the HTI-1 final rule, ranging from the capability to exchange clinical images (e.g., X-rays) to the addition of multi-factor authentication support.
      • “Requiring the adoption of United States Core Data for Interoperability (USCDI) version 4 by January 1, 2028.
      • “Adjustments to certain “exceptions” to the information blocking regulations to cover additional practices that have recently been identified by the regulated community, including a new “Protecting Care Access” exception, which would cover practices an actor takes in certain circumstances to reduce its risk of legal exposure stemming from sharing information.
      • “Establishing certain Trusted Exchange Framework and Common Agreement™ (TEFCA™) governance rules, which include requirements that implement section 4003 of the 21st Century Cures Act.”
    • The public comment deadline will end in early September, depending on the date of the proposed rule’s publication in the Federal Register.
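The CISA/FBI secure-by-design alert quoted above says OS command injection arises when user input is not validated and sanitized before being built into an OS command. The following is an added example, not code from the advisory or from any of the vendors named; the "ping" diagnostic is a constructed stand-in for any product feature that runs an OS command with a user-supplied parameter. It places the defective pattern (string concatenation handed to a shell) beside the hardened one (allowlist validation, then an argv list with no shell involved), plus a small check a defender can run over request parameters when reviewing logs for probing.

```python
"""OS command injection: the pattern the CISA/FBI alert describes, beside a
hardened version. Added example; the 'ping' diagnostic is a constructed
stand-in for any feature that builds an OS command from user input."""
from __future__ import annotations

import re
import subprocess

# Allowlist for the single parameter we accept: hostname or IPv4 characters.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")
# Characters that change command structure once a string reaches /bin/sh.
SHELL_METACHARS = set(";|&$`<>()\n\"'\\")


def build_command_vulnerable(host: str) -> str:
    """The defect: untrusted input is concatenated into a shell command string.
    Anything in `host` that the shell treats specially becomes part of the
    command instead of staying data."""
    return f"ping -c 1 {host}"


def run_vulnerable(host: str) -> subprocess.CompletedProcess:
    """shell=True hands the whole string to /bin/sh, which is the sink that
    makes the concatenation above exploitable. Kept only to show the pattern."""
    return subprocess.run(build_command_vulnerable(host), shell=True,
                          capture_output=True, text=True)


def validate_host(host: str) -> str:
    """Reject anything outside the allowlist before it gets near a command."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return host


def is_accepted(host: str) -> bool:
    """True when the value passes validation, False when it is rejected."""
    try:
        validate_host(host)
        return True
    except ValueError:
        return False


def build_command_hardened(host: str) -> list[str]:
    """Validate, then pass the value as one argv element. With no shell in the
    path, metacharacters are just bytes inside a single argument."""
    return ["ping", "-c", "1", validate_host(host)]


def run_hardened(host: str) -> subprocess.CompletedProcess:
    """Execute the argv list directly; no shell parses the user's value."""
    return subprocess.run(build_command_hardened(host),
                          capture_output=True, text=True)


def injection_indicators(value: str) -> set:
    """Shell metacharacters present in a submitted value. Useful when reviewing
    request logs for probing against an endpoint that builds OS commands."""
    return SHELL_METACHARS & set(value)


if __name__ == "__main__":
    payload = "127.0.0.1; id"  # constructed sample input
    print("vulnerable string :", build_command_vulnerable(payload))
    print("indicators        :", sorted(injection_indicators(payload)))
    print("hardened accepts? :", is_accepted(payload))
    print("hardened argv     :", build_command_hardened("127.0.0.1"))
```

The hardening has two independent layers: the allowlist stops the bad value at the boundary, and the argv-list call means that even a value that slipped past validation could not change which program runs or add a second command. Both should be present; relying on the allowlist alone leaves the shell sink in place.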

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive lets us know,
    • “A cyberattack targeting AT&T’s Snowflake environment compromised data on nearly all of the telecom provider’s wireless customers, the company said in a Friday filing with the Securities and Exchange Commission. Nearly 110 million customers are impacted, according to AT&T’s annual report for the period of compromised data.
    • “Data stolen during the intrusion includes records of AT&T customers’ calls and text messages spanning a six-month period ending Oct. 31, 2022, and records from Jan. 2, 2023, the company said in the SEC filing. 
    • “The attack did not expose the content of calls or text messages, customer names or personally identifiable information, according to AT&T. Yet, the stolen records include the phone numbers AT&T wireless customers interacted with, counts of those interactions and aggregate call duration for a day or month.”
  • Dark Reading adds,
    • “Nearly all” of AT&T’s wireless customers are affected, the company admitted, as well as customers of mobile virtual network operators (MVNOs) using AT&T’s network. According to public resources, those MVNOs likely include popular wireless service providers like Boost Mobile, Cricket Wireless, H2O, and Straight Talk Wireless.” * * *
    • “Earlier this year, data belonging to more than 70 million AT&T customers leaked to the Dark Web. The trove included all the hallmark personally identifying information (PII) types, like Social Security numbers, mailing addresses, and dates of birth.
    • “This time, none of the stolen data has as yet been observed on the public web, and customers’ most sensitive PII has remained untouched. [FEHBlog note the theft occurred in April — the public notice was delayed with Justice Department approval.]
    • Still, AT&T warned, “There are often ways, using publicly available online tools, to find the name associated with a specific telephone number.”
  • Cyberscoop notes that Snowflake “announced on Thursday that administrators can now enforce mandatory multi-factor authentication for Snowflake users.”  
  • On a related note, Help Net Security discloses,
    • “On July 1, Twilio – the company that develops the Authy MFA mobile app – shared with the public that attackers have leveraged one of its unauthenticated API endpoints to compile a list of phone numbers and other data belonging to Authy users.
    • “Company systems were not breached, Twilio said, and Authy accounts have not been compromised, but the company warned that “threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks.”
    • “The list, which apparently holds data of 33 million Authy users, has been offered for sale by ShinyHunters, a threat actor that specializes in breaching companies and stealing their customers data, then holding it for ransom and/or selling it to the highest bidder on forums and markets frequented by cybercriminals.”
  • Cybersecurity Dive calls attention to a recent survey,
    • “Almost 60% of organizations can’t track what happens to their information once it goes out in an email or through another communication channel, a survey by data security company Kiteworks finds. 
    • “That’s a risk management problem because data breaches are correlated with how information leaves an organization. 
    • “The more communication tools an organization uses — email, file sharing, managed file transfer, secure file transfer protocol, web forms, among others — the higher the risk of information ending up where it wasn’t intended, the survey finds. 
    • “Respondents with over seven communication tools experienced 10-plus data breaches — 3.55x higher than the aggregate,” the survey report says.”
  • On July 9, 2024 —
    • “CISA added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
      • CVE-2024-23692 Rejetto HTTP File Server Improper Neutralization of Special Elements Used in a Template Engine Vulnerability
      • CVE-2024-38080 Microsoft Windows Hyper-V Privilege Escalation Vulnerability
      • CVE-2024-38112 Microsoft Windows MSHTML Platform Spoofing Vulnerability”
    • Health IT Security pointed out recent breaches involving healthcare entities.
    • HHS’s Health Sector Cybersecurity Coordination Center (HC3) posted its bulletin on June 2024 vulnerabilities of interest to the health sector.
  • Health IT Security alerts us,
    • “Change Healthcare published a substitute data breach notice on its website [earlier this week] to inform affected individuals of the breach that resulted from the February 2024 cyberattack against the company. Change has publicly stated that the cyberattack involved the data of approximately one-third of Americans.
    • “Change Healthcare said that it would begin mailing written letters to affected individuals on June 20, once it completed its data review. Additional customers may be identified as impacted as the review continues.
    • “The company provided a brief timeline of events in its substitute notice, which was published on its website. Although the cyberattack began on February 21, it was not until March 13 that Change was able to obtain a dataset of exfiltrated files that was safe to investigate. * * *
    • “Any individual who believes that their information has been impacted by the data breach can enroll in two years of complimentary credit monitoring and identity theft protection services. Ahead of the breach notice, state attorneys general encouraged consumers to take advantage of these free resources.”

From the ransomware front,

  • Cyberscoop reports,
    • “The ransomware group linked to a June cyberattack against auto industry software provider CDK Global received a payment of more than $25 million two days after the attack that hobbled software used by roughly 15,000 car dealerships in the U.S. became public, researchers told CyberScoop. 
    • “A cryptocurrency wallet likely controlled by BlackSuit — the ransomware group believed to be responsible for the attack — received approximately 387 bitcoins on June 21, worth roughly $25 million, researchers with blockchain intelligence firm TRM Labs told CyberScoop. 
    • “The evidence uncovered by TRM Labs is the firmest evidence yet to indicate that CDK Global paid a ransom in order to resolve the attack on its systems, though TRM’s findings do not conclusively prove that the payment came from CDK.”
  • SC Media and Bleeping Computer discuss RansomHub attacks on the Florida Department of Health and the Rite Aid pharmacy chain.
  • Dark Reading reports,
    • “Akira ransomware actors are now capable of squirreling away data from victims in just over two hours, marking a significant shift in the average time it takes for a cybercriminal to move from initial access to information exfiltration.
    • “That’s the word from the BlackBerry Threat Research and Intelligence Team, which today released a breakdown of a June Akira ransomware attack on a Latin American airline. According to BlackBerry’s anatomy of the attack, the threat actor, using Secure Shell (SSH) protocol, gained initial access via an unpatched Veeam backup server, and immediately set about heisting information before deploying the Akira ransomware the next day.
    • “The likely culprit is Storm-1567 (aka Punk Spider and Gold Sahara), a prolific user of the Akira ransomware-as-a-service (RaaS) platform and the group that maintains the Akira leak site, according to the report. The gang is known for using double-extortion tactics and has attacked more than 250 organizations across numerous industry verticals globally since emerging from the shadows in March 2023. It mainly sets its sights on Windows systems, but has developed Linux/VMware ESXi variants as well, and has consistently shown a high level of technical prowess.”
  • The Register (UK) tells us,
    • “As ransomware crews increasingly shift beyond just encrypting victims’ files and demanding a payment to unlock them, instead swiping sensitive info straight away, some of the more mature crime organizations are developing custom malware for their data theft.
    • “In a report published on Wednesday by Cisco Talos, the threat intelligence unit reviewed the top 14 ransomware groups and analyzed their tactics, techniques and procedures (TTPs). Talos selected the 14 based on volume and impact of attacks and “atypical threat actor behavior,” using data from the criminals’ leak sites, internal tracking, and other open-source reporting.
    • “The 14, listed here by number of victims on their respective shaming sites, are the ones you’d likely expect: LockBit, ALPHV, Play, 8base, BlackBasta, BianLian, CLOP, Cactus, Medusa, Royal/Blacksuit, Rhysida, Hunters International, Akira, and Trigona. 
    • “Over the past year, we have witnessed major shifts in the ransomware space with the emergence of multiple new ransomware groups, each exhibiting unique goals, operational structures and victimology,” the report’s authors note.”

From the cybersecurity defenses front,

  • Cybersecurity Dive discusses “What does your CEO need to know about cybersecurity? CEOs don’t necessarily have to become experts in the technical aspects of cybersecurity to be prepared in case of an attack or — hopefully — stop one before it starts.”
  • Per a July 11, 2024, CISA press release,
    • “CISA released CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth in coordination with the assessed organization. This Cybersecurity Advisory (CSA) details key findings and lessons learned from a 2023 assessment, along with the red team’s tactics, techniques, and procedures (TTPs) and associated network defense activity.
    • “The CSA also provides recommendations to assist executives, leaders, and network defenders in all organizations with refining their cybersecurity, detection, response, and hunt capabilities.
    • “CISA encourages all organizations to review the advisory and apply the recommendations and mitigations within, including applying defense-in-depth principles, using robust network segmentation, and establishing baselines of network traffic, application execution, and account authentication.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • The Wall Street Journal makes available an interview with an assistant U.S. attorney general in a 10-minute-long podcast.
    • “The U.S. government has delayed public disclosures of cyber incidents several times since new rules came into force last December, according to Matthew Olsen, assistant attorney general at the U.S. Department of Justice. He spoke with WSJ reporter Dustin Volz at WSJ Tech Live: Cybersecurity on June 6 about the government’s reason for granting companies exemption to delay disclosing hacks. They also discussed the heightened risk of cyber-attacks. Zoe Thomas hosts.”
  • The HHS Office for Civil Rights, which enforces the HIPAA Privacy and Security Rules, announced on Monday July 1, “a settlement with Heritage Valley Health System (Heritage Valley), which provides care in Pennsylvania, Ohio and West Virginia, concerning potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, following a ransomware attack.”
  • Cybersecurity Dive reports
    • “The U.S. Supreme Court ruling Friday [June 28] to overturn the Chevron doctrine could have major implications on the cybersecurity regulatory landscape at a time when federal agencies have enacted significant requirements designed to strengthen incident reporting and meet baseline security standards.” * * * 
    • “Legal and cybersecurity experts are still evaluating what the impact of the Chevron doctrine ruling will be on future regulations. However, Brandon Pugh, director of cybersecurity and emerging threats at the R Street Institute, said the ruling will force federal officials to rethink how they approach future cyber regulations to make sure they don’t create an overly burdensome environment for critical infrastructure and industry partners. 
    • “I think it may give agencies more pause to think about their legal justification, and perhaps look to Congress for more authority in the cases of ambiguity,” Pugh said in an interview.”

From the cybersecurity vulnerabilities and breaches front,

  • The Cybersecurity and Infrastructure Security Agency added one known exploited vulnerability to its catalog on July 2.
  • Cybersecurity Dive provides background on the KEV.
    • “A suspected threat actor with ties to China is actively exploiting a zero-day vulnerability in Cisco NX-OS software, researchers said Monday [July 1].
    • “The suspected actor, dubbed Velvet Ant, is exploiting a command injection vulnerability, identified as CVE-2024-20399, which impacts a wide range of Cisco Nexus devices, according to researchers at Sygnia. The vulnerability has a CVSS score of 6.0; however, researchers warn the threat actor is highly sophisticated and is deploying custom malware, Sygnia said.
    • “Cisco on Monday released software updates for some NX-OS hardware platforms, and will continue to release additional fixes when they are ready. The company said there are no other workarounds to address the flaw.”
  • Cybersecurity Dive further reported on July 1,
    • “At least 700,000 OpenSSH servers are at risk of exploit from a remote code execution vulnerability, CVE-2024-6387, Qualys said Monday. Researchers at Qualys, which discovered the vulnerability, dubbed it “regreSSHion.”
    • “Though Qualys researchers have not yet scored the CVE, they describe it as critical, presenting a significant security risk. The signal handler race condition in OpenSSH’s server allows unauthenticated remote code execution as root on glibc-based Linux systems.
    • “This vulnerability, if exploited, could lead to full system compromise where an attacker can execute arbitrary code with the highest privileges, resulting in complete system takeover, installation of malware, data manipulation and the creation of backdoors for persistent access,” Bharat Jogi, senior director of Qualys threat research unit, said in the report.”
  • Cybersecurity Dive let us know on July 2,
    • “Microsoft researchers on Tuesday warned that critical vulnerabilities in Rockwell Automation PanelView Plus can be exploited by unauthenticated hackers, putting the devices at risk for remote code execution and denial of service. The vulnerabilities were initially disclosed and patched in late 2023.
    • “PanelView Plus devices are human-machine interfaces that are widely used in industrial settings, and malicious control of these devices can lead to disruptive attacks. The remote code execution vulnerability, listed as CVE-2023-2071, has a CVSS score of 9.8. The denial of service vulnerability, listed as CVE-2023-29464, has a CVSS score of 8.2. 
    • “Microsoft initially discovered the vulnerabilities and shared its findings with Rockwell Automation in May and July 2023. Rockwell Automation released security advisories and patches for the CVEs in September and October 2023. Microsoft researchers urged users to patch and apply other mitigation steps.”

From the ransomware front,

  • SC Media reported on July 2,
    • “Operations at Northern California’s Patelco Credit Union have been disrupted by a ransomware attack over the weekend, hindering banking service access to nearly 500,000 individuals, according to CBS Bay Area.
    • “Despite the attack prompting the immediate shutdown of Patelco’s banking systems, its ATMs, branches, and call centers continued operating regular hours although individual account information was inaccessible to employees, said a Patelco spokesperson. Other services affected by the outage included the credit union’s website and mobile app, electronic transactions, and online bill payments, as well as portions of its debit and credit card transactions.”
  • Bleeping Computer reports,
    • “A new ransomware-as-a-service (RaaS) called Eldorado emerged in March and comes with locker variants for VMware ESXi and Windows.
    • “The gang has already claimed 16 victims, most of them in the U.S., in real estate, educational, healthcare, and manufacturing sectors.
    • “Researchers at cybersecurity company Group-IB monitored Eldorado’s activity and noticed its operators promoting the malicious service on RAMP forums and seeking skilled affiliates to join the program.”
  • and
    • “Healthcare fintech firm HealthEquity is warning that it suffered a data breach after a partner’s account was compromised and used to access the Company’s systems to steal protected health information.
    • “The Company says it detected the compromise after detecting ‘anomalous behavior’ from a partner’s personal device and launched an investigation into the incident.
    • “The investigation revealed that the partner had been compromised by hackers who leveraged the hijacked account to gain unauthorized access to HealthEquity’s systems and, later, exfiltrate sensitive health data.”
  • The Record notes,
    • “Researchers say they have discovered a new ransomware group named Volcano Demon that has carried out at least two successful attacks in the past two weeks.
    • “The group’s targets were companies in the manufacturing and logistics industries, said Tim West, an analyst at the cybersecurity firm Halcyon, in a comment to Recorded Future News. He declined to provide further information about the targets. 
    • “What’s interesting about this ransomware group, Halcyon researchers said, is that it has no public leaks website but instead uses phone calls to intimidate and negotiate payments with leadership at victim organizations. These calls originate from unidentified numbers and often carry a threatening tone, the researchers said.”

From the cybersecurity defenses front,

  • The FEHBlog got a kick out of the title of the third article because, as a young lawyer, his go-to assurance to clients was “I’ll get you out even if it takes me 20 years.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • The Wall Street Journal reports,
    • “Insurers told a congressional hearing Thursday [June 27, 2024] that they need the flexibility to determine what they will and won’t cover under cyber policies, saying they are still trying to understand the risks associated with cyberattacks.
    • “The House Committee on Homeland Security’s subcommittee on cybersecurity and infrastructure protection held the hearing to explore how cyber insurance is being used by critical-infrastructure operators, amid warnings of hacking efforts from China and Russia.
    • “Insurers have tightened underwriting standards and raised premiums for cyber policies in recent years, spooked by an increase in losses starting in 2019 as cyberattacks spiked during the coronavirus pandemic. Many now require a raft of cybersecurity controls for organizations to qualify for coverage, such as multifactor authentication and network monitoring, and carriers have restricted what they will cover.”
  • Cybersecurity Dive adds,
    • “In an effort to qualify for cyber insurance, three-quarters of companies have invested in cyber defense, according to a report released Wednesday by Sophos and Vanson Bourne.
    • “These investments were either required to obtain coverage, helped organizations secure lower premiums or, in other cases, improved the coverage terms of their insurance plans. The research is based on a survey of 5,000 IT and cybersecurity leaders across 14 countries in the Americas, Asia Pacific and Europe, the Middle East and Africa.
    • “Despite the investments, significant gaps remain between recovery costs and the coverage provided by insurance providers, Sophos found.”
  • The National Institute of Standards and Technology announced,
    • “The U.S. Department of Health and Human Services Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) are excited to announce the return of the “Safeguarding Health Information: Building Assurance through HIPAA Security” conference for October 2024. After a 5-year absence, the conference is returning to Washington, D.C.
    • DATES: October 23–24, 2024
    • LOCATION: HHS Headquarters (Hubert H. Humphrey Building) in Washington, D.C. * * *
    • Registration will open later in the summer.
  • Fedscoop tells us,
    • “Chris DeRusha, the former federal chief information security officer and deputy national cyber director, is joining Google Cloud to lead the tech giant’s global public sector compliance work, according to a Tuesday press release.
    • “DeRusha, who left the federal government last month after more than three years as the federal CISO, will lead the expansion of Google Cloud’s suite of artificial intelligence, cloud computing and security products within the public sector, both in the United States and abroad.”

From the cybersecurity vulnerabilities and breaches front,

  • Health IT Security tells us,
    • “Third-party data breaches have been a top concern for healthcare cybersecurity leaders in recent years, following a string of high-profile cyberattacks across the healthcare supply chain.
    • “Threat research from SecurityScorecard, a company that provides cybersecurity ratings for corporations, showed that 35% of third-party breaches that occurred in 2023 affected healthcare organizations, overtaking all other sectors.
    • “SecurityScorecard analyzed the security ratings and historical breach data of the 500 largest US healthcare companies to glean insights into the sector’s top risk factors. Despite the perception that healthcare is behind other industries when it comes to cyber defense, healthcare organizations averaged a security score of 88.”
  • For example, Dark Reading points out,
    • “A full 791,000 patients have had their personal information compromised in a cyberattack that resulted in Lurie Children’s Hospital in Chicago taking its systems offline.
    • “Cybercriminals accessed the children’s hospital’s systems, disrupting its patient portal, communications, and ability to access medical records.
    • “In a data breach notification this week, the hospital cited the investigation as ongoing and said that the threat actors accessed the systems between Jan. 26 and 31, 2024.
    • “Once the hospital went offline, it implemented standard response procedures, including its downtime procedures, though it has remained open throughout the duration of the investigation thus far.”
  • Health IT Security adds,
    • “Geisinger began notifying upwards of one million individuals of a data breach that occurred in November 2023, when a former Nuance Communications employee accessed certain Geisinger patient information two days after being terminated. The individual has since been arrested and is facing federal charges.
    • “Geisinger serves 1.2 million people across Pennsylvania in rural and urban care settings. Geisinger used Nuance, a Microsoft-owned company, for information technology services.”
  • Cybersecurity Dive further informs us,
    • “Microsoft has notified additional enterprise customers this week that a password-spray campaign by the state-linked Midnight Blizzard threat group led to a compromise of their emails. 
    • “Microsoft also provided additional detail to other customers that were previously notified about the intrusions. Customers who received the notifications took to social media, as they feared they were being potentially phished. The new disclosures were first reported by Bloomberg.
    • “This week we are continuing notifications to customers who corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor, and we are providing the customers the email correspondence that was accessed by this actor,” the company said in an emailed statement. “This is increased detail for customers who have already been notified and also includes new notifications.”
  • HHS’s Health Sector Cybersecurity Coordination Center (HC3) issued a Threat Actor Profile on a Russian cyber threat group known as Seashell Blizzard.
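The Microsoft notifications above concern a password-spray campaign, and the H-ISAC and FBI/HHS items elsewhere on this page both come down to reviewing authentication logs for activity that does not look like a legitimate user. Spraying has a distinct signature: one source tries a few common passwords against many accounts, so per-account lockout thresholds never trip, while a classic brute-force attempt hammers one account. The following is an added example, not Microsoft's detection logic or anything from the article. It parses a constructed, simplified log format (timestamp, source address, user, result) and flags sources whose failures span many distinct accounts inside a sliding time window, then reports whether that source later logged in successfully, which is the case that needs immediate response.

```python
"""Password-spray detection over authentication log lines.

Added example (not from Microsoft or the article). The log format is a
constructed, simplified one: ISO-8601 timestamp, source address, user, result.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)

# Constructed sample: one spraying source (many users, one try each, then a
# hit), one brute-force source (one user, many tries), and normal traffic.
SAMPLE_LOG = """\
2024-06-25T09:00:05Z src=192.0.2.5 user=alice result=SUCCESS
2024-06-25T09:01:10Z src=198.51.100.23 user=alice result=FAIL
2024-06-25T09:01:12Z src=198.51.100.23 user=bob result=FAIL
2024-06-25T09:01:15Z src=198.51.100.23 user=carol result=FAIL
2024-06-25T09:01:17Z src=198.51.100.23 user=dave result=FAIL
2024-06-25T09:01:20Z src=198.51.100.23 user=erin result=FAIL
2024-06-25T09:01:22Z src=198.51.100.23 user=frank result=FAIL
2024-06-25T09:40:00Z src=198.51.100.23 user=frank result=SUCCESS
2024-06-25T09:02:00Z src=203.0.113.9 user=admin result=FAIL
2024-06-25T09:02:01Z src=203.0.113.9 user=admin result=FAIL
2024-06-25T09:02:02Z src=203.0.113.9 user=admin result=FAIL
2024-06-25T09:02:03Z src=203.0.113.9 user=admin result=FAIL
2024-06-25T09:02:04Z src=203.0.113.9 user=admin result=FAIL
2024-06-25T09:02:05Z src=203.0.113.9 user=admin result=FAIL
not a log line
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "src": m["src"], "user": m["user"], "result": m["result"]}


def detect_password_spray(lines, min_distinct_users=5, window=timedelta(minutes=15)):
    """Flag sources whose failed logins touch at least min_distinct_users
    distinct accounts inside a sliding time window. A single account hit many
    times (brute force) does not qualify; that is a different signature.
    For each flagged source, also list accounts that later succeeded from it."""
    failures = defaultdict(list)   # src -> [(ts, user)]
    successes = defaultdict(list)  # src -> [(ts, user)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than crash the sweep
        bucket = failures if rec["result"] == "FAIL" else successes
        bucket[rec["src"]].append((rec["ts"], rec["user"]))

    findings = {}
    for src, events in failures.items():
        events.sort()  # time order so the window below is contiguous
        best_users, first_hit, start = set(), None, 0
        for end, (ts_end, _) in enumerate(events):
            while ts_end - events[start][0] > window:
                start += 1  # slide the window forward
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_distinct_users and len(users) > len(best_users):
                best_users, first_hit = users, events[start][0]
        if best_users:
            after = sorted({u for ts, u in successes.get(src, []) if ts >= first_hit})
            findings[src] = {"users": sorted(best_users), "success_after": after}
    return findings


if __name__ == "__main__":
    for src, info in detect_password_spray(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: sprayed {len(info['users'])} accounts; "
              f"later successes: {info['success_after'] or 'none'}")
```

The thresholds are deliberately parameters: the right number of distinct accounts and the window length depend on the size of the user base and how noisy the source is, and a real deployment would key on a tenant or client identifier as well as the source address, since spraying is often spread across many addresses.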

  • Cybersecurity Dive relates,
    • “UPDATE: June 27, 2024: Progress Software upgraded the severity score of a MOVEit file-transfer service vulnerability, CVE-2024-5806, from a 7.4 to 9.1 on Tuesday. “A newly identified vulnerability in a third-party component used in MOVEit Transfer elevates the risk of the original issue mentioned above if left unpatched,” the company said in the updated advisory. “While the patch distributed by Progress on June 11 successfully remediates the issue identified in CVE-2024-5806, this newly disclosed third-party vulnerability introduces new risk.”
  • CISA added three known exploited vulnerabilities to its catalog on June 26, 2024
    • CVE-2022-24816 GeoSolutionsGroup JAI-EXT Code Injection Vulnerability
    • CVE-2022-2586 Linux Kernel Use-After-Free Vulnerability
    • CVE-2020-13965 Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability
  • The American Hospital Association News reports,
    • “The Health Information Sharing and Analysis Center June 27 issued a threat bulletin alerting the health sector to active cyberthreats exploiting TeamViewer. H-ISAC recommends users review logs for any unusual remote desktop traffic. Threat actors have been observed leveraging remote access tools, H-ISAC said. The agency recommends users enable two-factor authentication and use the allowlist and blocklist to control who can connect to their devices, among other measures.”
  • and
    • “The FBI and Department of Health and Human Services June 24 released an advisory about cyberthreat actors targeting health care organizations in attempts to steal payments. The agencies have recommended mitigation efforts to help reduce the likelihood of being impacted. Threat actors have been found to use phishing efforts to gain access to employees’ email accounts, and then pivoting to target login information related to the processing of reimbursement payments to insurance companies, Medicare or similar entities, the agencies wrote. In some instances, threat actors would call an organization’s information technology help desk posing as an employee of the organization to trigger a password reset for the employee’s account. 
    • “The AHA was initially made aware of this type of scheme in January, and HHS issued an advisory on similar threats in April.”
  • Pharmacy Practice News calls attention to an
    • “increasingly popular tool for hackers trying to sneak around information technology (IT) protections.
    • “Smishing is a variant of phishing (the by now familiar practice of sending fraudulent emails to steal personal information). In this case, the attacker “uses a compelling text message to trick targeted recipients into clicking a link, which sends the attacker private information or downloads malicious programs to a smartphone,” the Department of Health and Human Services (HHS) explained in an August 2023 report. (The term comes from combining SMS, which refers generally to text messaging, with “phishing.”)
    • “If you have ever received a text message insisting that a UPS package could not be delivered [and the FEHBlog has], or warning you that you’re in trouble with the IRS and urgently requesting that you click the embedded link, then you’ve been a target of attempted smishing. And if you think you’ve seen more of these messages lately, you’re not alone.”

From the cybersecurity defenses front,

  • Cybersecurity Dive reports,
    • “Cloud security is a top priority for organizations around the world, Thales found in a study released Tuesday. The report is based on a survey of 3,000 IT and security professionals from 18 different countries.
    • “More than 2 in 5 respondents said they have had their cloud environments breached in the past, with 14% of respondents reporting a breach in the past year. 
    • “For nearly one-third of incidents, human error and misconfiguration are to blame. Respondents also cited the exploitation of known vulnerabilities in 28% of breaches and failure to use multifactor authentication in 17%.”
  • Here’s a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy front,

  • Federal News Network lets us know,
    • “Agencies that oversee critical infrastructure should address threats posed by China and work to establish baseline cybersecurity requirements over the next two years.
    • “That’s according to new guidance signed out by Homeland Security Secretary Alejandro Mayorkas on June 14. The document lays out priorities over the next two years for sector risk management agencies. SRMAs are responsible for overseeing the security of specific critical infrastructure sectors.
    • “From the banking system to the electric grid, from healthcare to our nation’s water systems and more, we depend on the reliable functioning of our critical infrastructure as a matter of national security, economic security, and public safety,” Mayorkas said in a statement. “The threats facing our critical infrastructure demand a whole of society response and the priorities set forth in this memo will guide that work.”
  • The Wall Street Journal adds,
    • “The U.S. government is pushing board directors at critical-infrastructure companies to improve cybersecurity oversight amid intense espionage and hacking campaigns from China and other adversaries.
    • “On Tuesday [June 18], the U.S. Secret Service, the Cybersecurity and Infrastructure Security Agency, the National Association of Corporate Directors, credit card giant Mastercard and venture-capital firm NightDragon delivered a one-day course to 16 such directors.
    • “The attending directors, all of whom serve in leadership roles such as chairing audit committees on the boards of critical-infrastructure companies, sat for instruction at the Secret Service’s Laurel, Md.-based training facility. The course isn’t a primer on cybersecurity basics, but practical education on current threats and oversight.
  • The Washington Post reports,
    • “The Biden administration announced Thursday [June 20] that it will ban Kaspersky Lab from distributing its anti-virus software and cybersecurity products in the United States, pointing to national security concerns related to the Russian company.
    • “Commerce Secretary Gina Raimondo told reporters the decision was made following an “extremely thorough investigation,” and that Kaspersky has “long raised national security concerns.” The United States in 2017 banned federal agencies [and contractors] from using those products. * * *
    • “The ban on Kaspersky products comes into full effect Sept. 29, according to a statement from the Commerce Department. Until then, Kaspersky will be allowed to continue providing some services in the United States, including certain updates, to give U.S. consumers and businesses time to find alternatives.
    • “Individuals or businesses that continue to use the products will not face legal penalties, department said, but assume “all the cybersecurity and associated risks of doing so.”

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive informs us,
    • “At least 147,000 ASUS routers are potentially exposed to a critical vulnerability, which can allow a remote attacker to bypass authentication and gain login access, researchers at Censys said Thursday [June 20].
    • “ASUS issued a security advisory on June 14 recommending customers upgrade their firmware or apply mitigation steps if the upgrade was not possible.  
    • “The improper authentication vulnerability, listed as CVE-2024-3080, has a CVSS score of 9.8.”  
  • FEHBlog note — The Cybersecurity and Infrastructure Security Agency did not add new known exploited vulnerabilities to its catalog this week.
  • Cybersecurity Dive adds,
    • “Multifactor authentication appeared in almost half of all security incidents the Cisco Talos incident response teams encountered during the first quarter of the year, according to data released Tuesday
    • “In 25% of cases, incident response specialists responded to fraudulent MFA push notifications sent by attackers, Cisco Talos found.
    • “Users did not properly implement MFA in 1 in 5 Cisco Talos engagements, the firm said.”
  • Health IT Security tells us
    • “UnitedHealth Group (UHG) has begun notifying affected entities of the Change Healthcare data breach and will begin mailing breach notifications to individual cyberattack victims in late July, the company stated in a June 20 media notice.
    • “Change said it has completed a review of over 90% of impacted files and continues to see no evidence that full medical histories were exfiltrated from its systems during the cyberattack. Change explained that it only recently obtained a dataset that was safe to analyze, as its own systems were difficult to access during recovery.
    • “Even though the data review is not yet complete, Change has begun notifying the customers it has identified as impacted as of June 20 so they can proactively respond. * * *
    • “Change Healthcare’s latest update further confirmed that the company will make HIPAA and state attorney general notifications on behalf of victim entities unless those entities decide to opt out and handle the notifications themselves.
    • “The affected information varied by individual but may have included contact information, health insurance information, billing and claims information, medical record numbers, diagnoses, test results, Social Security numbers, and other personal information.
    • “Change offered two years of complimentary credit monitoring and identity theft protection services to victims and said that it reinforced its security and privacy policies in light of the incident.
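The Cisco Talos figures above (fraudulent MFA push notifications in a quarter of engagements, MFA not properly implemented in a fifth) describe push bombing: an attacker who already holds a password sends prompt after prompt until the user accepts one. The Python below is an added example, not code from Cisco Talos, of a detection over authentication events. The event format (timestamp, user, method, result), the window and threshold values and the sample lines are assumptions constructed for the example.

```python
"""Detect MFA push bombing in authentication logs.

Added example, not from the Cisco Talos report. Events are constructed
CSV lines: timestamp,user,method,result. A burst of denied or unanswered
push prompts is flagged, and an approval that follows such a burst is
flagged separately, since that is the pattern of a user giving in.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events (not real data).
SAMPLE_EVENTS = """\
2024-06-18T08:01:02Z,alice,push,approved
2024-06-18T22:14:05Z,bob,push,denied
2024-06-18T22:14:40Z,bob,push,timeout
2024-06-18T22:15:12Z,bob,push,denied
2024-06-18T22:16:03Z,bob,push,denied
2024-06-18T22:16:50Z,bob,push,approved
2024-06-19T09:30:00Z,carol,push,denied
2024-06-19T09:45:00Z,carol,push,approved
"""

WINDOW = timedelta(minutes=10)   # look-back window for counting prompts (assumed)
THRESHOLD = 3                    # unaccepted prompts in the window that count as bombing


def parse_events(text):
    """Parse the constructed CSV format into sorted (timestamp, user, method, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, method, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, method, result))
    events.sort()
    return events


def detect_push_fatigue(text, window=WINDOW, threshold=THRESHOLD):
    """Return (user, timestamp, description) alerts in chronological order."""
    alerts = []
    unaccepted = defaultdict(deque)   # user -> timestamps of denied/timed-out prompts
    for ts, user, method, result in parse_events(text):
        if method != "push":
            continue
        q = unaccepted[user]
        while q and ts - q[0] > window:   # drop prompts that fell out of the window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) == threshold:
                alerts.append((user, ts, f"push bombing: {threshold} unaccepted prompts within {window}"))
        elif result == "approved":
            if len(q) >= threshold:
                alerts.append((user, ts, "approval after repeated prompts: probable MFA fatigue compromise"))
            q.clear()                     # a genuine approval resets the user's burst
    return alerts


if __name__ == "__main__":
    for user, ts, why in detect_push_fatigue(SAMPLE_EVENTS):
        print(ts.isoformat(), user, why)
```

In the sample, bob's four unaccepted prompts late at night trigger the bombing alert at the third one, and his approval a minute later raises the second, more serious alert; carol's single denial followed by an approval fifteen minutes later stays under the threshold. The second alert is the one to page on: it means the password is already compromised and the attacker now has a session, so the response is a credential reset and session revocation, not a user reminder. Number-matching or FIDO2 authenticators remove the push-accept step that makes this attack work at all.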

From the ransomware front,

  • NPR reflects on the ransomware attack on Ascension Health.
  • CISO Series adds,
    • “As many as 10 companies are facing ransom payments between $300,000 and $5 million following a breach against cloud-based data analytics firm Snowflake earlier this month. According to Mandiant, who has helped lead Snowflake’s case, the hacking scheme has “entered a new stage” as the ransom demands flow in, as well as death threats against the cybersecurity experts investigating the breach. The hackers gained access to the information by targeting Snowflake users using single-factor authentication techniques. Mandiant has said it anticipates the ransomware group to “continue to attempt to extort victims.”
  • The American Hospital Association News tells us,
    • “The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) this week released an advisory about Qilin, formerly “Agenda,” a ransomware-as-a-service group targeting health care and other industries worldwide. The group was observed recruiting affiliates in late 2023, and has variants written in Golang and Rust, HC3 said. Qilin is known to gain initial access through spear phishing, as well as leveraging remote monitoring and management and other common tools in cyberattacks. The group is also known to practice double extortion. HC3 said the group’s targeting appears to be opportunistic rather than targeted.” 
  • Per Cybersecurity Dive,
    • “Crime is paying less often for threat actors as improved corporate security measures — and dramatically higher ransom demands — sway more companies to reject extortion payments for seized data.
    • “Less than a quarter of 1,800 companies that submitted cyber claims to Marsh, or 23%, paid ransom demands last year, despite a 64% jump in extortion events from 2022 to a record 282, the insurance broker and risk advisor said in a June 11 report. 
    • “In 2021, Marsh noted, 63% of its clients paid an extortion demand to protect data.
    • “Companies, especially larger ones, are “just more resilient than they were three, four, five years ago,” Meredith Schnur, managing director of Marsh’s U.S. and Canada cyber practice, told Legal Dive.”

From the cybersecurity defenses front,

  • Dark Reading explains why multi-factor authentication is not enough while Tech Radar points out why we need a password-less world.
  • Tech Target gives advice on how to write a useful cybersecurity incident report.
  • Here’s a link to this week’s CISO Corner in Dark Reading.

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cybersecurity Dive lets us know,
    • “Microsoft President Brad Smith promised to move forward with significant culture changes at the tech giant as the company accepted full responsibility for its security failures, he said in testimony Thursday [June 13] before the House Committee on Homeland Security.
    • “Smith, who also serves as vice chair, testified before lawmakers Thursday in response to a blistering report from the U.S. Cyber Safety Review Board that analyzed Microsoft’s security culture following the summer 2023 hack of Microsoft Exchange Online by a state-linked threat group. 
    • “Smith was asked repeatedly during the hearing about whether Microsoft is changing its culture to encourage workers to speak up about security concerns. 
    • “We want a culture that encourages every employee to look for problems, find problems, report problems, help fix problems and then learn from the problems,” Smith said during questioning.” 
  • Cyberscoop tells us,
    • “A congressional watchdog is sending a reminder to the White House that it has a long laundry list of cybersecurity regulations to address as the 2024 election draws near.
    • “The Government Accountability Office is breaking biennial tradition with the latest update to its “high-risk list,” a term the watchdog uses to denote areas that are “vulnerable to waste, fraud, abuse, or mismanagement, or in need of transformation.”
    • “Cybersecurity has been on the GAO’s high-risk list since 1997, Sarah Kaczmarek, acting managing director for GAO’s Office of Public Affairs, said during a call with reporters this week. * * *
    • “The more than 80-page report goes over four main areas: establishing a comprehensive cybersecurity strategy with effective oversight, securing federal systems and information, protecting critical infrastructure and protecting privacy and sensitive data.
    • “The White House has yet to implement 567 out of 1,610 cybersecurity-related recommendations the government watchdog has issued since 2010, according to the report.
    • “A lot of them are really, really critical to securing the cybersecurity of our nation,” said Marisol Cruz Cain, director of information technology and cybersecurity at the GAO.”
  • Federal News Network adds,
    • “The number of cybersecurity incidents in 2023 grew by almost 10%. Agencies reported more than 32,000 cyber incidents to the Cybersecurity and Infrastructure Security Agency in fiscal 2023. The latest Federal Information Security Modernization Act (FISMA) report to Congress from the Office of Management and Budget showed an increase from more than 29,000 cyber incidents from the year before. Of those 32,000 incidents, 38% — or more than 12,000 — were due to improper usage, which means someone violated an agency’s acceptable use policy. The second biggest attack vector, once again, was email phishing, which saw more than a 50% increase in 2023 as compared to 2022. The good news, OMB said, is 99% of all incidents in 2023 were considered “unsubstantiated or inconsequential event[s].”
  • Per a Cybersecurity and Infrastructure Security Agency (CISA) press release,
    • “Yesterday [June 13], the Cybersecurity and Infrastructure Security Agency (CISA) conducted the federal government’s inaugural tabletop exercise with the private sector focused on effective and coordinated responses to artificial intelligence (AI) security incidents. This exercise brought together more than 50 AI experts from government agencies and industry partners at the Microsoft Corp. facility in Reston, Virginia.
    • “The four-hour exercise was led by the Joint Cyber Defense Collaborative (JCDC), a public-private partnership model established by CISA to undertake joint planning efforts and drive operational collaboration. This exercise simulated a cybersecurity incident involving an AI-enabled system and participants worked through operational collaboration and information sharing protocols for incident response across the represented organizations. CISA Director Jen Easterly and FBI Cyber Division Deputy Assistant Director Brett Leatherman delivered opening and closing remarks, respectively, emphasizing the need for advancing robust operational structures to address existing and potential security threats, while prioritizing secure-by-design AI development and deployment.
    • “This tabletop exercise is supporting the development of an AI Security Incident Collaboration Playbook spearheaded by JCDC.AI, a dedicated planning effort within JCDC focused on building an operational community of AI providers, AI security vendors, and other critical infrastructure owners/operators to address risks, threats, vulnerabilities, and mitigations concerning AI-enabled systems in national critical infrastructure. The playbook, slated for publication by year-end, will facilitate AI security incident response coordination efforts among government, industry, and global partners.”

From the cybersecurity vulnerabilities and breaches front,

  • Modern Healthcare informs us,
    • “Ascension said Friday it has restored access across all markets to the core system for electronic health records and patient portals after a cyberattack.
    • “Patients should see a smoother process for scheduling appointments and filling prescriptions, plus improved wait times, Ascension said in a news release. Some information may be temporarily inaccessible as the system updates medical records collected in the last month, according to the health system. * * *
    • “Ascension did not provide further details on what additional systems still need to be restored and the expected timeline for restoration. Ascension set a June 14 deadline for restoring electronic medical records.”
  • Cybersecurity Dive adds,
    • “Personally identifiable and protected health information may have been exposed during a cyberattack at Ascension last month, the Catholic health system said Wednesday. 
    • “Hackers were able to take files from seven servers used by Ascension for routine tasks. The provider said it has about 25,000 servers across its network.
    • “The attackers gained access to Ascension systems after a worker accidentally downloaded a malicious file, according to the health system.”
  • HHS’s Health Sector Cybersecurity Coordination Center released its May 2024 report on vulnerabilities of interest to the health sector.
  • CISA added the following known exploited vulnerabilities to its catalog last week
  • Bleeping Computer adds,
    • “The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity Windows vulnerability abused in ransomware attacks as a zero-day to its catalog of actively exploited security bugs [on June 13].
    • “Tracked as CVE-2024-26169, this security flaw is caused by an improper privilege management weakness in the Windows Error Reporting service. Successful exploitation lets local attackers gain SYSTEM permissions in low-complexity attacks that don’t require user interaction.
    • “Microsoft addressed the vulnerability on March 12, 2024, during its monthly Patch Tuesday updates. However, the company has yet to update its security advisory to tag the vulnerability as exploited in attacks.”
  • CISA further warns the public,
    • “Impersonation scams are on the rise and often use the names and titles of government employees. The Cybersecurity and Infrastructure Security Agency (CISA) is aware of recent impersonation scammers claiming to represent the agency. As a reminder, CISA staff will never contact you with a request to wire money, cash, cryptocurrency, or use gift cards and will never instruct you to keep the discussion secret.
    • “If you suspect you are a target of an impersonation scammer claiming to be a CISA employee: 
      • Do not pay the caller.
      • Take note of the phone number calling you.
      • Hang up immediately.
      • Validate the contact by calling CISA at (844) SAY-CISA (844-729-2472) or report it to law enforcement.
  • Per Cybersecurity Dive,
    • “More than 100 Snowflake customers are caught in a widespread identity-based attack spree targeting the cloud-based data warehouse vendor’s customers, Mandiant said Monday in a threat intelligence report. The attacks were not caused by a breach of Snowflake’s systems, Mandiant said.
    • “Since at least April 2024, UNC5537 has leveraged stolen credentials to access over 100 Snowflake customer tenants,” Mandiant Consulting CTO Charles Carmakal said Monday in a prepared statement. “The threat actor systematically compromised customer tenants, downloaded data, extorted victims and advertised victim data for sale on cybercriminal forums.”
    • “Snowflake first disclosed the attacks on May 30 and said it first became aware of the malicious activity on May 23. Snowflake was not immediately available to comment on Mandiant’s research. Mandiant and CrowdStrike are assisting Snowflake with an ongoing investigation.”
  • and
    • “Researchers on Friday [June 14] warned a critical vulnerability in the PHP programming language is under increased exploitation activity, as the TellYouThePass ransomware group is targeting vulnerable sites, according to a blog post from Censys
    • “The vulnerability, listed as CVE-2024-4577, has been under attack from the threat group since at least June 7, with about 1,000 infected hosts observed as of Thursday — they are mainly located in China. The number of observed infections is down from about 1,800 as of June 10. 
    • “The Cybersecurity and Infrastructure Security Agency added CVE-2024-4577 to its known exploited vulnerabilities catalog on Wednesday. [June 12]” 
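Both Snowflake items on this page, the CISO Series note on ransom demands and the Mandiant report on UNC5537 above, describe the same initial access: stolen credentials used against customer accounts that relied on a password alone, with no breach of Snowflake itself. The Python below is an added example, not code from Snowflake or Mandiant, of the review a Snowflake customer can run on its own login history to find such accounts. The column names follow those of Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view (EVENT_TIMESTAMP, USER_NAME, CLIENT_IP, REPORTED_CLIENT_TYPE, FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS) as exported to CSV; the rows, the factor labels, the client-type strings and the corporate IP range are constructed assumptions.

```python
"""Find Snowflake accounts that logged in with a password and nothing else.

Added example, not Snowflake's or Mandiant's code. Input is a CSV export of
the ACCOUNT_USAGE.LOGIN_HISTORY view (column names as in that view); the
sample rows, factor labels and corporate address range below are
constructed for the example.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export (not real data).
SAMPLE_LOGIN_HISTORY = """\
EVENT_TIMESTAMP,USER_NAME,CLIENT_IP,REPORTED_CLIENT_TYPE,FIRST_AUTHENTICATION_FACTOR,SECOND_AUTHENTICATION_FACTOR,IS_SUCCESS
2024-05-20 09:02:11,ANALYST1,10.20.30.4,SNOWFLAKE_UI,PASSWORD,DUO_PUSH,YES
2024-05-21 03:14:09,ANALYST1,198.51.100.23,PYTHON_DRIVER,PASSWORD,,YES
2024-05-21 03:15:42,SVC_ETL,203.0.113.7,JDBC_DRIVER,PASSWORD,,YES
2024-05-21 11:00:00,SVC_ETL,10.20.30.9,JDBC_DRIVER,RSA_KEYPAIR,,YES
2024-05-22 08:00:00,ANALYST2,10.20.30.5,SNOWFLAKE_UI,PASSWORD,DUO_PUSH,YES
2024-05-22 08:05:00,ANALYST3,198.51.100.23,PYTHON_DRIVER,PASSWORD,,NO
"""

# Address ranges from which password logins are expected (assumed for the example).
CORPORATE_RANGES = [ipaddress.ip_network("10.20.30.0/24")]


def load_rows(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def single_factor_password_logins(rows):
    """Successful logins that relied on a password with no second factor."""
    return [r for r in rows
            if r["IS_SUCCESS"] == "YES"
            and r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
            and not r["SECOND_AUTHENTICATION_FACTOR"]]


def suspicious_single_factor(rows):
    """Single-factor password logins from outside corporate ranges, grouped by user."""
    out = defaultdict(list)
    for r in single_factor_password_logins(rows):
        if not is_corporate(r["CLIENT_IP"]):
            out[r["USER_NAME"]].append(
                (r["EVENT_TIMESTAMP"], r["CLIENT_IP"], r["REPORTED_CLIENT_TYPE"]))
    return dict(out)


def users_never_seen_with_mfa(rows):
    """Users for whom no login in the export ever presented a second factor."""
    with_mfa = {r["USER_NAME"] for r in rows if r["SECOND_AUTHENTICATION_FACTOR"]}
    return sorted({r["USER_NAME"] for r in rows} - with_mfa)


if __name__ == "__main__":
    rows = load_rows(SAMPLE_LOGIN_HISTORY)
    for user, logins in suspicious_single_factor(rows).items():
        print(user, logins)
    print("never seen with MFA:", users_never_seen_with_mfa(rows))
```

In the sample, ANALYST1 normally signs in through the UI with a Duo push but also has a 03:14 password-only login from an outside address through a driver, which is the pattern to chase: same credential, different factor set, different client. SVC_ETL is a service account that sometimes uses a password; moving it entirely to key-pair authentication removes the single-factor path. The same questions can be asked directly in Snowflake with a query over SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY filtering on SECOND_AUTHENTICATION_FACTOR IS NULL; the Python form is useful when the export has to be joined with other telemetry.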

From the cybersecurity defenses front,

  • Health IT Security reports,
    • “Microsoft and Google have pledged to help rural hospitals prevent cyberattacks by offering free or discounted cybersecurity resources. The commitment from the tech giants is part of a White House-led initiative to bolster cybersecurity in the healthcare sector.”
    • “According to an announcement from the White House, Microsoft will extend its nonprofit program to provide grants to independent critical access hospitals and rural emergency hospitals. For these types of hospitals, the company will also offer a 75% discount on security products optimized for smaller organizations. Larger rural hospitals already using eligible Microsoft solutions will receive the company’s “most advanced security suite at no additional cost for one year.”
    • “The White House also said Microsoft will offer free cybersecurity assessments by technology security providers and free training for frontline and IT staff at eligible rural hospitals. The company also pledged to extend security updates for Windows 10 to participating hospitals for one year at no cost.”
  • Here’s a link to Dark Reading’s CISO corner.
  • Here are links to an ISACA Blog article titled “Managing AI’s Transformative Impact on Business Strategy & Governance: Strategies for CISOs,” and a Tech Target article titled “How to craft a responsible generative AI strategy.”


Cybersecurity Saturday

From the cybersecurity policy front,

  • Per Cybersecurity Dive,
    • “The Biden administration outlined a comprehensive plan Tuesday [June 4] to harmonize a bevy of federal, state and international regulations designed to boost cyber resilience among the nation’s private sector and critical infrastructure providers. Industry stakeholders want the administration to simplify the reporting process to cut back on duplicative disclosure requirements. 
    • “National Cyber Director Harry Coker Jr. said the administration is working on a pilot reciprocity framework to determine how best to streamline the administrative load on critical infrastructure subsectors, in a Tuesday blog post
    • “The administration will also seek additional help from Congress to find legislative authorities to reduce administrative redundancies.
  • The Senate Homeland Security and Governmental Affairs Committee held a hearing on this topic on June 5.
    • “During the hearing, Peters and the witnesses emphasized the importance of having standardized regulations across critical infrastructure sectors to ensure our nation is best prepared to respond to cybersecurity threats. They also reinforced that cybersecurity remains one of the most pressing challenges facing our nation due to our reliance on interconnected systems and increasingly complex cyberattacks. 
    • “Nicholas Leiserson, Assistant National Cyber Director for Cyber Policy and Programs for the Office of the National Cyber Director (ONCD) – the lead federal agency for harmonizing cybersecurity regulations – discussed the challenges the office faces when trying to promote harmonization. David Hinchman, Director of Information Technology and Cybersecurity at the Government Accountability Office, discussed how regulators can best tailor cybersecurity requirements to promote a cohesive response to protect themselves and critical infrastructure owners and operators from cyberattacks.”  
  • Cyberscoop reports on the hearing and a related CISA action.
  • Cybersecurity Dive adds,
    • “Sen. Ron Wyden, D-Ore., is urging the HHS to require large healthcare organizations to improve their cybersecurity practices as increasing attacks and data breaches rock the industry. 
    • “In a letter to Secretary Xavier Becerra, the chairman of the Senate Committee on Finance said the agency’s approach to regulating healthcare cybersecurity is “woefully inadequate,” leaving the sector vulnerable to attack.” 

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive (June 6) and HHS’s Health Sector Cybersecurity Coordination Center (HC3) (June 7) discuss vulnerabilities to Snowflake’s cloud platform.
    • On June 02, 2024, Snowflake observed an increase in cyber threats targeting accounts on their cloud data platform. The vulnerability is possibly associated with CVE-2023-51662. HC3 strongly encourages all users to review the following advisory, and to apply any mitigations to prevent serious damage from occurring to the Healthcare and Public Health (HPH) sector.
  • Dark Reading informs us,
    • “SolarWinds has released its version 2024.2, including a variety of new features and upgrades, along with patches for three different security vulnerabilities.
    • “Notably, one high-severity SWQL injection bug, tracked under CVE-2024-28996 (CVSS 7.5), was reported to SolarWinds security by Nils Putnins, a penetration tester affiliated with the North Atlantic Treaty Organization (NATO), the company reported along with the new release. The other flaws fixed in the latest SolarWinds update included a high-severity cross-site scripting flaw, tracked under CVE-2024-29004 (CVSS 7.1), and a medium-severity race condition vulnerability affecting the Web console, tracked under CVE-2024-28999 (CVSS 7.1), the company said.”
  • HC3 issued on June 4 threat guidance concerning Baxter Welch Allyn vulnerabilities. Baxter Welch Allyn manufactures medical devices.

From the ransomware front,

  • Per Cybersecurity Dive,
    • “Ransomware activity surged last year as attackers flocked to legitimate remote access tools to break into enterprise networks, Mandiant said in a Monday [June 3] report.
    • “There were 4,520 posts on data leak sites last year, a 75% increase from 2022. Threat groups use data leak sites to make claims and ramp up pressure on alleged victims. The number of posts surged to more than 1,300 in the third quarter, setting a quarterly record, Mandiant said. The firm tracked more than 1,200 data leak site posts in the second quarter.
    • “In 2023, Mandiant led 20% more investigations involving ransomware than the previous year, underscoring further evidence of a swell in attacks. “The slight dip in extortion activity in 2022 was an anomaly,” the incident response and research firm said.”
  • Per Fierce Healthcare, “Ascension targets June 14 for system-wide EHR restoration after ransomware attack.”
  • Statescoop lets us know,
    • “Victims of ransomware attacks by the Russian ransomware group LockBit can now unlock their encrypted data for free using the 7,000 decryption keys obtained by the FBI, a federal official announced during an event in Boston on Wednesday [June 4].
    • “The announcement comes after law enforcement took down the group’s infrastructure in February through “Operation Cronos,” an international operation designed to disrupt LockBit’s business model and expose members of the ransomware gang, FBI Cyber Division Assistant Director Bryan Vorndran said in a keynote Wednesday at the 2024 Boston Conference on Cyber Security.
    • “Though the gang still operates, reports show the mission disrupted its activities.
    • “From our ongoing disruption of LockBit, we now have over 7,000 decryption keys and can help victims reclaim their data and get back online,” Vorndran said.”

From the cybersecurity defenses front,

  • Cybersecurity Dive tells us
    • “Telecommunications, media and technology companies are outperforming other sectors in cybersecurity, with more advanced defenses and cyber governance models, Moody’s said Thursday in a report on the sector.
    • “Companies in these sectors accelerated cybersecurity spending by more than 125% on average during the last five years, compared to a 100% growth rate over that period for all global companies, according to the report. Technology companies doubled their cybersecurity spending over the five-year period while telecom businesses increased spending by more than 250%. 
    • “Cybersecurity spending nearly doubled during the past five years, accounting for 10% of companies’ technology budgets in 2023, according to Moody’s. The report is based on Moody’s research and a survey of more than 1,700 respondents.”
  • Here’s a link to Dark Reading’s CISO corner.

Cybersecurity Saturday

From the cybersecurity policy front,

  • Federal News Network tells us,
    • “The Biden administration, having struggled in some cases to set cybersecurity requirements for critical infrastructure, sees a new plan for minimum cyber standards coming together by early 2025.
    • “That’s according to Caitlin Durkovich, special assistant to the president and deputy homeland security advisor for resilience and response. During an event on Thursday hosted by the ICS Village, Durkovich spoke about the Biden administration’s efforts to implement a recently signed national security memorandum on critical infrastructure security.
    • “One of the reasons that we pushed so hard to make sure this NSM was signed out when it was, was so we had some runway to drive the implementation,” Durkovich said. “The president essentially signed it 270 days until the end of his first term. We wanted that first term to be able to implement the majority of actions.”
  • The Wall Street Journal reports,
    • “The U.S. Department of Health and Human Services doesn’t want to get caught flat-footed by the next healthcare hack. 
    • “The agency is leading work to create a map of the cybersecurity risks inherent in having a single technology supplier dominate a particular aspect of the market, a threat known as a single point of failure. The concern comes after a cyberattack on UnitedHealth Group’s Change Healthcare unit early this year produced cascading effects on health claims, freezing millions of dollars in payments. The repercussions took care providers, regulators and lawmakers by surprise.”
  • Yesterday, HHS added the following guidance to its Change Healthcare cyberattack FAQs:
    • “Covered entities affected by the Change Healthcare breach may delegate to Change Healthcare the tasks of providing the required HIPAA breach notifications on their behalf.
    • “Only one entity – which could be the covered entity itself or Change Healthcare – needs to complete breach notifications to affected individuals, HHS, and where applicable the media.
    • “If covered entities work with Change Healthcare to perform the required breach notifications in a manner consistent with the HITECH Act and HIPAA Breach Notification Rule, they would not have additional HIPAA breach notification obligations.
    • “The new and updated FAQs on the Change Healthcare Cybersecurity Incident may be viewed at: https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html.”

From the cyber vulnerabilities and breaches front,

  • The Cybersecurity and Infrastructure Security Agency (CISA) added the following known exploited vulnerabilities to its catalog this week:
  • Cybersecurity Dive adds,
    • The National Institute of Standards and Technology expects to clear the towering backlog of unanalyzed vulnerabilities in the National Vulnerability Database by the end of September, the agency said in a Wednesday update.
    • NIST scaled back its activities on the NVD program in mid-February following a change in interagency funding support and a staggering deluge of CVE disclosures. The agency reported an all-time high of 33,137 vulnerabilities last year, according to Flashpoint research.
    • To help clear the logjam, the agency awarded a cybersecurity analysis and email support contract to Maryland-based Analygence for $865,657 to support the processing of incoming vulnerabilities for the NVD, according to USAspending.gov. “We expect to begin performance the week of June 3,” Analygence COO Tom Peitler said via email.
  • HHS’s Health Sector Cybersecurity Coordination Center posted a “Healthcare Sector DDoS Guide.”
    • “A Distributed-Denial-of-Service (DDoS) attack is a type of cyber attack in which an attacker uses multiple systems, often referred to as a botnet, to send a high volume of traffic or requests to a targeted network or system, overwhelming it and making it unavailable to legitimate users. With the number of attacks increasing every year, they can come at any time, impact any part of a website’s operations or resources, and lead to massive amounts of service interruptions and huge financial losses. In the health and public health (HPH) sector, they have the potential to deny healthcare organizations and providers access to vital resources that can have detrimental impact on the ability to provide care.
    • “Disruptions due to a cyber attack may interrupt business continuity by keeping patients or healthcare personnel from accessing critical healthcare assets such as electronic health records, software-based medical equipment, and websites to coordinate critical tasks. As such, this comprehensive DDoS guide is intended for target healthcare audiences to understand what DDoS attacks are; what causes them; types of DDoS attacks with timely, relevant examples; and mitigations and defenses against a potential attack.”

From the ransomware front,

  • Beckers Hospital Review lets us know,
    • “Most attacks on U.S. healthcare are coming from Russia, ABC affiliate KGTV reported May 28. 
    • “John Riggi, national advisor for cybersecurity and risk at the American Hospital Association, told the publication that ransomware attacks targeting hospitals have increased by more than 300%, with most of these attacks coming from Russia.
    • “The Russian government refuses to cooperate with U.S. law enforcement on these issues, therefore providing them safe harbor,” he told the news outlet.
    • “Mr. Riggi noted that ransomware gangs have also been identified operating in China, North Korea and Iran.
    • “The hacking groups most actively targeting healthcare as of April 2024 were LockBit, BlackCat/ALPHV and BianLian, according to HHS’ Health Sector Cybersecurity Coordination Center, or HC3.”
  • CSO adds,
    • “Two weeks ago, the UK National Crime Agency and the US Department of Justice announced they had unmasked the Russian national alleged to be the creator and administrator of the LockBit ransomware program.
    • “Now, cybersecurity company NCC Group reports that for the first time in eight months, LockBit has also been overtaken by Play as the world’s top ransomware gang, with 32 attacks in April compared to LockBit’s 23 attacks.”
  • Bloomberg informs us,
    • “It’s time to formally stop ransom payments.
    • “That’s the argument that a top cybercrime researcher — one who until recently staunchly opposed such a ban — made to scores of threat intelligence experts who gathered last week in a darkened basement ballroom at a hotel not far from the US Capitol.
    • “Banning ransom payments is an extreme step but it also might be the least bad option available to us,” Allan Liska, a threat analyst at the cyber firm Recorded Future, told the crowd. * * *
    • “On stage, Liska said he’s aware of the counter arguments: A ban won’t work to stop attacks, and blocking companies paying ransoms will do them harm. But, he said, what companies are doing now hasn’t stopped attacks either. While blocking payments might hurt some companies, so do the breaches themselves, he said.
    • “Afterwards, Liska told me he was “dragged kicking and screaming” into opposing ransom payments. The unrelenting pace of attacks last year convinced him that it was time to take a radical step.
    • “It’s not because I think it’s a good idea. It’s because, right now, nothing else has worked and we need to do something,” he said. “I don’t know what else it could possibly be.”

From the cyber defenses front,

  • Cyberscoop relates,
    • “A coalition of international law enforcement agencies carried out what they said was the “largest ever” operation to counter botnet and dropper malware by taking down or disrupting more than 100 servers, seizing 2,000 domains and identifying nearly 70 million euros earned by one of the main suspects in the case. 
    • “Officials with Europol announced early Thursday that “Operation Endgame” targeted droppers — malware used to get other malware onto a system — used extensively to facilitate a range of consequential cybercrimes, including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot.
    • “As part of the operation, authorities made one arrest in Armenia and three in Ukraine, and eight suspects linked to the activities and wanted by Germany will be added to Europe’s Most Wanted list, Europol said in its statement.”
  • Modern Healthcare reports,
    • “Healthcare’s cybersecurity challenges have shined a light on how the industry has failed to protect patient data by not dedicating enough resources to address the problem.
    • “Health systems and insurers are dealing with the aftermath of the industry’s latest large-scale ransomware attacks on St. Louis-based Ascension, UnitedHealth Group’s Change Healthcare and Chicago-based Lurie Children’s Hospital, among others. Conversations are happening over whether organizations should be bringing in outside consultants or hiring more employees, executives say.
    • “Do we have enough people? Do we need consulting help to accelerate resiliency projects and testing? Those are the conversations going on right now,” said James Case, chief information security officer at Jacksonville, Florida-based Baptist Health. “The current climate is causing us to bubble those conversations to the top, and whether we should get help one way or another.”
  • Here’s a link to Dark Reading’s CISO Corner.