From the cybersecurity policy front, Cybersecurity Dive tells us

The Defense Department officially launched its zero trust strategy and road map Tuesday, part of a larger strategy to overhaul the way federal agencies combat sophisticated threat actors, including those from criminal organizations and rogue nation states. 

The DOD will move away from a perimeter-based approach for IT systems defense to a system that essentially assumes the risk of breach during regular interactions and will act accordingly. The plan calls for the Pentagon’s full implementation of the strategy and road map by fiscal 2027.  * * *

Microsoft, in a blog post released Tuesday, praised the DOD announcement on zero trust, noting the challenge of collaborating on zero trust amid the difficulties of comparing implementations across various organizations and technology stacks. 

“However the level of detail found in the DoD’s strategy provides a vendor-agnostic, common lens to evaluate the maturity of a variety of existing and planned implementations that were derived from the DoD’s unique insights on cybersecurity,” Steve Faehl, federal security CTO at Microsoft, said in the blog post. 

From the cybersecurity vulnerabilities front, Forbes offers “A Boiling Cauldron: Cybersecurity Trends, Threats, And Predictions For 2023.”

From the ransomware front, Health IT Security reports

Lorenz ransomware poses a threat to the healthcare sector, particularly larger organizations, the Health Sector Cybersecurity Coordination Center (HC3) warned in its latest analyst note. The human-operated ransomware group has been known to focus on “big-game hunting,” targeting large, high-profile entities rather than private users.

Lorenz threat actors are known to publish data publicly as a tactic to pressure victims during the extortion process. The actors have been observed demanding hefty ransoms, ranging from $500,000 to $700,000.

From the cybersecurity defenses front, Cybersecurity Dive informs us

Cybercriminals are prepared and ready to target online shoppers with fake websites, malicious links and fake charities, the Cybersecurity and Infrastructure Security Agency warned as the holiday shopping season gets underway.

“By following a few guiding principles like checking your devices, shopping from trusted sources, using safe purchasing methods, and following basic cyber hygiene like multifactor authentication, you can drastically improve your online safety when shopping online for gifts this year,” CISA Director Jen Easterly said in a statement.

The federal agency shared tips for individuals to limit cyber risks while shopping online, and encouraged organizations to review guidance it released last year with the FBI to manage cyberthreats during the holidays.

From Capitol Hill, Politico tells us about developments in privacy and cybersecurity legislative efforts.

From the cyber vulnerabilities front —

• The HHS Health Sector Cybersecurity Coordination Center (HC3) issued its monthly vulnerabilities bulletin for October 2022.

• The Cybersecurity and Information Security Agency (CISA) added another known exploited vulnerability to its catalog.

• ZDNet reports on a “concerning” tactic that hackers are using to dodge multi-factor authentication.

• Health IT Security adds “Numerous cloud attacks are successfully exploiting the healthcare sector for financial gain, according to a newly released 2022 Cloud Security Report by cybersecurity vendor Netwrix.”

Cybersecurity Dive warns us

More than one-third of respondents said it took their organization longer to assess the scope, stop and recover from a holiday or weekend attack compared to a weekday, according to a Cybereason survey published Wednesday November 16]. Larger organizations with more than 2,000 employees were even more likely to experience delays.

Organizations would lose more money as a result of a ransomware attack on a weekend or holiday than they were a year ago, according to Cybereason. One-third of respondents said their organization lost more money from a holiday or weekend ransomware attack, up from 13% in 2021.

Organizations in education and travel and transportation reported a greater likelihood of financial losses from a holiday or weekend attack instead of a weekday. About 2 in 5 respondents in those industries said their organization suffered a larger economic impact.

From the ransomware front —

Health IT Security reports

HHS, the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory about Hive ransomware actors. The ransomware actors have been repeatedly targeting critical infrastructure, especially the healthcare sector since they were first observed in June 2021.

As of November 2022, Hive ransomware actors have victimized more than 1,300 companies globally and gained $100 million in ransom payments. The group has claimed multiple healthcare victims, including an attack on Memorial Health System in August 2021 that resulted in appointment cancellations, clinical disruptions, and EHR downtime. * * *

Healthcare organizations should secure and monitor RDP, install updates for software, firmware, and operating systems as soon as they are released, and maintain offline data backups. In addition, organizations were encouraged to enable PowerShell Logging and install and regularly update antivirus software.

The federal bodies also urged organizations to prepare for the event of a ransomware attack by reviewing the security postures of third-party vendors, implementing a recovery plan, and documenting external remote connections.

In the event of a Hive ransomware attack, organizations should isolate infected systems, secure backups, and turn off other computers and devices to manage the attack. Paying the ransom is also highly discouraged, as it may incentivize threat actors to continue victimizing organizations.

“This is another example of foreign-based, primarily Russian-speaking, hackers attacking U.S. health care, John Riggi, the American Hospital Association’s (AHA) national advisor for cybersecurity and risk, said in a subsequent announcement.

Here is Bleeping Computer’s current Week in Ransomware.

Other news this week are new reports on rising ransomware operations:

• Both Microsoft and SecurityScorecard released reports on the Royal Ransomware operation, which is believed to be comprised of ex-Conti members.

• ASEC released a report on Dagon Locker, a rebrand of the Quantum ransomware operation.

• BlackBerry warns of the expanding operations of the ARCrypter ransomware.

From the cybersecurity defenses front

• Cybersecurity Dive informs us that “The Cybersecurity and Infrastructure Security Agency on Thursday [November 17] released its Guide for Stakeholder-Specific Vulnerability Categorization and outlined three areas of focus for continued improvement.”

• The National Institutes of Standards and Technology issued SP 800-125, which is a “Guide to a Secure Enterprise Network Landscape.”

• Mitre shared a “Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook.“

• Forbes provides a new approach to closing the cybersecurity talent gap.

From the cybersecurity policy front, Cybersecurity Dive tells us

Virginia Democrat Sen. Mark Warner, chairman of the Senate Select Committee on Intelligence, has released a white paper detailing a series of potential regulatory requirements for health systems aimed at improving cybersecurity across the industry.

Cyber vulnerabilities increasingly threaten patient safety as well as leaving organizations exposed to data theft, the paper argues. “It has become readily apparent that the way that cybersecurity is treated by those in the healthcare sector needs to change.”

Assembled by Warner’s staff with input from cybersecurity and healthcare experts, the paper outlines the challenges facing care delivery organizations and offers proposals aimed at strengthening providers’ cybersecurity capabilities and building response systems to help recover from attacks. * * *

The paper proposes establishing minimum cyber hygiene practices for healthcare organizations, addressing insecure legacy systems, requiring a “software bill of materials” for medical devices and all healthcare industry software, streamlining information sharing and looking at how Medicare payment policies should be changed to incorporate cybersecurity expenses.

The public comment deadline is December 1, 2022.

From the cyber vulnerabilities front

While the Cybersecurity and Infrastructure Security Agency did not add any new known exploited vulnerabilities this week, the Federal Times offers an article on how to use the catalog which lead the FEHBlog to CISA’s guidance on that topic. CISA allows identified three steps that the agency is taking to transformthe vulnerability management landscape.

• First, we must introduce greater automation into vulnerability management, including by expanding use of the Common Security Advisory Framework (CSAF)
• Second, we must make it easier for organizations to understand whether a given product is impacted by a vulnerability through widespread adoption of Vulnerability Exploitability eXchange (VEX)
• Third, we must help organizations more effectively prioritize vulnerability management resources through use of Stakeholder Specific Vulnerability Categorization (SSVC), including prioritizing vulnerabilities on CISA’s Known Exploited Vulnerabilities (KEV) catalog

Cybersecurity Dive adds

Multiple threat actors are launching attacks against unpatched users of Zimbra Collaboration Suite, a business productivity software and email platform, the Cybersecurity and Infrastructure Security Agency said in a warning Thursday [November 10].  

CISA, in a joint advisory with the Multi-State Information Sharing and Analysis Center (MS-ISAC) and contributions from the FBI, said threat actors are exploiting multiple CVEs to launch attacks against unpatched government and private sector users. 

The advisory updates previous guidance issued in August regarding vulnerabilities in ZCS. Officials urge administrators that failed to patch their systems or are otherwise exposed to the internet, to assume they have been compromised and use third-party detection signatures in the advisory to hunt for threat activity. 

and

Federal authorities are encouraging users and corporate administrators to apply security updates after major vulnerabilities were found in Citrix ADC (Application Delivery Controller) and Citrix Gateway.

The Cybersecurity and Infrastructure Security Agency warned Wednesday that a remote attacker could exploit the vulnerability to take control over an affected system.

Citrix is not aware of any known exploitation in the wild, but is urging administrators to immediately patch their systems, according to a company spokesperson.

Security Week explains how “Microsoft’s latest Patch Tuesday [November 7] updates address six zero-day vulnerabilities, including one related to the Mark-of-the-Web (MotW) security feature that has been exploited by cybercriminals to deliver malware.”

From the ransomware front

Bleeping Computers’ The Week in Ransomware is back.

From the same publication we learn

The U.S. Department of Health and Human Services (HHS) warned today [November 10] that Venus ransomware attacks are also targeting the country’s healthcare organizations.

In an analyst note issued by the Health Sector Cybersecurity Coordination Center (HC3), HHS’ security team also mentions that it knows about at least one incident where Venus ransomware was deployed on the networks of a U.S. healthcare organization. * * *

The threat actors behind the Venus ransomware attacks are known for hacking into the victims’ publicly-exposed Remote Desktop services to encrypt Windows devices.

Besides terminating database services and Office apps, the ransomware will also delete event logs, Shadow Copy Volumes, and disable Data Execution Prevention on compromised endpoints.

Since August, when it began operating, Venus ransomware has been relatively active, with new submissions being uploaded to ID Ransomware every day.

From the cybersecurity defenses front —

Cybersecurity Dive advises us

NIST Special Publication 800-63B Digital Identity Guidelines offers best practices for password lifecycle management, as well policy standards for other authentication methods. The guidelines for password management are straightforward: 

Check passwords against breached password lists

Block passwords contained in password dictionaries

Prevent the use of repetitive or incremental passwords

Disallow context-specific words as passwords

Increase the length of passwords

* * *

[F]ewer than half, 44%,  of organizations provide their employees with guidance and best practices governing passwords and access management, according to Keeper’s 2022 U.S. Cybersecurity Census Report.

Nearly one-third allow employees to set and manage their own passwords – and admit that employees often share access to passwords.

But organizations are reaching a point of no return with passwords. The NIST framework doesn’t just recommend guidelines for password management, but for a variety of authentication methods, including biometrics and multifactor. 

“Time spent on enhancing password-based authentication is a wasted cost; instead, organizations should get out of password schemes as soon as possible and investigate alternatives,” said Maynor. 

Still, it’s helpful to be familiar with these practices for personal use. The article also discusses password manager security.

The Wall Street Journal provides an update in rising cybersecurity insurance premiums:

Data from the latest WSJ Pro Research cybersecurity survey reveals cyber insurance insights including coverage levels, challenges related to buying policies, and claim rates.

There is a wide disparity in purchases of cyber insurance depending on company size: Nine out of ten of the largest companies have cybersecurity insurance coverage, while six in ten of the smallest have coverage.

Premiums are rising: 86% of companies renewing their cyber insurance policies noted an increase in premiums for the same level of coverage.

Reasons for small businesses lacking cyber insurance include not thinking it represents good value for money and believing they are unlikely to be hit with a successful cyberattack.

Larger companies are more likely to claim against their cyber insurance: 11% of large companies made claims in the last 12 months, more than three times the number of smaller businesses that made claims.

Cybersecurity Dive discusses a recent cybersecurity insurannce coverage dispute. “The legal dispute between the snack giant [Mondelez] and insurer Zurich American, which lasted four years, raises further questions about how insurers cover acts of cyber war.”

From the cybersecurity policy front —

Health IT Security informs us

President Biden issued a proclamation declaring November as Critical Infrastructure Security and Resilience Month. The President highlighted ways in which the Administration has taken action to protect critical infrastructure from cyber and physical threats and underscored the importance of security awareness and action to maintain critical infrastructure resilience.

The Cybersecurity and Infrastructure Security Agency applauded the President’s action.

Throughout November, CISA will be bringing the world of infrastructure security and resilience to life with interviews and blogs featuring CISA staff and external industry partners, as well as other activities. We encourage everyone to visit CISA’s Infrastructure Security Month webpage for more information and resources. Be sure to follow CISA on social media throughout the month for resources, tools, and tips you can use to help identify and reduce risk to infrastructure facilities, their internet and operational technology systems, employees, visitors and more.

Cybersecurity Dive adds

Officials at the Cybersecurity and Infrastructure Security Agency are optimistic that U.S. companies will embrace its efforts to boost cooperation on raising cybersecurity performance goals, sharing intelligence and building resiliency.  * * *

“We need to ensure that we’re coming together to really protect the technology ecosystem instead of putting the burden on those least able to defend themselves,” [CISA Director Jen] Easterly said during the forum [hosted by the Center for Strategic and International Studies on November 1]. “So [I’m] very excited about what I’m seeing from the technology companies.”

Another objective is to get more large companies to embrace cybersecurity as a corporate governance, not just technology concern, Easterly said.

From the cyber vulnerabilities front

The Healthcare Sector Cybersecurity Coordination Center issued a PowerPoint presentation about Iranian Threat Actors and Healthcare.

CISA added one more known exploited vulnerability to its catalog.

Last Tuesday, CISA announced

OpenSSL has released a security advisory to address two vulnerabilities, CVE-2022-3602 and CVE-2022-3786, affecting OpenSSL versions 3.0.0 through 3.0.6.

Both CVE-2022-3602 and CVE-2022-3786 can cause a denial of service. According to OpenSSL, a cyber threat actor leveraging CVE-2022-3786, “can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution,” allowing them to take control of an affected system.

CISA encourages users and administrators to review the OpenSSL advisory, blog, OpenSSL 3.0.7 announcement, and upgrade to OpenSSL 3.0.7. For additional information on affected products, see the 2022 OpenSSL vulnerability – CVE-2022-3602 GitHub repository, jointly maintained by the Netherland’s National Cyber Security Centrum (NCSC-NL) and CISA.

From the ransomware front

The Wall Street Journal reports

U.S. banks flagged ransomware-related transactions adding up to more than $1 billion in 2021, the Treasury Department said, although risk experts said that barely scratches the surface of cybercrime’s true economic scale.

Data released by the Financial Crimes Enforcement Network, or FinCEN, this week showed the number and value of transactions that banks had flagged as related to ransomware in 2021 reached $1.2 billion, spread across 1,489 reports to regulators. In 2020, such transactions totaled $416 million across 487 reports.

“I think we’re seeing the tip of the iceberg in terms of what these actual payments are,” said Paul Benda, senior vice president for operational risk and cybersecurity at the American Bankers Association, a trade group for banks. 

Wow.

Cyberscoop tells us

On Tuesday [November 1], the White House wrapped up a two-day ransomware summit, where participants agreed to stand up a voluntary International Counter Ransomware Task Force to serve as a base for coordinated disruption and threat sharing. The initiative, which will launch sometime early next year, will start with a fusion center operated out of Lithuania’s Regional Cyber Defense Center as a test case for a bigger information-sharing program.

From the cybersecurity defenses front

HIPAA Journal relates

The Department of Health and Human Services (HHS)’ Office for Civil Rights (OCR) has released a video presentation on its YouTube channel that explains in detail how the 2021 HITECH Act amendment regarding “Recognized Security Practices” applies to HIPAA-regulated entities, and how HIPAA-regulated entities can demonstrate to OCR that Recognized Security Practices have been in place for the 12 months prior to a security breach. * * *

In the video, Nick Heesters, senior advisor for cybersecurity at OCR, explains how the HITECH Act was amended, what constitutes Recognized Security Practices, and how they can be implemented to reduce liability. * * *

Heesters confirmed that in the event of an audit or investigation into potential HIPAA Security Rule violations, OCR will send a data request to the regulated entity to inform them they can voluntarily provide evidence that Recognized Security Practices have been in place. * * *

Heesters explained how HIPAA-regulated entities can demonstrate to OCR that Recognized Security Practices have been in place and the types of evidence that they can consider submitting.

Heesters confirmed that organizations that have implemented Recognized Security Practices, and are able to demonstrate that sufficiently, will not avoid financial penalties, but OCR will consider the Recognized Security Practices as a mitigating factor. These practices only mitigate against HIPAA Security Rule investigations and audits, not other investigations and audits, such as investigations into potential HIPAA Privacy Rule violations. Heesters also confirmed that the lack of Recognized Security Practices will not be considered an aggravating factor and will not result in increased penalties.

CISA released guidance on phishing-resistant multifactor authentication this week. Cybersecurity Dive adds

Phishing-resistant multifactor authentication isn’t just the strongest form of MFA — it’s “the gold standard for MFA,” according to the Cybersecurity and Infrastructure Security Agency.

The federal agency this week published a fact sheet to clarify its definition of phishing-resistant MFA and provide guidance and prioritization schemes for organizations to implement the safeguards in logical phases. 

• Three key recommendations from CISA.
• Stick to FIDO standards and the Web Authentication API (WebAuthn) protocol.
• Take stock of your IT systems, determine which platforms support MFA and start there.
• Roll out phishing-resistant MFA in phases, placing early emphasis on high-value targets and resources.

FIDO standards and the WebAuthn protocol are the only widely available phishing-resistant forms of MFA, according to CISA. The protocol and standard, both developed by the FIDO Alliance, can work together to bolster MFA.

From the cybersecurity policy front —

Cybersecurity Dive reports

The Cybersecurity and Infrastructure Security Agency released its long-awaited, cross sector cybersecurity performance goals Thursday, in a bid to raise the security baselines. Far from esoteric, the efforts listed are meant to serve as a broadly-digestible roadmap to minimum operational security.

The 37 voluntary goals span the technical and the tactical, weighing the cost, complexity and impact of security initiatives. But they are not exhaustive and do not capture all that is required to protect critical infrastructure security. 

The goals “capture a core set of cybersecurity practices with known risk-reduction value broadly applicable across sectors,” CISA said.

CISA placed a premium on low cost, high impact security efforts, which accounts for more than 40% of the goals. 

and

“CISA Director Jen Easterly, in a Thursday media call, said the guidelines would be particularly helpful for local organizations that may operate in the supply chains of larger companies or target rich, resource poor providers like hospitals, K-12 school districts or local water utilities.”

Cyberscoop adds

Danielle Jablanski, an OT cybersecurity strategist at cybersecurity firm Nozomi Networks, noted that the goals are “extremely accessible” and allows an organization to choose how to adopt the practices without a sort of formalized mandate.

“There’s a lot of things that are out of [asset owners] control and I think this document brings them in and focuses in on what is in their control what’s in their power and what’s in their capability to get done,” she said.

The CISA performance goals remind me of the flexibility built into the HIPAA Security Rule. Speaking of which, here’s the HHS Office for Civil Rights October Cybersecurity Newsletter, which discusses the HIPAA Security Rule’s Security Incident Procedures. Health IT Security discusses the newsletter’s recommendations.

From the cyber breach front —

U.S. News and World Reports lists the ten biggest breaches of 2022 so far.

Closer to home, Govexec reports on a federal employee’s unfortunate experience of having her Thrift Savings Account looted by a hacker.

From the cyber vulnerability front

Tech Republic tells us “In their new report, SonicWall explores some of the most dangerous trends that security professionals need to have on their radar.”

The Health Section Cybersecurity Coordination Center (HC3) issued its Monthly Cybersecurity Vulnerability Bulletin.

In September 2022, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for this month are from Microsoft, Google/Android, Apple, Cisco, Adobe, SAP, and VMWare. A vulnerability is given the classification as a zero- day if it is actively exploited with no fix available or is publicly disclosed. HC3 recommends patching all vulnerabilities with special consideration to the risk management posture of the organization.

HC3 also released a sector alert titled “Critical OpenSSL Vulnerability Will Require Action by Healthcare Organizations.”

A software library called OpenSSL – used with many of the most common operating systems and applications for secure communications – is going to receive an important update on Tuesday, November 1, 2022. OpenSSL is deployed across industries ubiquitously, including the health sector. HC3 highly recommends all public and private heatlh sector organizations identify all instances of OpenSSL in their infrastructure and prepare to test and deploy the patch as soon as it is released.

CISA updated its Known Exploited Vulnerabilities Catalog with six plus one new vulnerabilities this week.

From the ransomware front —

Cybersecurity Dive reports

Ransomware attack activity jumped 26% from August to September, hitting 202 victims and reaching a number of cases not observed since May, according to NCC Group’s Monthly Threat Pulse report. Last year still holds the lead for monthly highs.

The jump in ransomware was partly accelerated by a summer spree of attacks initiated by the LockBit ransomware group, which was responsible for more than half of all attacks tracked by NCC Group’s threat intelligence team in September. The prolific threat actor first appeared in September 2019 and is now on version 3.0 of its ransomware strain and payloads.

While month-to-month ransomware activity ebbs and flows, the sectors most heavily targeted and hit by attacks have held steady, according to NCC Group. The industrials sector — including construction, manufacturing, distribution and engineering products, among others — was the most-targeted industry in September with 57 incidents and accounting for more than one-quarter of attacks. Attacks on industrials doubled the next most-hit target, consumer cyclicals.

Tech Republic identifies the top ransomware groups of 2022.

Healthcare Dive uses the recent ransomware attack on Common Spirit Health to explain why cybersecurity needs to be an important consideration in merger and acquisitions due diligence work.

Here’s the latest Week in Ransomware from Bleeping Computer.

From the cyber defense front —

• An expert writing in ISACA points out the top three mistakes IT security teams make.
• CISA issued guidance on “Understanding and Responding to Distributed Denial-of-Service Attacks.”

From the cyber policy front —

Cybersecurity Dive reports

National Cyber Director Chris Inglis said the Biden administration’s long-anticipated national cybersecurity strategy could be ready as early as late November but may take a couple of additional months for final completion. 

Inglis, speaking at the mWISE conference in Washington D.C. Wednesday, said the strategy would focus heavily on international cybersecurity issues as well as workforce development concerns, a major issue for the information security industry.

Officials have made considerable outreach to the private sector in terms of developing the strategy, with two-thirds of about 300 engagements being made with private industry officials.

and

Water, hospitals and K-12 schools will be the primary area of focus for the Cybersecurity and Infrastructure Security Agency over the next year, CISA Director Jen Easterly said Thursday at Mandiant’s mWISE Conference. 

Healthcare and water are among 16 critical infrastructure sectors CISA and other federal agencies have identified as “so vital to the U.S. that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” While schools are not considered critical infrastructure, they represent a soft target that is frequently hit by debilitating ransomware attacks.

CISA, in a bid to prioritize risk management and cyber resilience guidance across critical services, is placing higher emphasis, at least initially, on what Easterly describes as “target-rich, resource-poor entities.”

Health IT Security adds

For healthcare, further federal security guidance could help the sector manage risk amid an increasingly complex and active cyber threat landscape. In 2021, the healthcare sector fell victim to ransomware more than any other critical infrastructure sector, the Federal Bureau of Investigation found.

“We unfortunately continue to see ransomware attacks against hospitals, which could be helped if hospitals had a baseline to establish, maintain, and measure their cyber security hygiene and level of preparedness,” Stacy O’Mara, senior director of government affairs at Mandiant, told HealthITSecurity.* * * *

A streamlined approach could help to ease the burden on individual entities.

“While all of these existing regulations are helpful to the healthcare sector – and should evolve to account for evolving threats to patients’ medical records, medical devices, and hospitals’ networks and systems – the federal government needs to continue its efforts to harmonize and streamline regulatory requirements,” O’Mara suggested.

Amen to that suggestion.

From the cyber breach front, Fierce Healthcare tells us

Advocate Aurora Health gave notice to patients that their health data may have been exposed through tracking technology. 

Up to 3 million patients may have been impacted in the breach against the health system, which is one of the Chicago area’s largest healthcare providers.

Advocate Aurora explained in a statement on its website that through the use of internet tracking technologies certain interactions on the provider’s website were leaked. The technologies from companies like Google and Facebook’s parent company Meta put pieces of code, called pixels, on certain websites and applications.

“These pixels or similar technologies were designed to gather information that we review in aggregate so that we can better understand patient needs and preferences to provide needed care to our patient population,” the health system said in the online statement. “We learned that pixels or similar technologies installed on our patient portals available through MyChart and LiveWell websites and applications, as well as on some of our scheduling widgets, transmitted certain patient information to the third-party vendors that provided us with the pixel technology.”

The health system said it has disabled and/or removed the pixels from its platforms and launched an internal investigation to better understand what patient information was transmitted to third-party vendors. * * *

Advocate Aurora had advised patients to use browser tracker-blocking features or incognito mode when logging into medical portals. It also suggests that those Facebook or Google accounts examine their privacy settings.

Wow.

Cybersecurity Dive discusses a former Uber chief security officer conviction stemming from the handling of a ransomware incident.

Sullivan was convicted of obstructing a Federal Trade Commission probe, which had been investigating a prior breach at Uber. He was also convicted of a rarely charged crime called misprision, which involves knowing concealment of a crime.

Following the verdict, U.S. Attorney Stephanie Hinds said federal authorities expect companies to promptly alert customers and appropriate authorities when such data is stolen by hackers. 

“Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught,” Hinds said in the announcement of the verdict by the Department of Justice. “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers, than in protecting users.”

Sullivan faces up to five years in prison for obstruction and up to three years in prison for misprision of a felony. 

From the cyber vulnerabilities front —

Cybersecurity Dive informs us

The Apache Commons Text team is urging users to upgrade to version v1.10.0, which disables faulty interpolators at the center of a critical vulnerability that some security researchers have now dubbed “Text4Shell.” 

Those using an earlier version of commons text are considered safe from the vulnerability. Apache says users are only affected when using a stringsubstitutor API without properly sanitizing untrusted input, according to a blog post released Tuesday. 

The upgrade to v1.10.0 will serve as a quick workaround, however the best option is to properly validate and sanitize any untrusted input.

CSO Online reports

Distributing malware inside password-protected archives has long been one of the main techniques used by attackers to bypass email security filters. More recently, researchers have spotted a variation that uses nested self-extracting archives that no longer require victims to input the password.

“This is significant because one of the most difficult obstacles threat actors face when conducting this type of spam campaign is to convince the target to open the archive using the provided password,” researchers from Trustwave SpiderLabs said in a new report.

The Cybersecurity Intelligence and Security Agency “released a security update to address vulnerabilities affecting Cisco Identity Services Engine (ISE). A remote attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing high and low severity vulnerabilities, see the Cisco Security Advisories page.”

From the ransomware front, the American Hospital Association reports

The FBI, Cybersecurity and Infrastructure Security Agency and Department of Health and Human Services today [October 21] alerted U.S. organizations to a cybercrime group targeting the health care sector with ransomware and data extortion operations. The group has attacked multiple organizations since June, deploying ransomware to encrypt servers responsible for health care services, exfiltrating personal identifiable information and patient health information, and threatening to release the information if a ransom is not paid. The advisory includes indicators of compromise and recommended actions to protect against these attacks.

“This particularly urgent alert is directly relevant to ongoing ransomware threats currently targeting hospitals and health systems,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “The report also contains actionable indicators of compromise, malware signatures that should be loaded into network defense and intrusion detection systems. If there is any indication of this ransomware being present on hospital or health system networks, it is recommended that immediate steps be taken to contain, isolate and remediate. It is also strongly recommended that local FBI and CISA field offices be contacted immediately.”

Here’s the latest Bleeping Computer Week in Ransomware.

From the cyber defenses’ front —

Health IT Security informs us

Enabling multi-factor authentication (MFA) is “the single most important thing Americans can do to stay safe online,” Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly wrote in a CISA blog post.

But Easterly encouraged businesses and technology vendors in particular to go one step further and ensure that FIDO authentication is part of their MFA implementation plans.

“We’ve known for years that any form of MFA is better than no MFA. That’s still true, but we’ve also known that at some point ‘traditional MFA’ would become ‘legacy MFA’ and need to be reassessed or even replaced,” Easterly wrote.

“Luckily a group of companies formed the FIDO Alliance to create a phishing-resistant form of MFA.”

According to its website, the FIDO Alliance is an open industry association united by the goal of reducing “the world’s over-reliance on passwords.”

The FIDO Alliance has globally available technical specifications and industry certification programs that make authentication simpler and more secure.

Security Magazine provides an overview of cyber defenses drawn from an IBM report.

From the cyber breach front, Federal News Network informs us

Victims of one of the largest data breaches to ever hit the federal government are one step closer to a payout, more than seven years later.

A federal judge on Friday finalized the Office of Personnel Management’s settlement agreement with current and former federal employees, as well as federal job applicants, impacted by a major data breach in 2015.

District Judge Amy Berman Jackson, in a fairness hearing at the U.S. District Court for the District of Columbia, said the $63 million settlement for breach victims was “fair, reasonable and adequate.” * * *

Court documents show nearly 20,000 individuals have already signed onto the class-action lawsuit, but individuals breach have until Dec. 23 to submit a claim to join the class-action lawsuit.

The law firm Girard Sharp, which represents plaintiffs in the lawsuit, said in June that the settlement will provide a minimum payment of $700 for individuals who suffered a financial loss as a result of the hack, “even for those with minor expenses.”

Reuters adds

[District Judge Amy Berman Jackson] on Friday said she will slash thousands of dollars in proposed “incentive” awards for plaintiffs who settled data-breach claims against the U.S. Office of Personnel Management, as the court prepares to issue a final order approving the $63 million deal.

U.S. District Judge Amy Berman Jackson in Washington, D.C., at a hearing said she will approve a “nominal” amount of $1,000 for 36 named plaintiffs who led the privacy case against the Office of Personnel Management (OPM), the primary human resources agency in the federal government.

From the cyberpolicy front —

This coming week is

Cybersecurity Career Awareness Week, a week-long campaign in the middle of Cybersecurity Awareness Month focused on raising awareness around cybersecurity job opportunities and how building a cyber workforce enhances our nation’s security.  Hosted by National Institute of Standards and Technology (NIST), this week runs from October 17-22 this year.

CyberScoop informs us

The White House National Security Council will announce plans Tuesday for a consumer products cybersecurity labeling program intended to improve digital safeguards on internet-connected devices, a senior White House official told CyberScoop. 

About 50 representatives from consumer product associations, manufacturing companies and technology think tanks will convene at the White House on Oct. 19 for a workshop on the voluntary effort ahead of an expected spring 2023 launch.

The White House briefly described the effort in a document it released Tuesday outlining various cybersecurity initiatives. The administration plans to start with recommending three or four cybersecurity standards that manufacturers can use as the basis for labels that communicate the risks associated with using so-called internet of things devices.

The FEHBlog ran across CISA’s 2023 to 2025 Strategic Plan that was released in September. Here is a Homeland Security Today article on the new plan.

Health IT Analytics reports

The White House [earlier this month] unveiled its Blueprint for an AI Bill of Rights earlier this week, which identifies five guidelines for the design, use, and deployment of automated and artificial intelligence (AI)-based tools to protect Americans from harm as the use of these technologies continues to grow in multiple industries.

The blueprint outlines five core principles: safe and effective systems, algorithmic discrimination protections, data privacy, notice and explanation, and human alternatives, consideration, and fallback. These are intended to serve as practical guidance for the US government, tech companies, researchers, and other stakeholders, but the blueprint is nonbinding and does not constitute regulatory policy.

The guidelines apply to AI and automated tools across industries, including healthcare, and are part of a larger conversation around the ethical use of AI.

From the cyber vulnerabilities front

Cybersecurity Dive tells us

The Cybersecurity and Infrastructure Security Agency on Tuesday added multiple Fortinet products to its Known Exploited Vulnerabilities Catalog, one day after the company warned an authentication bypass vulnerability was being actively exploited. 

The vulnerabilities, listed as CVE-2022-40684, allow for authentication bypass, which enables an attacker to perform operations on the administrative interface. The vulnerability, which has a CVSS score of 9.6, involved FortiOS, FortiProxy and FortiSwitchManager. 

The company initially disclosed the vulnerability on Oct. 3 and urged customers to immediately perform a software upgrade. Late last week, Fortinet sent an internal email to select customers providing a confidential warning along with mitigation advice. 

Security Week reported last Tuesday

Microsoft on Tuesday released software fixes to address more than 90 security defects affecting products in the Windows ecosystem and warned that one of the vulnerabilities was already being exploited as zero-day in the wild.

The exploited vulnerability – documented as CVE-2022-41033 – affects the Windows COM+ event system service and has been exploited in elevation of privilege attacks, suggesting it was used as part of an exploit chain detected in the wild.

The latest zero-day was reported anonymously to Microsoft.

The new warning comes less than a month after Microsoft’s security response team scrambled to issue mitigations for a pair of Exchange Server flaws targeted by a nation state-level threat actor.

Those two Exchange Server vulnerabilities – CVE-2022-41040 and CVE-2022-21082 — remain unpatched.

From the ransomware front, Health IT Security relates “As suspected and validated by local news reports, the CommonSpirit “IT issue” was in fact a ransomware attack. CommonSpirit confirmed the nature of the attack in a recent update posted on its website. Hospitals across the country are still feeling the impacts of the attack that began as early as October 3.”

Cybersecurity Dive adds

CommonSpirit has [informed law enforcement and] launched a forensics investigation to determine the data impacts and said it tapped leading cybersecurity specialists to help.

“The fact that this has turned out to be a ransomware incident is not at all surprising,” Brett Callow, a threat analyst at security firm Emsisoft, said. “What remains to be seen is how quickly CommunitySpirit can recover its systems and resume normal operations and whether or not any data was stolen during the attack. If data was stolen, the attackers will likely use the threat of releasing it online as additional leverage to try to extort payment.”

Here’s the latest Bleeping Computer “The Week in Ransomware.“

From the cyber defenses front

• Cybersecurity Dive considers phishing resistant mult-factor authentication and offers “four tips to protect IT employees from phishing attacks.”

• CISA suggests actions to help prevent against advanced persistent threat cyber activity.

From the cybersecurity policy front, Cyberscoop reports

The Cybersecurity and Infrastructure Security Agency announced a Binding Operational Directive on Monday ordering federal civilian agencies to enhance efforts to detect vulnerabilities in their networks, a move that CISA Director Jen Easterly hopes the private sector will emulate.

The Improving Asset Visibility and Vulnerability Detection on Federal Networks, or BOD 23-01, directive is designed to improve “asset visibility and vulnerability detection on federal networks,” Easterly told reporters during a CISA roundtable discussion on Monday. Federal civilian agencies now will be expected to report detailed data about vulnerabilities to CISA at timed intervals using automated tools, she said.

“We have said consistently that we are on an urgent path to gain visibility into risks facing federal civilian networks,” Easterly told reporters. “This is a movement essentially to allow CISA, in its role as operational lead for federal cybersecurity, to manage federal cybersecurity as an enterprise.”

Cyberscoop adds

The congressional commission charged with bolstering U.S. cyber defenses has already seen plenty of its recommendations realized: the appointment of a national cyber director, increased CISA funding and a State Department cyber ambassador.

And a new report released Wednesday shows the Cyberspace Solarium Commission is on track to have 85% of all of its recommendations implemented with the remaining either facing some hurdles or “significant barriers.”

The commission progress report shows that nearly 60% of its original 82 recommendations have been fully or nearly implemented and more than 25% are on track to be realized.

From the cyber breaches and vulnerability front

Cybersecurity Dive reports

An “IT security incident” reported this week by CommonSpirit Health, one of the nation’s largest health systems, is likely a cyberattack, security experts said.

CommonSpirit announced on Tuesday that an unspecified security incident was affecting multiple regions and interrupting access to electronic health records. As a precautionary step, some systems were taken offline as a result of the incident, the system said. * * *

While few details have left some to speculate on the nature of security incident at Chicago-based CommonSpirit Health, moving systems offline and interrupting access to electronic health records is viewed as a defensive move, security experts told Healthcare Dive. 

It’s possible that an “an attacker has access or is trying to get access to their system and they want to do whatever they can to prevent that. So what’s the easiest way to do that? Unplug everything,” said Allie Mellen, senior analyst of security and risk at Forrester, a research and advisory firm for various industries. 

The Health Sector Cybersecurity Coordination Center released a presentation on “Abuse of Legitimate Security Tools and Health Sector Cybersecurity.” The presentation discusses how bad actors can turn “tools used to operate, maintain and secure healthcare systems and networks ” against that infrastructure.”

From the ransomware front

• The Government Accountability Office released a report on the topic. “Homeland Security, FBI, and Secret Service help state, local, and other governments prevent or respond to ransomware attacks on systems like emergency services. Most government entities said they were satisfied with the agencies’ prevention and response efforts. But many cited inconsistent communication during attacks as a problem. We recommended that the federal agencies address cited issues and follow key practices for better collaboration.”

• ZDNet informs us, “Over half of ransomware attacks now begin with criminals exploiting vulnerabilities in remote and internet-facing systems as hackers look to take advantage of unpatched cybersecurity issues. According to the analysis of ransomware incidents during the past year by researchers at security company Secureworks, 52% of attacks started with malicious hackers exploiting remote services.”

• As almost always, Bleeping Computer offers us The Week in Ransomware.

From the cyber defenses front

• CISA kicked off National Cybersecurity Awareness Month last Monday. “This year’s campaign theme — “See Yourself in Cyber” — demonstrates that while cybersecurity may seem like a complex subject, ultimately, it’s really all about people.” Here’s CISA’s event page.

• The National Cybersecurity Alliance joins CISA in sponsoring this awareness event. The Alliance shared four points (plus one) on staying safe online.

• Cybersecurity Dive cautions that multifactor authentication is a cybersecurity tool, not a solution.

From the cyberpolicy front, let’s remember, “Cybersecurity Awareness Month, every October, is a collaboration between government and private industry to raise awareness about digital security and empower everyone to protect their data from digital forms of crime.”

CISA adds that the agency “postpone[d] the 5th Annual National Cybersecurity Summit due to the mission-critical work of preparing for the potential impact of Hurricane Ian in the region. The summit was originally scheduled to occur on October 4. Visit CISA’s National Cybersecurity Summit webpage and follow CISA on social media for the latest news and updated registration information when it’s available.”

From the cyber vulnerabilities front —

Cybersecurity Dive informs us in an article posted on September 30

Microsoft is investigating reports of two zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016 and 2019, according to a blog post issued Friday. The vulnerabilities do not affect Microsoft Exchange Online Customers.

The first vulnerability, CVE-2022-41040, is a server-side request forgery vulnerability, Microsoft said. The second, CVE-2022-41082, allows remote-code execution when a threat actor has access to PowerShell. 

Microsoft confirmed it was aware of limited targeted incidents with attackers using the two vulnerabilities to compromise systems. During the incidents, an attacker can use CVE-2022-41040 to allow an authenticated attacker to remotely trigger CVE-2022-41082.

The Health Sector Cybersecurity Coordination Center issued an alert on the Microsoft zero day vulnerabilities.

Currently, the full impact to the Healthcare and public health (HPH) sector is unknown; however, the threat actors actively exploiting these vulnerabilities make the HPH sector a potential target.

CISA issued an alert titled “Microsoft Releases Guidance on Zero-Day Vulnerabilities in Microsoft Exchange Server.”

CISA’s other vulnerability advisories issued last week include the following

• On September 27, CISA Updates Advisory on Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite

• On September 29, “VMWare Releases Guidance for VirtualPITA, VirtualPIE, and VirtualGATE Malware Targeting vSphere.”

• On September 30, Cisco Releases Security Updates for Multiple Products

What’s more, CISA added three vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. 

From the ransomware front, Cybersecurity Dive reports

U.S. businesses were targeted by nearly half of all publicly acknowledged ransomware attacks globally between January 2020 and July 2022, according to data collected by NordLocker and published Tuesday in a report. 

Of the 5,200 cases recorded on ransomware groups’ sites, U.S. organizations accounted for almost 2,400 incidents. Businesses in California, Texas, Florida and New York suffered the greatest number of ransomware attacks, but Michigan businesses were hit hardest when the rate is adjusted by the number of active businesses in each state.

Small- and medium-sized businesses with two to 200 employees suffered the most attacks during the period, accounting for 46%, or 2,300 ransomware attacks total, according to the report.

And here’s the September 30 “The Week in Ransomware“, from the Bleeping Computer.

This week’s news primarily revolves around LockBit, BlackMatter, and the rising enterprise-targeting Royal ransomware operation.

As expected, threat actors now use the leaked LockBit 3.0 ransomware builder for their ransomware operations. For example, the Bl00Dy Ransomware Gang, who previously used Babuk and Conti encryptors, has now switched to a LockBit 3.0 encryptor in an attack on a Ukrainian business.

Researchers also reported that TargetCompany ransomware affiliates are now targeting publicly exposed Microsoft SQL servers.

Another interesting research is the prediction that ransomware gangs may move away from encrypting altogether and switch to pure data exfiltration and file deletion to cut out the ransomware developer. This idea stems from a new file deletion/corruption feature in a data theft tool used by a BlackMatter affiliate.

From the cyberdefenses front —

• Health IT Security offers six healthcare cybersecurity strategies for successful CISOs; Mastering effective communication, implementing a risk-based healthcare cybersecurity approach, and attracting top cyber talent are all parts of a CISO’s job description.”

• The Wall Street Journal reports “Heightened Cyber Threat Brings CIOs, CISOs Closer; The work dynamic between IT and cyber leaders is changing as digital fortification becomes more urgent. ‘Everybody’s top of mind is cybersecurity,’ says one CISO.”

• The Journal adds “A mix of regulation, investor demands and insurance requirements is pushing companies to elevate the oversight of cybersecurity, officials from the U.S. and other countries say.”

• Cybersecurity Dive tells us about “six things that businesses need to know about the changing privacy landscape. New bills are proposed every day, and while only a few will become official policy, there may be important trends that impact businesses.”

From the cybersecurity policy front, CISA announced the speakers scheduled for its Fifth National Cybersecurity Summit to be held in Atlanta, GA, on October 4, 2022. You may attend in person or virtually. You can register here: CISA’s 5th Annual National Cybersecurity Summit Tickets | Eventbrite There’s no charge to attend this summit.

From the cyberbreach front, Cybersecurity Dive reports “Uber details how it got hacked, claims limited damage; While there’s no evidence the rideshare company’s codebase was altered, the attacker did gain access to Slack, vulnerability reports and financial data.” The FEHBlog called attention to the Uber breach in last week’s post.

From the cybervulnerability front

• Health IT Security informs us, “The Health Sector Cybersecurity Coordination Center (HC3) warned the healthcare sector of a new monkeypox-themed phishing scheme targeting healthcare providers.”

• HC3 also released a PowerPoint presentation on a Chinese State-Sponsored Threat Act APT41 and recent activity.

• CISA added another known exploited vulnerability to its catalog.

• Vulture Beat discusses “Keeper Security[‘s] * * * second annual 2022 U.S. Cybersecurity Census Report, which maps the transforming landscape of cybersecurity based on expert insights from 500+ IT decision-makers in U.S. businesses. This year’s findings clearly show that while cybersecurity is a key priority, staying a step ahead of bad actors is a continuous challenge -– and many businesses are not keeping pace. According to survey respondents, U.S. businesses experience 42 cyberattacks each year. Of those, about three cyberattacks are successful. The overwhelming majority of respondents expect the total number of attacks will increase over the next year, with 39% predicting the number of successful cyberattacks will also increase.

• CISA announced that “Microsoft has released a security update to address a vulnerability in Microsoft Endpoint Configuration Manager, versions 2103-2207. An attacker could exploit this vulnerability to obtain sensitive information. CISA encourages users and administrators to review Microsoft’s Security Advisory for CVE-2022-37972 and apply the necessary updates.

From the ransomware front, all we have this week is the Bleeping Computer’s reliable and comprehensive The Week in Ransomware.

From the cyberdefenses front, the FEHBlog was very impressed by the Wall Street Journal article about zero-trust architecture.

The companies that should know best how to fight hackers, tech firms, have reached an arresting conclusion: The weakest link in security, as it’s been since the Trojan War, is humans.

Increasingly, they are taking a new approach: Trust no one.

The philosophy, known as zero-trust architecture, assumes that no matter how robust a company’s external defenses are, hackers can get in. So companies need to make sure that even users inside a network can’t do serious damage. * * *

“Zero trust is based on the idea that you don’t trust anything in your system anymore,” says Anshu Sharma, chief executive of Skyflow, a startup that uses zero-trust principles to safeguard personal data for other companies. “Just because you’re in the building, you don’t get access to important stuff.” 

Many of the design principles that guide engineers building zero-trust systems are easy to understand. If you’ve found yourself having to log back into corporate systems or your bank’s website more often of late, that’s a version of the zero-trust tactic of regularly “rotating” the credentials that allow people and computers to access other systems. The idea is that even if attackers got in with your account, they’d have limited time to do damage.

Another zero-trust principle, known as behavioral analysis, is that software should monitor the behavior of those on a network and flag anyone doing something unusual, like trying to make an extra-large bank withdrawal. (This is the same kind of analysis that leads your bank to send you a text if you make an out-of-character credit-card purchase, for example, when you’re traveling to a new city.)

The consistent theme is that every component of a system should be skeptical, even if you’ve identified yourself and gained access, that you are who you say you are and are doing what you should be doing.