Cybersecurity Saturday

From the cybersecurity policy front,

  • Healthcare Dive informs us,
    • “The HHS released voluntary cybersecurity goals for healthcare and public health organizations on Wednesday, as the industry grapples with increasing large data breaches and ransomware attacks. 
    • “The performance goals, broken down into essential and enhanced safeguards, aim to help organizations prevent cyberattacks, improve their response if an incident occurs and minimize remaining risk after security measures are applied. 
    • “The resources come after the HHS released a concept paper in December, which detailed plans to create hospital cybersecurity requirements through Medicare and Medicaid and eventually update the HIPAA rule.”
  • Cybersecurity Dive also considers whether the movement to ban ransom payments will gain steam in 2024: “Policies and regulations around ransomware payments are widely expected to change in 2024, but how and to what effect remains in flux.”
  • Tim Liu, a cybersecurity expert writing in Forbes, offers his cybersecurity predictions for 2024. Nevertheless, the author adds
    • “With all the concerns about AI, cloud and endpoints, we can’t forget that people—employees, contractors and others with network access—remain one of the most common attack vectors. The largest breach of U.S. military systems occurred when someone inserted an infected flash drive into a single computer. More recently, MGM Resorts was hit with a crippling attack that purportedly began via a convincing but impersonated phone call (a.k.a. vishing).
    • “That’s why it’s so important to focus on the basics first—keeping up to date with patches and providing training for staff and management. In other words, cybersecurity is really not just a technology discussion; it’s a people problem. And by consistently concentrating on people, policy, procedure and practice, cyberattacks can be averted.”

From the cybersecurity vulnerabilities and defenses front,

  • Cybersecurity Dive tells us,
    • “Microsoft plans to make significant changes to its internal security practices after disclosing a hack by the state-sponsored threat group Midnight Blizzard, which stole emails and other data from senior-level Microsoft executives and other employees, the company said Friday in a filing with the Securities and Exchange Commission.
    • “The hackers compromised a legacy non-production test tenant account to gain access to the company, Microsoft said. The threat actor used the account’s permissions to reach a “very small percentage” of emails and attachments of senior executives and employees in the cybersecurity, legal and other departments. 
    • “The actor, formerly known as Nobelium, was behind the 2020 Sunburst attacks against SolarWinds and other companies. U.S. authorities raised alarms about Midnight Blizzard in December after the actor was found exploiting unpatched vulnerabilities in JetBrains TeamCity servers across the globe.”
  • and
    • Data compromises were more abundant and organizations were less forthright about the root cause of cyberattacks throughout 2023, according to the Identity Theft Resource Center’s annual data breach report.
    • The number of data compromises reported in the U.S. last year jumped 78% to a record high of 3,205 incidents, the non-profit organization said Thursday. These compromises ultimately impacted more than 353 million victims, including individuals affected multiple times.
    • “The sheer scale of the 2023 data compromises is overwhelming,” ITRC CEO Eva Velasquez said in the report.
  • HHS’s Health Sector Cybersecurity Coordination Center (HC3) posted a sector alert concerning a “Possible Threat of Unauthorized Access to HPH Organizations from Remote Access Tool.”
    • “Security researchers are warning that Healthcare and Public Health (HPH) organizations that use the remote access tool ScreenConnect could be adversely affected or targeted by threat actors. The impact of potential unauthorized access on both federal and private industry victims, many of which rely on this tool, would be a concerning development for the healthcare sector. This Sector Alert provides a technical overview of issues concerning the remote access tool, IOCs, and recommendations for mitigations to detect and protect against future cyberattacks.”
  • The Cybersecurity and Infrastructure Security Agency added a new known exploited vulnerability to its catalog on January 22, January 23, and January 24.
  • Per Cybersecurity Dive,
    • “Nearly 800 instances of Fortra’s GoAnywhere MFT remain unpatched and potentially exposed to a critical vulnerability disclosed earlier this week, according to Shadowserver data published Friday.
    • “While many instances of the file-transfer service remain unpatched, fewer than 30 are vulnerable to exploits due to admin panel exposure on the public internet, Shadowserver said. Remote access to the administration panel is required for threat actors to exploit the critical authentication bypass vulnerability, CVE-2024-0204.
    • “Fortra released a patch for the vulnerability on Dec. 7, but didn’t publicly disclose the vulnerability with a CVSS score of 9.8 until this week.”

From the ransomware front,

  • Dark Reading tells us,
    • “Despite takedowns of top ransomware groups, those remaining threat actors have continued to develop new tricks, while maintaining their ability to capitalize on zero-day vulnerabilities, helping them do more damage to industrial control systems (ICS) with fewer attacks, according to new research.
    • “Dragos released its latest industrial ransomware analysis for the last quarter of 2023, finding the landscape more refined, and potent, than ever before in its attacks against ICS. It’s a surprising reveal given recent high-profile busts of ransomware operators in the space, including Ragnar Locker and ALPHV, the new report explained.”
  • Health IT Security alerts us,
    • “The healthcare sector was hit hard by data breaches in 2023, with more than 540 organizations reporting breaches to HHS last year. Ransomware remains a top threat to healthcare, as exemplified by the number of high-profile attacks carried out by prolific threat actor groups and lesser-known gangs alike.
    • “In its annual ransomware report, the GuidePoint Research and Intelligence Team (GRIT) used publicly available data to explore these trends and how they vary across the threat landscape, uncovering troubling changes in the threat landscape. GRIT observed 63 distinct ransomware groups compromising thousands of victims throughout 2023. Healthcare was the third-most targeted industry in 2023 according to GRIT, behind manufacturing and technology.
    • “Attacks by prolific ransomware groups such as LockBit, Alphv, and Clop accounted for the vast majority of victims across all analyzed industries. GRIT identified these groups as “established,” meaning that they are groups that have operated for at least nine months and maintain well-defined tactics.”

From the cybersecurity defenses front,

  • HHS’s 405d program offers guidance on implementing cybersecurity insurance.
  • From the ISACA blog,
    • An expert identifies the top ten things every cybersecurity professional needs to know about privacy, and
    • Another expert explains how to run a well-executed risk and control self-assessment.
  • Tech Republic discusses how to prevent phishing attacks with multi-factor authentication.

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cybersecurity Dive points out five cybersecurity trends to watch this year.
  • Dark Reading informs us,
    • Following the Jan. 9 compromise of the Securities and Exchange Commission’s account on X, formerly known as Twitter, two Senators have issued a statement calling the hack “inexcusable” and urging the Inspector General of the US Securities and Exchange Commission (SEC) to investigate the regulator’s failure to have basic multifactor authentication (MFA) protections in place.
    • “Additionally, a hack resulting in the publication of material information for investors could have significant impacts on the stability of the financial system and trust in public markets, including potential market manipulation,” Senators Ron Wyden, D-Ore., and Cynthia Lummis, R-Wyo. said in a statement. “We urge you to investigate the agency’s practices related to the use of MFA, and in particular, phishing-resistant MFA, to identify any remaining security gaps that must be addressed.” * * *
    • “Not only should the agency have enabled MFA, but it should have secured its accounts with phishing-resistant hardware tokens, commonly known as security keys, which are the gold standard for account cybersecurity,” the letter to the SEC Inspector General said, adding the agency was warned in 2023 about its “poor cybersecurity.”
    • “The letter added a shot at the regulator’s increasingly rigorous oversight of enterprise cybersecurity.
    • “The SEC’s failure to follow cybersecurity best practices is inexcusable, particularly given the agency’s new requirements for cybersecurity disclosure,” the Senators wrote.”
  • Cyberscoop reports
    • “Over-classification, a lack of policy guidance, and tensions between private sector cybersecurity firms are continuing to hamper federal government efforts to share cybersecurity threat information, according to a report released Friday by the U.S. intelligence community’s top watchdog. 
    • “Friday’s report, released by the Office of the Inspector General of the Intelligence Community, concludes that while federal agencies have broadly improved their ability to share threat information and defensive mitigations, long-standing policy and technical concerns are providing barriers to rapid information sharing. 
    • “The IG’s report examines how relevant federal agencies shared cyber threat information and defensive measures over the past two years through a framework created by the Cybersecurity Information Sharing Act of 2015. The report finds that the “policies, procedures, and guidelines” for sharing information are “sufficient” to carry out the requirements of the legislation and noted that “sharing has improved” in the last two years.
    • “However, a section on barriers to sharing information among federal entities describes a set of familiar issues — to cyber pros at least — that has long been a rallying cry for improvement, including failures to be more forthcoming in sharing threat information with private sector entities.”
  • and
    • “As dozens of states race to establish standards for how their agencies use AI to increase efficiency and streamline public-facing services, researchers at the National Institute of Standards and Technology found that artificial intelligence systems, which rely on large amounts of data to perform tasks, can malfunction when exposed to untrustworthy data, according to a report published last week.
    • “The report, part of a broader effort by the institute to support the development of trustworthy AI, found that cyber criminals can deliberately confuse or “poison” AI systems to make them malfunction by exposing them to bad data. And what’s more, according to the study, there’s no one-size-fits-all defense that developers or cybersecurity experts can implement to protect AI systems.”
  • The Wall Street Journal adds,
    • “U.S. intelligence authorities are using AI to pick up on the presence of hackers trying to infiltrate and attack American critical infrastructure—and identifying signs of hackers using AI themselves in the attacks.
    • “At a conference Tuesday, cybersecurity leaders discussed burgeoning aspects of AI use by hackers—as well as by law enforcement. Rob Joyce, cybersecurity director at the National Security Agency, said machine learning and artificial intelligence are helping cybersecurity investigators track digital incursions that would otherwise be very difficult to see. 
    • “Specifically, Chinese hackers are targeting U.S. transportation networks, pipelines and ports using stealthy techniques that blend in with normal activity on infrastructure networks, Joyce said, speaking at Fordham University in New York.
    • “These methods are “really dangerous” as their aim is societal disruption, as opposed to financial gain or espionage, Joyce said. The hackers don’t use malware that common security tools can pick up, he added.” 

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive tells us,
    • Mortgage lender loanDepot is responding to a cyberattack that led the company to take some of its IT systems offline, the California-based company said Monday. 
    • “Though our investigation is ongoing, at this time, the company has determined that the unauthorized third-party activity included access to certain company systems and the encryption of data,” the company said Monday in a filing with the Securities and Exchange Commission. “In response, the company shut down certain systems and continues to implement measures to secure its business operations, bring systems back online and respond to the incident.”
    • A spokesperson for the non-bank mortgage lender declined to say how or when the threat actor gained access to its systems and if it’s received an extortion demand or paid a ransom.
  • and
    • “Distributed denial of service attacks hit an all-time high in 2023, more than doubling year over year in the fourth quarter, Cloudflare said Tuesday in a threat report.
    • “The record high year for DDoS attacks coincided with mass exploits of the novel zero-day vulnerability HTTP/2 Rapid Reset, which threat actors used to launch DDoS attacks that broke records during the third quarter of 2023.
    • “Cloudflare said it was mitigating about 201 million requests per second at the peak of the series of HTTP/2 vulnerability attacks.
    • “Massive DDoS attacks require significantly fewer capabilities, resources and time, according to Omer Yoachimik, senior product manager of DDoS protection and security reporting at Cloudflare.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) let us know on January 11,
    • “Cisco released a security advisory to address a vulnerability (CVE-2024-20272) in Cisco Unity Connection. A cyber threat actor could exploit this vulnerability to take control of an affected system.
    • “CISA encourages users and administrators to review the Cisco Unity Connection Unauthenticated Arbitrary File Upload Vulnerability advisory and apply the necessary updates.”
  • CISA added six known exploited vulnerabilities to its catalog on January 8, one more on January 10, and another one on the same day.

From the ransomware front,

  • Per Cybersecurity Dive,
    • “Almost 5,200 organizations were hit by ransomware attacks in 2023, Rapid7 said in a Friday blog post, pulling research from public disclosures and incident data from its managed detection and response team.
    • “In reality, we believe that number was actually higher because it doesn’t account for the many attacks that likely went unreported,” Christiaan Beek, senior director of threat analytics at Rapid7, said in the report.
    • “Rapid7 didn’t provide numbers for 2022, but research from other firms concludes the number of ransomware attacks is rising. There were twice as many ransomware attacks in the second half of 2023, compared to the latter half of 2022, according to BlackFog.”
  • Security Week reports,
    • “Over the weekend, the LockBit ransomware gang claimed responsibility for a November 2023 cyberattack on the hospital system Capital Health.
    • “In December, Capital Health announced that it fell victim to a cyberattack that resulted in network outages and that it immediately launched an investigation, informed law enforcement, and started the restoration process.
    • “At this time, all services are available at our facilities, all systems have been restored, and all operations have returned to normal,” the organization said in an incident notification.
    • “According to the LockBit ransomware gang, only data exfiltration occurred.
    • “We purposely didn’t encrypt this hospital so as not to interfere with patient care,” the gang notes on its Tor-based leak site.
    • “The ransomware group says it stole more than 10 million files from the healthcare organization, which allegedly includes medical confidentiality data.”
  • Here’s a link to Bleeping Computer’s latest Week in Ransomware.

From the cybersecurity defenses front,

  • Federal News Network identifies five steps for building an adaptable, dynamic zero trust architecture within federal agencies.
  • Security Boulevard considers how to recover after failing a cybersecurity audit.

Weekend Update

The FEHBlog was tied up with family business yesterday, so Cybersecurity Saturday appears below the Weekend Update.

From Washington, DC,

  • Congress is back to work on Capitol Hill. The Wall Street Journal describes the situation as “Battered Congress Has Two Weeks to Fix Three Big Problems: Talks to stop a government shutdown, fix the border and fund Ukraine converge on Capitol Hill.”
  • The Journal adds this evening,
    • “Congressional leaders reached a bipartisan deal on Sunday setting a roughly $1.6 trillion federal spending level for the year, but the pact drew quick criticism from some conservatives, and it remained unclear whether lawmakers would be able to quickly pass legislation averting a government shutdown.”
  • Congress does not have any hearings scheduled for this week.
  • The Washington Post reports,
    • “The Supreme Court said Friday it will review a case (No. 23-727) challenging Idaho’s strict abortion ban, which the Biden administration says conflicts with a federal law [EMTALA] requiring emergency room doctors to perform the procedure in some circumstances.”
  • Federal News Network provides more background to reduce retirement program overpayments.
    • “For OPM, many of the improper payments that the agency makes through retirement services may stem from limited data, on account of not using enough analytics to identify beneficiaries who have died and therefore are no longer entitled to the benefits, [Linda] Miller, [Audient Group CEO] said.
    • “There is more than one way of identifying people who have passed away — looking at Social Security, obituary data and more accurate information on deaths,” Miller said. “OPM doesn’t use much of that data, so the reports are likely less accurate.”

From the public health and medical research front,

  • Fortune Well offers us four strategies for older folks to get good quality sleep and an approach to adding beneficial thirty-second-long micro-workouts to your day.
  • Govexec tells us,
    • “The Veterans Affairs Department will soon begin funding research into the use of psychedelics such as MDMA and mushrooms to treat PTSD and depression, the first time the agency has done so since the 1960s. 
    • “The announcement answers the call from some veterans and researchers who have long advocated for the potential medical benefits of MDMA and psilocybin, or psychoactive mushrooms. VA on Friday issued a request for applications to its network of researchers, collaborating with academic institutions to solicit proposals to study the impact of using the compounds to treat post-traumatic stress disorder and depression in veterans.” 

From the U.S. healthcare front,

  • STAT News reminds us that the JP Morgan Healthcare Conference will be held this week in San Francisco.
    • “Nonprofit hospitals often get overshadowed at the J.P. Morgan Healthcare Conference, the health care industry’s swankiest investor meeting whose agenda is dominated by drugmakers and biotech companies.
    • “But hospitals are still the largest part of America’s health care economy, commanding nearly a third of the country’s $4.7 billion health care tab. And similar to last year, when hospitals touted their plans for expansion and hiking prices, they will have a rosy picture to sell to financiers as patients flock to their facilities.”
  • The American Medical Association informs us, “What doctors wish patients knew about scope of practice.”
  • Health Payer Intelligence points out,
    • “Despite efforts to reduce drug costs through Medicare negotiation for 10 common medications, the US still pays more for these drugs than almost any other nation, even after factoring in discounts and rebates, according to a Commonwealth Fund chart pack.
    • “The researchers used 2021 data from IQVIA and the Medicare Payment Advisory Commission (MedPAC) to assess how US drug prices differed from international trends. With this information, the researchers compiled 12 charts that situate the drug prices in the United States compared to other countries.”
  • Per Fierce Healthcare,
    • “Duluth, Minnesota-based Essentia Health and Marshfield, Wisconsin-based Marshfield Clinic Health System have scrapped their plan to merge into a 25-hospital Midwest system.
    • “The two nonprofit health systems said in a statement that they have “engaged in meaningful discussion” over the last two years about how the organizations could combine their unique strengths.
    • “We have decided that a combination at this time is not the right path forward for our respective organizations, colleagues and patients,” the health systems said in a statement posted to Essentia Health’s website Friday.”
  • BioPharma Dive reports,
    • “Metagenomi, a biotechnology startup working to identify new CRISPR enzymes for editing genes, has filed to go public.
    • “Backed by healthcare investors and pharmaceutical firms including Novo Nordisk’s parent company and Bayer’s venture arm, Metagenomi most recently raised a $275 million Series B round. The startup is also partnered with Moderna and Ionis Pharmaceuticals.
    • “The Emeryville, California-based biotech is one of at least three life sciences companies to publicly plan for an initial public offering so far this year. Should it successfully price an IPO, its performance could serve as an early barometer for the sector in 2024.”
  • The Society for Human Resource Management notes HR trends for which we should be prepared in 2024.

Cybersecurity Saturday

HealthcareIT Today offers a boatload of cybersecurity predictions for 2024.

From the cybersecurity vulnerabilities front,

  • HHS’s Health Sector Cybersecurity Coordination Center (HC3) released its December 2023 monthly vulnerabilities report on January 4:
    • “In December 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for December are from Microsoft, Google/Android, Apple, Mozilla, Cisco, SAP, VMware, Adobe, Fortinet, and Atlassian. A vulnerability is given the classification of a zero-day when it is actively exploited with no fix available or if it is publicly disclosed. HC3 recommends patching all vulnerabilities with special consideration to the risk management posture of the organization.”
  • The Cybersecurity and Infrastructure Security Agency added two more known exploited vulnerabilities to the catalog on January 2.
  • Cybersecurity Dive reported on January 5,
    • “A critical vulnerability in Apache OFBiz was hit with a surge in exploitation attempts in recent weeks, which could allow attackers to take control of affected systems and launch supply chain attacks, according to researchers from SonicWall.
    • “Apache OFBiz is an open source enterprise resource system that is used in a wide range of software, including Atlassian Jira, which is used by more than 120,000 companies. “Jira uses a customized OFBiz Entity Engine that does not implement the vulnerable framework module,” a spokesperson for Atlassian told Cybersecurity Dive via email.
    • “The authentication bypass vulnerability, listed as CVE-2023-51467, has a CVSS score of 9.8 and could expose sensitive data or allow an unauthenticated attacker to execute arbitrary code.”

From the ransomware front,

  • Here’s a link to Bleeping Computer’s Week in Ransomware.

From the cyber defenses front,

  • The Wall Street Journal offers tips for securing computers for personal and small business use.
  • An ISACA expert explains,
    • “As the digital realm continues to expand, it is axiomatic that cybersecurity threats are escalating concurrently. The fight against cybercrime has transformed from an optional frontline battle to a mandatory survival skill for businesses and individuals. Unfortunately, humans have now surpassed machines as the most favored targets for cybercriminals. An effective approach that merges change management methodology with cybersecurity procedures is needed to combat this.”
  • Security Intelligence offers a holistic approach to information and operational technology.

Cybersecurity Saturday

Reflections

  • WIRED Magazine looks back on 2023’s worst “breaches, leaks, ransomware attacks, digital extortion cases, and state-sponsored hacking campaigns.”
  • Security Intelligence provides a round of federal actions that shaped cybersecurity in 2023.
  • Info-Security Magazine discusses the top five cybersecurity mergers and acquisitions of 2023.

Recent breaches

  • Health IT Security reports on recent health sector breaches.
  • The Cybersecurity and Infrastructure Security Agency did not post news this week.

Ransomware

  • Bleeping Computer did update The Week in Ransomware yesterday.
    • “It’s been a quiet week, with even threat actors appearing to take some time off for the holidays. We did not see much research released on ransomware this week, with most of the news focusing on new attacks and LockBit affiliates increasingly targeting hospitals.
    • “These attacks include ones against Yakult Australia and the Ohio Lottery by the new DragonForce ransomware operation.
    • “The most concerning news is that LockBit affiliates increasingly target hospitals in attacks, even though the ransomware operation says it’s against the rules.”
    • FEHBlog note — There’s no honor among thieves.

Looking forward,

  • The Wall Street Journal reports,
    • “Companies in 2023 saw rising cybersecurity threats, rising regulation and rising costs for cyber insurance, while dealing with tight budgets and a tighter labor market. 
    • “The year ahead will bring no letup. 
    • “Both geopolitical adversaries and common criminals will intensify strikes on U.S. companies to steal information and disrupt business, government security officials say. Ransomware remains a significant threat, with new malware strains emerging as quickly as older ones fade. Serious attackers linked to China and Russia are exploiting bugs in the technology supply chain to get into corporate networks through a side door. 
    • “Chief information security officers increasingly are responding by working with the chief risk officer, general counsel, chief financial officer and chief information officer to set cyber risk policies and processes. That collaboration is vital as the Big Four cyber adversaries of the U.S.—China, Iran, North Korea and Russia—show no signs of slowing attacks.”  
  • Info-Security Magazine offers ten cybersecurity predictions for next year.

Happy New Year!

Cybersecurity Saturday

From the cybersecurity policy front,

  • Fortune offers a commentary on the topic aptly titled “A quiet cybersecurity revolution is touching every corner of the economy as U.S., allies ‘pull all the levers’ to face new threats.”
  • Cybersecurity Dive informs us,
    • “The Cybersecurity and Infrastructure Security Agency is seeking comment on a global effort to improve software security through major changes in development practices.
    • “The request for information, released Wednesday, seeks input about how to best incorporate security into the software development life cycle. Specifically, CISA is asking for input on how to tackle recurring software vulnerabilities, how to implement security into higher education, and how to enhance security into operational technology and how secure practices may impact costs.
    • “Our goal to drive forward a future where technology is safe and secure by design requires action by every technology manufacturer and clear demand by every consumer, which in turn requires us to rigorously seek and incorporate input,” CISA Director Jen Easterly said in the announcement.”
  • Federal News Network points out,
    • The Defense Department’s long-awaited proposed rule for the Cybersecurity Maturity Model Certification (CMMC) lays out DoD’s plan to introduce the CMMC requirements over the next three years. The proposed rule, released today [December 22] and scheduled to be published in the Federal Register on Dec. 26, would establish requirements “for a comprehensive and scalable assessment mechanism” to ensure defense contractors are implementing required security protections.

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive reports
    • “Comcast’s Xfinity broadband entertainment platform disclosed a massive data breach involving 35.9 million customers on Monday, an incident connected to the ongoing CitrixBleed vulnerability.
    • “Xfinity promptly patched the vulnerability in Citrix software it uses in mid-October and took additional mitigation steps, the company said in an announcement. However, during a routine cybersecurity exercise on Oct. 25, Xfinity found an anomaly in its systems and identified a breach between Oct. 16-19 by an unauthorized party. 
    • “After launching an investigation and contacting law enforcement, on Nov. 16 the company determined that customer data was likely stolen. On Dec. 6, Xfinity determined the compromised data included user names and hashed passwords. In some cases, names, contact information, the last four digits of Social Security numbers, dates of birth and secret questions and answers were accessed.”
  • Health IT Security adds,
    • “Genetic testing company 23andMe notified 6.9 million individuals that their personal information was compromised in October 2023. However, 23andMe had no evidence that there was a data security incident within its systems. Instead, threat actors leveraged credential stuffing, a tactic in which hackers use stolen login information from one account to gain access to other accounts with the same passwords. * * *
    • “The 23andMe breach exemplified the effects that poor cyber hygiene by end users can have on data security. What’s more, the breach’s impact was expanded since access to one account gave hackers further access to other user profiles via the DNA Relatives feature.
    • “Multi-factor authentication (MFA) often emerges as a sensible solution to this issue. The cornerstones of authentication revolve around three factors: something you know, something you have, and something you are. While single-factor authentication requires the user to identify only one of those factors, MFA necessitates that users produce two or more factors, such as a password and a security token, or a PIN and a fingerprint.”
  • CISA added two known exploited vulnerabilities to its catalog on December 21.
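As an added illustration of the point Health IT Security makes above (this is example code written for this post, not code from Health IT Security or 23andMe), here is a minimal login check that requires both a password (something you know) and a time-based one-time password from an authenticator app (something you have), implemented per RFC 4226/6238 with only the Python standard library. The user record, the password, and the fixed clock values are constructed for the demo; the TOTP secret is the reference test secret from RFC 6238, chosen so the generated codes can be checked against the published vectors. With MFA in place, a password reused from another breached site is rejected on its own, which is exactly the credential-stuffing scenario described in the 23andMe item.

```python
"""
Added example: password + TOTP second factor (RFC 4226 HOTP / RFC 6238 TOTP).
Demonstrates why a stolen, reused password alone does not pass an MFA login.
All users, passwords and clock values below are constructed for the demo.
"""
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo user store. The salt is fixed here only to keep the demo
# deterministic; a real system would use a random per-user salt.
_SALT = b"demo-salt"
# Reference secret from RFC 6238 (ASCII "12345678901234567890", base32 encoded).
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def _hash_password(password: str) -> bytes:
    """Salted PBKDF2-SHA256 password hash (constructed demo parameters)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {
    "alice": {
        "pw_hash": _hash_password("reused-password-123"),  # constructed demo password
        "totp_secret": RFC6238_SECRET,
    }
}


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then the low `digits` decimal digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret_b32, at_time // step, digits)


def verify_login(username: str, password: str, otp, now=None, window: int = 1) -> bool:
    """Return True only when BOTH the password and a current TOTP code are valid.

    `window` allows codes from one time step either side of `now` to absorb
    clock drift between server and authenticator. Comparisons use
    hmac.compare_digest so timing does not leak which factor failed.
    """
    user = USERS.get(username)
    if user is None:
        return False
    # Factor 1: something you know.
    if not hmac.compare_digest(_hash_password(password), user["pw_hash"]):
        return False
    # Factor 2: something you have. A missing or wrong code fails the login
    # even though the password was correct (the credential-stuffing case).
    if otp is None:
        return False
    now = int(time.time()) if now is None else now
    counter = now // 30
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(user["totp_secret"], counter + delta), otp):
            return True
    return False


if __name__ == "__main__":
    # Attacker replays a password leaked from another site, with no second factor.
    print("password only:", verify_login("alice", "reused-password-123", None, now=59))
    # Legitimate user supplies the code from their authenticator at time 59.
    print("password + TOTP:", verify_login("alice", "reused-password-123", "287082", now=59))
```

The TOTP values for the RFC 6238 test secret are published in that RFC (at Unix time 59 the SHA-1 code is 94287082, of which the last six digits are used here), so the code's correctness can be checked against a known vector rather than trusted. In production the TOTP secret should be stored encrypted and login attempts rate-limited; per the Senators' letter quoted earlier in this post, a phishing-resistant hardware key would be stronger still, since a TOTP code can be relayed by a convincing phishing page while a FIDO security key binds the response to the site's origin.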

From the ransomware front,

  • The American Hospital Association tells us,
    • “The FBI, Cybersecurity and Infrastructure Security Agency and Australian Cyber Security Centre Dec. 18 released a warning about actions and tactics used by the Play ransomware group. The group has impacted a wide range of businesses and critical infrastructure in North America, South America and Europe since 2022, in addition to incidents in Australia in April and November this year. 
    • “The cyber threat actors are presumed to be a closed group, designed to “guarantee the secrecy of deals,” according to a statement on the group’s data leak website. Play ransomware actors use a double-extortion model, which encrypts systems after exfiltrating data; their ransom notes do not include an initial ransom demand or payment instructions; rather, victims are instructed to contact the threat actors via email.” 
  • On December 19,
    • “CISA and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA), #StopRansomware: ALPHV Blackcat, to disseminate known ALPHV Blackcat affiliates’ tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) identified through FBI investigations as recently as Dec. 6, 2023. The advisory also provides updates to the FBI FLASH BlackCat/ALPHV Ransomware Indicators of Compromise released April 19, 2022.”
  • Bleeping Computer’s “The Week in Ransomware” offers details on the ALPHV situation that are worth a gander.

From the cybersecurity defenses front,

  • Dark Reading reports,
    • “Cisco is closing out a busy year of acquisitions with a new deal to boost its multicloud networking and security capabilities.
    • “The networking giant announced its intention to acquire Isovalent, a cloud-native security and networking startup that helped develop two widely used visibility projects, eBPF, Cilium, and Tetragon. The open source technology eBPF provides developers with “unmatched visibility into the inner workings of the operating system,” Cisco said in a statement. The technology presents a way for building security systems that can protect a workload while running, according to the company. * * *
    • “Isovalent will join Cisco Security Business Group after the acquisition closes, which is expected in the second quarter of 2024 (third quarter of Cisco’s fiscal year). The purchase price was not disclosed.”
  • CISA issued a blog post about planned improvements to its cybersecurity information sharing.
    • “Our shared visibility into cyber threats is our best defense. When an organization identifies threat activity and keeps it to itself, our adversaries win. When we rapidly share actionable information across a community of partners, we take back the advantage. And, when we turn actionable information into strategic investments to drive the most important mitigations, we achieve enduring change. In this new year, we encourage every organization to make a commitment – perhaps a New Year’s resolution – to cybersecurity information sharing, including incident information, indicators of compromise, or even feedback and insights that could benefit peers across the Nation. We look forward to sharing more details about TIES and our cyber threat exchange modernization initiatives throughout the year.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cybersecurity Dive reported on December 13,
    • “The Senate confirmed Harry Coker Jr. as national cyber director Tuesday, ending a 10-month absence of a permanent leader in the role.
    • “The Navy veteran and executive director of the National Security Agency from 2017 to 2019 will lead the Office of the National Cyber Director and its team of about 100 employees after the Senate confirmed his nomination by a 59-40 vote.
    • “Coker joins the White House at a critical time, with the onus now on him to implement the national cybersecurity strategy that aims to shift the responsibility for security to technology manufacturers and vendors instead of customers.”
  • Bank Info Security explains,
    • “In a Friday advisory, CISA said it had performed the assessment in January at the request of a “large organization deploying on-premise software” that the agency did not identify.
    • “The risk and vulnerability assessment is a two-week penetration test of an entire organization. The first week is spent on external testing, and the second week focuses on assessing the internal network. The CISA team identified default credentials for multiple web interfaces and used default printer credentials while penetration testing. Other internal assessment testing found several other weaknesses.
    • “Based on its findings, the agency recommends healthcare and public health sector organizations ensure measures such as enhancing their internal environments to mitigate follow-on activity after initial access, using phishing-resistant multifactor authentication for all administrative access, and segregating networks. It also recommends verifying the implementation of those hardening measures, including changing, removing or deactivating all default credentials.
    • “CISA said its recommendations can apply to all critical infrastructure organizations as well as to software manufacturers.
    • “The agency said that as part of its assessment, its team had conducted web application, phishing, penetration, database and wireless assessments.”

From the cybersecurity vulnerability and breaches front,

  • Cybersecurity Dive reports,
    • “U.S. authorities warn that threat actors linked to the Russian Foreign Intelligence Service (SVR) are exploiting a critical vulnerability in JetBrains TeamCity software as part of a worldwide effort that could lead to extensive supply chain attacks.
    • “The FBI, National Security Agency, Cybersecurity and Infrastructure Security Agency, along with U.K. and Polish authorities, said Nobelium/Midnight Blizzard — a threat group linked to the 2020 Sunburst attacks against SolarWinds — has been targeting hundreds of unpatched TeamCity servers across the globe, which are widely used for software development. 
    • “The hackers have not yet launched supply chain attacks, but have used their initial access to escalate privileges, move laterally within systems and install malicious backdoors in preparation for larger attacks, authorities said.”
  • and
    • “CitrixBleed isn’t going away: Security experts struggle to control critical vulnerability. While officials echo urgent mitigation steps to contain the zero-day vulnerability, high-profile organizations continue to bear the impact.”
  • CISA added a known exploited vulnerability to its catalog on December 11.

From the ransomware front, Bleeping Computer’s Week in Ransomware is back this week.

From the cybersecurity defenses front,

  • CISA offers insights from its intensive risk assessment project discussed above under cybersecurity policy.
    • Here are the headlines:
      • “ACTIONS TO TAKE TODAY TO HARDEN YOUR INTERNAL ENVIRONMENT TO MITIGATE FOLLOW-ON ACTIVITY AFTER INITIAL ACCESS.
      • “Use phishing-resistant multi-factor authentication (MFA) for all administrative access.
      • “Verify the implementation of appropriate hardening measures, and change, remove, or deactivate all default credentials.
      • “Implement network segregation controls.”
  • ISACA offers five things for various professionals to put on their 2024 to-do lists. Here are the five things for cybersecurity and privacy professionals. Check them out.
  • Security Boulevard discusses the next great line of defense, security as code (SaC).
    • “Security as Code (SaC) is the practice of building and integrating security into tools and workflows by identifying places where security checks, tests, and gates may be included.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • Healthcare Dive reports,
    • “The HHS released [on December 6] a working paper this week that outlines its strategy to support cybersecurity in healthcare, including proposing hospital cybersecurity requirements through Medicare and Medicaid and beginning to update the HIPAA rule.
    • “The paper details steps to improve resilience among healthcare organizations, like establishing voluntary cybersecurity goals for the sector, working with Congress to receive new authority and funding, and adding goals into existing regulations and programs.
    • “The strategy comes as healthcare organizations face growing threats of cyberattacks that jeopardize patient safety and privacy. The HHS’ Office for Civil Rights found a 93% increase in large breaches reported from 2018 to 2022, and a 278% increase in large breaches involving ransomware.  * * *
    • “Money and voluntary goals alone won’t drive enough change, the department said. The HHS’ third step focuses on proposing to add healthcare-specific cybersecurity goals into existing regulations, which will inform future standards.
    • “The CMS will propose new cybersecurity requirements for hospitals through Medicare and Medicaid and the HHS’ OCR will begin to update the HIPAA Security Rule in the spring to include new standards. [Reginfo.gov tells us the proposed rule is expected to be released in September 2024.]
    • “The American Hospital Association CEO Rick Pollack said the trade and lobbying group welcomes more federal expertise and funding to protect the sector from cyberattacks, but it can’t support mandatory requirements.
    • “Many recent cyberattacks against hospitals have originated from third-party technology and other vendors. No organization, including federal agencies, is or can be immune from cyberattacks,” Pollack said in a statement. “Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cyber crime and would be counterproductive to our shared goal of preventing cyberattacks.”
  • Cyberscoop tells us,
    • “Addressing computer security vulnerabilities by quickly finding and patching flaws is a fundamentally broken model in need of being overhauled, Eric Goldstein, a top cybersecurity official at the Cybersecurity and Infrastructure Security Agency, said Friday.
    • “To say that our solution to cybersecurity is at least in part, patch faster, fix faster, that is a failed model,” Goldstein said at an event held by the nonprofit International Information System Security Certification Consortium. “It is a model that does not account for the capability and the acceleration of the adversaries who we’re up against.”
    • “Goldstein, the executive assistant director for cybersecurity at CISA, argued that delivering broad gains in computer security requires a “philosophical shift” that puts a smaller burden on school districts, water utilities, and small businesses to maintain secure systems, and asks more of the large companies to provide secure software and hardware.
    • “If you’re a school district, a water utility, a small business, you’re fundamentally not going to repeatedly succeed over time against the malicious actors that we are trying to manage every day,” Goldstein said.”
  • The Department of Health and Human Services Office of Civil Rights announced,
    • “a settlement with Lafourche Medical Group, a Louisiana medical group specializing in emergency medicine, occupational medicine, and laboratory testing. The settlement resolves an investigation following a phishing attack that affected the electronic protected health information of approximately 34,862 individuals. Phishing is a type of cybersecurity attack used to trick individuals into disclosing sensitive information via electronic communication, such as email, by impersonating a trustworthy source. This marks the first settlement OCR has resolved involving a phishing attack under the Health Insurance Portability and Accountability Act (HIPAA) Rules. HIPAA is the federal law that protects the privacy and security of health information. 
    • “Phishing is the most common way that hackers gain access to health care systems to steal sensitive data and health information,” said OCR Director Melanie Fontes Rainer. “It is imperative that the health care industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks. We all have a role to play in keeping our health care system safe and taking preventive steps against phishing attacks. * * *
    • “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/lafourche-medical-group/index.html
  • The Federal Bureau of Investigation announced,
    • “The Securities and Exchange Commission’s new requirements for companies to disclose material cybersecurity incidents take effect on December 18, 2023. The FBI, in coordination with the Department of Justice, is providing guidance on how victims can request disclosure delays for national security or public safety reasons.
    • “You can click on the buttons at the bottom of this page to read guidance on requesting a delay and providing necessary information to the FBI, to view the SEC Rule, and to read the FBI’s Policy Notice about how victim requests are processed.  
    • “The FBI recommends all publicly traded companies establish a relationship with the cyber squad at their local FBI field office. The FBI also strongly encourages companies to contact the FBI soon after a cyber incident is discovered. This early outreach allows the FBI to familiarize itself with the facts and circumstances of an incident before the company makes a materiality determination. If the victim of a cyber intrusion engages with the FBI, that doesn’t trigger materiality. However, it could assist with the FBI’s review if the company determines that a cyber incident is material and seeks a disclosure delay. 
    • “Please note that delay requests won’t be processed unless they are made immediately upon a company’s determination of materiality.”
  • The National Institute of Standards and Technology released an updated version of
    • the NIST Cybersecurity and Privacy Reference Tool (CPRT), [which] provides a way to browse, view mappings, and download reference data from select NIST cybersecurity and privacy standards, guidelines, and Frameworks – all in standardized data formats (you can currently pick from XLSX or JSON). These tabular datasets will make it easier for users of NIST guidance to identify, locate, compare, and customize content without needing to review hundreds of pages of narrative within publications.

From the cybersecurity vulnerabilities and breaches front,

  • The HHS health sector Cybersecurity Coordination Center (HC3) issued its November report on vulnerabilities of interest to the health sector.
    • “In November 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for November are from Microsoft, Google/Android, Apple, Mozilla, Cisco, SAP, VMWare, Adobe, Fortinet, Atlassian, Becton, Dickinson (BD) and Company, and ownCloud. A vulnerability is given the classification of a zero-day when it is actively exploited with no fix available, or if it is publicly disclosed. HC3 recommends patching all vulnerabilities, with special consideration to the risk management posture of the organization.”
  • The Cybersecurity and Infrastructure Security Agency added two known exploited vulnerabilities to its catalog on December 4, four more on December 5 and another two on December 7.
  • HC3 posted a white paper on ownCloud vulnerability.
    • “The ownCloud platform allows organizations to store, synchronize, and share files and other content, as well as collaborate and consolidate work processes. This platform is known to be deployed across the U.S. health sector, among other industries. The nature of this platform provides cyber-attackers with a target that can potentially provide access to sensitive health information, as well as a staging point for further attacks. Three vulnerabilities were recently identified in certain versions of ownCloud, the most egregious of which is known to be under active attack. HC3 recommends healthcare organizations running ownCloud identify vulnerable instances and prioritize implementation of the mitigation steps in this document.”
  • HC3 also posted a PowerPoint about Open Source Software risks in the health sector.
  • Federal News Network informs us,
    • “The Cybersecurity and Infrastructure Security Agency is reminding agencies and the public to patch known cyber vulnerabilities after a federal agency was hacked earlier this year by threat actors leveraging a bug in outdated software.
    • “In a cyber advisory issued this week, CISA said unidentified threat actors exploited a vulnerability in older versions of Adobe ColdFusion software to gain access to the network of a federal civilian executive branch agency. The specific agency was not identified.
    • “Analysis of the agency’s network logs confirmed the compromise of “at least two public-facing servers” within the agency’s environment between June and July of this year.
    • “Both servers were running outdated versions of software which are vulnerable to various [Common Vulnerabilities and Exposures],” CISA said in the advisory.”
  • Per Cybersecurity Dive,
    • “Cyberattacks and data breaches are exposing personal data at an ever-growing rate, according to an Apple-commissioned study conducted by Stuart Madnick, professor of IT at Massachusetts Institute of Technology, published Thursday.
    • “More than 2.6 billion personal records were compromised in 2021 and 2022, and the number of records breached jumped 36% in 2022 to 1.5 billion, the report said.
    • “Data breaches at U.S. organizations are at an all-time high, up 20% in the first nine months of 2023 compared to all of last year, the study found.”
  • and
    • “Two years after the historic disclosure of a critical zero-day vulnerability in the Apache Log4j library sent organizations racing to contain the damage, nearly 2 in 5 applications are still using vulnerable versions, according to a report released Thursday from Veracode.
    • “The report found nearly one-third of applications are running Log4j2 1.2.x, which reached end-of-life status in August 2015 and no longer receives patch updates. Another 2.8% of applications are still using versions vulnerable to the actual Log4Shell vulnerability.
    • “Veracode found 3.8% of applications are using Log4j2 2.17.0, which was patched against Log4Shell, but contains CVE-2021-44832, another high severity, remote code execution vulnerability.”
  • The Wall Street Journal reports,
    • “The recent breach of  23andMe user accounts shows a simple yet powerful truth about data security: Don’t reuse passwords, people.
    • “The DNA test-kit company on Monday reported a hacker accessed 14,000 accounts because of password reuse, exposing information belonging to approximately 6.9 million people. The 23andMe computer network wasn’t breached and wasn’t the source of these compromised credentials, a company spokesman said in a statement. The company first disclosed the incident in October and has been investigating since then.
    • “The passwords used to break into these accounts had most likely been stolen from other websites. Because they were reused, they also worked on 23andMe, security experts say. The type of attack is known as credential stuffing, and it puts 23andMe in the company of other major businesses who have fallen victim to the cybercrime trend, including Netflix, Nintendo, Zoom and PayPal.
    • “It isn’t uncommon to see credential stuffing used to compromise thousands of accounts, but with 23andMe, the data in question is unusual, said Ryan McGeehan, owner of R10N Security, a cybersecurity consulting firm. 
    • “The issue here is that 23andMe is a social site that also has healthcare information,” he said. “And both of these increase the risk of exposure of the data, and the value of the data itself.” 
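A detector for the credential-stuffing pattern described in the 23andMe items above (and in the earlier MFA discussion), as an added example that is not part of the original post or any vendor's tooling: it assumes a constructed log line format and thresholds chosen for illustration, separates stuffing (many accounts, one or two tries each) from brute force (one account, many tries), and lists the accounts a source actually got into so they can be reset and enrolled in MFA.

```python
"""Credential-stuffing detector over web-application authentication logs.

Credential stuffing replays username/password pairs stolen elsewhere: each
account sees only one or two attempts, but a single source tries many
*different* accounts, most of which fail. Brute force is the opposite shape
(many guesses against one account) and is deliberately not flagged here.

Log format, thresholds and sample lines below are constructed for this
example; they are not any product's real format or the post's own data.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed (constructed) log format, one authentication attempt per line:
#   2023-12-04T10:00:01 auth src=<ip> user=<account> result=ok|fail
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<ip>[\d.]+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_auth_log(lines):
    """Parse log lines into AuthEvents, skipping lines that do not match."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(AuthEvent(datetime.fromisoformat(m["ts"]), m["ip"],
                                    m["user"], m["result"] == "ok"))
    return events


@dataclass
class Finding:
    ip: str
    attempts: int
    failures: int
    distinct_users: int
    compromised_users: list  # accounts this source logged into successfully


def detect_credential_stuffing(events, window=timedelta(minutes=15),
                               min_users=5, max_attempts_per_user=2.0,
                               min_fail_ratio=0.6):
    """Flag source IPs whose login pattern looks like credential stuffing.

    Inside any `window` of one source's activity we look for many distinct
    accounts (>= min_users), few attempts per account (<= max_attempts_per_user)
    and a high failure ratio (>= min_fail_ratio). Returns {ip: Finding} with
    the widest-spread window per source; successful logins in that window are
    the accounts to reset and push into MFA.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        best = None
        j = 0
        for i in range(len(evs)):
            # Sliding window: advance j so evs[i:j] spans at most `window`.
            while j < len(evs) and evs[j].ts - evs[i].ts <= window:
                j += 1
            span = evs[i:j]
            users = {e.user for e in span}
            failures = sum(1 for e in span if not e.ok)
            if (len(users) >= min_users
                    and len(span) / len(users) <= max_attempts_per_user
                    and failures / len(span) >= min_fail_ratio):
                cand = Finding(ip, len(span), failures, len(users),
                               sorted({e.user for e in span if e.ok}))
                if best is None or cand.distinct_users > best.distinct_users:
                    best = cand
        if best is not None:
            findings[ip] = best
    return findings


# Constructed sample: one stuffing source (8 accounts, 2 of them reused
# passwords), one brute-force source (1 account, 6 guesses), one normal user.
SAMPLE_LOG = """\
2023-12-04T10:00:01 auth src=203.0.113.10 user=alice result=fail
2023-12-04T10:00:02 auth src=203.0.113.10 user=bob result=fail
2023-12-04T10:00:02 auth src=203.0.113.10 user=carol result=ok
2023-12-04T10:00:03 auth src=203.0.113.10 user=dave result=fail
2023-12-04T10:00:03 auth src=203.0.113.10 user=erin result=fail
2023-12-04T10:00:04 auth src=203.0.113.10 user=frank result=fail
2023-12-04T10:00:05 auth src=203.0.113.10 user=grace result=ok
2023-12-04T10:00:05 auth src=203.0.113.10 user=heidi result=fail
2023-12-04T10:01:00 auth src=198.51.100.7 user=victim result=fail
2023-12-04T10:01:01 auth src=198.51.100.7 user=victim result=fail
2023-12-04T10:01:02 auth src=198.51.100.7 user=victim result=fail
2023-12-04T10:01:03 auth src=198.51.100.7 user=victim result=fail
2023-12-04T10:01:04 auth src=198.51.100.7 user=victim result=fail
2023-12-04T10:01:05 auth src=198.51.100.7 user=victim result=fail
2023-12-04T10:02:00 auth src=192.0.2.5 user=ivan result=fail
2023-12-04T10:02:04 auth src=192.0.2.5 user=ivan result=ok
""".splitlines()


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_credential_stuffing(parse_auth_log(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, f in run_sample().items():
        print(f"{ip}: {f.attempts} attempts on {f.distinct_users} accounts, "
              f"{f.failures} failures; reset + MFA for {f.compromised_users}")
```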

From the ransomware front,

  • The Hacker News explains ransomware as a service. (Note: The Week in Ransomware was not published this week.)

From the cybersecurity defenses front,

  • Security Boulevard offers 2024 predictions for cybersecurity.
  • An ISACA expert explains how to create a health security culture.
  • Medriva discusses the cybersecurity steps that the Cleveland Clinic has taken.

Cybersecurity Saturday

From the cybersecurity policy front,

  • FedScoop tells us,
    • “A new bipartisan House bill aims to bolster the U.S. cybersecurity workforce by creating two training programs within the federal government, building on companion legislation introduced in the Senate earlier this year.
    • “The Federal Cybersecurity Workforce Expansion Act, co-sponsored by Reps. Chrissy Houlahan, D-Pa., and Mike Gallagher, R-Wis., would establish a cybersecurity registered apprenticeship program in the Cybersecurity and Infrastructure Security Agency and a Department of Veterans Affairs pilot program that would provide cybersecurity training to veterans.
  • The Cybersecurity and Infrastructure Security Agency (“CISA”) announced,
    • “In the fast-paced world of cybersecurity, staying ahead of threats is essential. And while security is without a doubt a priority for businesses of all sizes, it is easy to feel overwhelmed by all the information available. At CISA, we have been diligently developing a solution aimed at simplifying the way our partners and potential collaborators understand their cyber risk and prioritize their investments, ensuring they can quickly navigate this complexity with ease. Our focus has been on making the process of working with us more intuitive and user-friendly so that every organization can spend more time meeting business goals and less time sifting through cybersecurity resources. We believe this approach will be especially helpful for smaller to medium sized stakeholders with fewer resources, who need help prioritizing actions to help them to reduce the likelihood and impact of damaging intrusions.
    • “In early 2024, we look forward to launching a new way for organizations to understand their cyber risk and receive targeted, straightforward guidance built around our Cybersecurity Performance Goals. This new tool is called ReadySetCyber. While we’re not quite ready to unveil all the details just yet, we are excited to share a glimpse of what’s on the horizon.”
    • That glimpse is available here.
  • The Wall Street Journal reports,
    • “A cyberattack that disrupts everyday life in the U.S. will likely cost more than the insurance industry can afford to cover, requiring government intervention, insurers and brokers said.
    • “The idea of a federal backstop to help insurers cope in the event of a catastrophic cyberattack has been examined by the government in recent years, but has gained momentum with tandem efforts at the Treasury Department, the Office of the National Cyber Director and the Cybersecurity and Infrastructure Security Agency over the past year. Government officials and the insurance industry plan to meet in April to work out exactly what such a program would look like.
    • “Federal support in the event of a catastrophic attack would undoubtedly be necessary, said John Keogh, president and chief operating officer of insurer Chubb.
    • “While the industry could absorb a major natural disaster, the effects of a cyberattack on a similar scale would quickly overwhelm its capacity to cover losses.”

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive points out last Monday,
    • A cyberattack targeting Fidelity National Financial led to disruptions across its services, including title insurance and mortgage transactions, after it was forced to block access to certain systems, the company said last week in a filing with the Securities and Exchange Commission.
    • An investigation showed an unauthorized third party gained access to some of its systems and stole certain credentials, the company said.
    • The threat group known as AlphV/BlackCat claimed responsibility for the attack, according to security researcher Dominic Alvieri.
  • CISA added two more known exploited vulnerabilities to its catalog on November 30, 2023, and removed one on December 1, 2023.

From the ransomware front, here’s a link to the latest Bleeping Computer’s Week in Ransomware.

From the cybersecurity defenses front,

  • Technopedia identifies the top nine cybersecurity trends for 2024.
  • Cybersecurity Dive informs us,
    • “Technology like generative AI can address some key security challenges confronting organizations, but professionals that overemphasize those capabilities miss the fundamental need to put people and their unique talents first.
    • “Security is a people issue,” Amazon CSO Stephen Schmidt said Monday during a presentation at AWS re:Invent in Las Vegas. “Computers don’t attack each other. People are behind every single adversarial action that happens out there.”
    • “For Schmidt, winning in security is akin to playing chess — focusing on the board, how the pieces move and interact — while practicing psychology. Security professionals need to understand the human elements at play, including their own tendencies and opponents’ motivations.
    • “You’re not playing just one chess match,” Schmidt said. “You are playing dozens or hundreds of games at the same time, because you have a variety of adversaries with different motivations who are going after you.”
    • “This cybersecurity scrum can feel overwhelming, but many defenders view generative AI as an ally that can automate repetitive tasks. Cybersecurity vendors across the landscape have released security tools infused with the technology, and more are in the pipeline.”
  • Tech Republic adds that Open AI first released ChatGPT on November 30, 2022. The site explains how the technology has evolved.

Cybersecurity Saturday

From the cybersecurity vulnerabilities and breaches front,

  • HHS’s Health Sector Cybersecurity Coordination Center posted a Sector Alert about a “Critical Vulnerability in Fortinet FortiSIEM Platform” on November 22, 2023.
    • “Fortinet has identified a vulnerability in its FortiSIEM platform, which is utilized by the Healthcare and Public Health (HPH) sector. This vulnerability enables a threat actor to execute commands on the target system, allowing for a potentially wide-scale and impactful cyberattack. HC3 recommends that all healthcare organizations operating FortiSIEM prioritize the upgrade of these platforms in a timely manner.”
  • The Cybersecurity and Infrastructure Security Agency added one more known exploited vulnerability to its catalog on November 21, 2023.
  • Dark Reading points out,
    • “A widely popular social engineering campaign previously only targeting Windows systems has expanded and is now using fake browser updates to distribute Atomic Stealer, a dangerous information stealer, to macOS systems.
    • “Experts say this could be the first time they’ve observed a dominant social engineering scam previously aimed specifically at Windows make the shift to macOS.
    • “The malware, also referred to as AMOS, surfaced earlier this year on a dedicated Telegram channel. Criminals, who can rent the malware on a subscription basis for about $1,000 a month, have used a variety of means to distribute the malware since then. The most common tactic has been to distribute the malware via installers for popular apps or via purportedly cracked versions of Microsoft Office and other widely used applications.”
  • Health IT Security notes,
    • “The HHS Office for Civil Rights (OCR) completed a HIPAA investigation into New York-based Saint Joseph’s Medical Center following claims that the organization had impermissibly disclosed COVID-19 patients’ protected health information (PHI) to a news reporter. Saint Joseph’s Medical Center agreed to pay $80,000 to OCR and implement corrective actions.
    • “OCR launched the investigation following the publication of an article by the Associated Press about the academic medical center’s response to the COVID-19 pandemic. The article included photographs and information about three COVID-19 patients, including diagnoses, current medical statuses and prognoses, vital signs, and treatment plans.
    • “Further investigation determined that Saint Joseph’s had provided the information to the Associated Press without first obtaining written consent from the three patients.”
  • The HHS Inspector General warns us “about a fraud scheme involving monthly billing for remote patient monitoring.”

From the ransomware front,

  • Cybersecurity Dive reports on November 22, 2023,
    • “Criminal threat groups and nation-state actors are exploiting a critical vulnerability in Citrix Netscaler ADC and Netscaler Gateway to launch attacks, the Cybersecurity and Infrastructure Security Agency and FBI warned on Tuesday.
    • “Affiliates of LockBit 3.0 exploited the vulnerability — dubbed CitrixBleed by researchers — to gain access into Boeing’s parts and distribution unit and exfiltrate data, as part of a suspected ransomware attack, according to federal authorities.
    • “CISA, through its ransomware vulnerability warning program, has notified almost 300 organizations they were running vulnerable instances of the devices and needed to take mitigation measures before they were attacked, Eric Goldstein, executive assistant director of cybersecurity at CISA, said during a conference call with reporters.” 
  • Here is a link to the CISA analysis of CitrixBleed.
  • Cyberscoop provides its perspective on this and related schemes.
    • “Jon DiMaggio, the chief security strategist with Analyst1 who has written extensively on the internal workings of LockBit, said that while there are only a few groups with the “skill and talent and creative ability to do some of these more advanced attacks,” these crews, particularly those associated with the AlphV attacks, are becoming much better at social engineering.
    • “Many major companies still have problems with the cybersecurity basics, DiMaggio said, let alone building help desks that are tough to manipulate. “It’s tough, but they have to change,” DiMaggio said. “Trying to focus on helping people and helping your clients can’t always be number one anymore.” 
    • “That might slow response times, he noted, but that’s “a lot better than having to lose ungodly amounts of money, having your reputation destroyed and everything else.”

From the cybersecurity defenses front,

  • CISA discusses how the agency has re-envisioned its Cybersecurity Insurance and Data Analysis Working Group to help reduce cybersecurity risk.
    • “When we re-launch the CIDAWG in December, the working group will partner with Stanford’s Empirical Security Research Group, a research lab in Stanford’s Computer Science Department, with the intent to correlate data with cybersecurity controls to understand their effectiveness. CISA will ask working group members to collaborate with Stanford to improve analysis of the aggregated, anonymized loss data and link it with controls effectiveness. This analysis will be a resource both for insurers to inform their risk analysis and for CISA to better understand whether efforts like the Cyber Performance Goals (CPGs) and the Secure by Design initiative are translating to reduced cyber risk exposure for organizations that adopt them.”
  • The Wall Street Journal explains why storytelling can improve cybersecurity training.
    • “I recently wrote about the “phishing tests” that many companies use to train (well, scare) employees into being more cyber-vigilant. They send around a phony phishing email, and measure how many people click on it. But my research shows that these tests can actually be harmful. They create fear, stress and distrust among employees, and in the end they don’t improve phishing resistance much.
    • “When I wrote that article, a number of readers wrote in asking a simple question: If phishing tests don’t work, what does?
    • “I believe a better way to train people is to have their peers tell them stories about their experience with scams. Humans have an innate ability to learn from stories about other people—even if they are just casual stories that fall into the middle of a conversation. My research on the topic has found just how effective stories can be when applied to cybercrime: Hearing about somebody else getting snagged by phishing, or narrowly avoiding it, makes people more likely to take security seriously and avoid the mistakes they have heard about.”
  • The Hacker News recommends six steps to accelerate cybersecurity incident response.
  • ISACA offers a report on optimizing risk transfer for systematic resilience.

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cyberscoop reports,
    • “Former National Security Agency Executive Director Harry Coker is one step closer to being the next national cyber director after the Senate Homeland and Governmental Affairs Committee advanced his nomination Wednesday.
    • “Coker, also a former CIA officer, told the panel during the initial nomination hearing that he would plan on continuing the work of his potential predecessors.
    • “Coker’s nomination comes after the White House was criticized by experts and policy wonks for not nominating Kemba Walden, the current acting national cyber director, to the permanent role. The Washington Post reported that Walden’s personal debts were the White House’s rationale for declining to nominate her.
    • “Walden’s last day as the acting cyber chief is Friday, according to an ONCD spokesperson.”
  • On November 14, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released
    • “its first Roadmap for Artificial Intelligence (AI), adding to the significant DHS and broader whole-of-government effort to ensure the secure development and implementation of artificial intelligence capabilities. DHS plays a critical role in ensuring AI safety and security nationwide.”
    • “Last month, President Biden issued an Executive Order that directed DHS to promote the adoption of AI safety standards globally, protect U.S. networks and critical infrastructure, reduce the risks that AI can be used to create weapons of mass destruction, combat AI-related intellectual property theft, and help the United States attract and retain skilled talent, among other missions. As part of that effort, CISA’s roadmap outlines five strategic lines of effort for CISA that will drive concrete initiatives and outline CISA’s responsible approach to AI in cybersecurity.”
  • Federal News Network observes,
    • “When federal government agencies were breached by Chinese hackers due to a Microsoft Azure vulnerability, the Cybersecurity and Infrastructure Security Agency released an advisory calling for the use of more enhanced monitoring tools to build resilience against increasingly sophisticated attacks. This latest advisory was further amplified by the National Cybersecurity Strategy, which reinforced the need to make the government’s critical infrastructure more resilient by modernizing federal networks.  
    • “Despite these measures, a recent study shows that only 26% of the public sector (compared to 40% of the private sector) have a formal approach to building resilience. Moreover, federal agencies whose mission-set centers on critical infrastructure, such as the Departments of Energy or Transportation, still face challenges to maintain legacy tools in contrast to the public sector as a whole.
    • “This is because federal agencies need more support to implement modern monitoring tools that help improve their threat detection and response. Without the proper technology in place to match the challenges of today’s threat landscape, it is difficult to remain resilient when faced with an attack. But how might an organization begin to achieve the resilience required for today’s cyber threats?  
    • “It starts with federal agencies prioritizing observability strategies. Despite its growing popularity, observability is a fresh concept – one that can be difficult to define and see as a path to resilience without first understanding its foundation. The roots of observability can simply be traced down to a collection of logs, metrics and traces by which monitoring systems can more proactively mitigate potential threats.”

From the cybersecurity vulnerability and breaches front,

  • The HIPAA Journal offers its October 2023 Healthcare Data Breach Report.
    • “For the second consecutive month, the number of reported data breaches of 500 or more healthcare records has fallen, with October seeing the joint-lowest number of reported data breaches this year. After the 29.4% fall in reported data breaches from August to September, there was a further 16.7% reduction, with 40 data breaches reported by HIPAA-regulated entities in October – the opposite trend to what was observed in 2022, when data breaches increased from 49 in August 2022 to 71 breaches in October 2022. October’s total of 40 breaches is well below the 12-month average of 54 breaches per month (median: 52 breaches).”
  • Federal News Network reports,
    • “The Office of Personnel Management faces a tight deadline to set up a new health insurance marketplace for Postal Service employees and retirees to enroll in new plans, starting next year.
    • “Now OPM is addressing watchdog concerns about whether the IT infrastructure supporting this new USPS marketplace is following federal cybersecurity requirements.
    • “OPM’s Office of Inspector General, in a flash audit released Friday, raised concerns about the cybersecurity steps OPM took before launching the IT systems that will run the Postal Service Health Benefits (PSHB) Program. * * *
    • “The IG report focuses on the steps OPM took to launch Carrier Connect, a system OPM uses to communicate and share data with health care providers. [FEHBLog note — FFF presumably refers to sharing data with FEHB plans.]
    • “According to the report, OPM officials acknowledged the agency started the assessment and authorization process too late in the security development lifecycle — in the summer of 2023 — and knew they would have to launch Carrier Connect under a provisional authority to operate (ATO).
    • “IT security was not integrated at the beginning, and as a result, many of the required elements of an authorization to operate (ATO) package were not completed before the system was authorized to operate and placed into production,” the IG report states.”
  • HHS’s health sector Cybersecurity Coordination Center (HC3) posted a PowerPoint presentation about Emotet malware, which HC3 describes as “the enduring and persistent threat to the health sector.”
  • This week, CISA added six known exploited vulnerabilities to its catalog on November 13, then another three on November 14, and then finally another three on November 16.
  • Get a load of this Dark Reading article.
    • “The ransomware group ALPHV (aka “BlackCat”) has filed a formal complaint with the US Securities and Exchange Commission (SEC), alleging that a recent victim failed to comply with new disclosure regulations. * * *
    • “Putting aside the sheer audacity of the move, ALPHV may be out of luck with the SEC for two reasons.
    • “For one thing, in a statement provided to BleepingComputer on Wednesday, MeridianLink stated that it wasn’t yet sure if any consumer personal information was compromised, adding that “based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption.” Exactly what data ALPHV stole and published may affect whether the breach is “material,” per SEC language.
    • “Second, as noted in its original press release, the new SEC disclosure rule only takes effect on Dec. 18. (Smaller companies will have even more leeway, with an extra 180 days before they have to get on board).
    • “Future victims of similar attacks will have fewer breaks to count on.
    • “Using the threat of filing a ‘failure to report’ complaint against its own victim to the SEC is a compelling tactic that could weaponize a government regulation for a cybercriminal group’s benefit,” Tiquet warns. “Disciplinary action from the SEC is not to be taken lightly and fines can be very steep.”

From the ransomware front

  • Cybersecurity Dive reports,
    • “The group of threat actors claiming responsibility for major attacks against MGM Resorts, Caesars Entertainment and Clorox is composed of experts in social engineering, and federal cyber authorities are prodding more victims to come forward.
    • “Scattered Spider, which deploys AlphV ransomware in some of its attacks, uses multiple techniques and tools to gain remote access or bypass multifactor authentication, federal cyber authorities warned in a Thursday advisory.
    • “The FBI and Cybersecurity and Infrastructure Security Agency shared technical details and data gleaned from investigations as recently as this month to help organizations thwart and mitigate attacks. Yet, officials say more information is needed, as a lack of reporting hinders law enforcement’s ability to take action.
    • “Scattered Spider’s high level of activity underscores the importance of prevention and the need for more victim organizations to report cyberattacks to CISA or the FBI, agency officials said.”
  • The American Hospital Association News adds,
    • “Scattered Spider’s sophisticated technical cyberattacks begin with sophisticated psychological attacks,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “Scattered Spider employs social engineering techniques to deceive end users into providing their credentials, authentication codes or downloading ‘help desk’ tools on their computers that allow the adversary to gain and maintain persistent access to computer networks. Staff should be advised of help desk verification protocols and that help desk personnel should not be asking staff to divulge their credentials or multi-factor authentication codes. Conversely, the help desk should enhance its verification protocols and challenge questions to ensure they do not improperly reset staff credentials and to help staff distinguish valid help desk interaction from social engineering attempts.”
  • On November 15, 2023, CISA issued a #StopRansomware Advisory regarding Rhysida Ransomware.
  • On November 13, 2023, CISA posted an update to its Royal Ransomware Advisory.
    • “The updated advisory provides network defenders with additional information on tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Royal ransomware variants. FBI investigations identified these TTPs and IOCs as recently as June 2023.”
  • Bleeping Computer’s The Week in Ransomware is back this week.

From the cybersecurity defenses front,

  • On November 17, CISA posted “the Mitigation Guide: Healthcare and Public Health (HPH) Sector as a supplemental companion to the HPH Cyber Risk Summary, published July 19, 2023. This guide provides defensive mitigation strategy recommendations and best practices to combat pervasive cyber threats affecting this critical infrastructure sector. It also identifies known vulnerabilities for organizations to assess their networks and minimize risks before intrusions occur.”
  • Forta tells us about Amazon Web Services’ Six Pillars of Cybersecurity.
  • Dark Reading explains how to build a resilient incident response team.