Cybersecurity Saturday

From the cybersecurity vulnerabilities and breaches front,

  • Cyberscoop reports
    • “An international law enforcement operation disrupted the Qakbot botnet and associated malware that has been connected with countless cyberattacks and nearly $60 million in losses from victims around the world, the U.S. Department of Justice announced Tuesday.
    • “The operation that included the FBI, DOJ and authorities in France, Germany, the Netherlands, Romania, Latvia and the United Kingdom — is “one of the largest U.S.-led disruptions of a botnet infrastructure” used by criminals to facilitate ransomware, financial fraud and other cyber-enabled criminal activity, the FBI said in a statement.
    • “There were no arrests in connection with the operation but the investigation remains ongoing, a senior FBI official told reporters Tuesday.
    • “Qakbot, also known as Qbot or Pinkslipbot, is malware first detected in 2008 that has been associated with hundreds of millions of dollars in losses to individuals and businesses in the U.S. and around the world, according to the FBI. The malware has been an initial entry mechanism for a variety of ransomware groups over the years. Groups such as Conti, ProLock, Egregor, REvil, MegaCortex and Black Basta have been known to use it. Between October 2021 and April 2023, the FBI said, Qakbot administrators have received fees corresponding to approximately $58 million in ransoms paid by victims.
  • Cybersecurity Dive adds
    • “The FBI was able to redirect botnet traffic toward servers it controlled and disrupt the operation. More than 200,000 computers in the U.S. alone were found to be infected. Authorities also seized $8.6 million in illicit cryptocurrency as part of the takedown. * * *
    • “The FBI and Dutch National Police have set up website links where stolen credentials can be accessed to find out if they were used.”
  • Here are links to the related CISA announcement and Security Week’s report on industry reaction to this news.
  • Krebs on Security informs us,
    • “Domain names ending in “.US” — the top-level domain for the United States — are among the most prevalent in phishing scams, new research shows. This is noteworthy because .US is overseen by the U.S. government, which is frequently the target of phishing domains ending in .US. Also, .US domains are only supposed to be available to U.S. citizens and to those who can demonstrate that they have a physical presence in the United States.
    • “.US is the “country code top-level domain” or ccTLD of the United States. Most countries have their own ccTLDs: .MX for Mexico, for example, or .CA for Canada. But few other major countries in the world have anywhere near as many phishing domains each year as .US.
    • “That’s according to The Interisle Consulting Group, which gathers phishing data from multiple industry sources and publishes an annual report on the latest trends. Interisle’s newest study examined six million phishing reports between May 1, 2022, and April 30, 2023, and found 30,000 .US phishing domains.
    • “.US is overseen by the National Telecommunications and Information Administration(NTIA), an executive branch agency of the U.S. Department of Commerce. However, NTIA currently contracts out the management of the .US domain to GoDaddy, by far the world’s largest domain registrar.”
  • Go figure.
  • Cybersecurity Dive tells us last Monday
    • “The blast radius from the mass exploit of a zero-day vulnerability in the MOVEit file transfer service reached another milestone in its destructive spread: more than 1,000 organizations are impacted, according to Emsisoft and KonBriefing Research.
    • “The number of organizations hit by the wide-scale attack increased nearly 40% last week, underscoring the scope of impact and challenge organizations are encountering as they work to determine potential exposure.
    • “The pool of victims from Clop’s attack spree, which was discovered Memorial Day weekend, continues to grow as downstream victims, which lead to more downstream victims, are identified via public disclosures and the threat actor’s website.
  • Health IT Security adds
    • “This week, Singing River Health System in Mississippi is actively facing system downtime as it investigates a cyberattack on its network. What’s more, Prospect Medical Holdings, which operates 16 hospitals and more than 165 clinics across Southern California, Rhode Island, Pennsylvania, and Connecticut, is still experiencing a systemwide outage that began on August 9.
    • “As these incidents continue to develop, other entities have continued to report confirmed data breaches to HHS, as exemplified in this week’s data breach roundup. Third-party data breaches continue to dominate breach notifications, causing breaches across the country.”
    • The article goes on to highlight recent breach announcements. 

From the cybersecurity defenses front,

  • Per Cybersecurity Dive,
    • “Organizations are facing more obstacles obtaining or renewing cyber insurance coverage, according to a survey of 300 organizations conducted by Censuswide, on behalf of Delinea. Organizations also face strict requirements to get a claim covered.
    • “The majority of organizations, 4 in 5, said their insurance rates went up when they submitted a new application or applied for policy renewals, with two-thirds reporting premium hikes of between 50% and 100%.
    • “It is also taking organizations longer to obtain new coverage. The process for 20 of those surveyed, roughly 7%, took six months or longer.”
  • The Healthcare and Public Sector Critical Infrastructure Security and Resilience Partnership released an updated version of its Health Industry Cybersecurity Tactical Crisis Response Guide.
  • An ISACA expert discusses “Contending with Artificially Intelligent Ransomware.”
  • HHS’s 405(d) group released a cyber-hygiene poster oriented toward healthcare providers. Nevertheless, it can be adapted for health plan use.
  • Forbes identifies ten “captivating” cybersecurity conferences being held in Fall 2023.

Cybersecurity Saturday

From the cybersecurity policy front,

  • Federal News Network informs us
    • “Vulnerability disclosure policies have proliferated throughout federal agencies in recent years, and if a new House bill ends up becoming law, federal contractors would have to adopt policies for accepting vulnerability information from security researchers as well.
    • “Rep. Nancy Mace (R-S.C.) today announced the Federal Cybersecurity Vulnerability Reduction Act of 2023. Mace is chairwoman of the House Oversight and Accountability Committee’s cybersecurity, information technology and government innovation subcommittee.
    • “The bill would require the White House Office of Management and Budget to lead updates to the Federal Acquisition Regulation that ensure federal contractors implement a vulnerability disclosure policy. * * *
    • “Mace’s bill would have contractors specifically follow the VDP guidelines established by the National Institute of Standards and Technology.
    • “In May, NIST published “Recommendations for Federal Vulnerability Disclosure Guidelines.” The document lays out a federal vulnerability disclosure framework, including information about how agencies should set up a system for receiving information about potential security vulnerabilities, as well as methods for communicating ways to resolve those vulnerabilities to other agencies and the public.

From the cybersecurity vulnerabilities and breaches front,

  • HHS’s Health Sector Cybersecurity Coordination Center released its July 2023 report on vulnerabilities of interest to the health sector.
    • “In July 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for July are from Microsoft, Google/Android, Apple, Mozilla, SAP, Cisco, Fortinet, VMware, MOVEit, Oracle, and Adobe. A vulnerability is given the classification as a zero-day if it is actively exploited with no fix available or if it is publicly disclosed. HC3 recommends patching all vulnerabilities with special consideration to the risk management posture of the organization.”
  • The Cybersecurity and Infrastructure Security Administration added a new known exploited vulnerability to its catalog on August 21; two more on August 22, and another two on August 24.
  • Per Health IT Security,
    • “Healthcare data breaches remain a troubling and frequent occurrence despite an observed dip in the number of breaches reported to HHS in the first six months of 2023, Critical Insight noted in its H1 2023 Healthcare Data Cyber Breach Report.
    • “While the number of breaches dropped 15 percent in the first six months of the year compared to the latter half of 2022, the number of records compromised jumped by 31 percent. As previously reported, nearly 40 million records were implicated in healthcare data breaches reported to HHS from January to June.”

In HIPAA Privacy Rule news,

  • Health IT Security says,
    • “The HHS Office for Civil Rights (OCR) reached a settlement with UnitedHealthcare Insurance Company (UHIC) to resolve potential HIPAA right of access violations. UHIC, a health insurer that provides coverage to millions across the US, agreed to pay $80,000 to OCR to resolve the investigation.
    • “The investigation marks the 45th case settled under OCR’s HIPAA Right of Access Initiative, which was created in 2019 to underscore OCR’s commitment to ensuring that patients have timely access to their medical records.
    • “The UHIC case arose in March 2021, when OCR received a complaint alleging that UHIC had not responded to an individual’s request for a copy of their medical record. The individual requested their records in January 2021, finally receiving them in July 2021, after OCR had initiated its investigation into the matter.”

From the ransomware front,

  • Cybersecurity Dive reports
    • “The median dwell time for ransomware attacks fell in the first half of 2023, down to 5 days from the 2022 average of 9 days, according to Sophos research released Wednesday.
    • “The majority of ransomware attacks are taking place during the work week, yet outside standard business hours, Sophos found. The bulk of 80 cases its incident response team worked on during the first half of 2023 took place between 11 p.m. and 8 a.m. in the target’s time zone. Attackers also strongly favored a “late hour at the end of the week” to launch an attack.
    • “Monitoring and reactions have to be 24/7 these days,” said Chester Wisniewski, field CTO of applied research at Sophos. “The criminals are striking when we’re not sitting at the keyboard waiting for them.”
  • and
    • “The Rhysida ransomware group claimed responsibility for a ransomware attack against Prospect Medical Holdings that forced multiple hospital closures earlier this month and continues to impact operations.
    • “The threat actor said it stole more than 500,000 Social Security numbers, passport data of clients and employees, patient medical files, and financial and legal documents, according to a Thursday post on the dark web.
    • “Emsisoft Threat Analyst Brett Callow shared a screenshot of the post on X, the platform formerly known as Twitter, Thursday [August 24].”
  • BleepingComputer’s The Week in Ransomware is on summer vacation this week.

From the cybersecurity defenses front,

  • Per CISA,
    • “[On August 21,] the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and National Institute of Standards and Technology (NIST) released a joint factsheet, Quantum-Readiness: Migration to Post-Quantum Cryptography (PQC), to inform organizations—especially those that support Critical Infrastructure—of the impacts of quantum capabilities, and to encourage the early planning for migration to post-quantum cryptographic standards by developing a Quantum-Readiness Roadmap.
    • “CISA, NSA, and NIST urge organizations to review the joint factsheet and to begin preparing now by creating quantum-readiness roadmaps, conducting inventories, applying risk assessments and analysis, and engaging vendors. For more information and resources about CISA’s PQC work, visit the Post-Quantum Cryptography Initiative.”
  • Per Health IT Security,
    • “The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) issued an updated version of its “Health Industry Cybersecurity Information Sharing Best Practices” guide (HIC-ISBP) to help healthcare organizations craft and maintain a cybersecurity threat information sharing program.
    • “Originally published in March 2020 in partnership with the Health Information Sharing and Analysis Center (Health-ISAC), the document serves to address barriers to information sharing and guide organizations toward overcoming regulatory obstacles that may make information sharing a challenge.
    • “The document is a companion to another recently updated publication known as the “Matrix of Information Sharing Organizations,” which provides healthcare organizations with a list of reputable information-sharing entities.”
  • Dark Reading identifies five best practices for implementing Risk-First Cybersecurity.
    • “Organizations face an uphill battle to safeguard hybrid cloud assets and sensitive data from evolving cyber threats in an increasingly interconnected and digitized world. While the security-first approach is essential, it has limitations in addressing the dynamic nature of these threats. The risks resulting from these threats are multifaceted and sophisticated, encompassing cybersecurity, compliance, privacy, business continuity, and financial implications. Therefore, a shift toward a risk-first approach is necessary.”
  • ISACA shares an executive view of key cybersecurity trends in 2023.
    • “2023 has further proven that the state of cybersecurity is constantly evolving. New technologies are emerging and increasingly being adopted for purposes of enhancing threat detection, analyzing large volumes of data for anomalies and automating security processes. Meanwhile, cyber threats are becoming increasingly sophisticated. In 2022, 76% of organizations were targeted by a ransomware attack, of which 64% were infected.1 To more effectively defend against such attacks, it is important for cyber professionals to understand current trends and challenges that exist in the field of cybersecurity.”
  • The Wall Street Journal offers its quarterly cyber insurance update.
    • In this quarter’s update, we look at new Securities and Exchange Commission cyber rules that may increase insurance risks for corporate directors, how new technologies such as artificial intelligence are helping assess a company’s cyber risk profile, and whether having a cyber insurance policy increases the likelihood of being a victim of a ransomware attack.

Cybersecurity Dive

From the cybersecurity policy front —

  • Ars Technica reports
    • The Advanced Research Projects Agency for Health (Arpa-H), a research support agency within the United States Department of Health and Human Services, said today that it is launching an initiative to find and help fund the development of cybersecurity technologies that can specifically improve defenses for digital infrastructure in US health care. Dubbed the Digital Health Security project, also known as Digiheals, the effort will allow researchers and technologists to submit proposals beginning today through September 7 for cybersecurity tools geared specifically to healthcare systems, hospitals and clinics, and health-related devices.
  • FedScoop tells us,
    • Federal agencies got a reminder from the White House yesterday [August 16] of the need to firm up their cybersecurity in compliance with a Biden executive order.
    • The National Security Advisor Jake Sullivan sent a memo to departments and agencies Wednesday morning “to ensure their cyber infrastructure is compliant with” a May 2021 cybersecurity executive order on improving U.S. agencies’ cyber defense, a National Security Council spokesperson said in an emailed statement. 
  • Per NextGov,
    • “The White House is working to develop a 10-year modernization plan for federal civilian agencies as part of a broader effort to transition away from outdated information technology systems while bolstering the nation’s cyber posture, a top official said Tuesday.
    • “Federal Chief Information Security Officer Chris DeRusha told Nextgov/FCW that replacing costly legacy IT systems with resilient and secure technologies has become a top priority for the administration following the release of the National Cybersecurity Strategy earlier this year. 
    • “We need a 10-year modernization plan for legacy IT,” DeRusha said at Nextgov/FCW’s Identity Security Workshop. “Legacy IT modernization is the number one biggest rock that needs to get moved for us to be able to secure our systems.”
  • NIST released a summary of public comments received on draft Special Publication 800-171 Revision 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. FEHB claims data falls within the scope of this SP.
    • “NIST is adjudicating the comments and preparing the final public draft (fpd) of SP 800-171r3. Concurrently, the team is developing the initial public draft of SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, which will provide assessment procedures for the SP 800-171r3 security requirements. NIST anticipates releasing SP 800-171r3 fpd and SP 800-171A ipd for public comment in Q1 of FY 2024 (October – December 2023) and looks forward to ongoing engagement with users during the comment period.”
  • Per Cybersecurity Dive,
    • Cyber authorities are working to mitigate threats to remote monitoring and management tools with assistance from the government and private sector.
    • The defense plan from the Joint Cyber Defense Collaborative “addresses issues facing top-down exploitation of RMM software,” which present a growing risk to small- and medium-sized businesses, the Cybersecurity and Infrastructure Security Agency [CISA] said.

From the cybersecurity vulnerabilities and breaches front,

  • The Health Sector Cybersecurity Coordination Center released a threat analysis of China-based threat actors.
    • “This white paper outlines Chinese cyber threat actors who are known to target the U.S. public health and private health sector entities in cyberspace. The groups outlined within this document represent some of the most capable and deliberate threats to the U.S. healthcare sector, and should be treated with priority when designing and maintaining an appropriate risk posture for a health sector entity.”
  • CISA added one more known exploited vulnerability to its catalog on August 16, 2023.
  • Dark Reading reports
    • “Hackers are on a spree of hijacking LinkedIn accounts, in some cases monetizing the attacks by demanding a small ransom from users to regain access and threatening permanent deletion.
    • “Though LinkedIn, a subsidiary of Microsoft, has not yet commented publicly about the campaign, it has affected people worldwide over the last few weeks. Conversations on social media and Google searches indicate a “significant surge in the past 90 days” of account hacks on the professional-oriented social media platform, according to a recent report published by Cyberint.”
  • Bloomberg Technology examines a larger email hack of Microsoft.
    • “No one likes losing their keys. But after a single Microsoft Corp. key fell into the hands of Chinese hackers, it’s going to take more than changing the locks to restore its reputation. 
    • “The consumer signing key was used to forge authentication tokens — which are meant to verify a user’s identity — and access emails, including the accounts of Commerce Secretary Gina Raimondo and State Department officials, shortly before Secretary of State Antony Blinken traveled to China to meet President Xi Jinping in June.
    • “The world’s largest software maker is now facing increasing criticism from computer security experts and government officials alike over the hack, among the more embarrassing breaches of US government networks since the so-called SolarWinds attack was disclosed in 2020. Russian state-sponsored hackers also abused Microsoft’s software as part of that attack.
    • “Senator Ron Wyden, in a blistering letter last month about the lapse, called for multiple investigations. Shortly after, a US cybersecurity advisory panel opened a probe into the risks of cloud computing, and it is also looking at Microsoft’s role in the email hack.”
  • Health IT Security brings us up to date on the hack that keeps on giving – the MOVEit Transfer hack.
    • Entities across the country are still feeling the effects of the MOVEit Transfer hack as more organizations report breaches stemming from the vulnerability.
    • Earlier this week, the Colorado Department of Health Care Policy & Financing (HCPF), which operates Colorado’s Medicaid program, notified more than 4 million individuals of a breach that originated at IBM, which had used the MOVEit software on behalf of HCPF. IBM also notified the Missouri Department of Social Services of the same incident.
    • MOVEit disclosed the vulnerability on May 31 and issued a patch on the same day. 

From the cybersecurity defenses front,

  • Cybersecurity Dive explains why
    • “Security basics aren’t so basic — they’re hard; Lax security controls cause heavy damages, and security experts warn how unmet basics turn up, time and again, when things go wrong” and
  • identifies
    • “AWS customers’ most common security mistake; All too often organizations are not doing least-privilege work with identity systems, AWS’ Mark Ryland told Cybersecurity Dive,” and
  • discusses how to take advantage of sometimes disjointed threat intelligence.
  • The Wall Street Journal reports
    • “Hackers exploit the trust relationships between organizations and their third-party suppliers and vendors, resulting in potentially damaging targeted and untargeted attacks.
    • “Understanding the organizations in a supply chain and critical dependencies is essential to reducing the risk, though some threats are nearly impossible to mitigate.
    • “Multiple internal stakeholders working together with technology solutions and consultancy expertise can significantly reduce the risk of, or impact from, supply chain attacks[, e.g., the MOVEit Transfer hack].”

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cybersecurity Dive informs us,
    • “The National Institute of Standards and Technology released a long-anticipated draft version of the Cybersecurity Framework 2.0 Tuesday, the first major update of the agency’s risk guidance since 2014.
    • “After originally focusing risk guidance on critical infrastructure, the updated framework includes a wider array of organizations, including small- and medium-sized businesses, local schools and other entities.
    • “The revised framework also addresses the role of corporate governance and the growing risks to digital networks via third-party relationships. * * *
    • “NIST will release a CSF 2.0 reference tool in a few weeks to help users browse, search and export data in a format that is machine-readable. It will also hold a workshop in the fall for additional public comments.
    • “The deadline for public comments is Nov. 4, and NIST plans to publish a final version of CSF 2.0 in early 2024.”
  • Health IT Security adds,
    • As previously reported, the NIST CSF can be an asset to healthcare organizations looking to bolster their cybersecurity programs. Alongside other voluntary frameworks and HIPAA compliance actions, healthcare organizations can leverage the NIST framework to enhance privacy and security protections.
  • Politico updates us on the Federal Trade Commission’s proposed health data breach rule.
    • In May, the Federal Trade Commission proposed a sweeping expansion of health data privacy rules, and now, the period for the public to weigh in has ended.
    • “While many comments were supportive, others were concerned that the FTC was overstepping its authority, opening itself up to litigation, and urged more clarity.” * * *
    • “The proposal would clarify that health app developers would be subject to regulations requiring them to notify customers if their identifiable data is accessed by hackers or business partners or shared for marketing without patient approval. The rule would include those offering health services and supplies — broadly defined to include fitness, sleep, diet and mental health products and services, among a laundry list of categories.”
  • The Wall Street Journal summarizes the Security and Exchange Commission’s final cyber rule:
    • The U.S. Securities and Exchange Commission has approved new regulations requiring public companies to disclose cybersecurity breaches within four business days of becoming aware of a material impact resulting from the incident.
    • The regulations dropped the requirement for companies to disclose the names of cybersecurity experts on company boards and the nature of their expertise.
    • Companies are now required to report information regarding their cybersecurity risk management, strategy and governance annually.
    • Despite the SEC not requiring cyber expertise, experts believe having cyber oversight on the board is still beneficial and a priority.

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive informs us,
    • “The mass exploit of a zero-day vulnerability in MOVEit has compromised more than 600 organizations and 40 million individuals to date, but the numbers mask a more disastrous outcome that’s still unfolding.
    • “The victim pool represents some of the most entrenched institutions in highly sensitive — and regulated — sectors, including healthcare, education, finance, insurance, government, pension funds and manufacturing.
    • “The subsequent reach and potential exposure caused by the Clop ransomware group’s spree of attacks against these organizations is vast, and the number of downstream victims is not yet fully realized. * * *
    • “The widespread attack against MOVEit and its customers was “highly creative, well-planned, organized by multiple groups and executed well since they were able to poach records at scale,” independent analyst Michael Diamond said via email.
    • “Without a doubt, they hit one of the juicy parts of the orchard from an information perspective that they’ll continue to monetize and use for attacks in the future,” Diamond said. “My impression is that this is only going to get worse over time.”
    • “Diamond isn’t alone in forecasting the worst is yet to come.”
  • The Cybersecurity and Infrastructure Security Agency added one known exploited vulnerability to its catalog on August 7 and another one on August 9.
  • The Wall Street Journal reports that “AI Is Generating Security Risks Faster Than Companies Can Keep Up: Rapid growth of generative AI-based software is challenging business technology leaders to keep potential cybersecurity issues in check.”
  • The Healthcare Sector Cybersecurity Coordination Center released a threat analysis on multifactor authentication (good) and smishing (bad).

From the ransomware front,

  • Cybersecurity Dive pointed out on August 7, 2023,
    • “A ransomware attack against Prospect Medical Holdings disrupted healthcare services across multiple states last week, prompting multiple hospital closures as response and recovery efforts are underway.
    • “Prospect Medical Holdings recently experienced a data security incident that has disrupted our operations,” the healthcare provider said Friday in a statement. The California-based company operates 16 hospitals and more than 165 clinics and outpatient facilities in California, Connecticut, Pennsylvania and Rhode Island.”

From the cybersecurity defenses front,

  • FedScoop reports
    • “The White House on Wednesday [August 9] announced a competition for cybersecurity researchers that is intended to spur the use of artificial intelligence to identify and fix software vulnerabilities.
    • “Teams that compete in the “AI Cyber Challenge,” which the Defense Advanced Research Projects Agency will lead, can win prizes worth up to $18.5 million. The agency has also allocated an additional $7 million in prize money for small businesses that participate.
    • “As part of the competition, researchers will use AI technology to fix software vulnerabilities, with a particular focus on open-source software. Leading AI companies Anthropic, Google, Microsoft and OpenAI will make their technology available for the challenge, according to the Biden administration.
    • “The White House’s announcement comes amid continued concern over rising cyber supply-chain risk across the federal government and the private sector. Last September, the Office of Management and Budget stipulated that all software providers would have to self-attest to the security of their products before deploying them on federal agency systems.”

Cybersecurity Saturday

From the cybersecurity policy front —

  • Cybersecurity Scoop reports,
    • “The Cybersecurity and Infrastructure Security Agency [CISA] released its strategic plan for fiscal year 2024 through 2026 on Friday, following a plethora of strategies and implementation plans released over the past several months by the White House aimed at improving the nation’s overall cybersecurity preparedness.
    • “Within CISA, this Plan will serve as a keystone for implementation, resource, and operational planning, as further executed through our Annual Operating Plans. Externally, it will help stakeholders understand and participate in our long-term cybersecurity planning and prioritization,” the document reads.
    • CISA’s strategic plan will focus on three goals: address immediate threats, harden the terrain and drive security at scale. Additionally, the strategy has nine objectives, three for each goal, outlining the agency’s scope for the next three years.
    • “The release comes shortly after the Office of the National Cyber Director released a National Cyber Workforce and Education Strategy, as well as the National Cybersecurity Strategy in March and subsequent Implementation Plan in July.”
  • and
    • “The Biden administration’s strategy for building the U.S. cybersecurity workforce calls for government, industry and civil society groups to collaborate in increasing the number of cybersecurity workers and also urges an overhaul of the U.S. immigration system.
    • “To address a dire shortage of cybersecurity workers, Monday’s strategy document takes a broad approach in overhauling the cybersecurity workforce. “The national cyber director’s office can only really task federal departments and agencies because, realistically, we need all of society. We need them to feel supported and heard and seen as we approach these ecosystem models,” Acting National Cyber Director Kemba Walden told CyberScoop.”

From the cybersecurity breaches and vulnerabilities front —

  • Health IT Security brings us up to date on MOVEit breaches affecting healthcare organizations.
  • Health IT Security adds, “The healthcare sector continued to face a high volume of cyberattacks in the past few months as infostealing malware rose in popularity, BlackBerry stated in its latest Global Threat Intelligence Report.”
  • Cybersecurity Dive reports
    • “Half of the 12 most-commonly exploited vulnerabilities in 2022 were discovered the previous year, cyber authorities from the Five Eyes said in a joint advisory released Thursday. One of the top 12 vulnerabilities was discovered in 2018.
    • “Flaws in Microsoft products accounted for 1 in 3 of the most-routinely exploited vulnerabilities, including three Exchange Server CVEs from 2021. Two-thirds of the most-exploited vulnerabilities were found in products from three vendors: Atlassian, Microsoft and VMware.
    • “Other vendors that made the list include Apache’s Log4j, F5 Networks, Fortinet and Zoho.
    • * * * “Delayed or inconsistent vulnerability patching remains an underlying problem. This, combined with the unmet need for vendors, designers and developers to adhere to secure-by-design and secure-by-default principles, is aggravating the risk of compromise by malicious cyber actors.
    • “The Five Eyes intelligence alliance, which includes authorities from the U.S., Australia, Canada, New Zealand and the U.K., reiterated the need for vendors to follow secure design practices throughout the software development lifecycle.”
  • Security Week tells us
    • The US government’s cybersecurity agency CISA is calling attention to under-researched attack surfaces in UEFI [Unified Extensible Firmware Interface], warning that the dominant firmware standard presents a juicy target for malicious hackers.
    • “UEFI is a critical attack surface. Attackers have a clear value proposition for targeting UEFI software,” the agency said in a call-to-action penned by CISA technical advisor Jonathan Spring and vulnerability management director Sandra Radesky. 
  • CISA’s Director Jen Easterly blogs about the importance of securing the Border Gateway Protocol, which she describes as being the most important part of the internet you have never heard of.
  • On July 31, CISA added another known exploited vulnerability to its catalog.

From the ransomware front —

  • HHS’s Health Sector Cybersecurity Coordination Center released a sector alert on August 4, 2023.
    • “Rhysida is a new ransomware-as-a-service (RaaS) group that has emerged since May 2023. The group drops an eponymous ransomware via phishing attacks and Cobalt Strike to breach targets’ networks and deploy their payloads. The group threatens to publicly distribute the exfiltrated data if the ransom is not paid. Rhysida is still in early stages of development, as indicated by the lack of advanced features and the program name Rhysida-0.1. The ransomware also leaves PDF notes on the affected folders, instructing the victims to contact the group via their portal and pay in Bitcoin. Its victims are distributed throughout several countries across Western Europe, North and South America, and Australia. They primarily attack education, government, manufacturing, and technology and managed service provider sectors; however, there have been recent attacks against the Healthcare and Public Health (HPH) sector.”
  • Bleeping Computer informs us that “Clop ransomware now uses torrents to leak data and evade takedowns” and it offers its Week in Ransomware.
    • “Ransomware gangs continue to prioritize targeting VMware ESXi servers, with almost every active ransomware gang creating custom Linux encryptors for this purpose.
    • “This week, BleepingComputer analyzed the Linux encryptor for Abyss Locker and illustrated how it was specifically designed to encrypt ESXi virtual machines.”

From the cybersecurity defenses front —

  • Per Forbes
    • “Traditional passwords have proven to be an increasingly problematic authentication strategy in the evolving face of cybersecurity. Biometrics, such as fingerprints, facial recognition and iris scanning, are ushering in a new era of safe authentication.
    • “Biometrics provide distinct advantages over passwords in terms of security, convenience and user experience. But why exactly are biometrics more secure, and how can businesses successfully implement this technology into their existing strategies?
    • The Forbes article explains how.
  • HelpNet offers advice on building cybersecurity defenses.
  • Security Intelligence explains how artificial intelligence can reduce data breach life cycles and costs.

Cybersecurity Saturday

From the cybersecurity policy front —

  • Cyberscoop reports
    • “President Biden on Wednesday nominated Harry Coker, a long-time CIA and National Security Agency official, to serve as the next national cyber director, a choice that elevates a relatively unknown official to take on a high-profile assignment as the president’s leading cybersecurity adviser. 
    • “Coker’s nomination ends a protracted search to replace Chris Inglis, who led the Office of the National Cyber Director until February after leading efforts to draft the administration’s cybersecurity strategy. 
    • “Leading voices in Capitol Hill have urged Biden in recent weeks to nominate Inglis’s deputy, Kemba Walden, who has been serving as the acting director. Despite the support of key lawmakers, the White House passed on elevating Walden to the permanent position — reportedly out of concern that her significant financial debts might hinder her confirmation before the Senate.”
  • The Cybersecurity and Infrastructure Security Agency tells us,
    • “Now that the cross-sector CPGs have been published, CISA is working with Sector Risk Management Agencies (SRMAs) to directly engage with each critical infrastructure sector to develop Sector-Specific Goals (SSGs).  In most instances, these goals will likely consist of either new, unique additional goals with direct applicability to a given sector or, materials to assist sector constituents with effective implementation of the existing cross-sector CPGs. Sector-specific goals will be developed by:
    • “Identifying any additional cybersecurity practices not already included in the Common Baseline, needed to ensure the safe and reliable operation of critical infrastructure in that sector.  
    • “Providing examples for recommended actions specific to the infrastructure and entities in that sector; and  
    • “Mapping any existing requirements (e.g., regulations or security directives) to the Common Baseline and sector-specific objectives and/or recommended actions so stakeholders can see how their existing compliance practices fulfill certain objectives.  
    • “As there are 16 Critical Infrastructure sectors with varying needs, CISA will be tackling this effort in several phases. The first four sectors CISA is working with include the Energy, Financial Services, IT, and Chemical Sectors. In addition, CISA will be working throughout the year with the Water/Wastewater Sector, Healthcare Sector, and K-12 Subsector on identifying approaches for how organizations in those sectors/subsectors can enhance their cybersecurity posture through the implementation of the existing body of cross-sector goals.”
  • Here is a link to the website for the healthcare sector coordinating council (HSCC), whose work the FEHBlog will begin to track. Surprisingly to the FEHBlog, OPM is not an HSCC member.

From the cybersecurity breaches and vulnerabilities front —

  • Cybersecurity Dive informs us,
    • “Healthcare continues to be the most expensive industry for data breaches, beating out other sectors for the 13th year in a row, according to research conducted by the Ponemon Institute and published by IBM Security.
    • “The average cost of a healthcare data breach reached nearly $11 million in 2023, an increase of 8% from last year and a 53% jump since 2020, the report found. 
    • “Although the healthcare sector faces high levels of industry regulation, expenses accrued from data breaches in the sector were almost double compared to the financial industry, which saw the second-most expensive data breaches at $5.9 million.”
  • Cybersecurity Dive adds
    • “The investigation phase of data breaches is the fastest growing and costliest category of data breach expenses, contributing to the consistent year-over-year increase in costs. Detection and escalation costs jumped almost 10% to nearly $1.6 million per incident, IBM found.
    • “The breadth and depth of incident response investigations are scaling up directly with the overall costs, along with the off tempo of the criminal,” John Dwyer, head of research at IBM Security X-Force, told Cybersecurity Dive.”
  • On a related topic, Cybersecurity Dive lets us know,
    • “Valid account credentials are at the root of most successful threat actor intrusions of critical infrastructure networks and state and local agencies, according to the Cybersecurity and Infrastructure Security Agency.
    • “Valid credential compromise combined with spear-phishing attacks accounted for nearly 90% of infiltrations last year.
    • Valid accounts, including former employee accounts, not removed from the Active Directory and default administrator credentials, were responsible for 54% of all attacks studied in the agency’s annual risk and vulnerability assessment released Wednesday.
    • Spear-phishing links — malware-laced emails sent to targeted individuals — were responsible for 1 in 3 attacks, the report found.
    • The success rate of these techniques underscores the staying power of the most common methods threat actors use to gain initial access to targeted systems.
  • Cyberscoop relates
    • “Apple on Monday issued its third security update in roughly a month to remedy vulnerabilities exploited in Operation Triangulation, a spyware campaign that researchers say specifically targeted iMessage users in Russia. 
    • “The Russian arm of cybersecurity firm Kaspersky on June 1 revealed the details of a zero-click iOS exploit. The company’s researchers said they discovered it while monitoring the company’s own corporate Wi-Fi network dedicated to mobile devices. The findings were released the same day Russia’s Federal Security Service, or FSB, said it had uncovered an American espionage operation targeting Apple devices in Russia in cooperation with Apple. 
    • “Apple told CyberScoop at the time that it had “never worked with any government to insert a backdoor into any Apple product and never will.”
  • Per Cyberscoop,
    • “Executives, researchers and engineers at big tech companies and startups alike working on artificial intelligence face a growing threat from criminal and nation-state hackers looking to pilfer intellectual property or data that underlies powerful chatbots, the FBI warned on Friday.
    • “The growing risk coincides with the increasing availability of AI tools and services to the general public in the form of products such as OpenAI’s ChatGPT, or Google’s Bard, for instance, as well as the increasing ease and ability for many companies to develop AI language models.
    • “The warning comes two days after FBI Director Christopher Wray and Bryan Vorndran, the agency’s assistant director, cyber division, warned about the distinct AI-related threats from China, which political leaders in the U.S. and Europe have long warned wants to dominate all aspects of AI research and implementation.”
  • Per Security Week,
    • “New guidance from the Australian Cyber Security Centre (ACSC), the US Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) warns developers, vendors, and organizations of access control vulnerabilities in web applications.
    • “Described as insecure direct object reference (IDOR) issues, they allow threat actors to read or tamper with sensitive data via application programming interface (API) requests that include the identifier of a valid user.
    • “These requests are successful because the authentication or authorization of the user submitting the request is not properly validated, the three agencies explain.”
  • CISA added an additional known exploited vulnerability to its catalog on July 25, July 26, and July 27, 2023.
  • Yesterday CISA “published three malware analysis reports on malware variants associated with the exploitation of CVE-2023-2868. CVE-2023-2868 is a remote command injection vulnerability affecting Barracuda Email Security Gateway (ESG) Appliance, versions 5.1.3.001-9.2.0.006. It was exploited as a zero-day as early as October 2022 to gain access to ESG appliances. According to industry reporting, the actors exploited the vulnerability to gain initial access to victim systems and then implanted backdoors to establish and maintain persistence.”
  • Also, yesterday, CMS shared its MOVEIt breach notice to Medicare beneficiaries.
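The CISA finding above that valid accounts, including former-employee accounts never removed from Active Directory and unchanged default administrator credentials, were behind 54% of the assessed intrusions is a condition a defender can check for directly. The following audit is an added example, not part of the FEHBlog post or the CISA assessment: it runs over a constructed directory export (the CSV layout, the 90-day and 365-day thresholds, and the list of default administrator names are all assumptions) and flags enabled accounts with no recent logon and built-in administrator accounts whose password has not been rotated.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample of a directory export (not real data). lastLogon and
# passwordLastSet are ISO-8601 UTC; an empty lastLogon means "never".
SAMPLE_EXPORT = """samAccountName,enabled,lastLogon,memberOf,passwordLastSet
jdoe,true,2023-07-20T14:02:00Z,Domain Users,2023-05-01T00:00:00Z
rsmith,true,2022-11-03T09:15:00Z,Domain Users;VPN-Users,2022-10-01T00:00:00Z
svc_backup,true,,Domain Admins,2019-03-12T00:00:00Z
administrator,true,2023-07-25T08:00:00Z,Domain Admins,2019-03-12T00:00:00Z
tlee,false,2021-01-10T10:00:00Z,Domain Users,2020-12-01T00:00:00Z
"""

# Fixed "now" so the audit is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2023, 8, 1, tzinfo=timezone.utc)
STALE_DAYS = 90          # enabled account with no logon in this window: likely a departed user
PASSWORD_AGE_DAYS = 365  # built-in admin with a password older than this: likely default/unrotated
# Built-in / vendor-default administrator names (assumed list; extend per environment).
DEFAULT_ADMIN_NAMES = {"administrator", "admin", "root"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}


def parse_ts(value):
    """Return an aware datetime, or None for an empty field."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_accounts(export_text, now=NOW):
    """Return (account, finding, tier) tuples for enabled accounts matching either condition."""
    stale_cutoff = now - timedelta(days=STALE_DAYS)
    password_cutoff = now - timedelta(days=PASSWORD_AGE_DAYS)
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"].strip().lower() != "true":
            continue  # a disabled account cannot be used for initial access
        name = row["samAccountName"]
        groups = set(row["memberOf"].split(";"))
        tier = "privileged" if groups & PRIVILEGED_GROUPS else "standard"
        last_logon = parse_ts(row["lastLogon"])
        password_set = parse_ts(row["passwordLastSet"])
        if last_logon is None or last_logon < stale_cutoff:
            findings.append((name, "stale-enabled-account", tier))
        if (name.lower() in DEFAULT_ADMIN_NAMES
                and password_set is not None and password_set < password_cutoff):
            findings.append((name, "default-admin-unrotated-password", tier))
    # Privileged findings first, then by account name, so the worklist is actionable.
    findings.sort(key=lambda f: (f[2] != "privileged", f[0]))
    return findings


if __name__ == "__main__":
    for account, finding, tier in audit_accounts(SAMPLE_EXPORT):
        print(f"{tier:10} {finding:34} {account}")
```

On a real domain the export would come from the directory itself (for example a `Get-ADUser` query with `lastLogonTimestamp`, `pwdLastSet` and group membership), and the stale-account finding is the trigger for disabling the account rather than just reporting it.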
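The IDOR guidance from ACSC, CISA and NSA above comes down to one mistake: the application authenticates the caller but then trusts the object identifier in the request without checking that the caller is allowed to touch that object. The following is an added example, not code from the FEHBlog post or the joint advisory; the record store, the session user names, and the server secret are constructed. It shows the vulnerable lookup, the hardened lookup that authorizes the object, and an indirect-reference map so the client never handles raw database ids.

```python
import hashlib
import hmac

# Constructed record store keyed by the database's sequential ids (not real data).
RECORDS = {
    101: {"owner": "alice", "body": "alice: lab results"},
    102: {"owner": "bob", "body": "bob: lab results"},
}
# Constructed server-side secret for minting per-user handles; keep it out of code in practice.
SERVER_SECRET = b"constructed-demo-secret"


class NotAuthorized(Exception):
    """Raised for both 'not yours' and 'does not exist' so ids cannot be enumerated."""


def get_record_vulnerable(session_user, record_id):
    # The caller is authenticated, but the object id taken from the request is
    # trusted as-is: any logged-in user reads any record by changing the number.
    return RECORDS[record_id]["body"]


def get_record_hardened(session_user, record_id):
    # Authorize the object, not just the session: the record must belong to the
    # authenticated principal. One code path, one error, for missing and foreign ids.
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != session_user:
        raise NotAuthorized("record not found")
    return record["body"]


def indirect_ref(session_user, record_id):
    # Indirect reference map: the client receives an opaque per-user handle
    # instead of the raw id, so a handle minted for alice means nothing for bob.
    msg = f"{session_user}:{record_id}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def resolve_ref(session_user, handle):
    # Resolve only among the caller's own records; compare in constant time.
    for record_id, record in RECORDS.items():
        if record["owner"] == session_user and hmac.compare_digest(
            indirect_ref(session_user, record_id), handle
        ):
            return record["body"]
    raise NotAuthorized("record not found")


def is_denied(fn, *args):
    """True if the lookup is refused; used to compare the two implementations."""
    try:
        fn(*args)
    except NotAuthorized:
        return True
    return False


if __name__ == "__main__":
    # bob tampers with the id in the request (/records/101 instead of /records/102)
    print("vulnerable:", get_record_vulnerable("bob", 101))  # alice's data leaks
    print("hardened denies:", is_denied(get_record_hardened, "bob", 101))
    handle = indirect_ref("alice", 101)
    print("alice via handle:", resolve_ref("alice", handle))
    print("bob reusing alice's handle denied:", is_denied(resolve_ref, "bob", handle))
```

The indirect map is a defence in depth, not a substitute for the ownership check: `resolve_ref` still filters on `owner` before comparing handles, so a leaked handle does not become a new IDOR.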

From the ransomware front —

  • HelpNet Security points out that “In Q2 2023, GuidePoint Research and Intelligence Team (GRIT) tracked 1,177 total publicly posted ransomware victims claimed by 41 different threat groups.”
  • Here is a link to yesterday’s The Week in Ransomware from Bleeping Computer.
    • “With ransom payments declining, ransomware gangs are evolving their extortion tactics to utilize new methods to pressure victims.
    • “This was seen by both the Clop and BlackCat/ALPHV ransomware gangs, who began utilizing new tactics as part of their extortion schemes.
    • “Clop has begun to create clear websites to leak data stolen during the MOVEit Transfer attacks, similar to a tactic introduced by ALPHV in 2022.”

From the cybersecurity defenses front —

  • TechRepublic shares cybersecurity defense ideas included in the Ponemon/IBM report.
  • Forbes offers a cybersecurity expert’s view on adopting a new paradigm in cybersecurity stemming from this conundrum:
    • Today, companies that house secure data and information are encountering an accessibility dilemma: On the one hand, they face an increased need for security and privacy of data, particularly as cyber threats become self-generating and more sophisticated. On the other hand, the value in securing assets lies in being able to utilize them, share them, and transact them effectively and efficiently with intended stakeholders so as to improve customer service and attain competitive differentiators. Companies struggle to balance these needs with the imperative to secure these data, particularly in accordance with certain industry standards or digital privacy regulations.

Cybersecurity Saturday

From the cybersecurity breaches and vulnerabilities front —

  • Cybersecurity Dive tells us,
    • “Distributed denial of service attacks surged during the second quarter as criminal and state-linked hacking organizations unleashed a number of sophisticated attacks against critical infrastructure providers and other organizations across the globe, Cloudflare said in a report released Tuesday.  
    • “Experts linked pro-Russia hacktivist groups, including Killnet and Anonymous Sudan, to recent major DDoS attacks against Microsoft and threats against financial centers in the U.S. and Europe. 
    • “Cloudflare research shows a sharp increase in deliberately engineered and targeted DNS attacks.”
  • Health IT Security adds,
    • “Healthcare organizations face an uptick in cyber threats as malicious actors turn to tools like ransomware, artificial intelligence (AI), and Internet of Things (IoT) attacks. These threats are becoming increasingly significant in the dynamic cyber threat landscape, a Trustwave SpiderLabs report revealed.
    • “The report “Cybersecurity in the Healthcare Industry: Actionable Intelligence for an Active Threat Landscape” provides insights and practical strategies to address the specific threats faced by healthcare organizations.”
  • Security Week informed us on July 21, 2023,
    • “Researchers at cloud security startup Wiz have an urgent warning for organizations running Microsoft’s M365 platform: That stolen Microsoft Azure AD enterprise signing key gave Chinese hackers access to data beyond Exchange Online and Outlook.com.
    • “Our researchers concluded that the compromised MSA key could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams, and OneDrive,” Wiz researcher Shir Tamari said in a document posted online.
    • “Tamari said the hackers may have also accessed Microsoft customer applications that support the “login with Microsoft” functionality and multi-tenant applications in certain conditions.”
  • Also per Security Week on July 18, 2023, “At least two new Adobe ColdFusion vulnerabilities have been exploited in the wild, including one that the software giant has not completely patched.”
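The Wiz finding above is about what a relying party does when a token arrives: if it looks up the signing key by `kid` across every key the identity provider has ever published, a valid signature from a key belonging to a different issuer (here, a consumer-account key) is enough to mint tokens for enterprise applications. The following is an added example, not code from the FEHBlog post, Wiz or Microsoft: it uses constructed issuers, keys and audience, and HS256 in place of the RS256 signatures real identity providers use so that it runs on the standard library alone; the check it demonstrates, scoping trusted keys to the expected issuer and validating `iss`, `aud` and `exp`, is the same either way.

```python
import base64
import hashlib
import hmac
import json

# Constructed issuers, audience and keys (not Microsoft's). HS256 stands in for the
# RS256 signatures real identity providers use so the block runs with the stdlib.
ENTERPRISE_ISSUER = "https://login.example.test/tenant-a/"
CONSUMER_ISSUER = "https://login.example.test/consumers/"
AUDIENCE = "api://mail.example.test"
NOW = 1_690_000_000  # fixed clock for reproducibility

# Trusted keys, scoped to the issuer they may sign for.
TRUSTED_KEYS = {
    ENTERPRISE_ISSUER: {"ent-key-1": b"enterprise-signing-key"},
    CONSUMER_ISSUER: {"msa-key-1": b"consumer-signing-key"},
}


class TokenRejected(Exception):
    pass


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(kid, key, claims):
    """Produce an HS256 JWT; whoever holds `key` can call this with any claims."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token, expected_issuer, expected_audience, now=NOW, scope_keys_by_issuer=True):
    """Return the claims if the token is acceptable for this relying party, else raise."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
    except ValueError:
        raise TokenRejected("malformed token")
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    if scope_keys_by_issuer:
        # Correct: only keys published for the issuer we expect may verify this token.
        candidates = TRUSTED_KEYS.get(expected_issuer, {})
    else:
        # Flawed: one merged key set, so any trusted key, including another issuer's, verifies.
        candidates = {kid: k for keys in TRUSTED_KEYS.values() for kid, k in keys.items()}
    key = candidates.get(header.get("kid"))
    if key is None:
        raise TokenRejected("kid not valid for expected issuer")
    expected_sig = hmac.new(key, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise TokenRejected("bad signature")
    if claims.get("iss") != expected_issuer:
        raise TokenRejected("issuer mismatch")
    if claims.get("aud") != expected_audience:
        raise TokenRejected("audience mismatch")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise TokenRejected("expired or missing exp")
    return claims


def accepts(token, expected_issuer, expected_audience, **kwargs):
    """Boolean form of verify_token for comparing the two key-lookup policies."""
    try:
        verify_token(token, expected_issuer, expected_audience, **kwargs)
    except TokenRejected:
        return False
    return True


def forged_enterprise_token():
    """What the holder of the consumer key can do: sign enterprise claims with it."""
    claims = {"iss": ENTERPRISE_ISSUER, "aud": AUDIENCE, "sub": "victim@tenant-a", "exp": NOW + 600}
    return mint_token("msa-key-1", TRUSTED_KEYS[CONSUMER_ISSUER]["msa-key-1"], claims)


def legitimate_enterprise_token():
    claims = {"iss": ENTERPRISE_ISSUER, "aud": AUDIENCE, "sub": "user@tenant-a", "exp": NOW + 600}
    return mint_token("ent-key-1", TRUSTED_KEYS[ENTERPRISE_ISSUER]["ent-key-1"], claims)


if __name__ == "__main__":
    forged, legit = forged_enterprise_token(), legitimate_enterprise_token()
    print("merged key set accepts forged token:",
          accepts(forged, ENTERPRISE_ISSUER, AUDIENCE, scope_keys_by_issuer=False))
    print("issuer-scoped keys accept forged token:", accepts(forged, ENTERPRISE_ISSUER, AUDIENCE))
    print("issuer-scoped keys accept legitimate token:", accepts(legit, ENTERPRISE_ISSUER, AUDIENCE))
```

The `iss` claim on its own is no defence, since the attacker writes the claims before signing; what stops the forged token is refusing to consult the consumer key at all when the application expects an enterprise issuer.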

From the ransomware front —

  • Cyberscoop interviews an FBI official about how the agency fights ransomware.
  • The FEHBlog welcomes back Bleeping Computer’s Week in Ransomware after two weeks away. This week’s article covers news from July 8 forward.

From the cybersecurity defenses front —

  • CISA explains how to take the first steps toward better cybersecurity.
  • What’s more, CISA “has developed and published a factsheet, Free Tools for Cloud Environments, to help businesses transition into a cloud environment and identify proper tools and techniques necessary for the protection of critical assets and data security. Free Tools for Cloud Environments provides network defenders and incident response/analysts open-source tools, methods, and guidance for identifying, mitigating, and detecting cyber threats, known vulnerabilities, and anomalies while operating a cloud or hybrid environment.” 
  • HHS’s Health Sector Cybersecurity Coordination Center (HC3) on July 18, 2023, informed us about patches available for Critical and High Netscaler ADC (Citrix ADC) and Netscaler Gateway (Citrix Gateway) vulnerabilities.
  • HC3 also issued an analyst note on July 21, 2023, about Remote Identity Management.
    • “Identity theft is not limited to stolen medical records, social security numbers, and financial data. Threat actors can also target institutions by capitalizing on gaps in user access protocols, hiring processes, and mitigation capabilities to conceal some aspect of their identity and attention. Identity verification, fraud detection and user authentication are imperative when implementing a robust Identity and Access Management (IAM) program.”
  • Security Week looks into improving security awareness training for employees.
  • ISACA explains how to build cybersecurity resilience throughout an organization.

Cybersecurity Saturday

From the cybersecurity policy front —

  • Homeland Security Today reports
    • “This week, U.S. Senators Gary Peters (D-MI), Chairman of the Homeland Security and Governmental Affairs Committee, and Josh Hawley (R-MO), along with U.S. Representatives James Comer (R-KY) and Jamie Raskin (D-MD), Chairman and Ranking Member of the Committee on Oversight and Accountability, and Nancy Mace (R-SC) and Gerald E. Connolly (D-VA), Chairwoman and Ranking Member of the Subcommittee on Cybersecurity, Information Technology, and Government Innovation, introduced bicameral, bipartisan legislation to protect federal information technology systems. 
    • “The Federal Information Security Modernization Act (FISMA) of 2023 would improve coordination across the federal government to help civilian federal agencies and contractors protect their networks against cybersecurity threats. It also clarifies roles and responsibilities for key agencies that lead federal information security policy and operations.”
  • Cybersecurity Dive tells us,
    • The Biden administration released its implementation plan for the national cybersecurity strategy Thursday, delegating cyber initiatives to a smattering of government agencies.
    • The plan, which is designed to guide the government’s completion of the national cybersecurity strategy, comes four months after the policy blueprint was unveiled.
    • “If the strategy represents the president’s vision for the future, then this implementation plan is the roadmap to get there,” Kemba Walden, acting national cyber director, said Wednesday during a press briefing.
    • “Fundamentally, we are publishing this plan because we will only achieve our goals with a whole-of-society approach,” Walden said. * * *
    • The 57-page document divides the five pillars and 27 objectives of the national cybersecurity plan into a broader series of initiatives.
    • While the implementation plan calls for the majority of initiatives to be completed before the end of fiscal year 2024, 11 are slated to be done in FY23, which closes at the end of September.
  • Cyberscoop adds
    • “As a concept, I generally like the idea of pushing to try and harmonize regulations. There are so many different regulations for different sectors out there that it can be a little bit confusing for owner-operators,” said Will Loomis, associate director of the Atlantic Council’s Cyber Statecraft Initiative.
    • “In pushing for one big set of regulation for all critical infrastructure, you kind of risk missing a lot of the nuance that exists in the differentiation and the realities of different critical infrastructure sectors,” Loomis said.
    • “And as the U.S. government works to assess the scope of the Chinese hacking campaign that utilized a flaw in Microsoft’s cloud computing systems, Loomis said he was disappointed that the implementation plan did not look more closely at cloud security.”
  • The Wall Street Journal points out,
    • “The hack of email accounts of senior U.S. officials including the commerce secretary is the latest feat from a network of Chinese state-backed hackers whose leap in sophistication has alarmed U.S. cybersecurity officials. 
    • “The espionage was aimed at a limited number of high-value U.S. government and corporate targets. Though the number of victims appeared to be small, the attack—and others unearthed in the past few months linked to China—demonstrated a new level of skill from Beijing’s large hacker army and prompted concerns that the extent of its infiltration into U.S. government and corporate networks is far greater than currently known.”
  • In sum, crafting an effective cybersecurity strategy is a tall order.

From the cybersecurity vulnerabilities and breaches front —

  • Bleeping Computer reported on July 11,
    • “HCA Healthcare disclosed a data breach impacting an estimated 11 million patients who received care at one of its hospitals and clinics after a threat actor leaked samples of the stolen data on a hacking forum.
    • “HCA Healthcare is one of America’s largest healthcare facility owners and operators, with 182 hospitals and 2,200 care centers across 21 U.S. states and the United Kingdom.
    • “As first reported by DataBreaches.net, on July 5th, 2023, a threat actor began selling data allegedly belonging to HCA Healthcare on a forum used to sell and leak stolen data. This forum post includes samples of the stolen database, which they claim consists of 17 files and 27.7 million database records.
    • “The threat actor claims that the stolen data consists of patient records created between 2021 and 2023.
    • “The threat actor initially did not offer the database for sale but instead used the post to blackmail HCA Healthcare, giving them until July 10th to “meet the demands.” This is likely related to financial demands, although it wasn’t explicitly mentioned.
    • “However, after not receiving a response from HCA, the hacker began selling the full database, with other threat actors expressing interest in purchasing the data.”
  • Cybersecurity Dive offers an update on the slow-moving MOVEit file transfer disasters.
    • “More than 300 organizations have been impacted by Clop’s mass exploitation of a zero-day vulnerability that Progress Software first disclosed in late May, according to threat analysts and researchers. Five additional vulnerabilities in the file-transfer service have subsequently been discovered.”
  • Speaking of zero-day vulnerabilities, Security Week reported on July 11
    • “In an unusual move, Microsoft documented “a series of remote code execution vulnerabilities” impacting Windows and Office users and confirmed it was investigating multiple reports of targeted code execution attacks using Microsoft Office documents.
    • “Redmond’s security response pros tagged the unpatched Office flaws with the CVE-2023-36884 identifier and hinted that an out-of-band patch may be released before next month’s Patch Tuesday.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) added five known exploited vulnerabilities to its catalog on July 11 and two more on July 13.
  • HHS’s Health Sector Cybersecurity Coordination Center released its report on June Vulnerabilities of Interest to the Health Sector.
    • “In June 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for June are from Microsoft, Google/Android, Apple, Mozilla, SAP, Cisco, Fortinet, VMWare, and MOVEit. A vulnerability is given the classification as a zero-day if it is actively exploited with no fix available or is publicly disclosed. HC3 recommends patching all vulnerabilities with special consideration to the risk management posture of the organization.”
  • HC3 also posted a PowerPoint titled “Artificial Intelligence, Cybersecurity and the Health Sector.”
  • Health IT Security points out
    • The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) issued a new publication entitled “Health Industry Cybersecurity Coordinated Healthcare Incident Response (HIC-CHIRP).”
    • HIC-CHIRP provides healthcare organizations with a template for navigating a coordinated incident response when faced with disruptive cyber incidents. Specifically, the publication seeks to address healthcare-specific gaps in existing incident response resources.

In ransomware news,

  • Bleeping Computer lets us know,
    • “Data from the first half of the year indicates that ransomware activity is on track to break previous records, seeing a rise in the number of payments, both big and small.
    • “According to a report by blockchain analysis firm Chainalysis, ransomware is the only cryptocurrency crime category seeing a rise this year, with all others, including hacks, scams, malware, abuse material sales, fraud shops, and darknet market revenue, recording a steep decline.”

From the cybersecurity defenses front —

  • CSO Online shares best practices for an effective cybersecurity strategy.
  • TechRepublic discusses Gartner’s 2023-24 cybersecurity outlook.
  • Forbes offers twenty cybersecurity training tips designed to make the training “stick.”

Cybersecurity Saturday

From the cybersecurity breaches and vulnerabilities front —

  • Cybersecurity Dive informed us on July 5,
    • “The widely exploited vulnerability in Progress Software’s MOVEit file transfer service has impacted nearly 200 organizations, according to Brett Callow, a threat analyst at Emsisoft.
    • “The scope of damage caused by Clop’s mass exploit of a zero-day vulnerability in MOVEit continues to snowball as third-party vendors expose multiple downstream victims. Progress discovered the zero-day over Memorial Day weekend on May 28.
    • “Despite the number of victims so far, experts anticipate more will come forward. “While many organizations have made a disclosure, a significant number have yet to do so,” Callow said via email.
    • “Progress on Wednesday released another update, including security fixes, and said it will consistently release MOVEit product updates every two months going forward.”
  • Here is a Cybersecurity and Infrastructure Security Agency (CISA) link about the Progress Software MOVEit patch.
  • CISA added another known exploited vulnerability yesterday.
  • On July 6, CISA issued a “Joint Cybersecurity Advisory on Newly Identified Truebot Malware Variants.”
    • “The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigations (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) released a joint Cybersecurity Advisory (CSA), Increased Truebot Activity Infects U.S. and Canada Based Networks, to help organizations detect and protect against newly identified Truebot malware variants. Based on confirmation from open-source reporting and analytical findings of Truebot variants, the four organizations assess cyber threat actors leveraged the malware through phishing campaigns containing malicious redirect hyperlinks.
    • “Additionally, newer versions of Truebot malware allow malicious actors to gain initial access by exploiting a known vulnerability with the Netwrix Auditor application (CVE-2022-31199). As recently as May 2023, cyber threat actors used this common vulnerability and exposure to deliver new Truebot malware variants and to collect and exfiltrate information against organizations in the U.S. and Canada.
    • “CISA, FBI, MS-ISAC, and the CCCS encourage all organizations to review this joint advisory and implement the recommended mitigations contained therein—including applying patches to CVE-2022-31199, to reduce the likelihood and impact of Truebot activity, as well as other ransomware-related incidents.” 
  • Bleeping Computer reports
    • “CISA ordered federal agencies today to patch a high-severity Arm Mali GPU kernel driver privilege escalation flaw added to its list of actively exploited vulnerabilities and addressed with this month’s Android security updates.
    • “The flaw (tracked as CVE-2021-29256) is a use-after-free weakness that can let attackers escalate to root privileges or gain access to sensitive information on targeted Android devices by allowing improper operations on GPU memory.
    • “A non-privileged User can make improper operations on GPU memory to gain access to already freed memory and may be able to gain root privilege, and/or disclose information,” Arm’s advisory reads.”
  • and
    • “Security researchers have dissected a recently emerged ransomware strain named ‘Big Head’ that may be spreading through malvertising that promotes fake Windows updates and Microsoft Word installers.
    • “Two samples of the malware have been analyzed before by cybersecurity company Fortinet, who looked at the infection vector and how the malware executes.
    • “Today [July 8], Trend Micro published a technical report on Big Head claiming that both variants and a third they sampled originate from a single operator who is likely experimenting with different approaches to optimize their attacks.”
  • Cybersecurity Dive points out
    • “More than two-thirds of Fortinet’s FortiGate firewalls remain at risk of exploits through a vulnerability the company disclosed on June 12, according to research Bishop Fox released Friday.
    • “Researchers at Bishop Fox, an offensive security testing firm, identified 490,000 affected SSL VPN interfaces exposed to the internet and determined 69%, around 338,000, of those FortiGate firewalls are unpatched.
    • “The heap-based overflow vulnerability, CVE-2023-27997, could allow a remote attacker to execute arbitrary code or commands and has a CVSS score of 9.8 out of 10.”
  • ISACA warns us
    • “In the US, the FBI and FCC recently warned that free USB charging stations in public spaces, such as airports, hotels, hospitals, business buildings and any other type of publicly available location, can have devices hidden within them to steal data, spread malware and commit other malicious activities broadly referenced as juice jacking. The term “juice jacking” started being used several years ago to mean that while individuals were using USB charging ports to charge (or “juice”) their phones, they were also having their data hijacked (“jacked”) through malicious, unnoticed skimming tech. I actually started covering this risk at a few onsite security and privacy training courses in 2010, when I first became aware of what was then an emerging new threat from a business friend, an electrical engineer, who I think may have invented what was the first juice jack blocker, a data blocker for USB ports.
    • “The malicious USB charging connection not only gives access to the phone apps and data, but it creates a connection to all the networks that the phone is connected to that do not have active access controls and blocks established when the phone was connected to the USB charger. So, malicious USB charging ports, cables and possibly other components of the public charging stations can also be used to plant ransomware, keystroke loggers and other types of malware, GPS tracking and audio eavesdropping. They can also take control of the device being charged. All these malicious activities can occur not only on the device being charged (phone, laptop, tablet, etc.) but also on devices and network components within those other connected networks.”
  • The FEHBlog notes the ISACA article offers the following suggestions plus policy advice
    • “Juice jack blockers attach to the end of your USB cable to protect against skimmers when you charge your devices in public places. This is not as bulky as hauling around most portable chargers and extra cables. I’ve purchased USB juice jack blockers for as low as two for US$12. They’re small and easily fit in a pocket without any bulkiness.
    • “It’s also a good idea to travel with personal charging devices. While not as small as juice jack blockers, they have become much smaller, with much more power, and less expensive in recent years. They limit the need to use public chargers at all.
    • “Ideally, it would be best to make sure only non-data power-only ports and cables are used in public areas. However, most cables are built to support data transfer, and there is not an easy way for most folks to visually tell whether a cable is charge-only.”

From the cybersecurity defenses front —

  • Cybersecurity Dive discusses “the role for AI in cybersecurity; generative AI can be an ally for new security professionals. For more seasoned security analysts, it can offer time to refine their skills through automation of repetitive tasks.” Check it out.

Cybersecurity Saturday

From the cybersecurity policy front

  • Cybersecurity Dive reports
    • “The White House outlined its cybersecurity budget priorities for fiscal year 2025 in a memorandum sent to executive departments and agencies Tuesday.
    • “The Biden administration is looking to connect cybersecurity investments to the five pillars of the national cybersecurity strategy it released in early March, the document shows.
    • “The letter, signed by Acting National Cyber Director Kemba Walden and Office of Management and Budget Director Shalanda Young, advises federal agencies to prioritize spending on critical infrastructure defense, disrupting and dismantling threat actors, software that is secure by design, resiliency and international partnerships. * * *
    • “Agencies that bear responsibility for disrupting ransomware are advised to submit budgets that prioritize staff resources to investigate ransomware, disrupt ransomware infrastructure and participate in interagency task forces focused on cybercrime.”
  • The Government Accountability Office issued a report on launching and implementing the national cybersecurity strategy.
    • “Federal agency information systems and national critical infrastructure are vulnerable to cyberattacks.
    • “This Snapshot covers the status of the National Cybersecurity Strategy. The strategy’s goals and strategic objectives provide a good foundation, but the Administration needs to establish specific objectives and performance measures, resource requirements, and roles and responsibilities.
    • “It will be difficult to implement the strategy when the specific details have yet to be issued. The continued vacancy in the role of National Cyber Director is also a challenge.”

From the cybersecurity vulnerabilities and breaches front —

  • Health IT Security breaks down the breach reports submitted to the HHS portal in the first six months of 2023.
    • “HealthITSecurity has compiled a list of the top ten biggest healthcare data breaches reported to the HHS Office for Civil Rights (OCR) data breach portal this year as of late June 2023, based on the number of individuals impacted for each event. It is important to note that this list refers to breaches reported to OCR in 2023, but a few occurred in 2022 or earlier.
    • “Some of the biggest breaches so far this year stemmed from known cybersecurity vulnerabilities in Fortra’s GoAnywhere managed file transfer (MFT) solution and attacks on other third-party vendors, while others involved direct cyberattacks against healthcare organizations.”
  • Cybersecurity Dive tells us
    • “Fallout from Clop’s mass exploit of a zero-day vulnerability in Progress Software’s MOVEit file transfer service continues to ensnare additional victims. The prolific ransomware actor is listing new compromised systems on its leak site daily and some organizations are still disclosing breaches.
    • “At least 108 organizations, including seven U.S. universities, have been listed by Clop or disclosed as having been impacted thus far, according to Brett Callow, threat analyst at Emsisoft.
    • “The University of California, Los Angeles, is the latest organization to disclose a breach of its MOVEit platform. The school’s IT security team discovered malicious activity on June 1, a spokesperson told Cybersecurity Dive. * * *
    • “Organizations are disclosing breaches weeks after Progress first acknowledged the MOVEit vulnerability and cybersecurity experts warned about mass exploits. Two additional vulnerabilities in the file-transfer service have subsequently been discovered. * * *
    • “Some organizations have been impacted due to their direct use of MOVEit while others have been exposed as a result of third-party vendors’ use of the file transfer service, including PBI Research Services and Zellis.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) informs us
    • “The Homeland Security Systems Engineering and Development Institute, sponsored by the Department of Homeland Security and operated by MITRE, has released the 2023 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses. The CWE Top 25 is calculated by analyzing public vulnerability data in the National Vulnerability Database (NVD) for root cause mappings to CWE weaknesses for the previous two calendar years. These weaknesses lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, steal data, or prevent applications from working.
    • “The 2023 CWE Top 25 also incorporates updated weakness data for recent CVE records in the dataset that are part of CISA’s Known Exploited Vulnerabilities Catalog (KEV)
    • “CISA encourages developers and product security response teams to review the CWE Top 25 and evaluate recommended mitigations to determine those most suitable to adopt. Over the coming weeks, the CWE program will be publishing a series of further articles on the CWE Top 25 methodology, vulnerability mapping trends, and other useful information that help illustrate how vulnerability management plays an important role in Shifting the Balance of Cybersecurity Risk.”
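A small implementation of that calculation over a constructed CVE dataset, added here as an example (not CISA's or MITRE's code): it keeps only records inside the two-year window, scores each root-cause CWE as min-max normalised frequency times min-max normalised average CVSS, the formula MITRE published for earlier Top 25 lists (an assumption, since the page does not restate it), and carries a KEV count alongside each weakness. The CVE ids and scores in the sample are placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass

# Scoring follows MITRE's published Top 25 formula for earlier lists
# (assumption; the page does not restate it): Fr and Sv are min-max
# normalised frequency and average CVSS, and Score = Fr * Sv * 100.

@dataclass(frozen=True)
class CveRecord:
    cve_id: str            # constructed placeholder ids, not real CVEs
    year: int
    cwe: str               # root-cause CWE mapping for the record
    cvss: float            # CVSS base score, 0-10
    in_kev: bool = False   # listed in CISA's KEV catalog

def rank_cwes(records, years):
    """Return [(cwe, score, kev_count)], highest score first, for the window."""
    cvss_by_cwe, kev_by_cwe = defaultdict(list), defaultdict(int)
    for r in records:
        if r.year not in years:        # only the chosen calendar years count
            continue
        cvss_by_cwe[r.cwe].append(r.cvss)
        kev_by_cwe[r.cwe] += int(r.in_kev)
    if not cvss_by_cwe:
        return []
    counts = {c: len(v) for c, v in cvss_by_cwe.items()}
    avgs = {c: sum(v) / len(v) for c, v in cvss_by_cwe.items()}

    def norm(x, values):
        lo, hi = min(values), max(values)
        return 1.0 if hi == lo else (x - lo) / (hi - lo)  # single-CWE guard

    ranked = [(c, round(norm(counts[c], counts.values()) *
                        norm(avgs[c], avgs.values()) * 100, 2), kev_by_cwe[c])
              for c in cvss_by_cwe]
    # Quirk of the formula: the least frequent CWE scores 0 even when every
    # one of its CVEs is critical, and the least severe CWE scores 0 too.
    return sorted(ranked, key=lambda t: (-t[1], t[0]))

# Constructed sample spanning three years; the 2020 record falls outside
# a 2021-2022 window and must not influence the ranking.
SAMPLE = [
    CveRecord("CVE-XXXX-0001", 2021, "CWE-787", 9.8, True),
    CveRecord("CVE-XXXX-0002", 2021, "CWE-787", 8.8),
    CveRecord("CVE-XXXX-0003", 2022, "CWE-787", 7.5),
    CveRecord("CVE-XXXX-0004", 2022, "CWE-79", 6.1),
    CveRecord("CVE-XXXX-0005", 2022, "CWE-79", 5.4),
    CveRecord("CVE-XXXX-0006", 2022, "CWE-79", 6.1),
    CveRecord("CVE-XXXX-0007", 2021, "CWE-89", 9.8, True),
    CveRecord("CVE-XXXX-0008", 2020, "CWE-89", 9.8),
]
```

Running `rank_cwes(SAMPLE, {2021, 2022})` ranks CWE-787 first; CWE-89 scores 0 despite a 9.8 CVSS because it is the least frequent weakness in the window, which is why a KEV count is worth showing next to the score.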
  • On June 29, 2023, CISA added eight known exploited vulnerabilities to its Catalog.
  • The Cybersecurity and Infrastructure Security Agency advises us
    • “CISA is aware of open-source reporting of targeted denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks against multiple organizations in multiple sectors. These attacks can cost an organization time and money and may impose reputational costs while resources and services are inaccessible.
    • “If you think you or your business is experiencing a DoS or DDoS attack, it is important to contact the appropriate technical professionals for assistance.
    • “Contact your network administrator to confirm whether the service outage is due to maintenance or an in-house network issue. Network administrators can also monitor network traffic to confirm the presence of an attack, identify the source, and mitigate the situation by applying firewall rules and possibly rerouting traffic through a DoS protection service.
    • “Contact your internet service provider to ask if there is an outage on their end or if their network is the target of an attack and you are an indirect victim. They may be able to advise you on an appropriate course of action.
    • “Organizations can take proactive steps to reduce the effects of an attack—See the following guidance for more information:

From the ransomware front, here is a link to Bleeping Computer’s The Week in Ransomware.

From the cybersecurity defenses front —

  • Venture Beat reports
    • “Forrester’s recent report, The State of Cloud in Healthcare, 2023, provides an insightful look at how healthcare providers are fast-tracking their cloud adoption with the hope of getting cybersecurity under control. Eighty-eight percent of global healthcare decision-makers have adopted public cloud platforms, and 59% are adopting Kubernetes to ensure higher availability for their core enterprise systems. On average, healthcare providers spend $9.5 million annually across all public cloud platforms they’ve integrated into their tech stacks. It’s proving effective — to a point.
    • “What’s needed is for healthcare providers to double down on zero trust, first going all-in on identity access management (IAM) and endpoint security. The most insightful part of the Forrester report is the evidence it provides that continuing developments from Amazon Web Services, Google Cloud Platform, Microsoft Azure and IBM Cloud are hitting the mark with healthcare providers. Their combined efforts to prove cloud platforms are more secure than legacy network servers are resonating.”
  • CISA released cloud services guidance and resources.
  • Cybersecurity Dive points out that “Long before a data breach, well-prepared companies set up incident response teams with workers from multiple departments.”