Cybersecurity Saturday

From the cybersecurity policy front —

  • Nextgov reports,
    • “Cybersecurity experts are warning that a potential cyber leadership vacuum in the federal government may prevent agencies from recovering and responding to a sprawling ransomware attack that has already exposed millions of Americans’ personal data.
    • “A senior official with the Cybersecurity and Infrastructure Security Agency confirmed on a call with reporters last week that several federal civilian agencies were among the victims in a widespread cyberattack that exploited a vulnerability discovered in the popular MOVEit file-transfer product developed by Progress Software. The attack is believed to have been carried out by CL0p, a Russian-linked ransomware gang otherwise known as TA505. Since the news of the global attack was first reported, a variety of federal and state agencies, banks and private sector organizations also confirmed they were victims and that data may have been stolen from millions of customers.
    • “The Office of the National Cyber Director was established under the National Defense Authorization Act for fiscal year 2021 in large part to provide coordination and guidance across the federal government on cybersecurity matters, including incident response and crisis management. Chris Inglis, the first-ever Senate-confirmed national cyber director, stepped down in February after helping to develop the new national cyber strategy released earlier this year. President Joe Biden has not yet nominated a replacement to fill the post.” 
  • Cybersecurity Dive adds,
    • “The U.S. State Department is offering a $10 million bounty related to information on the Clop ransomware gang, which is attributed to broad exploits of the MOVEit transfer vulnerabilities with victims that include federal agencies.  
    • “The Department of Energy confirmed data was impacted by an attack, and reports from CNN indicate a possible attack is being investigated against the Office of Personnel Management. The U.S. Department of Agriculture is also dealing with a third-party vendor data breach.” 
  • Cyberscoop tells us,
    • “The Department of Justice established a cyber-focused section within its National Security Division to combat the full range of digital crimes, a top department official said Tuesday.
    • “The National Security Cyber Section — NatSec Cyber, for short — has been approved by Congress and will elevate cyberthreats to “equal footing” with other major national security issues, including counterterrorism and counterintelligence, Assistant Attorney General for National Security Matt Olsen said in remarks at the Hoover Institution in Washington. 
    • “The new section enables the agency to “increase the scale and speed of disruption campaigns and prosecutions of nation-state cyberthreats as well as state-sponsored cybercriminals, associated money launderers, and other cyber-enabled threats to national security,” Olsen said. 
    • “The NatSec Cyber Center arrives at a time of growing concern about nation-state cyberattacks especially originating from Russia and China. Last week, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, warned Americans to be prepared for a major Chinese cyberattack. “This, I think, is the real threat that we need to be prepared for, and to focus on, and to build resilience against,” she said at an event in Washington.”
  • The Cybersecurity and Infrastructure Security Agency shares a “Readout from CISA’s 2023 Second Quarter Cybersecurity Advisory Committee Meeting.”
  • The National Institute of Standards and Technology announced on June 22, 2023,
    • “U.S. Secretary of Commerce Gina Raimondo announced that the National Institute of Standards and Technology (NIST) is launching a new public working group on artificial intelligence (AI) that will build on the success of the NIST AI Risk Management Framework to address this rapidly advancing technology. The Public Working Group on Generative AI will help address the opportunities and challenges associated with AI that can generate content, such as code, text, images, videos and music. The public working group will also help NIST develop key guidance to help organizations address the special risks associated with generative AI technologies. The announcement comes on the heels of a meeting President Biden convened earlier this week with leading AI experts and researchers in San Francisco, as part of the Biden-Harris administration’s commitment to seizing the opportunities and managing the risks posed by AI. * * *
    • “[Also on June 22], the National Artificial Intelligence Advisory Committee delivered its first report to the president and identified areas of focus for the committee for the next two years. The full report, including all of its recommendations, is available on the AI.gov website.
    • “Questions about the public working group or NIST’s other work relating to generative AI may be sent to: generativeAI@nist.gov

From the cybersecurity vulnerabilities and breaches front —

  • Cybersecurity Dive offers details on the MOVEit file transfer program vulnerability and resulting breaches.
    • “Big names disclose MOVEit-related breaches, including PwC, EY and Genworth Financial
    • “More than 100 organizations have been hit as part of the MOVEit attack campaign, including PBI Research Services, which exposed millions of customer data files to theft.”
  • Cyberscoop informs us,
    • “Apple issued a security update on Wednesday for all its operating systems to patch dangerous vulnerabilities that could allow attackers to take over someone’s entire device. 
    • “The vulnerabilities in question, first revealed on June 1, appeared to have led the main Russian intelligence agency to make unusually public claims that Apple intentionally left the flaws in its iOS so the National Security Agency and other U.S. entities could compromise “thousands” of iPhones in Russia. Apple has denied those claims.
    • “The charges from the Federal Security Service, or FSB, came the same day that researchers with cybersecurity firm Kaspersky published a report detailing what they said was an “ongoing” zero-click iMessage exploit campaign dubbed “Operation Triangulation” targeting iOS that allowed attackers to run code on phones with root privileges, among other capabilities. Kaspersky published an additional analysis Wednesday, saying that after roughly six months of collecting and analyzing the data, “we have finished analyzing the spyware implant and are ready to share the details.”
  • HHS’s healthcare sector cybersecurity coordination center (HC3) issued an analyst note on “SEO poisoning.”
    • Search engine optimization (SEO) poisoning, considered a type of malvertising (malicious advertising), is a technique used by threat actors to increase the prominence of their malicious websites, making them look more authentic to consumers. SEO poisoning tricks the human mind, which naturally assumes the top hits are the most credible, and is very effective when people fail to look closely at their search results. This can lead to credential theft, malware infections, and financial losses. As more organizations utilize search engines and healthcare continues to digitally transform, SEO poisoning is becoming a larger security threat. HC3 has observed this attack method being used recently and frequently against the U.S. Healthcare and Public Health (HPH) sector.
  • Security Week relates,
    • “The National Security Agency (NSA) has published technical mitigation guidance to help organizations harden systems against BlackLotus UEFI bootkit infections.
    • “The NSA’s recommendations provide a blueprint for defenders to protect systems from BlackLotus, a stealthy malware that emerged on underground forums in late 2022 with capabilities that include user access control (UAC) and secure boot bypass, unsigned driver loading, and prolonged persistence.”
  • This week, CISA added six and then five more known exploited vulnerabilities to its catalog.

From the ransomware front, here is the link to Bleeping Computer’s The Week in Ransomware.

From the cybersecurity defenses front —

  • Health IT Security points out,
    • Cyber resilience is crucial to business continuity amid a cyber incident, as it ensures that systems can recover quickly. As such, it is no surprise that cyber resilience would be top-of-mind for organizations undergoing a digital transformation.  
    • “In Accenture’s new “State of Cybersecurity Resilience 2023” report, researchers exemplified the benefits of cyber resilience by identifying a group of companies that it calls “cyber transformers.”
    • “Cyber transformers, according to Accenture, “strike a balance between excelling at cyber resilience and aligning with the business strategy to achieve better business outcomes.”
  • NIST announced
    • “NIST’s IoT cybersecurity guidance has long recognized the importance of secure software development (SSDF) practices, highlighted by the NIST IR 8259 series—such as the recommendation for documentation in Action 3.d of NIST IR 8259B, that manufacturers have considered and documented their “secure software development and supply chain practices used.” The NIST SSDF (NIST SP 800-218) describes software development practices that can aid manufacturers in developing IoT products by providing guidance for the secure development of software and firmware. These development practices can also provide assurance to customers regarding how those products were developed and how the manufacturer will support them. When used together, NIST’s SSDF and IoT cybersecurity guidance help manufacturers design and deliver more secure IoT products to customers.”

Cybersecurity Saturday

From the cybersecurity policy front, the Wall Street Journal offers its quarterly cyber regulations update for June 2023.

From the cybersecurity vulnerabilities and breaches front —

  • On June 16, HHS’s health sector Cybersecurity Coordination Center (HC3) announced
    • “On May 31, 2023, Progress Software (formerly IPSwitch) published a notification disclosing that a critical vulnerability exists in their MOVEit Transfer software, which could result in unauthorized access and privilege escalation. The vulnerability is a SQL injection flaw that allows for escalated privileges and potential unauthorized access. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content. As of June 15, 2023, the vulnerability has been serialized with two separate CVEs: CVE-2023-35708 and CVE-2023-35036. The updates can be found on the Progress Security Center webpage.”
  • HC3 also released its May 2023 Cybersecurity Vulnerabilities Bulletin.
  • The Cybersecurity and Infrastructure Security Agency (CISA) added one more known exploited vulnerability to its catalog.
  • Health IT Security reports
    • “Johns Hopkins University and Johns Hopkins Health are actively investigating a cyberattack and data breach that occurred on May 31. Johns Hopkins said that the attack involved a “widely used software tool” and impacted “thousands of other large organizations across the world.”
    • “While the notice does not explicitly mention MOVEit, the timeline of the attack lines up with the discovery of a critical vulnerability in Progress Software’s MOVEit Transfer software, a widely used software tool.
    • “As previously reported, Clop ransomware has taken a special interest in this vulnerability and began exploiting the previously unknown SQL injection vulnerability on May 27.”
  • The Associated Press adds
    • “The Department of Energy and several other federal agencies were compromised in a Russian cyber-extortion gang’s global hack of a file-transfer program popular with corporations and governments [MOVEit], but the impact was not expected to be great, Homeland Security officials said Thursday.
    • “But for others among what could be hundreds of victims from industry to higher education — including patrons of at least two state motor vehicle agencies — the hack was beginning to show some serious impacts. 
    • “Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, told reporters that unlike the meticulous, stealthy SolarWinds hacking campaign attributed to state-backed Russian intelligence agents that was months in the making, this campaign was short, relatively superficial and caught quickly. 
    • “Based on discussions we have had with industry partners … these intrusions are not being leveraged to gain broader access, to gain persistence into targeted systems, or to steal specific high value information— in sum, as we understand it, this attack is largely an opportunistic one,” Easterly said.”

From the cybersecurity threat actors front —

  • HC3 issued a threat actor profile on FIN11
    • “FIN11 is a cybercriminal group that has been active since at least 2016, originating from the Commonwealth of Independent States (CIS). While the group has historically been associated with widespread phishing campaigns, the group has shifted towards other initial access vectors. FIN11 often runs high-volume operations mainly targeting companies in various industries in North America and Europe for data theft and ransomware deployment, primarily leveraging CL0P (aka CLOP). The group has targeted pharmaceutical companies and other health care targets during the COVID-19 pandemic and continues to target the health sector. The group is behind multiple high-profile, widespread intrusion campaigns leveraging zero-day vulnerabilities. It is likely that FIN11 has access to the networks of far more organizations than they are able to successfully monetize, and choose if exploitation is worth the effort based on the location of the victim, their geographical location, and their security posture. This Threat Actor Profile provides information associated with FIN11, including recent campaigns, associated malware, CVEs exploited, and TTPs.”
  • HHS’s Administration for Strategic Preparedness and Response released a TimisoaraHackerTeam analysis.
  • On June 13, “CISA, the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and international partners released Understanding Ransomware Threat Actors: LockBit, a joint Cybersecurity Advisory (CSA) to help organizations understand and defend against threat actors using LockBit, the most globally used and prolific Ransomware-as-a-Service (RaaS) in 2022 and 2023. This guide is a comprehensive resource detailing the observed common vulnerabilities and exposures (CVEs) exploited, as well as the tools, and tactics, techniques, and procedures (TTPs) used by LockBit affiliates. Additionally, it includes recommended mitigations to help reduce the likelihood and impact of future ransomware incidents.”
  • On June 15 Cybersecurity Dive reported
    • “A suspected threat actor affiliated with China is exploiting a subset of compromised Barracuda Email Security Gateway SG devices to launch a widespread espionage campaign in support of the People’s Republic of China, according to a report released Thursday by Mandiant. 
    • “The threat actor, tracked as UNC4841, has been sending emails with malicious attachments since October 2022, in order to exploit the zero-day vulnerability disclosed in May. The hackers used a variety of custom malware to maintain a presence in targeted systems, and most of the exploitation took place in the Americas.
    • “This is the broadest cyber espionage campaign known to be conducted by a China-nexus threat actor since the mass exploitation of Microsoft Exchange in 2021,” Charles Carmakal, CTO of Mandiant Consulting, Google Cloud said in a statement. “In the Barracuda instance, the threat actor compromised email security appliances of hundreds of organizations.”

From the ransomware front, we have the latest Week in Ransomware from the Bleeping Computer.

From the cybersecurity defenses front

  • Cybersecurity Dive tells us “LastPass CEO reflects on lessons learned, regrets and moving forward from a cyberattack; Karim Toubba is ready to talk nearly a year after LastPass suffered a cyberattack that became one of the biggest security blunders of 2022.”
  • On June 13,
    • “The Cybersecurity and Infrastructure Security Agency (CISA) today issued Binding Operational Directive (BOD) 23-02, Mitigating the Risk from Internet-Exposed Management Interfaces, which requires federal civilian agencies to remove specific networked management interfaces from the public-facing internet or implement Zero Trust Architecture capabilities that enforce access control to the interface within 14 days of discovery.
    • “Recent threat campaigns underscore the grave risk to the federal enterprise posed by improperly configured network devices. As part of CISA and the broad U.S. government’s effort to move the federal civilian enterprise to a more defensible posture, this Directive will further reduce the attack surface of the federal government networks.”
  • On June 14,
    • CISA, together with the National Security Agency (NSA), released a Cybersecurity Information Sheet (CSI) highlighting threats to Baseboard Management Controller (BMC) implementations and detailing actions organizations can use to harden them.
    • “BMCs are trusted components designed into a computer’s hardware that operate separately from the operating system (OS) and firmware to allow for remote management and control, even when the system is shut down. Hardened credentials, firmware updates, and network segmentation options are often overlooked, leading to a vulnerable BMC. A vulnerable BMC broadens the attack vector by providing malicious actors the opportunity to employ tactics such as establishing a beachhead with pre-boot execution potential.  
    • “CISA and NSA encourage all organizations managing servers to apply the recommended actions in this CSI.”
  • Also on June 15,
    • “Progress Software has released a security advisory for a privilege escalation vulnerability (CVE-2023-35708) in MOVEit Transfer—a Managed File Transfer Software. A cyber threat actor could exploit this vulnerability to take control of an affected system.
    • “CISA urges users and organizations to review the MOVEit Transfer advisory, follow the mitigation steps, and apply the necessary updates when available.”

Cybersecurity Dive

From the cybersecurity policy front —

  • A CSO analysis reports, “Federal cyber incidents reveal challenges of implementing US National Cybersecurity Strategy. As federal government cybersecurity incidents continue to mount, the Biden administration’s National Cybersecurity Strategy should help, although experts say implementing it won’t be easy.”
    • “More than any previous administration, the Biden administration has taken a serious step forward to secure federal government infrastructure (and, by extension, the private sector through government contractor requirements) with its expansive National Cybersecurity Strategy, released in March.
    • “The strategy outlines five broad “pillars” of cybersecurity efforts that civilian agencies must meet, including approaches to defending critical infrastructure, disrupting and dismantling threat actors, shaping market forces to drive security and resilience, investing in a resilient future, and enhancing public-private operational collaboration to disrupt adversaries.
    • “But the details of how agencies should start tackling the challenges won’t be fully understood until the administration releases the strategy’s implementation guidance, which officials say could occur over the next month or so.
    • “No matter how the guidance shakes out, government agencies’ challenges in implementing the strategy will undoubtedly be significant. First off is the sheer size and complexity of the federal government.”
  • The Wall Street Journal similarly explains that while “The Biden administration’s proposal to hold software makers accountable offers a starting point, it leaves a lot of questions open.”

From the cybersecurity vulnerabilities and breaches front —

  • Health IT Security tells us,
    • “Just like in years past, threat actors are leveraging ransomware, social engineering, denial of service, and basic web application attacks to disrupt operations and compromise data with great success. Verizon’s newly released 2023 Data Breach Investigations Report (DBIR) provided significant evidence of these trends through its analysis of more than 16,300 security incidents that occurred between November 1, 2021, and October 31, 2022.
    • “Of the 16,312 security incidents analyzed, 5,199 of them were confirmed data breaches. What’s more, 74 percent of all breaches involved a human element, such as social engineering, use of stolen credentials, or privilege misuse. * * *
    • “Verizon defines a “breach” as an incident that results in confirmed data disclosures to an unauthorized party, while an “incident” is a security event that compromises the integrity, availability, or confidentiality of information.
    • “Top attack patterns in healthcare included system intrusions, basic web application attacks, and miscellaneous errors, which collectively accounted for 68 percent of all healthcare breaches.
    • “The [h]ealthcare vertical is highly targeted by ransomware gangs, which results in both the loss of use of their systems—potentially with life-threatening consequences—as well as data breaches,” the report stated.”
  • Cybersecurity Dive reports (June 9)
    • “Barracuda’s email security gateway appliances, which were compromised by a zero-day vulnerability disclosed last month, need to be scrapped and replaced immediately, the company said Tuesday in an action notice.
    • “The vulnerability, CVE-2023-2868, has been actively exploited for at least eight months. Despite a series of patches issued to all appliances last month, Barracuda said, regardless of patch version level, its “remediation recommendation at this time is full replacement of the impacted ESG.”
    • “Barracuda’s decision to effectively retire all compromised ESG appliances is akin to an admission the company could not fully remove threat actor access and recover the devices for customers, according to experts.”
  • and (also June 9)
    • “Microsoft is investigating claims by an alleged hacktivist group that it launched a series of DDoS attacks that disrupted the company’s OneDrive and other Microsoft 365 services. 
    • “The company suffered a series of outages this week that impacted a range of services, including Microsoft Teams, SharePoint Online and OneDrive for Business. The OneDrive disruption was still impacting customers as of Thursday. 
    • “The group, known as Anonymous Sudan, has claimed credit for the alleged DDoS attacks and made additional threats against the company. Microsoft officials acknowledged the public claims and are working to fully restore services. 
    • “We are aware of these claims and are investigating,” a Microsoft spokesperson said via email. “We are taking the necessary steps to protect customers and ensure the stability of our services.”
  • HHS’s Health Sector Cybersecurity Coordination Center offers a PowerPoint presentation titled “Types of Cyber Threat Actors That Threaten Healthcare.”
  • Cybersecurity Dive adds
    • “Senior level corporate executives are increasingly being targeted by sophisticated cyberattacks that target their corporate and home office environments and even extend to family members, according to a study released Monday from BlackCloak and Ponemon Institute.
    • “About 42% of organizations surveyed had a senior executive or an executive’s family member attacked over the past two years. The study is based on a survey of more than 550 IT security leaders. 
    • “These attacks often lead to the theft of sensitive company data, including financial information, intellectual property or other information. In one-third of these cases, hackers are reaching these executives through insecure home-office networks used during remote work.”

From the ransomware front –

  • Cybersecurity Dive informs us,
    • “Most of Dallas’ network and IT infrastructure has been restored following a ransomware attack in early May that took most of the city’s services offline and disrupted operations, the city said Monday.
    • “Our staff has worked tirelessly to restore and rebuild systems and return all systems to full functionality as quickly and securely as possible,” the city said Monday in a statement. “At this time, we are more than 90% restored, with most public-facing services restored.”
    • “Dallas previously cautioned full functionality would take weeks, and some services are still non-operational. The city’s municipal court reopened on May 30, but trials and jury duty remain canceled until further notice and library staff are still tracking item availability manually.”
  • CISA and the FBI released an “Advisory on CL0P Ransomware Gang Exploiting MOVEit Vulnerability” on June 7.
    • Cyberscoop provides background on the advisory.
    • Bleeping Computer’s The Week in Ransomware focuses on this case.
  • Security Week reports
    • “Cybersecurity firm Obsidian has observed a successful ransomware attack against Sharepoint Online (Microsoft 365) via a Microsoft Global SaaS admin account rather than the more usual route of a compromised endpoint.
    • “The attack was analyzed post-compromise when the victim employed the Obsidian product and research team to determine the finer points of the attack. In its blog account of the incident, Obsidian did not disclose the victim but believes the attacker was the group known as 0mega.”
  • and
    • “Japanese pharmaceutical giant Eisai [a developer of the new Alzheimer’s Disease drug Leqembi] this week announced that it has fallen victim to a ransomware attack that forced it to take certain systems offline.
    • “Headquartered in Tokyo, the company has manufacturing facilities in Asia, Europe, and North America and has subsidiaries on both American continents, in Asia-Pacific, Africa, and Europe. Last year, the company reported more than $5 billion in revenue.
    • “The ransomware attack, the company says in an incident notification on its website, was identified on June 3 and resulted in the encryption of multiple servers.
    • “Eisai says it immediately implemented its incident response plan, which involved taking systems offline to contain the attack, and launched an investigation.”

From the cybersecurity defenses front —

  • On June 6, “CISA, Federal Bureau of Investigation (FBI), the National Security Agency (NSA), Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Israel National Cyber Directorate (INCD) released the Guide to Securing Remote Access Software. This new joint guide is the result of a collaborative effort to provide an overview of legitimate uses of remote access software, as well as common exploitations and associated tactics, techniques, and procedures (TTPs), and how to detect and defend against malicious actors abusing this software.”  
  • ISACA discusses the increasing importance of information technology audits to Boards of Directors.
  • Security Boulevard offers ten “go-to” tips for achieving/maintaining HIPAA Security Rule compliance.
  • Help Net Security suggests twenty cybersecurity projects on GitHub you should check out.

Cybersecurity Saturday

From the cybersecurity policy front —

  • The Wall Street Journal reports,
    • “Companies shouldn’t wait for new rules around cybersecurity, privacy and emerging technologies to be finalized before preparing for them, lawyers say, particularly as senior executives with the right experience can be hard to come by.
    • “Proposed cybersecurity rules from the Securities and Exchange Commission would require public companies to disclose which board members have security knowledge or experience, along with details about the board’s approach to cyber oversight. The SEC published draft rules in March 2022 and is expected to finalize them in the coming months.” 
  • Nextgov tells us,
    • A federal council tasked with harmonizing future cyber incident reporting requirements is set to release proposed recommendations on how to develop an incident-reporting framework across key agencies and regulatory bodies, according to the chair of the council.
    • Department of Homeland Security Under Secretary for Policy Robert Silvers said the Cyber Incident Reporting Council is expecting to submit its report to Congress “in the next month or two” during a panel discussion Thursday at the Center for Strategic and International Studies, a nonprofit think tank.
    • The council was established under the Cyber Incident Reporting for Critical Infrastructure Act last year with the goal of minimizing industry burden while ensuring timely awareness of cyber incidents impacting critical infrastructure sectors across all required federal components. 
    • The Cybersecurity and Infrastructure Security Agency is currently developing regulations as required under the law for critical infrastructure owners and operators to report cyber incidents within 72 hours and has led a series of listening sessions with sector-specific industries to aid its rule-making process. 
    • “CISA is considering the inputs received through these consultations as we develop the proposed regulations and look for ways to harmonize CIRCIA’s requirements with other existing cyber incident reporting regulatory requirements,” CISA’s Executive Director Brandon Wales wrote in a March blog post reflecting on his agency’s implementation of the bill a year after it was signed into law. 
    • CISA also issued a request for information from key stakeholders on the proposed regulations and said it was specifically interested in “definitions for and interpretations of the terminology to be used in the proposed regulations, as well as the form, manner, content and procedures for submission of reports required under CIRCIA.”

From the cybersecurity reports front —

  • The OPM Inspector General released its latest semi-annual report to Congress. That report includes a section on cybersecurity audits of FEHB plans.
  • The National Institute of Standards and Technology issued its Fiscal Year 2022 Cybersecurity and Privacy Annual Report.

From the cybersecurity vulnerabilities front —

  • Cybersecurity Dive reports
    • “A zero-day vulnerability first disclosed by Barracuda last week was actively exploited up to seven months ago, the security vendor said in an updated incident report Tuesday [May 30].
    • “The sizable time gap between the first known active exploitation of CVE-2023-2868 in October and Barracuda’s disclosure increases the potential for widespread compromise for customers using the security vendor’s email security gateway appliances.
    • “Malware was identified on a subset of appliances allowing for persistent backdoor access,” the company said. Data exfiltration was also identified on a subset of impacted appliances.
    • “Barracuda did not respond to questions about how many customers use its ESG appliances nor how many customers are potentially compromised and had data stolen.”
  • On June 2, 2023, HHS’s health sector Cybersecurity Coordination Center issued a sector alert titled “Healthcare Sector Potentially at Risk from Critical Vulnerability in MOVEit Transfer Software.”
    • “On May 31, 2023, Progress Software (formerly IPSwitch) published a notification disclosing that a critical vulnerability exists in their MOVEit Transfer software, which could result in unauthorized access and privilege escalation. The vulnerability is a SQL injection flaw that allows for escalated privileges and potential unauthorized access. As of May 31, 2023, the vulnerability does not have a CVE. File transfer solutions are frequently targeted by multiple threat actors, including ransomware groups. Progress Software has yet to report any attempts of extortion due to exposure to the vulnerability, nor is there any attribution to any specific threat actors. However, the exploitation is very similar to the January 2023 mass exploitation of a GoAnywhere MFT zero-day and the December 2020 zero-day exploitation of Accellion FTA servers. Both of these products are managed on file transfer platforms that were heavily exploited by the Clop ransomware gang to steal data and extort organizations.”
    • The Cybersecurity and Infrastructure Security Agency (CISA) released a corollary alert.
      • “Progress Software has released a security advisory for a SQL injection vulnerability (CVE-2023-34362) in MOVEit Transfer—a Managed File Transfer Software. A cyber threat actor could exploit this vulnerability to take over an affected system.
      • “CISA urges users and organizations to review the MOVEit Transfer Advisory, follow the mitigation steps, apply the necessary updates, and hunt for any malicious activity.”
  • On May 31, 2023, CISA announced the addition of one more known exploited vulnerability to its catalog, and another on June 2, 2023.

From the ransomware front, we have Bleeping Computer’s The Week in Ransomware.

  • “There have been rumors for weeks that Royal ransomware was rebranding to a new ransomware operation called BlackSuit. This week, Trend Micro analyzed encryptors from both operations and said they share very strong similarities.
  • “While this is not a strong enough link, the attack on Dallas may have put the Royal ransomware operation in the crosshairs, scaring them into a rebrand.
  • “Finally, IBM released a report about BlackCat/ALPHV’s new ‘Sphynx’ encryptor and other tools used by the operation that is a worthwhile read.”

From the cybersecurity defenses front —

  • The Wall Street Journal reports
    • “Retail giant Walmart said artificial intelligence is helping it to make sense of the data its security systems generate and to spot patterns that its analysts might miss. Generative AI systems like ChatGPT might enhance that ability further.
    • “Rob Duhart, Walmart’s deputy chief information security officer, said the sheer amount of information the company handles means that some form of automation is essential.
    • “There’s scale, and then there’s Walmart scale,” he said, speaking at the WSJ Pro Cybersecurity Forum held virtually Wednesday.
    • “With around 10,500 stores globally and 2.3 million employees, the company scans around 11 billion lines of code each year, Duhart said. Its cybersecurity tools generate around 6 trillion data points annually, and it blocks 8.5 billion malicious bots a month.
    • “Walmart has developed a number of AI tools in-house, given that off-the-shelf products typically can’t handle the vast body of data it needs to analyze, Duhart said. It’s also a problem for human analysts, who can’t comb through the information they need quickly enough.”
  • Health IT Security adds
    • “With recent economic trends pointing toward a recession, companies are bracing for the downturn and slashing resources in anticipation of financial turmoil.  
    • “Yet, cybersecurity budgets remain resilient. A recent survey revealed that most IT security decision-makers, including those in healthcare, have ramped up their 2023 cybersecurity spending to strengthen programs. 
    • “Nuspire’s Second Annual CISO Research Report on Challenges and Buying Trends surveyed 200 CISOs across various sectors. The results showed that 58 percent had increased their budgets in 2023, with 42 percent planning to pour even more funding into cybersecurity within the following year. 
    • “This uptick in budget allocation speaks volumes as leaders recognize the importance of a strong landscape
    • “As we’ve seen in previous years, the current economic conditions have shown how resilient cybersecurity budgets are in the face of business cost reductions,” said Lewie Dunsworth, CEO of Nuspire.”

Cybersecurity Saturday

From the cybersecurity policy front —

  • DefenseScoop reports
    • The Department of Defense sent its new classified cyber strategy to Congress this week, the Pentagon said Friday.
    • The highly anticipated strategy is the first since 2018 and follows the release of the National Cybersecurity Strategy in March.
    • The DOD also publicly released an unclassified “fact sheet” on Friday, and said an unclassified “summary” will be provided in the “coming months.” 
    • Of note, the fact sheet explains that the updated strategy is based upon real-world operations. Prior to 2018, the Pentagon had only conducted a limited number of cyber ops due to a variety of factors such as stringent authorities and a high-risk calculus.
    • The 2018 National Defense Authorization Act combined with changes to executive policy streamlined authorities and made it easier for the DOD to approve and conduct operations.
  • Politico adds
    • “President Joe Biden has nominated U.S. Air Force Lt. Gen. Timothy Haugh, the no. 2 at U.S. Cyber Command, to serve as the new head of both Cyber Command and the National Security Agency, according to an Air Force notice.
    • “The notice, obtained by POLITICO, was sent out on Monday and is titled “General Officer Nomination.” It announces that the president has nominated Haugh to the Senate for promotion to four-star general and assignment in the dual-hatted role. * * *
    • “If confirmed, Haugh will replace Gen. Paul Nakasone, who has led both NSA and Cyber Command since 2018. Nakasone is planning to step down sometime this year.”
  • Cyberscoop also tells us
    • “Microsoft rolled out a blueprint for regulating artificial intelligence on Thursday that calls for building on existing structures to govern AI.
    • “Microsoft’s proposal is the latest in a string of ideas from industry on how to regulate a technology that has captured public attention, attracted billions of dollars in investments and prompted several of its principal architects to argue that AI is in desperate need of regulation before it has broad, harmful effects on society. 
    • “In remarks before a Washington, D.C. audience on Thursday, Microsoft President Brad Smith proposed a five-point plan for governing AI: implementing and building upon existing frameworks, requiring effective brakes on AI deployments, developing a broader legal and regulatory framework, promoting transparency and pursuing new public-private partnerships.”

From the cybersecurity breaches and vulnerabilities front —

  • Cybersecurity Dive informs us
    • “PillPack, an online pharmacy owned by Amazon, has reported a data breach affecting more than 19,000 customers.
    • “The cyberattack exposed users’ email addresses, prescription information and their providers’ contact details. Social Security numbers and credit card information weren’t involved. PillPack said more than 3,600 affected accounts included prescription data.
    • “The online pharmacy said it discovered the breach on April 3, and it determined an unauthorized person used users’ email addresses and passwords to sign into their accounts between April 2 and April 6.”
  • Dark Reading relates
    • “China-sponsored threat actors have managed to establish persistent access within telecom networks and other critical infrastructure targets in the US, with the observed purpose of espionage — and, potentially, the ability down the line to disrupt communications in the event of military conflict in the South China Sea and broader Pacific.
    • “That’s according to a breaking investigation from Microsoft, which dubs the advanced persistent threat (APT) “Volt Typhoon.” It’s a known state-sponsored group that has been observed carrying out cyber espionage activity in the past, by researchers at Microsoft, Mandiant, and elsewhere.”
  • Cyberscoop adds
    • “A rare form of malicious software designed to infiltrate and disrupt critical systems that run industrial facilities such as power plants has been uncovered and linked to a Russian telecom firm, according to a report released Thursday from the cybersecurity firm Mandiant. 
    • “The discovery of the malware dubbed “CosmicEnergy” is somewhat unusual since it was uploaded to VirusTotal — a service that Google owns that scans URLs and files for malware — in December 2021 by a user with a Russian IP address and was found through threat hunting and not following an attack on a critical infrastructure system. 
    • “Whatever the motivation for developing it and uploading the code to VirusTotal, CosmicEnergy joins a highly specialized group of malware such as Stuxnet, Industroyer and Trisis that are purpose built for industrial systems. Furthermore, the discovery adds another layer of concern for critical infrastructure operators and organizations that are increasingly targeted by criminal and nation-backed hackers.
    • “Researchers at Mandiant, which is part of Google Cloud, noted that it’s highly unusual for this type of code to be discovered or even disclosed to the public. Yet, it’s not clear if the malware was intended for use in a cyberattack or it could have been developed for internal red-teaming exercises before the code was released into the wild.”
  • Health IT Security reports
    • “The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Australian Cyber Security Centre (ACSC) released a joint cybersecurity advisory (CSA) regarding BianLian ransomware group.
    • “The group has been observed targeting a variety of United States critical infrastructure sectors since June 2022, as well as Australian critical infrastructure sectors. BianLian typically gains access via valid Remote Desktop Protocol (RDP) credentials and uses open-source tools for credential harvesting. In 2023, BianLian has threatened negative financial, legal, and business impacts if victims refuse to pay the ransom.
    • “BianLian group actors then extort money by threatening to release data if payment is not made,” the advisory stated. “BianLian group originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion.”
  • CISA warned of hurricane/typhoon-related scams and added three, and then one more, known exploited vulnerabilities to its catalog.

From the ransomware front —

  • Cybersecurity Dive informs us, “A trio of [recent] ransomware attacks targeting the Dallas metro area have the hallmarks of a targeted campaign. They also underscore a very real problem: society is becoming desensitized to disruption.”
  • Here’s a link to the latest issue of Bleeping Computer’s The Week in Ransomware.

From the cybersecurity defenses front —

  • Cybersecurity Dive reports
    • “The Cybersecurity and Infrastructure Security Agency for the first time since 2020 released an updated version of #StopRansomware, in partnership with the FBI, National Security Agency and the Multi-State Information Sharing and Analysis Center. 
    • “The updated guide, developed through the Joint Ransomware Task Force, reflects lessons learned over the last few years, adding the FBI and NSA as co-authors for the first time. It offers recommendations to prevent initial intrusion as well as steps to protect data using cloud backups. * * *
    • “It includes a comprehensive list of best practices to defend against attacks, including: 
      • “Maintain offline, encrypted backups of critical data and regularly test those backups in a simulation of disaster recovery. This should include “golden images” of critical systems, including preconfigured operating systems and associated applications. 
      • “Develop, maintain and practice a basic cyber incident response plan for ransomware and data breaches. This should include a communications plan, including disclosure notifications to government authorities. 
    • “The guide also includes a comprehensive set of measures to prevent and mitigate ransomware and data extortion, including: 
      • “Conduct regular scanning to identify and address vulnerabilities, particularly on internet facing devices. 
      • “Regularly patch and update software and operating systems to the latest versions. 
      • “Make sure all on premises, cloud services, mobile and bring your own devices are properly configured and security features are enabled. 
      • “Implement phishing-resistant multifactor authentication.
      • “Enforce lockout policies after a certain number of failed login attempts.
    • “The guide suggests creating illustrated guides that provide detailed information about data flows inside an organization. This will help incident responders understand which systems to focus on during an attack.” 
  • The Wall Street Journal informs us
    • “Cyber insurance prices in the United States rose 11% year over year on average in the first quarter of 2023 according to insurance broker Marsh. This was a noticeably smaller increase than the 28% rise in Q4 2022 and was the fifth straight quarter that prices rose by less than the previous quarter. Additionally, rate increases moderated during 2022, with an average increase of 17% in December 2022, which was down significantly from a December 2021 high average increase of 133%. 
    • “Marsh said increased competition, improved cybersecurity controls, and a reduction in ransomware attacks in 2022 were factors that affected the continued moderation in pricing, while noting there has been an upturn in ransomware incidents and claims since Q4 2022.”
  • Tom’s Guide updates us on best VPN logging practices.
  • The Harvard Business Review offers ideas on creating effective cybersecurity training programs.

Cybersecurity Saturday

From the cybersecurity policy front —

  • Defense One reports,
    • “By November, Pentagon cybersecurity leaders aim to lay out just how private contractors will be expected to work with government agencies to safeguard data and ward off attacks.
    • “We are working on a strategy—a [defense industrial base] cybersecurity strategy—that we hope to have out later this year,” David McKeown, DOD’s chief information and security officer, said at GovExec’s Cyber Summit event Thursday. “Our strategy is bringing all of the pieces and parts within the department together…laying it out who’s going to be doing what, and we overlay everything on top of the NIST cybersecurity framework.”
    • “Lawmakers requested the strategy as a step toward reducing the vulnerabilities created by doing sensitive business with hundreds of thousands of private contractors.”
  • Cyberscoop tells us,
    • “Lawmakers on Wednesday [May 17, 2023] passed a series of bills to give the Cybersecurity and Infrastructure Security Agency new responsibilities when it comes to safeguarding open source software, protecting U.S. critical infrastructure and expanding the cybersecurity workforce. 
    • “The Senate Homeland Security and Governmental Affairs Committee advanced a bill that would require CISA to maintain a commercial public satellite system clearinghouse and create voluntary cybersecurity recommendations for the space sector. Additionally, the committee advanced legislation requiring CISA to create a pilot civilian cyber reserve program to respond to incidents.
    • “The House Homeland Security Committee advanced legislation that would require CISA to work with the open source community to better secure it as well as create a framework to assess the general risks of open source components for federal agencies. The House advanced another bill that would give CISA the authority to train employees at DHS that aren’t currently in cybersecurity positions to move to such a role.”
  • Health IT Security adds,
    • “At a House Committee on Energy and Commerce hearing held on May 16, 2023, experts from the energy, water, and healthcare sectors testified on how sector-specific agencies within critical infrastructure are taking steps to protect their industries from cyberattacks.
    • “Each of the 16 critical infrastructure sectors has a designated Sector Risk Management Agency (SRMA) that is responsible for managing threats faced by each sector. The hearing gave committee members a chance to explore how various federal agencies work to secure critical infrastructure against cyber threats, assess their responses to emerging threats, and learn more about the roles and responsibilities of each agency.
    • “Brian Mazanec, PhD, deputy director at the HHS Administration for Strategic Preparedness and Response (ASPR) Office of Preparedness, delivered both a spoken and written testimony to the committee on the growing threats facing the healthcare sector and the role of HHS in mitigating these threats.
      • HHS is working diligently to strengthen cybersecurity and address the impacts of cyberattacks on the healthcare system. As we move forward, there are additional authorities and resources that would advance ASPR’s ability to fully implement its plan to bolster HHS’s Cyber Sector Risk Management Agency (SRMA) activities. For example, we are in the process of establishing a dedicated Cyber Division within ASPR’s Office of Critical Infrastructure Protection. If ASPR is granted direct hire authority, as requested through the Pandemic and All-Hazards Preparedness Act (PAHPA) reauthorization process, we would be able to bring critical staff with cyber expertise into the organization more quickly and move forward to address challenges without delay. We would also be better positioned to immediately expand and enhance our efforts as the SRMA lead for the HPH sector. Additionally, we are looking to establish a new HHS cyber incident ticketing system to better track incidents and strengthen threat intelligence sharing through embedded liaisons within CISA and the FBI. Dedicated resources are needed to implement and operate supporting systems, as included in the FY 2024 President’s Budget request. We continually assess and identify whether any additional authorities are needed to support our 

From the cyber vulnerabilities and breaches front —

  • The Health Sector Cybersecurity Coordination Center issued its April 2023 Cybersecurity Vulnerability report.
    • In April 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for April are from Microsoft, Google/Android, Apple, Mozilla, SAP, Cisco, Fortinet, VMware, and Adobe. A vulnerability is given the classification as a zero-day if it is actively exploited with no fix available or is publicly disclosed. HC3 recommends patching all vulnerabilities with special consideration to the risk management posture of the organization.
  • Dark Reading points out three ways hackers use ChatGPT to cause security headaches.
  • MeriTalk informs us
    • “The Department of Transportation (DoT) is investigating a data breach affecting administrative systems at the department, an agency spokesperson confirmed to MeriTalk today.
    • “According to a Reuters report, DoT notified Congress of the data breach on Friday, which exposed the personal information of about 237,000 current and former Federal government employees. * * *
    • “DoT did not say when the hack was first discovered or who might be responsible for it.
    • “DoT is the latest agency to face a data breach after the U.S. Marshals Service (USMS) responded to a ransomware attack and data breach in February that compromised sensitive law enforcement information.”
  • Dark Reading adds
    • “PharMerica Healthcare has disclosed that its systems were breached earlier this year by an unauthorized third party, which resulted in the leak of the personal details of more than 5.8 million deceased people.
    • PharMerica provides pharmacy services for patients under long-term care, including those in senior living facilities, hospice care, and using behavioral health services.”

From the ransomware front,

  • Cyberscoop and Healthcare Dive report
    • “A new and highly active ransomware threat actor, RA Group, is targeting organizations in the manufacturing, finance, insurance and pharmaceuticals sectors, researchers at Cisco Talos said Monday.
    • “Within a week of its emergence on April 22, RA Group compromised three organizations in the U.S. and one in South Korea. The group listed its first three victims on its leak site on April 27 and added a fourth victim on April 28, according to Cisco Talos.
    • “Initial victim organizations have had their data encrypted and stolen, a form of double extortion designed to increase pressure on the organizations to pay the ransom.”
  • CISA announced
    • CISA, the Federal Bureau of Investigation (FBI), and the Australian Cyber Security Centre (ACSC) have released a joint Cybersecurity Advisory (CSA) with known BianLian ransomware and data extortion group technical details. Microsoft and Sophos contributed to the advisory.
    • To reduce the likelihood and impact of BianLian and other ransomware incidents, CISA encourages organizations to implement mitigations recommended in this advisory. Mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST).
  • Here’s this week’s link to Bleeping Computer’s Week in Ransomware.
  • Cybersecurity Dive provides guidance on why and how to report a ransomware attack.

From the cyber defenses front —

  • The Wall Street Journal reports on how tabletop exercises can improve cyber preparedness, while Cybersecurity Dive tells us,
    • Corporate programs designed to boost the cyber resilience of employees are falling short on their goals, with more than half of cybersecurity leaders saying their workforce is not prepared for an attack, according to an Osterman Research report sponsored by Immersive Labs.
    • At two-thirds of organizations, there is a fear that almost all employees, 95%, will not understand how to recover following a cyberattack. Priority tasks might include operating without core IT systems and switching to manual processes to get important tasks completed. 
    • “There is an unfortunate disconnect between leaders’ confidence in team preparedness and real cyber resilience,” Max Vetter, VP of cyber at Immersive Labs, said via email. “This is because legacy training measures attendance, not real capabilities.”

Cybersecurity Saturday

From the cybersecurity policy front —

  • On May 10, 2023, the National Institute of Standards and Technology posted “revised draft guidelines, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST Special Publication [SP] 800-171 Revision 3).”
    • “Notable updates in the draft include: 
      • “Changes to reflect the state-of-practice cybersecurity controls;
      • “Revised criteria used by NIST to develop security requirements;
      • “Increased specificity and alignment of the security requirements in SP 800-171 Rev. 3 with SP 800-53 Rev. 5, to aid in implementation and assessment; and
      • “Additional resources to help implementers understand and analyze the proposed updates.”
    • “NIST is requesting public comments on the draft guidelines by July 14, 2023.”
    • “NIST anticipates releasing at least one more draft version of SP 800-171 Rev. 3 before publishing the final in early 2024. Following the publication of the final version, the authors plan to revise the set of supporting NIST publications on protecting controlled unclassified information, including SPs 800-171A (security requirement assessment), SP 800-172 (enhanced security requirements) and SP 800-172A (enhanced security requirement assessment).” 
    • “NIST is planning a webinar for June 6, 2023, to introduce the changes made to SP 800-171. Registration information will be posted next week on the Protecting CUI project site.” 
  • Cybersecurity Dive reports, “White House considers ban on ransom payments, with caveats. Experts suggest the effort, a reversal from the administration’s previous stance, is fraught with complications that could cause unintended consequences.”
    • Cybersecurity Dive adds,
      • “As the White House floats the possibility of a ban on ransom payments, the number of organizations hit by ransomware that ultimately pay a ransom remains high. 
      • “Nearly half, 46%, of organizations hit by ransomware during the past year paid a ransom to recover data, according to research Sophos released Wednesday [May 10].”
      • “The survey also found that cybersecurity insurance plays a direct role in the likelihood of an organization making a ransom payment. Nearly 3 in 5 organizations with a standalone cyber insurance policy paid the ransom, compared to the 15% of uninsured organizations that paid the ransom.”
    • Cybersecurity Dive points out,
      • “The number of ransomware claims filed by U.S. clients of insurance broker Marsh spiked 77% in the first quarter of the year compared with the prior three-month period, the company told CFO Dive.
      • “Marsh saw 55 ransomware claims from U.S. clients in the first quarter of the year versus 31 claims in the fourth quarter. The figures, which are expected to be published in an upcoming report, follow a downward trend in 2022 that had been credited with helping to moderate skyrocketing premiums in the cyber insurance market.
      • “I do think that we can still continue to see a deceleration of rate increases for those companies that have an optimal cyber risk maturity profile and have not suffered significant events that have caused the carriers to make claim payments,” Meredith Schnur, Marsh’s U.S. and Canada cyber brokerage leader, said in an interview.”
  • Cybersecurity Dive reports,
    • “Acting National Cyber Director Kemba Walden said the national cybersecurity strategy has been well received, however, acknowledged there were areas of disagreement. 
    • “Walden, speaking Tuesday [May 9, 2023] at a forum hosted by The Software Alliance, also known as BSA, said there are two major areas of common ground that form the basis of the policy. Individual technology users, small businesses, local governments and small infrastructure providers like schools and hospitals are currently bearing the brunt of the cybersecurity risk — and that needs to change. 
    • “Cybersecurity risk is in the wrong place,” Walden said. “I think that’s an area of common ground.”
    • “Secondly, the U.S. is currently engaged in a game of Whac-A-Mole with malicious actors and the country needs to work together to make sure systems can be properly defended.
    • “Walden said her main concern regarding the national cyber strategy is to make sure the U.S. can build a more resilient digital ecosystem.”

From the cyber vulnerabilities front —

  • Health IT Security informs us,
    • “The Health Sector Cybersecurity Coordination Center’s (HC3) latest alert [dated May 10, 2023] details the growing trend of threat actors targeting a known vulnerability in Veeam Backup & Replication (VBR) software. VBR is a popular software product that can be used to back up, replicate, and restore data on virtual machines (VMs).
    • The vulnerability, known as CVE-2023-27532, is a high-severity vulnerability with a CVSS score of 7.5 that exposes encrypted credentials stored in the VBR configuration to unauthenticated users. If successfully exploited, threat actors may be able to gain access to the backup infrastructure hosts and could steal data or deploy ransomware.”
  • Health IT Security further tells us,
    • “The internet has a bot problem, cybersecurity company Imperva suggested in its 2023 Bad Bot Report. Nearly half of all internet traffic came from bots in 2022, while human traffic dipped to its lowest level in eight years.
    • Bots are not inherently bad – they can help automate select tasks, measure customer engagement, or simulate conversations. However, malicious bots can help threat actors launch denial-of-service attacks, distribute malware, or crack passwords. Imperva observed an uptick in bad bot traffic volume for the fourth consecutive year, growing to 30.2 percent in 2022, compared to 27.7 percent in 2021.
    • “Bad bots interact with applications like legitimate users would, making them harder to detect and block. They abuse business logic by exploiting the way a business operates, rather than exploiting technical vulnerabilities,” the report stated. * * *
    • “Imperva suggested that businesses begin mitigating risk by protecting exposed APIs and mobile apps, monitor traffic, and remain aware of data breaches and leaks occurring across the industry.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) added one and then seven more known exploited vulnerabilities to its catalog.

From the ransomware front —

  • Cyberscoop calls our attention to “The Ransomware Malicious Quadrant, published Wednesday by ransomware-focused cybersecurity firm Halcyon and first shared with CyberScoop, takes a range of the most consequential and effective ransomware groups over the past year and gathers the most critical datapoints on each, and categorizes them.”
  • Silicon Angle tells us,
    • “A new ransomware group targeting vulnerabilities in virtual private network appliances has been found that has a unique twist: The ransomware encrypts itself to avoid detection by security software.
    • “Discovered by security researchers at Kroll LLC, the ransomware, dubbed “Cactus,” is believed to have first been deployed in March. The ransomware targets known vulnerabilities in Fortinet Inc. VPN appliances to gain access to major organizations before getting to work.”
  • “CISA and FBI have released [on May 11, 2023] a joint Cybersecurity Advisory (CSA), Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG. This joint advisory provides details related to an exploitation of PaperCut MF/NG vulnerability (CVE-2023-27350). FBI observed malicious actors exploit CVE-2023-27350 beginning in mid-April 2023 and continuing through the present. In early May 2023, the FBI observed a group self-identifying as the Bl00dy Ransomware Gang attempting to exploit vulnerable PaperCut servers against the Education Facilities Subsector. The advisory further provides detection methods for exploitation and details known indicators of compromise (IOCs) related to the group’s activity. CISA encourages network defenders to review and apply the recommendations in the Detection Methods and Mitigations sections of this CSA.”
  • Here’s the latest Bleeping Computer Week in Ransomware report.

From the cyber defenses front —

  • The Washington Post reports,
    • “The Justice Department announced on Tuesday [May 9] that it disrupted Russian government cyberespionage malware that has infected targets in at least 50 countries. The U.S. government had been investigating it for more than 20 years.
    • “On the same day, a coalition of U.S. and U.S.-allied cyber agencies released technical details on the malware, known as Snake, to help industry and governments to shut it down.”
  • The Washington Post also discusses the growing use of artificial intelligence as a hacking tool, adding,
    • AI will help defenders as well, scanning reams of network traffic logs for anomalies, making routine programming tasks much faster, and seeking out known and unknown vulnerabilities that need to be patched, experts said in interviews.
    • Some companies have added AI tools to their defensive products or released them for others to use freely. Microsoft, which was the first big company to release a chat-based AI for the public, announced Microsoft Security Copilot in March. It said users could ask questions of the service about attacks picked up by Microsoft’s collection of trillions of daily signals as well as outside threat intelligence.
    • [However, b]y multiplying the powers of both sides, AI will give far more juice to the attackers for the foreseeable future, defenders said at the RSA conference.”

Cybersecurity Saturday

From the cyber breaches front, Health IT Security reports on the latest healthcare breaches.

From the cybersecurity justice front —

The Washington Post informs us,

  • “Former Uber chief security officer Joe Sullivan avoided prison Thursday as he was sentenced for covering up the 2016 theft of company data on 50 million Uber customers while the company was being investigated by the Federal Trade Commission over a previous breach.
  • “Sullivan had been convicted in October of obstruction of justice and hiding a felony, making him the first corporate executive to be found guilty of crimes related to a data breach by outsiders.
  • “U.S. District Judge William Orrick sentenced Sullivan to three years of probation, noting his significant past work in protecting people from the sort of crime he later concealed. He also said that Sullivan’s steps had succeeded in keeping the stolen data from being exposed.
  • “Orrick said he felt former Uber chief executive Travis Kalanick was equally responsible for what he considered a serious offense, and he wondered aloud why Kalanick had not been charged. The judge also said he was influenced by the unprecedented nature of the case, warning that future offenders would be jailed, even if they were the pope.”

Cybersecurity Dive tells us,

  • “A New Jersey appellate court upheld a prior ruling in favor of Merck, a major pharmaceutical company embroiled in a closely watched case involving $1.4 billion in claims stemming from the 2017 NotPetya cyberattack.
  • “The court agreed Monday that insurers could not deny coverage under war exclusion language contained in the policies, saying the circumstances didn’t apply in the Merck case. 
  • “The decision is considered a major victory for companies seeking claims for cyberattacks at a time when hackers linked to rogue nation-states have stepped up threat activity through supply chain attacks, ransomware and other malicious threats.”

From the cyber vulnerabilities front, the Cybersecurity and Infrastructure Security Agency added three more known exploited vulnerabilities to its catalog.

Cybersecurity Dive points out “three areas of generative AI the NSA is watching in cybersecurity. Generative AI is a ‘technological explosion,’ NSA Cybersecurity Director Rob Joyce said. While it is a game-changing technology, it hasn’t delivered quite yet.”

From the ransomware front —

Cyberscoop relates that “Victims’ reluctance to report ransomware stymies efforts to curb cyberattacks, say federal officials. Federal officials say they need more victims to report when they’ve been hit by ransomware in order to better defend against the problem.”

Here is a link to Bleeping Computer’s latest Week in Ransomware.

  • “This week’s ransomware news has been dominated by a Royal ransomware attack on the City of Dallas that took down part of the IT infrastructure.
  • “The attack occurred early Monday, affecting the Dallas Police dispatch system and the public library’s computer network. Additional systems, including the City’s website, were shut down as time passed.
  • “On Wednesday, the City’s network printers began printing ransom notes from the attack. BleepingComputer obtained a screenshot of this note, allowing us to identify that the Royal ransomware operation was behind the attack.”

From the cyber defenses front, Cybersecurity Dive notes

  • “Google rolled out a feature Wednesday that allows account holders to create passkeys, part of a wider move to phase out passwords across the industry.
  • “Passkeys are stored on local computers or mobile devices, reducing the risk of credentials being hacked through a phishing attack. Passkeys allow users to sign into apps and sites the same way as they would access their devices, such as a face scan or fingerprint. 
  • “Dashlane separately announced a feature called passwordless login on Wednesday, which means users of the password manager will no longer need to create a master password to access the service.”

Cybersecurity Saturday

From the cybersecurity policy front —

Cybersecurity Dive reports

  • “The White House is crafting a roadmap to guide the implementation of the national cybersecurity strategy that it is set to release early this summer, Acting National Cyber Director Kemba Walden said Tuesday during a discussion with journalists at the RSA Conference.
  • “The strategy, framed around principles, was developed to have a 10-year shelf life. The dynamic and evolving nature of cybersecurity requires flexibility as new threats or technologies emerge, Walden said.
  • “The devil’s in the implementation planning process,” Walden said. “It’s really going to be who’s accountable for what, who’s responsible for what in the policymaking process, in the sort of sausage factory of the government.”

Cyberscoop informs us that “US cybersecurity officials are stepping up their push for tech companies to adopt secure by-design practices. Efforts at CISA and the Department of Energy are both meant to encourage the practice of building in better security protections.

  • “Small and medium businesses, local school districts, water utilities, local hospitals, are not going to be successful in managing cybersecurity risk alone if they ever get in the crosshairs of a ransomware gang or an APT actor,” said Eric Goldstein on Wednesday during the annual RSA Conference here that brings together government officials and industry executives. “Those who can bear the burden are held accountable for providing services that are safe and secure by design by default.” 
  • Jack Cable, a senior technical adviser at CISA, told CyberScoop that CISA held two listening sessions recently with industry partners as well as one with the open-source community. He said the agency plans to build on secure by design principles recently outlined in a white paper the agency published. “This is the first chapter of the story here and we want to work closely with industry and governmental partners with this.”

The Cybersecurity and Infrastructure Security Agency (CISA) tells us,

  • “In line with the theme for this year’s RSA Conference, Stronger Together, Eric Goldstein, Executive Assistant Director for Cybersecurity, Cybersecurity and Infrastructure Security Agency (CISA), and U.S. Army Maj. Gen. William J. Hartman, U.S. Cyber Command’s Cyber National Mission Force commander, delivered a presentation on the importance of partnership in defending America’s critical infrastructure while holding malicious cyber actors accountable.
  • “Goldstein and Hartman shared newly-declassified details of interagency responses to cyber attacks from nation-state actors and cybercriminals, including how CNMF shares information from foreign operations to enable CISA’s domestic defensive mission. They also discussed how CISA shares information from domestic cyber incidents to enable CNMF’s operations to impose costs on foreign malicious cyber actors. Goldstein and Hartman discussed case studies, including the “SolarWinds” campaign, the mitigation of Chinese hacking of Microsoft Exchange, the disruption of Iranian targeting of an election reporting website, and ongoing data-sharing from cyber criminal targeting of federal agencies and educational institutions to enable CNMF operations.
  • “As our nation’s cyber defense agency, CISA recognizes that we must leverage all tools and capabilities to increase costs against our adversaries. Our work with CNMF enables us to not only more effectively defend our nation’s critical infrastructure from cyberattacks but also clearly demonstrate to our adversaries that there is a price to pay if you decide to attack American infrastructure,” said CISA EAD Goldstein. “Our presentation demonstrated for the first time how this partnership yields real-world operational benefits and how we rely upon collaboration with, and incident reporting from, the private sector to catalyze this work.”

NIST’s Computer Security Resource Center announced

  • “For the past 18+ months NIST, in collaboration with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), has been working to update NIST Special Publication (SP) 800-66, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide, from Revision 1 to Revision 2.
  • “Thank you to all who provided feedback during the open comment period; in total, over 250 unique comments were received from dozens of individuals and organizations. Many commenters suggested that more resources be developed for small, regulated entities. NIST agrees… and anticipates follow-on work in this area—but NIST can’t do it alone and plans to work collaboratively with other agencies, entities, and colleagues to produce useful resources. Stay tuned for more information about this in the coming months.
  • “NIST and OCR are still in the process of adjudicating the received comments carefully. Once all comments are adjudicated, NIST plans to publish a blog or whitepaper detailing the proposed changes to SP 800-66 r2 (with the goal being to publish a final version of SP 800-66 r2 later this year). Thank you for the opportunity to share this update. Feel free to reach out with any questions or comments to sp800-66-comments@nist.gov (and follow us on @NISTcyber and subscribe to our Cybersecurity Insights blog to stay updated in the future).”

From the cyber vulnerabilities front —

Bloomberg points out

  • “As hacking has gotten more destructive and pervasive, a powerful type of tool from companies including CrowdStrike Holdings Inc. and Microsoft Corp. has become a boon for the cybersecurity industry.
  • “Called endpoint detection and response software, it’s designed to spot early signs of malicious activity on laptops, servers and other devices – “endpoints” on a computer network — and block them before intruders can steal data or lock the machines. 
  • “But experts say that hackers have developed workarounds for some forms of the technology, allowing them to slip past products that have become the gold standard for protecting critical systems. 
  • “Investigators from multiple cybersecurity firms said the number of attacks where EDR is disabled or bypassed is small but growing, and that hackers are getting more resourceful in finding ways to circumvent the stronger protections it provides. * * *
  • “Security software cannot stand alone — you need eyes on-screen combined with technology,” [an investigator] said. EDR “is much better than antivirus software. So for sure you need it. It’s just not the silver bullet that some think it is.”

CISA relates

From the ransomware front —

HHS’s Healthcare Sector Cybersecurity Coordination Center issued a sector alert yesterday

  • “Ransomware-as-a-service (RaaS) groups Cl0p and Lockbit recently conducted several distinct attacks, exploiting three known vulnerabilities (CVE-2023-27351, CVE-2023-27350, and CVE-2023-0669). The Cybersecurity and Infrastructure Security Agency (CISA) added the latter two vulnerabilities to its Known Exploited Vulnerabilities Catalog but has not yet added the first. This Sector Alert follows previous HC3 products on Cl0p (Cl0p Allegedly Targeting Healthcare Industry and Cl0p Ransomware) and Lockbit (Lockbit Ransomware, LockBit 3.0, and LockBit 2.0 IOCs), and provides an update on the recent attacks, and recommendations to detect and protect against future ransomware attacks.”

Here is the latest Bleeping Computer Week in Ransomware.

From the cybersecurity defenses front —

Health IT Security reports, “KLAS, the American Hospital Association (AHA) and healthcare risk management solutions company Censinet released the much-anticipated first wave of results of its Healthcare Cybersecurity Benchmarking Study.”

Cybersecurity Dive calls attention to “Mandiant CEO Jack Mandia’s seven tips for cyber defense; Organizations’ institutional knowledge is an advantage that no adversary can match, Kevin Mandia told RSA Conference attendees.” The FEHBlog’s favorites are

  1. Lean on multifactor authentication

“The biggest bang for the buck against any impactful attack is multifactor authentication period,” Mandia said. “Figuring out a way to get it everywhere and know that you have it everywhere with some sort of validation is critical.”

  2. Build honeypots

Honeypots, or fake accounts deliberately left untouched by authorized users, are effective at helping organizations detect intrusions or malicious activities that security products can’t stop, Mandia said.
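The honeypot-account idea above rests on one property: nobody legitimate ever touches the decoy, so any authentication event naming it is a signal. The detector below is an added example (not from the article or from Mandiant) that applies that rule to constructed log lines in a made-up format, alerting on successful and failed attempts alike, since a failed attempt still shows the decoy name has been harvested.

```python
"""Decoy (honeypot) account detector.

Added example, not from the article or from Mandiant. The log format is
constructed for this example, not a vendor format:
    <ISO timestamp> auth user=<name> src=<ip> result=<success|failure>
"""
import re
from dataclasses import dataclass

# Constructed decoy account names. In practice they are provisioned to look
# like real service/admin accounts and are never used by authorized users.
DECOY_ACCOUNTS = frozenset({"svc_backup_admin", "finance-share"})

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure)$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    user: str
    src_ip: str
    result: str

    @property
    def severity(self) -> str:
        # A successful login means the decoy's credentials were obtained;
        # a failure still reveals reconnaissance, so neither is ignored.
        return "critical" if self.result == "success" else "high"


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_decoy_access(lines, decoys=DECOY_ACCOUNTS):
    """Return an Alert for every auth event (any outcome) on a decoy account.

    Matching is case-insensitive because directory services commonly treat
    account names that way, and an attacker may not preserve the original case.
    """
    decoys_lc = {d.lower() for d in decoys}
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line: skip it rather than stop the pipeline
        if ev["user"].lower() in decoys_lc:
            alerts.append(Alert(ev["ts"], ev["user"], ev["src"], ev["result"]))
    return alerts


# Constructed sample log lines for the example.
SAMPLE_LOG = [
    "2023-05-03T09:14:02Z auth user=alice src=10.0.5.21 result=success",
    "2023-05-03T09:15:40Z auth user=SVC_BACKUP_ADMIN src=10.0.9.77 result=failure",
    "2023-05-03T09:15:41Z auth user=svc_backup_admin src=10.0.9.77 result=success",
    "garbage line that does not parse",
    "2023-05-03T09:20:10Z auth user=bob src=10.0.5.30 result=failure",
]

if __name__ == "__main__":
    for a in detect_decoy_access(SAMPLE_LOG):
        print(f"[{a.severity}] {a.timestamp} decoy {a.user!r} touched "
              f"from {a.src_ip} ({a.result})")
```

Running it on the sample yields two alerts from the same source address, the failed attempt at high severity and the subsequent success at critical, while the ordinary user logins produce nothing.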

The FEHBlog uses multifactor authentication but had not heard of honeypots.

Tech Radar reports

  • “A new prototype technology has the potential to revolutionize cybersecurity, making it possible for businesses to prevent the majority of cyberattacks with ease.
  • “In a joint project developed by ARM and the University of Cambridge, world-renowned for its computer science pedigree, the prototype processor was used in experiments by various companies for six months as part of the Technology Access Programme, courtesy of Digital Catapult with support from the University of Cambridge and Arm.
  • “As a result of this programme, 27 of the participating companies gathered at Digital Catapult’s London HQ to demonstrate their findings, and many were impressed it seems with the prototype’s ability to defend against memory-related cyberattacks. * * *
  • “Although it is still in the research phase, the prototype is claimed to have the potential to help protect industries and firms. Already, the programme has racked up over a thousand days in development work, with over 13 million lines of code being experimented with.”

Cybersecurity Saturday

From the cyber breaches front —

  • Health IT Security reports that the recent DC Healthlink data breach resulted from unspecified human error.
  • Cybersecurity Dive informs us,
    • “NCR, a payments processor that offers point-of-sale systems to restaurants and retailers, digital banking and ATM services, is still responding to and recovering from a ransomware attack that began impacting systems on April 12.
    • “The cyberattack caused a data center outage that is impacting some functionality in Aloha, a POS used by restaurants, and Counterpoint, which integrates front- and back-office management systems for retailers, NCR said in an incident report update Monday. The company first publicly disclosed it was hit by a ransomware attack on April 15.”
  • Health IT Security adds,
    • The average cost of a healthcare ransomware attack was $4.82 million in 2021, according to IBM Security’s “Cost of a Data Breach Report.” In a new report by ThreatConnect, the cyber threat intelligence company suggested that there is more to be discovered about the true cost of a ransomware attack.
    • “[T]hat average attack figure takes into account a large number of incidents that cost relatively little (less than $25k) and a few that cost a lot,” the report stated. “The question is—does the average apply to you?”
    • “ThreatConnect analyzed thousands of companies in the manufacturing, healthcare, and utility industries in order to estimate median losses to operating incomes.”
  • According to Cybersecurity Dive,
    • “Premiums for stand-alone cyber insurance rose by 62% in 2022 following a 91% increase in the prior year, according to a recent report by Fitch Ratings.
    • “The deceleration was driven by a moderation of ransomware incidents, a heightened level of cyber risk awareness among corporate executives, and more strict enforcement of cyber hygiene standards by insurance companies, according to Fitch.
    • “You will likely see rates decelerate further,” Gerald Glombicki, a senior director in Fitch Ratings insurance group, said in an interview.”

From the cyber vulnerabilities front —

  • The Health Sector Cybersecurity Coordination Center released its March 2023 vulnerabilities report.
    • “In March 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for this month are from Microsoft, Google/Android, Apple, Mozilla, SAP, Cisco, Fortinet, and Adobe. A vulnerability is given the classification as a zero-day if it is actively exploited with no fix available or is publicly disclosed. HC3 recommends patching all vulnerabilities with special consideration to the risk management posture of the organization.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) added two, one, and three known exploited vulnerabilities to its catalog.
  • CISA and other federal agencies issued a joint advisory about “APT28 (also known as Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang and Sofacy), a highly skilled threat actor” that “accesses poorly maintained Cisco routers and deploys malware on unpatched devices using CVE-2017-6742.”
  • Cybersecurity Dive tells us,
    • “Threat actors can use ChatGPT to sharpen cyberthreats, but no need to panic yet
    • “Startling dangers, such as autonomous attack mechanisms and sophisticated malware coding, have yet to materialize. For now, the threat is more specific.”

From the ransomware front —

  • Here’s a link to the latest Bleeping Computer Week in Ransomware.

From the cyber defenses front —

  • The Department of Health and Human Services announced
    • “On April 17, 2023, The U.S. Department of Health and Human Services (HHS) 405(d) Program announced the release of the following resources to help address cybersecurity concerns in the Healthcare and Public Health (HPH) Sector:
    • Knowledge on Demand – a new online educational platform that offers free cybersecurity trainings for health and public health organizations to improve cybersecurity awareness.
    • Health Industry Cybersecurity Practices (HICP) 2023 Edition – a foundational publication that aims to raise awareness of cybersecurity risks, provide best practices, and help the HPH Sector set standards in mitigating the most pertinent cybersecurity threats to the sector.
    • Hospital Cyber Resiliency Initiative Landscape Analysis – PDF – a report on domestic hospitals’ current state of cybersecurity preparedness, including a review of participating hospitals benchmarked against standard cybersecurity guidelines such as HICP 2023 and the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).”
  • Forbes points out
    • “Cyber investments have become table stakes for businesses around the world. Cybercrime is increasing, with 91% of organizations reporting at least one cyber incident in the past year. Not only are they growing in numbers, but they are becoming more sophisticated and diverse, with new threats constantly emerging. According to the 2023 Deloitte Global Future of Cyber survey, in this environment, business leaders are changing how they think of cyber, and it’s emerging as a larger strategic discussion tied to an organization’s long-term success.
    • “Today, leaders should consider how to work cyber into every part of their business—from operations to the employee and the consumer. By creating business strategies that embed cyber, improve employee training, and build cyber into digital transformation initiatives; businesses can stay ahead of the curve and better protect their organizations. [The linked article explains] how some leaders are rethinking their approaches to cyber to help drive long-term growth for their companies.”
  • Cyberscoop reports
    • “Some of the biggest names in modern computing — including a winner of the prestigious Turing Award — are betting on a new type of operating system they say will be resilient against common cyberattacks and bounce back from ransomware infections within minutes. 
    • “Those are bold claims. But the people behind the project include Michael Stonebraker, a serial tech entrepreneur and computer scientist at the Massachusetts Institute of Technology whose groundbreaking work on database systems earned him the Turing honor in 2015. He’s teaming up with Matei Zaharia, an associate professor at Stanford University and creator of the Apache Spark project, and Jeremy Kepner, head of the MIT Lincoln Laboratory Supercomputing Center.
    • “It’s a total new paradigm,” said Michael Coden, associate director of cybersecurity at MIT Sloan School of Management, who took a part-time position at Boston Consulting Group as senior adviser in order to help lead the database-oriented operating system, or “DBOS” for short.
    • “Stonebraker and Coden plan on demonstrating the open-source operating system during the RSA Conference, the annual cybersecurity gathering in San Francisco, next week and show in real time how it will bounce back from a simulated ransomware attack.”
  • The NIST Cybersecurity and Privacy Program made available,
    • “The initial public draft of NIST Special Publication (SP) 800-207A, A Zero Trust Architecture Model for Access Control in Cloud-Native Applications in Multi-Location Environments, is now available for public comment.
    • “Enterprise application environments consist of geographically distributed and loosely coupled microservices that span multiple cloud and on-premises environments. They are accessed by a userbase from different locations through different devices. This scenario calls for establishing trust in all enterprise access entities, data sources, and computing services through secure communication and the validation of access policies.”
    • The public comment deadline is June 7, 2023.