Cybersecurity Saturday

From the cybersecurity policy front

Harvard Business Review explains what U.S. business needs to know about the new U.S. cybersecurity policy.

  • While the 39-page document features bureaucratic buzzwords like “harmonize”, “stakeholders,” and “multilateral,” we’ve identified three concrete things business leaders should know about the new strategy.
    • “First, every company needs to identify their distinct vulnerabilities and risks.
    • “Second, companies then need to adopt measures that address those supply chain vulnerabilities, and
    • “Third, companies need to recognize that one size will not fit all when it comes to cybersecurity. An important subtext of the strategy is its focus on establishing more aggressive regulatory standards on larger business, critical infrastructure, and software providers.”

Dark Reading adds

  • “In order for cybersecurity initiatives to be effective in reducing security failures, Gartner, a research and consulting firm, finds that it will be essential for security and risk management leaders to turn to a human-centered approach.
  • “A human-centric approach in cybersecurity practices prioritizes the individual employee and their experience, which ultimately encourages better practices while also reducing friction and risk. 
  • In the past, there has been a focus on improving the technology or the many different processes that uphold security practices. Going forward, having a “human-centric talent management approach” means focusing on the employees that require these kinds of updates to technology and program processes to be made in the first place, and shifting from external hiring to internal or “quiet hiring,” according to Gartner.”

FedScoop reports

  • “The Cybersecurity and Infrastructure Security Agency, the FBI, the National Security Agency and cybersecurity authorities of other international allies on Thursday published joint guidance urging software manufacturers to bake secure-by-design and -default principles into their products. 
  • “The cybersecurity guidance is the first of its kind, and is intended to speed up cultural shifts within the technology industry that are needed to achieve a safe and secure future online. 
  • “Key principles of the new guidance include: taking ownership of security outcomes of products, embracing “radical transparency” and ensuring that companies have c-suite support to prioritize product security.
  • “Publication of the secure-by-design principles follows the publication in March of a new national cybersecurity strategy by the Biden administration, which sought to shift the responsibility for maintaining the security of computer systems further towards larger software makers.”

From the cyber vulnerabilities front

Healthcare Dive tells us

  • “The healthcare industry is “cyber poor” and the most targeted sector for data breaches over the past four years, according to a Moody’s Investors Service report from this week.
  • “Moody’s said healthcare’s vulnerable state makes it “target rich,” which could bring service disruptions and personal data disclosures.
  • “Nonprofit healthcare organizations received a “very high risk” rating, while corporate healthcare was deemed “high risk.” Providers must ramp up investment in cybersecurity to protect patient data and avoid interruption of critical operations, the report said.”

The Cybersecurity and Infrastructure Security Agency added to its catalog two known exploited vulnerabilities on April 10, one more on April 11, and two more on April 13.

From the ransomware front

  • Cybersecurity Dive relates, “Rorschach ransomware, with a rare encryption speed, makes it even harder for companies to respond. The potential impact and victims claimed by Rorschach remain unknown, but one expert said some yet-undetected attacks are likely underway.”
  • Cyberscoop informs us “Ransomware gangs increasingly deploy zero-days to maximize attacks; Microsoft issued a patch for a zero-day that researchers at Kaspersky said was used to deliver Nokoyawa ransomware.”
  • The Bleeping Computer’s Week in Ransomware is back.

From the cyber defenses front

  • CISA released
    • “an update to the Zero Trust Maturity Model (ZTMM), superseding the initial version released in September 2021. ZTMM provides a roadmap for agencies to reference as they transition towards a zero-trust architecture. ZTMM also provides a gradient of implementation across five distinct pillars to facilitate federal implementation, allowing agencies to make minor advancements toward optimization over time.
    • “The objective of this update is to facilitate the distribution of the ZTMM Version 2 and educate federal civilian agencies on the updated ZTMM and its application to their zero-trust implementations. CISA encourages state, local, tribal, and territorial governments, and the private sector to use ZTMM as a baseline for implementing zero trust architecture.”
  • An ISACA expert points out “Five Key Considerations When Developing a Collaboration Strategy for Information Risk and Security.”

Cybersecurity Saturday

In cybersecurity news —

  • Cyberscoop offers a commentary on Russian hackers — and how to stop them — after a year of cyberwar in Ukraine
  • The Health Sector Cybersecurity Coordination Center (HC3) released its first quarter 2023 healthcare cybersecurity bulletin.
    • “In Q1 of 2023, HC3 observed a continuation of many ongoing trends with regard to cyber threats to the Healthcare and Public Health community. Ransomware attacks, data breaches and often both together continued to be prevalent in attacks against the health sector. Ransomware operators continued to evolve their techniques and weapons for increasing extortion pressure and maximizing their payday. Vulnerabilities in software and hardware platforms, some ubiquitous and some specific to healthcare, continued to keep the attack surface of healthcare organizations open. Managed service provider compromise continued to be a significant threat to the health sector, as did supply chain compromise.”
  • The Cybersecurity and Infrastructure Security Agency launched National Supply Chain Integrity Month.

From the cyber vulnerabilities front —

  • Health IT Security tells us
    • “Threat actors are increasingly abusing cloud apps to deliver malware in healthcare settings, Netskope revealed in its latest Threat Labs Report. Cloud-delivered malware increased from 38 percent to 42 percent in the past 12 months, researchers found.”
    • “Attackers attempt to fly under the radar by delivering malicious content via popular cloud apps,” the report stated. “Abusing cloud apps for malware delivery enables attackers to evade security controls that rely primarily on domain block lists and URL filtering, or that do not inspect cloud traffic.”
  • HC3 released a sector alert about “DNS NXDOMAIN Attacks.”
    • “Through a trusted third party, information was shared with HC3 regarding a distributed denial-of-service (DDoS) attack, which has been tracked since November 2022. These attacks are flooding targeted networks and servers with a fake Domain Name Server (DNS) request for non-existent domains (NXDOMAINs).”
    • Health IT Security provides more background on these attacks.
      • “Their signature DDoS attacks on critical infrastructure sectors typically only cause service outages lasting several hours or even days,” HC3 noted. “However, the range of consequences from these attacks on the United States health and public health (HPH) sector can be significant, threatening routine to critical day-to-day operations.”
  • HC3 also released a presentation explaining “why electronic health records are still a top target for cyber threat actors.”
  • The Cybersecurity and Infrastructure Security Administration added five known exploited vulnerabilities. Bleeping Computer explains the action.
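The NXDOMAIN flood described in the HC3 alert above leaves a recognizable trace in resolver or authoritative query logs: a client whose answers are almost all NXDOMAIN, for names that never repeat. The following is an added example, not code from HC3 or any publication quoted here; it assumes a constructed, simplified log format (timestamp, client, name, type, rcode) and invented sample traffic.

```python
import re
from collections import defaultdict

# Assumed (constructed) log format, one query per line:
#   <timestamp> <client-ip> <qname> <qtype> <rcode>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<rcode>\S+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Per-client counts: total queries, NXDOMAIN answers, distinct NXDOMAIN names."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "nx_names": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than failing the whole run
        s = stats[rec["client"]]
        s["total"] += 1
        if rec["rcode"] == "NXDOMAIN":
            s["nx"] += 1
            s["nx_names"].add(rec["qname"].lower())
    return stats


def find_nxdomain_floods(lines, min_queries=20, nx_ratio=0.8, unique_ratio=0.9):
    """Flag clients whose traffic is mostly NXDOMAIN answers for names that
    almost never repeat (the random-subdomain pattern of an NXDOMAIN flood).

    A legitimate client with a typo or a stale record has a low NXDOMAIN
    ratio and repeats the same few names, so both thresholds must be met."""
    findings = []
    for client, s in summarize(lines).items():
        if s["total"] < min_queries:
            continue  # too little traffic to judge
        ratio = s["nx"] / s["total"]
        uniq = len(s["nx_names"]) / s["nx"] if s["nx"] else 0.0
        if ratio >= nx_ratio and uniq >= unique_ratio:
            findings.append({
                "client": client,
                "queries": s["total"],
                "nxdomain": s["nx"],
                "nx_ratio": round(ratio, 2),
                "unique_ratio": round(uniq, 2),
            })
    return sorted(findings, key=lambda f: f["nxdomain"], reverse=True)


def build_sample_log():
    """Constructed sample: one normal client (30 queries, one NXDOMAIN from a
    typo) and one client firing 40 queries for never-seen subdomains."""
    lines = []
    for i in range(30):
        if i == 17:
            lines.append(f"2022-11-14T10:00:{i:02d}Z 10.1.1.5 mial.hospital.example A NXDOMAIN")
            continue
        name = ["portal", "ehr", "mail"][i % 3] + ".hospital.example"
        lines.append(f"2022-11-14T10:00:{i:02d}Z 10.1.1.5 {name} A NOERROR")
    for i in range(40):
        # deterministic pseudo-random labels standing in for the junk
        # subdomains such floods generate; all 40 values are distinct
        label = f"{(i * 2654435761) % 0xFFFFFF:06x}"
        lines.append(
            f"2022-11-14T10:00:{i % 60:02d}Z 198.51.100.7 {label}.hospital.example A NXDOMAIN"
        )
    return lines


if __name__ == "__main__":
    for f in find_nxdomain_floods(build_sample_log()):
        print(f"NXDOMAIN flood suspected from {f['client']}: "
              f"{f['nxdomain']}/{f['queries']} answers NXDOMAIN, "
              f"{f['unique_ratio']:.0%} distinct names")
```

On real logs, run the check per time window (for example one minute) so a burst is not diluted by a client's normal traffic.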

From the ransomware front —

  • Cybersecurity Dive reports
    • “Researchers at Check Point detected a highly sophisticated – and previously unnamed – ransomware strain which the company says may be the fastest ever, with an encryption speed almost twice as fast as LockBit. The ransomware, which Check Point dubbed “Rorschach,” was used in an attack against a U.S. company.
    • “The ransomware was deployed using a DLL-sideloading technique using Palo Alto Networks’ Cortex XDR, which is a signed commercial security product. This technique has not commonly been used for ransomware. 
    • “Check Point has disclosed the information to Palo Alto, which will release new versions of Cortex XDR Agent next week to prevent misuse of the software.” 
  • Cybersecurity Dive adds
    • “Corporate leaders would be mistaken to interpret reports of fewer ransomware-related cyber insurance claims and decelerating premiums in 2022 as evidence of a diminished threat level, according to cybersecurity experts.”
    • “While the private sector and government have made some progress in the fight against ransomware, the threat is still serious and evolving, the experts warned.”
    • “I think hackers are always going to evolve, so we can’t rest on the laurels of 2022,” John Farley, managing director of the cyber practice at Gallagher, an insurance brokerage firm based in Rolling Meadows, Ill., told CFO Dive. “We have to be able to adapt quickly to this ever-evolving threat.”

From the cyberdefenses front —

  • Cybersecurity Dive informs us
    • Organizations that implement automated hardening techniques will have the best opportunity to prevent cyberattacks, according to a report released Thursday by Marsh McLennan. Those that apply baseline security techniques to servers, operating systems and other components are six times less likely to suffer a security breach.
    • Insurers have historically recommended three major controls to reduce cyber risk: endpoint detection and response, multifactor authentication and privileged access management. 
    • However, the report shows multifactor authentication only works when it is implemented across all access points for critical and sensitive data, including remote access and administrator account access points. 
    • Organizations using these methods are 1.4 times less likely to suffer damage from an attack. 
    • Another key control is patching high-severity vulnerabilities within seven days of the initial patch release. More than half of organizations are patching critical vulnerabilities within the first seven days, but only 24% of organizations are patching high-severity vulnerabilities — rated with a CVSS score of 7.0 to 8.9 — in that same time period.
  • Becker’s Hospital Review reports 
    • “Software giant Microsoft received a court order from the U.S. District Court for the Eastern District of New York that will allow the company to disrupt infrastructure used by ransomware gangs during hospital attacks.
    • “The court order allows Microsoft to cut off communication between hackers and a fake version of the cybersecurity software Cobalt Strike, used by hackers to breach hospital systems.
    • “The abuse of the cybersecurity software is a tactic used by Russian-speaking ransomware gangs Conti and LockBit, according to an April 6 Microsoft news release.”
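The seven-day patching metric from the Marsh McLennan report above can be tracked the same way inside an organization: band each finding by its CVSS score and measure the share remediated within the window, while listing what is still open past it. This is an added example, not code from the report or from Cybersecurity Dive; the finding records and the EXAMPLE-nnn identifiers are constructed placeholders, not real vulnerability ids.

```python
from collections import defaultdict
from datetime import date


def cvss_band(score):
    """Qualitative band for a CVSS v3 base score (NVD ranges)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def patch_sla_report(findings, as_of, sla_days=7):
    """For each CVSS band, the share of findings patched within sla_days of
    the vendor's patch release, plus the ids of findings still open past the
    SLA on as_of.  Each finding is a dict with id, cvss, released (date) and
    patched (date, or None while still open)."""
    bands = defaultdict(lambda: {"total": 0, "within_sla": 0})
    overdue = []
    for f in findings:
        band = cvss_band(f["cvss"])
        bands[band]["total"] += 1
        if f["patched"] is not None:
            if (f["patched"] - f["released"]).days <= sla_days:
                bands[band]["within_sla"] += 1
        elif (as_of - f["released"]).days > sla_days:
            overdue.append(f["id"])  # open and already past the window
    summary = {
        band: {
            "total": b["total"],
            "within_sla": b["within_sla"],
            "pct": round(100.0 * b["within_sla"] / b["total"], 1),
        }
        for band, b in bands.items()
    }
    return summary, overdue


# Constructed sample findings; EXAMPLE-nnn are placeholders, not CVE ids.
SAMPLE_FINDINGS = [
    {"id": "EXAMPLE-001", "cvss": 9.8, "released": date(2023, 3, 14), "patched": date(2023, 3, 17)},
    {"id": "EXAMPLE-002", "cvss": 9.1, "released": date(2023, 3, 14), "patched": date(2023, 3, 30)},
    {"id": "EXAMPLE-003", "cvss": 8.8, "released": date(2023, 3, 14), "patched": date(2023, 3, 20)},
    {"id": "EXAMPLE-004", "cvss": 7.5, "released": date(2023, 3, 14), "patched": date(2023, 4, 3)},
    {"id": "EXAMPLE-005", "cvss": 7.2, "released": date(2023, 3, 14), "patched": None},
    {"id": "EXAMPLE-006", "cvss": 5.3, "released": date(2023, 3, 28), "patched": None},
]


if __name__ == "__main__":
    summary, overdue = patch_sla_report(SAMPLE_FINDINGS, as_of=date(2023, 3, 31))
    for band in ("critical", "high", "medium", "low"):
        if band in summary:
            s = summary[band]
            print(f"{band:9s} {s['within_sla']}/{s['total']} patched within 7 days ({s['pct']}%)")
    print("open past SLA:", ", ".join(overdue) or "none")
```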

Cybersecurity Saturday

From the cybersecurity policy front, the Cybersecurity and Infrastructure Security Agency (CISA) reflects on its activities over the year since “the President signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) into law—an act that is critical to improving America’s cybersecurity.” Here is CISA’s overview of that law which will be implemented by rulemaking. The proposed rule is expected soon.

The FEHBlog has been tracking two Federal Acquisition Regulation cybersecurity rulemakings:

It turns out that on March 15, 2023, OMB’s Office of Information and Regulatory Affairs bounced those rules back to the FAR Council, which has gone back to the drawing board.

From the cyber vulnerabilities front –

  • CISA added ten new known exploited vulnerabilities to its catalog. Bleeping Computer provides background on this action.
  • Venture Beat identifies eight ChatGPT cybersecurity vulnerabilities for this year.
  • Bleeping Computer warns about an actively exploited bug affecting a WordPress page plug-in called Elementor Pro.

From the ransomware front, which is missing The Week in Ransomware (spring break?), Bleeping Computer tells us,

Fake extortionists are piggybacking on data breaches and ransomware incidents, threatening U.S. companies with publishing or selling allegedly stolen data unless they get paid.

Sometimes the actors add the menace of a distributed denial-of-service (DDoS) attack if the message recipient does not comply with the instructions in the message. * * *

The attackers behind this activity use the name Midnight and started targeting companies in the U.S. since at least March 16.

Health IT Security reports

Thanks to a joint effort by the HHS Office of Inspector General (OIG) and the Federal Bureau of Investigation (FBI), a cybercriminal marketplace known as BreachForums was forced offline, the Department of Justice (DOJ) announced.

In addition, BreachForums founder Conor Brian Fitzpatrick, 20, of Peekskill, New York, was arrested in mid-March and made his first appearance in court on March 24. Fitzpatrick allegedly created and administered a major hacking forum that allowed its 340,000 members to buy, sell, and trade stolen data since March 2022.

The platform offered its users bank account information, hacking tools, Social Security numbers, breached databases, and account login information, along with other personally identifiable information (PII).


Cybersecurity Saturday

From the cybersecurity policy front —

Cybersecurity Dive tells us

U.S. corporate leaders need to embrace cybersecurity as an issue of central importance to the success of their businesses, Cybersecurity and Infrastructure Security Agency Director Jen Easterly said.

Easterly, in a Thursday appearance before the Economic Club of New York, told attendees that top corporate executives, including CEOs and corporate board members, need to understand the risks posed by cybersecurity and take an active role in. 

Speaking just weeks after the Biden administration unveiled the national cybersecurity strategy, Easterly said this is not an issue the government can fix on its own, but businesses will need to play an important role in solving.  

Nextgov adds

[T]he House Committee of Oversight and Accountability heard testimony from Acting National Cyber Director Kemba Walden on how to implement the National Cybersecurity Strategy.

In opening statements, Walden outlined several pillars the national strategy plans to rely on when incorporating stronger defenses into U.S. digital networks. These include forming international partnerships, investing in a workforce, incentivizing stronger cybersecurity requirements, disrupting threat actors, and implementing stronger security measures. 

The paramount principle guiding the strategy, however, is imparting more responsibility on the federal government and Big Tech players to safeguard U.S. networks.

“The biggest, most capable and best positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber risk and keeping us all safe—and that includes the federal government,” Walden said.

Health IT Security informs us

The Cybersecurity and Infrastructure Security Agency (CISA) released an updated version of its Cybersecurity Performance Goals (CPGs), a set of voluntary practices that critical infrastructure organizations may adopt to mitigate cyber risk.

CISA initially released the CPGs in October 2022 in response to President Biden’s National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. The updated version has been reorganized according to stakeholder feedback.

The CPGs are now more closely aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) functions (Identify, Protect, Detect, Respond, and Recover) to help organizations more easily navigate the CPGs and prioritize investments accordingly.

From the cyber breaches front —

Health IT Security highlights

The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) issued its 2022 Internet Crime Report, which revealed key trends that emerged in the cyber threat landscape last year. The IC3 received 800,944 complaints in 2022, signifying a 5 percent decrease from 2021.

Despite this decrease, the potential total loss grew from $6.9 billion in 2021 to more than $10.2 billion in 2022. Ransomware alone racked up $34.3 million in losses in 2022.

“While the number of reported ransomware incidents has decreased, we know not everyone who has experienced a ransomware incident has reported to the IC3,” the report noted.

“As such, we assess ransomware remains a serious threat to the public and to our economy, and the FBI and our partners will remain focused on disrupting ransomware actors and increasing the risks of engaging in this activity.”

The healthcare sector reported the most ransomware attacks to IC3 in 2022 compared to any other critical infrastructure, accounting for 210 of the 870 complaints tied to critical infrastructure. IC3 data shows that 14 of the 16 critical infrastructures had at least one member that fell victim to a ransomware attack last year.

CBS News brings us up to date on the recent DC Health Link breach.

Cybersecurity Dive relates

  • Exploits of zero-day vulnerabilities fell by almost a third in 2022, but it was still the second highest year on record, according to Mandiant research released Monday.
  • Mandiant tracked 55 zero-day vulnerabilities that were exploited in 2022, including three instances linked to financially motivated ransomware threat actors. 
  • Products from the three largest vendors — Microsoft, Google and Apple — were the most commonly exploited for the third year in a row, according to Mandiant.

Health IT Security adds

Microsoft has observed an increase in distributed denial of service (DDoS) attacks against healthcare organizations in recent months, a blog post by the Azure Network Security Team explained. Microsoft observed an increase from 10-20 DDoS attacks against healthcare applications hosted in Azure in November 2022 to 40-60 attacks daily in February 2023.

As previously reported, HHS warned the healthcare sector earlier this year about pro-Russian hacktivist group KillNet, a threat group known to target the sector with DDoS attacks.

“While KillNet’s DDoS attacks usually do not cause major damage, they can cause service outages lasting several hours or even days,” HHS stated at the time.

From the ransomware / data retrieval and extortion front

Tech Republic reports

Ransomware groups are pulling no punches in their attempts to force compromised organizations to pay up. A report released Tuesday by Unit 42, a Palo Alto Networks threat intelligence team, found that attackers are increasingly harassing victims and associated parties to make sure their ransom demands are met.

For its new 2023 Ransomware and Extortion Threat Report, Unit 42 analyzed approximately 1,000 incidents that the team investigated between May 2021 and October 2022. Around 100 cases were analyzed for insight into ransomware and extortion negotiations. Most of the cases were based in the U.S., but the observed cybercriminals conducted attacks against businesses and organizations around the world.

By the end of 2022, harassment was a factor in 20% of the ransomware cases investigated by Unit 42, a significant jump from less than 1% in mid 2021.

Bleeping Computer’s The Week in Ransomware tells us

This week’s news has been dominated by the Clop ransomware gang extorting companies whose GoAnywhere services were breached using a zero-day vulnerability.

Over the past month, one hundred new companies have been added to Clop’s data leak site, with the extortion gang threatening to leak data if a ransom is not paid.

From the cybersecurity defenses front —

The Healthcare Cybersecurity Coordination Center released a mobile device security checklist.

Mobile devices are prevalent in the health sector, and due to their storage and processing of private health information (PHI) as well as other sensitive data, these devices can be a critical part of healthcare operations. As such, their data and functionality must be protected. This document represents a basic checklist of recommended items for health sector mobile devices to maintain security, including data in motion and at rest, as well as the capabilities of the device itself.

CISA “released the Untitled Goose Tool to help network defenders detect potentially malicious activity in Microsoft Azure, Azure Active Directory (AAD), and Microsoft 365 (M365) environments. The Untitled Goose Tool offers novel authentication and data gathering methods for network defenders to use as they interrogate and analyze their Microsoft cloud services.” 

CISA also announced

In today’s blog post, Associate Director of the Joint Cyber Defense Collaborative (JCDC) Clayton Romans highlighted recent successes of pre-ransomware notification and its impact in reducing harm from ransomware intrusions. With pre-ransomware notifications, organizations can receive early warning and potentially evict threat actors before they can encrypt and hold critical data and systems for ransom. Using this proactive cyber defense capability, CISA has notified more than 60 entities of early-stage ransomware intrusions since January 2023, including critical infrastructure organizations in the Energy, Healthcare and Public Health, Water and Wastewater Systems sectors, as well as the education community.

The pre-ransomware notification was cultivated with the help of the cybersecurity research community and through CISA’s relationships with infrastructure providers and cyber threat intelligence companies.

For more information, visit #StopRansomware. To report early-stage ransomware activity, visit Report Ransomware. CISA also encourages stakeholders and network defenders to review associate director Romans’ post, Getting Ahead of the Ransomware Epidemic: CISA’s Pre-Ransomware Notifications Help Organizations Stop Attacks Before Damage Occurs, to learn more about CISA’s Pre-Ransomware Notification Initiative.

Cyberscoop explains how “the FBI Breachforum’s bust is causing chaos in the cybercrime underground. The dramatic fall of one of the preeminent cybercrime communities on the web will have major implications for the cybercrime markets.”

Weekend Update / Cybersecurity Saturday

Blue Bonnets — The Texas State Flower

The FEHBlog’s Friday Insights did not publish as scheduled on Saturday morning. To get the email distribution back on schedule the FEHBlog is combining the Weekend Update and the Cybersecurity Saturday posts below.

Weekend Update

The House of Representatives and the Senate will be in session for Committee business and floor voting on Wednesday, Thursday and Friday this week.

Recently, the Centers for Medicare and Medicaid Services confirmed that the No Surprises Act air ambulance reporting will not occur in 2023.

Under section 106 of the No Surprises Act, air ambulance providers, insurance companies, and employer-based health plans must submit to federal regulators information about air ambulance services provided to consumers. The Centers for Medicare & Medicaid Services (CMS) in the Department of Health & Human Services (HHS) is conducting this Air Ambulance data collection (AADC), which will be used to develop a public report on air ambulance services.
The proposed rules describing the proposed form and manner of the data collection can be found at this link. The final rules will specify the final reporting requirements, including the data elements and the deadlines for the data collection. The data collection will not begin until after the final rules are published. This page will be updated when the rules are finalized and more information on data collection is available.

From the value added care front, Behavioral Health Business discusses how Aetna and Optum are collaborating with a large mental health provider, Universal Health Services, to develop reliable outcome measurements for mental health services.

From the healthcare developments front —

NPR tells us

When the FDA approved bempedoic acid, marketed under the brand name Nexletol, back in 2020, it was clear that the drug helped lower LDL — “bad” cholesterol. The drug was intended for people who can’t tolerate statin medications due to muscle pain, which is a side effect reported by up to 29% of people who take statins.

What was unknown until now is whether bempedoic acid also reduced the risk of cardiovascular events. Now, the results of a randomized, controlled trial published in The New England Journal of Medicine point to significant benefit. The study included about 14,000 people, all of whom were statin intolerant.

“The big effect was on heart attacks,” says study author Dr. Steven Nissen of Cleveland Clinic. 

People who took daily doses of bempedoic acid for more than three years had about a 23% lower risk of having a heart attack, in that period, compared to those taking a placebo. There was also a 19% reduction in coronary revascularizations, which are procedures that restore blood flow to the heart, such as a bypass operation or stenting to open arteries.

Medscape highlights a “revolutionary” treatment for suicidal depression, the Stanford neuromodulation therapy (SNT) protocol.

From the medical research front, Medscape reports

A common chemical that is used in correction fluid, paint removers, gun cleaners, aerosol cleaning products, and dry cleaning may be the key culprit behind the dramatic increase in Parkinson’s disease (PD), researchers say.

An international team of researchers reviewed previous research and cited data that suggest the chemical trichloroethylene (TCE) is associated with as much as a 500% increased risk for Parkinson’s disease (PD).

Lead investigator Ray Dorsey, MD, professor of neurology, University of Rochester, New York, called PD “the world’s fastest-growing brain disease,” and told Medscape Medical News that it “may be largely preventable.”

“Countless people have died over generations from cancer and other disease linked to TCE [and] Parkinson’s may be the latest,” he said. “Banning these chemicals, containing contaminated sites, and protecting homes, schools, and buildings at risk may all create a world where Parkinson’s is increasingly rare, not common.”

The paper was published online March 14 in the Journal of Parkinson’s Disease.

The FEHBlog has several friends with Parkinson’s Disease.

From the Medicare front, Health Payer Intelligence relates

Beneficiaries with end-stage renal disease (ESRD) are increasingly shifting from Medicare fee-for-service (FFS) to Medicare Advantage, leading more Medicare Advantage plans to form value-based arrangements with kidney care management companies, according to Avalere.

Beneficiaries with ESRD have typically received coverage through Medicare FFS because only those already enrolled in a Medicare Advantage plan before initiating dialysis were eligible for the private program through 2020.

A provision under the 21st Century Cures Act that went into effect on January 1, 2021, made all Medicare beneficiaries with ESRD eligible to enroll in Medicare Advantage plans.

Although patient safety awareness week is over, the Wall Street Journal makes us aware that

Black boxes on airplanes record detailed information about flights. Now, a technology that goes by the same name and captures just about everything that goes on in an operating room during a surgery is making its way into hospitals.

The OR Black Box, a system of sensors and software, is being used in operating rooms in 24 hospitals in the U.S., Canada and Western Europe. Video, audio, patient vital signs and data from surgical devices are among the information being captured.

The technology is being used primarily to analyze operating-room practices in hopes of reducing medical errors, improving patient safety and making operating rooms more efficient. It can also help hospitals figure out what happened if an operation goes wrong. * * *

Duke University Hospital, where two operating rooms are equipped with black boxes, is using the technology to study and improve on patient positioning for surgery to reduce the possibility of skin-tissue and nerve injuries. It is also studying and using the technology to improve communication among nursing personnel throughout a surgical procedure to ensure that key tasks—such as confirming that surgical instruments and medical devices are available for a procedure—are being completed promptly, effectively and efficiently.

Cybersecurity Saturday

From the cybersecurity policy front, the American Hospital Association informs us that

The Senate Homeland Security and Governmental Affairs Committee held a full Committee hearing examining cybersecurity risks to the healthcare sector on March 16. Witnesses included Scott Dresen, chief information security officer for Corewell Health, a large integrated health system in Michigan. 
 
“The increasing frequency of attack from nation state actors and organized crime has created a sense of urgency within the healthcare sector and we need help from the United States government to respond to these threats more effectively,” Dresen said.
 
Specifically, he called for enhancing existing partnerships with and between federal agencies, expanding the sharing of actionable threat intelligence, incentivizing access to affordable technology to defend against advanced threats, ensuring there is an adequate cyber workforce, and reforming legislation to encourage the adoption of best practices while not penalizing the victims of cyberattacks.

STAT News reveals why an HHS rule amending the HIPAA Privacy Rule will wreak financial havoc on health systems. The proposed rule was issued in January 2021, so the final rule has been pending for a long time.

Federal News Network reports

The Cybersecurity and Infrastructure Security Agency (CISA) is looking to position a new “Cyber Analytics and Data System” at the center of national cyber defenses, as the agency’s post-EINSTEIN plans come into focus in its fiscal 2024 budget request.

CISA is seeking $424.9 million in the 2024 budget for “CADS.” The program is envisioned as a “system of systems,” budget documents explain, that provides “a robust and scalable analytic environment capable of integrating mission visibility data sets and providing visualization tools and advanced analytic capabilities to CISA cyber operators.”

The new program is part of the “restructuring” of the National Cybersecurity Protection System, according to the documents. More commonly known as “EINSTEIN,” the NCPS has been in place to defend federal agency networks since the Department of Homeland Security’s inception in 2003.

From the cyber breaches front, Tech Target brings us up to date on the DC Health Link breach.

An additional wrinkle to the breach came Monday [March 13] when another user on the same dark web forum using the alias Denfur, who had previously published sample data from the breach, created a thread supposedly aiming to clear up misinformation surrounding the breach.

Claiming to be a friend of IntelBroker, Denfur said the attack vector for the breach was an exposed, insecure database belonging to DC Health Link. Moreover, the poster said the database was likely exposed “for over a year and a half” before the breach occurred. TechTarget Editorial contacted DC Health Link in order to verify Denfur’s claims, but a spokesperson declined to comment.

Nextgov reports

At least two hacking groups were able to gain access to at least one federal agency’s servers through an old vulnerability in a software development and design product, according to a cybersecurity advisory issued Wednesday.

According to an alert issued by the Cybersecurity and Infrastructure Security Agency, or CISA, hackers were able to gain access to and run unauthorized code on a federal agency’s server, though they were not able to gain privileged access or move deeper into the network. The malicious activity was observed between November 2022 and early January, though the initial compromise goes as far back as August 2021.

Hackers used a vulnerability in old versions of Telerik UI, a software developer kit for designing apps, which, when exploited, allows hackers with access to execute code. The vulnerability was discovered in 2019 and builds on previous vulnerabilities discovered in 2017 that allow bad actors to gain privileged access and “successfully execute remote code on the vulnerable web server.”

The National Vulnerability Database—managed by the National Institute of Standards and Technology—rates this a critical vulnerability, with a score of 9.8 out of 10.

From the cyber vulnerabilities front, HHS’s Healthcare Cybersecurity Coordination Center (HC3) released its February 2023 list of vulnerabilities of interest to the health sector.

In February 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for this month are from Microsoft, Google/Android, Apple, Mozilla, SAP, Citrix, Intel, Cisco, VMWare, Fortinet, and Adobe. A vulnerability is given the classification as a zero-day if it is actively exploited with no fix available or is publicly disclosed. HC3 recommends patching all vulnerabilities with special consideration to the risk management posture of the organization.

Cybersecurity Dive informs us.

  • Researchers are warning that state-linked and financially motivated threat actors may try to exploit a critical zero-day vulnerability in Microsoft Outlook to launch new attacks against unpatched systems. 
  • Microsoft urged customers to patch their systems against CVE-2023-23397 to address the critical escalation of privilege vulnerability in Microsoft Outlook for Windows, the company said Tuesday. Microsoft Threat Intelligence warned that a Russia-based threat actor launched attacks against targeted victims in several European countries.
  • Mandiant researchers warned that other criminal and cyber-espionage actors will race to find new victims vulnerable to the zero day before organizations can apply patches. 

CISA added three and then one more known exploited vulnerability to its catalog this week.

Security Week highlights that “Deepfakes are becoming increasingly popular with cybercriminals, and as these technologies become even easier to use, organizations must become even more vigilant.”

Deepfakes are part of the ongoing trend of weaponized AI. They’re extremely effective in the context of social engineering because they use AI to mimic human communications so well. With tools like these, malicious actors can easily hoodwink people into giving them credentials or other sensitive information, or even transfer money for instant financial gain. Deepfakes represent the next generation of fraud, by enabling bad actors to impersonate people more accurately and thus trick employees, friends, customers, etc., into doing things like turning over sensitive credentials or wiring money.

Here’s one real-world example: Bad actors used deepfake voice technology to defraud a company by using AI to mimic the voice of a CEO to persuade an employee to transfer nearly $250,000 to a Hungarian supplier. Earlier this year, the FBI also warned of an uptick in the use of deepfakes and stolen PII to apply for remote work jobs – especially for positions with access to a lot of sensitive customer data.

The Security Week article also discusses defenses to deepfake tactics.

From the ransomware and data exfiltration front –

  • The Federal Bureau of Investigation (FBI), CISA, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released a joint cybersecurity advisory (CSA), #StopRansomware: LockBit 3.0. This joint advisory details known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) that FBI investigations correlated with LockBit 3.0 ransomware as recently as March 2023. LockBit 3.0 functions as an affiliate-based ransomware variant and is a continuation of LockBit 2.0 and LockBit. CISA encourages network defenders to review and apply the recommendations in the Mitigations section of this CSA.
  • HC3 posted a threat profile on Black Basta.
    • “Black Basta was initially spotted in early 2022, known for its double extortion attack, the Russian-speaking group not only executes ransomware but also exfiltrates sensitive data, operating a cybercrime marketplace to publicly release it, should a victim fail to pay a ransom. The threat group’s prolific targeting of at least 20 victims in its first two weeks of operation indicates that it is experienced in ransomware and has a steady source of initial access. The level of sophistication by its proficient ransomware operators, and reluctance to recruit or advertise on Dark Web forums, supports why many suspect the nascent Black Basta may even be a rebrand of the Russian-speaking RaaS threat group Conti, or also linked to other Russian-speaking cyber threat groups. Previous HC3 Analyst Notes on Conti and BlackMatter even reinforce the similar tactics, techniques, and procedures (TTPs) shared with Black Basta. Nevertheless, as ransomware attacks continue to increase, this Threat Profile highlights the emerging group and its seasoned cybercriminals and provides best practices to lower risks of being victimized.”

Here is a link to the always interesting Bleeping Computer Week in Ransomware.

From the cyber defenses front —

CISA announced

the creation of the Ransomware Vulnerability Warning Pilot (RVWP). Through the RVWP, CISA:

  1. Proactively identifies information systems—belonging to critical infrastructure entities—that contain vulnerabilities commonly associated with ransomware intrusions.
  2. Notifies the owners of the affected information systems, which enables the owners to mitigate the vulnerabilities before damaging intrusions occur. 

Review the RVWP webpage for details, including information on the authorities and services CISA leverages to enable RVWP notifications.

HelpNetSecurity tells us how to use ChatGPT to improve cyber defenses.

Cybersecurity Saturday

From Capitol Hill, the Senate Homeland Security and Governmental Affairs Committee will hold a full Committee hearing to examine cybersecurity risks to the healthcare sector. The hearing will occur on Thursday, March 16, 2023, at 10 am.

Among the topics at the hearing will be a serious cybersecurity breach at DC Health Link, which runs the DC health marketplace under the Affordable Care Act (“ACA”). In the ACA, Congress shifted health benefits coverage for its members and senior staffers from FEHB to the ACA marketplace. Of note, Congress was directly hit in the OPM breach and in this new one.

Axios explains

A hacker who uses the pseudonym “Denfur” is selling a database they claim includes stolen sensitive data from at least 55,000 customers of D.C.’s health insurance marketplace, including members of Congress and their staffs.

Driving the news: Congressional leaders started warning lawmakers on Wednesday about the breach at DC Health Link and suggested they freeze their credit while an investigation continues.

  • DC Health Link, which confirmed the breach and dark web leaks in a statement, helps all city residents purchase health insurance, not just members of Congress.

What’s happening: Researchers at Check Point Research told Axios Thursday that a malicious hacker had posted the database for sale on the “biggest English-speaking dark web hacking forum.” The member claims the database includes sensitive data from thousands of customers, including Social Security numbers, birthdates and home addresses.

  • Denfur is now selling the stolen database for just “a few dollars,” researchers noted. Denfur signed off the post with “Glory to Russia!”
  • CyberScoop reports that a sample of the stolen data includes information about former defense officials and lobbyists, and the Associated Press reported it was able to authenticate data belonging to two victims in the set.
  • Axios has seen the dark web post, which was still live as of Friday morning.

Cyberscoop adds,

A person using the moniker “IntelBroker” first posted the stolen data on March 6 to an online forum, where data breaches are publicized and data is either published for download or offered for sale. That post was subsequently pulled down, and “IntelBroker” is now listed permanently banned. 

Three days later, on March 9, a second user going by the name “Denfur” — whose signature on the site reads “Glory to Russia!” — posted what they claimed was the full database, along with a sample that includes 200 entries. The full dataset includes 67,565 unique entries and about 55,000 “unique people,” Denfur claimed. 

At about midday Thursday Denfur also claimed that “the intended target WAS U.S. Politicians and members of U.S. Government.” The quote appeared alongside a link to a news story about the incident quoting House of Representatives Chief Administrative Officer Catherine Szpindor as saying that the members of Congress were not the specific target of the attack.

From the cybersecurity risks / vulnerabilities front —

Tech Republic tells us,

CrowdStrike, a cybersecurity firm that tracks the activities of global threat actors, reported the largest increase in adversaries it has ever observed in one year — identifying 33 new threat actors and a 95% increase in attacks on cloud architectures. Cases involving “cloud-conscious” actors nearly tripled from 2021.

“This growth indicates a larger trend of e-crime and nation-state actors adopting knowledge and tradecraft to increasingly exploit cloud environments,” said CrowdStrike in its 2023 Global Threat Report.

Besides the raft of new threat actors in the wilds that it pinpointed, CrowdStrike’s report also identified a surge in identity-based threats, cloud exploitations, nation-state espionage and attacks that re-weaponized previously patched vulnerabilities. * * *

Last week’s revelation of an attack on password manager LastPass, with 25 million users, says a lot about the difficulty of defending against data thieves entering either by social engineering or vulnerabilities not usually targeted by malware. The insurgency, the second attack against LastPass by the same actor, was possible because the attack targeted a vulnerability in media software on an employee’s home computer, releasing to the attackers a trove of unencrypted customer data.

The Cybersecurity and Infrastructure Security Agency (CISA) added three known exploited vulnerabilities to its catalog on March 7, 2023, and two more on March 10. Bleeping Computer provides its perspective here.

Tech Republic also highlights a cybersecurity report from the World Economic Forum that is worth a gander.

From the ransomware front

Tech Republic informs us based on the CrowdStrike report that cybercriminals are shifting tactics from ransomware to data exfiltration and extortion like what happened at DC Health Link. “There was a 20% increase in the number of adversaries conducting data theft and extortion last year, by CrowdStrike’s reckoning.”

HHS’s Healthcare Sector Cybersecurity Coordination Center (HC3) issued a threat alert on data exfiltration trends in the healthcare sector on March 9.

Here’s a link to Bleeping Computer’s The Week in Ransomware.

From the cybersecurity defenses front —

Health IT Security reports

HHS, through the Administration for Strategic Preparedness and Response (ASPR), and the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group released the Cybersecurity Framework Implementation Guide to help the healthcare sector manage cybersecurity risks amid an increasingly sophisticated threat landscape.

The guide aims to help healthcare organizations align their cyber programs with the National Institute for Standards and Technology (NIST) Cybersecurity Framework (CSF). * * *

The publication is not intended to replace other cybersecurity programs or provide a roadmap to compliance, the guide states. Rather, the voluntary guidance can help healthcare organizations bolster their existing programs and ideally reduce risk by aligning the healthcare sector with NIST’s robust framework.  

Bank Info Security points out that “In addition to the new joint NIST cybersecurity framework toolkit, the Health Sector Coordinating Council and HHS are also close to completing an update of a joint 2019 publication, Health Industry Cybersecurity Practices.”

Cybersecurity Saturday

From the cybersecurity policy front —

The Wall Street Journal reports

The Biden administration said it would pursue laws to establish liability for software companies that sell technology that lacks cybersecurity protections, concluding that market forces alone aren’t sufficient to guard consumers and the nation.

Free markets and a reliance on voluntary security frameworks have imposed “inadequate costs” on companies that offer insecure products or services, according to a national cybersecurity strategy released Thursday. It says the administration would work with Congress and the private sector to create liability for software vendors, sketching out in broad terms what such legislation should entail. * * *

In addition to making a forceful call for expanded liability, the plan reiterates several top priorities that have frequently been listed by various senior cybersecurity officials in recent years, such as urging more collaboration and threat-intelligence sharing with the private sector, forging international partnerships to develop cyber norms, and modernizing federal technology. While much of it is consistent with the goals of past administrations, the focus on liability and mandates on critical infrastructure largely depart from President Biden’s predecessors.

The strategy also emphasizes the need for persistent use of offensive cyber capabilities, such as those housed at the U.S. Cyber Command, to disrupt and dismantle cyber threats to the U.S. The strategy’s language effectively endorses steps taken during the Trump administration to allow the military to be more active with offensive cyber weapons. Mr. Biden’s strategy replaces one issued by former President Donald Trump in 2018.

Security experts and former officials said establishing liability for software manufacturers was the most significant—if hardest to achieve—element of the strategy.

Security Week offers insider observations on the new strategy.

Here are links to the White House’s fact sheet and an informative report from Health IT Security.

The document is divided into five pillars, representing key focus areas: defend critical infrastructure, disrupt and dismantle threat actors, shape market forces to drive security and resilience, invest in a resilient future, and forge international partnerships to pursue shared goals.

Each pillar has significant implications for critical infrastructure entities, including those in the healthcare sector. Namely, the National Cybersecurity Strategy highlights the need to further prioritize Internet of Things (IoT) device security and to transfer some cyber responsibilities away from software users and onto vendors.

“We must make fundamental changes to the underlying dynamics of the digital ecosystem, shifting the advantage to its defenders and perpetually frustrating the forces that would threaten it,” the document states.

“Our goal is a defensible, resilient digital ecosystem where it is costlier to attack systems than defend them, where sensitive or private information is secure and protected, and where neither incidents nor errors cascade into catastrophic, systemic consequences.”

Cybersecurity Dive discusses the path to implementing this strategy.

From the cyber breaches front, Security Week points out four recent healthcare sector data breaches.

From the cyber vulnerabilities front —

Cybersecurity Dive informs us

  • Nearly one-third of companies lost money following a phishing attack in 2022, Proofpoint research found. 
  • The 76% year-over-year increase in phishing attacks resulting in a wire transfer or invoice fraud reflects threat actors’ resolve to narrow their scope and steal money more quickly, according to Proofpoint’s annual State of the Phish report released Tuesday.
  • “We saw a significant jump in the direct financial loss,” said Sara Pan, team manager of product marketing at Proofpoint. “What that really implies is that we’re seeing attackers being more impatient and really wanting to claim their trophy right after a successful phishing attack.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) added one more known exploited vulnerability to its catalog.

From the ransomware front —

  • Bank Info Security reports on an FBI report on ransomware attacks against critical infrastructure in 2022.
  • Bank Info Security adds,
    • Based on known ransomware attacks, security researchers say the volume of such attacks seems to have remained constant in recent years. Ransomware incident response firm Coveware and cryptocurrency intelligence firm Chainalysis last month reported that blockchain analysis revealed a notable decline of 40% in the dollar volume of ransom being paid to criminals.
    • Coveware ascribed the decline directly to the FBI, which has “subtly but effectively shifted strategy from pursuing just arrests to putting a focus on helping victims, and imposing costs to the economic levers that make cybercrime so profitable.” Making a particular impact, Coveware says, is FBI agents quickly landing on-site to assist, including by helping senior executives and boards of directors understand their options.
  • The FBI and CISA issued an alert on Royal Ransomware.
    • Today [March 2, 2023], the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released joint Cybersecurity Advisory (CSA) #StopRansomware: Royal Ransomware to provide network defenders tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Royal ransomware variants. FBI investigations identified these TTPs and IOCs as recently as January 2023.
    • Royal ransomware attacks have spread across numerous critical infrastructure sectors including, but not limited to, manufacturing, communications, healthcare and public healthcare (HPH), and education.
    • CISA encourages network defenders to review the CSA and to apply the included mitigations. See StopRansomware.gov for additional guidance on ransomware protection, detection, and response.
  • The Bleeping Computer’s Week in Ransomware is back!

From the cyber defense front —

CISA announced

Today [February 28, 2023], CISA released a Cybersecurity Advisory, CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks. This advisory describes a red team assessment of a large critical infrastructure organization with a mature cyber posture. CISA is releasing this Cybersecurity Advisory (CSA) detailing the red team’s tactics, techniques, and procedures (TTPs) and key findings to provide network defenders proactive steps to reduce the threat of similar activity from malicious cyber actors. 
  
As detailed in the advisory, the CISA red team obtained persistent access to the organization’s network, moved laterally across multiple geographically separated sites, and gained access to systems adjacent to the organization’s sensitive business systems. This cybersecurity advisory highlights the importance of early detection and continual monitoring of cyber assets.  
  
CISA encourages critical infrastructure organizations to apply the recommendations in the Mitigations section of this CSA to ensure security processes and procedures are up to date, effective, and enable timely detection and early mitigation of malicious activity.

Cybersecurity Dive observes

  • The Cybersecurity and Infrastructure Security Agency is urging critical infrastructure providers to harden their defenses and enable phishing resistant multifactor authentication, after conducting a red team assessment of a large organization over a three-month period in 2022.
  • During the voluntary assessment, a CISA red team was able to gain access to workstations at separate geographic locations using spearphishing emails. The red team leveraged that access to move laterally around the network, gaining root access to multiple workstations adjacent to specialized servers. 
  • The organization largely failed to detect multiple actions by the red team, including lateral movement, persistence and command and control activity. However, the use of strong service account passwords and MFA prevented the red team from accessing a sensitive business system.

The American Hospital Association adds,

“This highly detailed and technical report is an excellent guide to help implement specific cybersecurity tools that will help detect a cyberattack in the early stages and significantly reduce its spread and impact,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “The ‘red team’ or penetration test used a common combination of voice and email social engineering techniques to gain trust of the end users and compromise their credentials, which reaffirms government and AHA cybersecurity guidance that relatively low-cost basics such as establishing phishing-resistant multi-factor authentication are essential to reduce cyber risk. I would strongly encourage hospitals and health systems to explore the possibility of leveraging CISA’s authority and capacity to provide free technical assistance, including red team penetration testing.” 

Also, an ISACA expert explains why “LastPass Hack Highlights Importance of Applicable Acceptable Use Policies.”

Cybersecurity Saturday

From the cybersecurity policy front —

Cyberscoop reports

A forthcoming White House cybersecurity strategy document aims to force large companies to shoulder greater responsibility for designing secure products and to redesign digital ecosystems to be more secure, Camille Stewart Gloster, the deputy national cyber director for technology and ecosystem security, said at a CyberScoop event Thursday. 

By “shifting the burden back from the smaller players” and toward larger players “that can build in security by design,” the strategy aims to deliver broad security gains, Stewart Gloster said. The strategy document also looks at how to “rearchitect our digital ecosystem” so “that we are creating future resilience,” she said.

According to an early draft of the document obtained by Slate — which White House officials have emphasized is not a final document — the strategy includes a wide range of mandatory regulations on American critical infrastructure companies to improve security and authorizes law enforcement and intelligence agencies to take a more aggressive approach to hack into foreign networks to prevent attacks or retaliate after they have occurred. 

The strategy document is expected to broadly abandon the mostly voluntary approach that has defined U.S. policy in recent years in favor of more comprehensive regulation.

PortSwigger delves into the National Institute of Standards and Technology (NIST) plans for “significant changes to its Cybersecurity Framework (CSF) – the first in five years, and the biggest reform yet” as first noted here last week.

From the cyber vulnerabilities front —

The Cybersecurity and Infrastructure Security Agency (CISA) offers this alert

CISA assesses that the United States and European nations may experience disruptive and defacement attacks against websites in an attempt to sow chaos and societal discord on February 24, 2023, the anniversary of Russia’s 2022 invasion of Ukraine. CISA urges organizations and individuals to increase their cyber vigilance in response to this potential threat.

Security Week adds the perspective of “Several cybersecurity companies’ reports [published] in the past week summarizing what they have seen in cyberspace since the start of the war.”

Cybersecurity Dive reports

  • “Phishing remained the top initial access vector for security incidents last year with more than 2 in 5 of all incidents involving phishing as the pathway to compromise, IBM research found.
  • “Three in 5 of all phishing attacks were conducted through attachments last year, according to IBM Security X-Force’s annual threat intelligence report released Wednesday. Phishing via links accounted for one-third of all phishing attacks. 
  • “One-quarter of attacks involved the exploitation of public-facing applications and 16% abused valid accounts for access. Just 1 in 10 involved external remote services.”

and

  • “Threat actors are shifting tactics and embracing new tools to run more efficient and impactful operations.
  • “Attackers are now often looking to build an economy of scale,” Wendi Whitmore, SVP of Unit 42 at Palo Alto Networks said Wednesday during a keynote at the company’s annual user summit.
  • “Instead of using one attack vector against one company, threat actors are targeting an entire supply chain.
  • “Likewise, instead of encrypting data, then decrypting it on the back end, ransomware groups can just steal the information and threaten to release it publicly if their ransom demand isn’t met.”

CISA added three more known exploited vulnerabilities to its catalog on February 21. It’s worth noting that CISA refreshed its website. As a result, CISA’s known exploited vulnerabilities reports now identify the additions rather than requiring the reader to click over to the catalog. Bravo.

From the ransomware front, the Bleeping Computer provides no Week in Ransomware this week, but it does inform us about “A threat actor [that] has been targeting government entities with PureCrypter malware downloader that has been seen delivering multiple information stealers and ransomware strains.”

HHS’s Healthcare Sector Cybersecurity Coordination Center (HC3) released the following alert

Russia-linked ransomware group Clop reportedly took responsibility for a mass attack on more than 130 organizations, including those in the healthcare industry, using a zero-day vulnerability in secure file transfer software GoAnywhere MFT. Cybersecurity & Infrastructure Security Agency (CISA) added the GoAnywhere flaw (CVE-2023-0669) to its public catalog of Known Exploited Vulnerabilities. This Sector Alert follows previous HC3 Analyst Notes on Clop (CLOP Poses Ongoing Risk to HPH Organizations and CLOP Ransomware) and provides an update on its recent attack, potential new tactics, techniques and procedures (TTPs), and recommendations to detect and protect against ransomware attacks.

The American Hospital Association adds

“The Russia-linked Clop ‘ransomware-as-a-service’ gang has been targeting health care since 2019, evolving its tactics to effectively combine ransomware and data theft in novel ways,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “Last month HC3 reported that Clop was infecting files disguised to look like medical documents, submitting them to providers and requesting a medical appointment. The objective is to deceive the recipient into clicking on the malicious document and infecting the organization with highly disruptive ransomware. Health care organizations should immediately apply the security patches recommended in these alerts and review the scope, security and necessity of secure file transfer systems.”

For more from the AHA click here, and Health IT Security discusses this Alert here.

To mitigate risk, HC3 urged organizations to patch the GoAnywhere MFT vulnerability where applicable. HC3 also encouraged healthcare organizations to “acknowledge the ubiquitous threat of cyberwar against them” and focus on educating staff and assessing enterprise risk against all potential vulnerabilities.

“Prioritizing security by maintaining awareness of the threat landscape, assessing their situation, and providing staff with tools and resources necessary to prevent a cyberattack remains the best way forward for healthcare organizations,” HC3 concluded.

HC3 posted an Analyst Note about MedusaLocker ransomware yesterday.

Ransomware variants used to target the healthcare sector, from relatively well-known cyber threat groups, continue to be a source of concern and attention. (See HC3 reports on Royal Ransomware and Clop Ransomware). Likewise, the threat from lesser known but potent ransomware variants, such as the MedusaLocker, should also be a source of concern and attention by healthcare security decision makers and defenders.

The Wall Street Journal sums it up with encouraging news

Extortion payments from ransomware, a hacking scourge that has crippled hospitals, schools and public infrastructure, fell significantly last year, according to federal officials, cybersecurity analysts and blockchain firms.

After ballooning for years, the amount of money being paid to ransomware criminals dropped in 2022, as did the odds that a victim would pay the criminals who installed the ransomware. With ransomware, hackers lock up a victim’s computer network, encrypting hard drives until victims pay.

Alphabet Inc.’s Mandiant cybersecurity group said it had responded to fewer ransomware intrusions in 2022—a 15% decrease from 2021. CrowdStrike Holdings Inc., another U.S. cybersecurity firm, said it saw a drop in average ransom-demand amounts, from $5.7 million in 2021 to $4.1 million in 2022, a decline the company attributed to disruption of major ransomware gangs, including arrests, and a decline in crypto values. Ransomware payments are generally made using cryptocurrency.

The blockchain-analytics firm Chainalysis Inc. says that payments that it tracked to ransomware groups dropped by 40% last year, totaling $457 million. That is $309 million less than 2021’s tally.

“It reflects, I think, the pivot that we have made to a posture where we’re on our front foot,” Deputy Attorney General Lisa Monaco said in an interview. “We’re focusing on making sure we’re doing everything to prevent the attacks in the first place.”

Cybersecurity Saturday

From the cybersecurity policy front —

Federal News Network tells us

Federal cybersecurity leaders are looking forward to a major update for the National Institute of Standards and Technology’s Cybersecurity Framework, as NIST aims to add new details on governance, supply chain risks and more to a document that guides the cybersecurity practices of many organizations.

NIST released the original framework in 2014 and last updated the document in 2018. It began gathering feedback on the shift to “CSF 2.0” through a request for information last February, and hosted an initial workshop on the new framework in June.

Last month, NIST published a concept paper laying out some of the initial planned changes. Comments on the paper are due March 3. NIST plans to have a draft of CSF 2.0 ready by this summer, before releasing a final version in early 2024.

During a Wednesday workshop hosted by the standards agency, CISA Director Jen Easterly applauded NIST’s work to update the framework. She reiterated a recent push from CISA for the technology community to focus on “product safety” and “the idea that software and hardware must be secure by design and secure by default,” adding that NIST’s work on the framework is an important element in that endeavor.

Federal News Network adds

The Social Security Administration is getting $23.3 million from the Technology Modernization Fund to implement multifactor authentication across its internal systems, part of a trio of recent TMF awards focused on cybersecurity and reliability.

The TMF announced three new investments today for SSA, the Treasury Department and the U.S. Agency for Global Media (USAGM).

USAGM is getting $6.2 million from the TMF to implement a zero trust architecture across its global network. * * * Other agencies to receive zero trust architecture funding from the TMF include USAID, the Office of Personnel Management, the Education Department, and the General Services Administration.

Cyberscoop informs us

The U.S. government is stepping up its effort to combat threats from foreign technology investments, data acquisition and cyberattacks with a new collaboration between the Departments of Justice and Commerce, Deputy Attorney General Lisa Monaco said Thursday.

Speaking at the Chatham House in London as part of a conversation on disruptive technologies by nation states and malign actors, Monaco announced the “Disruptive Technology Strike Force,” to fight the ability of autocrats seeking “tactical advantage through the acquisition, use, and abuse of disruptive technology, innovations that are fueling the next generation of military and national security capabilities.”

Venture Beat identifies five cybersecurity trends for 2023, including:

  • Cyber insurance coverage requirements grow;
  • AI’s role in threat protection matures, and
  • Cybersecurity must be flexible to meet threats.

Speaking of cyber insurance, the Advisory Council of Employee Welfare and Pension Plans issued a report on Cybersecurity Insurance and Employee Benefit Plans.

From the cyber threats front —

  • The Health and Human Services Office for Civil Rights shared “two Reports to Congress for 2021, on 
  • These reports, delivered to Congress today, may benefit regulated entities to assist in their HIPAA compliance efforts. The reports also share steps OCR took to investigate complaints, breach reports, and compliance reviews regarding potential HIPAA rule violations.  The reports include important data on the numbers of HIPAA cases investigated, areas of noncompliance, and insights into trends such as cybersecurity readiness.”  
  • The Cybersecurity and Infrastructure Security Agency added four known exploited vulnerabilities to its catalog on February 14, 2023, and one more on February 16, 2023. Bleeping Computer discusses the February 14, 2023, additions.
  • The Healthcare Sector Cybersecurity Coordination Center produced a Healthcare Sector DDoS Guide:
  • “Distributed Denial of Service (DDoS) attacks have the potential to deny healthcare organizations and providers access to vital resources that can have a detrimental impact on the ability to provide care. In healthcare, disruptions due to a cyber-attack may interrupt business continuity by keeping patients or healthcare personnel from accessing critical healthcare assets such as electronic health records, software-based medical equipment, and websites to coordinate critical tasks. (See HC3 Analyst Note titled: Pro-Russian Hacktivist Group ‘Killnet’ Threat to HPH Sector). Link can be found here.
  • “Threat actors utilize DDoS attacks due to the cost-effectiveness and relatively low resources and technical skills needed to deploy this type of attack as a hacker doesn’t have to install any code on a victim’s server. Moreover, DDoS attacks are getting more sophisticated and complex while getting easier and cheaper to perpetrate as cyber criminals take advantage of the sheer number of insecure internet-connected devices. (Analyst Comment: It is strongly recommended by cybersecurity institutions, like the National Institute of Standards and Technology, that organizations effectively manage the cybersecurity and privacy risks associated with Internet-of-Things (IoT)). (See NIST Report (NISTIR) – 8228). Link can be found here.”

Health IT Security discusses this guide here.

One of the biggest hospital chains in the US said hackers obtained protected health information for 1 million patients after exploiting a vulnerability in an enterprise software product called GoAnywhere.

Community Health Systems of Franklin, Tennessee, said in a filing with the Securities and Exchange Commission on Monday that the attack targeted GoAnywhere MFT, a managed file transfer product Fortra licenses to large organizations. The filing said that an ongoing investigation has so far revealed that the hack likely affected 1 million individuals. The compromised data included protected health information as defined by the Health Insurance Portability and Accountability Act, as well as patients’ personal information.

From the cybersecurity defenses front —

  • Cyberscoop fills us in on the benefits of proactive cyber threat protection.
  • Venture Beat explains how to use blockchain to prevent data breaches.
  • The Wall Street Journal discusses “How Companies Can Minimize the Cybersecurity Risk From Their Tech Vendors.”
    • Set up a rigorous review process when hiring vendors; 
    • Spell out expectations in vendor agreements, including how data will be shared;
    • Hire internal assessors to regularly brief directors on vendor cybersecurity programs and vulnerabilities;
    • Carefully guard access to company data from the vendors, and 
    • Empower the chief information security officer and bring security expertise to boards.

Cybersecurity Saturday

From the cybersecurity policy front, Cybersecurity Dive informs us

National Cyber Director Chris Inglis will retire from his position Feb. 15, ending a more than four-decade career in national security.

Kemba Walden, principal deputy national cyber director and a former legal executive at Microsoft, will become acting director until Biden names a nominee for the post. The NCD post requires Senate confirmation.

From the cyber vulnerabilities front —

  • The Health Sector Cybersecurity Coordination Center (HC3) issued a PowerPoint presentation titled “2022 Healthcare Cybersecurity Year in Review and a 2023 Look-Ahead.”
  • HC3 also released its January 2023 Cybersecurity Vulnerability Bulletin.
  • The Cybersecurity and Infrastructure Security Agency (CISA) added three known exploited vulnerabilities to its catalog.
  • The Government Accountability Office produced a report titled “Challenges in Protecting Cyber Critical Infrastructure.”
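Tracking catalog additions like the three above, and the February 14 and 16 additions noted earlier on this page, is normally automated against the JSON feed CISA publishes for the Known Exploited Vulnerabilities catalog (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json). The Python below is an added example, not code from this page or from CISA: it parses records in the feed’s shape, filters them by the date they were added, and buckets them by remediation due date. The field names follow the real feed, but the records embedded in the block are constructed placeholders, not actual catalog entries.

```python
"""Filter KEV-style records by dateAdded and triage them by dueDate.

Added example; not from the page or from CISA. Record fields mirror the real
KEV JSON feed (cveID, vendorProject, product, vulnerabilityName, dateAdded,
dueDate, requiredAction); the records themselves are constructed placeholders.
"""
import json
from datetime import date

# Constructed sample in the feed's shape. The live feed is at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# (not fetched here so the example runs offline). CVE IDs below are placeholders.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Gateway",
         "vulnerabilityName": "ExampleVendor Gateway authentication bypass",
         "dateAdded": "2023-02-14", "dueDate": "2023-03-07",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Agent",
         "vulnerabilityName": "ExampleVendor Agent privilege escalation",
         "dateAdded": "2023-02-14", "dueDate": "2023-03-07",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Transfer",
         "vulnerabilityName": "OtherVendor Transfer remote code execution",
         "dateAdded": "2023-02-16", "dueDate": "2023-03-09",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0004", "vendorProject": "OldVendor", "product": "Router",
         "vulnerabilityName": "OldVendor Router command injection",
         "dateAdded": "2023-01-10", "dueDate": "2023-01-31",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0005", "vendorProject": "OldVendor", "product": "Portal",
         "vulnerabilityName": "OldVendor Portal path traversal",
         "dateAdded": "2023-02-01", "dueDate": "2023-02-22",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})


def load_kev(feed_text: str) -> list[dict]:
    """Parse feed JSON and return the list of vulnerability records."""
    return json.loads(feed_text)["vulnerabilities"]


def added_between(entries: list[dict], start_iso: str, end_iso: str) -> list[dict]:
    """Records whose dateAdded falls within [start, end] inclusive (ISO dates)."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    return [e for e in entries if start <= date.fromisoformat(e["dateAdded"]) <= end]


def days_until_due(entry: dict, today_iso: str) -> int:
    """Days left before the record's dueDate; negative means the deadline has passed."""
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(today_iso)).days


def triage(entries: list[dict], today_iso: str, window_days: int = 7) -> dict[str, list[str]]:
    """Bucket CVE IDs as overdue, due_soon (within window_days) or scheduled."""
    buckets: dict[str, list[str]] = {"overdue": [], "due_soon": [], "scheduled": []}
    for e in entries:
        remaining = days_until_due(e, today_iso)
        if remaining < 0:
            buckets["overdue"].append(e["cveID"])
        elif remaining <= window_days:
            buckets["due_soon"].append(e["cveID"])
        else:
            buckets["scheduled"].append(e["cveID"])
    return buckets


if __name__ == "__main__":
    records = load_kev(SAMPLE_FEED)
    for e in added_between(records, "2023-02-14", "2023-02-16"):
        print(f'{e["cveID"]:14} added {e["dateAdded"]} due {e["dueDate"]}  {e["vulnerabilityName"]}')
    print(triage(records, today_iso="2023-02-18"))
```

To run against the live catalog, replace SAMPLE_FEED with the downloaded feed text; the same functions apply because only the record shape matters. The due-date bucketing is what turns a catalog update into a work queue: entries that are already past their dueDate need an explanation, not just a ticket.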

From the ransomware front —

CISA announced on February 8

CISA and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory, ESXiArgs Ransomware Virtual Machine Recovery Guidance. This advisory describes the ongoing ransomware campaign known as “ESXiArgs.” Malicious cyber actors may be exploiting known vulnerabilities in unpatched and out-of-service or out-of-date versions of VMware ESXi software to gain access to ESXi servers and deploy ESXiArgs ransomware. The ransomware encrypts configuration files on ESXi servers, potentially rendering virtual machines unusable.

As detailed in the advisory, CISA has created and released an ESXiArgs recovery script at https://github.com/cisagov/ESXiArgs-Recover. CISA and FBI encourage organizations that have fallen victim to ESXiArgs ransomware to consider using the script to attempt to recover their files.

Here’s a Cybersecurity Dive report on this topic.

CISA announced on February 9

CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and Republic of Korea’s Defense Security Agency and National Intelligence Service have released a joint Cybersecurity Advisory (CSA), Ransomware Attacks on Critical Infrastructure Fund DPRK Espionage Activities, to provide information on ransomware activity used by North Korean state-sponsored cyber actors to target various critical infrastructure sectors, especially Healthcare and Public Health (HPH) Sector organizations.

The authoring agencies urge network defenders to examine their current cybersecurity posture and apply the recommended mitigations in this joint CSA, which include:

  • Train users to recognize and report phishing attempts.
  • Enable and enforce phishing-resistant multifactor authentication.
  • Install and regularly update antivirus and antimalware software on all hosts.

See Ransomware Attacks on Critical Infrastructure Fund DPRK Espionage Activities for the ransomware actors’ tactics, techniques, and procedures, indicators of compromise, and recommended mitigations. Additionally, review StopRansomware.gov for more guidance on ransomware protection, detection, and response.

Bleeping Computer tells us

Royal Ransomware is the latest ransomware operation to add support for encrypting Linux devices to its most recent malware variants, specifically targeting VMware ESXi virtual machines.

BleepingComputer has been reporting on similar Linux ransomware encryptors released by multiple other gangs, including Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, and Hive.

The new Linux Royal Ransomware variant was discovered by Will Thomas of the Equinix Threat Analysis Center (ETAC), and is executed using the command line.

Cyberscoop considers whether “After the Hive takedown, could the LockBit ransomware crew be the next to fall?”

Here is a link to Bleeping Computer’s The Week in Ransomware.

From the cyber defenses front —

  • The Wall Street Journal offers its quarterly cybersecurity insurance update.
  • ZDNet reports, “Reddit was hit with a phishing attack. How it responded is a lesson for everyone. A quick and transparent response shows that there’s a correct way to respond to cybersecurity incidents.”
  • An ISACA expert asks, “How does one fix people?” and answers, “Through governance, processes and planning. Governance, processes and planning are all essential components of effective cybersecurity management.”