Cybersecurity Saturday

TWO BIG STORIES with an interlude

  • Good news
  • Cybersecurity Dive reported on Tuesday February 20,
    • “An international group of law enforcement partners said it disrupted LockBit ransomware operations Tuesday, seizing the infrastructure of one of the most prolific ransomware groups in recent history. 
    • “The Department of Justice, working in conjunction with U.K. authorities and other international law enforcement agencies, unsealed indictments against two Russian nationals, Artur Sungatov and Ivan Kondratyev, charging them with deploying LockBit against numerous companies around the U.S. and other targets overseas. 
    • “The FBI and U.K. National Crime Agency, working with multiple partners, also seized numerous public facing websites and servers used by Lockbit. Authorities obtained decryption keys that will allow hundreds of targeted organizations and others to regain their stolen data.”
  • Cyberscoop adds more details on this important take down.
    • “A LockBit representative confirmed the operation in an online message posted on X by VX-Underground, an online malware repository. “FBI pwned me,” the representative said. 
    • “As of today, LockBit are locked out,” Graeme Biggar, the National Crime Agency Director General, said in a statement. “We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity.”
    • Two people were arrested as part of the operation — one in Poland and one in Ukraine — Europol said in its statement.
  • Dark Reading suggests that “Hubris May Have Contributed to Downfall of Ransomware Kingpin LockBit.”
  • Interlude
  • Cybersecurity reported on Thursday February 22, 2024.
    • “Critical vulnerabilities in ConnectWise ScreenConnect are under active exploitation by threat actors, and there is an urgent need for users to patch their systems, according to security researchers.
    • “ConnectWise ScreenConnect is a remote desktop application widely used by help desks and remote workers. A critical authentication bypass vulnerability, with a CVSS score of 10, could allow an attacker access to critical systems or confidential information. A path traversal vulnerability, with a score of 8.4, could allow an attacker to execute remote code.
    • “ConnectWise on Wednesday urged on-premises partners to immediately upgrade to the latest version of ScreenConnect, after its incident response team began to investigate reports of suspicious activity. The vulnerability applies to on-premises users.”
  • Dark Reading provides more details on this massive vulnerability
    • “Just days after initial exploitation reports started rolling in for a critical security vulnerability in the ConnectWise ScreenConnect remote desktop management service, researchers are warning that a supply chain attack of outsized proportions could be poised to erupt.
    • “Once the bugs are exploited, hackers will gain remote access into “upwards of ten thousand servers that control hundreds of thousands of endpoints,” Huntress CEO Kyle Hanslovan said in emailed commentary, opining that it’s time to prepare for “the biggest cybersecurity incident of 2024.”
  • Bad News
  • The Wall Street Journal reports yesterday,
    • Pharmacies warned of long waits for customers and U.S. military clinics worldwide have been affected after a cyberattack against one of the country’s largest prescription processors rolled into a third day of downtime.
    • Health industry experts said that a cyberattack against Change Healthcare, part of insurer UnitedHealth Group’s Optum business, could have severe and lasting consequences should outages continue past the weekend.
    • “It’s a mess, and I believe it’s our Colonial Pipeline moment in healthcare,” said Carter Groome, chief executive of healthcare-focused consulting firm First Health Advisory, referring to a 2021 cyberattack that forced the major fuel artery for the U.S. East Coast to shut down for six days, causing long lines at gas stations. * * *
    • “Parent company UnitedHealth said Thursday in a regulatory filing with the U.S. Securities and Exchange Commission that it identified a cyberattack affecting systems at Change Healthcare on Wednesday. The company suspects a nation-state was behind the attack, the filing said. * * *
    • “The American Hospital Association urged healthcare facilities Wednesday to disconnect from Optum and to check their systems for security vulnerabilities.
      • “We recommend that all healthcare organizations that were disrupted or are potentially exposed by this incident consider disconnection from Optum until it is independently deemed safe to reconnect to Optum,” the AHA said.
    • “The association also urged members to test their data backups, check that critical patches are up-to-date and designate staff for shifts to manage manual processes.
    • “There is fragility in our infrastructure and in the lack of redundancy, the lack of rehearsals,” said Theresa Payton, CEO at cybersecurity consulting firm Fortalice.”
  • SC Media brings the stories together as follows:
    • “Security experts have warned for the past couple of days that the two flaws recently uncovered in ConnectWise’s ScreenConnect app could become the major cybersecurity story of 2024 – and that the healthcare and critical infrastructure sectors were especially vulnerable.
    • “Today, we’re inching closer to that reality as SC Media has learned that the recent cybersecurity incident at UnitedHealth’s Change Healthcare that led to slowdowns at pharmacies was caused by a strain of LockBit malware that was used to exploit the vulnerabilities in ConnectWise ScreenConnect.
    • “Toby Gouker, chief security officer at First Health Advisory, stressed that while it was a LockBit strain of malware, it doesn’t mean that the recently taken down LockBit gang was responsible. Gouker said the two flaws were discovered as part of a crowdsourced team for the ConnectWise bugs on Feb. 15 and that the vulnerability notifications went out on Feb. 19.
    • “And that’s where the problems started. As many of you know, malicious actors watch for these announcements to come out,” said Gouker. “They prey on the timeframe between the announcement and when an organization is able to apply the patch. So from the get-go, these actors are working to figure out a way to exploit the disclosed vulnerability and capitalize on it.”
    • “While Gouker stands by his comments, ConnectWise remained somewhat defensive, yet cautious, issuing this statement late Friday night:”
      • “At this time, we cannot confirm that there is a connection between the Change Healthcare incident and the ScreenConnect vulnerability. Our initial review indicates that Change Healthcare appears not to be a ConnectWise direct customer, and our managed service provider partners have yet to come forward, stating Change Healthcare is a customer of theirs.” * * *
  • Here is a link to the CISA notice adding the ConnectWise known exploited vulnerability (CVE-2024-1709) to its catalog on February 22. This was the only KEV change announced this week.
  • Optum provided the following update on the Change Healthcare breach this morning
    • Change Healthcare is experiencing a cyber security issue, and our experts are working to address the matter. Once we became aware of the outside threat, and in the interest of protecting our partners and patients, we took immediate action to disconnect Change Healthcare’s systems to prevent further impact. This action was taken so our customers and partners do not need to. We have a high-level of confidence that Optum, UnitedHealthcare and UnitedHealth Group systems have not been affected by this issue.
    • We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online. We will continue to be proactive and aggressive with all our systems and if we suspect any issue with the system, we will immediately take action and disconnect. The disruption is expected to last at least through the day. We will provide updates as more information becomes available.

In other vulnerabilities and breaches news,

  • On February 22, 2024, the HHS Office for Civil Rights announced
    • “On February 14, 2024, the U.S. Department of Health & Human Services Office for Civil Rights issued two Reports to Congress on Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliance and enforcement, specifically, on HIPAA Privacy, Security, and Breach Notification Rule Compliance and Breaches of Unsecured Protected Health Information. These reports are required to be submitted to Congress annually by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. The HIPAA Rules provide the minimum required privacy and security safeguards for protected health information, and give individuals rights with respect to that information, such as the right to access their health information. These reports, delivered to Congress, help regulated entities (such as most health care providers, health plans, and healthcare clearinghouses) and their business associates in their HIPAA compliance efforts by sharing steps taken by OCR to investigate complaints, breach reports, and compliance reviews regarding potential violations of the HIPAA Rules. The reports include important data on the number of HIPAA cases investigated, areas of noncompliance, and insights into trends such as cybersecurity readiness. * * *
    • “As in previous years, hacking/IT incidents remain the largest category of breaches occurring in 2022 affecting 500 or more individuals, and affected the most individuals, comprising 77% of the reported breaches. Network servers continued as the largest category by location for breaches involving 500 or more individuals at 58% of reported large breaches.
    • “OCR’s 2022 Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/reports-congress/index.html
    • “OCR’s 2022 Report to Congress on Breaches of Unsecured Protected Health Information may be found at:  https://www.hhs.gov/hipaa/for-professionals/breach-notification/reports-congress/index.html.”
  • Cybersecurity Dive tells us,
    • “Organizations with weak cloud security controls and gaps in cross-domain visibility are getting outmaneuvered by threat actors and struck by intrusions, CrowdStrike said Wednesday in its annual Global Threat Report.
    • “Cloud environment intrusions jumped 75% from 2022 to 2023, as threat actors abused unique cloud features to initiate attacks, the report found.
    • “This is not surprising,” said Adam Meyers, head of counter adversary operations at CrowdStrike. “We’ve seen more and more organizations deploying more and more cloud resources without necessarily having a cohesive or equivalent security posture for their cloud deployments as they do in their traditional enterprise deployments.”
  • Cyber Express informs us
    • “The fusion of Artificial Intelligence (AI) and cybersecurity has ushered in a new era of warfare, one conducted not on physical battlegrounds but in the vast expanse of cyberspace. With the global AI in the cybersecurity market projected to surge to $133.8 billion by 2030, the landscape is undergoing a seismic shift, with both promise and peril on the horizon. 
    • “At the heart of this revolution lies a paradox: while AI bolsters defenses, it also empowers malicious actors, fueling a surge in cybercrime. As cyberattacks grow in both scale and sophistication, the stakes have never been higher, with a staggering $9.22 trillion expected to be drained from the world’s internet users in 2024 alone. * * *
    • “As we navigate this tumultuous terrain, the imperative lies in striking a delicate balance between innovation and vigilance. Harnessing AI’s potential while mitigating its risks demands a multifaceted approach, one rooted in proactive defense, continuous adaptation, and unwavering resilience. 
    • “In the crucible of cyber conflict, AI emerges not merely as a technological marvel but as a beacon of hope, illuminating the path toward a safer, more secure digital future. Only by embracing the transformative power of AI can we hope to outmaneuver the adversaries lurking in the shadows of cyberspace.” 
  • CSO points out,
    • “Attackers prefer compromised valid accounts over phishing or any other infection methods to gain access into victim environments, according to an IBM report.
    • “As defenders increase their detection and prevention capabilities, attackers are finding that obtaining valid credentials is an easier route to achieving their goals, considering the alarming volume of compromised yet valid credentials available — and easily accessible — on the dark web,” IBM said in the report.
    • “The report, which is based on IBM X-Force’s penetration testing data from incidents in 2023, also found security misconfigurations and poor authentication enforcement as top application security risks opening organizations to identity-based attacks.”

From the ransomware front,

  • Tech Crunch identifies the “top 13 ransomware targets in 2024 and beyond.” Education is the top target, and healthcare is ranked number 11.
  • Cybersecurity Dive relates,
    • “The HHS has reached its second-ever settlement related to a ransomware attack, which exposed the protected health information of more than 14,000 people, the agency announced Wednesday. 
    • “Maryland-based Green Ridge Behavioral Health agreed to pay $40,000 and implement a corrective action plan after an investigation found potential violations of the HIPAA rule and lax protections after an attack reported in early 2019, according to the HHS’ Office for Civil Rights.
    • “The settlement comes as ransomware has become a growing and critical threat to healthcare organizations, and regulators have signaled interest in enforcing cybersecurity standards.” 

In other cybersecurity news,

  • SDXCentral calls our attention to the fact that
    • Gartner unveiled the top cybersecurity trends for 2024, including the impact of generative artificial intelligence (genAI), boardroom communication gaps, human risks, third-party security risks, continuous threat exposure and identity-first approaches to security.

Cybersecurity Saturday

From the cybersecurity policy front,

  • American Hospital Association News informs us,
    • “The National Institute of Standards and Technology this week released updated guidance to help HIPAA-covered entities and business associates assess and manage cybersecurity risks to electronic protected health information and comply with the HIPAA security rule. The Department of Health and Human Services’ Office for Civil Rights collaborated with NIST on the guidance, last updated in 2008, which identifies activities that a regulated entity might consider implementing as part of an information security program and resources to help in complying with the HIPAA security rule.” 
  • Fedscoop tells us,
    • “The Cybersecurity and Infrastructure Security Agency [CISA] is opening up an office dedicated to helping federal agencies implement zero trust security principles, leaning further into the Biden administration’s push toward broader adoption of the framework.   
    • “Speaking Thursday [February 15] at CyberScoop’s Zero Trust Summit, Sean Connelly, CISA’s senior cybersecurity architect and trusted internet connections program manager, said the agency’s Zero Trust Initiative Office is intended to provide federal agencies with more comprehensive trainings and resources. 
    • “We’re working with various organizations to support broad training,” Connelly said. “We also have some in-house training we’ve done with a number of agencies [and have made available] playbooks and guidance [for] agencies that want to know how to move toward zero trust.”
    • “The new office will offer expanded training on zero trust principles and will also include an effort to better identify the skills and knowledge needed for successful implementations of the architecture. The office’s playbooks will build on current CISA resources, specifically the agency’s Zero Trust Maturity Model and Trusted Internet Connections 3.0.”  
  • Health IT Security points out,
    • “The US Government Accountability Office (GAO) issued recommendations to HHS surrounding its oversight of ransomware practices across the sector in a recent report. The report assessed four federal agencies, including HHS, to evaluate each agency’s efforts to oversee sector adoption of leading cybersecurity practices.
    • “GAO chose to focus on four critical infrastructure sectors in particular – critical manufacturing, energy, healthcare and public health, and transportation systems – due to the fact that half of the cyber incidents tracked by the FBI in 2022 impacted these four sectors.”

From the cybersecurity vulnerabilities and attacks front,

  • The American Hospital Association notes,
    • “The FBI Feb. 15 released an alert to help organizations detect and reduce the risk of network compromise from the Warzone Remote Access Trojan, a malware service used by over 7,000 cybercriminals and nation-state actors.
    • “In other news, the Cybersecurity & Infrastructure Security Agency and other agencies recently released joint advisories to help organizations defend against Volt Typhoon and other cyber threat groups using living-off-the-land techniques to compromise and access U.S. critical infrastructure.”
  • According to TechCrunch,
    • “The U.S. Department of Defense is notifying tens of thousands of individuals that their personal information was exposed in an email data spill last year.
    • “According to the breach notification letter sent out to affected individuals on February 1, the Defense Intelligence Agency — the DOD’s military intelligence agency — said, “numerous email messages were inadvertently exposed to the Internet by a service provider,” between February 3 and February 20, 2023.
    • “TechCrunch has learned that the breach disclosure letters relate to an unsecured U.S. government cloud email server that was spilling sensitive emails to the open internet. The cloud email server, hosted on Microsoft’s cloud for government customers, was accessible from the internet without a password, likely due to a misconfiguration.”
  • HHS’s Health Sector Cybersecurity Coordination Center issued a report on Russian threat actors targeting the U.S. health sector.
  • Cyberscoop adds,
    • “U.S. authorities took down a network of hundreds of compromised small office and home office routers being used by Russian military intelligence to carry out global cyber espionage campaigns, the Federal Bureau of Investigation and Department of Justice announced Thursday.
    • “Speaking at the Munich Cyber Security Conference on Thursday, FBI Director Christopher Wray said the operation aimed to “kick the Russian GRU off” a large network of compromised routers “and lock the door behind them, killing the GRU’s access to a botnet it was piggybacking to run cyber operations against countries around the world, including America and its allies in Europe.”
    • “The operation, approved by a U.S. court in January, dismantled a botnet used by GRU Military Unit 26165 that targeted Ubiquiti Edge OS routers that were still using publicly known default administration passwords, the DOJ said in its announcement.”

From the ransomware front,

  • An ISACA expert explains how to navigate the shifting ransomware landscape for the benefit of IT governance and cybersecurity leaders.
  • The FEHBlog found this temporary (?) SC Magazine replacement for Bleeping Computer’s The Week in Ransomware.

From the cybersecurity defenses front,

  • TechTarget identifies five steps involved in performing a cybersecurity risk assessment.
  • Dark Reading suggests that the time has come to rethink third party risk assessment.
  • ZDNet explains why businesses should upgrade to Windows 11 Pro.

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cybersecurity Dive reports on a speech that the National Cyber Director (NCD) Harry Coker gave on February 7. He urged private sector cooperation to counter nation state cyber threats. Specifically,
    • “The Office of the NCD is working on several key initiatives that are part of the Biden administration’s national cybersecurity strategy: 
      • “Officials are consulting with academic and legal experts to explore a variety of tactics to hold manufacturers accountable when they rush insecure products to market. Officials will be reaching out to industry for additional feedback.
      • “The office is reaching out to interagency partners in an effort to harmonize a number of wide ranging cyber rules and regulations so companies are not overwhelmed by compliance burdens.
      • “The administration is working to build a more diverse and robust cybersecurity workforce, as the industry still has about a half million vacant job opportunities and there is a desperate need to attract qualified workers. 
    • “Coker also highlighted an upcoming white paper on efforts to develop the use of memory-safe languages and improve software measurability. 
  • Also on Wednesday, the Cybersecurity and Infrastructure Security Agency [CISA] posted a joint agency advisory about the “People’s Republic of China State-Sponsored Hacking of U.S. Critical Infrastructure.”
  • Cybersecurity Dive also interviewed Ty Greenhalgh who is an HHS cybersecurity “ambassador” to the healthcare sector, about “what to expect from federal cybersecurity guidance in healthcare.” For example,
    • Q. “What are the next steps as far as the cybersecurity goals and what HIPAA standards the HHS could implement going forward?”
    • A. “I think they’re going to quickly open up the HIPAA Security Rule and revise it to include these HPH CPGs and talk more about vulnerability management as a practice and not just a compliance checklist. So in doing that, HHS will then be able to go through the rulemaking process and ferret out what the language really looks like from a regulation perspective. Hospitals can start figuring out how they’re going to embrace these HPH CPGs. 
    • The first move is to reinforce that these will become requirements. And what the regulations look like around that as they go to Congress and try to get money or determine whether they’re going to use their Medicare reimbursement to incentivize either through reduction or increase. So I think it’s open up HIPAA, include HPH CPGs, start figuring out what that regulation is going to look like, what the requirements are actually going to be, as they’re simultaneously trying to find funding to make this more palatable.”
  • Similarly, Fedscoop reports,
    • “CISA has proven to be a critical partner and resource over the past five years for federal cybersecurity. But as CISA enters the second half of its first decade, the cyber agency and its Joint Cyber Defense Collaborative should focus on better governmentwide coordination and tougher security standards, a panel of federal IT officials said this week.
    • “During a Center for Strategic & International Studies panel discussion, tech leaders from the Treasury Department and the Department of Veterans Affairs detailed the ways in which they’re pleased with and frustrated by CISA, expressing an overarching sentiment that while the agency has been helpful, there’s room for improvement as it matures.
    • “We need really common operating standards to which we are aggressively held, versus this sort of voluntary, participative notion — ‘get in touch with us when you need it’ kind of thing,” said Jeff King, Treasury’s principal deputy chief information officer. 
    • “Amber Pearson, deputy chief information security officer at the Department of Veterans Affairs, largely agreed, noting that she’d like to see “more expansion from CISA” when it comes to “those key areas.”

From the cybersecurity vulnerabilities and breaches front,

  • HHS’s Health Sector Cybersecurity Coordination Center (HC3) issued its compendium of “January Vulnerabilities of Interest to the Health Sector.”
    • “In January 2024, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for January are from Ivanti, Microsoft, Google/Android, Apple, Mozilla, Cisco, SAP, VMWare, Adobe, Fortinet, Atlassian, and Jenkins.
    • “A vulnerability is given the classification of a zero-day when it is actively exploited with no fix available, or if it is publicly disclosed. HC3 recommends patching all vulnerabilities, with special consideration to the risk management posture of the organization.”
  • CISA added another known exploited vulnerability (Google Chromium V8 Type Confusion Vulnerability) to its catalog on February 6 and another (Fortinet FortiOS Out-of-Bound Write Vulnerability) on February 9.
  • Cybersecurity Dive reported on Tuesday,
    • “Ivanti Connect Secure and Ivanti Policy Secure Gateways are facing renewed exploitation, days after the company released a patch for two zero-day vulnerabilities that were under active exploitation. Ivanti disclosed two new vulnerabilities when it released the patch, which addresses all known issues.
    • “At this point exploitation is widespread with every exposed Ivanti Connect Secure VPN instance hit,” Piotr Kijewski, CEO of the Shadowserver Foundation, said via email. Specific details on the attackers were not immediately known, but the attacks include reverse shell setup attempts and config dumping.”
  • More information on the Ivanti problem is available from Tech Crunch.
  • Dark Reading told us yesterday,
    • “Researchers have discovered a new backdoor targeting macOS that appears to have ties to an infamous ransomware family that historically targets Windows systems.
    • “Researchers at Bitdefender say the so-called Trojan.MAC.RustDoor is likely linked to BlackCat/ALPHV. The newly discovered backdoor is written in Rust coding language and impersonates an update for Visual Studio code editor.
    • “Bitdefender in its advisory said there have been multiple variants of the new backdoor, and that it has been in action for at least three months.”
  • Two cybersecurity breach settlements were announced last week.
    • Health IT Security informs us that “US Fertility (USF) reached a $5.75 million settlement [in a consolidated class action pending in the Maryland federal court] to resolve allegations of negligence following a 2020 ransomware attack and data breach that impacted nearly 900,000 individuals. USF provides IT platforms and services to a network of more than 200 physicians across 100 clinic locations and more than two dozen IVF laboratories.”
  • and
    • HHS’ Office for Civil Rights Settles Malicious Insider Cybersecurity Investigation for $4.75 Million: the HHS Office for Civil Rights settlement with Montefiore Medical Center resolves multiple potential HIPAA Security Rule violations.

From the ransomware front,

  • Cybersecurity Dive reports,
    • “Ransomware attacks inflicted more financial damage and hit more companies last year than ever before, according to Unit 42 and Chainalysis research.
    • “Victim organizations paid a collective $1.1 billion in ransom demands in 2023, the largest amount ever recorded, Chainalysis said in a Wednesday report on financially-motivated criminal activity in cryptocurrency exchanges. 
    • “Threat actors named and publicly threatened almost 4,000 victim organizations on their dark web leak sites last year, a 49% increase over 2022, Palo Alto Networks’ Unit 42 said Monday in a ransomware retrospective report.”
  • Physician Practice pointed out yesterday,
    • Federal cybersecurity experts are warning health care information technology experts about a new threat that has become significant in less than a year.
    • Akira ransomware was first identified in May 2023 and has claimed at least 81 victims, according to the Health Sector Cybersecurity Coordination Center (HC3) in the U.S. Department of Health and Human Services. Akira “has demonstrated aggressive and capable targeting of the U.S. health sector in its short lifespan,” said the HC3 analyst note published this week.

From the cybersecurity defenses front,

  • Health IT Security notes,
    • “KLAS Research recognized several leading security and privacy vendors as Best in KLAS winners for 2024. The 2024 Best in KLAS software and services winners were designated based on information collected from more than 26,000 evaluations collected over the past year from more than 5,000 healthcare organizations.
    • “The Best in KLAS designation recognizes “software and services companies who excel in helping healthcare professionals improve patient care” and “signifies to the healthcare IT industry the commitment and partnership that the top vendors should provide,” KLAS stated.”
  • Tech Republic offers cybersecurity defense ideas related to “a botnet created by Volt Typhoon, a group of attackers sponsored by the Chinese government.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • The Wall Street Journal reported on Wednesday,
    • “The U.S. government said it had disrupted a uniquely dangerous and potentially life-threatening Chinese hacking operation that hijacked hundreds of infected routers and used them to covertly target American and allied critical infrastructure networks.
    • “Senior officials described the operation in unusually blunt terms as part of an evolving and increasingly worrisome campaign by Beijing to get a foothold in U.S. computer networks responsible for everything from safe drinking water to aviation traffic so it could detonate, at a moment’s notice, damaging cyberattacks during a future conflict, including over Taiwan.
    • “Wednesday’s announcement was part of an effort by senior Biden administration officials to underscore what Federal Bureau of Investigation Director Christopher Wray called the “apocalyptic scenarios” animating their fears about China’s advanced and well-resourced hacking prowess. Western intelligence officials say its skill and sophistication has accelerated over the past decade. Officials have grown particularly alarmed at Beijing’s interest in infiltrating U.S. critical infrastructure networks, which they say poses an unrivaled cybersecurity challenge.”
  • Here’s Cybersecurity Dive’s story on this chilling development.
    • “The FBI and Department of Justice disclosed Wednesday a court-authorized disruption of a botnet linked to the Volt Typhoon threat campaign from 2023, which Wray noted during his testimony. The hackers installed KV Botnet malware on hundreds of small office/home office routers in the U.S., in a plan to target critical infrastructure providers through the compromised hosts. * * *
    • “Volt Typhoon is very focused on targeting U.S. critical infrastructure by staying below the radar, and works hard to reduce the signatures we use to hunt them across networks,” Sandra Joyce, VP, Mandiant Intelligence, Google Cloud, said in a statement. “They are making use of compromised systems to blend in with normal network activity and constantly change the source of their activity.”
  • Cyberscoop adds,
    • “Any federal agency running Ivanti Connect Secure or Ivanti Policy Secure devices must disconnect them from their networks before midnight Friday [February 2], the United States’s top civilian cyber defense agency said Wednesday amid reports the vulnerable devices are being targeted by espionage operations linked to China. 
    • “Last month, CISA warned that the vulnerable Ivanti devices were subject to “widespread exploitation of vulnerabilities by multiple threat actors.” On Wednesday, the agency issued new instructions for how to update and bring those devices back online. 
    • “A CISA spokesperson did not immediately respond to a question about how many instances of Ivanti’s affected product are present in federal networks. * * *
    • “Chinese hackers appear to be exploiting the Ivanti vulnerabilities to carry out espionage. Researchers with Google’s Mandiant wrote in a blog post Wednesday that they’d identified “broad exploitation activity” by suspected Chinese-linked espionage hackers they track as “UNC5221,” as well as other uncategorized attackers.” 
  • and
    • “The Office of the National Cyber Director has work to do to improve the implementation of President Joe Biden’s national cybersecurity strategy, according to a watchdog report.
    • The Government Accountability Office said in a report released Thursday that the national cybersecurity strategy lacks performance measures and estimated costs, which the watchdog believes is essential for a national strategy.
    • “The GAO said that “neither the strategy nor the implementation plan included outcome-oriented performance measures for the initiatives or for the overall objectives of the strategy to gauge success.” The initiatives outlined in the implementation plan include milestones and expected completion dates, but lacked assessments in “the extent to which the initiatives are achieving outcome-oriented objectives” like information sharing or updated federal cyber defenses, GAO said.
    • “ONCD staff told the GAO it wasn’t actually feasible to develop outcome-oriented measures, simply because those measures do not yet exist in the broader cybersecurity field. “They acknowledged the value of having meaningful outcome-oriented performance measures to assess cybersecurity effectiveness but stated that such measures do not currently exist in the cybersecurity field in general,” the GAO wrote.”
  • On Wednesday Cybersecurity Dive tells us,
    • The Biden administration came out forcefully this week against a congressional effort to undo the U.S. Securities and Exchange Commission’s recently adopted rule requiring public companies to disclose cybersecurity incidents.
    • President Joe Biden would veto the joint resolution, S.J. Res. 50, if it comes to his desk, the administration said Wednesday in a policy statement.
    • The legislation to disapprove the SEC’s authority to require companies to quickly disclose material cyber incidents and describe how they manage cyberthreats in annual reports was introduced by Republican senators in November alongside a companion resolution by House Republicans.
  • Federal News Network offers an interview with “Kirsten Moncada, OPM’s chief privacy officer and a longtime federal privacy expert, [who remarked that] the rise of AI tools in government is sure to create more work for privacy officials across the government.”

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive informs us
    • “An identity-based attack Cloudflare previously declared contained and unimpactful turned out to be quite the opposite. The threat actor that intruded Cloudflare’s Okta environment in mid-October regained access to some of the content delivery network’s systems in mid-November, the company said Thursday in a blog post.
    • “The threat actor used one access token and three service account credentials Cloudflare failed to rotate after the environment was compromised by an early October attack against Okta, the company said. The Okta incident ultimately exposed data on all of the single sign-on provider’s customer support system clients.
    • “We want to emphasize to our customers that no Cloudflare customer data or systems were impacted by this event,” CEO Matthew Prince, CTO John Graham-Cumming and CSO Grant Bourzikas said in the blog post.”
  • Dark Reading points out,
    • “Security researchers have sounded the alarm on a new cyberattack campaign using cracked copies of popular software products to distribute a backdoor to macOS users.
    • “What makes the campaign different from numerous others that have employed a similar tactic — such as one reported just earlier this month involving Chinese websites — is its sheer scale and its novel, multistage payload delivery technique. Also noteworthy is the threat actor’s use of cracked macOS apps with titles that are of likely interest to business users, so organizations that don’t restrict what users download can be at risk as well.
    • “Kaspersky was the first to discover and report on the Activator macOS backdoor in January 2024. A subsequent analysis of the malicious activity by SentinelOne has shown the malware to be “running rife through torrents of macOS apps,” according to the security vendor.”
  • On Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) announced “New Software Updates and Mitigations to Defend Against Exploitation of Ivanti Connect Secure and Policy Secure Gateways.”
  • CISA added a known exploited vulnerability to its catalog on January 31 and another later the same day.

From the ransomware front,

  • Security Week discusses why the ransomware threat continues to grow.
    • “The volume of ransomware attacks is not a constant and can be affected by many short-term factors (takedowns, criminal retirements, retooling, etcetera). 2022 showed a reduction, and some commentators suggested that the tide was turning against ransomware. 2023 has demonstrated this was a false dawn, with more than twice the number of victims in 2023 compared to 2022. 
    • “Anyone who believes ransomware will go away doesn’t understand the nature of criminality. Extortion has and always will be a primary criminal business plan. The current Delinea report demonstrates that the delivery of extortion can be fine-tuned (the evolution from encryption to data exfiltration), but the purpose remains the same, and the incidence will continue to increase.
    • “The success of this business plan is demonstrated by an increase in the number of victims who have paid the ransom — up from 68% to 76% (and remember that is 76% of a higher number of victims). What cannot be measured is the effect of cyberinsurance on ransomware delivery and response. Some commentators believe that attackers look for victims with cyberinsurance, and the report notes, “One reason for the willingness to pay may be the rise of cyberinsurance.”
  • Bleeping Computer’s The Week in Ransomware returns this week.
    • “Attacks on hospitals continued this week, with ransomware operations disrupting patient care as they force organizations to respond to cyberattacks.
    • “While many, like LockBit, claim to have policies in place to avoid encrypting hospitals, we continue to see affiliates targeting healthcare with complete disregard to the disruption they are causing patients in trying to receive care.”

From the cybersecurity defenses front,

  • TechTarget identifies “sixteen common types of cyberattacks and how to prevent them.”
  • CISA announced,
    • “CISA and the Federal Bureau of Investigation (FBI) published guidance on Security Design Improvements for SOHO Device Manufacturers as a part of the new Secure by Design (SbD) Alert series that focuses on how manufacturers should shift the burden of security away from customers by integrating security into product design and development.
    • “This third publication in CISA’s SbD Alert series examines how manufacturers can eliminate the path threat actors—particularly the People’s Republic of China (PRC)-sponsored Volt Typhoon group—are taking to compromise small office/home office (SOHO) routers.” 
  • An ISACA expert writes about “Navigating the Treacherous Waters of IT Risk: The MOVEit Transfer Exploit as a Case Study.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • Healthcare Dive informs us,
    • “The HHS released voluntary cybersecurity goals for healthcare and public health organizations on Wednesday, as the industry grapples with increasing large data breaches and ransomware attacks. 
    • “The performance goals, broken down into essential and enhanced safeguards, aim to help organizations prevent cyberattacks, improve their response if an incident occurs and minimize remaining risk after security measures are applied. 
    • “The resources come after the HHS released a concept paper in December, which detailed plans to create hospital cybersecurity requirements through Medicare and Medicaid and eventually update the HIPAA rule.”
  • Cybersecurity Dive also considers whether “the movement to ban ransom payments [will] gain steam in 2024. Policies and regulations around ransomware payments are widely expected to change in 2024, but how and to what effect remains in flux.”
  • Tim Liu, a cybersecurity expert writing in Forbes, offers his cybersecurity predictions for 2024. Nevertheless, the author adds
    • “With all the concerns about AI, cloud and endpoints, we can’t forget that people—employees, contractors and others with network access—remain one of the most common attack vectors. The largest breach of U.S. military systems occurred when someone inserted an infected flash drive into a single computer. More recently, MGM Resorts was hit with a crippling attack that purportedly began via a convincing but impersonated phone call (a.k.a. vishing).
    • “That’s why it’s so important to focus on the basics first—keeping up to date with patches and providing training for staff and management. In other words, cybersecurity is really not just a technology discussion; it’s a people problem. And by consistently concentrating on people, policy, procedure and practice, cyberattacks can be averted.”

From the cybersecurity vulnerabilities and defenses front,

  • Cybersecurity Dive tells us,
    • “Microsoft plans to make significant changes to its internal security practices after disclosing a hack by the state-sponsored threat group Midnight Blizzard, which stole emails and other data from senior-level Microsoft executives and other employees, the company said Friday in a filing with the Securities and Exchange Commission.
    • “The hackers compromised a legacy non-production test tenant account to gain access to the company, Microsoft said. The threat actor used the account’s permissions to reach a “very small percentage” of emails and attachments of senior executives and employees in the cybersecurity, legal and other departments. 
    • “The actor, formerly known as Nobelium, was behind the 2020 Sunburst attacks against SolarWinds and other companies. U.S. authorities raised alarms about Midnight Blizzard in December after the actor was found exploiting unpatched vulnerabilities in JetBrains TeamCity servers across the globe.”
  • and
    • Data compromises were more abundant and organizations were less forthright about the root cause of cyberattacks throughout 2023, according to the Identity Theft Resource Center’s annual data breach report.
    • The number of data compromises reported in the U.S. last year jumped 78% to a record high of 3,205 incidents, the non-profit organization said Thursday. These compromises ultimately impacted more than 353 million victims, including individuals affected multiple times.
    • “The sheer scale of the 2023 data compromises is overwhelming,” ITRC CEO Eva Velasquez said in the report.
  • HHS’s Health Sector Cybersecurity Coordination Center (HC3) posted a sector alert concerning a “Possible Threat of Unauthorized Access to HPH Organizations from Remote Access Tool.”
    • “Security researchers are warning that Healthcare and Public Health (HPH) organizations that use the remote access tool ScreenConnect could be adversely affected or targeted by threat actors. The impact of potential unauthorized access on both federal and private industry victims, many of which rely on this tool, would be a concerning development for the healthcare sector. This Sector Alert provides a technical overview of issues concerning the remote access tool, IOCs, and recommendations for mitigations to detect and protect against future cyberattacks.”
  • The Cybersecurity and Infrastructure Security Agency added a new known exploited vulnerability to its catalog on January 22, January 23, and January 24.
  • Per Cybersecurity Dive,
    • “Nearly 800 instances of Fortra’s GoAnywhere MFT remain unpatched and potentially exposed to a critical vulnerability disclosed earlier this week, according to Shadowserver data published Friday.
    • “While many instances of the file-transfer service remain unpatched, less than 30 are vulnerable to exploits due to admin panel exposure on the public internet, Shadowserver said. Remote access to the administration panel is required for threat actors to exploit the critical authentication bypass vulnerability, CVE-2024-0204.
    • “Fortra released a patch for the vulnerability on Dec. 7, but didn’t publicly disclose the vulnerability with a CVSS score of 9.8 until this week.”

From the ransomware front,

  • Dark Reading tells us,
    • “Despite takedowns of top ransomware groups, those remaining threat actors have continued to develop new tricks, while maintaining their ability to capitalize on zero-day vulnerabilities, helping them do more damage to industrial control systems (ICS) with fewer attacks, according to new research.
    • “Dragos released its latest industrial ransomware analysis for the last quarter of 2023, finding the landscape more refined, and potent, than ever before in its attacks against ICS. It’s a surprising reveal given recent high-profile busts of ransomware operators in the space, including Ragnar Locker and ALPHV, the new report explained.”
  • Health IT Security alerts us,
    • “The healthcare sector was hit hard by data breaches in 2023, with more than 540 organizations reporting breaches to HHS last year. Ransomware remains a top threat to healthcare, as exemplified by the number of high-profile attacks carried out by prolific threat actor groups and lesser-known gangs alike.
    • “In its annual ransomware report, the GuidePoint Research and Intelligence Team (GRIT) used publicly available data to explore these trends and how they vary across the threat landscape, uncovering troubling changes in the threat landscape. GRIT observed 63 distinct ransomware groups compromising thousands of victims throughout 2023. Healthcare was the third-most targeted industry in 2023 according to GRIT, behind manufacturing and technology.
    • “Attacks by prolific ransomware groups such as LockBit, Alphv, and Clop accounted for the vast majority of victims across all analyzed industries. GRIT identified these groups as “established,” meaning that they are groups that have operated for at least nine months and maintain well-defined tactics.”

From the cybersecurity defenses front,

  • HHS’s 405d program offers guidance on implementing cybersecurity insurance.
  • From the ISACA blog,
    • An expert identifies the top ten things every cybersecurity professional needs to know about privacy, and
    • Another expert explains how to run a well-executed risk and control self-assessment.
  • Tech Republic discusses how to prevent phishing attacks with multi-factor authentication.

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cybersecurity Dive points out five cybersecurity trends to watch this year.
  • Dark Reading informs us,
    • Following the Securities and Exchange Commission’s X account, formerly known as Twitter, compromise on Jan. 9, two Senators have issued a statement calling the hack “inexcusable” and urging the Inspector General of the US Securities and Exchange Commission (SEC) to investigate the regulator’s failure to have basic multifactor authentication (MFA) protections in place.
    • “Additionally, a hack resulting in the publication of material information for investors could have significant impacts on the stability of the financial system and trust in public markets, including potential market manipulation,” Senators Ron Wyden, D-Ore., and Cynthia Lummis, R-Wyo. said in a statement. “We urge you to investigate the agency’s practices related to the use of MFA, and in particular, phishing-resistant MFA, to identify any remaining security gaps that must be addressed.” * * *
    • “Not only should the agency have enabled MFA, but it should have secured its accounts with phishing-resistant hardware tokens, commonly known as security keys, which are the gold standard for account cybersecurity,” the letter to the SEC Inspector General said, adding the agency was warned in 2023 about its “poor cybersecurity.”
    • “The letter added a shot at the regulator’s increasingly rigorous oversight of enterprise cybersecurity.
    • “The SEC’s failure to follow cybersecurity best practices is inexcusable, particularly given the agency’s new requirements for cybersecurity disclosure,” the Senators wrote.”
  • Cyberscoop reports
    • “Over-classification, a lack of policy guidance, and tensions between private sector cybersecurity firms are continuing to hamper federal government efforts to share cybersecurity threat information, according to a report released Friday by the U.S. intelligence community’s top watchdog. 
    • “Friday’s report, released by the Office of the Inspector General of the Intelligence Community, concludes that while federal agencies have broadly improved their ability to share threat information and defensive mitigations, long-standing policy and technical concerns are providing barriers to rapid information sharing. 
    • “The IG’s report examines how relevant federal agencies shared cyber threat information and defensive measures over the past two years through a framework created by the Cybersecurity Information Sharing Act of 2015. The report finds that the “policies, procedures, and guidelines” for sharing information are “sufficient” to carry out the requirements of the legislation and noted that “sharing has improved” in the last two years.
    • “However, a section on barriers to sharing information among federal entities describes a set of familiar issues — to cyber pros at least — that has long been a rallying cry for improvement, including failures to be more forthcoming in sharing threat information with private sector entities.”
  • and
    • “As dozens of states race to establish standards for how their agencies use AI to increase efficiency and streamline public-facing services, researchers at the National Institute of Standards and Technology found that artificial intelligence systems, which rely on large amounts of data to perform tasks, can malfunction when exposed to untrustworthy data, according to a report published last week.
    • “The report, part of a broader effort by the institute to support the development of trustworthy AI, found that cyber criminals can deliberately confuse or “poison” AI systems to make them malfunction by exposing them to bad data. And what’s more, according to the study, there’s no one-size-fits-all defense that developers or cybersecurity experts can implement to protect AI systems.”
  • The Wall Street Journal adds,
    • “U.S. intelligence authorities are using AI to pick up on the presence of hackers trying to infiltrate and attack American critical infrastructure—and identifying signs of hackers using AI themselves in the attacks.
    • “At a conference Tuesday, cybersecurity leaders discussed burgeoning aspects of AI use by hackers—as well as by law enforcement. Rob Joyce, cybersecurity director at the National Security Agency, said machine learning and artificial intelligence are helping cybersecurity investigators track digital incursions that would otherwise be very difficult to see. 
    • “Specifically, Chinese hackers are targeting U.S. transportation networks, pipelines and ports using stealthy techniques that blend in with normal activity on infrastructure networks, Joyce said, speaking at Fordham University in New York.
    • “These methods are “really dangerous” as their aim is societal disruption, as opposed to financial gain or espionage, Joyce said. The hackers don’t use malware that common security tools can pick up, he added.” 

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive tells us,
    • Mortgage lender loanDepot is responding to a cyberattack that led the company to take some of its IT systems offline, the California-based company said Monday. 
    • “Though our investigation is ongoing, at this time, the company has determined that the unauthorized third-party activity included access to certain company systems and the encryption of data,” the company said Monday in a filing with the Securities and Exchange Commission. “In response, the company shut down certain systems and continues to implement measures to secure its business operations, bring systems back online and respond to the incident.”
    • A spokesperson for the non-bank mortgage lender declined to say how or when the threat actor gained access to its systems and if it’s received an extortion demand or paid a ransom.
  • and
    • “Distributed denial of service attacks hit an all-time high in 2023, more than doubling year over year in the fourth quarter, Cloudflare said Tuesday in a threat report.
    • “The record high year for DDoS attacks coincided with mass exploits of the novel zero-day vulnerability HTTP/2 Rapid Reset, which threat actors used to launch DDoS attacks that broke records during the third quarter of 2023.
    • “Cloudflare said it was mitigating about 201 million requests per second at the peak of the series of HTTP/2 vulnerability attacks.
    • “Massive DDoS attacks require significantly fewer capabilities, resources and time, according to Omer Yoachimik, senior product manager of DDoS protection and security reporting at Cloudflare.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) let us know on January 11,
    • “Cisco released a security advisory to address a vulnerability (CVE-2024-20272) in Cisco Unity Connection. A cyber threat actor could exploit this vulnerability to take control of an affected system.
    • “CISA encourages users and administrators to review the Cisco Unity Connection Unauthenticated Arbitrary File Upload Vulnerability advisory and apply the necessary updates.”
  • CISA added six known exploited vulnerabilities to its catalog on January 8, one more on January 10, and another one on the same day.

From the ransomware front,

  • Per Cybersecurity Dive,
    • “Almost 5,200 organizations were hit by ransomware attacks in 2023, Rapid7 said in a Friday blog post, pulling research from public disclosures and incident data from its managed detection and response team.
    • “In reality, we believe that number was actually higher because it doesn’t account for the many attacks that likely went unreported,” Christiaan Beek, senior director of threat analytics at Rapid7, said in the report.
    • “Rapid7 didn’t provide numbers for 2022, but research from other firms concludes the number of ransomware attacks is rising. There were twice as many ransomware attacks in the second half of 2023, compared to the latter half of 2022, according to BlackFog.”
  • Security Week reports,
    • “Over the weekend, the LockBit ransomware gang claimed responsibility for a November 2023 cyberattack on the hospital system Capital Health.
    • “In December, Capital Health announced that it fell victim to a cyberattack that resulted in network outages and that it immediately launched an investigation, informed law enforcement, and started the restoration process.
    • “At this time, all services are available at our facilities, all systems have been restored, and all operations have returned to normal,” the organization said in an incident notification.
    • “According to the LockBit ransomware gang, only data exfiltration occurred.
    • “We purposely didn’t encrypt this hospital so as not to interfere with patient care,” the gang notes on its Tor-based leak site.
    • “The ransomware group says it stole more than 10 million files from the healthcare organization, which allegedly includes medical confidentiality data.”
  • Here’s a link to Bleeping Computer’s latest Week in Ransomware.

From the cybersecurity defenses front,

  • Federal News Network identifies five steps for building an adaptable, dynamic zero trust architecture within federal agencies.
  • Security Boulevard considers how to recover after failing a cybersecurity audit.

Weekend Update

The FEHBlog was tied up with family business yesterday, so Cybersecurity Saturday appears below the Weekend Update.

From Washington, DC,

  • Congress is back to work on Capitol Hill. The Wall Street Journal describes the situation as “Battered Congress Has Two Weeks to Fix Three Big Problems: Talks to stop a government shutdown, fix the border and fund Ukraine converge on Capitol Hill.”
  • The Journal adds this evening,
    • “Congressional leaders reached a bipartisan deal on Sunday setting a roughly $1.6 trillion federal spending level for the year, but the pact drew quick criticism from some conservatives, and it remained unclear whether lawmakers would be able to quickly pass legislation averting a government shutdown.”
  • Congress does not have any hearings scheduled for this week.
  • The Washington Post reports,
    • “The Supreme Court said Friday it will review a case (No. 23-727) challenging Idaho’s strict abortion ban, which the Biden administration says conflicts with a federal law [EMTALA] requiring emergency room doctors to perform the procedure in some circumstances.”
  • Federal News Network provides more background on reducing retirement program overpayments.
    • “For OPM, many of the improper payments that the agency makes through retirement services may stem from limited data, on account of not using enough analytics to identify beneficiaries who have died and therefore are no longer entitled to the benefits, [Linda] Miller, [Audient Group CEO,] said.
    • “There is more than one way of identifying people who have passed away — looking at Social Security, obituary data and more accurate information on deaths,” Miller said. “OPM doesn’t use much of that data, so the reports are likely less accurate.”

From the public health and medical research front,

  • Fortune Well offers us four strategies for older folks to get good quality sleep and an approach to adding beneficial thirty-second-long micro-workouts to your day.
  • Govexec tells us,
    • “The Veterans Affairs Department will soon begin funding research into the use of psychedelics such as MDMA and mushrooms to treat PTSD and depression, the first time the agency has done so since the 1960s. 
    • “The announcement answers the call from some veterans and researchers who have long advocated for the potential medical benefits of MDMA and psilocybin, or psychoactive mushrooms. VA on Friday issued a request for applications to its network of researchers, collaborating with academic institutions to solicit proposals to study the impact of using the compounds to treat post-traumatic stress disorder and depression in veterans.” 

From the U.S. healthcare front,

  • STAT News reminds us that the JP Morgan Healthcare Conference will be held this week in San Francisco.
    • “Nonprofit hospitals often get overshadowed at the J.P. Morgan Healthcare Conference, the health care industry’s swankiest investor meeting whose agenda is dominated by drugmakers and biotech companies.
    • “But hospitals are still the largest part of America’s health care economy, commanding nearly a third of the country’s $4.7 billion health care tab. And similar to last year, when hospitals touted their plans for expansion and hiking prices, they will have a rosy picture to sell to financiers as patients flock to their facilities.”
  • The American Medical Association informs us, “What doctors wish patients knew about scope of practice.”
  • Health Payer Intelligence points out,
    • “Despite efforts to reduce drug costs through Medicare negotiation for 10 common medications, the US still pays more for these drugs than almost any other nation, even after factoring in discounts and rebates, according to a Commonwealth Fund chart pack.
    • “The researchers used 2021 data from IQVIA and the Medicare Payment Advisory Commission (MedPAC) to assess how US drug prices differed from international trends. With this information, the researchers compiled 12 charts that situate the drug prices in the United States compared to other countries.”
  • Per Fierce Healthcare,
    • “Duluth, Minnesota-based Essentia Health and Marshfield, Wisconsin-based Marshfield Clinic Health System have scrapped their plan to merge into a 25-hospital Midwest system.
    • “The two nonprofit health systems said in a statement that they have “engaged in meaningful discussion” over the last two years about how the organizations could combine their unique strengths.
    • “We have decided that a combination at this time is not the right path forward for our respective organizations, colleagues and patients,” the health systems said in a statement posted to Essentia Health’s website Friday.”
  • BioPharma Dive reports,
    • “Metagenomi, a biotechnology startup working to identify new CRISPR enzymes for editing genes, has filed to go public.
    • “Backed by healthcare investors and pharmaceutical firms including Novo Nordisk’s parent company and Bayer’s venture arm, Metagenomi most recently raised a $275 million Series B round. The startup is also partnered with Moderna and Ionis Pharmaceuticals.
    • “The Emeryville, California-based biotech is one of at least three life sciences companies to publicly plan for an initial public offering so far this year. Should it successfully price an IPO, its performance could serve as an early barometer for the sector in 2024.”
  • The Society for Human Resource Management notes HR trends for which we should be prepared in 2024.

Cybersecurity Saturday

HealthcareIT Today offers a boatload of cybersecurity predictions for 2024.

From the cybersecurity vulnerabilities front,

  • HHS’s Health Sector Cybersecurity Coordination Center (HC3) released its December 2023 monthly vulnerabilities report on January 4:
    • “In December 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for December are from Microsoft, Google/Android, Apple, Mozilla, Cisco, SAP, VMWare, Adobe, Fortinet, and Atlassian. A vulnerability is given the classification of a zero-day when it is actively exploited with no fix available or if it is publicly disclosed. HC3 recommends patching all vulnerabilities with special consideration to the risk management posture of the organization.”
  • The Cybersecurity and Infrastructure Security Agency added two more known exploited vulnerabilities to the catalog on January 2.
  • Cybersecurity Dive reported on January 5,
    • “A critical vulnerability in Apache OFBiz was hit with a surge in exploitation attempts in recent weeks, which could allow attackers to take control of affected systems and launch supply chain attacks, according to researchers from SonicWall.
    • “Apache OFBiz is an open source enterprise resource system that is used in a wide range of software, including Atlassian Jira, which is used by more than 120,000 companies. “Jira uses a customized OFBiz Entity Engine that does not implement the vulnerable framework module,” a spokesperson for Atlassian told Cybersecurity Dive via email.
    • “The authentication bypass vulnerability, listed as CVE-2023-51467, has a CVSS score of 9.8 and could expose sensitive data or allow an unauthenticated attacker to execute arbitrary code.”

From the ransomware front,

  • Here’s a link to the Bleeping Computer’s Week in Ransomware.

From the cyber defenses front,

  • The Wall Street Journal offers tips for securing computers for personal and small business use.
  • An ISACA expert explains,
    • “As the digital realm continues to expand, it is axiomatic that cybersecurity threats are escalating concurrently. The fight against cybercrime has transformed from an optional frontline battle to a mandatory survival skill for businesses and individuals. Unfortunately, humans have now surpassed machines as the most favored targets for cybercriminals. An effective approach that merges change management methodology with cybersecurity procedures is needed to combat this.”
  • Security Intelligence offers a holistic approach to information and operational technology security.

Cybersecurity Saturday

Reflections

  • WIRED Magazine looks back on 2023’s worst “breaches, leaks, ransomware attacks, digital extortion cases, and state-sponsored hacking campaigns.”
  • Security Intelligence provides a roundup of federal actions that shaped cybersecurity in 2023.
  • Info-Security Magazine discusses the top five cybersecurity mergers and acquisitions of 2023.

Recent breaches

  • Health IT Security reports on recent health sector breaches.
  • The Cybersecurity and Infrastructure Security Agency did not post news this week.

Ransomware

  • Bleeping Computer did update The Week in Ransomware yesterday.
    • “It’s been a quiet week, with even threat actors appearing to take some time off for the holidays. We did not see much research released on ransomware this week, with most of the news focusing on new attacks and LockBit affiliates increasingly targeting hospitals.
    • “These attacks include ones against Yakult Australia and the Ohio Lottery by the new DragonForce ransomware operation.
    • “The most concerning news is that LockBit affiliates increasingly target hospitals in attacks, even though the ransomware operation says it’s against the rules.
    • FEHBlog note — There’s no honor among thieves.

Looking forward,

  • The Wall Street Journal reports,
    • “Companies in 2023 saw rising cybersecurity threats, rising regulation and rising costs for cyber insurance, while dealing with tight budgets and a tighter labor market. 
    • “The year ahead will bring no letup. 
    • “Both geopolitical adversaries and common criminals will intensify strikes on U.S. companies to steal information and disrupt business, government security officials say. Ransomware remains a significant threat, with new malware strains emerging as quickly as older ones fade. Serious attackers linked to China and Russia are exploiting bugs in the technology supply chain to get into corporate networks through a side door. 
    • “Chief information security officers increasingly are responding by working with the chief risk officer, general counsel, chief financial officer and chief information officer to set cyber risk policies and processes. That collaboration is vital as the Big Four cyber adversaries of the U.S.—China, Iran, North Korea and Russia—show no signs of slowing attacks.”  
  • Info-Security Magazine offers ten cybersecurity predictions for next year.

Happy New Year!

Cybersecurity Saturday

From the cybersecurity policy front,

  • Fortune offers a commentary on the topic aptly titled “A quiet cybersecurity revolution is touching every corner of the economy as U.S., allies ‘pull all the levers’ to face new threats.”
  • Cybersecurity Dive informs us,
    • “The Cybersecurity and Infrastructure Security Agency is seeking comment on a global effort to improve software security through major changes in development practices.
    • “The request for information, released Wednesday, seeks input about how to best incorporate security into the software development life cycle. Specifically, CISA is asking for input on how to tackle recurring software vulnerabilities, how to implement security into higher education, and how to enhance security into operational technology and how secure practices may impact costs.
    • “Our goal to drive forward a future where technology is safe and secure by design requires action by every technology manufacturer and clear demand by every consumer, which in turn requires us to rigorously seek and incorporate input,” CISA Director Jen Easterly said in the announcement.”
  • Federal News Network points out,
    • The Defense Department’s long-awaited proposed rule for the Cybersecurity Maturity Model Certification (CMMC) lays out DoD’s plan to introduce the CMMC requirements over the next three years. The proposed rule, released today [December 22] and scheduled to be published in the Federal Register on Dec. 26, would establish requirements “for a comprehensive and scalable assessment mechanism” to ensure defense contractors are implementing required security protections.

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive reports
    • “Comcast’s Xfinity broadband entertainment platform disclosed a massive data breach involving 35.9 million customers on Monday, an incident connected to the ongoing CitrixBleed vulnerability.
    • “Xfinity promptly patched the vulnerability in Citrix software it uses in mid-October and took additional mitigation steps, the company said in an announcement. However, during a routine cybersecurity exercise on Oct. 25, Xfinity found an anomaly in its systems and identified a breach between Oct. 16-19 by an unauthorized party. 
    • “After launching an investigation and contacting law enforcement, on Nov. 16 the company determined that customer data was likely stolen. On Dec. 6, Xfinity determined the compromised data included user names and hashed passwords. In some cases, names, contact information, the last four digits of Social Security numbers, dates of birth and secret questions and answers were accessed.”
  • Health IT Security adds,
    • “Genetic testing company 23andMe notified 6.9 million individuals that their personal information was compromised in October 2023. However, 23andMe had no evidence that there was a data security incident within its systems. Instead, threat actors leveraged credential stuffing, a tactic in which hackers use stolen login information from one account to gain access to other accounts with the same passwords. * * *
    • “The 23andMe breach exemplified the effects that poor cyber hygiene by end users can have on data security. What’s more, the breach’s impact was expanded since access to one account gave hackers further access to other user profiles via the DNA Relatives feature.
    • “Multi-factor authentication (MFA) often emerges as a sensible solution to this issue. The cornerstones of authentication revolve around three factors: something you know, something you have, and something you are. While single-factor authentication requires the user to identify only one of those factors, MFA necessitates that users produce two or more factors, such as a password and a security token, or a PIN and a fingerprint.”
  • CISA added two known exploited vulnerabilities to its catalog on December 21.
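The credential-stuffing pattern described in the 23andMe item above, as an added example that is not from the FEHBlog or Health IT Security: a small Python detector run over constructed authentication log lines (the log format is hypothetical). It flags sources that try many distinct accounts with mostly failed logins, and lists which accounts the replayed credentials actually unlocked, since those are the accounts to reset and enrol in MFA.

```python
# Added example (not from the FEHBlog post or Health IT Security): a
# credential-stuffing detector over constructed auth log lines. Stuffing
# replays leaked username/password pairs at scale, so the telltale pattern is
# one source touching many distinct accounts with mostly failures.
from collections import defaultdict
import re

# Constructed sample log lines in a hypothetical format (not a real system).
SAMPLE_LOG = """\
2023-10-01T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2023-10-01T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2023-10-01T10:00:03Z src=203.0.113.7 user=carol result=FAIL
2023-10-01T10:00:04Z src=203.0.113.7 user=dave result=SUCCESS
2023-10-01T10:00:05Z src=203.0.113.7 user=erin result=FAIL
2023-10-01T10:00:06Z src=203.0.113.7 user=frank result=FAIL
2023-10-01T10:01:00Z src=198.51.100.4 user=alice result=FAIL
2023-10-01T10:01:05Z src=198.51.100.4 user=alice result=FAIL
2023-10-01T10:01:09Z src=198.51.100.4 user=alice result=SUCCESS
2023-10-01T10:02:00Z src=192.0.2.9 user=gina result=SUCCESS
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(FAIL|SUCCESS)")

def parse_log(text):
    """Yield (source, user, success) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3) == "SUCCESS"

def find_stuffing_sources(text, min_accounts=5, min_fail_ratio=0.6):
    """Return {source: (accounts_tried, accounts_unlocked)} for sources that
    tried at least min_accounts distinct usernames with a failure ratio of at
    least min_fail_ratio. A single account with repeated failures (brute force)
    is deliberately not flagged here; that is a different pattern."""
    attempts = defaultdict(list)
    for src, user, ok in parse_log(text):
        attempts[src].append((user, ok))
    flagged = {}
    for src, events in attempts.items():
        users = {u for u, _ in events}
        fails = sum(1 for _, ok in events if not ok)
        if len(users) >= min_accounts and fails / len(events) >= min_fail_ratio:
            flagged[src] = (sorted(users), sorted(u for u, ok in events if ok))
    return flagged

if __name__ == "__main__":
    for src, (tried, unlocked) in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{src}: {len(tried)} accounts tried, unlocked: {unlocked}")
```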

From the ransomware front,

  • The American Hospital Association tells us,
    • “The FBI, Cybersecurity and Infrastructure Security Agency and Australian Cyber Security Centre Dec. 18 released a warning about actions and tactics used by the Play ransomware group. The group has impacted a wide range of businesses and critical infrastructure in North America, South America and Europe since 2022, in addition to incidents in Australia in April and November this year. 
    • “The cyber threat actors are presumed to be a closed group, designed to “guarantee the secrecy of deals,” according to a statement on the group’s data leak website. Play ransomware actors use a double-extortion model, which encrypts systems after exfiltrating data; their ransom notes do not include an initial ransom demand or payment instructions; rather, victims are instructed to contact the threat actors via email.” 
  • On December 19,
    • “CISA and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA), #StopRansomware: ALPHV Blackcat, to disseminate known ALPHV Blackcat affiliates’ tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) identified through FBI investigations as recently as Dec. 6, 2023. The advisory also provides updates to the FBI FLASH BlackCat/ALPHV Ransomware Indicators of Compromise released April 19, 2022.”
  • Bleeping Computer’s “The Week in Ransomware” offers details on the ALPHV situation that are worth a gander.

From the cybersecurity defenses front,

  • Dark Reading reports,
    • “Cisco is closing out a busy year of acquisitions with a new deal to boost its multicloud networking and security capabilities.
    • “The networking giant announced its intention to acquire Isovalent, a cloud-native security and networking startup that helped develop two widely used visibility projects, eBPF, Cilium, and Tetragon. The open source technology eBPF provides developers with “unmatched visibility into the inner workings of the operating system,” Cisco said in a statement. The technology presents a way for building security systems that can protect a workload while running, according to the company. * * *
    • “Isovalent will join Cisco Security Business Group after the acquisition closes, which is expected in the second quarter of 2024 (third quarter of Cisco’s fiscal year). The purchase price was not disclosed.”
  • CISA issued a blog post about planned improvements to its cybersecurity information sharing.
    • “Our shared visibility into cyber threats is our best defense. When an organization identifies threat activity and keeps it to itself, our adversaries win. When we rapidly share actionable information across a community of partners, we take back the advantage. And, when we turn actionable information into strategic investments to drive the most important mitigations, we achieve enduring change. In this new year, we encourage every organization to make a commitment, perhaps a New Year’s resolution, to cybersecurity information sharing, including incident information, indicators of compromise, or even feedback and insights that could benefit peers across the Nation. We look forward to sharing more details about TIES and our cyber threat exchange modernization initiatives throughout the year.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cybersecurity Dive reported on December 13,
    • “The Senate confirmed Harry Coker Jr. as national cyber director Tuesday, ending a 10-month absence of a permanent leader in the role.
    • “The Navy veteran and executive director of the National Security Agency from 2017 to 2019, will lead the Office of the National Cyber Director and its team of about 100 employees after the Senate confirmed his nomination by a 59-40 vote.
    • “Coker joins the White House at a critical time, with the onus now on him to implement the national cybersecurity strategy that aims to shift the responsibility for security to technology manufacturers and vendors instead of customers.”
  • Bank Info Security explains,
    • “In a Friday advisory, CISA said it had performed the assessment in January at the request of a “large organization deploying on-premise software” that the agency did not identify.
    • “The risk and vulnerability assessment is a two-week penetration test of an entire organization. The first week is spent on external testing, and the second week focuses on assessing the internal network. The CISA team identified default credentials for multiple web interfaces and used default printer credentials while penetration testing. Other internal assessment testing found several other weaknesses.
    • “Based on its findings, the agency recommends healthcare and public health sector organizations ensure measures such as enhancing their internal environments to mitigate follow-on activity after initial access, using phishing-resistant multifactor authentication for all administrative access, and segregating networks. It also recommends verifying the implementation of those hardening measures, including changing, removing or deactivating all default credentials.
    • “CISA said its recommendations can apply to all critical infrastructure organizations as well as to software manufacturers.
    • “The agency said that as part of its assessment, its team had conducted web application, phishing, penetration, database and wireless assessments.”

From the cybersecurity vulnerability and breaches front,

  • Cybersecurity Dive reports,
    • “U.S. authorities warn that threat actors linked to the Russian Foreign Intelligence Service (SVR) are exploiting a critical vulnerability in JetBrains TeamCity software as part of a worldwide effort that could lead to extensive supply chain attacks.
    • “The FBI, National Security Agency, Cybersecurity and Infrastructure Security Agency, along with U.K. and Polish authorities, said Nobelium/Midnight Blizzard — a threat group linked to the 2020 Sunburst attacks against SolarWinds — has been targeting hundreds of unpatched TeamCity servers across the globe, which are widely used for software development. 
    • “The hackers have not yet launched supply chain attacks, but have used their initial access to escalate privileges, move laterally within systems and install malicious backdoors in preparation for larger attacks, authorities said.”
  • and
    • “CitrixBleed isn’t going away: Security experts struggle to control critical vulnerability. While officials echo urgent mitigation steps to contain the zero-day vulnerability, high-profile organizations continue to bear the impact.”
  • CISA added a known exploited vulnerability to its catalog on December 11.

From the ransomware front, Bleeping Computer’s Week in Ransomware is back this week.

From the cybersecurity defenses front,

  • CISA offers insights from its intensive risk assessment project discussed above under cybersecurity policy.
    • Here are the headlines:
      • “ACTIONS TO TAKE TODAY TO HARDEN YOUR INTERNAL ENVIRONMENT TO MITIGATE FOLLOW-ON ACTIVITY AFTER INITIAL ACCESS.
      • “Use phishing-resistant multi-factor authentication (MFA) for all administrative access.
      • “Verify the implementation of appropriate hardening measures, and change, remove, or deactivate all default credentials.
      • “Implement network segregation controls.”
  • ISACA offers five things for various professionals to put on their 2024 to-do lists. Here are the five things for cybersecurity and privacy professionals. Check them out.
  • Security Boulevard discusses the next great line of defense, security as code (SaC).
    • “Security as Code (SaC) is the practice of building and integrating security into tools and workflows by identifying places where security checks, tests, and gates may be included.”