Cybersecurity Saturday

From the cybersecurity policy front,

  • Cyberscoop lets us know,
    • “Bipartisan legislation to close a loophole in federal cybersecurity standards by requiring vulnerability disclosure policies for government contractors is getting another shot at passage in this Congress.
    • “The Federal Contractor Cybersecurity Vulnerability Reduction Act, a bicameral, bipartisan bill that stalled out last year in the Senate, was reintroduced Friday [January 31] in the House by Reps. Nancy Mace, R-S.C., and Shontel Brown, D-Ohio. 
    • “The bill, whose 2024 companion in the upper chamber came from Sens. Mark Warner, D-Va., and James Lankford, R-Okla., calls on the Office of Management and Budget and the Defense Department to update federal acquisition policies to require all federal contractors to institute vulnerability disclosure policies (VDPs).
    • “This is a matter of national security,” Mace said in a press release. “Federal contractors handle some of the most sensitive information and critical infrastructure in the country. Without basic vulnerability disclosure policies, we are leaving a gaping hole in our cybersecurity defenses. This bipartisan bill ensures contractors uphold the same cybersecurity standards as federal agencies, reducing risks before they turn into catastrophic breaches.”
  • The Wall Street Journal reports,
    • “Lawmakers announced Thursday they planned to introduce a bill to ban DeepSeek’s chatbot application from government-owned devices, over new security concerns that the app could provide user information to the Chinese government. 
    • “The legislation written by Reps. Darin LaHood, an Illinois Republican, and Josh Gottheimer, a New Jersey Democrat, is echoing a strategy that Congress used to ban Chinese-controlled TikTok from government devices, which marked the beginning of the effort to block the company from operating in the U.S. 
    • “This should be a no-brainer in terms of actions we should take immediately to prevent our enemy from getting information from our government,” Gottheimer said.  
  • SC Media tells us,
    • “A U.S. cybersecurity agency issued a fresh set of guidance for organizations regarding best practices in securing their networks and data storage.
    • “The U.S. Cybersecurity and Infrastructure Security Agency (CISA) posted a set of guidelines aimed at helping companies better secure the commonly used devices that sit at the edges of most networks.
    • “This set of guidance, led by international cybersecurity authorities, is intended to help organizations protect their network edge devices and appliances, such as firewalls, routers, virtual private networks (VPN) gateways, Internet of Things (IoT) devices, internet-facing servers, and internet-facing operational technology (OT) systems,” CISA explained.
    • “It’s thought that American organizations will be motivated in the new year to brush up on security and install updates for commonly exploited security vulnerabilities in their edge devices.”

From the cybersecurity vulnerabilities and breaches front,

  • CISA added eleven known exploited vulnerabilities to its catalog this week.
  • Supplemental information on the additional KEVs:
    • Bleeping Computer provides background on the February 4 additions.
    • This Linux Security article explains the February 5 addition.
    • ACA Global explains the 7-Zip file compression tool addition on February 6.
    • WNE Security explains the Dante Discovery addition also on February 6.
    • Bleeping Computer discusses the Microsoft Outlook addition also on February 6.
    • Hacker News delves into the Trimble Cityworks addition on February 7.
  • Cybersecurity Dive points out,
    • “Microsoft has identified more than 3,000 publicly exposed ASP.NET machine keys that could be used by threat actors in code injection attacks against enterprise servers.
    • “In a blog post Thursday, Microsoft Threat Intelligence said it observed “limited activity” in December, in which a threat actor used a publicly available ASP.NET machine key to inject malicious code and deploy the Godzilla post-exploitation framework. While Microsoft said the threat actor is “unattributed,” the U.S. government previously has tied the Godzilla framework, which creates malicious web shells that can be used as backdoors, to a Chinese state-sponsored threat actor.
    • “In the course of investigating, remediating, and building protections against this activity, we observed an insecure practice whereby developers have incorporated various publicly disclosed ASP.NET machine keys from publicly accessible resources, such as code documentation and repositories, which threat actors have used to perform malicious actions on target servers,” Microsoft said in the blog post.”
  • and
    • “Security researchers warned about a surge in web login brute force attacks against edge devices from a suspected botnet since mid-to-late January, according to a post on X from the Shadowserver Foundation. 
    • “The threat activity targeted devices from several major vendors, including Palo Alto Networks, SonicWall and Ivanti, with more than 2.8 million source IPs per day, according to Shadowserver. The observed threat activity goes well beyond scanning and involves actual login attempts, researchers said.
    • “We do not know who is being targeted in particular, we can only observe attacks against our own honeypots,” Piotr Kijewski, CEO of Shadowserver, said via email.
  • Dark Reading reports,
    • More than two weeks after China’s DeepSeek garnered worldwide attention with its low-cost AI model, threat actors have been busy capitalizing on the news by setting up phishing sites impersonating the company.
    • The fraudulent sites aim to deceive users into downloading malicious software or providing credentials and other sensitive information. Researchers at Israel-based Memcyco spotted at least 16 such sites actively impersonating DeepSeek earlier this week and believe the activity represents a coordinated attack campaign among threat actors.
  • Per SC Media,
    • “Infostealers were identified as the largest group of new macOS malware, having increased by 101% in the last two quarters of 2024, according to the Palo Alto Networks Unit42 research group.
    • “The Unit42 research team pointed to three prevalent macOS infostealers in the wild: Poseidon, Atomic and Cthulhu.
    • “While infostealers are often seen as limited in capability compared with trojans, the researchers said in a Feb. 4 blog post that by exfiltrating sensitive credentials, financial records and intellectual property, infostealers often lead to data breaches, financial losses and reputational damage.
    • “Most infostealers are indiscriminate, aiming to maximize data collection for impact and monetization,” wrote the researchers. “This broad range of information stealing capabilities exposes organizations to significant risks, including data leaks and providing initial access for further attacks, such as ransomware deployment.”
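The Microsoft item above describes developers copying publicly disclosed ASP.NET machine keys into their own configuration. As an added example (not code from the page or from Microsoft), the following Python script audits a web.config for static <machineKey> values and flags any that match a list of disclosed keys; the KNOWN_DISCLOSED_KEYS set and both sample configs are constructed placeholders, not real disclosed keys.

```python
"""Audit ASP.NET web.config files for static <machineKey> values.

Added example; not Microsoft's tooling and not code from the page.
"""
import xml.etree.ElementTree as ET

# Constructed placeholders standing in for a feed of publicly disclosed
# machine keys (the real list is not on the page). Operators would load
# their own list here; keys are compared in upper case because hex is
# case-insensitive.
KNOWN_DISCLOSED_KEYS = {
    "A1B2C3D4" * 16,  # 128 hex chars, typical validationKey length for HMACSHA256
    "DEADBEEF" * 8,   # 64 hex chars, typical decryptionKey length for AES-256
}


def audit_machine_key(web_config_xml, known_keys=KNOWN_DISCLOSED_KEYS):
    """Return a list of (attribute, verdict) tuples for every <machineKey>.

    Verdicts:
      "auto-generated" - the runtime generates the key; nothing is copyable
      "disclosed"      - static key appears in the known-disclosed list
      "static"         - static key not in the list; confirm it was generated
                         for this deployment and never published
    """
    root = ET.fromstring(web_config_xml)
    results = []
    for elem in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = elem.get(attr)
            # ASP.NET defaults to AutoGenerate,IsolateApps when the attribute is absent.
            if value is None or value.strip().upper().startswith("AUTOGENERATE"):
                results.append((attr, "auto-generated"))
                continue
            key = value.strip().upper()
            verdict = "disclosed" if key in known_keys else "static"
            results.append((attr, verdict))
    return results


def has_disclosed_key(web_config_xml, known_keys=KNOWN_DISCLOSED_KEYS):
    """True when any machineKey attribute matches a publicly disclosed key."""
    return any(v == "disclosed" for _, v in audit_machine_key(web_config_xml, known_keys))


# Constructed sample: a web.config whose validationKey was pasted from a
# public source and whose decryptionKey is a unique static key.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="{vk}"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>""".format(vk="a1b2c3d4" * 16)

# Constructed sample with no hard-coded keys at all.
SAFE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>"""


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_WEB_CONFIG), ("safe", SAFE_WEB_CONFIG)):
        print(name, audit_machine_key(cfg))
```

A "static" verdict is not a finding by itself, since web farms legitimately share a fixed key; it is a prompt to confirm the key was generated locally rather than copied from documentation or a repository.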

From the ransomware front,

  • Cyberscoop informs us,
    • “Ransomware payments saw a dramatic 35% drop last year compared to 2023, even as the overall frequency of ransomware attacks increased, according to a new report released by blockchain analysis firm Chainalysis.
    • “The considerable decline in extortion payments is somewhat surprising, given that other cybersecurity firms have claimed that 2024 saw the most ransomware activity to date. Chainalysis itself warned in its mid-year report that 2024’s activity was on pace to reach new heights, but attacks in the second half of the year tailed off.
    • “The total amount in payments that Chainalysis tracked in 2024 was $812.55 million, down from 2023’s mark of $1.25 billion.
    • “Despite its small half-over-half (HoH) increase, we expected 2024 to surpass 2023’s totals by the end of the year,” the company wrote on its website. “Fortunately, however, payment activity slowed after July 2024 by approximately 34.9%. This slowdown is similar to the HoH decline in ransom payments since 2021 and the overall decline during H2 2024 in some types of crypto-related crime, such as stolen funds. Notably, the decline this year is more pronounced than in the last three years.”
    • “The disruption of major ransomware groups, such as LockBit and ALPHV/BlackCat, was key to the reduction in ransomware payments. Operations spearheaded by agencies like the United Kingdom’s National Crime Agency (NCA) and the Federal Bureau of Investigation (FBI) caused significant declines in LockBit activity, while ALPHV/BlackCat essentially rug-pulled its affiliates and disappeared after its attack on Change Healthcare.
    • “As the industry has seen in past years, ransomware groups often fill the market after the heads of the pack have been dismantled by law enforcement. However, when LockBit and BlackCat disappeared, a well-known ransomware group did not immediately take the mantle. Instead, smaller groups took advantage of the situation, focusing on small to medium-sized targets and asking for small ransoms, according to Chainalysis’ report. 
    • “Additionally, the company says more organizations have become stronger against attacks, with many choosing not to pay a ransom and instead using better cybersecurity practices and backups to recover from these incidents.”
  • Per Bleeping Computer,
    • “The North Korean hacking group known as Kimsuky was observed in recent attacks using a custom-built RDP Wrapper and proxy tools to directly access infected machines.
    • “This is a sign of shifting tactics for Kimsuky, according to AhnLab Security Intelligence Center (ASEC), who discovered the campaign.
    • “ASEC says the North Korean hackers now use a diverse set of customized remote access tools instead of relying solely on noisy backdoors like PebbleDash, which is still used.”

From the cybersecurity defenses and business / history front,

  • ISACA has released its 2025 State of Privacy Report.
  • Here’s a link to Dark Reading’s CISO Corner.
  • Cybersecurity Dive relates,
    • “Thoma Bravo-backed cybersecurity firm Sophos completed its acquisition of Secureworks Monday in an all-cash transaction valued at $859 million. 
    • “Sophos said the purchase of Secureworks positions Sophos as the largest pure-play provider of managed detection and response services, with a customer base of 28,000 organizations worldwide.
    • “The agreement also expands Sophos’s threat intelligence capabilities operating under the Sophos X-Ops name, with the addition of the Secureworks Counter Threat Unit and other security operations and advisory services.”
  • and
    • “SolarWinds Corp. has agreed to a $4.4 billion deal with Turn/River Capital whereby the private equity firm buys the software firm in an all-cash transaction at $18.50 per share. 
    • “The observability and IT management software provider will become a privately held company and no longer trade on the New York Stock Exchange. 
    • “We have built a great track record of helping customers accelerate business transformations through simple, powerful, secure solutions designed for hybrid and multicloud environments,” Sudhakar Ramakrishna, president and CEO of SolarWinds said in a statement. 
    • “The Austin, Texas-based firm took center stage in one of the most consequential cyberattack campaigns in history when state-linked hackers infected its Orion platform. The attack, disclosed in late 2020, led to massive reforms in how the industry developed software and attempted to secure IT systems against increasingly sophisticated state actors.”

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cyberscoop reports,
    • “A bipartisan pair of House lawmakers are seeking to improve private-public coordination for financial institutions amid a surge of ransomware attacks on the sector.
    • “The Public and Private Sector Ransomware Response Coordination Act, introduced this week by Reps. Zach Nunn, R-Iowa, and Josh Gottheimer, D-N.J., would direct the Treasury secretary to deliver a report on existing collaboration between federal agencies and private financial companies, examining how those partnerships can be improved to better protect the industry from cyberattacks.
    • “The legislation from Nunn and Gottheimer, both members of the House Financial Services Committee, comes as global ransomware attacks jumped 67% from 2023 to 2024, according to the director of national intelligence. And according to Statista, approximately 65% of financial institutions globally reported experiencing a ransomware attack in 2024, up from 34% in 2021.”
  • Per a House of Representatives announcement,
    • On Wednesday, February 5, 2025, the Committee on Homeland Security will hold a hearing entitled, “Preparing the Pipeline: Examining the State of America’s Cyber Workforce.”
    • The Committee will meet at 10:00 a.m. EST in 310 Cannon House Office Building. Witnesses will be by invitation only.
    • This event will be streamed live at homeland.house.gov and on YouTube.
  • Cyberscoop adds,
    • “The Federal Bureau of Investigation, along with several other international law enforcement departments, has seized control of several high-profile online platforms linked to cybercrime in a sweeping operation aimed at disrupting digital marketplaces for stolen credentials and hacking tools. The domains of forums Cracked[.]io and Nulled[.]to now redirect to FBI-controlled servers, signaling efforts to dismantle infrastructure that supports cybercriminal activity.
    • “As of Wednesday, visitors to the forums — long criticized as hubs for password theft, software piracy, and credential-stuffing attacks — encountered DNS error messages indicating federal intervention. Eagle-eyed cybersecurity researchers discovered Wednesday that the specialized servers that translate IP addresses into domain names redirected visitors to FBI-owned assets, effectively shutting down access. 
    • “Also seized were domains and services belonging to SellIX, which enabled users to create storefronts for illicit goods, and StarkRDP, a Windows remote desktop hosting service, which was allegedly leveraged by threat actors to anonymize attacks.
    • “According to the image on the Cracked and Nulled websites, law enforcement from Australia, France, Germany, Greece, Italy, Spain, and Romania were also involved. Europol also played a role, according to the image.”

From the cybersecurity vulnerabilities and breaches front,

  • Cyberscoop lets us know,
    • Cryptojacking, the tactic of breaking into a device to steal computing resources and mine crypto, is a pervasive, frustrating and expensive problem. But attacks like these can also raise cybersecurity concerns, especially when they happen to the federal government. 
    • Last fall, the U.S. Agency for International Development learned it was hit by a cryptojacking incident, according to documents viewed by Scoop News Group. The agency was notified by Microsoft that a global administrator account located in a test environment had been breached through a password spray attack — a brute force attempt to enter a system by guessing a series of passwords. 
    • That account was then used to create another account — and both were then deployed to begin crypto-mining processes through USAID’s Azure resources. The result was around half a million dollars in cloud service charges to the agency.
    • Using government resources to break into an agency’s resources for the purpose of mining crypto might sound strange, but it happens. 
  • Per Cybersecurity Dive,
    • “The Food and Drug Administration has released a safety communication about the cybersecurity vulnerabilities of certain patient monitors from Contec and Epsimed.
    • “The notice, which the FDA published Thursday [January 30], describes three vulnerabilities that can allow people to gain access to remote monitoring technology and potentially manipulate the devices.
    • “The FDA is not aware of cybersecurity incidents, injuries or deaths linked to the vulnerabilities but is advising patients, healthcare providers and IT staff to take steps to mitigate the risks.”
  • and
    • “Threat actors are exploiting a zero-day vulnerability in Zyxel CPE Series devices months after the security flaw was originally reported to the company, researchers at GreyNoise disclosed in a blog post Tuesday.
    • “The critical command-injection vulnerability, tracked as CVE-2024-40891, allows an attacker to execute arbitrary commands on a CPE Series device, which can lead to exfiltration of data, infiltration of a computer network or total system compromise. 
    • “Due to GreyNoise’s first-hand, confirmed mass exploitation attempts for this vulnerability, we chose to disclose this to raise awareness among those who may be impacted,” a spokesperson for GreyNoise said via email. “All decisions to move forward were made in conjunction with VulnCheck and its policies.”
  • Dark Reading informs us,
    • “Researchers have discovered two new ways to manipulate GitHub’s artificial intelligence (AI) coding assistant, Copilot, enabling the ability to bypass security restrictions and subscription fees, train malicious models, and more.
    • “The first trick involves embedding chat interactions inside of Copilot code, taking advantage of the AI’s instinct to be helpful in order to get it to produce malicious outputs. The second method focuses on rerouting Copilot through a proxy server in order to communicate directly with the OpenAI models it integrates with.
    • “Researchers from Apex deem these issues vulnerabilities. GitHub disagrees, characterizing them as “off-topic chat responses,” and an “abuse issue,” respectively. In response to an inquiry from Dark Reading, GitHub wrote, “We continue to improve on safety measures in place to prevent harmful and offensive outputs as part of our responsible AI development. Furthermore, we continue to invest in opportunities to prevent abuse, such as the one described in Issue 2, to ensure the intended use of our products.”
  • The Cybersecurity and Infrastructure Security Agency added one known exploited vulnerability to its catalog this week.
  • The CIS Center for Internet Security adds,
    • “Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
    • “THREAT INTELLIGENCE:
      • Apple is aware of a report that CVE-2025-24085 may have been actively exploited against versions of iOS before iOS 17.2.”

From the ransomware front,

  • Forbes reports,
    • “With LockBit already stating that Feb. 3 will see it restart operations, the threat is about as real as it gets. So, what do you need to do?
    • “The primary mitigations are:
      • Install updates for operating systems, software and firmware as soon as they are released.
      • Require phishing-resistant, non SMS-based multi-factor authentication.
    • “In the face of these challenges, businesses, governments, and individuals must stay vigilant and proactive,” Matt Hull, global head of threat intelligence at NCC Group, warned, and that’s good advice that you would be well-advised to action immediately before the ransomware threat becomes a reality for you.”
  • Dark Reading points out,
    • “Two healthcare institutions, Frederick [Maryland] Health and New York Blood Center Enterprises (NYBCe), are grappling with disruptions from separate ransomware attacks they faced this past week.
    • “Frederick Health posted an update to its website on Jan. 27 noting that it “recently identified a ransomware event” and is working to contain it with third-party cybersecurity experts to get its systems back online.
    • “Though most of its facilities remain open and are still providing patient care, Frederick Health reported that its Village Laboratory is closed and that patients may experience some operational delays.
    • “New York Blood Center Enterprises, a nonprofit made up of a collection of independent blood centers, first identified suspicious activity affecting its IT systems on Jan. 26. On Jan. 29, it alerted the public that it took its systems offline in an effort to contain the threat, which was attributed to a ransomware attack. NYBCe is working to restore its systems; however, it remains unclear when it will be fully operational again. The organization expects processing times for blood donations at its centers and offsite blood drives may take longer than usual.”
  • Bleeping Computer adds,
    • “Community Health Center (CHC), a leading Connecticut healthcare provider, is notifying over 1 million patients of a data breach that impacted their personal and health data.
    • “The non-profit organization provides primary medical, dental, and mental health services to more than 145,000 active patients.
    • “CHC said in a Thursday filing with Maine’s attorney general that unknown attackers gained access to its network in mid-October 2024, a breach discovered more than two months later, on January 2, 2025.
    • “While the threat actors stole files containing patients’ personal and health information belonging to 1,060,936 individuals, the healthcare organization says they didn’t encrypt any compromised systems and that the security breach didn’t impact its operations.”
  • Hacker News explains how Interlock ransomware infects healthcare organizations.

From the cybersecurity defenses front,

  • Cyberscoop informs us,
    • “Imagine, for a moment, that your network is hit with ransomware.
    • “One of your employees clicked on a malicious link and now your network is compromised, data is encrypted and most of the organization’s systems are locked or offline.
    • “Then imagine if instead of assembling an incident response team, notifying the board and contacting law enforcement, the forensic sensors in your device’s firmware spring to life. They begin healing your network, restoring locked files, and communicating with other systems to collect forensic data.
    • “The firmware then analyzes the data to identify how the attackers entered and exploited system weaknesses, then blocks those vulnerabilities to prevent future breaches through the same entry points. 
    • “While it sounds like science fiction, researchers at one of the Pentagon’s top cyber innovation hubs are attempting to prove the idea is more than a pipe dream.
    • “Red-C, a new project being rolled out by the Defense Advanced Research Projects Agency, seeks to build new defenses into bus-based computer systems, which are firmware-level systems used in everything from personal computers to weapons systems to vehicles.”
  • Cybersecurity Dive tells us,
    • “Organizations that have consolidated security spending into integrated platforms have experienced improved cyber resilience and stronger operational efficiencies, according to a study released Tuesday by IBM and Palo Alto Networks.
    • “Managing security stacks has been a struggle for organizations, which juggle an average of 83 different security tools from 29 different vendors, according to the study.
    • “More importantly, the “platformization” model reduces the time it takes to identify and mitigate security incidents by an average of 74 days and 84 days, respectively, the study found.”
  • Per Dark Reading,
    • “When automated pen-testing tools appeared a few years ago they prompted an interesting question: How close are they to replacing human pen testers? While the short answer was “not that close — yet,” they definitely had potential and were worth keeping an eye on.
    • “As I’ve just had the chance to review the latest iteration of these tools, it’s interesting to see how they’ve evolved and how close are they now are to replacing the human pen tester for offensive security work.” * * *
    • “Overall, it’s good to see these tools evolve. The rate of change is glacial, but they now understand cloud environments and can target Web applications, though they are still temperamental, costly, and miss a few things. One could argue humans are the same. For now, however, humans maintain the advantage — but they aren’t mutually exclusive. Just like crowdsourced security and traditional pen testing, automated pen testing is now another tool that can be layered onto your offensive security testing, where it can help you find the exploits that matter to your organization.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity personnel front,

  • Saturday morning, two-term South Dakota Governor Kristi Noem received Senate confirmation of the President’s nomination of her to be Secretary of Homeland Security, which is the home of the Cybersecurity and Infrastructure Security Agency (CISA). The Senate vote was 59-34 in her favor.
  • Federal News Network reports in a January 24 article,
    • Greg Barbaccia seems to be the new federal chief information officer. Barbaccia updated his LinkedIn page just recently.
    • He replaces Clare Martorana, who was the federal CIO for the last three-plus years.
    • Emails to OMB and the White House seeking confirmation and comment were not immediately returned.
    • Barbaccia is a former Army intelligence sergeant and intelligence community analyst from 2003 to 2009. Since then, he’s worked in the private sector.
  • FedScoop lets us know in a January 22, 2025, article,
    • The Office of Personnel Management again has a new chief information officer. 
    • Greg Hogan will serve as CIO, an agency spokesperson confirmed to FedScoop on Wednesday [January 22]. His appointment comes roughly a week after Melvin Brown II took over that role following former CIO Guy Cavallo’s retirement from federal service. 

From the cybersecurity vulnerabilities and breaches front,

  • On January 16, 2025, HHS’s Health Sector Cybersecurity Coordination Center issued its report on December 2024 vulnerabilities of concern to the health sector.
  • MedCity News points out that “Cybersecurity Threats Continue to Rise for Healthcare Organizations, Research Shows. The vast majority of healthcare organizations have spotted a cyberattack and suffered financial consequences as a result in the past 12 months, according to new research. A separate report also found that overall cyberattacks on healthcare organizations have risen by 32% year-over-year.”
  • Cybersecurity Dive tells us,
    • “Conduent, a New Jersey-based government contractor that provides technology platforms to multiple social service agencies and transit systems across the U.S., confirmed Wednesday it was impacted by a cyberattack.
    • “The incident first became public after Wisconsin officials reported delays in child support payments. Wisconsin was one of four states impacted by the outage.
    • “A spokesperson for Conduent confirmed the disruption was due to a cyber incident, but did not elaborate on the details. Conduent did not provide any details about how the incident was initially discovered or a specific timeline about the response.”
  • and
    • “BeyondTrust determined 17 customers were impacted in a December attack spree related to the compromise of a Remote Support SaaS API key. 
    • “The attack, attributed to a state-linked threat actor, included the compromise of several offices of the U.S. Treasury Department, where hackers gained access to unclassified data. 
    • “BeyondTrust said it worked with its affected customers to support their respective investigations by providing them with artifacts, logs, indicators of compromise and other information.”
  • and
    • “Hewlett Packard Enterprise said it is investigating claims a threat group gained access to a trove of sensitive company data. 
    • “The threat group, IntelBroker, posted a claim on BreachForums that it had access to a large trove of HPE data, according to researchers from Arctic Wolf. 
    • “The allegedly stolen data includes private GitHub repositories, Docker builds, source code and other information, according to the posting. 
    • “Upon learning of the claim Thursday [January 23], the company immediately activated cyber response protocols, disabled related credentials and launched an investigation to determine whether the claims were valid, a spokesperson said Tuesday via email. 
    • “There is no operational impact to our business at this time, nor evidence that customer information is involved,” the spokesperson said.”
  • The American Hospital Association informs us,
    • “The Cybersecurity and Infrastructure Security Agency and FBI Jan. 22 released an advisory explaining how cyberthreat actors “chained” vulnerabilities — deploying multiple vulnerabilities in rapid succession — during attacks on certain versions of Ivanti Cloud Service Appliances in September. Threat actors used an administrative bypass, structured query language and remote code execution vulnerabilities during the attack. The agencies said the actors gained initial access, obtained credentials and implanted webshells on victim networks.
    • “These attacks serve as another reminder of the importance of patch management in defending networks,” said Scott Gee, AHA deputy national advisor of cybersecurity and risk. “Think of this as a thief using bolt cutters to get through a perimeter fence, using a pry bar to force the door to the building open, and then using a hammer to break the glass protecting the jewels they came to steal. The good news for network defenders in this instance regarding Ivanti is that each of these tools can be detected.”
    • “CISA and the FBI strongly encouraged network administrators to upgrade to the latest supported version of Ivanti CSA.
    • “Any hospitals still using outdated versions of Ivanti CSA should update their systems immediately,” Gee said. “If unable to remove the outdated version, network security teams should implement detections based on the indicators of compromise in the advisory and understand the risk posed by this vulnerable technology.”
  • Cyberscoop notes,
    • “Researchers at Black Lotus Labs have uncovered an operation where a back door is dropped onto enterprise-grade Juniper Networks routers and listens for specific network signals, known as “magic packets,” to execute malicious commands. 
    • “The campaign, which researchers at the cybersecurity wing of Lumen Technologies refer to as “J-Magic,” was active between mid-2023 and mid-2024. The malware uses a custom variant of the open-source backdoor ‘cd00r,’ which operates invisibly to lay the groundwork for a reverse shell attack. The malware scans for five different predefined parameters before activating. If any of these parameters or “magic packets” are received, the malware sends a confirmation request. Once confirmed, J-Magic establishes a reverse shell on the local file system, allowing operators to control the device, steal data, or deploy further malware.
    • “Although the specific method of transmission into these routers remains unclear, many targeted devices are configured as virtual private network (VPN) gateways. Lumen’s analysis found that approximately half of the routers affected during the campaign functioned as VPN gateways.  
    • “The strategic focus of J-Magic on routers underscores a level of stealth, given that routers are rarely monitored with security software. The malware specifically targets Junos OS, Juniper’s FreeBSD-based operating system.”
  • Per Dark Reading,
    • Cisco has released a patch for a critical vulnerability found in its Cisco Meeting Management feature that could allow a remote, authenticated attacker to elevate themselves to administrator privileges on an affected device.
    • “Cisco Meeting Management is a management tool for Cisco’s on-premises meeting platform, Cisco Meeting Server. The management system allows users to monitor and manage meetings that are running on the platform through two user roles: the first is for administrators with full rein over the platform; and the second is for “video operators,” who only have access to the meetings and overview pages.
    • “The vulnerability, tracked as CVE-2025-20156 (CVSS score of 9.9), is located in the REST API and exists because “proper authorization” is not enforced on REST API users. Should an attacker send specially crafted API requests to a specific endpoint, they could exploit the vulnerability and allow an attacker to gain administrator-level control over edge nodes managed by Cisco Meeting Management.
    • “This poses a risk to businesses, as a threat actor with video operator access on the platform could exploit this vulnerability to give themselves administrator privileges, allowing them the ability to change configurations, add users, and more, according to the advisory.”
  • Per Bleeping Computer,
    • “SonicWall is warning about a pre-authentication deserialization vulnerability in SonicWall SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), with reports that it has been exploited as a zero-day in attacks.
    • “The flaw, tracked as CVE-2025-23006 and rated critical (CVSS v3 score: 9.8), could allow remote unauthenticated attackers to execute arbitrary OS commands under specific conditions.
    • “The vulnerability affects all firmware versions of the SMA100 appliance up to 12.4.3-02804 (platform-hotfix). * * *
    • “We strongly advise users of the SMA1000 product to upgrade to the hotfix release version to address the vulnerability.”
    • “Microsoft’s Threat Intelligence Center discovered the flaw, so more details about the exploitation activity and when it started might be shared by Microsoft at a later date.”
  • The Hacker News adds,
    • “The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday placed a now-patched security flaw impacting the popular jQuery JavaScript library to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
    • “The medium-severity vulnerability is CVE-2020-11023 (CVSS score: 6.1/6.9), a nearly five-year-old cross-site scripting (XSS) bug that could be exploited to achieve arbitrary code execution.
    • “Passing HTML containing <option> elements from untrusted sources – even after sanitizing them – to one of jQuery’s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code,” according to a GitHub advisory released for the flaw.
  • Plus we learn from Cyberscoop,
    • A critical security flaw has been identified and potentially exploited in SonicWall’s Secure Mobile Access (SMA) 1000 series appliances, sparking significant concern among cybersecurity experts and users worldwide. 
    • The vulnerability, registered as CVE-2025-23006, allows remote, unauthenticated attackers to execute arbitrary operating system commands under certain conditions. The issue specifically impacts the Appliance Management Console (AMC) and Central Management Console (CMC) used widely in enterprise and government networks for administrative functions.
    • SonicWall issued a warning Wednesday [January 22, 2025] saying the flaw has a severity rating of 9.8 out of 10 by the Common Vulnerability Scoring System (CVSS) and may have been exploited by malicious actors. Microsoft’s Threat Intelligence Center is credited with uncovering the flaw, although it remains unclear when the exploitation might have commenced. Despite this, SonicWall’s advisory urges all SMA1000 users to upgrade immediately to the patched software version to prevent potential security breaches.
    • SonicWall’s products provide secure remote access for a wide swath of organizations, often serving managed security service providers (MSSPs), enterprises, and government agencies.
  • Bleeping Computer relates,
    • “The FBI warned today [January 23] that North Korean IT workers are abusing their access to steal source code and extort U.S. companies that have been tricked into hiring them.
    • “The security service alerted public and private sector organizations in the United States and worldwide that North Korea’s IT army will facilitate cyber-criminal activities and demand ransoms not to leak online exfiltrated sensitive data stolen from their employers’ networks.
    • “North Korean IT workers have copied company code repositories, such as GitHub, to their own user profiles and personal cloud accounts. While not uncommon among software developers, this activity represents a large-scale risk of theft of company code,” the FBI said.

From the ransomware front,

  • Cyberscoop reports,
    • “Researchers at cybersecurity firm Sophos are tracking multiple clusters of hacking activity leveraging Microsoft 365 instances, Microsoft Teams and email bombing tactics to deliver ransomware.
    • “In new research released Tuesday [January 21], the company said it had identified at least two distinct clusters of hacking activity using the tactics to infect targets between November and December 2024.
    • “First, several individuals at an organization are inundated with emails — up to 3,000 in 45 minutes in some cases. The sheer volume of spam is designed to overwhelm the target’s inbox and “create a sense of urgency” that may push them to reach out to IT for assistance, the researchers said.
    • “Then, using an external account, the hackers will message one of the targets over Microsoft Teams, posing as the organization’s IT support or a “Help Desk Manager.” Under the guise of assistance, the actors push the victim to permit a remote screen control session through Teams or Microsoft Quick Assist, which is then used to create command shells, access an external Sharepoint file and deploy malware on the victim’s device.
    • “With a command-and-control channel established, the attackers then use the target’s credentials to disable multifactor authentication and antivirus protections, connect to other hosts on the network and move laterally to compromise other systems.”
  • Cybersecurity News lets us know,
    • “New ransomware strains are quietly infiltrating VMware ESXi hosts by setting up SSH tunnels and concealing malicious traffic within legitimate activity.
    • “This stealth tactic allows attackers to access critical virtual machine environments without triggering many of the standard alarms or detection systems that monitor more conventional network paths.
    • “Because ESXi appliances often remain unmonitored, cybercriminals have seized the opportunity to hide in plain sight, exfiltrate data, and lock down virtual machines with minimal interference.
    • “Virtualized infrastructures are attractive targets for ransomware actors due to the high value of virtual machines and the rapid damage attackers can inflict if they seize control.
    • “Instead of compromising each guest system individually, criminals can focus on the ESXi host itself, enabling them to encrypt all virtual disks in one coordinated attack.”
  • Per the SentinelOne blog,
    • “The previous six months have seen heightened activity around new and emerging ransomware operations. Across the tail-end of 2024 and into 2025, we have seen the rise of groups such as FunkSec, Nitrogen and Termite. In addition, we have seen the return of Cl0p and a new version of LockBit (aka LockBit 4.0).
    • “Within this period of accelerated activity, the Ransomware-as-a-Service offerings HellCat and Morpheus have gained additional momentum and notoriety. Operators behind HellCat, in particular, have been vocal in their efforts to establish the RaaS as a ‘reputable’ brand and service within the crimeware economy.
    • “As a result of this recent activity, we analyzed payloads from both HellCat and Morpheus ransomware operations. In this post, we discuss how affiliates across both operations are compiling payloads that contain almost identical code. We take a high-level look at two samples in particular and examine their characteristics and behavior.” Check it out.

From the cybersecurity defenses front,

  • CISA advises,
    • “If you’re an IT defender or a vulnerability management pro, CISA’s Vulnrichment project can make your life easier. It enriches basic CVE data with actionable insights like Stakeholder-Specific Vulnerability Categorization (SSVC) decision points, Common Weakness Enumeration (CWE) IDs, and Common Vulnerability Scoring System (CVSS), all bundled into the CVE records you’re already pulling. Think of it as a turbocharged upgrade to the CVE data you’re already consuming. Best part? You don’t need to set up anything new—this enriched data is automatically baked into the CVE feeds you’re already using.
    • You’re soaking in it! Today, all Vulnrichment data ends up in the Authorized Data Publisher (ADP) container for individual CVEs, so if you’re pulling CVE data from https://cve.org via the API, or from GitHub at https://github.com/CVEProject/cvelistV5 ,  you’re already collecting Vulnrichment data. It’s just a matter of parsing it out.”
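The CISA note above ends with “It’s just a matter of parsing it out.” The following is an added example, not CISA’s or the CVE Program’s code, of doing exactly that: it walks the ADP container of a CVE JSON 5.x record (the shape published in the cvelistV5 repository), pulls out the SSVC decision points, the CVSS metric and the CWE IDs contributed by the CISA-ADP provider, and sorts the result into a simplified patch-queue bucket. The sample record is constructed (CVE-0000-0000 is not a real identifier), and the exact ADP field paths (metrics[].other.type == "ssvc", metrics[].cvssV3_1, problemTypes[].descriptions[].cweId) are this example’s reading of the Vulnrichment layout; confirm them against a live record. The triage bucket is a deliberately reduced rule, not the official SSVC decision tree.

```python
"""Parse CISA Vulnrichment data out of the ADP container of a CVE JSON 5.x record."""
import json

# Constructed sample record (not a real CVE) laid out like a cvelistV5 file.
# The ADP field paths below (metrics[].other.type == "ssvc", metrics[].cvssV3_1,
# problemTypes[].descriptions[].cweId) follow the Vulnrichment layout as this
# example understands it; verify them against a live record before relying on them.
SAMPLE_RECORD = json.dumps({
    "dataType": "CVE_RECORD",
    "cveMetadata": {"cveId": "CVE-0000-0000", "state": "PUBLISHED"},
    "containers": {
        "cna": {"descriptions": [{"lang": "en", "value": "Constructed example flaw."}]},
        "adp": [{
            "providerMetadata": {"shortName": "CISA-ADP"},
            "title": "CISA ADP Vulnrichment",
            "metrics": [
                {"other": {"type": "ssvc", "content": {
                    "role": "CISA Coordinator", "version": "2.0.3",
                    "options": [{"Exploitation": "active"},
                                {"Automatable": "no"},
                                {"Technical Impact": "total"}]}}},
                {"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL",
                              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}},
            ],
            "problemTypes": [{"descriptions": [
                {"type": "CWE", "cweId": "CWE-78", "description": "OS Command Injection"}]}],
        }],
    },
})


def extract_vulnrichment(record_json: str, provider: str = "CISA-ADP") -> dict:
    """Return the SSVC decision points, CVSS metric and CWE IDs that the named ADP added."""
    record = json.loads(record_json)
    out = {"cve_id": record["cveMetadata"]["cveId"], "ssvc": {}, "cvss": None, "cwe": []}
    for adp in record.get("containers", {}).get("adp", []):
        if adp.get("providerMetadata", {}).get("shortName") != provider:
            continue
        for metric in adp.get("metrics", []):
            other = metric.get("other", {})
            if other.get("type") == "ssvc":
                # Each option is a one-key dict such as {"Exploitation": "active"}
                for option in other.get("content", {}).get("options", []):
                    out["ssvc"].update(option)
            # Prefer the newest CVSS version present; keep only the first match
            for key in ("cvssV4_0", "cvssV3_1", "cvssV3_0"):
                if key in metric and out["cvss"] is None:
                    cvss = metric[key]
                    out["cvss"] = {"version": cvss.get("version"),
                                   "base_score": cvss.get("baseScore"),
                                   "vector": cvss.get("vectorString")}
        for problem in adp.get("problemTypes", []):
            for desc in problem.get("descriptions", []):
                if desc.get("cweId"):
                    out["cwe"].append(desc["cweId"])
    return out


def triage_bucket(enriched: dict) -> str:
    """Simplified patch-queue bucket (not the official SSVC decision tree)."""
    ssvc = enriched["ssvc"]
    exploitation = ssvc.get("Exploitation", "none")
    impact = ssvc.get("Technical Impact", "partial")
    automatable = ssvc.get("Automatable", "no")
    if exploitation == "active":
        return "act"
    if exploitation == "poc" and (impact == "total" or automatable == "yes"):
        return "attend"
    return "track"


if __name__ == "__main__":
    enriched = extract_vulnrichment(SAMPLE_RECORD)
    print(json.dumps(enriched, indent=2), "->", triage_bucket(enriched))
```

Point `extract_vulnrichment` at the JSON you already download from cve.org or the cvelistV5 repository; records without a CISA-ADP container simply yield empty SSVC, CVSS and CWE fields, which is itself a useful signal that enrichment has not landed yet.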
  • Check out Dark Reading for an article, “MITRE’s Latest ATT&CK Simulations Tackle Cloud Defenses.” As the article explains, “The MITRE framework’s applied exercise provides defenders with critical feedback about how to detect and defend against common, but sophisticated, attacks.”
  • Security Week discusses attack surface management.
    • “The attack surface of an organization represents all of the assets (physical, virtual or human) that a malicious actor can potentially use to breach an organization,” says Alex Hoff, co-founder and chief strategy officer at Auvik Networks.
    • “Traditionally,” continues Raj Samani, SVP and chief scientist at Rapid7, “the focus of attack surface management has been on securing the broader attack surface – but the emphasis is now on preventing the exploitation of assets within increasingly complex environments.”
    • “While we have traditionally considered the Attack Surface to be a part of the overall IT infrastructure that can be treated and managed discretely, our view now is that the AS includes anything and everything a threat actor can target for exploitation.” 
  • Per Becker’s Health IT,
    • “Global IT spending is expected to grow 9.8% in 2025, to $5.6 trillion, with much of that increase going to price hikes, according to Gartner.
    • “And while CIOs’ expectations for generative AI are on the wane — what the IT consultant called a “trough of disillusionment” — their spending on the technology will continue to rise, Gartner predicted. Those hardware upgrades will drive double-digit growth in data center systems, devices and software this year.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Federal News Network tells us,
    • “President-elect Donald Trump’s pick to lead the Department of Homeland Security is signaling potential changes at the Cybersecurity and Infrastructure Security Agency.
    • “South Dakota Gov. Kristi Noem, nominated by Trump to serve as homeland security secretary, testified before the Senate Homeland Security and Governmental Affairs Committee on Friday. She fielded a range of questions, largely on border security and immigration enforcement.
    • “On the cybersecurity front, Noem in her opening statement said she would prioritize a “comprehensive, whole-of-government approach to cybersecurity,” without offering further specifics.
    • “I fully acknowledge that people in Washington, DC do not have all of the answers, and therefore I will leverage private, public partnerships,” Noem added as part of her opening statement. “I will advance cutting edge state of the art technologies to protect our nation’s digital landscape.”
  • Cybersecurity Dive lets us know,
    • “The White House rolled out a highly anticipated executive order on Thursday [January 16, 2025] to combat a rising level of sophisticated attacks targeting U.S. government agencies, critical infrastructure providers and high-profile individuals by state-linked threat groups and other malign actors. 
    • “The executive order will give the U.S. more authority to level sanctions against malicious actors that have disrupted hospitals and other critical providers. 
    • “Federal authorities also plan to leverage the government’s $100 billion in annual IT spending to make sure technology companies develop more secure software.” * * *
    • To help increase security in the public and private sector, the executive order aims to: 
      • Give the U.S. more authority to level sanctions against hackers that have disrupted critical providers, including hospitals. 
      • Require software vendors doing business with the federal government to prove they are using secure development practices. The federal government plans to validate that evidence and publish the information to help private sector buyers make informed decisions on secure software. 
      • The National Institute for Standards and Technology will develop guidance on how to deploy software updates in a secure and reliable manner. 
      • The General Services Administration will develop guidance on how cloud customers can securely use these products.  
      • Identify minimum cybersecurity standards for companies working with the federal government. Bureaucracy and cybersecurity requirements for using federal information systems will be streamlined for three years. 
      • Federal authorities will begin research into AI-based tools to search for software vulnerabilities, manage patching and detect threats. A public-private partnership will be developed to use AI to protect critical infrastructure in the energy sector. 
      • The U.S. will only buy internet-connected devices that meet Cyber Trust Mark standards starting in 2027.   
  • Cyberscoop adds,
    • “A sweeping executive order on cybersecurity released Thursday won largely positive reviews, with the main question being its timing — and what will come of it with the executive branch set to be handed over from president to president.”
  • NextGov/FCW informs us,
    • The Office of Personnel Management did not take long nor have to look too far to find its next chief information officer.
    • Melvin Brown II, who previously served as OPM’s deputy chief information officer, was named OPM’s chief information officer this week, according to a LinkedIn post he published Sunday January 12, 2025.
  • Cyberscoop relates,
    • “The Department of the Treasury has sanctioned a Chinese national and a cybersecurity company based in Sichuan, China, for taking part in the Salt Typhoon hacking campaign that has swept up data from at least nine U.S. telecommunications companies.
    • “The department’s Office of Foreign Assets Control (OFAC) named Yin Kecheng of Shanghai and the Sichuan Juxinhe Network Technology Co. Ltd., as entities that had “direct involvement” in the Salt Typhoon campaign. Kecheng is described as an affiliate of the Chinese Ministry of State Security with over a decade of hacking experience.
    • “Kecheng is also alleged to have been involved in a recent hack of the Treasury Department.”
  • Per HHS news releases,
    • “[On January 14, 2025,] the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Solara Medical Supplies, LLC (Solara), a supplier and direct-to-patient distributor of continuous glucose monitors, insulin pumps, and other supplies to patients with diabetes, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule and Breach Notification Rule following a [2019] breach of electronic protected health information (ePHI) caused by a phishing incident.” * * *
    • “In November 2019, OCR received a breach report concerning a phishing attack in which an unauthorized third party gained access to eight of Solara’s employees’ email accounts between April and June 2019, resulting in the breach of 114,007 individuals’ ePHI. In January 2020, OCR received notification of a second breach, when Solara reported that it had sent 1,531 breach notification letters to the wrong mailing addresses. OCR’s investigation determined that Solara failed to conduct a compliant risk analysis to identify the potential risks and vulnerabilities to ePHI in Solara’s systems; failed to implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level; and failed to provide timely breach notification to individuals, HHS, and the media.
    • “Under the terms of the resolution agreement, Solara agreed to implement a corrective action plan that will be monitored by OCR for two years and pay $3,000,000 to OCR.” * * *
    • “The resolution agreement and corrective action plan may be found here.”
  • and
    • “[On January 15, 2025,] the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Northeast Surgical Group, P.C. (NESG), a provider of surgical services in Michigan, for a potential violation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.” * * *
    • “In March 2023, OCR received a breach report concerning a ransomware incident that had affected NESG’s information system. NESG concluded that the protected health information of 15,298 patients had been encrypted and exfiltrated from its network. OCR’s investigation determined that NESG had failed to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in NESG’s systems.
    • “Under the terms of the resolution agreement, NESG agreed to implement a corrective action plan that OCR will monitor for two years and paid $10,000 to OCR.” * * *
    • “The resolution agreement and corrective action plan may be found here.”

From the cybersecurity vulnerabilities and breaches front,

  • Per Cybersecurity Dive,
    • “The Cybersecurity and Infrastructure Security Agency spotted Salt Typhoon on federal networks before defenders discovered the China-sponsored threat group intruded into U.S. telecom systems, Director Jen Easterly said Wednesday.
    • “CISA’s sleuthing “enabled law enforcement to unravel and ask for process on virtual private servers,” Easterly said during an onstage interview at the Foundation for Defense of Democracies. Details gathered from that investigation and response allowed CISA to discover Salt Typhoon and its activities, Easterly said.” * * *
    • “CISA’s observations didn’t prevent Salt Typhoon from attacking the telecom networks en masse, but Easterly presented the agency’s threat hunting and intelligence gathering capabilities as an example of intra-government and public-private collaboration improvements made under her stewardship of the agency.
    • “Easterly is scheduled to step down as CISA director when the President-elect Donald Trump takes office next week.”
  • and
    • Threat hunters are scrambling to determine the scope of damage and potential impact from a critical zero-day vulnerability that impacts a trio of Ivanti products, including Ivanti Connect Secure VPN appliances.
    • Shadowserver scans identified more than 900 unpatched Ivanti Connect Secure instances on Sunday [January 12, 2025] and said the devices are likely vulnerable to exploitation. The amount of unpatched and vulnerable instances found by Shadowserver scans is down from more than 2,000 on Thursday [January 9, 2025].
    • The nonprofit, which analyzes and shares malicious activity with more than 200 national computer security incident response teams covering 175 countries, was asked not to disclose how it knows these instances are unpatched, but has yet to receive any false positive feedback, Shadowserver CEO Piotr Kijewski told Cybersecurity Dive via email on Friday.
    • Researchers are especially concerned about widespread exploitation of the zero-day because of previous cyberattacks linked to software defects in Ivanti products.
  • CISA added seven more known exploited vulnerabilities to its catalog this week. More details from:
  • Cybersecurity Dive
    • “The Cybersecurity and Infrastructure Security Agency added a command injection vulnerability in BeyondTrust Remote Support and Privileged Access Products to its catalog of known exploited vulnerabilities on Monday [January 13, 2025]. 
    • “The medium-severity flaw, listed as CVE-2024-12686, allows an attacker with administrative privileges to inject commands into a computer network and run as if they are a site user. The vulnerability has a CVSS score of 6.6. 
    • “The CVE is the second vulnerability disclosed by BeyondTrust during its investigation into an attack spree in December. The attacker reset the passwords of numerous accounts after compromising a Remote Support SaaS API key. A limited number of RemoteSupport SaaS customers were impacted by the attacks.” 
  • CSO Online
    • Fortinet has confirmed the existence of a critical authentication bypass vulnerability in specific versions of FortiOS firewalls and FortiProxy secure web gateways. The flaw has been exploited in the wild since early December in what appears to be an indiscriminate and widespread campaign, according to cybersecurity firm Arctic Wolf.
    • The fix for this zero-day is part of a bigger patch cycle by Fortinet, which released updates for 29 vulnerabilities across multiple products, 14 of which impact FortiOS, the operating system used in Fortinet’s FortiGate firewalls. Some of the flaws impact multiple products that share the same code, which is the case for the zero-day now tracked as CVE-2024-55591.
    • Although Fortinet does not credit Arctic Wolf with discovering the vulnerability, the indicators of compromise listed in the advisory match the analysis of the attack campaign Arctic Wolf warned about in December and documented in more detail on Friday.
  • Security Week
    • “The software giant [Microsoft] on Tuesday called urgent attention to three separate flaws in the Windows Hyper-V NT Kernel Integration Virtualization Service Provider (VSP) and warned that malicious attackers are already launching privilege escalation exploits.
    • “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said in a series of barebones advisories.
    • “As is customary, the company did not release technical details or IOCs (indicators of compromise) to help defenders hunt for signs of compromise.
    • “The three exploited zero-days — CVE-2025-21334, CVE-2025-21333 and CVE-2025-21335 — affect the Windows Hyper-V NT Kernel Integration Virtualization Service Provider (VSP) that handles efficient resource management and communication between the host system and guest virtual machines (VMs).” 
  • and
    • Threat actors are exploiting a critical-severity remote code execution (RCE) vulnerability in Aviatrix Controller to deploy malware, cybersecurity firm Wiz reports.
    • The issue, tracked as CVE-2024-50603 (CVSS score of 10/10), exists because user-supplied input is not properly neutralized, allowing unauthenticated, remote attackers to inject arbitrary code that is executed with high privileges on the Aviatrix cloud networking platform.
    • The solution is designed to help organizations manage and secure their cloud infrastructure across multiple providers from a single place.
    • Impacting certain endpoints within the Aviatrix Controller’s API, which is implemented in PHP, the vulnerability was patched in December, but technical information on it was only published last week.

From the ransomware front,

  • Cybersecurity Dive reports on January 17, 2025,
    • Blue Yonder said it is investigating a threat after Clop listed the supply chain management company among nearly 60 companies the ransomware group claims it hacked. The attacks were linked to exploited vulnerabilities in Cleo file-transfer software, according to researchers from Zscaler and Huntress. 
    • A spokesperson for Blue Yonder on Friday confirmed the company uses Cleo to manage certain file transfers. Once the zero-day was confirmed, Blue Yonder said it immediately took steps to mitigate the threat.
    • “Like many Cleo Harmony customers across the globe, we are currently investigating any potential impact of this matter on our business and we continue to update our customers as we have additional information,” the spokesperson told Cybersecurity Dive via email.”
  • CSO Online alerts us on January 13, 2025,
    • CISOs are being warned to make sure employees take extra steps to protect their AWS access keys after word that a threat actor is using stolen login passwords for ransomware attacks.
    • The target is Amazon S3 buckets and the attack uses AWS’ own encryption to make data virtually unrecoverable without paying the attackers for a decryption key, said a report by researchers at Halcyon Tech.
    • “Unlike traditional ransomware that encrypts files locally or in transit, this attack integrates directly with AWS’s secure encryption infrastructure,” the report notes. “Once encrypted, recovery is impossible without the attacker’s key.” * * *
    • “There are, however, a few things AWS customers’ IT administrators can do:
      • “use the Condition element in IAM (identity and access management) policies to prevent the application of SSE-C to S3 buckets. Policies can be configured to restrict this feature to only authorized data and users;
      • “enable detailed logging for S3 operations to detect unusual activity, such as bulk encryption or lifecycle policy changes;
      • “regularly review permissions for all AWS keys to ensure they have the minimum required access;
      • “disable unused keys and rotate active ones frequently.
    • “In a statement accompanying the Halcyon report, AWS referred customers to this web page with information for administrators on how to deal with suspected unauthorized activity on their accounts.”
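The four mitigations listed above are stated in prose; the following is an added example (not Halcyon’s report code and not AWS’s own guidance verbatim) of what two of them look like in practice. `deny_ssec_bucket_policy` builds a bucket policy whose `Condition` element refuses any `s3:PutObject` that carries a customer-provided key, using the S3 condition key `s3:x-amz-server-side-encryption-customer-algorithm`; `flag_ssec_ransomware` runs the “detailed logging” advice over CloudTrail-style S3 data events and flags the two behaviours the attack pattern combines, bulk SSE-C object writes by one principal and a lifecycle rule that expires objects after a few days. The events are constructed, the bucket and principal names are placeholders, and the value `"SSE_C"` for `additionalEventData.SSEApplied` is this example’s assumption about how CloudTrail marks such writes; check it against your own trail before deploying the rule.

```python
"""Guard rails for the S3 SSE-C ransomware pattern: a deny policy plus a CloudTrail heuristic."""
import json
from collections import Counter


def deny_ssec_bucket_policy(bucket: str) -> dict:
    """Bucket policy that refuses any object write carrying a customer-provided key (SSE-C).

    The condition key s3:x-amz-server-side-encryption-customer-algorithm is present only
    on SSE-C requests, so 'Null: false' matches exactly those writes. CopyObject also
    needs s3:PutObject on the destination, so in-place re-encryption copies are denied too.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECObjectWrites",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {
                "s3:x-amz-server-side-encryption-customer-algorithm": "false"}},
        }],
    }


# Constructed CloudTrail-style S3 data events (not real logs). The field layout follows
# CloudTrail as this example understands it; in particular the value "SSE_C" for
# additionalEventData.SSEApplied is an assumption to verify against your own trail.
SAMPLE_EVENTS = [
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"bucketName": "finance-exports", "key": f"reports/q{i}.csv"},
     "additionalEventData": {"SSEApplied": "SSE_C"}}
    for i in range(1, 5)
] + [
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app"},
     "requestParameters": {"bucketName": "finance-exports", "key": "uploads/a.txt"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventName": "PutBucketLifecycle",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"bucketName": "finance-exports", "LifecycleConfiguration": {
         "Rule": {"Status": "Enabled", "Expiration": {"Days": 7}}}}},
]


def _expiration_days(obj):
    """Yield every Expiration.Days value anywhere inside a lifecycle request body."""
    if isinstance(obj, dict):
        exp = obj.get("Expiration")
        if isinstance(exp, dict) and isinstance(exp.get("Days"), int):
            yield exp["Days"]
        for value in obj.values():
            yield from _expiration_days(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _expiration_days(value)


def flag_ssec_ransomware(events, write_threshold=3, max_expiry_days=30):
    """Return findings for (a) a principal writing >= write_threshold SSE-C objects into
    one bucket and (b) lifecycle rules that expire objects within max_expiry_days."""
    ssec_writes = Counter()
    findings = []
    for event in events:
        actor = event.get("userIdentity", {}).get("arn", "?")
        params = event.get("requestParameters", {})
        bucket = params.get("bucketName", "?")
        name = event.get("eventName")
        sse = event.get("additionalEventData", {}).get("SSEApplied")
        if name in ("PutObject", "CopyObject") and sse == "SSE_C":
            ssec_writes[(actor, bucket)] += 1
        elif name in ("PutBucketLifecycle", "PutBucketLifecycleConfiguration"):
            short = [d for d in _expiration_days(params) if d <= max_expiry_days]
            if short:
                findings.append({"type": "short_lifecycle_expiration", "actor": actor,
                                 "bucket": bucket, "days": min(short)})
    for (actor, bucket), count in ssec_writes.items():
        if count >= write_threshold:
            findings.append({"type": "bulk_ssec_writes", "actor": actor,
                             "bucket": bucket, "count": count})
    return findings


if __name__ == "__main__":
    print(json.dumps(deny_ssec_bucket_policy("finance-exports"), indent=2))
    for finding in flag_ssec_ransomware(SAMPLE_EVENTS):
        print(finding)
```

Apply the policy only after confirming no legitimate workload uses SSE-C, since the deny is unconditional; if one does, narrow the statement with an `aws:PrincipalArn` condition for that role. The detector is a heuristic, so tune `write_threshold` to your bucket’s normal write rate and treat the lifecycle finding as the higher-fidelity signal: a freshly created short-expiry rule on a bucket that never had one is rarely benign.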
  • Per Industrial Cyber,
    • “The U.S. National Institute of Standards and Technology (NIST), through its National Cybersecurity Center of Excellence (NCCoE) division, published Monday a draft Ransomware Community Profile that reflects changes made to the Cybersecurity Framework (CSF) from CSF 1.1 to CSF 2.0 and identifies security objectives that support managing, detecting, responding to, and recovering from ransomware events. The NIST IR 8374 Rev. 1 (draft) comes as the agency is currently considering a more comprehensive revision to the profile to reflect recent ransomware policy developments and incorporate the results of collaborative activities in the ransomware prevention and response space. 
    • “NIST is seeking feedback by March 14, 2025, on the revised draft of the risk management framework, which will guide the future of its ransomware prevention guidance. General comments on the draft are also encouraged. The agency is also looking for input on which elements of the Ransomware Community Profile have been beneficial. Suggestions for improvements to the Community Profile are also welcome.”

From the cybersecurity defense front,

  • Here are CISA news releases from the last week of the Biden administration:
    • “The Cybersecurity and Infrastructure Security Agency (CISA) published today [January 14, 2025] the Joint Cyber Defense Collaborative (JCDC) Artificial Intelligence (AI) Cybersecurity Collaboration Playbook. Developed alongside federal, international, and private-sector partners through JCDC, this playbook provides the AI community—including AI providers, developers, and adopters—with essential guidance on how to voluntarily share actionable incident information and it describes how proactive information sharing can enhance operational collaboration and improve resilience of AI systems.” 
    • “The Cybersecurity and Infrastructure Security Agency (CISA), in close coordination with the Office of Management and Budget (OMB), Office of the National Cyber Director (ONCD) and Microsoft, announces today [January 15, 2025] the release of Microsoft Expanded Cloud Log Implementation Playbook. This guidance helps public and private sector organizations using Microsoft Purview Audit (Standard) to operationalize newly available cloud logs to be an actionable part of their enterprise cybersecurity operations.”
    • CISA Director Jen Easterly’s final CISA blog post concerns “Strengthening America’s Resilience Against the PRC Cyber Threats.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Bloomberg alerts us,
    • “The Biden administration is racing to put out an executive order meant to shore up US cybersecurity in its dwindling days in office, according to four people familiar with the matter.
    • “The executive order, which has cleared some internal hurdles and is close to being published, incorporates lessons from a series of major breaches during the Biden administration, including the most recent Treasury Department hack attributed to China, according to people familiar with the matter who didn’t want to be named to discuss information that hasn’t yet been made public.
    • “Among the measures, it directs the government to implement “strong identity authentication and encryption” across communications, according to an undated draft of the order seen by Bloomberg News. In the December Treasury hack, intruders accessed unclassified documents stored locally on laptops and desktop computers. Encrypting information sent by email and worked on in the cloud could help safeguard it from hackers who successfully access systems but then cannot open specific documents.” * * *
    • “Whether President-elect Donald Trump will leave the executive order in place when he takes office remains unclear, though he’s vowed to pare back federal regulation. Trump has signaled that he intends to repeal another Biden administration order intended to provide guardrails around artificial intelligence.” 
  • Federal News Network provides more details on the draft EO for those interested.
  • Dark Reading reports,
    • “Yesterday [January 7, 2025] the White House introduced a cybersecurity labeling program for wireless Internet-connected devices, intended to help Americans make more informed decisions about the products they buy and their security.
    • “As Americans continue to add Internet of Things (IoT) devices to their home networks — everything from baby monitors to security cameras — there are growing concerns about the safety of these devices and their vulnerability to hackers. The goal of this label is to guide consumers to more secure products as well as encourage vendors in their cyber practices.
    • “Known as the “US Cyber Trust Mark,” the label has been a long time coming, with the Federal Communications Commission gathering input over the past 18 months. In a bipartisan and unanimous vote, the FCC authorized the program and said 11 vendors will act as label administrators while UL Solutions will serve as the lead administrator.
    • “The White House launched this bipartisan effort to educate American consumers and give them an easy way to assess the cybersecurity of such products, as well as incentivize companies to produce more cybersecure devices, much as EnergyStar labels did for energy efficiency,” the White House brief read.”
    • “Though this new system has good intentions for both consumers and vendors, there are concerns and speculation as to how effective this cybersecurity label will be.” Read the article for those details.
  • Here’s a link to the Federal Register version of the recent proposed HIPAA Security Rule amendments, which appears in the January 6, 2025, issue. The public comment deadline is March 7, 2025.
  • Fedscoop tells us,
    • “Guy Cavallo, the chief information officer of the Office of Personnel Management since July 2021, will retire from federal service on Jan. 13, he confirmed to FedScoop.
    • “Cavallo leaves federal service having held several top technology roles over the past decade, including as deputy CIO of the Small Business Administration and executive director of IT operations at the Transportation Security Administration. He also served as OPM’s principal deputy CIO and acting CIO before being named permanent CIO.
    • “As the longest-tenured CIO of OPM in recent memory, Cavallo led that charge on a two-year sprint replacing or migrating over 50 applications from legacy on-premises data centers to the cloud and the launch of the new Postal Health Benefits System last year for more than 1.7 million postal workers and retirees. He touted the system as fully operational 100% of the time with no unscheduled downtime throughout the Open Season.
    • “Cavallo also led OPM to winning several Technology Modernization Fund awards in recent years, the most recent of which came in late 2024 to support the use of artificial intelligence to update legacy mainframe programs for OPM’s retirement systems.
  • The National Institute of Standards and Technology announced on January 8,
    • NIST extends the public comment period on the initial public draft (ipd) of NIST Special Publication (SP) 800-172r3 (Revision 3), Enhanced Security Requirements for Protecting Controlled Unclassified Information (CUI), until January 17, 2025. 
    • NIST strongly encourages you to use the comment template and submit comments to 800-171comments@list.nist.gov. Comments received in response to this request will be posted on the Protecting CUI project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed.
    • For more information, see the NIST Protecting CUI Project.
  • Per HHS press releases,
  • and
    • [Also on January 7, 2025], the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $90,000 settlement with Virtual Private Network Solutions, LLC (VPN Solutions), a Virginia business associate that provides data hosting and cloud services to covered entities (health plans, health care clearinghouses, and most health care providers) and business associates, for a potential violation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that covered entities (health plans, health care clearinghouses, and most health care providers), and business associates must follow to protect the privacy and security of protected health information (PHI). The HIPAA Security Rule establishes national standards to protect and secure our health care system by requiring administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI (ePHI). The settlement resolves an investigation concerning a ransomware attack on VPN Solutions’ information system.” * * *
    • “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/vpns-ra-cap/index.html
  • Per Cyberscoop,
    • “Microsoft is petitioning a Virginia [federal] court to seize software and shut down internet infrastructure that they allege is being used by a group of foreign cybercriminals to bypass safety guidelines for generative AI systems.
    • “In a filing with the Eastern District Court of Virginia, Microsoft brought a lawsuit against ten individuals for using stolen credentials and custom software to break into computers running Microsoft’s Azure OpenAI services to generate “harmful content.”
    • “In a complaint filed Dec. 19, 2024, the company accuses the group of violating the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, the Lanham Act and the Racketeer Influence and Corrupt Organizations Act, as well as trespass to chattels and tortious interference under Virginia state law.”

From the cybersecurity reminiscences department,

  • “HHS OCR Director Melanie Fontes Rainer reflects on 2024 as a historic year filled with tremendous activities and accomplishments for OCR on Health Insurance Portability and Accountability Act of 1996 (HIPAA) rulemakings, enforcement actions, and resources for the health care sector on HIPAA privacy and cybersecurity.”
  • In Cyberscoop, “National Cyber Director Harry Coker looks back (and ahead) on the Cyber Director office. It’s made real strides, but there’s a lot more that it could be doing, he said, and more that needs to be done.”
  • In a blog post, Valeria Colman, the Cybersecurity and Infrastructure Security Agency’s (CISA) chief strategy officer, looks back at “CISA Through the Years: Policy and Impact.”

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive reports,
    • “AT&T and Verizon, two of the nine U.S. telecom companies attacked by Salt Typhoon, said they evicted the China-government sponsored threat group from their networks. 
    • “We detect no activity by nation-state actors in our networks at this time,” an AT&T spokesperson said in a prepared statement. A Verizon spokesperson made a similar statement, asserting the carrier has “contained the cyber incident brought on by this nation-state threat actor. An independent and highly respected cybersecurity firm has confirmed the Verizon containment.”
    • “AT&T and Verizon did not say when they ejected the nation-state group from their networks, but declared their networks secure last week.”
  • Dark Reading adds,
    • “The Chinese threat actor group known as “Silk Typhoon” has been linked to the December 2024 hack on an agency that’s part of the US Department of the Treasury.
    • “In the breach, the threat actors were able to use a stolen Remote Support SaaS API key through third-party cybersecurity vendor BeyondTrust to steal data from workstations in the Office of Foreign Assets Control (OFAC).
    • “Silk Typhoon, also known as Hafnium, is well known for hitting targets in education, healthcare, defense, and non-governmental organizations.
    • “Using tools such as the China Chopper Web shell, the group’s cyber-espionage campaigns focus mainly on data theft.” * * *
    • “The Cybersecurity and Infrastructure Security Agency (CISA) has since confirmed that these exploits are limited to just the agency, and there is no indication that any other federal agencies have been impacted by the incident.” 
  • Bleeping Computer lets us know,
    • BayMark Health Services, North America’s largest provider of substance use disorder (SUD) treatment and recovery services, is notifying an undisclosed number of patients that attackers stole their personal and health information in a September 2024 breach.
    • The Texas-based organization provides medication-assisted treatment (MAT) services targeting both substance use and mental health disorders to more than 75,000 patients daily in over 400 service sites across 35 U.S. states and three Canadian provinces.
    • In data breach notification letters mailed to affected individuals, BayMark revealed that it learned of the breach on October 11, 2024, following an IT systems disruption. A follow-up investigation revealed that the attackers accessed BayMark’s systems between September 24 and October 14.
  • Per Dark Reading,
    • Cybercriminals have picked up a new tactic, impersonating CrowdStrike recruiters in order to distribute a crypto miner on their victims’ devices.
    • This malicious campaign starts with an email, inviting the victim to schedule an interview with a recruiter for a position as a junior developer.
    • The illegitimate email contains a link, alleging that it will take the recipient to a site so they can schedule their interview, but in reality, takes the victim to a malicious website containing links to download a purported “CRM application.”
  • CISA reminds us,
    • “In an era of increasingly sophisticated cyber threats, securing critical infrastructure has become a cornerstone of national security. CISA’s mission is to drive collaborative, proactive efforts to reduce risk and strengthen resilience for our nation’s critical infrastructure, federal civilian branch assets, and the private sector more broadly. While these efforts are many and varied, I’d like to highlight three particularly transformative initiatives—the Known Exploited Vulnerabilities (KEV) Catalog, Cybersecurity Performance Goals (CPGs), and the Pre-Ransomware Notification Initiative (PRNI)—to illustrate how we can collectively work to reshape the cybersecurity landscape.”
  • SC Media offers details on the January 7, 2025, KEVs, while Cybersecurity Dive discusses the January 8, 2025, KEV.

From the ransomware front,

  • Axios gives us a primer on ransomware.
  • Here’s a link to a helpful September 2024 CISA PowerPoint presentation about its available tools such as the Pre-Ransomware Notification Initiative.
  • Security Week discusses “Temple University’s Critical Infrastructure Ransomware Attacks (CIRA)” database.
    • “The Critical Infrastructure Ransomware Attacks (CIRA) database currently covers more than 2,000 attacks documented since 2013 and includes nearly 300 entries for incidents that came to light in 2024. 
    • “It contains information such as name of the victim, date of the incident, country or US state, targeted critical infrastructure sector, name of the attacking threat group, duration of the incident, MITRE ATT&CK mapping, and — if known — the amount of money that was demanded by the attacker and the ransom paid by the victim.” * * * 
    • “The database is available for free upon request. To date it has been requested more than 1,500 times, mainly by researchers and other members of the cybersecurity industry (61%), as well as students, government entities, educators, and reporters.” 

From the cybersecurity defenses front,

  • Cybersecurity Dive identifies four cybersecurity trends to watch this year.
    • Critical industries are up against never before seen challenges to remain secure and operational, while regulatory pressures have completely upended the role of the CISO in corporate America.
  • Dark Reading considers current trends in artificial intelligence and cybersecurity.
  • CISA Director Jen Easterly discusses “Corporate Cyber Governance: Owning Cyber Risk at the Board Level.”
  • CISA also released its “Cybersecurity Performance Goals Adoption Report.”
  • TechTarget shares “Top 15 email security best practices for 2025.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the retrospection front,

  • Bleeping Computer reflects on the fourteen “biggest cybersecurity and cyberattack stories of 2024.”
  • Dark Reading queries “What Security Lessons Did We Learn in 2024?”

From the cybersecurity policy and law enforcement front,

  • Beckers Hospital Review highlights
    • “six things the proposed changes to HIPAA would require of [HIPAA covered entities and business associates]:
      • 1. “Encrypt electronic protected health information “with limited exceptions.”
      • 2. “Implement multifactor authentication “with limited exceptions.”
      • 3. “Deploy antimalware software.
      • 4. “Establish written procedures to restore EHR systems and data within 72 hours of a cyberattack.
      • 5. “Notify certain regulators within 24 hours when an employee’s electronic access to EHR data or systems is changed or terminated.
      • 6. “Develop and revise an inventory and network map that illustrates the movement of EHR data through the organization’s systems at least once every 12 months.”
  • Dark Reading summarizes themes of the proposed HIPAA Security Rule amendments (some of which are overkill in the FEHBlog’s opinion) and notes
    • “The changes to the security rule will cost approximately $9 billion in the first year and $6 billion for years two to five, said Anne Neuberger, deputy national security adviser for cyber and emerging technology, during a Dec. 27 press briefing.
    • “The cost of not acting is not only high, it also endangers critical infrastructure and patient safety, and it carries other harmful consequences,” Neuberger said.
    • “Stakeholders have 60 days after the nearly 400-page proposal is published to submit comments (early March 2025). HHS will issue the final version of the rule afterward, although a specific date has not yet been set, followed by a compliance date of 180 days. It is also not clear whether work on the changes will continue under the new presidential administration. Even so, healthcare organizations should review proposed requirements and evaluate their existing security programs to prepare.”
  • Another Dark Reading article goes into more detail about the proposed rule, which is fitting for a “nearly 400-page proposal.”
  • Dark Reading also reports,
    • “A US Army soldier was reportedly arrested Dec. 20 in Texas and charged with two counts of unlawful transfer of confidential phone records.  
    • “Cameron John Wagenius, 20, is suspected of leaking presidential call logs belonging to AT&T and Verizon under an online alias of “Kiberphant0m.”

From the cybersecurity breaches and vulnerabilities front,

  • The Wall Street Journal reports,
    • “The Treasury Department told lawmakers Monday [December 30, 2024] that a state-sponsored actor in China hacked its systems, accessing several user workstations and certain unclassified documents.
    • “The Treasury was informed on Dec. 8 by a third-party software service provider, BeyondTrust, that a threat actor used a stolen key to remotely access certain workstations and unclassified documents, according to a letter reviewed by The Wall Street Journal.
    • “Once alerted, the department said it immediately contacted the Cybersecurity and Infrastructure Security Agency and has since worked with law enforcement partners across the government to assess the incident.
    • “The compromised BeyondTrust service has been taken offline and there is no evidence indicating the threat actor has continued access to Treasury systems or information,” a spokesperson said.
    • “In response, the Chinese embassy in Washington, D.C., denied the Treasury Department’s allegations, and said that its government opposes what it described as U.S. smear tactics without any factual basis.”
  • Per Cybersecurity Dive,
    • “Weeks after BeyondTrust disclosed an attack spree against a limited number of customers, more than 8,600 instances of the company’s Privileged Remote Access and Remote Support products remain exposed, according to a blog post released Thursday [January 2, 2025] by Censys
    • “BeyondTrust in December warned that an attacker gained access to a limited number of Remote Support SaaS instances utilizing a compromised API key. This week, the U.S. Department of Treasury said a suspected state-linked attacker gained access to a number of workstations and stole unclassified information using a BeyondTrust key.
    • “Censys researchers, in the Thursday [January 2, 2025] blog, indicated that not all of the exposed instances are considered vulnerable, because the firm does not have access to the versions involved.”
  • The Cybersecurity and Infrastructure Security Agency added one known exploited vulnerability to its catalog this week.
  • Palo Alto Networks offers details on this CVE at this link.
  • An ISACA commentator cautions “Overreliance on Automated Tooling is A Big Cybersecurity Mistake.”
  • A Dark Reading commentator warns,
    • “Despite never-ending data breaches and ransomware attacks, too many companies still rely on the outdated “trust but verify” cybersecurity strategy. This approach assumes that any user or device inside a company’s network can be trusted once it has been verified. The approach has clear weaknesses: Many businesses are putting themselves at additional risk by verifying once, then trusting forever.
    • “There was a time when “trust but verify” made sense, namely when networks were self-contained and well-defined. But at some point, perhaps due to the overwhelming volume of devices on a network, the number of patches needing to be applied, user demands, and resource constraints in the cybersecurity team, things began to slip. Initial verification meant the asset was trusted, but no additional verification ever took place.”
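The verify-once failure the commentator describes can be made concrete in code. The following is an added example, not from the Dark Reading piece or any product: it places a "trust but verify" session check (a live session is trusted forever) beside a continuous-verification check that re-evaluates account status, session age, device posture, and network context on every request. The field names, thresholds, and sample session and context values are assumptions constructed for the example.

```python
"""Per-request policy re-evaluation versus verify-once sessions.

Added example, not from the Dark Reading commentary. Thresholds and field
names are assumptions constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

MAX_SESSION_AGE_S = 8 * 3600   # assumed: force re-authentication after 8 hours
MAX_POSTURE_AGE_S = 15 * 60    # assumed: device posture evidence must be < 15 min old
MAX_MFA_AGE_S = 12 * 3600      # assumed: step-up MFA on sensitive resources after 12 h


@dataclass
class Session:
    """What was established at login; in the legacy model this is all that is ever checked."""
    user: str
    device_id: str
    login_ip: str
    issued_at: int      # epoch seconds
    last_mfa_at: int    # epoch seconds


@dataclass
class Context:
    """Facts looked up at request time rather than copied from the session."""
    now: int
    source_ip: str
    user_enabled: bool
    device_compliant: bool
    posture_checked_at: int
    resource_sensitivity: str = "normal"   # "normal" or "high"


def legacy_allow(session: Session | None) -> bool:
    """'Trust but verify': verification happened once at login, so any session is trusted."""
    return session is not None


def continuous_allow(session: Session | None, ctx: Context) -> tuple[bool, str]:
    """Re-verify on every request. Returns (decision, reason); first failing check wins."""
    if session is None:
        return False, "no session"
    # Identity: the account may have been disabled since login.
    if not ctx.user_enabled:
        return False, "account disabled since login"
    # Time: a long-lived session is re-authenticated, not trusted indefinitely.
    if ctx.now - session.issued_at > MAX_SESSION_AGE_S:
        return False, "session too old; re-authenticate"
    # Device: posture is checked now, and the evidence itself must be recent.
    if not ctx.device_compliant:
        return False, "device failed posture check"
    if ctx.now - ctx.posture_checked_at > MAX_POSTURE_AGE_S:
        return False, "device posture evidence is stale"
    # Context: sensitive resources require step-up when the network or MFA state changed.
    if ctx.resource_sensitivity == "high":
        if ctx.source_ip != session.login_ip:
            return False, "network change on sensitive resource; step-up required"
        if ctx.now - session.last_mfa_at > MAX_MFA_AGE_S:
            return False, "MFA stale for sensitive resource; step-up required"
    return True, "ok"
```

The point of the contrast is that `legacy_allow` cannot express "the account was disabled an hour after login" or "the laptop stopped reporting a healthy posture": those facts live outside the session record, so a check that only consults the session will keep returning True. Logging the `reason` string from `continuous_allow` also gives the SOC a denial trail that the one-time model never produces.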

From the ransomware front,

  • Cybersecurity Dive lets us know,
    • “Rhode Island officials said a ransomware group has begun to leak stolen information from a state social services database following a December attack. 
    • “In a Monday [December 30, 2024] press conference, Rhode Island Gov. Daniel McKee said the state was informed by Deloitte, which manages the RIBridges program, that hackers had begun to release data on a dark web leak site. 
    • “The contents of those files are still being analyzed by experts,” McKee told reporters during the briefing. “Identifying what is in those files is a complex process, but they’re working right now to make those identifications.”
    • “RIBridges is a state program that administers several social services programs, including Medicaid, Temporary Assistance for Needy Families and other programs.”  * * *
    • “A threat group called Brain Cipher previously claimed credit for the attack, which was disclosed Dec. 5. The group has been active since June 2024 and leverages the LockBit 3.0 payload for their ransomware payloads, SentinelOne previously told Cybersecurity Dive.
    • “The group often uses phishing campaigns to gain initial access to targeted organizations, thus tricking users into downloading malicious files, according to Jon Miller, co-founder and CEO of Halcyon. 
    • “Once inside, they leverage tools and exploits to move laterally across networks, frequently targeting Windows domain administrator credentials to maximize their reach,” Miller said via email.
    • “Researchers from Sophos confirmed Brain Cipher posted detailed information on a leak site claiming credit for the RIBridges database incident.”
  • Per Security Week,
    • “The Richmond University Medical Center in New York has been investigating a ransomware attack since May 2023 and it recently determined that the incident resulted in a data breach affecting more than 670,000 people. 
    • “The healthcare facility, which serves residents in Staten Island, New York, suffered significant disruptions in May 2023 after being targeted in a ransomware attack. It took the organization several weeks to restore impacted services.
    • “An initial forensic investigation showed that the hospital’s electronic health record systems were not compromised, but it was later determined that other files may have been accessed or exfiltrated from Richmond University Medical Center’s network in early May. 
    • “Once the investigation determined what files may have been accessed or removed from our network, we located a copy of each file and then undertook a manual review process of those files to determine whether they contained any sensitive personal information or personal health information,” the hospital said in a security incident notice.”
  • Healthcare IT News adds,
    • “Ransomware attacks are having a severe impact on U.S. healthcare organizations, with an alarming escalation in incidents and their consequences, according to a Comparitech report.
    • “The study found that, since 2018, 654 ransomware attacks have targeted healthcare providers, with 2023 standing out as a record-breaking year, logging 143 incidents.
    • “These attacks compromised over 88.7 million patient records during this period, with more than 26.2 million breached in 2023 alone.
    • “Each day of downtime due to ransomware costs healthcare organizations an average of $1.9 million, culminating in an estimated $21.9 billion in downtime losses over six years.
    • “On average, medical organizations experienced 17 days of downtime per incident, with the highest disruptions reported in 2022, averaging 27 days.”

From the cybersecurity defenses front,

  • A Dark Reading commentator explains how to get the most out of your cybersecurity insurance policy.
    • “As cyber threats continue to evolve, so must our approach to mitigating them. Bolster your cybersecurity posture in a holistic manner — self-assessing your risk profile, addressing vulnerabilities, and striving for continuous improvement — and you can better safeguard your organization against threats and control your cyber-insurance costs.
    • “Prepare for increasingly rigorous risk assessments from [insurance] providers moving forward. Underwriters now have access to extensive data about cyber threats and protections. Expect them to ask more granular questions and do deeper inspections into the efficacy of controls, especially those around identity-related risks, such as privileged access and credential theft. Anticipate their questions, and be prepared with comprehensive, up-to-date answers.
    • “Cyber insurance should augment your cybersecurity strategy, not replace it. Prioritize implementing robust, ongoing cyber practices that protect your organization.”
  • Cybersecurity Dive informs us,
    • “Most cyber leaders are bullish on generative AI despite governance concerns, according to a CrowdStrike survey published in December. Nearly two-thirds say their organization would overhaul tooling in order to leverage better generative AI capabilities. 
    • “Leaders expect generative AI adoption to bring ROI through cost optimization, easier tool management, reduced incidents and shorter training cycles, according to the survey of more than 1,000 cybersecurity leaders and practitioners. 
    • “Respondents said the leading concern when weighing a generative AI purchase is how applications or services integrate with current tools. Around 70% intend to purchase access to the technology in the next year.”
  • Dark Reading discusses “6 AI-Related Security Trends to Watch in 2025. AI tools will enable significant productivity and efficiency benefits for organizations in the coming year, but they also will exacerbate privacy, governance, and security risks.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity retrospection and predictions front as we approach New Year’s Day,

  • CSO lists the “top 7 zero-day exploitation trends of 2024,” and “IT leaders’ top 9 takeaways from 2024.”
  • Dark Reading points out “Emerging Threats & Vulnerabilities to Prepare for in 2025. From zero-day exploits to 5G network vulnerabilities, these are the threats that are expected to persist over the next 12 months.”
  • Federal News Network offers a “2024 review: ‘Typhoons’ bookend [the Change Healthcare breach in a] busy year in cyber. From Volt Typhoon to Salt Typhoon, major cyber incidents in 2024 shined a spotlight on how agencies are managing cyber threats to critical infrastructure.”
  • Healthcare Dive recounts “seven of the biggest healthcare cyberattack and breach stories of 2024. Cyberattacks targeting the healthcare industry continued to rise this year. Here are some of the largest incidents, from Change Healthcare to Ascension.”

From the cybersecurity policy front,

  • Yesterday the Health and Human Services Department’s Office for Civil Rights announced its proposed amendments to the HIPAA Security Rule, which is intended to protect electronic personal health information. The public comment deadline is March 7, 2025, sixty days from January 6, 2025, the date the proposed rule will be published in the Federal Register.
  • Here is a link to the OCR’s fact sheet for the proposed rule. The HIPAA Security Rule dates back to 2003, and its hallmark was flexibility in implementation. To that end, the HIPAA Security Rule set forth required standards and addressable standards. Because a lot has changed since 2003, I expected standard changes, but I did not expect OCR to do away with the required / addressable standard distinction in favor of exceptions. Like many other regulations issued by the current administration, the proposed amendments are loaded with new paperwork and oversight requirements. Hopefully the next administration will pull back the proposed rule so that the changes focus on requiring tools that are known to work, e.g., multi-factor authentication, encryption, adequate backups.
  • Cybersecurity Dive lets us know,
    • “Lax security controls played a significant role in allowing a China-government sponsored threat group to gain broad and full access to U.S. telecom networks, a senior White House official said Friday.
    • “From what we’re seeing regarding the level of cybersecurity implemented across the telecom sectors, those networks are not as defensible as they need to be to defend against a well-resourced, capable, offensive cyber actor like China,” Anne Neuberger, deputy national security advisor for cyber and emerging technology, said during a Friday media briefing.
    • “Neuberger’s remarks came as the White House confirmed a ninth telecom company was among those compromised by Salt Typhoon’s widespread intrusion of U.S. telecom networks. The unnamed company recently determined it was impacted after reviewing threat hunting and hardening guidance provided by the U.S. government, Neuberger said.
    • “Earlier this month, U.S. officials said at least 8 U.S. telecom providers or infrastructure companies were compromised in a campaign that went undetected for months and has been underway for up to two years.”
  • Per Federal News Network,
    • “The DoD’s big cybersecurity program advanced earlier this month. It’s a big rule to carry out if it becomes effective. For what the rule means and what comes next in the Cybersecurity Maturity Model Certification Program, Deltek cybersecurity researcher Michael Greenman joined the Federal Drive with Tom Temin for details.”
    • The article offers a transcript of this interview.

From the cybersecurity breaches, ransomware, and vulnerabilities front,

  • The Cybersecurity and Infrastructure Security Agency (CISA) added one known exploited vulnerability to its catalog this week.
  • Here is a link to a Security Affairs explanation of the vulnerability.
  • Bleeping Computer pointed out on December 24,
    • The Clop ransomware gang started to extort victims of its Cleo data theft attacks and announced on its dark web portal that 66 companies have 48 hours to respond to the demands.
    • The cybercriminals announced that they are contacting those companies directly to provide links to a secure chat channel for conducting ransom payment negotiations. They also provided email addresses where victims can reach out themselves.
    • In the notification on their leak site, Clop lists 66 partial names of companies that did not engage the hackers for negotiations. If these companies continue to ignore, Clop threatens to disclose their full name in 48 hours.
    • The hackers note that the list represents only victims that have been contacted but did not respond to the message, suggesting that the list of affected companies may be larger.
    • “The Cleo data theft attack represents another major success for Clop, who leveraged a zero-day vulnerability in Cleo LexiCom, VLTransfer, and Harmony products to steal data from the networks of breached companies.” * * *
    • “The zero-day flaw exploited this time is now tracked as CVE-2024-50623 and it allows a remote attacker to perform unrestricted file uploads and downloads, leading to remote code execution.
    • “A fix is available for Cleo Harmony, VLTrader, and LexiCom version 5.8.0.21 and the vendor warned in a private advisory that hackers were exploiting it to open reverse shells on compromised networks.”
  • and
    • “The North Korean hacker group ‘TraderTraitor’ stole $308 million worth of cryptocurrency in the attack on the Japanese exchange DMM Bitcoin in May.
    • “In a short post, the FBI attributed the attack to the state-affiliated threat actor TraderTraitor, also tracked as Jade Sleet, UNC4899, and Slow Pisces.
    • “The crypto heist occurred in May 2024 and forced the platform to restrict account registration, cryptocurrency withdrawals, and trading until the completion of the investigations.”
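The Cleo flaw described above is characterized as unrestricted file uploads and downloads. As an added example, not Cleo’s code and not taken from the Bleeping Computer report, here is the kind of server-side gate whose absence defines that bug class: a filename pattern, an extension allowlist, a size cap, and a containment check that refuses any destination resolving outside the upload root, with the same containment logic applied to download requests. The allowlist, size limit, and directory name are assumptions constructed for the example.

```python
"""Server-side upload and download path validation.

Added example; not Cleo's code and not from the Bleeping Computer report.
The allowlist, size cap and upload directory are assumptions for illustration.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass
from pathlib import Path

ALLOWED_EXTENSIONS = {".pdf", ".csv", ".txt", ".png"}   # assumed policy: inert types only
MAX_BYTES = 5 * 1024 * 1024                               # assumed cap: 5 MiB
# Exactly one path segment: letters, digits, dot, underscore, hyphen.
_SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,100}")


@dataclass(frozen=True)
class UploadDecision:
    accepted: bool
    reason: str
    target: Path | None = None


def validate_upload(upload_root: Path, client_name: str, size: int) -> UploadDecision:
    """Decide whether an upload may be written; the first failing check wins."""
    # 1. Discard any directory part the client supplied ('/' or '\' separators).
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    if base in {"", ".", ".."} or not _SAFE_NAME.fullmatch(base):
        return UploadDecision(False, "filename rejected by pattern")
    # 2. Deny by default: only allowlisted extensions, compared case-insensitively.
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return UploadDecision(False, f"extension {ext or '(none)'} not allowed")
    # 3. Enforce the size cap before touching storage.
    if size <= 0 or size > MAX_BYTES:
        return UploadDecision(False, "size out of bounds")
    # 4. Defence in depth: the resolved destination must sit directly in the root.
    root = upload_root.resolve()
    target = (root / base).resolve()
    if target.parent != root:
        return UploadDecision(False, "destination escapes upload root")
    return UploadDecision(True, "ok", target)


def resolve_download(upload_root: Path, requested: str) -> Path | None:
    """Map a client-requested relative path to a file inside the root, or None."""
    if "\x00" in requested or Path(requested).is_absolute():
        return None
    root = upload_root.resolve()
    target = (root / requested).resolve()
    # Containment is checked after resolution, so '..' segments and symlinks are both caught.
    if root not in target.parents:
        return None
    return target
```

Two design notes: the download check resolves the path before comparing it to the root, because a lexical test on the raw string misses symlinks and mixed separators; and the upload check rejects rather than "cleans" a bad name, since rewriting attacker-controlled input tends to reopen the hole. Content inspection (magic bytes, double extensions such as `x.jsp.pdf`) belongs alongside this gate, not in place of it.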

From the cybersecurity defenses front,

  • Nextgov/FCW alerts us that “Government and private sector organizations have begun to recognize that physical and virtual assets must be protected from cyber threats in the same way as IT.”
  • Dark Reading discusses “Defining & Defying Cybersecurity Staff Burnout. Sometimes it feels like burnout is an inevitable part of working in cybersecurity. But a little bit of knowledge can help you and your staff stay healthy.”
  • Here is a link to Dark Reading’s CISO Corner, which was updated this week.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • The Wall Street Journal reports,
    • “Congress might pull in opposite directions on cybersecurity in its new two-year term, while President-elect Donald Trump’s position on key cyber topics remains a wild card.
    • “The agenda is packed: Corporate executives want regulatory harmonization, policymakers realize that key critical infrastructure sectors like healthcare need more support and oversight, and artificial intelligence continues to intrigue lawmakers.
    • “Despite partisan tensions over everything from taxes to immigration, cybersecurity is likely to remain an issue that brings Democrats and Republicans together on national security grounds. Still, Republicans are expected to go after regulation they see as burdensome, in particular the Securities and Exchange Commission’s incident-reporting rule.
    • “It’s important now more than ever that policymakers ensure advancing common-sense and bipartisan cybersecurity policy is a top priority for the 119th Congress,” said John Miller, senior vice president of policy, trust, data and technology at the Information Technology Industry Council, a trade group.”
  • NextGov/FCW discusses the Defense Department related cybersecurity and other provisions found in the Fiscal Year 2025 National Defense Authorization Act which Congress passed this week.
  • Security Affairs lets us know,
    • “According to the WSJ, the U.S. government is considering banning TP-Link routers starting in 2025.
    • “TP-Link holds 65% of the U.S. market and is the top choice on Amazon, powering internet communications for the Defense Department.
    • “In August, two U.S. lawmakers urged the Biden administration to investigate TP-Link over concerns its devices could be used in cyberattacks.
    • “The Commerce, Defense and Justice departments have opened separate probes into the company, with authorities targeting a ban on the sale of TP-Link routers in the U.S. as early as next year, the report said,” reported Reuters. “An office of the Commerce Department has even subpoenaed the company while the Defense Department launched its investigation into Chinese-manufactured routers earlier this year, the newspaper reported, citing people familiar with the matter.” * * *
    • “[A] spokesperson for TP-Link’s U.S. subsidiary told the WSJ that the company welcomes any opportunities to engage with the U.S. government to demonstrate that its security practices align with industry standards and to show its ongoing commitment to the U.S. market, consumers, and addressing national security risks.”
  • The Office of Management and Budget’s Office of Information and Regulatory Affairs concluded its review of the HHS’s Office for Civil Rights proposed amendments to the HIPAA Security Rule on December 18.
  • The next step is publication of the proposed rule in the Federal Register.
  • Last Monday, the Cybersecurity and Infrastructure Security Agency released its “2024 Year in Review Highlights CISA’s Achievements in Reducing Risk and Building Resilience in Cybersecurity and Critical Infrastructure Security.”
  • Cyberscoop adds,
    • “Federal civilian agencies have a new list of cyber-related requirements to address after the Cybersecurity and Infrastructure Security Agency on Tuesday issued guidance regarding the implementation of secure practices for cloud services.
    • “CISA’s Binding Operational Directive (BOD) 25-01 instructs agencies to identify all of its cloud instances and implement assessment tools, while also making sure that their cloud environments are aligned with the cyber agency’s Secure Cloud Business Applications (SCuBA) configuration baselines.
    • “CISA Director Jen Easterly said in a statement that the actions laid out in the directive are “an important step” toward reducing risk across the federal civilian enterprise, though threats loom in “every sector.”
    • “Malicious threat actors are increasingly targeting cloud environments and evolving their tactics to gain initial cloud access,” Easterly said. “We urge all organizations to adopt this guidance. When it comes to reducing cyber risk and ensuring resilience, we all have a role to play.”
  • and
    • “The Cybersecurity and Infrastructure Security Agency unveiled a detailed set of guidelines Wednesday to safeguard the mobile communications of high-value government targets in the wake of the ongoing Salt Typhoon telecom breach.
    • The guide aims to help both political and federal leadership harden their communications and avoid any data interception by the Chinese-linked espionage group. As of earlier this month, government agencies were still grappling with the attack’s full scope, federal officials told reporters. Among the targets were officials from both presidential campaigns, including the phone of President-elect Donald Trump.
    • “The advisory details several key practices intended to mitigate risks associated with cyber threats and raise awareness on techniques that can thwart any type of malicious actor.
    • “I want to be clear that there’s no single solution that will eliminate all risks, but implementing these best practices will significantly enhance the protection of your communication,” said Jeff Greene, CISA’s executive assistant director for cybersecurity. “We urge everyone, but in particular those highly targeted individuals, to review our guidance and apply those that suit their needs.”
    • “Even with the guidance’s focus on high-value targets, the advice is good for anyone that wants to take actions to secure their mobile devices. One of the primary recommendations includes the exclusive use of end-to-end encrypted messaging applications for secure communication. CISA suggests adopting apps like Signal, which provide robust encryption for both Android and iPhone platforms, preventing unauthorized interception of messages.”
  • The American Hospital Association News tells us,
    • The Cybersecurity and Infrastructure Security Agency is seeking comments on its draft National Cyber Incident Response Plan Update. The plan describes how the federal government, private sector, and state, local, tribal and territorial government entities will coordinate to manage, respond to and mitigate the consequences of high-profile cyberattacks. The update addresses changes in the cyberthreat and operations landscape by incorporating feedback and lessons learned from stakeholders in previous incidents. Comments are being accepted in the Federal Register until Jan. 15.
  • Per a Justice Department press release,
    • “A superseding criminal complaint filed in the District of New Jersey was unsealed today charging a dual Russian and Israeli national for being a developer of the LockBit ransomware group.
    • “In August, Rostislav Panev, 51, a dual Russian and Israeli national, was arrested in Israel pursuant to a U.S. provisional arrest request with a view towards extradition to the United States. Panev is currently in custody in Israel pending extradition on the charges in the superseding complaint.
    • “The Justice Department’s work going after the world’s most dangerous ransomware schemes includes not only dismantling networks, but also finding and bringing to justice the individuals responsible for building and running them,” said Attorney General Merrick B. Garland. “Three of the individuals who we allege are responsible for LockBit’s cyberattacks against thousands of victims are now in custody, and we will continue to work alongside our partners to hold accountable all those who lead and enable ransomware attacks.”

From the cyber vulnerabilities and breaches front,

  • SC Media relates,
    • “A Chinese-backed malware operation is building a botnet out of smart cameras and video boxes.
    • “The FBI said [on December 16] that a group identified as HiatusRAT has been seeding internet-of-things (IoT) devices with malware that allows for remote access and control. Targets include smart cameras and DVR boxes.
    • “In addition to gathering video footage or traffic data from the compromised hardware, attackers can use the edge-facing devices as a foothold to gain access into other hardware on the network and perform further attacks and data exfiltration.
    • “In this case, the FBI believes that the attackers are trying to compromise U.S. government agencies and the private contractors that work with them. It is believed that the threat actors are working on behalf of the Chinese government to infiltrate networks and gather data that would benefit Beijing.”
  • The American Hospital Association adds,
    • “This recent campaign appears to have targeted vulnerable Chinese-branded webcams and DVRs for specific, published vulnerabilities and default passwords set by the vendor,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “These devices are often used in security video monitoring systems. Several of these vulnerabilities impacting older, end-of-life devices have not been patched by the manufacturer and the FBI recommends replacing them with updated devices. The critical takeaway from this bulletin is that patch management programs must cover not only traditional computer systems, but also Internet of Things devices on your network.” 
  • On December 17, HHS’s Health Sector Cybersecurity Coordination Center issued an analyst note about credential harvesting.
  • Bleeping Computer lets us know,
    • “A new Microsoft 365 phishing-as-a-service platform called “FlowerStorm” is growing in popularity, filling the void left behind by the sudden shutdown of the Rockstar2FA cybercrime service.
    • “First documented by Trustwave in late November 2024, Rockstar2FA operated as a PhaaS platform facilitating large-scale adversary-in-the-middle (AiTM) attacks targeting Microsoft 365 credentials.
    • “The service offered advanced evasion mechanisms, a user-friendly panel, and numerous phishing options, selling cybercriminals access for $200/two weeks.
    • According to Sophos researchers Sean Gallagher and Mark Parsons, Rockstar2FA suffered from a partial infrastructure collapse on November 11, 2024, making many of the service’s pages unreachable.
    • Sophos says this does not appear to be the result of law enforcement action against the cybercrime platform but rather a technical failure.
    • A few weeks later, FlowerStorm, which first appeared online in June 2024, started quickly gaining traction.
  • CISA added eight known exploited vulnerabilities to its catalog this week.
  • Cybersecurity Dive adds,
    • “Attackers are actively exploiting a critical vulnerability in Apache Struts 2 just days after it was originally disclosed and patched, researchers warn.  
    • “The vulnerability, listed as CVE-2024-53677, involves a flaw in file upload logic, according to a bulletin from Apache. The vulnerability has a CVSS score of 9.5 out of 10, indicating the risk is considered critical.  
    • “An attacker can manipulate file upload parameters to enable path traversal. Apache urged users to upgrade to Struts 6.4.0 or greater and use the Action File Upload Interceptor. Security researchers warn the vulnerability can allow an attacker to conduct malicious actions.”
  • and
    • “Researchers have now traced exploitation of a critical vulnerability in Cleo file transfer software back to October, Mandiant Consulting CTO Charles Carmakal said in a LinkedIn post Wednesday. Mandiant’s discovery puts active exploitation at least a month earlier than previously observed by other researchers.
    • “Mandiant identifies the cluster actively exploiting the two vulnerabilities, CVE-2024-50623 and CVE-2024-55956, as UNC5936. Researchers say the cluster has overlaps with FIN11, also known as Clop, which claimed responsibility for the attacks earlier this month. 
    • “There is currently no evidence of mass data theft, which was observed in prior campaigns by the threat group, Carmakal said. However, malicious backdoors including Beacon and Goldtomb have been deployed on exploited systems.”
  • and
    • “An attacker gained access to a limited number of BeyondTrust customers’ instances of Remote Support SaaS, an access-management tool, the company said in a Dec. 8 blog post, which was updated Wednesday. The attacker compromised a Remote Support SaaS API key and reset passwords of multiple accounts.
    • “The cybersecurity vendor initially detected anomalous activity on one customer instance of Remote Support SaaS on Dec. 2, according to the updated blog. Three days later, the company determined multiple customers were impacted, suspended those instances and revoked the compromised API key.
    • “Our initial investigation has found that no BeyondTrust products outside of Remote Support SaaS are impacted,” the company said in the blog post.”
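The Cybersecurity Dive item above describes CVE-2024-53677 as a file upload flaw in which the client can steer the upload path; the page's own remedy is Apache's advice (upgrade to Struts 6.4.0 or later and use the Action File Upload Interceptor). The block below is an added example of what a hardened upload handler checks in general, written in Python; it is not Apache Struts code, not the Struts fix, and every name in it (`sanitize_filename`, `resolve_upload_target`, the `uploads_demo` directory) is an assumption for illustration.

```python
"""
Rejecting path traversal in client-supplied upload file names.

Added illustration of the general defect class the article describes
(an upload handler that lets the client influence where a file lands).
Not Apache Struts code and not the Struts 6.4.0 fix; all names are
assumptions for this example.
"""
import re
from pathlib import Path

# Allow-list: first character a letter or digit, then letters, digits, '.', '_' or '-'.
# Leading dots ('.htaccess', '..') and every path separator are excluded by construction.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")

# Windows reserved device names; a server on Windows would misbehave when writing these.
WINDOWS_RESERVED = {
    "CON", "PRN", "AUX", "NUL",
    *(f"COM{i}" for i in range(1, 10)),
    *(f"LPT{i}" for i in range(1, 10)),
}


class UnsafeFilename(ValueError):
    """Raised for any client name we refuse to write. Log these: a client sending
    '../' or a backslash is a detection signal, not an input to be cleaned."""


def sanitize_filename(client_name, allowed_ext=None):
    """Return client_name unchanged if it passes the allow-list, otherwise raise.
    Rejects rather than strips: stripping '../' silently hides an attack attempt."""
    if "\x00" in client_name or "/" in client_name or "\\" in client_name:
        raise UnsafeFilename(f"separator or NUL byte in {client_name!r}")
    if not SAFE_NAME.match(client_name):
        raise UnsafeFilename(f"name fails allow-list: {client_name!r}")
    stem = client_name.split(".", 1)[0]
    if stem.upper() in WINDOWS_RESERVED:
        raise UnsafeFilename(f"reserved device name: {client_name!r}")
    if allowed_ext is not None:
        ext = client_name.rsplit(".", 1)[-1].lower() if "." in client_name else ""
        if ext not in allowed_ext:
            raise UnsafeFilename(f"extension {ext!r} not allowed")
    return client_name


def is_safe_filename(client_name, allowed_ext=None):
    """Boolean convenience wrapper around sanitize_filename."""
    try:
        sanitize_filename(client_name, allowed_ext)
        return True
    except UnsafeFilename:
        return False


def resolve_upload_target(upload_dir, client_name, allowed_ext=None):
    """Build the final path and confirm it still lies directly inside upload_dir.
    resolve() follows symlinks, so a pre-planted symlink carrying a valid-looking
    name that points outside the directory is caught here (defence in depth)."""
    base = Path(upload_dir).resolve()
    target = (base / sanitize_filename(client_name, allowed_ext)).resolve()
    if target.parent != base:
        raise UnsafeFilename(f"{client_name!r} resolves outside {base}")
    return target


if __name__ == "__main__":
    # Constructed sample names: two benign, the rest hostile or unwritable.
    for name in ["report.pdf", "data-2024_12.csv", "../../etc/passwd",
                 "..\\..\\windows\\win.ini", ".htaccess", "a.php\x00.png", "nul.txt"]:
        print(f"{name!r:32} -> {'accept' if is_safe_filename(name) else 'reject'}")
```

The check is deliberately two-layered: the allow-list decides what a name may look like, and the containment test on the resolved path catches anything the allow-list did not anticipate. Pair it with server-side storage under a generated name (for example a random identifier plus the validated extension) where the original name does not need to be preserved.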

From the ransomware front,

  • Cybersecurity Dive points out,
    • “Data from nearly 5.6 million people was exposed due to a ransomware attack on nonprofit health system Ascension this spring, according to a report to federal regulators.
    • “The attack compromised personal information from some current and former Ascension patients, senior living residents and employees, the system said on Thursday [December 19]. Personal details, medical information, payment information, insurance details and government ID numbers, including Social Security numbers, could have been exposed.
    • “The breach is the third largest reported to the HHS’ Office for Civil Rights’ healthcare data breach portal this year, trailing only incidents at Change Healthcare and Kaiser Foundation Health Plan.” * * *
    • “In June, Ascension reported that cybercriminals gained access to its systems after a worker accidentally downloaded a malicious file, and that personally identifiable and protected health information may have been exposed.
    • “Now, the health system has completed its review of what data may have been compromised. Ascension is mailing letters to affected people, which should be delivered over the next two to three weeks, the health system said in an update Thursday [December 19].
    • “Though patient data was involved, Ascension said it found no evidence that data was stolen from EHR and other clinical systems, where full patient records are stored.” 
  • Statescoop lets us know,
    • Hackers are threatening as early as this week to release the personal information of potentially hundreds of thousands of Rhode Islanders connected with RIBridge, the state’s health and social services system that suffered a cyberattack on Dec. 5, Gov. Dan McKee and state officials told media over the weekend.
    • Brian Tardiff, Rhode Island’s chief digital officer, said that the cybercriminals behind the attack threatened to release the data they claim to have obtained in the Dec. 5 cyberattack unless they receive a ransom payment. Tardiff did not specify the ransom deadline, amount of money demanded or if the hackers identified themselves.
    • “Any individual who has received or applied for state health coverage or health and human services programs or benefits could be impacted by this breach,” according to an update posted to the state’s website Friday after the cyberattack was detected.
    • The state’s benefits programs that may be impacted by the breach include Medicaid, Supplemental Nutrition Assistance Program, Temporary Assistance for Needy Families, Child Care Assistance Program, health coverage purchased through HealthSource RI, Rhode Island Works, Long-Term Services and Supports, General Public Assistance and Program At HOME Cost Share.
  • Per TechTarget,
    • “Despite being taken down and humiliated by the National Crime Agency (NCA) coordinated Operation Cronos in February 2024, an unknown individual(s) associated with, or claiming to represent, the LockBit ransomware gang has broken cover to announce the impending release of a new locker malware, LockBit 4.0.
    • “In screengrabs taken from the dark web that have been widely circulated on social media in the past day, the supposed cybercriminal invited interested parties to “sign up and start your pen tester billionaire journey in 5 minutes with us”, promising them access to supercars and women. At the time of writing, none of the links in the post direct anywhere, while a countdown timer points to a ‘launch’ date of 3 February 2025.
    • “Robert Fitzsimons, lead threat intelligence engineer at Searchlight Cyber, said it was hard to say at this stage what LockBit 4.0 entailed – whether the gang was launching a new leak site, its old one having been seized, or whether it has made changes to its ransomware.
    • “It is worth noting that LockBit has already been through many iterations, its current branding is LockBit 3.0. It’s therefore not surprising that LockBit is updating once again and – given the brand damage inflicted by the law enforcement action Operation Cronos earlier this year – there is clearly a motivation for LockBit to shake things up and re-establish its credentials, keeping in mind that the LockBit 3.0 site was hijacked and defaced by law enforcement,” said Fitzsimons.”

From the cybersecurity defenses front,

  • Dark Reading discusses
    • “Managing Threats When Most of the Security Team Is Out of the Office. During holidays and slow weeks, teams thin out and attackers move in. Here are strategies to bridge gaps, stay vigilant, and keep systems secure during those lulls”
  • and
    • “To Defeat Cybercriminals, Understand How They Think. Getting inside the mind of a threat actor can help security pros understand how they operate and what they’re looking for — in essence, what makes a soft target.”
  • Here is a link to Dark Reading’s CISO Corner.
  • The Cyberscoop article on CISA’s mobile communications protection guide adds
    • “The guidelines advocate for the use of Fast Identity Online (FIDO) phishing-resistant authentication as a superior alternative to traditional multifactor authentication (MFA) methods. FIDO authentication, especially through hardware-based security keys such as Yubico or Google Titan, is recommended for enhancing the security of high-targeted accounts.
    • The guidance also emphasizes moving away from Short Message Service (SMS) messages as a form of MFA, advising that SMS-based authentication is not encrypted and can be easily intercepted by those with access to telecommunications infrastructure.
    • “Additional recommendations include the use of a password manager, regular software updates for both operating systems and applications to patch vulnerabilities and setting telecommunications account PINs to prevent SIM-swapping attacks — a common technique used by hackers to hijack phone numbers and intercept sensitive communications.
    • “Specific guidelines tailored for Apple iPhone and Android users were also included. iPhone users are advised to enable “Lockdown Mode” to restrict app access and deploy Apple iCloud Private Relay for secure internet browsing. Meanwhile, Android users are encouraged to choose devices with strong security records and long-term update commitments, and to ensure the use of encrypted Rich Communication Services (RCS) for messaging.”

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front

  • Cyberscoop reports,
    • “The $3 billion that Congress folded into the annual defense policy bill to remove Chinese-made telecommunications technology from U.S. networks would be a huge start to defending against breaches like the Salt Typhoon espionage campaign, senators and hearing witnesses said Wednesday.
    • “Federal Communications Commission Chairwoman Jessica Rosenworcel recently told Hill leaders that the $1.9 billion Congress had devoted to the “rip and replace” program to get rid of Huawei and ZTE equipment left the agency with a $3.08 billion hole to reimburse 126 carriers for eliminating use of that tech, “putting our national security and the connectivity of rural consumers who depend on these networks at risk.”
    • “The fiscal 2025 National Defense Authorization Act (NDAA), which passed the House by a 281-140 vote Wednesday, contains language authorizing funds to fill that gap. Sen. Ben Ray Luján, the New Mexico Democrat who chairs the Commerce Subcommittee on Communications, Media and Broadband, said at Wednesday’s hearing of his panel that Congress should approve that funding even though there’s much still unknown about the attacks from the Chinese government hackers known as Salt Typhoon.
    • “What we do know is that more must be done to prevent attacks like this in the future,” he said. “One obvious thing we can do today is get equipment manufactured by companies that collaborate with our foreign adversaries out of our American networks. … I’m hopeful that there’s strong bipartisan agreement to fully fund this program through this year’s National Defense Authorization Act and address one of the major known vulnerabilities facing our networks every day once and for all.”
  • Federal News Network discusses the Defense Department cybersecurity provisions found in the Fiscal Year 2025 NDAA which is expected to clear the Senate next week.
  • Per a December 10, 2024, press release,
    • [T]he U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Inmediata Health Group, LLC (Inmediata), a health care clearinghouse, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, following OCR’s receipt of a complaint that HIPAA protected health information was accessible to search engines like Google, on the internet. * * *
    • “In 2018, OCR received a complaint concerning PHI left unsecured on the internet. Following the initiation of OCR’s investigation, Inmediata provided breach notification to HHS, and affected individuals. OCR’s investigation determined that from May 2016 through January 2019, the PHI of 1,565,338 individuals was made publicly available online. The PHI disclosed included patient names, dates of birth, home addresses, Social Security numbers, claims information, diagnosis/conditions and other treatment information.” * * *
    • “Under the terms of the settlement, Inmediata paid OCR $250,000. OCR determined that a corrective action plan was not necessary in this resolution as Inmediata had previously agreed to a settlement with 33 states that includes corrective actions that address OCR’s findings in this matter.” * * *
    • “The resolution agreement may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/inmediata-health-group-ra-cap/index.html
  • Cyberscoop tells us,
    • “A federal court has indicted 14 more North Korean IT workers as part of an ongoing U.S. government campaign to crack down on Pyongyang’s use of tech professionals to swindle American companies and nonprofits.
    • “The Justice Department said the 14 indicted workers generated at least $88 million throughout a conspiracy that stretched over approximately six years, ending in March 2023. North Korea-controlled companies in China and Russia — Yanbian Silverstar and Volasys Silverstar, respectively — used the so-called “IT Warriors” to obtain false U.S. identities, pose as employees doing remote IT work in the United States and transfer funds from their employers to eventually end up in the hands of the North Korean government, according to the indictment. 
    • “When the defendants gained access to a U.S. employer’s sensitive business information, the defendants in some instances extorted payments from the employer by threatening to release, and in some cases releasing, that sensitive information online,” per the indictment, which the DOJ publicized Thursday [December 12].
    • “The U.S. District Court of the Eastern Division of Missouri handed down the indictment. In addition to the indictment, the State Department announced rewards of up to $5 million for individuals and companies involved in the scheme.
  • and
    • The Justice Department announced Thursday [December 12] that it had participated in a coordinated effort to seize and dismantle Rydox, an online marketplace for stolen personal information and cybercrime tools. The operation led to the arrest of three individuals alleged to be the site’s administrators.
    • Rydox has been linked to over 7,600 illicit sales and generated substantial profits since its inception in 2016. Authorities reported the site’s revenue exceeded $230,000, primarily sourced from selling sensitive data such as credit card information, login credentials, and other PII stolen from thousands of U.S. residents. The site has offered for sale at least 321,372 cybercrime products to over 18,000 users.
    • The operation was carried out by the FBI’s Pittsburgh Office, Albania’s Special Anti-Corruption Body (SPAK) and its National Bureau of Investigation (BKH), the Kosovo Special Prosecution Office, the Kosovo Police, and the Royal Malaysian Police.
    • Kosovo nationals Ardit Kutleshi, 26, and Jetmir Kutleshi, 28, were apprehended in Kosovo. They will be extradited to the Western District of Pennsylvania to face multiple charges, including identity theft and money laundering. A third man, Shpend Sokoli, also from Kosovo, was detained in Albania. Sokoli will be prosecuted in Albania.

From the cyber vulnerabilities and breaches front,

  • HHS’s Health Sector Cybersecurity Coordination Center released on December 9 its bulletin about November vulnerabilities of interest to the health sector.
  • Bleeping Computer informs us,
    • “Citrix Netscaler is the latest target in widespread password spray attacks targeting edge networking devices and cloud platforms this year to breach corporate networks.
    • “In March, Cisco reported that threat actors were conducting password spray attacks on the Cisco VPN devices. In some cases, these attacks caused a denial-of-service state, allowing the company to find a DDoS vulnerability they fixed in October.
    • “In October, Microsoft warned that the Quad7 botnet was abusing compromised TP-Link, Asus, Ruckus, Axentra, and Zyxel networking devices to perform password spray attacks on cloud services. * * *
    • “Today [December 13], Citrix released a security bulletin warning of the uptick in password spray attacks on Netscaler devices and provided mitigations on how to reduce their impact.”
  • The Cybersecurity and Infrastructure Security Agency added two known exploited vulnerabilities to its catalog this week.
  • Bleeping Computer adds,
    • “CISA confirmed today [December 13] that a critical security vulnerability in Cleo Harmony, VLTrader, and LexiCom file transfer software is being exploited in ransomware attacks.
    • “This flaw (tracked as CVE-2024-50623 and impacting all versions before version 5.8.0.21) enables unauthenticated attackers to gain remote code execution on vulnerable servers exposed online.
    • “Cleo released security updates to fix it in October and warned all customers to “immediately upgrade instances” to additional potential attack vectors.
    • The company has not disclosed that CVE-2024-50623 was targeted in the wild; however, on Friday, CISA added the security bug to its catalog of known exploited vulnerabilities, tagging it as being used in ransomware campaigns.” * * *
    • “While the cybersecurity agency didn’t provide any other information regarding the ransomware campaign targeting Cleo servers left vulnerable to CVE-2024-50623 exploits, these attacks are uncannily similar to previous Clop data theft attacks that exploited zero-days in MOVEit Transfer, GoAnywhere MFT, and Accellion FTA in recent years.
    • “Some also believe the flaw was exploited by the Termite ransomware operation. However, it is believed that this link was only made because Blue Yonder had an exposed Cleo software server, and they were breached in a cyberattack claimed by the ransomware gang.”
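The Bleeping Computer item above on password spray attacks against Citrix NetScaler, Cisco VPN devices and cloud services is a detection problem as much as a mitigation one: a spray hits many accounts with one or two guesses each, so it stays under the per-account lockout counter that classic brute-force defences watch. The block below is an added example, in Python, of the detection logic that does catch it: counting distinct failing usernames per source within a time window. It is not code from Citrix, Cisco, Microsoft or the article, and the log format and addresses are constructed for the example rather than taken from any real product.

```python
"""
Password-spray detection over authentication logs.

Added example; not code from Citrix, Cisco, Microsoft or the cited article,
and not tied to any product's real log format (the lines below are constructed).
A spray hits MANY accounts with FEW guesses each, so the signal is 'distinct
usernames failing from one source within a window', not 'failures per account'.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog-like, NOT real NetScaler output), showing:
#  - a fast spray from 203.0.113.7 that finally succeeds as 'frank',
#  - a legitimate user mistyping a password four times from 198.51.100.9,
#  - a low-and-slow spray from 192.0.2.44 spaced 40 minutes apart.
SAMPLE_LOG = """\
2024-12-13T08:00:01Z auth src=203.0.113.7 user=alice result=FAIL
2024-12-13T08:00:03Z auth src=203.0.113.7 user=bob result=FAIL
2024-12-13T08:00:05Z auth src=203.0.113.7 user=carol result=FAIL
2024-12-13T08:00:07Z auth src=203.0.113.7 user=dave result=FAIL
2024-12-13T08:00:09Z auth src=203.0.113.7 user=erin result=FAIL
2024-12-13T08:00:11Z auth src=203.0.113.7 user=frank result=FAIL
2024-12-13T08:00:13Z auth src=203.0.113.7 user=frank result=SUCCESS
2024-12-13T08:01:00Z auth src=198.51.100.9 user=grace result=FAIL
2024-12-13T08:01:10Z auth src=198.51.100.9 user=grace result=FAIL
2024-12-13T08:01:20Z auth src=198.51.100.9 user=grace result=FAIL
2024-12-13T08:01:30Z auth src=198.51.100.9 user=grace result=FAIL
2024-12-13T08:01:40Z auth src=198.51.100.9 user=grace result=SUCCESS
2024-12-13T09:00:00Z auth src=192.0.2.44 user=alice result=FAIL
2024-12-13T09:40:00Z auth src=192.0.2.44 user=bob result=FAIL
2024-12-13T10:20:00Z auth src=192.0.2.44 user=carol result=FAIL
2024-12-13T11:00:00Z auth src=192.0.2.44 user=dave result=FAIL
2024-12-13T11:40:00Z auth src=192.0.2.44 user=erin result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def parse(log_text):
    """Parse lines into (timestamp, src_ip, user, result) tuples; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_spray(events, window_minutes=10, min_users=5, max_per_user=3):
    """Return {src_ip: {"users": [...], "success_after": bool}} for every source
    whose failures, within some window, touch >= min_users distinct accounts with
    <= max_per_user attempts each (the low-per-account shape of a spray)."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        fails = sorted((ts, user) for ts, _, user, result in evs if result == "FAIL")
        start = 0
        for end in range(len(fails)):
            # Advance the window start so fails[start:end+1] spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                first_fail = fails[0][0]
                alerts[src] = {
                    "users": sorted({u for _, u in fails}),
                    # A SUCCESS from the same source after the spray began is the
                    # strongest sign that one of the guessed passwords worked.
                    "success_after": any(
                        r == "SUCCESS" and ts >= first_fail for ts, _, _, r in evs
                    ),
                }
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(parse(SAMPLE_LOG)).items():
        print(src, info)
```

With the default 10-minute window only the fast spray is flagged; the slow one from 192.0.2.44 only appears when the window is widened to a few hours, which is the trade-off to make deliberately when tuning: short windows keep false positives down behind shared NAT egress addresses, long windows catch sprays paced to look like normal traffic. Run this alongside, not instead of, the per-account failure counter, and treat a source that is flagged and then logs a SUCCESS as an incident rather than an alert.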

From the ransomware front,

  • Oh, the humanity! The Wall Street Journal reports,
    • “Doughnut maker Krispy Kreme said a cyberattack detected in late November is still disrupting its online ordering. The attack, which happened shortly before a big annual holiday promotion, comes as other hacks have snarled supply chains in the retail industry.
    • “The company said it is working with outside experts to restore online capabilities and it expects the attack to have a short-term material impact on its business. Krispy Kreme’s physical locations remain open.”
  • In that regard, InfoSecurity Magazine points out,
    • “Ransomware claims reached an all-time high in November 2024, with Corvus Insurance reporting 632 victims claimed on ransomware groups’ data leak sites (DLS).
    • “More than double the monthly average of 307 victims, the November count exceeds the previous peak of 527 victims recorded in May 2024.
    • “According to a December 11 report by Corvus, these record numbers can be attributed to heightened activity by several ransomware groups, especially RansomHub and Akira.”
  • Forbes reports,
    • “Although little is known, in truth, about a cybercriminal actor employing what has become known as the Cloak ransomware threat, the group has risen rapidly to gain status as a significant player in the ransomware landscape since first emerging in 2022.
    • “Threat researchers at Halcyon have now analyzed the Cloak ransomware threat and uncovered a new and worrying variant that not only displays “sophisticated extraction and privilege escalation mechanisms” but also terminates processes related to both security and data backup tools. This new Cloak variant, Halcyon warned, can spread by way of dangerous drive-by downloads disguised as legitimate updates like Microsoft Windows installers.”

From the cybersecurity defenses front,

  • HP shares ransomware prevention tips.
  • An ISACA commentator examines approaches to mitigating human cybersecurity risks.
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Fedscoop reports,
    • “Legislation to improve federal agency oversight and management of software purchases passed the House on Wednesday [December 4], keeping top IT and software trade groups’ hopes alive that the bill will get through the Senate and become law before this congressional term is up.
    • “The Strengthening Agency Management and Oversight of Software Assets Act (H.R.1695) was introduced by Rep. Matt Cartwright, D-Pa., last year and co-sponsored by a bipartisan group of 20 House lawmakers. 
    • “Calling the rooting out of waste, fraud and abuse a “signal mission” of the House Oversight Committee, Cartwright said the bill would ensure that federal agencies are required to conduct a “comprehensive assessment of their current software assets and restructure their operations to reduce unnecessary costs.” 
    • “Our federal government spends billions of taxpayer dollars every year on software licenses alone. Most of these software license purchases are purposeful, but some are redundant, duplicative, simply unnecessary,” he said. “This commonsense bill will reduce waste, strengthen cybersecurity and modernize government operations.”
  • Cyberscoop adds,
    • “Private-sector tech leaders told House lawmakers Thursday [December 5] that the Cybersecurity and Infrastructure Security Agency’s [CISA] secure-by-design push may benefit from more of an incentive structure, but poorly trained developers remain “a real problem” for the nearly two-year-old initiative.
    • “The four witnesses testifying before the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection all characterized CISA’s voluntary secure-by-design pledge as a net positive that has resulted in significant industry-wide progress. The question posed by subcommittee Chair Andrew Garbarino, R-N.Y., and ranking member Eric Swalwell, D-Calif., was how the initiative could level up and better enhance cybersecurity across more U.S. sectors.
    • “Shane Fry, chief technology officer at RunSafe Security, acknowledged that CISA’s secure-by-design program — which now counts over 250 companies as signees — “is making a lot of waves.” But there’s a missing piece, Fry said, in limiting the program to IT systems and not addressing operational technology device manufacturers.
    • “Let’s work with Congress and find a good way, or CISA to find a good way, to incentivize these companies to actually secure their systems,” Fry said. “Because I think limiting it to just IT systems is a little bit short-sighted.”
  • Cybersecurity Dive lets us know,
    • Federal Communications Commission Chair Jessica Rosenworcel on Thursday [December 5] proposed stronger rules requiring telecom operators to secure their networks from intrusions, in response to the wave of China-linked attacks on U.S. carriers’ infrastructure.
    • The measure has two parts. Rosenworcel proposed a declaratory ruling to clarify telecom operators are legally obligated to secure their networks under Section 105 of the Communications Assistance for Law Enforcement Act. The second lever, a notice of proposed rulemaking, includes an annual certification requirement for telecom providers to maintain cybersecurity risk management plans.
    • “While the commission’s counterparts in the intelligence community are determining the scope and impact of the Salt Typhoon attack, we need to put in place a modern framework to help companies secure their networks and better prevent and respond to cyberattacks in the future,” Rosenworcel said in a statement Thursday.
  • Dark Reading tells us,
    • “Chasing down members of Scattered Spider, the cybercrime group known for their social engineering takedowns of massive organizations, has been a top law enforcement priority over the past several months. Now, the Federal Bureau of Investigation has made a new arrest in the case, a 19-year-old hacker living in Fort Worth, Texas — and he’s talking.
    • “Remington Goy Ogletree is accused of a phishing operation that ran from October 2023 to last May, when, according to the complaint, he was able to gain credentials and unauthorized access to two telecommunications companies and one US-based national bank. He then stole data, including API keys and cryptocurrency, and sold off access to other threat actors on the Dark Web, according to the indictment.
    • “He is also accused of hijacking one of the telecommunications platforms to send about 8.5 million phishing texts in an attempt to steal cryptocurrency. Ogletree likewise allegedly used a hacked telecom network to send phishing messages to employees of an unidentified financial institution with the intent to steal their credentials. The FBI complaint added that Ogletree hacked into a second telecommunications organization to send an additional 140,000 fraudulent phishing text messages.”

From the cybersecurity vulnerabilities and breaches front,

  • STAT News reports,
    • “As many as 172 million individuals — more than half the population of the United States — may have been impacted by large health data breaches reported to the Department of Health and Human Services in 2024, according to a STAT analysis of records from HHS’ Office for Civil Rights. It’s a new record for the scale of large health care breaches, breaking one set just last year.
    • “The vast majority of those health data breaches — 532 of the 656 reported as of December 4 — have resulted from hacks and ransomware attacks, continuing a years-long trend. Since 2018, HHS has reported, it has seen a 264% increase in large ransomware breaches, and seven health systems have been fined up to $950,000 for failing to protect patients’ protected health information from ransomware attacks.” * * *
    • “It’s unlikely that 172 million Americans had their health data exposed in breaches reported this year. There are overlaps in the individuals included in each breach. And after an attack, covered entities have to report that individual data was compromised unless they can actively prove that it wasn’t. “In ransomware, it’s hard to prove that the data was not exfiltrated,” said Jigar Kadakia, chief information security and privacy officer for Atlanta-based Emory Healthcare. “That’s where the escalation has been probably in the last three years.” 
  • The Wall Street Journal adds,
    • “Data breaches at healthcare organizations have become common in recent years. But what do hackers want with your health information, anyway?
    • “Usually, hackers break into providers’ networks looking for a ransom, doing things like locking the provider out of its own computer systems or threatening to release its data online. But they are also looking for patient data.
    • “Healthcare records have personal information that hackers are always eager to grab, like addresses and credit-card numbers. But the records also hold an array of private information about patients, ranging from insurance-policy numbers to medical conditions to medications—data that lets crooks scam insurance companies and Medicare and Medicaid, leaving patients exposed to steep financial and medical risk.
    • “They give hackers a full picture to commit insurance fraud, identity theft or other malicious activity in the future,” says John Riggi, the national adviser for cybersecurity and risk at the American Hospital Association, a trade organization that represents 90% of the hospitals in the U.S.
    • “What’s more, the theft of health records can have a longer-lasting impact on victims than regular financial fraud or identity theft, because the information in those records is harder to detect and more challenging to correct when misused.
  • Per the Wall Street Journal,
    • “Chinese government hackers have compromised telecommunications infrastructure across the globe as part of a massive espionage campaign that has affected dozens of countries, a top U.S. security official said Wednesday.
    • “Speaking during a press briefing Wednesday, Anne Neuberger, President Biden’s deputy national security adviser for cyber and emerging technology, said the so-called Salt Typhoon campaign is ongoing and that at least eight telecommunications firms in the U.S. had been breached.
    • “The Chinese compromised private companies, exploiting vulnerabilities in their systems as part of a global Chinese campaign that’s affected dozens of countries around the world,” Neuberger said.”
  • Cybersecurity Dive adds,
    • “Multiple government authorities and security researchers are warning about a directory traversal vulnerability in Zyxel Networks firewalls that threat actors are actively exploiting to deploy Helldown ransomware.
    • “The vulnerability, listed as CVE-2024-11667, with a CVSS score of 7.5, is located in the web management interface of Zyxel ZLD firewall firmware versions 5.00 through 5.38, and could allow an attacker to download or upload files through a crafted URL. The Cybersecurity and Infrastructure Security Agency on Tuesday added the CVE to its known exploited vulnerabilities catalog.
    • “Zyxel, in a blog post, confirmed it is aware of recent attempts to exploit the vulnerability, following disclosures from security researchers at Sekoia. The company is urging users to immediately update their firmware and change their admin passwords.”
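    • The Zyxel advisory above describes the bug class (a directory traversal reachable through a crafted URL) but not its mechanics, so the following is an added, generic illustration and not Zyxel’s code or the CVE-2024-11667 exploit: a file resolver in the naive form that trusts the decoded URL path, beside the hardened form that decodes once, rejects leftover escapes and absolute paths, normalises, and then checks that the result still lies under the document root. The root path `/srv/demo_webui` is hypothetical; nothing is read from disk.

```python
import os
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Hypothetical document root for the demo; it does not need to exist because
# nothing is opened, only path arithmetic is performed.
DOC_ROOT = Path("/srv/demo_webui")


def resolve_naive(root: Path, url_path: str) -> Path:
    """Vulnerable pattern: decode the request and glue it onto the root.

    Nothing stops '..' segments from walking above the root, so a crafted URL
    selects arbitrary files for download (or arbitrary targets for upload).
    """
    return Path(str(root) + "/" + unquote(url_path))


def resolve_safe(root: Path, url_path: str) -> Optional[Path]:
    """Hardened resolver: returns the file to serve, or None when rejected."""
    decoded = unquote(url_path)
    # Reject NUL bytes, backslashes and absolute paths outright.
    if "\x00" in decoded or "\\" in decoded or decoded.startswith("/"):
        return None
    # Reject any percent sign that survived the single decode: a
    # double-encoded payload such as %252e%252e would otherwise slip through
    # to a second decoder further down the stack.
    if "%" in decoded:
        return None
    root_real = root.resolve()
    candidate = (root_real / decoded).resolve()
    # Containment check after normalisation: relative_to() raises ValueError
    # when the candidate lies outside root_real, which is the traversal case.
    try:
        candidate.relative_to(root_real)
    except ValueError:
        return None
    return candidate


def naive_target(url_path: str) -> str:
    """Where the vulnerable resolver would actually end up, for comparison."""
    return os.path.normpath(str(resolve_naive(DOC_ROOT, url_path)))


if __name__ == "__main__":
    for req in ("css/app.css", "img/../index.html", "../../etc/passwd",
                "%2e%2e/%2e%2e/etc/passwd", "%252e%252e/etc/passwd", "/etc/passwd"):
        print(f"{req:28} naive -> {naive_target(req):32} safe -> {resolve_safe(DOC_ROOT, req)}")
```

The benign `img/../index.html` request still resolves, because the check is on the normalised result rather than on the presence of `..`; the point of the hardened form is to compare the final path against the root, not to pattern-match the input.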

From the ransomware front,

  • CBS News reported on December 4,
    • PIH Health [located in southern California] was targeted in a ransomware attack, forcing officials to completely shut their network offline and leaving millions in the dark when it comes to healthcare. 
    • Families are being told that they can either wait it out for systems to turn back online, or to go to another hospital for treatment because of the issue, which happened over the weekend. 
    • Officials say that they were targeted on Sunday by a “criminal act” that “compromised their network.” In turn, network services were turned off at their hospitals in Downey, Whittier and downtown LA. 
    • While urgent care centers and emergency rooms remained open, patients and physicians were left without access to health records, laboratory systems, pharmacy orders and radiation access. On top of that, internet access and phone lines were completely turned off. 
  • Cybersecurity News informs us,
    • “Black Basta ransomware operators have improved their tactics, leveraging Microsoft Teams to deploy Zbot, DarkGate, and Custom Malware.
    • “The ongoing social engineering campaign comprises a threat actor flooding a user’s inbox with junk and contacting the user to offer assistance. 
    • “Researchers observed that threat actors used Microsoft Teams as their primary medium for initial communication with the target.
    • “Suppose the user responds to the lure by answering the call or sending a message. In that case, the threat actor will try to persuade them to install or run a remote management (RMM) program, such as QuickAssist, AnyDesk, TeamViewer, Level, or ScreenConnect, among others.
    • “After establishing a remote connection, the threat actor proceeds to download payloads from their infrastructure to obtain the credentials of the affected users and continue to persistently target their assets.
    • “The overall goal following initial access appears to be the same: to quickly enumerate the environment and dump the user’s credentials. Operators will still attempt to steal any available VPN configuration files, when possible,” Rapid7 said in a report shared with Cyber Security News.”
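    • The Rapid7 description above is a sequence a defender can correlate: an inbox flood, an external Teams contact, then a user-launched remote management tool. The following is an added example, not Rapid7’s or Black Basta’s tooling, of that correlation run over constructed telemetry. The executable names in `RMM_BINARIES`, the approved deployment parents, the 30-minute window and the mail-flood threshold are all assumptions for the demo and would be tuned to real telemetry.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Image names for the remote-management tools named in the report.  Assumed for
# the demo; verify against the binaries actually seen in your environment.
RMM_BINARIES = {
    "quickassist.exe",
    "anydesk.exe",
    "teamviewer.exe",
    "screenconnect.clientservice.exe",
    "level.exe",
}
# Parent processes that legitimately install software (hypothetical allow-list).
APPROVED_INSTALL_PARENTS = {"ccmexec.exe", "msiexec.exe"}

WINDOW = timedelta(minutes=30)       # look-back for precursor signals
MAIL_FLOOD_THRESHOLD = 50            # inbound messages per window that counts as bombing


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str          # "mail_received", "teams_external_msg" or "process_start"
    detail: str = ""   # image name for process_start, sender domain otherwise
    parent: str = ""   # parent image name for process_start


def rmm_alerts(events: List[Event]) -> List[dict]:
    """Flag RMM launches preceded by an inbox flood and/or external Teams contact."""
    per_user: Dict[str, List[Event]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        per_user[ev.user].append(ev)

    alerts = []
    for user, evs in per_user.items():
        for ev in evs:
            if ev.kind != "process_start" or ev.detail.lower() not in RMM_BINARIES:
                continue
            if ev.parent.lower() in APPROVED_INSTALL_PARENTS:
                continue  # sanctioned deployment, not something the user was talked into
            recent = [e for e in evs if ev.ts - WINDOW <= e.ts < ev.ts]
            mails = sum(1 for e in recent if e.kind == "mail_received")
            teams = [e for e in recent if e.kind == "teams_external_msg"]
            reasons = []
            if mails >= MAIL_FLOOD_THRESHOLD:
                reasons.append(f"{mails} inbound mails in the preceding {WINDOW}")
            if teams:
                reasons.append(f"external Teams contact from {teams[-1].detail}")
            if reasons:
                alerts.append({"user": user, "process": ev.detail,
                               "parent": ev.parent, "ts": ev.ts, "reasons": reasons})
    return alerts


def sample_events() -> List[Event]:
    """Constructed telemetry: alice is bombed with mail, contacted on Teams and
    then runs AnyDesk from her browser; bob gets TeamViewer via sanctioned
    deployment; carol runs Quick Assist with no precursors."""
    t0 = datetime(2024, 12, 3, 9, 0)
    evs = [Event(t0 + timedelta(seconds=10 * i), "alice", "mail_received",
                 "newsletter-spam.example") for i in range(120)]
    evs.append(Event(t0 + timedelta(minutes=22), "alice", "teams_external_msg",
                     "helpdesk-support.example"))
    evs.append(Event(t0 + timedelta(minutes=27), "alice", "process_start",
                     "AnyDesk.exe", parent="msedge.exe"))
    evs.append(Event(t0 + timedelta(minutes=5), "bob", "process_start",
                     "TeamViewer.exe", parent="ccmexec.exe"))
    evs.append(Event(t0 + timedelta(minutes=40), "carol", "process_start",
                     "QuickAssist.exe", parent="explorer.exe"))
    return evs


if __name__ == "__main__":
    for alert in rmm_alerts(sample_events()):
        print(alert)
```

Only alice is flagged: bob’s launch came from an approved deployment parent, and carol’s Quick Assist run, while worth logging, has neither precursor in the window. Requiring a precursor keeps the rule from paging on every legitimate support session while still catching the sequence the report describes.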

From the cybersecurity defenses front,

  • Techradar tells us,
    • “US authorities are urging Americans to use encrypted messaging apps to secure their sensitive data against foreign attackers.
    • “The security call comes in the wake of an “unprecedented cyberattack” on the country’s telecoms companies, NBC News reported. The attack is considered among the largest intelligence compromises in US history and isn’t yet fully fixed.
    • “The China-linked Salt Typhoon group was first spotted targeting US telecoms with a new backdoor malware a few months ago. It has reportedly hacked the likes of AT&T, Verizon, and Lumen Technologies to spy on their customers’ activities.”
  • Cybersecurity Dive adds, “T-Mobile undeterred as telecom sector reels from attack campaign. Cybersecurity Dive spoke with CSO Jeff Simon about how the carrier says it thwarted a threat group resembling Salt Typhoon despite its past security failures.”
  • The Wall Street Journal asks, “Do Your Passwords Meet the Proposed New Federal Guidelines? New standards want to make passwords secure—but also more user-friendly.”
    • “The key to password security, the standards institute emphasizes, is length rather than special characters. The guidelines recommend passwords be at least eight characters long while suggesting organizations push for a minimum of 15 characters. The shorter minimum is acceptable when combined with multifactor authentication, Regenscheid says, which most federal websites now require when accessing personal information. That means having two different ways to confirm identity, not just the password itself.
    • “The institute also suggested a maximum length of at least 64 characters, a number Regenscheid calls “fairly arbitrary” but sufficient for security needs. Systems need some upper limit to prevent malicious users from trying to overwhelm servers with extremely long passwords, he says, and do things like download sensitive data from databases. 
    • “The emphasis on length over complexity reflects decades of research showing longer passwords are significantly harder to crack. “A truly randomly chosen 24-character password is not going to be broken,” says Stuart Schechter, an associate at Harvard’s School of Engineering and Applied Sciences. “That’s long enough that it’s not likely to be broken in the lifespan of the universe.”
    • “When it comes to creating long, strong passwords, research shows that both random strings of characters and random sequences of words can work well. “People’s brains work differently, and our tech should be designed to help you achieve your desired level of security with the option that works best for you,” Schechter says. His research found most people can memorize either type effectively.
    • “But it is a time-consuming process, and it isn’t clear how many passwords people can remember, Schechter says, so he uses the password manager built into his browser, an option available in browsers like Safari and Chrome. While some security experts push for stand-alone password managers that must be purchased separately, Schechter argues that built-in browser options are a good solution for most people’s needs and are very secure.”
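    • The guidance described above (a floor of 8 characters with multifactor authentication or 15 without, a cap of at least 64, and length preferred over composition rules) translates directly into a password-acceptance check. The following is an added example, not NIST’s or the Journal’s code: a legacy-style policy beside one aligned with that guidance, and a checker run against the kinds of passwords the article discusses. The blocklist check comes from the same NIST SP 800-63B guideline but is not discussed in the article; the blocklist contents are a constructed sample.

```python
import math
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int                  # floor when MFA is in place
    min_length_without_mfa: int      # floor when the password stands alone
    max_length: int                  # upper bound, to keep absurd inputs off the server
    require_character_classes: bool  # legacy composition rule
    blocklist: Set[str] = field(default_factory=set)


# Legacy style: short cap, composition rules, no blocklist.
LEGACY_POLICY = PasswordPolicy(min_length=8, min_length_without_mfa=8,
                               max_length=16, require_character_classes=True)

# Aligned with the guidance in the article: 8 with MFA, 15 without, cap of at
# least 64, no composition rules.  Blocklist entries are a constructed sample.
NIST_STYLE_POLICY = PasswordPolicy(
    min_length=8, min_length_without_mfa=15, max_length=64,
    require_character_classes=False,
    blocklist={"password", "123456", "qwerty", "letmein", "welcome1"},
)


def check_password(pw: str, policy: PasswordPolicy, mfa_enabled: bool) -> Optional[str]:
    """Return None if the password is acceptable, otherwise the reason it is not."""
    n = len(pw)  # count code points, not bytes, so accented passphrases are not penalised
    floor = policy.min_length if mfa_enabled else policy.min_length_without_mfa
    if n < floor:
        return f"too short: {n} < {floor}"
    if n > policy.max_length:
        return f"too long: {n} > {policy.max_length}"
    if policy.require_character_classes:
        classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
        if sum(classes) < 3:
            return "needs at least three character classes"
    if pw.lower() in policy.blocklist:
        return "appears on the blocklist of common passwords"
    return None


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random string of this length and alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    samples = [
        ("Tr0ub4dor&3", True),                        # short, complex
        ("kx9Qz2mP7vL4nR8sT1wY6bH3", False),          # random 24 characters
        ("correct battery staple orbit mango", False), # random words
        ("password", True),                            # common, blocklisted
    ]
    for pw, mfa in samples:
        print(f"{pw!r:40} mfa={mfa!s:5} legacy={check_password(pw, LEGACY_POLICY, mfa)!s:34} "
              f"nist={check_password(pw, NIST_STYLE_POLICY, mfa)}")
    print(f"random 24 printable-ASCII chars: {entropy_bits(24, 95):.1f} bits")
```

The legacy policy rejects both the random 24-character string and the five-word passphrase for being too long while waving through the short, symbol-laden `Tr0ub4dor&3`; the NIST-style policy does the reverse, and still rejects `password` on the blocklist rather than on any composition rule. A 24-character string drawn uniformly from the 95 printable ASCII characters carries about 158 bits of entropy, which is the arithmetic behind Schechter’s “lifespan of the universe” remark.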
  • Per a CISA press release,
    • “The Cybersecurity and Infrastructure Security Agency (CISA) published the updated version of the Trusted Internet Connections (TIC) 3.0 Security Capabilities Catalog (SCC) version 3.2. The SCC was recently updated based on the new National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) Version 2.0 mapping updates. 
    • “The TIC 3.0 SCC provides a list of deployable security controls, security capabilities, and best practices. The catalog is intended to guide secure implementations and help agencies satisfy program requirements within discrete networking environments. 
    • “Further, the SCC helps agencies to apply risk management principles and best practices to protect federal information in various computing scenarios. The trust considerations presented in the TIC 3.0 Reference Architecture can be further applied to an agency’s implementation of a given use case to determine the level of rigor required for each security capability. In some cases, the security capabilities may not adequately address residual risks necessary to protect information and systems; agencies are obligated to identify and apply compensating controls or alternatives that provide commensurate protections. Additional collaboration with vendors is necessary to ensure security requirements are adequately fulfilled, configured, and maintained.”
  • Per Cybersecurity Dive,
    • “Protecting the cloud: combating credential abuse and misconfigurations. To defend against two of today’s biggest cloud security threats, organizations must adapt and develop proactive strategies, Google Cloud’s Brian Roddy writes [in an opinion piece].”
  • and
    • “For IT pros, the CrowdStrike crisis was a ‘call to arms’. The global outage triggered investments in people, processes and technologies to beef up enterprise resilience, Adaptavist research found.”
  • Here is a link to Dark Reading’s CISO Corner.