From the cybersecurity policy and law enforcement front,

• Cyberscoop reports,
  • “Protecting Americans’ health data and strengthening cybersecurity protections throughout the health care sector is the focus of a bill introduced Friday from a bipartisan quartet of Senate lawmakers.
  • “The Health Care Cybersecurity and Resiliency Act of 2024 (S.5390) is the culmination of a yearlong effort from Sens. Bill Cassidy, R-La., Maggie Hassan, D-N.H., John Cornyn, R-Texas, and Mark Warner, D-Va., who formed a working group in November 2023 to examine cyber issues in health care.
  • “Under the umbrella of the Senate Health, Education, Labor and Pensions Committee, the senators aimed to address a staggering stat from the Health and Human Services Department, which found that 89 million Americans’ health information was breached last year, more than twice as many as in 2022.  
  • “In an increasingly digital world, it is essential that Americans’ health care data is protected,” Cornyn said in a statement. “This commonsense legislation would modernize our health care institutions’ cybersecurity practices, increase agency coordination, and provide tools for rural providers to prevent and respond to cyberattacks.” 
• and
  • “A bill that would require federal contractors to implement vulnerability disclosure policies that comply with National Institute of Standards and Technology guidelines cleared a key Senate panel Wednesday, setting the bipartisan legislation up for a vote before the full chamber.
  • “The Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024 (S. 5028) from Sens. Mark Warner, D-Va., and James Lankford, R-Okla., sailed through the Senate Homeland Security and Governmental Affairs Committee, after a companion bill from Rep. Nancy Mace, R-S.C., passed the House Oversight Committee in May.
  • “The bill from Warner and Lankford would formalize a structure for contractors to receive vulnerability reports about their products and take action against them ahead of an attack. In announcing the legislation in August, Warner said that vulnerability disclosure policies, or VDPs, “are a crucial tool used to proactively identify and address software vulnerabilities,” and that this bill would “better protect our critical infrastructure and sensitive data from potential attacks.”
  • “Federal law mandates that civilian federal agencies have VDPs, but no standard currently exists for federal contractors. The legislation would require contractors to accept, assess and manage any vulnerability reports that they receive.”
• and
  • “A Russian man who allegedly served as an administrator of the Phobos ransomware that’s extorted millions of dollars from more than a thousand victims is in U.S. custody, the Justice Department said Monday.
  • “South Korea extradited Evgenii Ptitsyn, 42, to the United States for a court appearance Nov. 4, according to a news release about an unsealed 13-count indictment.
  • “The Phobos ransomware has extorted over $16 million from more than 1,000 victims worldwide, including schools, hospitals, government agencies and large corporations, DOJ said. The department chalked up the arrest to international team-ups.”

From the cybersecurity vulnerabilities and breaches front,

• Per a Cybersecurity and Infrastructure Security Agency press release,
  • “The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Homeland Security Systems Engineering and Development Institute (HSSEDI), operated by MITRE, has released the 2024 CWE Top 25 Most Dangerous Software Weaknesses. This annual list identifies the most critical software weaknesses that adversaries frequently exploit to compromise systems, steal sensitive data, or disrupt essential services.
  • “Organizations are strongly encouraged to review this list and use it to inform their software security strategies. Prioritizing these weaknesses in development and procurement processes helps prevent vulnerabilities at the core of the software lifecycle.”

• CISA added eight known exploited vulnerabilities to its catalog this week.
  • November 18, 2024
    • CVE-2024-1212 Progress Kemp LoadMaster OS Command Injection Vulnerability
    • CVE-2024-0012 Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability
    • CVE-2024-9474 Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability
  • November 20, 2024
    • CVE-2024-38812 VMware vCenter Server Heap-Based Buffer Overflow Vulnerability
    • CVE-2024-38813 VMware vCenter Server Privilege Escalation Vulnerability
  • November 21, 2024
    • CVE-2024-44308 Apple Multiple Products Code Execution Vulnerability
    • CVE-2024-44309 Apple Multiple Products Cross-Site Scripting (XSS) Vulnerability
    • CVE-2024-21287 Oracle Agile Product Lifecycle Management (PLM) Incorrect Authorization Vulnerability

• Cybersecurity Dive adds,
  • “Palo Alto Networks customers are confronting another actively exploited zero-day, a critical authentication bypass vulnerability in the security vendor’s PAN-OS operating system, which runs some of the company’s firewalls, the company said Monday in an updated security advisory.
  • “Palo Alto Networks has identified threat activity targeting a limited number of device management web interfaces,” the security vendor’s threat intelligence firm Unit 42 said in a Monday threat brief. “Observed post-exploitation activity includes interactive command execution and dropping malware, such as webshells, on the firewall.”
  • “The vulnerability, CVE-2024-0012, has a CVSS score of 9.3 and allows an unauthenticated attacker with network access to the management web interface to gain administrator privileges or tamper with the configuration. Active exploitation of the CVE can also allow attackers to exploit other authenticated privilege escalation vulnerabilities, such as CVE-2024-9474, which has a CVSS score of 6.9.” 

• Security Week adds,
  • “Apple has rushed out major macOS and iOS security updates to cover a pair of vulnerabilities already being exploited in the wild.
  • “The vulnerabilities, credited to Google’s TAG (Threat Analysis Group), are being actively exploited on Intel-based macOS systems, Apple confirmed in an advisory released on Tuesday.
  • “As is customary, Apple’s security response team did not provide any details on the reported attacks or indicators of compromise (IOCs) to help defenders hunt for signs of infections.
  • “Raw details on the patched vulnerabilities:
    • “CVE-2024-44308 — JavaScriptCore — Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.
    • “CVE-2024-44309 — WebKit — Processing maliciously crafted web content may lead to a cross-site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.
  • “The company urged users across the Apple ecosystem to apply the urgent iOS 18.1.1, macOS Sequoia 15.1.1 and the older iOS 17.7.2.”

• Cybersecurity Dive lets us know,
  • “Password-spray attacks yielded prolific results for attackers across multiple sectors in North America and Europe during Q2 and Q3, the Trellix Advanced Research Center said in a Wednesday research report.
  • “The attack surface for password-spray attacks is vast, Trellix found. Attackers commonly target cloud-based systems, including Microsoft 365, Okta, Google Workspace, VPNs, Windows Remote Desktop, AWS, Google Cloud Platform and Microsoft Azure.
  • “Attackers most frequently targeted password-spray attacks at education, energy and transportation organizations during the six-month period, the report found.”

• HHS Health Sector Cybersecurity Coordination Center offers an alert discussing a widespread phishing campaign abusing DocuSign software by impersonating well-known brands. The alert offers tips for avoiding this scam.

• Dark Reading lets us know,
  • “Microsoft seized 240 domains belonging to ONNX, a phishing-as-a-serviceplatform that enabled its customers to target companies and individuals since 2017.
  • “ONNX was the top adversary-in-the-middle (AitM) phishing service, according to Microsoft’s “Digital Defense Report 2024,” with a high volume of phishing messages during the first six months of this year. Millions of phishing emails targeted Microsoft 365 accounts each month, and Microsoft has apparently had enough.”

From the ransomware front,

• The American Hospital Association News reports,
  • A joint advisory released Nov. 20 by the Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency and international partners warns of cybercriminal activity by the BianLian ransomware group. The agencies said actions by BianLian actors have impacted multiple sectors across the U.S. since 2022. They operate by gaining access to victims’ systems through valid remote desktop protocol credentials and use open-source tools and command-line scripting for finding and stealing credentials. The actors then extort money from victims by threatening to release the stolen data. 
  • “The BianLian group has been listed as one of the most active groups over the last several years, and they have been known to attack the health care sector,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “The group often uses RDP for access, which serves as a reminder to ensure that hospitals strictly limit the use of RDP and similar services to help mitigate this threat and the many others which use RDP as part of their initial access to penetrate networks. They do not appear to be encrypting networks and disrupting hospital operations. In the event that anyone’s personally identifiable information is stolen and think they may be a victim of identity theft, an excellent resource to help assist them is identitytheft.gov.” 
     
• Hacker News informs us,
  • “Cybersecurity researchers have shed light on a Linux variant of a relatively new ransomware strain called Helldown, suggesting that the threat actors are broadening their attack focus.
  • “Helldown deploys Windows ransomware derived from the LockBit 3.0 code,” Sekoia said in a report shared with The Hacker News. “Given the recent development of ransomware targeting ESX, it appears that the group could be evolving its current operations to target virtualized infrastructures via VMware.”
  • “Helldown was first publicly documented by Halcyon in mid-August 2024, describing it as an “aggressive ransomware group” that infiltrates target networks by exploiting security vulnerabilities. Some of the prominent sectors targeted by the cybercrime group include IT services, telecommunications, manufacturing, and healthcare.
  • “Like other ransomware crews, Helldown is known for leveraging data leak sites to pressure victims into paying ransoms by threatening to publish stolen data, a tactic known as double extortion. It’s estimated to have attacked at least 31 companies within a span of three months.”

• Per Dark Reading,
  • “The Akira ransomware group has updated its data-leak website on Nov. 13-14, listing more than 30 of its latest victims — the highest single-day total since the gang first began its malicious operations in March of last year.
  • “The group spares no one, targeting a variety of industries globally, and operates using a ransomware-as-a-service (RaaS) model, stealing sensitive data before encrypting it.
  • “Twenty-five of the latest victims are from the United States, two are from Canada, and the remaining originate from Uruguay, Denmark, Germany, the UK, Sweden, the Czech Republic, and Nigeria.
  • “The researchers at Cyberint found that the business services sector was most frequently targeted by the group, with 10 of its most recent victims belonging to that industry. Other affected sectors include manufacturing, construction, retail, technology, education, and critical infrastructure.” 
    
• Security Intelligence tells us,
  • “Any good news is welcomed when evaluating cybercrime trends year-over-year. Over the last two years, IBM’s Threat Index Reports have provided some minor reprieve in this area by showing a gradual decline in the prevalence of ransomware attacks — now accounting for only 17% of all cybersecurity incidents compared to 21% in 2021.
  • “Unfortunately, it’s too early to know if this trendline will continue. A recent report released by Searchlight Cyber shows that there has been a 56% increase in active ransomware groups in the first half of 2024, providing convincing evidence that the fight against ransomware is far from over.”

From the cybersecurity defenses front,

• Per Cybersecurity Dive,
  • “Artificial intelligence could ease pernicious labor challenges facing the healthcare sector, but health systems will need to boost their cybersecurity spending to manage increased risks, according to a report by Moody’s Ratings. 
  • “The emerging technology could help recruit and retain staff through tools that help nurses pick more flexible schedules or assist clinicians documenting clinical care, according to the credit ratings agency. 
  • “But new technology also brings more vulnerabilities for hackers to exploit — already a challenge for the healthcare industry, which is dependent on IT systems that house sensitive and valuable patient data.”
• and
  • “Microsoft unveiled the Windows Resiliency Initiative Tuesday, which follows the July global IT outage linked to a faulty CrowdStrike software update, according to a blog post from David Weston, VP of enterprise and OS security at Microsoft. The effort is intended to advance the company’s prior efforts to overhaul its security culture.
  • “We are committed to ensuring that Windows remains the most reliable and resilient open platform for our customers,” Weston said in the blog. 
  • “Microsoft will allow IT administrators to make changes to Windows Update on PCs, even if the machines are unable to boot up. Administrators will not require physical access to the machines to make the necessary changes. 
  • “The service will be available to the Windows Insider Program community starting in early 2025.”

• CISA shares “Insights from CISA Red Team Assessment of a US Critical Infrastructure Sector Organization” and a “Success Story Detailing the Implementation of Phishing-Resistant Multi-Factor Authentication.”

• Cyberscoop reports,
  • “Professional liability insurance is designed to protect executives against claims of negligence or inadequate work arising from their services. Companies often use these policies to safeguard a business’s financial assets from the potentially high costs of lawsuits and settlements in the event someone alleges executives have failed to uphold their duties. The policies often cover CEOs, CFOs, and other board members, but often fail to include CISOs. 
  • “New Jersey-based insurer Crum & Forster is looking to change that. The company recently unveiled a policy specifically designed to shield CISOs from personal liability. 
  • “Nick Economidis, vice president of eRisk at Crum & Forster, told CyberScoop that the company saw an opportunity since CISOs may not be recognized as corporate officers under a directors and officers liability policy, which normally covers executive liability. 
  • “CISOs are in a no-win situation,” Economidis said. “If everything goes right, that’s what people expect. If something goes wrong, they’re the person that everybody looks at and they’re left holding the bag. Then, there are potentially significant financial ramifications for them because they’re often not covered by traditional [professional liability] insurance policies.”

• Here is a link to Dark Reading’s CISO Corner.

• An ISACA commentator explains how to grow cyber defenses from seed to system using a plant pathology approach.

• Dark Reading offers a commentary on the importance of learning from cybersecurity mistakes.
  • “Despite massive investments in cybersecurity, breaches are still on the rise, and attackers seem to evolve faster than defenses can keep up. The IBM “Cost of a Data Breach Report 2024” estimates the average global breach cost has reached a staggering $4.88 million. But the true damage goes beyond the financial — it’s about how quickly your organization can recover and grow stronger. Focusing only on prevention is outdated. It’s time to shift the mindset: Every breach is an opportunity to innovate.”

From the cybersecurity policy front,

• Cybersecurity Dive reports,
  • “The U.S. must take collective action to address “unacceptable” cybersecurity risks to the country, National Cyber Director Harry Coker Jr. said in a speech at Columbia University’s Conference on Cyber Regulation and Harmonization in New York City. Coker called for federal authorities to work together with critical infrastructure providers, private sector companies and other stakeholders. 
  • “Cybersecurity threats like the China state-linked Volt Typhoon present unacceptable risks to the U.S., Coker said, and more investments are required to build long term cyber resilience. As part of that strategy, companies need to ensure that cybersecurity is as much of a focus as quarterly profits. 
  • “At the same time, Coker called for the government to streamline its regulations and harmonize compliance demands for the benefit of the private sector and critical infrastructure providers. This could allow CISOs and other security leaders to spend more time mitigating their own organizational cyber risk, he said.”

• NextGov/FCW tells us,
  • Jen Easterly, the Cybersecurity and Infrastructure Security Agency’s stalwart champion and a figurehead among cybersecurity and intelligence community practitioners, will leave her post Jan. 20 next year when President-elect Donald Trump is inaugurated back into the White House, people familiar with her plans said.
  • The plans were communicated via internal emails and an all-hands staff meeting, said the people, who asked not to be identified to share news of her departure. Deputy Director Nitin Natarajan also plans to depart at that time, one of the people said. * * *
  • “A CISA spokesperson told Nextgov/FCW that all appointees under the current administration vacate their positions when a new administration takes office and affirmed the agency’s commitment to a seamless transition.” * * *
  • “Ohio Secretary of State Frank LaRose is being considered to lead the agency after Easterly leaves, Politico reported last week, citing four people who have spoken to those in his orbit.”
• and
  • “With 66 days until Inauguration Day, Federal Chief Information Officer Clare Martorana says her top priority in the last days of the Biden administration is cybersecurity. 
  • “Continuing to make sure that cybersecurity is not an afterthought,” she told Nextgov/FCW on the sidelines of an ACT-IAC event Friday, adding that she wants cyber to be part of the IT community, rather than segmented away from each other.
  • “In government, it just continues to perplex me that we don’t necessarily co-join in our product development and the ongoing maintenance of our digital properties as a single, cohesive team,” she said. 
  • “Second up is facilitating an effective transition for the incoming Trump administration 
  • “Making sure that the next team that comes in knows exactly what we’ve accomplished, knows exactly the areas that we feel need additional attention and that are going to be what the catalysts are for the next four years of technology, customer experience, digital experience evolution” is a “really, really important part of my job right now,” said Martorana. 
  • “I want to make sure that the next federal CIO has the best chance of hitting the ground running and being as effective as they can be,” she added.” 

• The Government Accountability Office released a report highlighting that
  • “As the lead federal agency for the healthcare and public health critical infrastructure sector, the Department of Health and Human Services (HHS) has faced challenges in carrying out its cybersecurity responsibilities. Implementing our related prior recommendations can help HHS in its leadership role.”

• The National Institute for Standards and Technology announced,
  • “The initial public draft (ipd) of NIST Special Publication (SP) 800-172r3 (Revision 3), Enhanced Security Requirements for Protecting Controlled Unclassified Information (CUI), is available for comment.
  • “SP 800-172r3 provides recommended security requirements to protect the confidentiality, integrity, and availability of CUI when it is resident in a nonfederal system and organization and is associated with a high value asset or critical program. The enhanced security requirements give organizations the capability to achieve a multidimensional, defense-in-depth protection strategy against advanced persistent threats (APTs) and help to ensure the resiliency of systems and organizations. The enhanced security requirements in SP 800-172r3 supplement the security requirements in SP 800-171 and are intended for use by federal agencies in contractual vehicles or other agreements between those agencies and nonfederal organizations. There is no expectation that all of the enhanced security requirements are needed universally; enhanced security requirements are selected by federal agencies based on specific mission needs and risks.
  • “The public comment period is open through January 10, 2025. NIST strongly encourages you to use the comment template available on the publication details page and submit comments to 800-171comments@list.nist.gov. Comments received in response to this request will be posted on the Protecting CUI project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed.
• FEHB claims data is classified as CUI. Significant changes are called out on this NIST website.

From the cybersecurity vulnerabilities and breaches front,

• From a November 12, 2024, CISA press release
  • “Today, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and international partners released joint Cybersecurity Advisory, 2023 Top Routinely Exploited Vulnerabilities.” * * *
  • “The authoring agencies urge all organizations to review and implement the recommended mitigations detailed in this advisory. The advisory provides vendors, designers, and developers a guide for implementing secure by design and default principles and tactics to reduce the prevalence of vulnerabilities in their software and end-user organizations mitigations. Following this guidance will help reduce the risk of compromise by malicious cyber actors.”
    
• Also on November 12, HHS’s Health Sector Cybersecurity Coordination Center released an Analyst Note on the Godzilla Webshell.

• CISA added seven known exploited vulnerabilities to its catalog this week.
  • November 12, 2024
    • CVE-2021-26086 Atlassian Jira Server and Data Center Path Traversal Vulnerability
    • CVE-2014-2120 Cisco Adaptive Security Appliance (ASA) Cross-Site Scripting (XSS) Vulnerability
    • CVE-2021-41277 Metabase GeoJSON API Local File Inclusion Vulnerability
    • CVE-2024-43451 Microsoft Windows NTLMv2 Hash Disclosure Spoofing Vulnerability
    • CVE-2024-49039 Microsoft Windows Task Scheduler Privilege Escalation Vulnerability
  • November 14, 2024
    • CVE-2024-9463 Palo Alto Networks Expedition OS Command Injection Vulnerability
    • CVE-2024-9465 Palo Alto Networks Expedition SQL Injection Vulnerability

• Per Cybersecurity Dive,
  • “Attackers are actively exploiting a pair of previously disclosed vulnerabilities in Palo Alto Networks Expedition, federal cyber authorities said Thursday. 
  • “The Cybersecurity and Infrastructure Security Agency added CVE-2024-9463, an OS command injection vulnerability with a CVSS score of 9.9, and CVE-2024-9465, an SQL injection vulnerability with a CVSS score of 9.2, to its known exploited vulnerabilities catalog on Thursday. The alert comes one week after the agency confirmed another vulnerability in the same product, CVE-2024-5910, was under active exploitation. 
  • “Palo Alto Networks disclosed and released a patch for the vulnerabilities along with three additional CVEs in the migration tool on Oct. 9.”

• Per Dark Reading,
  • “Microsoft pulled its November 2024 Exchange security updates that it released earlier this month for Patch Tuesday due to them breaking email delivery.
  • “This decision came after there were reports from admins saying that email had stopped flowing altogether.
  • “The issue affects Microsoft Exchange customers who use transport rules, or mail flow rules, as well as data loss protection rules. The mail flow rules filter and redirect emails in transit, while the data loss protection rules ensure that sensitive information isn’t being shared via email to an outside organization.”
• and
  • “ChatGPT exposes significant data pertaining to its instructions, history, and the files it runs on, placing public GPTs at risk of sensitive data exposure, and raising questions about OpenAI’s security on the whole.
  • “The world’s leading AI chatbot is more malleable and multifunctional than most people realize. With some specific prompt engineering, users can execute commands almost like one would in a shell, upload and manage files as they would in an operating system and access the inner workings of the large language model (LLM) it runs on: the data, instructions, and configurations that influence its outputs.
  • “OpenAI argues that this is all by design, but Marco Figueroa, a generative AI (GenAI) bug-bounty programs manager at Mozilla who has uncovered prompt-injection concerns before in ChatGPT, disagrees.
  • “They’re not documented features,” he says. “I think this is a pure design flaw. It’s a matter of time until something happens, and some zero-day is found,” by virtue of the data leakage.”

• Per AI Business,
  • “When most people think of AI-generated deepfakes, they probably think of videos of politicians or celebrities being manipulated to make it appear as though they said or did something they didn’t. These can be humorous or malicious. When deepfakes are in the news, for instance, it is usually in connection to a political misinformation campaign.
  • “What many people don’t realize, however, is that the malicious use of deepfakes extends well beyond the political realm. Scammers are increasingly adept at using real-time deepfakes to impersonate individuals with certain permissions or clearances, thus granting them access to private documents, sensitive personal data and customer information.” * * *
  • “Governments and businesses are taking deepfakes more and more seriously. Protecting against this kind of manipulation requires a combination of technological solutions and personnel-based ones. First and foremost, a regular red-teaming process must be in place. Stress-testing deepfake detection systems with the latest deepfake technology is the only way to make sure a given detection system is working properly.
  • “The second essential aspect of defending against deepfakes is educating employees to be skeptical of videos and video conferences with requests that seem too drastic, urgent, or otherwise out of the ordinary. A culture of moderate skepticism is part of security awareness and preparedness alongside solid security protocols. Often the first line of defense is common sense and person-to-person verification. This can save companies millions and their cybersecurity teams hundreds of hours.
  • “Alongside technological solutions, the best defense against malicious AI is common sense. Businesses that take this two-pronged approach will have a better shot at protecting themselves than businesses that don’t. Considering the speed at which deepfakes are evolving, this is nothing short of critical.”

From the ransomware front,

• On November 13, the Register reported,
  • “American Associated Pharmacies (AAP) is the latest US healthcare organization to have had its data stolen and encrypted by cyber-crooks, it is feared.
  • “The criminals over at the Embargo ransomware operation claimed responsibility for the hit job, allegedly stealing 1.469 TB of AAP’s data, scrambling its files, and demanding payment to restore the information.
  • “AAP, which oversees a few thousand independent pharmacies in the country, hasn’t officially confirmed an attack, nor has it responded to The Register‘s request for input on the claims. At the time of writing, its website warns all user passwords were recently force-reset. It did not explain why the resets were forced nor mention a cyberattack.
  • “All user passwords associated with both APIRx.com and RxAAP.com have been reset, so existing credentials will no longer be valid to access the sites,” a website notice reads. “Please click ‘forgot password’ on the log in screen and follow the prompts accordingly to reset your password.”

• Bleeping Computer informs us,
  • “North Korean threat actors target Apple macOS systems using trojanized Notepad apps and minesweeper games created with Flutter, which are signed and notarized by a legitimate Apple developer ID.
  • “This means that the malicious apps, even if temporarily, passed Apple’s security checks, so macOS systems treat them as verified and allow them to execute without restrictions.
  • “The app names are centered around cryptocurrency themes, which aligns with North Korean hackers’ interests in financial theft.
  • “According to Jamf Threat Labs, which discovered the activity, the campaign appears more like an experiment on bypassing macOS security than a fully-fledged and highly targeted operation.”
    
• Infosecurity Magazine discusses how ransomware groups use cloud services for data exfiltration.
  • “Alex Delamotte, a threat researcher at SentinelLabs, the cybersecurity provider’s research branch, published The State of Cloud Ransomware in 2024 on November 14.
  • “Cloud services provide an advantage over endpoint and web server-based services by having a smaller attack surface.
  • “However, the ubiquitous use of cloud services makes them attractive to attackers, who have developed new approaches to compromise them.
  • “Despite being designed to securely store, manage, and retrieve large volumes of unstructured data at scale, cloud-based storage services, such as the Amazon Web Services (AWS) Simple Storage Service (S3) or Microsoft Azure Blob Storage, have become prime targets.
  • “S3 buckets are one of the most referenced targets of malicious activity.
  • P.S. S3 Buckets are public cloud storage containers for objects stored in simple storage service (S3). S3 buckets can be likened to file folders and object storage.

From the cybersecurity defenses front,

• Per Cybersecurity Dive,
  • “Microsoft will disclose vulnerabilities under the Common Security Advisory Framework, a move designed to help customers respond and remediate CVEs in a more efficient manner, the company said this week.  
  • “CSAF is a format that is machine readable, which helps organizations digest the CVEs faster and in larger volumes. Customers will still be able to get CVE updates through the Microsoft security update guide or through an API based on the Common Vulnerability Reporting Framework. The CVRF serves as the standard for disclosing vulnerability information. 
  • “The CSAF rollout represents the third in a series of changes to make vulnerability disclosure more transparent at Microsoft. The company in June announced Cloud Service CVEs and in April said it would publish root cause analysis using the Common Weakness Enumeration standard.”

• HHS’s 405(d) program released an Operational Continuity Cyber Incident Checklist.

• Here is a link to Dark Reading’s CISO Corner.

• Bleeping Computer lets us know,
  • “Bitdefender has released a decryptor for the ‘ShrinkLocker’ ransomware strain, which uses Windows’ built-in BitLocker drive encryption tool to lock victim’s files.
  • “Discovered in May 2024 by researchers at cybersecurity company Kaspersky, ShrinkLocker lacks the sophistication of other ransomware families but integrates features that can maximize the damage of an attack.
  • “According to Bitdefender’s analysis, the malware appears to have been repurposed from benign ten-year-old code, using VBScript, and leverages generally outdated techniques.”
    
    
    
    
    
    

From the cybersecurity policy and law enforcement front,

• Federal News Network tells us,
  • “The White House’s lead regulatory office is reviewing a proposed rule that would upgrade the cybersecurity protections required under the Health Insurance Portability and Accountability Act (HIPAA).
  • “The White House Office of Information and Regulatory Affairs (OIRA) received the proposed rule on Oct. 18.
  • The changes to the HIPAA security rule will “improve cybersecurity in the health care sector by strengthening requirements for HIPAA regulated entities to safeguard electronic protected health information to prevent, detect, contain, mitigate, and recover from cybersecurity threats,” according to a rule abstract published by OIRA.
  • “OIRA is charge of reviewing major agency rulemakings before they are published. Once the HIPAA updates clear White House review, the Department of Health and Human Services would be able to release the Notice of Proposed Rulemaking for public comment.”

• Here’s the entry in reginfo.gov
  • AGENCY: HHS-OCR. RIN: 0945-AA22. Status: Pending Review. Request EO Meeting
    TITLE: Proposed Modifications to the HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information
    STAGE: Proposed Rule. SECTION 3(f)(1) SIGNIFICANT: Yes. RECEIVED DATE: 10/18/2024
    LEGAL DEADLINE: None  
    
• Fedscoop tells us,
  • “The Biden administration published its anticipated national security memo on artificial intelligence Thursday, establishing a roadmap that aims to ensure U.S. competitiveness with adversaries on the technology, while still upholding democratic values in its deployment. 
  • “Specifically, the memo details more responsibilities for the Department of Commerce’s AI Safety Institute, directs agencies to evaluate models for risks and identify areas in which the AI supply chain could be disrupted, outlines actions to streamline acquisition of AI used for national security, and defines new governance practices for federal agencies through a new framework.
  • “In remarks on the memo delivered Thursday at National Defense University, National Security Advisor Jake Sullivan highlighted the potential AI has for the country’s national security advantage but spoke in dire terms about taking action.
  • “The stakes are high,” Sullivan said. “If we don’t act more intentionally to seize our advantages, if we don’t deploy AI more quickly and more comprehensively to strengthen our national security, we risk squandering our hard-earned lead.”

• Per a NIST announcement,
  • “NIST has released an initial public draft (ipd) revision of Special Publication (SP) 800-131A, Transitioning the Use of Cryptographic Algorithms and Key Lengths.
  • “NIST provides cryptographic key management guidance for defining and implementing appropriate key-management procedures, using algorithms that adequately protect sensitive information, and planning for possible changes in the use of cryptography because of algorithm breaks or the availability of more powerful computing techniques. This publication provides guidance on transitioning to the use of stronger cryptographic keys and more robust algorithms.
  • “This revision proposes a) the retirement of ECB as a confidentiality mode of operation and the use of DSA for digital signature generation and b) a schedule for the retirement of SHA-1 and the 224-bit hash functions. This draft also discusses the transition from a security strength of 112 bits to a 128-bit security strength and to quantum-resistant algorithms for digital signatures and key establishment.
  • “The public comment period is open through December 4, 2024. See the publication details for a copy of the draft and instructions for submitting comments.”

• The Wall Street Journal reports,
  • “Four tech companies settled federal cases over allegations they misled investors about the extent to which they were compromised in the 2020 SolarWinds hack. 
  • “Avaya Holdings, Check Point Software Technologies, Mimecast and Unisys didn’t admit wrongdoing in separate deals with the U.S. Securities and Exchange Commission, which found their financial disclosures played down what the companies knew about how their systems were affected by breached SolarWinds software. 
  • “Unisys agreed to pay a penalty of $4 million, and the other three companies will pay about $1 million each.
  • “In a breach disclosed in 2020, which the U.S. later attributed to Russia, hackers slipped malicious code into software from Austin, Texas-based SolarWinds. Thousands of customers inadvertently downloaded the malware. Moscow has denied involvement.”

From the cybersecurity vulnerabilities and breaches front,

• Cyberscoop lets us know,
  • “The Change Healthcare data breach in February affected 100 million Americans, the company told the Health and Human Services Department this week, making it the biggest breach of health care data ever reported to U.S. regulators.
  • “The development is the latest ripple in what was already an unprecedented attack, one in which the company paid a $22 million ransom, resulted in estimated losses of more than $1 billion and attracted the attention of policymakers who have sought new rules for the industry.
  • “Change Healthcare notified HHS about the updated number, with the company previously stating only that “a substantial proportion of people in America” were affected. HHS posted about the new figure it in its own update Thursday. HHS’s Office of Civil Rights is conducting an investigation of the breach.
  • “The previous record for victims of a breach in the sector was the Anthem breach of 2015, which impacted nearly 79 million Americans and resulted in the company paying a $16 million settlement to HHS.”

• The Cybersecurity and Infrastructure Security Agency added five known exploited vulnerabilities to its catalog this week.
• October 21, 2024
  • CVE-2024-9537. ScienceLogic SL1 Unspecified Vulnerability
• October 22, 2024
  • CVE-2024-38094 Microsoft SharePoint Deserialization Vulnerability
• October 23, 2024
  • CVE-2024-47575 Fortinet FortiManager Missing Authentication Vulnerability
• October 24, 2024
  • CVE-2024-20481 Cisco ASA and FTD Denial-of-Service Vulnerability
  • CVE-2024-37383 RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability

• Cybersecurity Dive adds,
  • “Attackers are actively exploiting a critical zero-day vulnerability in Fortinet’s network and security management tool FortiManager, according to security researchers and federal authorities. The earliest exploitation was on June 27, and at least 50 organizations across various industries have been impacted to date, Mandiant said in a Wednesday blog post.
  • “Fortinet disclosed active exploitation of CVE-2024-47575, which has a CVSS score of 9.8, in a security advisory Wednesday. Hours later, the Cybersecurity and Infrastructure Security Agency added the CVE to its known exploited vulnerabilities catalog. Fortinet did not say how many customers are impacted or when it became aware of CVE-2024-47575 and active exploitation.
  • “The exploitation observed thus far appears to be automated in nature and is identical across multiple victims,” Mandiant Consulting CTO Charles Carmakal said in a Wednesday post on LinkedIn. “However, with most mass exploitation campaigns, we often observe targeted follow-on activity at some victims.”

• Dark Reading informs us,
  • “Russia’s premiere advanced persistent threat group has been phishing thousands of targets in militaries, public authorities, and enterprises.
  • “APT29 (aka Midnight Blizzard, Nobelium, Cozy Bear) is arguably the world’s most notorious threat actor. An arm of the Russian Federation’s Foreign Intelligence Service (SVR), it’s best known for the historic breaches of SolarWinds and the Democratic National Committee (DNC). Lately, it has breached Microsoft’s codebase and political targets across Europe, Africa, and beyond. Russia’s premiere advanced persistent threat group has been phishing thousands of targets in militaries, public authorities, and enterprises.
  • “APT29 embodies the ‘persistent’ part of ‘advanced persistent threat,'” says Satnam Narang, senior staff research engineer at Tenable. “It has persistently targeted organizations in the United States and Europe for years, utilizing various techniques, including spear-phishing and exploitation of vulnerabilities to gain initial access and elevate privileges. Its modus operandi is the collection of foreign intelligence, as well as maintaining persistence in compromised organizations in order to conduct future operations.”

• Per Bleeping Computer,
  • “Cisco fixed a denial-of-service flaw in its Cisco ASA and Firepower Threat Defense (FTD) software, which was discovered during large-scale brute force attacks against Cisco VPN devices in April.
  • ‘The flaw is tracked as CVE-2024-20481 and impacts all versions of Cisco ASA and Cisco FTD up until the latest versions of the software.
  • “A vulnerability in the Remote Access VPN (RAVPN) service of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) of the RAVPN service,” reads the CVE-2024-20481 security advisory.”

From the ransomware front,

• Dark Reading points out,
  • “Nearly 400 US healthcare organizations have been infected with ransomwarethis fiscal year, compromising private information, disrupting facilities, and putting lives at risk, according to a study released this week.
  • “The average payment that these organizations have reported paying has gone up to roughly $4.4 million and is costing facilities up to $900,000 in downtime, putting healthcare among ransomware’s most lucrative target sectors.
  • “The disruption that healthcare operations face when hit with ransomware attacks doesn’t just affect hospitals either. It also impacts clinics and doctors in adjacent areas, which absorb displaced patients in these emergencies.” * * *
  • According to the study, ransomware has become such a pronounced issue for the healthcare sector because of its track record of complying with the bad actors and making ransom payments. But since these organizations are dealing with literal life and death issues, they are usually willing to pay millions of dollars to avoid any disruption of care and the data that support it.
    
• Cyberscoop relates,
  • “Ransomware developers are used to their malware being detected. Once defenses against it have been built, they revise and update their code to circumvent those defenses. Then developers deploy an updated version in renewed attacks, often with increased sophistication, to evade detection and achieve their malicious objectives.
  • “That cycle has started anew with the Qilin ransomware-as-a-service operation, according to a new report from the cybersecurity firm Halcyon about the group’s updated and upgraded variant. 
  • “Researchers at the firm warned Thursday that “Qilin.B” is a “more advanced” ransomware variant that boosted encryption and evasion techniques to the big game hunters’ arsenal.
  • “Qilin.B’s combination of enhanced encryption mechanisms, effective defense evasion tactics, and persistent disruption of backup systems marks it as a particularly dangerous ransomware variant,” the report noted.”

• Per Cybersecurity Dive,
  • “Ransomware attacks hit at least 30 organizations using SonicWall firewalls running firmware affected by a critical vulnerability the vendor disclosed and patched two months ago, security researchers at Arctic Wolf Labs said Thursday.
  • “SonicWall disclosed and patched the improper access control vulnerability, CVE-2024-40766, which has a CVSS score of 9.3, on Aug. 22. Arctic Wolf Labs said it began observing Akira and Fog ransomware variant intrusions involving the affected SSL VPN feature of SonicWall firewalls in early August.
  • “We have observed a significant increase in activity consistent with attempted intrusions since August, with spikes in activity typically occurring during non-business hours,” Bret Fitzgerald, senior director of global public relations at SonicWall, said Thursday via email.”

• Bleeping Computer alerts us,
  • “The BlackBasta ransomware operation has moved its social engineering attacks to Microsoft Teams, posing as corporate help desks contacting employees to assist them with an ongoing spam attack.
    “Black Basta is a ransomware operation active since April 2022 and responsible for hundreds of attacks against corporations worldwide.
    “After the Conti cybercrime syndicate shut down in June 2022 following a series of embarrassing data breaches, the operation split into multiple groups, with one of these factions believed to be Black Basta.”

From the cybersecurity defenses front,

• Cybersecurity Dive reports,
  • “Microsoft Chair and CEO Satya Nadella asked for the board to reduce part of his annual compensation package to account for his role in how the company prepared for malicious cyberattacks that led to an overhaul of its internal security culture. 
  • “Nadella received more than $79 million in total compensation in fiscal 2024, which included a base salary of $2.5 million, about $71.2 million in stock awards and $5.2 million in non-equity incentive plan compensation, according to a filing with the Securities and Exchange Commission. The total included almost $170,000 classified as other compensation. 
  • “However, Nadella “asked the board to consider departing from the established performance metrics and reduce his cash incentive to reflect his personal accountability for the focus and speed required for the changes that today’s cybersecurity threat landscape showed were necessary,” according to a letter included in the filing from the compensation committee at Microsoft.” 

• Per Bleeping Computer,
  • Apple created a Virtual Research Environment to allow public access to testing the security of its Private Cloud Compute system, and released the source code for some “key components” to help researchers analyze the privacy and safety features on the architecture.
  • The company also seeks to improve the system’s security and has expanded its security bounty program to include rewards of up to $1 million for vulnerabilities that could compromise “the fundamental security and privacy guarantees of PCC.”
  • Private Cloud Compute (PCC) is a cloud intelligence system for complex AI processing of data from user devices in a way that does not compromise privacy.
    
• Cybersecurity Dive shares Gartner’s four ways AI could impact employees, workflows.

• Here is a link to Dark Reading’s CISO Corner.

• An ISACA commentator discusses “How the Emerging Technology Landscape is Impacting Cybersecurity Audits.”

• “In a conversation with The Regulatory Review, Penn Medicine Chief Privacy Officer Lauren Steinfeld discusses how health care systems work to comply with regulations on data privacy.”

• Tripwire shares “Advanced Tips for Leveraging the NIST Cybersecurity Framework for Compliance.”

From the cybersecurity policy and law enforcement front,

• Cyberscoop tells us,
  • “Members of Congress are pressing federal agencies and telecommunications companies for more information about a reported Chinese government-backed hacking campaign that breached the networks of at least three major U.S. telecoms.
  • “Earlier this month, the Wall Street Journal reported that a hacking group tied to Beijing successfully broke into the networks of Verizon, AT&T and Lumen Technologies. The hackers reportedly went undetected for months, possibly gaining access to systems and infrastructure used to process court-authorized wiretaps.
  • ‘On Thursday, Republican and Democratic leaders on the House Energy and Commerce Committee wrote to the three telecommunication firms asking for more information on their response, calling the incident “extremely alarming for both economic and national security reasons.” * * *
  • “The members requested a briefing with the telecoms to learn more about when they became aware of the compromise, findings from any internal investigations and subsequent engagement with law enforcement, their plans to notify affected customers and what if any corrective steps have been taken to harden cybersecurity in the wake of the incident.
  • “The House Homeland Security Committee has also requested a briefing on the hack from the Cybersecurity and Infrastructure Security Agency, according to a committee aide.”

• Federal News Network lets us know,
  • “The Defense Department released the final rule for the long-awaited Cybersecurity Maturity Model Certification program today [October 11], further paving the way for CMMC requirements to show up in contracts starting next year.
  • “The final CMMC program rule was released for public inspection today. It’s expected to officially publish in the Federal Register on Tuesday, Oct. 15.
  • “The rule establishes the mechanisms for the CMMC program. The goal of CMMC is to verify whether defense contractors are following cybersecurity requirements for protecting critical defense information. Many contractors will be required to receive a third-party audit under the program, a significant departure from the current regime of relying on self-attestation.”

• Per an October 3, 2024, HHS press release,
  • “Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $240,000 civil monetary penalty against Providence Medical Institute in Southern California, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, following a ransomware attack breach report investigation by OCR. Ransomware and hacking are the primary cyber-threats in health care. There has been a 264% increase in large breaches reported to OCR involving ransomware attacks since 2018.
  • “Failures to fully implement all of the HIPAA Security Rule requirements leaves HIPAA covered entities and business associates vulnerable to cyberattacks at the expense of the privacy and security of patients’ health information,” said OCR Director Melanie Fontes Rainer. “The health care sector needs to get serious about cybersecurity and complying with HIPAA. OCR will continue to stand up for patient privacy and work to ensure the security of health information of every person. On behalf of OCR, I urge all health care entities to always stay alert and take every precaution and steps to keep their systems safe from cyberattacks.” * * *
  • “The Notice of Final Determination may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/pmi-nfd/index.html“
    
• Fedscoop notes,
  • “The Department of Health and Human Services is working on a new strategic plan for the use of artificial intelligence across the entire breadth of its mission, the department’s top AI official said Tuesday.
  • “Micky Tripathi — HHS’s acting chief AI officer and its assistant secretary for technology policy — said at the NVIDIA AI Summit in Washington, D.C., that the AI strategic plan should arrive sometime in January and that it will span “the entire, you know, sort of breadth of what the department covers.”
  • “During a panel discussion, Tripathi detailed the complex web of mission sets spanning “the value chain of life sciences and health care” that HHS oversees that the new strategic plan will attempt to wrap its arms around. Those include medical research and discovery, preclinical work, measuring the safety and effectiveness of medical products, health care delivery, health technology standards setting, human services, public health and more, he said.”

From the cybersecurity vulnerabilities and breaches front,

• Beckers Health IT informs us,
  • “In the past 12 months, 92% of healthcare organizations reported experiencing at least one cyberattack, up from 88% in 2023, an Oct. 8 survey from Proofpoint and Ponemon Institute found.
  • “Of those cyberattacks, 69% reported disruptions to patient care as a direct consequence.”

• The American Hospital Association News reports,
  • “The FBI, along with the National Security Agency, Cyber National Mission Force and United Kingdom’s National Cyber Security Centre, today released a joint agency advisory on cyber operations by the Russian Federation’s Foreign Intelligence Service (SVR), also known as APT29, Midnight Blizzard, Cozy Bear, and the Dukes, targeting U.S. and global entities. The agencies recommend prioritizing rapid patch deployment and keeping software up to date to protect against cyberattacks.
  • “This alert highlights the SVR’s aggressive targeting of U.S. critical infrastructure for espionage and possible future offensive cyber operations,’ said John Riggi, AHA national advisor for cybersecurity and risk. “Although health care is not cited as being intentionally targeted by this SVR campaign, it is noted that any entity could become a target of opportunity if it has internet-facing vulnerabilities. The SVR takes advantage of opportunistic tactics to host malicious infrastructure, conduct follow-on operations from compromised accounts, or attempt to pivot to other networks on unprotected victim infrastructure. To mitigate this threat and other types of cyberattacks, such as ransomware attacks, it is imperative that health care entities prioritize patching internet-facing vulnerabilities, employ multi-factor authentication and follow the voluntary cybersecurity performance goals.”

• HHS’s Health Section Cybersecurity Coordination Center issued its September report on vulnerabilities of interest to the health sector.

• Cyberscoop points out,
  • “The number of malicious packages found in the open-source ecosystem has dramatically grown in the past year, according to a new report from Sonatype.
  • “The cybersecurity firm found that the number of malicious packages intentionally uploaded into open-source repositories has jumped by more than 150% compared to last year. Open-source software, a transparent development process where almost anyone can contribute to the code and components, is the bedrock of the digital age that can be found in most modern digital technologies.
  • “Sonatype, a firm that specializes in the open-source supply chain, looked at more than 7 million open-source projects and found that more than 500,000 contained a malicious package.
  • “Vulnerabilities in open-source packages and the developers who maintain them have become a hot topic following a spree of high-profile bugs and cyberattacks in recent years. Earlier this year, the maintainer of the data-compression tool XZ Utils was the focus of a yearslong campaign by hackers with the aim of inserting a vulnerability that would have been found in Linux servers throughout the world.”

• The Cybersecurity and Infrastructure Security Agency (CISA) alerted us on October 10,
  • CISA has observed cyber threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to enumerate other non-internet facing devices on the network. F5 BIG-IP is a suite of hardware and software solutions designed to manage and secure network traffic. A malicious cyber actor could leverage the information gathered from unencrypted persistence cookies to infer or identify additional network resources and potentially exploit vulnerabilities found in other devices present on the network.
  • CISA urges organizations to encrypt persistent cookies employed in F5 BIG-IP devices and review the following article for details on how to configure the BIG-IP LTM system to encrypt HTTP cookies. Additionally, F5 has developed an iHealth heuristic to detect and alert customers when cookie persistence profiles do not have encryption enabled. BIG-IP iHealth is a diagnostic tool that “evaluates the logs, command output, and configuration of a BIG-IP system against a database of known issues, common mistakes, and published F5 best practices” to help users verify the optimal operation of their BIG-IP systems.

• CISA added six more known exploited vulnerabilities to its catalog this week.
  • October 8, 2024
    • CVE-2024-43047 Qualcomm Multiple Chipsets Use-After-Free Vulnerability
    • CVE-2024-43572 Microsoft Windows Management Console Remote Code Execution Vulnerability
    • CVE-2024-43573 Microsoft Windows MSHTML Platform Spoofing Vulnerability
  • October 9, 2024
    • CVE-2024-23113 Fortinet Multiple Products Format String Vulnerability
    • CVE-2024-9379 Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability
    • CVE-2024-9380 Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability

• Cybersecurity Dive adds,
  • “Ivanti released updates for three actively exploited zero-day vulnerabilities in Ivanti Cloud Service Appliance, which hackers are chaining together with a previously disclosed path traversal vulnerability, the company said in a Tuesday blog post. 
  • “Successful exploitation of the flaws can allow an attacker to gain administrative privileges to bypass restrictions, obtain remote code execution or run arbitrary SQL statements. The vulnerabilities are listed as CVE-2024-9379, CVE-2024-9380, CVE-2024-9381. 
  • “Ivanti previously disclosed and issued a patch that would address the prior critical vulnerability, listed as CVE-2024-8963, on Sept. 10. The company said it discovered the path traversal vulnerability when it was investigating exploitation of an OS command injection vulnerability, listed as CVE-2024-8190.”

From the ransomware front,

• Tech Radar reports,
  • “The number of active ransomware groups over the last 12 months is on the rise as criminals look for more ways to target businesses, new research has claimed.
  • “The 2024 State of Threat Report from Secureworks has revealed a rise in the number of active ransomware groups over the last 12 months – identifying a 30% rise in the number of active groups.
  • “The figures represents a diversification of the landscape rather than a particularly drastic increase in criminals. Since the notorious Lockbit disruption, in which the most prolific group was briefly shut down, the ransomware ecosystem has evolved, with 31 new groups being established.” * * *
  • “One of the key findings from the report is that unpatched vulnerabilities remain the top Initial Access Vector (IAV) in ransomware attacks, making up almost 50% of all IAVs. This outlines more than ever the importance of staying on top of cybersecurity and software updates.”

• Per Security Affairs,
  • “Sophos researchers warn that ransomware operators are exploiting the critical vulnerability CVE-2024-40711 in Veeam Backup & Replication to create rogue accounts and deploy malware.
  • “In early September 2024, Veeam released security updates to address multiple vulnerabilities impacting its products, the company fixed 18 high and critical severity flaws in Veeam Backup & Replication, Service Provider Console, and One.
  • “The most severe flaw included in the September 2024 security bulletin is a critical, remote code execution (RCE) vulnerability tracked as CVE-2024-40711 (CVSS v3.1 score: 9.8) impacting Veeam Backup & Replication (VBR).”

• Palo Alto Networks Unit 24 tells us,
  • “In July 2024, researchers from Palo Alto Networks discovered a successor to INC ransomware named Lynx. Since its emergence, the group behind this ransomware has actively targeted organizations in various sectors such as retail, real estate, architecture, and financial and environmental services in the U.S. and UK.
  • “Lynx ransomware shares a significant portion of its source code with INC ransomware. INC ransomware initially surfaced in August 2023 and had variants compatible with both Windows and Linux. While we haven’t confirmed any Linux samples yet for Lynx ransomware, we have noted Windows samples. This ransomware operates using a ransomware-as-a-service (RaaS) model.”

From the cybersecurity defenses front,

• American Hospital Association cybersecurity expert John Riggi offers his perspective on this year’s cybersecurity challenges in the healthcare sector.

• “Moffitt Cancer Center was one of many health systems impacted by the Change Healthcare ransomware attack earlier this year. The organization’s VP of RCM operations [Lynn Ansley] explains [in Health Leaders] how she navigated the disaster.”

• Here is a link to Dark Reading’s CISO Corner.

• HHS’s 405(d) program shares an endpoints security poster with the public.

From the cybersecurity policy front,

• Healthcare Dive informs us,
  • “Lawmakers introduced a bill Thursday [September 26] that would set cybersecurity standards for healthcare organizations as the industry faces a wave of cyberattacks and data breaches. 
  • “The legislation, sponsored by Sens. Ron Wyden, D-Ore., and Mark Warner, D-Va., would direct the HHS to develop minimum cybersecurity standards for providers, health plans, claims clearinghouses and business associates. Enhanced cyber standards would apply to organizations that are deemed important to national security.” * * *
  • “The bill requires the HHS to adopt minimum and enhanced cybersecurity measures that would apply to HIPAA-covered entities and their business associates.
  • “Healthcare organizations would be required to conduct cybersecurity assessments and stress tests. The HHS would audit the data security of at least 20 companies per year to ensure compliance. 
  • “The legislation also seeks to increase civil penalties for organizations that fail to comply with security standards — including a proposed minimum fine of $250,000 for violations in willful neglect that go uncorrected. 
  • “The HHS would also be authorized to charge user fees to covered entities and business associates. Those fees would allow the agency to take on the increased oversight work, a challenge the HHS hasn’t been appropriately funded to manage, the senators wrote in a summary of the legislation.”
• Wow. It strikes the FEHBlog that at least parts of this bill, in not the whole tamale, could be enacted in the lame duck session of Congress at the end of this year. The bill has a variety of effective dates.

• Why? Beckers Health IT adds,
  • “The financial fallout from recent data breaches in the healthcare industry continues to raise alarms as organizations grapple with the costs of cyberattacks and ensuing lawsuits.
  • “Two incidents — the ransomware attack on St. Louis-based Ascension and a class-action lawsuit faced by Allentown, Pa.-based Lehigh Valley Health Network — highlight the impact of these breaches on health systems’ operations and bottom lines.”

• Cybersecurity Dive points out,
  • “The U.S. has made significant progress improving its cybersecurity posture, implementing about 80% of the recommendations the Cyberspace Solarium Commission detailed in 2020, according to a report released Thursday [September 26]. But more work is still required to shore up additional efforts related to critical infrastructure and economic security. 
  • “Among the key remaining priorities is a push to identify the “minimum security burdens” of critical infrastructure entities that have a “disproportionate impact on U.S. national security,” the report said. The commission called on the next administration to detail intelligence and information-sharing benefits, alongside security burdens, to these “systemically important entities.”
  • “The U.S. needs to develop an economic continuity plan that would operate as an incident response and resilience plan in case of a catastrophic cyber event or other crisis, the commission said. Federal authorities also need to codify a joint collective plan for sharing threat information between government, private industry and international intelligence partners.”

• Per a NIST press release,
  • “Today [September 24], U.S. Secretary of Commerce Gina Raimondo announced that the Department of Commerce’s National Institute of Standards and Technology (NIST) has awarded $6 million to Carnegie Mellon University (CMU) to establish a joint center to support cooperative research and experimentation for the test and evaluation of modern AI capabilities and tools. The center will be housed on the Carnegie Mellon campus, in Pittsburgh.
  • “Artificial intelligence is the defining technology of our generation, and at the Commerce Department we are committed to working with America’s world-class higher education institutions, like Carnegie Mellon University, to advance safe, secure and trustworthy development of AI,” Raimondo said. “I am excited to announce this NIST award of $6 million for Carnegie Mellon to boost research of AI systems and support a new generation of scientists and engineers that will help advance American innovation globally.”

From the CrowdStrike front

• Cybersecurity Dive offers five takeaways from a CrowdStrike official’s apologetic testimony before Congress last Thursday.

From the cyber breaches and vulnerabilities front,

• Cybersecurity Dive lets us know,
  • “Security researchers are warning about critical vulnerabilities in the Common Unix Printing System used on Linux, which could allow a hacker to gain control over remote command execution when the flaws are chained together and a print job is separately launched by the user.
  • “The vulnerabilities, listed as CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177, can allow an attacker to replace IPP urls on a printer with a malicious version, giving them the ability to command capabilities on a system. 
  • “The vulnerabilities were initially assigned a score of 9.9, with the expectation of coordinated disclosure and later public notification by Oct. 6. However, the original research leaked on Thursday, and security researchers have since dialed back some of their initial fears, which compared the potential impact to Log4j and Heartbleed.”

• This week, the Cybersecurity and Infrastructure Security Administration added one known exploited vulnerability to its catalog on September 24, 2024,
  • CVE-2024-7593. Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability

• Cybersecurity Dive cautions,
  • “A state-linked botnet linked to the Flax Typhoon threat group is actively targeting 66 security vulnerabilities for exploitation, researchers from VulnCheck said Monday. Last week the Five Eyes intelligence partners named the botnet in a global threat advisory. 
  • “However, researchers from VulnCheck warn that only 27 of the CVEs are listed in the Cybersecurity and Infrastructure Security Agency’s closely monitored catalog of known exploited vulnerabilities.  
  • “Researchers say the discrepancy between the actively targeted CVEs and the official CISA catalog highlights a longstanding backlog in identifying security threats that critical infrastructure providers, private companies and government agencies are up against.” * * *
  • “NIST brought in an outside firm to help reduce the analysis backlog. A NIST spokesperson said the agency has made progress towards reducing the backlog, and an update on that progress is pending.” 

From the ransomware front,

• Modern Healthcare tells us,
  • The number of healthcare providers affected by ransomware attacks is steadily growing. 
  • More than two-thirds of healthcare providers reported a ransomware attack in the past year compared with 60% in 2023, according to a survey released Thursday from cybersecurity company Sophos. In 2021, only 34% of providers said they were affected by an attack.

• Bleeping Computer warns,
  • “Microsoft warns that ransomware threat actor Storm-0501 has recently switched tactics and now targets hybrid cloud environments, expanding its strategy to compromise all victim assets.
  • “The threat actor first emerged in 2021 as a ransomware affiliate for the Sabbath ransomware operation. Later they started to deploy file-encrypting malware from Hive, BlackCat, LockBit, and Hunters International gangs. Recently, they have been observed to deploy the Embargo ransomware.
  • “Storm-0501’s recent attacks targeted hospitals, government, manufacturing, and transportation organizations, and law enforcement agencies in the United States.”

• PC World explains how to turn on Microsoft Windows’ built in ransomware protection.

From the cybersecurity defenses front,

• SC Media calls attention to “five ways to beef up network security and reduce data theft.”
  • “Rethink access control
  • “Raise the firewall game
  • “Take incident response seriously
  • “Tap into network visibility
  • “Segment the network
• “These five approaches to network data security have been around for quite some time, yet they continue to mature and stay relevant because of new AI features that align with emerging challenges. Ultimately, the security team needs to choose and deploy the right combination of these tools that correlate with industry-specific risks facing the organization.”
  
• A Dark Reading commentator explains why “Managing Cyber-Risk Is No Different Than Managing Any Business Risk. A sound cyber-risk management strategy analyzes all the business impacts that may stem from an attack and estimates the related costs of mitigation versus the costs of not taking action.”

• Per a CISA press release,
  • “Today [September 26], the Australian Signals Directorate Australian Cyber Security Centre (ASD ACSC), the Cybersecurity and Infrastructure Security Agency (CISA), and other U.S. and international partners released the joint guide Detecting and Mitigating Active Directory Compromises. This guide informs organizations of recommended strategies to mitigate common techniques used by malicious actors to compromise Active Directory.
  • “Active Directory is the most widely used authentication and authorization solution in enterprise information technology (IT) networks globally. Malicious actors routinely target Active Directory as part of efforts to compromise enterprise IT networks by escalating privileges and targeting the highest confidential user objects.  
  • “Responding to and recovering from malicious activity involving Active Directory can be consuming, costly, and disruptive. CISA encourages organizations review the guidance and implement the recommended mitigations to improve Active Directory security.”