Friday Factoids

From Washington, DC,

  • Govexec reports,
    • “The Office of Personnel Management on Thursday encouraged federal agencies to conduct their own analyses to correct potential pay disparities within their workforces.
    • “In 2021, President Biden signed a sweeping executive order aimed at improving diversity, equity, inclusion and accessibility at federal agencies, including provisions requiring the creation of a governmentwide strategic plan on the issue and that the OPM director consider banning the use of past salary history to set pay during the hiring process. OPM followed through on that edict earlier this year.
    • “In a memo to agency heads Tuesday, acting OPM Director Ron Shriver highlighted OPM’s governmentwide study of pay gaps in the federal workforce, which found that in 2022, the gender pay gap was 5.6%, meaning women on average earned about 94 cents for every dollar male federal workers earned. The figure marks a slight improvement over the 2021 gender pay gap of 5.9% and is significantly better than the nationwide gender pay disparity of 16%.
    • “Shriver directed that federal agencies that operate their own pay systems governing at least 100 employees must now conduct the same review of pay policies that OPM did for the General Schedule, Federal Wage System and Senior Executive Service workforces. And he encouraged all agencies to conduct their own gap analyses to search for pay disparities along gender or racial and ethnic lines affecting their own workforces, regardless of pay system.”
  • HHS’s Administration for Strategic Preparedness and Response announced,
    • “awards totaling $18.5 million to two U.S. companies to expand the nation’s manufacturing of key starting materials and active pharmaceutical ingredients needed to make essential medicines. The awards are the first through ASPR’s BioMaP-Consortium, a public-private partnership established in January 2024.
    • “ASPR is committed to expanding our nation’s domestic manufacturing infrastructure,” said Assistant Secretary for Preparedness and Response Dawn O’Connell. “Today’s announcement advances our efforts to build resilient U.S.-based supply chains for pharmaceutical ingredients and mitigate risk and reliance on foreign supplies. Having this capability in the U.S. is critical for our emergency preparedness.”
    • “California-based Antheia will receive approximately $11 million to support U.S.-based production of pharmaceutical ingredients, and Virginia-based Capra Biosciences will receive approximately $7.5 million to leverage its bioreactor platform to manufacture three active pharmaceutical ingredients.” 
  • Mercer Consulting projects that for 2025 the health flexible spending account contribution limit will increase by $100 from $3200 to $3300 and the carryover limit will increase from $640 to $660.

From the public health and medical research front,

  • The CDC tells us today
    • Seasonal influenza and RSV activity are low nationally, but COVID-19 activity is increasing in many areas.
    • COVID-19
      • Many areas of the country are experiencing consistent increases in COVID-19 activity. COVID-19 test positivity, emergency department visits, and rates of COVID-19–associated hospitalizations are increasing, particularly among adults 65+. CDC will continue to closely monitor trends in COVID-19 activity.
    • Influenza
    • RSV
      • Nationally, RSV activity remains low.
    • Vaccination
  • The University of Minnesota’s CIDRAP notes,
    • Along with the CDC’s report of high wastewater levels of SARS-CoV-2, WastewaterSCAN, a national wastewater monitoring system based at Stanford University in partnership with Emory University, notes that detections are in the high category, with no significant trend up or downward over the past 3 weeks. It said all regions of the country are in the high category, except for the Midwest, which is at the medium level.
  • STAT News adds,
    • “STAT spoke with experts in infectious disease, virology, and public health to find out what people need to know about this summer’s Covid surge.
    • “One key message: Despite the increase in cases, the protection people have built up thanks to rounds of vaccination and prior infections is still sparing the vast majority of people from severe illness.”
    • “Once you really get a decent immunity, you may get the virus again, but you’re probably not going to get very sick from it,” said Aaron Glatt, chair and professor of medicine at Mount Sinai South Nassau.”

From the U.S. healthcare business front,

  • The American Hospital Association News lets us know,
    • “A non-malicious global technology outage that began in the early morning of July 19 is continuing to affect many industries and is having varying effects on hospitals and health systems across the country. The outage was caused by a faulty software update issued by the cybersecurity firm CrowdStrike, which is widely used by businesses and government agencies that run on Microsoft computers. 
    • “CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts,” the organization posted on its website early today. “Mac and Linux hosts are not impacted. This is not a security incident or cyberattack. The issue has been identified, isolated and a fix has been deployed. We refer customers to the support portal for the latest updates and will continue to provide complete and continuous updates on our website. We further recommend organizations ensure they’re communicating with CrowdStrike representatives through official channels.
    • “CrowdStrike’s webpage includes more information about the issue and workaround steps organizations can take. The Cybersecurity and Infrastructure Security Agency also posted an alert on the incident.” 
  • The Hill reports,
    • “After peaking during the COVID-19 pandemic, physician burnout has dipped under 50 percent for the first time in four years, but doctors say working conditions in the medical field remain far from ideal. 
    • “A survey published by the American Medical Association (AMA) this month found that 48.2 percent of physicians in 2023 experienced at least one symptom of burnout, down nearly 15 percent from when this metric peaked in 2021. 
    • “Reported job satisfaction rose from 68 percent to 72.1 percent between 2022 and 2023, while job stress dropped in the same time frame, going from 55.6 percent to 50.7 percent. 
    • “It’s good news and it’s bad news,” Steven Furr, president of the American Academy of Family Physicians, told The Hill. “It’s good news that the numbers have gone down but still they’re higher than what we’d like them to be.” 
    • “The AMA has tracked physician burnout rates since 2011 along with the Mayo Clinic and Stanford Medicine. Prior to the pandemic, burnout rates ranged from 43.9 percent in 2017 to 54.4 percent in 2014.” 
  • mHealth Intelligence points out,
    • “Telehealth visits at United States hospitals skyrocketed during the COVID-19 pandemic, rising 75 percent between 2017 and 2021; however, adoption was uneven, with hospitals citing challenges to electronic health information exchange, according to a new study.
    • “Published in the Journal of General Internal Medicine, the study examined US hospitals’ adoption of telehealth before and during the pandemic, aiming to provide targeted policy implications.” * * *
    • “The researchers found that telehealth encounters increased from 111.4 million in 2020 to 194.4 million in 2021, a 75 percent jump. Additionally, hospitals offering at least one form of telehealth increased from 46 percent in 2017 to 72 percent in 2021.
    • “However, the adoption was not uniform across hospitals. Larger, nonprofit, and teaching hospitals were more likely to adopt telehealth than their counterparts. Notably, the study found no significant telehealth adoption disparities between hospitals in urban and rural areas.
    • “Further, more than 90 percent of hospitals allowed patients to view and download medical records, but only 41 percent permitted online data submission. One-quarter (25 percent) of hospitals identified certified health IT developers, such as EHR vendors, as frequent culprits in information blocking.
    • “Most US hospitals also reported challenges in exchanging health information electronically, with 85 percent citing barriers related to vendor interoperability.
    • “The researchers concluded that comprehensive policy interventions are necessary to address telehealth adoption and other IT-related disparities across the US healthcare system.”

Cybersecurity Saturday

From the cybersecurity policy front –

  • The Wall Street Journal reports,
    • “[On July 9, 2024,] Australia, the U.S. and six other allies warned that a Chinese state-sponsored hacking group poses a threat to their networks, in an unusual, coordinated move by Western governments to call out a global hacking operation they say is directed by Beijing’s intelligence services.
    • “Tuesday’s advisory was a rare instance of Washington’s major allies in the Pacific and elsewhere joining to sound the alarm on China’s cyber activity. Australia led and published the advisory. It was joined by the U.S., U.K., Canada and New Zealand, which along with Australia are part of an intelligence-sharing group of countries known as the Five Eyes. Germany, Japan and South Korea also signed on.” * * *
    • “The technical advisory detailed a group known in cybersecurity circles as Advanced Persistent Threat 40, or APT40, which conducts cybersecurity operations for China’s Ministry of State Security and has been based in the southern island province of Hainan. The advisory detailed how the group targeted two networks in 2022—though it didn’t identify the organizations—and said the threat is continuing.”
  • Federal News Network informs us,
    • “A top Department of Homeland Security official says DHS is working to harmonize new cyber incident reporting rules, as industry and even some lawmakers criticize the draft rule’s scope and potential duplicative requirements.
    • “The comment period for the Cybersecurity and Infrastructure Security Agency’s draft rule closed July 3. The proposal would implement the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022. CISA expects to finalize the rule next spring. The rules will require organizations across the 16 critical infrastructure sectors to report cyber incidents to CISA within 72 hours.
    • “Iranga Kahangama, DHS assistant secretary for cyber, infrastructure, risk, and resilience, said officials are just starting to adjudicate all the feedback it received. But Kahangama acknowledged widespread comments from industry about the “burden” of duplicative cyber incident rules.
    • “We are going to be viewing and administering CIRCIA with an eye towards harmonization,” Kahangama said during a July 10 event in Washington hosted by the Homeland Security Defense Forum. “We’re also establishing conversations between the department and all the other agencies that have cyber reporting requirements to identify ways that we can harmonize reporting.”
    • “He pointed to interagency agreements that “allow for reciprocal sharing of information such that … a report to one will count as a report to another and vice versa through CISA.”
    • “We want to make sure we’re maximizing the ability to do that,” Kahangama said. “That’s quite complicated, because each agency has different requirements. And so, you need to make sure that they’re substantially similar enough and that those are fleshed out. But those are really wonky but interesting conversations that my office is actively having right now as we develop CIRCIA.”
  • The FEHBlog finds it interesting that recent cyberbreach news articles rely on Securities and Exchange Commission 8-K reports from public companies.
  • Cyberscoop summarizes a variety of criticisms levelled against the CIRCIA proposed rule in the public comments.
  • Cyberscoop adds,
    • “New legislation from a bipartisan pair of senators would create an interagency committee tasked with streamlining the country’s patchwork system of cybersecurity regulations if signed into law.
    • “The Streamlining Federal Cybersecurity Regulations Act [S. 4630] from Sens. Gary Peters, D-Mich., and James Lankford, R-Okla., calls on the White House’s national cyber director to create a committee that would harmonize the myriad cyber requirements imposed on companies by federal regulatory agencies, according to bill text shared with CyberScoop.
    • “The introduction of the bill comes a month after a Senate hearing in which Nicholas Leiserson, the assistant national cyber director for cyber policy and programs, warned lawmakers of increasing “fragmentation” of cybersecurity regulations. “It is a problem that requires leadership from ONCD and Congress informed by the private sector,” he said.”
  • Cybersecurity Dive tells us,
    • “The Cybersecurity and Infrastructure Security Agency and FBI advised software vendors to eliminate operating system command injection vulnerabilities from products before they ship. The agencies issued the advisory Wednesday [July 10, 2024] as part of their secure-by-design alert series.
    • “Threat groups have exploited several OS command injection vulnerabilities in widely used network devices this year, including CVE-2024-20399 in Cisco products, CVE-2024-21887 in Ivanti remote access VPNs and CVE-2024-3400 in Palo Alto Networks firewalls. 
    • “OS command injection vulnerabilities arise when manufacturers fail to properly validate and sanitize user input when constructing commands to execute on the underlying OS,” CISA and the FBI said in the advisory.” 
  • Per the HealthIT.gov website,
    • “ONC’s HTI-2 proposed rule [released July 10] implements provisions of the 21st Century Cures Act and reflects ONC’s focused efforts to advance interoperability and improve information sharing among patients, providers, payers, and public health authorities.
    • “Key proposals include:
      • Two sets of new certification criteria, designed to enable health IT for public health as well as health IT for payers to be certified under the ONC Health IT Certification Program. Both sets of certification criteria focus heavily on standards-based application programming interfaces to improve end-to-end interoperability between data exchange partners (health care providers to public health and to payers, respectively).
      • “Technology and standards updates that build on the HTI-1 final rule, ranging from the capability to exchange clinical images (e.g., X-rays) to the addition of multi-factor authentication support.
      • “Requiring the adoption of United States Core Data for Interoperability (USCDI) version 4 by January 1, 2028.
      • “Adjustments to certain “exceptions” to the information blocking regulations to cover additional practices that have recently been identified by the regulated community, including a new “Protecting Care Access” exception, which would cover practices an actor takes in certain circumstances to reduce its risk of legal exposure stemming from sharing information.
      • “Establishing certain Trusted Exchange Framework and Common Agreement™ (TEFCA™) governance rules, which include requirements that implement section 4003 of the 21st Century Cures Act.”
    • The public comment deadline will end in early September, depending on the date of the proposed rule’s publication in the Federal Register.
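As an added illustration of the defect the CISA/FBI secure-by-design alert describes above (not code from the article, CISA or the FBI), the following Python contrasts a command built by pasting user input into a shell string with one that validates the input against a hostname allowlist and passes it as its own argv element. The hypothetical lookup feature, the nslookup tool name, the hostname regex and the sample inputs are all assumptions constructed for this example.

```python
import re
import subprocess
import sys
from typing import List

# Constructed example: a hypothetical "lookup" feature that takes a hostname
# from a user and resolves it. The tool name (nslookup), the allowlist regex
# and the sample inputs are assumptions for illustration only.

# Allowlist: DNS labels of letters, digits and interior hyphens, joined by dots.
# A label cannot start with "-", so the regex also rejects option-style
# arguments such as "-x", not only shell metacharacters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$)(?:{_LABEL}\.)*{_LABEL}$")

# Characters a POSIX shell treats as syntax. Used only to show what the unsafe
# construction hands to the shell; a denylist is not the fix, the allowlist is.
SHELL_METACHARS = set(";|&$`<>()\n")


def is_valid_hostname(host: str) -> bool:
    """Allowlist validation: True only for a syntactically valid DNS name."""
    return HOSTNAME_RE.fullmatch(host) is not None


def build_command_unsafe(host: str) -> str:
    """The flawed pattern from the advisory: untrusted input concatenated into
    a shell command string. Anything after ';' becomes a second command when
    this string is run with shell=True."""
    return f"nslookup {host}"


def build_command_safe(host: str) -> List[str]:
    """The secure-by-design pattern: validate against the allowlist, then pass
    the value as a separate argv element so no shell ever parses it."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["nslookup", host]


def contains_shell_metachars(s: str) -> bool:
    """True if a shell would interpret part of s as syntax rather than data."""
    return any(c in SHELL_METACHARS for c in s)


def echo_argv_literal(value: str) -> str:
    """Show that argv elements reach the child process byte-for-byte.
    The Python interpreter stands in for the child so the demo runs anywhere;
    with shell=False (the default) the ';' is never interpreted."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", value],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.rstrip("\n")


if __name__ == "__main__":
    attacker_input = "example.com; id"  # constructed malicious input
    print("unsafe string handed to the shell:", build_command_unsafe(attacker_input))
    print("shell metacharacters present:", contains_shell_metachars(attacker_input))
    try:
        build_command_safe(attacker_input)
    except ValueError as exc:
        print("safe builder:", exc)
    print("safe builder, benign input:", build_command_safe("example.com"))
    print("argv passes literally:", echo_argv_literal(attacker_input))
```

The point of the demo is that the fix is structural rather than cosmetic: stripping a few characters from the input still leaves a shell parsing attacker-controlled text, whereas an allowlisted value passed as an argv element is never parsed as syntax at all. Code review for `shell=True`, `os.system`, or string-built commands is the cheapest detection for this class of defect.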

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive lets us know,
    • “A cyberattack targeting AT&T’s Snowflake environment compromised data on nearly all of the telecom provider’s wireless customers, the company said in a Friday filing with the Securities and Exchange Commission. Nearly 110 million customers are impacted, according to AT&T’s annual report for the period of compromised data.
    • “Data stolen during the intrusion includes records of AT&T customers’ calls and text messages spanning a six-month period ending Oct. 31, 2022, and records from Jan. 2, 2023, the company said in the SEC filing. 
    • “The attack did not expose the content of calls or text messages, customer names or personally identifiable information, according to AT&T. Yet, the stolen records include the phone numbers AT&T wireless customers interacted with, counts of those interactions and aggregate call duration for a day or month.”
  • Dark Reading adds,
    • “Nearly all” of AT&T’s wireless customers are affected, the company admitted, as well as customers of mobile virtual network operators (MVNOs) using AT&T’s network. According to public resources, those MVNOs likely include popular wireless service providers like Boost Mobile, Cricket Wireless, H2O, and Straight Talk Wireless.” * * *
    • “Earlier this year, data belonging to more than 70 million AT&T customers leaked to the Dark Web. The trove included all the hallmark personally identifying information (PII) types, like Social Security numbers, mailing addresses, and dates of birth.
    • “This time, none of the stolen data has as yet been observed on the public web, and customers’ most sensitive PII has remained untouched. [FEHBlog note the theft occurred in April — the public notice was delayed with Justice Department approval.]
    • Still, AT&T warned, “There are often ways, using publicly available online tools, to find the name associated with a specific telephone number.”
  • Cyberscoop notes that Snowflake “announced on Thursday that administrators can now enforce mandatory multi-factor authentication for Snowflake users.”  
  • On a related note, Help Net Security discloses,
    • “On July 1, Twilio – the company that develops the Authy MFA mobile app – shared with the public that attackers have leveraged one of its unauthenticated API endpoints to compile a list of phone numbers and other data belonging to Authy users.
    • “Company systems were not breached, Twilio said, and Authy accounts have not been compromised, but the company warned that “threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks.”
    • “The list, which apparently holds data of 33 million Authy users, has been offered for sale by ShinyHunters, a threat actor that specializes in breaching companies and stealing their customers data, then holding it for ransom and/or selling it to the highest bidder on forums and markets frequented by cybercriminals.”
  • Cybersecurity Dive calls attention to a recent survey,
    • “Almost 60% of organizations can’t track what happens to their information once it goes out in an email or through another communication channel, a survey by data security company Kiteworks finds. 
    • “That’s a risk management problem because data breaches are correlated with how information leaves an organization. 
    • “The more communication tools an organization uses — email, file sharing, managed file transfer, secure file transfer protocol, web forms, among others — the higher the risk of information ending up where it wasn’t intended, the survey finds. 
    • “Respondents with over seven communication tools experienced 10-plus data breaches — 3.55x higher than the aggregate,” the survey report says.”
  • On July 9, 2024 —
    • “CISA added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
      • CVE-2024-23692 Rejetto HTTP File Server Improper Neutralization of Special Elements Used in a Template Engine Vulnerability
      • CVE-2024-38080 Microsoft Windows Hyper-V Privilege Escalation Vulnerability
      • CVE-2024-38112 Microsoft Windows MSHTML Platform Spoofing Vulnerability”
    • Health IT Security pointed out recent breaches involving healthcare entities.
    • HHS’s Health Sector Cybersecurity Coordination Center (HC3) posted its bulletin on June 2024 vulnerabilities of interest to the health sector.
  • Health IT Security alerts us,
    • “Change Healthcare published a substitute data breach notice on its website [earlier this week] to inform affected individuals of the breach that resulted from the February 2024 cyberattack against the company. Change has publicly stated that the cyberattack involved the data of approximately one-third of Americans.
    • “Change Healthcare said that it would begin mailing written letters to affected individuals on June 20, once it completed its data review. Additional customers may be identified as impacted as the review continues.
    • “The company provided a brief timeline of events in its substitute notice, which was published on its website. Although the cyberattack began on February 21, it was not until March 13 that Change was able to obtain a dataset of exfiltrated files that was safe to investigate. * * *
    • “Any individual who believes that their information has been impacted by the data breach can enroll in two years of complimentary credit monitoring and identity theft protection services. Ahead of the breach notice, state attorneys general encouraged consumers to take advantage of these free resources.”

From the ransomware front,

  • Cyberscoop reports,
    • “The ransomware group linked to a June cyberattack against auto industry software provider CDK Global received a payment of more than $25 million two days after the attack that hobbled software used by roughly 15,000 car dealerships in the U.S. became public, researchers told CyberScoop. 
    • “A cryptocurrency wallet likely controlled by BlackSuit — the ransomware group believed to be responsible for the attack — received approximately 387 bitcoins on June 21, worth roughly $25 million, researchers with blockchain intelligence firm TRM Labs told CyberScoop. 
    • “The evidence uncovered by TRM Labs is the firmest evidence yet to indicate that CDK Global paid a ransom in order to resolve the attack on its systems, though TRM’s findings do not conclusively prove that the payment came from CDK.”
  • SC Media and Bleeping Computer discuss RansomHub attacks on the Florida Department of Health and the Rite Aid pharmacy chain.
  • Dark Reading reports,
    • “Akira ransomware actors are now capable of squirreling away data from victims in just over two hours, marking a significant shift in the average time it takes for a cybercriminal to move from initial access to information exfiltration.
    • “That’s the word from the BlackBerry Threat Research and Intelligence Team, which today released a breakdown of a June Akira ransomware attack on a Latin American airline. According to BlackBerry’s anatomy of the attack, the threat actor, using Secure Shell (SSH) protocol, gained initial access via an unpatched Veeam backup server, and immediately set about heisting information before deploying the Akira ransomware the next day.
    • “The likely culprit is Storm-1567 (aka Punk Spider and Gold Sahara), a prolific user of the Akira ransomware-as-a-service (RaaS) platform and the group that maintains the Akira leak site, according to the report. The gang is known for using double-extortion tactics and has attacked more than 250 organizations across numerous industry verticals globally since emerging from the shadows in March 2023. It mainly sets its sights on Windows systems, but has developed Linux/VMware ESXi variants as well, and has consistently shown a high level of technical prowess.”
  • The Register (UK) tells us,
    • “As ransomware crews increasingly shift beyond just encrypting victims’ files and demanding a payment to unlock them, instead swiping sensitive info straight away, some of the more mature crime organizations are developing custom malware for their data theft.
    • “In a report published on Wednesday by Cisco Talos, the threat intelligence unit reviewed the top 14 ransomware groups and analyzed their tactics, techniques and procedures (TTPs). Talos selected the 14 based on volume and impact of attacks and “atypical threat actor behavior,” using data from the criminals’ leak sites, internal tracking, and other open-source reporting.
    • “The 14, listed here by number of victims on their respective shaming sites, are the ones you’d likely expect: LockBit, ALPHV, Play, 8base, BlackBasta, BianLian, CLOP, Cactus, Medusa, Royal/Blacksuit, Rhysida, Hunters International, Akira, and Trigona. 
    • “Over the past year, we have witnessed major shifts in the ransomware space with the emergence of multiple new ransomware groups, each exhibiting unique goals, operational structures and victimology,” the report’s authors note.”

From the cybersecurity defenses front,

  • Cybersecurity Dive discusses “What does your CEO need to know about cybersecurity? CEOs don’t necessarily have to become experts in the technical aspects of cybersecurity to be prepared in case of an attack or — hopefully — stop one before it starts.”
  • Per a July 11, 2024, CISA press release,
    • “CISA released CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth in coordination with the assessed organization. This Cybersecurity Advisory (CSA) details key findings and lessons learned from a 2023 assessment, along with the red team’s tactics, techniques, and procedures (TTPs) and associated network defense activity.
    • “The CSA also provides recommendations to assist executives, leaders, and network defenders in all organizations with refining their cybersecurity, detection, response, and hunt capabilities.
    • “CISA encourages all organizations to review the advisory and apply the recommendations and mitigations within, including applying defense-in-depth principles, using robust network segmentation, and establishing baselines of network traffic, application execution, and account authentication.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • The Wall Street Journal makes available an interview with an assistant U.S. attorney general in a 10-minute-long podcast.
    • “The U.S. government has delayed public disclosures of cyber incidents several times since new rules came into force last December, according to Matthew Olsen, assistant attorney general at the U.S. Department of Justice. He spoke with WSJ reporter Dustin Volz at WSJ Tech Live: Cybersecurity on June 6 about the government’s reason for granting companies exemption to delay disclosing hacks. They also discussed the heightened risk of cyber-attacks. Zoe Thomas hosts.”
  • The HHS Office for Civil Rights, which enforces the HIPAA Privacy and Security Rules, announced on Monday July 1, “a settlement with Heritage Valley Health System (Heritage Valley), which provides care in Pennsylvania, Ohio and West Virginia, concerning potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, following a ransomware attack.”
  • Cybersecurity Dive reports
    • “The U.S. Supreme Court ruling Friday [June 28] to overturn the Chevron doctrine could have major implications on the cybersecurity regulatory landscape at a time when federal agencies have enacted significant requirements designed to strengthen incident reporting and meet baseline security standards.” * * * 
    • “Legal and cybersecurity experts are still evaluating what the impact of the Chevron doctrine ruling will be on future regulations. However, Brandon Pugh, director of cybersecurity and emerging threats at the R Street Institute, said the ruling will force federal officials to rethink how they approach future cyber regulations to make sure they don’t create an overly burdensome environment for critical infrastructure and industry partners. 
    • “I think it may give agencies more pause to think about their legal justification, and perhaps look to Congress for more authority in the cases of ambiguity,” Pugh said in an interview.”

From the cybersecurity vulnerabilities and breaches front,

  • The Cybersecurity and Infrastructure Security Agency added one known exploited vulnerability to its catalog on July 2.
  • Cybersecurity Dive provides background on the KEV.
    • “A suspected threat actor with ties to China is actively exploiting a zero-day vulnerability in Cisco NX-OS software, researchers said Monday [July 1].
    • “The suspected actor, dubbed Velvet Ant, is exploiting a command injection vulnerability, identified as CVE-2024-20399, which impacts a wide range of Cisco Nexus devices, according to researchers at Sygnia. The vulnerability has a CVSS score of 6.0; however, researchers warn the threat actor is highly sophisticated and is deploying custom malware, Sygnia said.
    • “Cisco on Monday released software updates for some NX-OS hardware platforms, and will continue to release additional fixes when they are ready. The company said there are no other workarounds to address the flaw.”
  • Cybersecurity Dive further reported on July 1,
    • “At least 700,000 OpenSSH servers are at risk of exploit from a remote code execution vulnerability, CVE-2024-6387, Qualys said Monday. Researchers at Qualys, which discovered the vulnerability, dubbed it “regreSSHion.”
    • “Though Qualys researchers have not yet scored the CVE, they describe it as critical, presenting a significant security risk. The signal handler race condition in OpenSSH’s server allows unauthenticated remote code execution as root on glibc-based Linux systems.
    • “This vulnerability, if exploited, could lead to full system compromise where an attacker can execute arbitrary code with the highest privileges, resulting in complete system takeover, installation of malware, data manipulation and the creation of backdoors for persistent access,” Bharat Jogi, senior director of Qualys threat research unit, said in the report.”
  • Cybersecurity Dive let us know on July 2,
    • “Microsoft researchers on Tuesday warned that critical vulnerabilities in Rockwell Automation PanelView Plus can be exploited by unauthenticated hackers, putting the devices at risk for remote code execution and denial of service. The vulnerabilities were initially disclosed and patched in late 2023.
    • “PanelView Plus devices are human-machine interfaces that are widely used in industrial settings, and malicious control of these devices can lead to disruptive attacks. The remote code execution vulnerability, listed as CVE-2023-2071, has a CVSS score of 9.8. The denial of service vulnerability, listed as CVE-2023-29464, has a CVSS score of 8.2. 
    • “Microsoft initially discovered the vulnerabilities and shared its findings with Rockwell Automation in May and July 2023. Rockwell Automation released security advisories and patches for the CVEs in September and October 2023. Microsoft researchers urged users to patch and apply other mitigation steps.”

From the ransomware front,

  • SC Media reported on July 2,
    • “Operations at Northern California’s Patelco Credit Union have been disrupted by a ransomware attack over the weekend, hindering banking service access to nearly 500,000 individuals, according to CBS Bay Area.
    • “Despite the attack prompting the immediate shutdown of Patelco’s banking systems, its ATMs, branches, and call centers continued operating regular hours although individual account information was inaccessible to employees, said a Patelco spokesperson. Other services affected by the outage included the credit union’s website and mobile app, electronic transactions, and online bill payments, as well as portions of its debit and credit card transactions.
  • Bleeping Computer reports,
    • “A new ransomware-as-a-service (RaaS) called Eldorado emerged in March and comes with locker variants for VMware ESXi and Windows.
    • “The gang has already claimed 16 victims, most of them in the U.S., in real estate, educational, healthcare, and manufacturing sectors.
    • “Researchers at cybersecurity company Group-IB monitored the Eldorado’s activity and noticed its operators promoting the malicious service on RAMP forums and seeking skilled affiliates to join the program.”
  • and
    • “Healthcare fintech firm HealthEquity is warning that it suffered a data breach after a partner’s account was compromised and used to access the Company’s systems to steal protected health information.
    • “The Company says it detected the compromise after detecting ‘anomalous behavior’ from a partner’s personal device and launched an investigation into the incident.
    • “The investigation revealed that the partner had been compromised by hackers who leveraged the hijacked account to gain unauthorized access to HealthEquity’s systems and, later, exfiltrate sensitive health data.”
  • The Record notes,
    • “Researchers say they have discovered a new ransomware group named Volcano Demon that has carried out at least two successful attacks in the past two weeks.
    • “The group’s targets were companies in the manufacturing and logistics industries, said Tim West, an analyst at the cybersecurity firm Halcyon, in a comment to Recorded Future News. He declined to provide further information about the targets. 
    • “What’s interesting about this ransomware group, Halcyon researchers said, is that it has no public leaks website but instead uses phone calls to intimidate and negotiate payments with leadership at victim organizations. These calls originate from unidentified numbers and often carry a threatening tone, the researchers said.

From the cybersecurity defenses front,

  • The FEHBlog got a kick out of the title of the third article because, as a young lawyer, his go-to assurance to clients was “I’ll get you out even if it takes me 20 years.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • The Wall Street Journal reports,
    • “Insurers told a congressional hearing Thursday [June 27, 2024] that they need the flexibility to determine what they will and won’t cover under cyber policies, saying they are still trying to understand the risks associated with cyberattacks.
    • “The House Committee on Homeland Security’s subcommittee on cybersecurity and infrastructure protection held the hearing to explore how cyber insurance is being used by critical-infrastructure operators, amid warnings of hacking efforts from China and Russia.
    • “Insurers have tightened underwriting standards and raised premiums for cyber policies in recent years, spooked by an increase in losses starting in 2019 as cyberattacks spiked during the coronavirus pandemic. Many now require a raft of cybersecurity controls for organizations to qualify for coverage, such as multifactor authentication and network monitoring, and carriers have restricted what they will cover. 
  • Cybersecurity Dive adds,
    • “In an effort to qualify for cyber insurance three-quarters of companies have invested in cyber defense, according to a report released Wednesday by Sophos and Vanson Bourne. 
    • “These investments were either required to obtain coverage, helped organizations secure lower premiums or, in other cases, improved the coverage terms of their insurance plans. The research is based on a survey of 5,000 IT and cybersecurity leaders across 14 countries in the Americas, Asia Pacific and Europe, the Middle East and Africa.
    • “Despite the investments, significant gaps remain between recovery costs and the coverage provided by insurance providers, Sophos found.”
  • The National Institute of Standards and Technology announced,
    • “The U.S. Department of Health and Human Services Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) are excited to announce the return of the “Safeguarding Health Information: Building Assurance through HIPAA Security” conference for October 2024. After a 5-year absence, the conference is returning to Washington, D.C.
    • DATES: October 23–24, 2024
    • LOCATION: HHS Headquarters (Hubert H. Humphrey Building) in Washington, D.C. * * *
    • Registration will open later in the summer.
  • Fedscoop tells us,
    • “Chris DeRusha, the former federal chief information security officer and deputy national cyber director, is joining Google Cloud to lead the tech giant’s global public sector compliance work, according to a Tuesday press release.
    • “DeRusha, who left the federal government last month after more than three years as the federal CISO, will lead the expansion of Google Cloud’s suite of artificial intelligence, cloud computing and security products within the public sector, both in the United States and abroad.”

From the cybersecurity vulnerabilities and breaches front,

  • Health IT Security tells us,
    • “Third-party data breaches have been a top concern for healthcare cybersecurity leaders in recent years, following a string of high-profile cyberattacks across the healthcare supply chain.
    • “Threat research from SecurityScorecard, a company that provides cybersecurity ratings for corporations, showed that 35% of third-party breaches that occurred in 2023 affected healthcare organizations, overtaking all other sectors.
    • “SecurityScorecard analyzed the security ratings and historical breach data of the 500 largest US healthcare companies to glean insights into the sector’s top risk factors. Despite the perception that healthcare is behind other industries when it comes to cyber defense, healthcare organizations averaged a security score of 88.”
  • For example, Dark Reading points out,
    • “A full 791,000 patients have had their personal information compromised in a cyberattack that resulted in Lurie Children’s Hospital in Chicago taking its systems offline.
    • “Cybercriminals accessed the children’s hospital’s systems, disrupting its patient portal, communications, and ability to access medical records.
    • “In a data breach notification this week, the hospital cited the investigation as ongoing and said that the threat actors accessed the systems between Jan. 26 and 31, 2024.
    • “Once the hospital went offline, it implemented standard response procedures, including its downtime procedures, though it has remained open throughout the duration of the investigation thus far.”
  • Health IT Security adds,
    • “Geisinger began notifying upwards of one million individuals of a data breach that occurred in November 2023, when a former Nuance Communications employee accessed certain Geisinger patient information two days after being terminated. The individual has since been arrested and is facing federal charges.
    • “Geisinger serves 1.2 million people across Pennsylvania in rural and urban care settings. Geisinger used Nuance, a Microsoft-owned company, for information technology services.”
  • Cybersecurity Dive further informs us,
    • “Microsoft has notified additional enterprise customers this week that a password-spray campaign by the state-linked Midnight Blizzard threat group led to a compromise of their emails. 
    • “Microsoft also provided additional detail to other customers that were previously notified about the intrusions. Customers who received the notifications took to social media, as they feared they were being potentially phished. The new disclosures were first reported by Bloomberg.
    • “This week we are continuing notifications to customers who corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor, and we are providing the customers the email correspondence that was accessed by this actor,” the company said in an emailed statement. “This is increased detail for customers who have already been notified and also includes new notifications.”
  • HHS’s Health Sector Cybersecurity Coordination Center (HC3) issued a Threat Actor Profile on a Russian cyber threat group known as Seashell Blizzard.

Cybersecurity Dive relates,

  • UPDATE: June 27, 2024: Progress Software upgraded the severity score of a MOVEit file-transfer service vulnerability, CVE-2024-5806, from a 7.4 to 9.1 on Tuesday. “A newly identified vulnerability in a third-party component used in MOVEit Transfer elevates the risk of the original issue mentioned above if left unpatched,” the company said in the updated advisory. “While the patch distributed by Progress on June 11 successfully remediates the issue identified in CVE-2024-5806, this newly disclosed third-party vulnerability introduces new risk.”
  • CISA added three known exploited vulnerabilities to its catalog on June 26, 2024
    • CVE-2022-24816 GeoSolutionsGroup JAI-EXT Code Injection Vulnerability
    • CVE-2022-2586 Linux Kernel Use-After-Free Vulnerability
    • CVE-2020-13965 Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability
  • The American Hospital Association News reports,
    • “The Health Information Sharing and Analysis Center June 27 issued a threat bulletin alerting the health sector to active cyberthreats exploiting TeamViewer. H-ISAC recommends users review logs for any unusual remote desktop traffic. Threat actors have been observed leveraging remote access tools, H-ISAC said. The agency recommends users enable two-factor authentication and use the allowlist and blocklist to control who can connect to their devices, among other measures.”
  • and
    • “The FBI and Department of Health and Human Services June 24 released an advisory about cyberthreat actors targeting health care organizations in attempts to steal payments. The agencies have recommended mitigation efforts to help reduce the likelihood of being impacted. Threat actors have been found to use phishing efforts to gain access to employees’ email accounts, and then pivoting to target login information related to the processing of reimbursement payments to insurance companies, Medicare or similar entities, the agencies wrote. In some instances, threat actors would call an organization’s information technology help desk posing as an employee of the organization to trigger a password reset for the employee’s account. 
    • “The AHA was initially made aware of this type of scheme in January, and HHS issued an advisory on similar threats in April
  • Pharmacy Practice News calls attention to an
    • “increasingly popular tool for hackers trying to sneak around information technology (IT) protections.
    • “Smishing is a variant of phishing (the by now familiar practice of sending fraudulent emails to steal personal information). In this case, the attacker “uses a compelling text message to trick targeted recipients into clicking a link, which sends the attacker private information or downloads malicious programs to a smartphone,” the Department of Health and Human Services (HHS) explained in an August 2023 report. (The term comes from combining SMS, which refers generally to text messaging, with “phishing.”)
    • “If you have ever received a text message insisting that a UPS package could not be delivered [and the FEHBlog has], or warning you that you’re in trouble with the IRS and urgently requesting that you click the embedded link, then you’ve been a target of attempted smishing. And if you think you’ve seen more of these messages lately, you’re not alone.
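The H-ISAC bulletin quoted above recommends reviewing logs for unusual remote desktop traffic and using an allowlist to control who can connect. The following is an added example of what that review can look like in practice; it is not code from the FEHBlog, H-ISAC, or TeamViewer. The log format, the sample lines, the allowlist of remote IDs, and the business-hours window are all constructed assumptions for illustration (the format is a simplified hypothetical one, not TeamViewer’s actual log schema), so a practitioner would adapt the regular expression and thresholds to the real product logs in their environment.

```python
"""Allowlist and off-hours review of remote-access connection logs.

Added example, not from the original post or from any vendor. The log format
below is a constructed, simplified one and is NOT TeamViewer's real log schema.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log lines. Hypothetical format:
#   <ISO-8601 UTC timestamp> CONNECT remote_id=<id> local_user=<account> src=<ip>
SAMPLE_LOG = """\
2024-06-24T02:13:07Z CONNECT remote_id=111222333 local_user=svc-helpdesk src=203.0.113.7
2024-06-24T09:02:41Z CONNECT remote_id=444555666 local_user=jdoe src=198.51.100.20
garbage line that does not match the expected format
2024-06-24T09:05:10Z CONNECT remote_id=444555666 local_user=jdoe src=198.51.100.20
2024-06-24T23:48:55Z CONNECT remote_id=777888999 local_user=admin src=192.0.2.45
2024-06-25T03:12:00Z CONNECT remote_id=111222333 local_user=svc-helpdesk src=203.0.113.7
"""

# Constructed allowlist: remote IDs the organization has approved to connect.
ALLOWLIST = frozenset({"444555666"})

# Parser for the constructed format above; the nested "hour" group lets the
# review check the time of day without a full datetime round-trip.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T(?P<hour>\d{2}):\d{2}:\d{2}Z) CONNECT "
    r"remote_id=(?P<remote_id>\d+) local_user=(?P<local_user>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    remote_id: str
    local_user: str
    src: str
    reasons: tuple


def parse_log(text):
    """Yield one dict per well-formed CONNECT line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def review_connections(text, allowlist=ALLOWLIST, business_hours=(7, 19)):
    """Flag connections whose remote ID is not allowlisted or that occur off-hours.

    business_hours is a half-open [start, end) range of UTC hours; the default
    is a constructed assumption and should be tuned to the organization.
    """
    findings = []
    for entry in parse_log(text):
        reasons = []
        if entry["remote_id"] not in allowlist:
            reasons.append("remote id not on allowlist")
        hour = int(entry["hour"])
        if not business_hours[0] <= hour < business_hours[1]:
            reasons.append("connection outside business hours")
        if reasons:
            findings.append(
                Finding(entry["ts"], entry["remote_id"], entry["local_user"],
                        entry["src"], tuple(reasons))
            )
    return findings


def summarize(findings):
    """Count flagged connections per remote ID so repeat offenders stand out."""
    return dict(Counter(f.remote_id for f in findings))


if __name__ == "__main__":
    flagged = review_connections(SAMPLE_LOG)
    for f in flagged:
        print(f"{f.ts} remote_id={f.remote_id} user={f.local_user} "
              f"src={f.src}: {', '.join(f.reasons)}")
    print("per remote id:", summarize(flagged))
```

On the constructed sample, the two connections from the allowlisted ID during working hours pass, while the three others are flagged for both an unknown remote ID and an off-hours connection; the per-ID summary shows one ID connecting twice on consecutive nights, which is the kind of pattern the bulletin’s log review is meant to surface. Pairing this review with the product’s own allowlist and blocklist settings and two-factor authentication, as H-ISAC recommends, limits who can connect in the first place.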

From the cybersecurity defenses front,

  • Cybersecurity Dive reports,
    • “Cloud security is a top priority for organizations around the world, Thales found in a study released Tuesday. The report is based on a survey of 3,000 IT and security professionals from 18 different countries.
    • “More than 2 in 5 respondents said they have had their cloud environments breached in the past, with 14% of respondents reporting a breach in the past year. 
    • “For nearly one-third of incidents, human error and misconfiguration are to blame. Respondents also cited the exploitation of known vulnerabilities in 28% of breaches and failure to use multifactor authentication in 17%.”
  • Here’s a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy front,

  • Federal News Network lets us know,
    • “Agencies that oversee critical infrastructure should address threats posed by China and work to establish baseline cybersecurity requirements over the next two years.
    • “That’s according to new guidance signed out by Homeland Security Secretary Alejandro Mayorkas on June 14. The document lays out priorities over the next two years for sector risk management agencies. SRMAs are responsible for overseeing the security of specific critical infrastructure sectors.
    • “From the banking system to the electric grid, from healthcare to our nation’s water systems and more, we depend on the reliable functioning of our critical infrastructure as a matter of national security, economic security, and public safety,” Mayorkas said in a statement. “The threats facing our critical infrastructure demand a whole of society response and the priorities set forth in this memo will guide that work.”
  • The Wall Street Journal adds,
    • “The U.S. government is pushing board directors at critical-infrastructure companies to improve cybersecurity oversight amid intense espionage and hacking campaigns from China and other adversaries.
    • “On Tuesday [June 18], the U.S. Secret Service, the Cybersecurity and Infrastructure Security Agency, the National Association of Corporate Directors, credit card giant Mastercard and venture-capital firm NightDragon delivered a one-day course to 16 such directors.
    • “The attending directors, all of whom serve in leadership roles such as chairing audit committees on the boards of critical-infrastructure companies, sat for instruction at the Secret Service’s Laurel, Md.-based training facility. The course isn’t a primer on cybersecurity basics, but practical education on current threats and oversight.
  • The Washington Post reports,
    • “The Biden administration announced Thursday [June 20] that it will ban Kaspersky Lab from distributing its anti-virus software and cybersecurity products in the United States, pointing to national security concerns related to the Russian company.
    • “Commerce Secretary Gina Raimondo told reporters the decision was made following an “extremely thorough investigation,” and that Kaspersky has “long raised national security concerns.” The United States in 2017 banned federal agencies [and contractors] from using those products. * * *
    • “The ban on Kaspersky products comes into full effect Sept. 29, according to a statement from the Commerce Department. Until then, Kaspersky will be allowed to continue providing some services in the United States, including certain updates, to give U.S. consumers and businesses time to find alternatives.
    • “Individuals or businesses that continue to use the products will not face legal penalties, the department said, but assume “all the cybersecurity and associated risks of doing so.”

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive informs us,
    • “At least 147,000 ASUS routers are potentially exposed to a critical vulnerability, which can allow a remote attacker to bypass authentication and gain login access, researchers at Censys said Thursday [June 20].
    • “ASUS issued a security advisory on June 14 recommending customers upgrade their firmware or apply mitigation steps if the upgrade was not possible.  
    • “The improper authentication vulnerability, listed as CVE-2024-3080, has a CVSS score of 9.8.”  
  • FEHBlog note — The Cybersecurity and Infrastructure Security Agency did not add new known exploited vulnerabilities to its catalog this week.
  • Cybersecurity Dive adds,
    • “Multifactor authentication appeared in almost half of all security incidents the Cisco Talos incident response teams encountered during the first quarter of the year, according to data released Tuesday
    • “In 25% of cases, incident response specialists responded to fraudulent MFA push notifications sent by attackers, Cisco Talos found.
    • “Users did not properly implement MFA in 1 in 5 Cisco Talos engagements, the firm said.”
  • Health IT Security tells us
    • “UnitedHealth Group (UHG) has begun notifying affected entities of the Change Healthcare data breach and will begin mailing breach notifications to individual cyberattack victims in late July, the company stated in a June 20 media notice.
    • “Change said it has completed a review of over 90% of impacted files and continues to see no evidence that full medical histories were exfiltrated from its systems during the cyberattack. Change explained that it only recently obtained a dataset that was safe to analyze, as its own systems were difficult to access during recovery.
    • “Even though the data review is not yet complete, Change has begun notifying the customers it has identified as impacted as of June 20 so they can proactively respond. * * *
    • “Change Healthcare’s latest update further confirmed that the company will make HIPAA and state attorney general notifications on behalf of victim entities unless those entities decide to opt out and handle the notifications themselves.
    • “The affected information varied by individual but may have included contact information, health insurance information, billing and claims information, medical record numbers, diagnoses, test results, Social Security numbers, and other personal information.
    • “Change offered two years of complimentary credit monitoring and identity theft protection services to victims and said that it reinforced its security and privacy policies in light of the incident.

From the ransomware front,

  • NPR reflects on the ransomware attack on Ascension Health.
  • CISO Series adds,
    • “As many as 10 companies are facing ransom payments between $300,000 and $5 million following a breach against cloud-based data analytics firm Snowflake earlier this month. According to Mandiant, who has helped lead Snowflake’s case, the hacking scheme has “entered a new stage” as the ransom demands flow in, as well as death threats against the cybersecurity experts investigating the breach. The hackers gained access to the information by targeting Snowflake users using single-factor authentication techniques. Mandiant has said it anticipates the ransomware group to “continue to attempt to extort victims.”
  • The American Hospital Association News tells us,
    • “The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) this week released an advisory about Qilin, formerly “Agenda,” a ransomware-as-a-service group targeting health care and other industries worldwide. The group was observed recruiting affiliates in late 2023, and has variants written in Golang and Rust, HC3 said. Qilin is known to gain initial access through spear phishing, as well as leveraging remote monitoring and management and other common tools in cyberattacks. The group is also known to practice double extortion. HC3 said the group’s targeting appears to be opportunistic rather than targeted.” 
  • Per Cybersecurity Dive,
    • “Crime is paying less often for threat actors as improved corporate security measures — and dramatically higher ransom demands — sway more companies to reject extortion payments for seized data.
    • “Less than a quarter of 1,800 companies that submitted cyber claims to Marsh, or 23%, paid ransom demands last year, despite a 64% jump in extortion events from 2022 to a record 282, the insurance broker and risk advisor said in a June 11 report. 
    • “In 2021, Marsh noted, 63% of its clients paid an extortion demand to protect data.
    • “Companies, especially larger ones, are “just more resilient than they were three, four, five years ago,” Meredith Schnur, managing director of Marsh’s U.S. and Canada cyber practice, told Legal Dive.”

From the cybersecurity defenses front,

  • Dark Reading explains why multi-factor authentication is not enough while Tech Radar points out why we need a password-less world.
  • Tech Target gives advice on how to write a useful cybersecurity incident report.
  • Here’s a link to this week’s CISO Corner in Dark Reading.

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cybersecurity Dive lets us know,
    • “Microsoft President Brad Smith promised to move forward with significant culture changes at the tech giant as the company accepted full responsibility for its security failures, he said in testimony Thursday [June 13] before the House Committee on Homeland Security.
    • “Smith, who also serves as vice chair, testified before lawmakers Thursday in response to a blistering report from the U.S. Cyber Safety Review Board that analyzed Microsoft’s security culture following the summer 2023 hack of Microsoft Exchange Online by a state-linked threat group. 
    • “Smith was asked repeatedly during the hearing about whether Microsoft is changing its culture to encourage workers to speak up about security concerns. 
    • “We want a culture that encourages every employee to look for problems, find problems, report problems, help fix problems and then learn from the problems,” Smith said during questioning.” 
  • Cyberscoop tells us,
    • “A congressional watchdog is sending a reminder to the White House that it has a long laundry list of cybersecurity regulations to address as the 2024 election draws near.
    • “The Government Accountability Office is breaking biennial tradition with the latest update to its “high-risk list,” a term the watchdog uses to denote areas that are “vulnerable to waste, fraud, abuse, or mismanagement, or in need of transformation.”
    • “Cybersecurity has been on the GAO’s high-risk list since 1997, Sarah Kaczmarek, acting managing director for GAO’s Office of Public Affairs, said during a call with reporters this week. * * *
    • “The more than 80-page report goes over four main areas: establishing a comprehensive cybersecurity strategy with effective oversight, securing federal systems and information, protecting critical infrastructure and protecting privacy and sensitive data.
    • “The White House has yet to implement 567 out of 1,610 cybersecurity-related recommendations the government watchdog has issued since 2010, according to the report.
    • “A lot of them are really, really critical to securing the cybersecurity of our nation,” said Marisol Cruz Cain, director of information technology and cybersecurity at the GAO.”
  • Federal News Network adds,
    • “The number of cybersecurity incidents in 2023 grew by almost 10%. Agencies reported more than 32,000 cyber incidents to the Cybersecurity and Infrastructure Security Agency in fiscal 2023. The latest Federal Information Security Modernization Act (FISMA) report to Congress from the Office of Management and Budget showed an increase from more than 29,000 cyber incidents from the year before. Of those 32,000 incidents, 38% — or more than 12,000 — were due to improper usage, which means someone violated an agency’s acceptable use policy. The second biggest attack vector, once again, was email phishing, which saw more than a 50% increase in 2023 as compared to 2022. The good news, OMB said, is 99% of all incidents in 2023 were considered “unsubstantiated or inconsequential event[s].”
  • Per a Cybersecurity and Infrastructure Security Agency (CISA) press release,
    • “Yesterday [June 13], the Cybersecurity and Infrastructure Security Agency (CISA) conducted the federal government’s inaugural tabletop exercise with the private sector focused on effective and coordinated responses to artificial intelligence (AI) security incidents. This exercise brought together more than 50 AI experts from government agencies and industry partners at the Microsoft Corp. facility in Reston, Virginia.
    • “The four-hour exercise was led by the Joint Cyber Defense Collaborative (JCDC), a public-private partnership model established by CISA to undertake joint planning efforts and drive operational collaboration. This exercise simulated a cybersecurity incident involving an AI-enabled system and participants worked through operational collaboration and information sharing protocols for incident response across the represented organizations. CISA Director Jen Easterly and FBI Cyber Division Deputy Assistant Director Brett Leatherman delivered opening and closing remarks, respectively, emphasizing the need for advancing robust operational structures to address existing and potential security threats, while prioritizing secure-by-design AI development and deployment.
    • “This tabletop exercise is supporting the development of an AI Security Incident Collaboration Playbook spearheaded by JCDC.AI, a dedicated planning effort within JCDC focused on building an operational community of AI providers, AI security vendors, and other critical infrastructure owners/operators to address risks, threats, vulnerabilities, and mitigations concerning AI-enabled systems in national critical infrastructure. The playbook, slated for publication by year-end, will facilitate AI security incident response coordination efforts among government, industry, and global partners.”

From the cybersecurity vulnerabilities and breaches front,

  • Modern Healthcare informs us,
    • “Ascension said Friday it has restored access across all markets to the core system for electronic health records and patient portals after a cyberattack.
    • “Patients should see a smoother process for scheduling appointments and filling prescriptions, plus improved wait times, Ascension said in a news release. Some information may be temporarily inaccessible as the system updates medical records collected in the last month, according to the health system. * * *
    • “Ascension did not provide further details on what additional systems still need to be restored and the expected timeline for restoration. Ascension set a June 14 deadline for restoring electronic medical records.”
  • Cybersecurity Dive adds,
    • “Personally identifiable and protected health information may have been exposed during a cyberattack at Ascension last month, the Catholic health system said Wednesday. 
    • “Hackers were able to take files from seven servers used by Ascension for routine tasks. The provider said it has about 25,000 servers across its network.
    • “The attackers gained access to Ascension systems after a worker accidentally downloaded a malicious file, according to the health system.”
  • HHS’s Health Sector Cybersecurity Coordination Center released its May 2024 report on vulnerabilities of interest to the health sector.
  • CISA added the following known exploited vulnerabilities to its catalog last week
  • Bleeping Computer adds,
    • “The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity Windows vulnerability abused in ransomware attacks as a zero-day to its catalog of actively exploited security bugs [on June 13].
    • “Tracked as CVE-2024-26169, this security flaw is caused by an improper privilege management weakness in the Windows Error Reporting service. Successful exploitation lets local attackers gain SYSTEM permissions in low-complexity attacks that don’t require user interaction.
    • “Microsoft addressed the vulnerability on March 12, 2024, during its monthly Patch Tuesday updates. However, the company has yet to update its security advisory to tag the vulnerability as exploited in attacks.”
  • CISA further warns the public,
    • “Impersonation scams are on the rise and often use the names and titles of government employees. The Cybersecurity and Infrastructure Security Agency (CISA) is aware of recent impersonation scammers claiming to represent the agency. As a reminder, CISA staff will never contact you with a request to wire money, cash, cryptocurrency, or use gift cards and will never instruct you to keep the discussion secret.
    • “If you suspect you are a target of an impersonation scammer claiming to be a CISA employee: 
      • Do not pay the caller.
      • Take note of the phone number calling you.
      • Hang up immediately.
      • Validate the contact by calling CISA at (844) SAY-CISA (844-729-2472) or report it to law enforcement.
  • Per Cybersecurity Dive,
    • “More than 100 Snowflake customers are caught in a widespread identity-based attack spree targeting the cloud-based data warehouse vendor’s customers, Mandiant said Monday in a threat intelligence report. The attacks were not caused by a breach of Snowflake’s systems, Mandiant said.
    • “Since at least April 2024, UNC5537 has leveraged stolen credentials to access over 100 Snowflake customer tenants,” Mandiant Consulting CTO Charles Carmakal said Monday in a prepared statement. “The threat actor systematically compromised customer tenants, downloaded data, extorted victims and advertised victim data for sale on cybercriminal forums.”
    • “Snowflake first disclosed the attacks on May 30 and said it first became aware of the malicious activity on May 23. Snowflake was not immediately available to comment on Mandiant’s research. Mandiant and CrowdStrike are assisting Snowflake with an ongoing investigation.”
  • and
    • “Researchers on Friday [June 14] warned a critical vulnerability in the PHP programming language is under increased exploitation activity, as the TellYouThePass ransomware group is targeting vulnerable sites, according to a blog post from Censys
    • “The vulnerability, listed as CVE-2024-4577, has been under attack from the threat group since at least June 7, with about 1,000 infected hosts observed as of Thursday — they are mainly located in China. The number of observed infections is down from about 1,800 as of June 10. 
    • “The Cybersecurity and Infrastructure Security Agency added CVE-2024-4577 to its known exploited vulnerabilities catalog on Wednesday. [June 12]” 

From the cybersecurity defenses front,

  • Health IT Security reports,
    • “Microsoft and Google have pledged to help rural hospitals prevent cyberattacks by offering free or discounted cybersecurity resources. The commitment from the tech giants is part of a White House-led initiative to bolster cybersecurity in the healthcare sector.”
    • “According to an announcement from the White House, Microsoft will extend its nonprofit program to provide grants to independent critical access hospitals and rural emergency hospitals. For these types of hospitals, the company will also offer a 75% discount on security products optimized for smaller organizations. Larger rural hospitals already using eligible Microsoft solutions will receive the company’s “most advanced security suite at no additional cost for one year.”
    • “The White House also said Microsoft will offer free cybersecurity assessments by technology security providers and free training for frontline and IT staff at eligible rural hospitals. The company also pledged to extend security updates for Windows 10 to participating hospitals for one year at no cost.”
  • Here’s a link to Dark Reading’s CISO corner.
  • Here are links to an ISACA Blog article titled “Managing AI’s Transformative Impact on Business Strategy & Governance: Strategies for CISOs,” and a Tech Target article titled “How to craft a responsible generative AI strategy.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • Per Cybersecurity Dive,
    • “The Biden administration outlined a comprehensive plan Tuesday [June 4] to harmonize a bevy of federal, state and international regulations designed to boost cyber resilience among the nation’s private sector and critical infrastructure providers. Industry stakeholders want the administration to simplify the reporting process to cut back on duplicative disclosure requirements. 
    • “National Cyber Director Harry Coker Jr. said the administration is working on a pilot reciprocity framework to determine how best to streamline the administrative load on critical infrastructure subsectors, in a Tuesday blog post.
    • “The administration will also seek additional help from Congress to find legislative authorities to reduce administrative redundancies.
  • The Senate Homeland Security and Governmental Affairs Committee held a hearing on this topic on June 5.
    • “During the hearing, Peters and the witnesses emphasized the importance of having standardized regulations across critical infrastructure sectors to ensure our nation is best prepared to respond to cybersecurity threats. They also reinforced that cybersecurity remains one of the most pressing challenges facing our nation due to our reliance on interconnected systems and increasingly complex cyberattacks.
    • “Nicholas Leiserson, Assistant National Cyber Director for Cyber Policy and Programs for the Office of the National Cyber Director (ONCD) – the lead federal agency for harmonizing cybersecurity regulations – discussed the challenges the office faces when trying to promote harmonization. David Hinchman, Director of Information Technology and Cybersecurity at the Government Accountability Office, discussed how regulators can best tailor cybersecurity requirements to promote a cohesive response to protect themselves and critical infrastructure owners and operators from cyberattacks.”  
  • Cyberscoop reports on the hearing and a related CISA action.
  • Cybersecurity Dive adds,
    • “Sen. Ron Wyden, D-Ore., is urging the HHS to require large healthcare organizations to improve their cybersecurity practices as increasing attacks and data breaches rock the industry.
    • “In a letter to Secretary Xavier Becerra, the chairman of the Senate Committee on Finance said the agency’s approach to regulating healthcare cybersecurity is “woefully inadequate,” leaving the sector vulnerable to attack.” 

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive (June 6) and HHS’s Health Sector Cybersecurity Coordination Center (HC3) (June 7) discuss vulnerabilities to Snowflake’s cloud platform.
    • On June 02, 2024, Snowflake observed an increase in cyber threats targeting accounts on their cloud data platform. The vulnerability is possibly associated with CVE-2023-51662. HC3 strongly encourages all users to review the following advisory, and to apply any mitigations to prevent serious damage from occurring to the Healthcare and Public Health (HPH) sector.
  • Dark Reading informs us,
    • “SolarWinds has released its version 2024.2, including a variety of new features and upgrades, along with patches for three different security vulnerabilities.
    • “Notably, one high-severity SWQL injection bug, tracked under CVE-2024-28996 (CVSS 7.5), was reported to SolarWinds security by Nils Putnins, a penetration tester affiliated with the North Atlantic Treaty Organization (NATO), the company reported along with the new release. The other flaws fixed in the latest SolarWinds update included a high-severity cross-site scripting flaw, tracked under CVE-2024-29004 (CVSS 7.1), and a medium-severity race condition vulnerability affecting the Web console, tracked under CVE-2024-28999 (CVSS 7.1), the company said.”
  • HC3 issued on June 4 threat guidance concerning Baxter Welch Allyn vulnerabilities. Baxter Welch Allyn manufactures medical devices.

From the ransomware front,

  • Per Cybersecurity Dive,
    • “Ransomware activity surged last year as attackers flocked to legitimate remote access tools to break into enterprise networks, Mandiant said in a Monday [June 3] report.
    • “There were 4,520 posts on data leak sites last year, a 75% increase from 2022. Threat groups use data leak sites to make claims and ramp up pressure on alleged victims. The number of posts surged to more than 1,300 in the third quarter, setting a quarterly record, Mandiant said. The firm tracked more than 1,200 data leak site posts in the second quarter.
    • “In 2023, Mandiant led 20% more investigations involving ransomware than the previous year, underscoring further evidence of a swell in attacks. “The slight dip in extortion activity in 2022 was an anomaly,” the incident response and research firm said.”
  • Per Fierce Healthcare, “Ascension targets June 14 for system-wide EHR restoration after ransomware attack.”
  • Statescoop lets us know,
    • “Victims of ransomware attacks by the Russian ransomware group LockBit can now unlock their encrypted data for free using the 7,000 decryption keys obtained by the FBI, a federal official announced during an event in Boston on Wednesday [June 4].
    • “The announcement comes after law enforcement took down the group’s infrastructure in February through “Operation Cronos,” an international operation designed to disrupt LockBit’s business model and expose members of the ransomware gang, FBI Cyber Division Assistant Director Bryan Vorndran said in a keynote Wednesday at the 2024 Boston Conference on Cyber Security.
    • “Though the gang still operates, reports show the mission disrupted its activities.
    • “From our ongoing disruption of LockBit, we now have over 7,000 decryption keys and can help victims reclaim their data and get back online,” Vorndran said.”

From the cybersecurity defenses front,

  • Cybersecurity Dive tells us
    • “Telecommunications, media and technology companies are outperforming other sectors in cybersecurity, with more advanced defenses and cyber governance models, Moody’s said Thursday in a report on the sector.
    • “Companies in these sectors accelerated cybersecurity spending by more than 125% on average during the last five years, compared to a 100% growth rate over that period for all global companies, according to the report. Technology companies doubled their cybersecurity spending over the five-year period while telecom businesses increased spending by more than 250%. 
    • “Cybersecurity spending nearly doubled during the past five years, accounting for 10% of companies’ technology budgets in 2023, according to Moody’s. The report is based on Moody’s research and a survey of more than 1,700 respondents.”
  • Here’s a link to Dark Reading’s CISO corner.

Cybersecurity Saturday

From the cybersecurity policy front,

  • Federal News Network tells us,
    • “The Biden administration, having struggled in some cases to set cybersecurity requirements for critical infrastructure, sees a new plan for minimum cyber standards coming together by early 2025.
    • “That’s according to Caitlin Durkovich, special assistant to the president and deputy homeland security advisor for resilience and response. During an event on Thursday hosted by the ICS Village, Durkovich spoke about the Biden administration’s efforts to implement a recently signed national security memorandum on critical infrastructure security.
    • “One of the reasons that we pushed so hard to make sure this NSM was signed out when it was, was so we had some runway to drive the implementation,” Durkovich said. “The president essentially signed it 270 days until the end of his first term. We wanted that first term to be able to implement the majority of actions.”
  • The Wall Street Journal reports,
    • “The U.S. Department of Health and Human Services doesn’t want to get caught flat-footed by the next healthcare hack. 
    • “The agency is leading work to create a map of the cybersecurity risks inherent in having a single technology supplier dominate a particular aspect of the market, a threat known as a single point of failure. The concern comes after a cyberattack on UnitedHealth Group’s Change Healthcare unit early this year produced cascading effects on health claims, freezing millions of dollars in payments. The repercussions took care providers, regulators and lawmakers by surprise.”
  • Yesterday, HHS added the following guidance to its Change Healthcare cyberattack FAQs:
    • “Covered entities affected by the Change Healthcare breach may delegate to Change Healthcare the tasks of providing the required HIPAA breach notifications on their behalf.
    • “Only one entity – which could be the covered entity itself or Change Healthcare – needs to complete breach notifications to affected individuals, HHS, and where applicable the media.
    • “If covered entities work with Change Healthcare to perform the required breach notifications in a manner consistent with the HITECH Act and HIPAA Breach Notification Rule, they would not have additional HIPAA breach notification obligations.
    • “The new and updated FAQs on the Change Healthcare Cybersecurity Incident may be viewed at: https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html.”

From the cyber vulnerabilities and breaches front,

  • The Cybersecurity and Infrastructure Security Agency (CISA) added the following known exploited vulnerabilities to its catalog this week:
  • Cybersecurity Dive adds,
    • The National Institute of Standards and Technology expects to clear the towering backlog of unanalyzed vulnerabilities in the National Vulnerability Database by the end of September, the agency said in a Wednesday update.
    • NIST scaled back its activities on the NVD program in mid-February following a change in interagency funding support and a staggering deluge of CVE disclosures. The agency reported an all-time high of 33,137 vulnerabilities last year, according to Flashpoint research.
    • To help clear the logjam, the agency awarded a cybersecurity analysis and email support contract to Maryland-based Analygence for $865,657 to support the processing of incoming vulnerabilities for the NVD, according to USAspending.gov. “We expect to begin performance the week of June 3,” Analygence COO Tom Peitler said via email.
  • HHS’s Health Sector Cybersecurity Coordination Center posted a “Healthcare Sector DDoS Guide.”
    • “A Distributed-Denial-of-Service (DDoS) attack is a type of cyber attack in which an attacker uses multiple systems, often referred to as a botnet, to send a high volume of traffic or requests to a targeted network or system, overwhelming it and making it unavailable to legitimate users. With the number of attacks increasing every year, they can come at any time, impact any part of a website’s operations or resources, and lead to massive amounts of service interruptions and huge financial losses. In the health and public health (HPH) sector, they have the potential to deny healthcare organizations and providers access to vital resources that can have detrimental impact on the ability to provide care.
    • “Disruptions due to a cyber attack may interrupt business continuity by keeping patients or healthcare personnel from accessing critical healthcare assets such as electronic health records, software based medical equipment, and websites to coordinate critical tasks. As such, this comprehensive DDoS guide is intended for target healthcare audiences to understand what DDoS attacks are; what causes them; types of DDoS attacks with timely, relevant examples; and mitigations and defenses against a potential attack.”

From the ransomware front,

  • Beckers Hospital Review lets us know,
    • “Most attacks on U.S. healthcare are coming from Russia, ABC affiliate KGTV reported May 28. 
    • “John Riggi, national advisor for cybersecurity and risk at the American Hospital Association, told the publication that ransomware attacks targeting hospitals have increased by more than 300%, with most of these attacks coming from Russia.
    • “The Russian government refuses to cooperate with U.S. law enforcement on these issues, therefore providing them safe harbor,” he told the news outlet.
    • “Mr. Riggi noted that ransomware gangs have also been identified operating in China, North Korea and Iran.
    • “The hacking groups most actively targeting healthcare as of April 2024 were LockBit, BlackCat/ALPHV and BianLian, according to HHS’ Health Sector Cybersecurity Coordination Center, or HC3.”
  • CSO adds,
    • “Two weeks ago, the UK National Crime Agency and the US Department of Justice announced they had unmasked the Russian national alleged to be the creator and administrator of the LockBit ransomware program.
    • “Now, cybersecurity company NCC Group reports that for the first time in eight months, LockBit has also been overtaken by Play as the world’s top ransomware gang, with 32 attacks in April compared to LockBit’s 23 attacks.”
  • Bloomberg informs us,
    • “It’s time to formally stop ransom payments.
    • “That’s the argument that a top cybercrime researcher — one who until recently staunchly opposed such a ban — made to scores of threat intelligence experts who gathered last week in a darkened basement ballroom at a hotel not far from the US Capitol.
    • “Banning ransom payments is an extreme step but it also might be the least bad option available to us,” Allan Liska, a threat analyst at the cyber firm Recorded Future, told the crowd. * * *
    • “On stage, Liska said he’s aware of the counter arguments: A ban won’t work to stop attacks, and blocking companies paying ransoms will do them harm. But, he said, what companies are doing now hasn’t stopped attacks either. While blocking payments might hurt some companies, so do the breaches themselves, he said. 
    • “Afterwards, Liska told me he was “dragged kicking and screaming” into opposing ransom payments. The unrelenting pace of attacks last year convinced him that it was time to take a radical step. 
    • “It’s not because I think it’s a good idea. It’s because, right now, nothing else has worked and we need to do something,” he said. “I don’t know what else it could possibly be.”

From the cyber defenses front,

  • Cyberscoop relates,
    • “A coalition of international law enforcement agencies carried out what they said was the “largest ever” operation to counter botnet and dropper malware by taking down or disrupting more than 100 servers, seizing 2,000 domains and identifying nearly 70 million euros earned by one of the main suspects in the case. 
    • “Officials with Europol announced early Thursday that “Operation Endgame” targeted droppers — malware used to get other malware onto a system — used extensively to facilitate a range of consequential cybercrimes, including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot.
    • “As part of the operation, authorities made one arrest in Armenia and three in Ukraine, and eight suspects linked to the activities and wanted by Germany will be added to Europe’s Most Wanted list, Europol said in its statement.”
  • Modern Healthcare reports,
    • “Healthcare’s cybersecurity challenges have shined a light on how the industry has failed to protect patient data by not dedicating enough resources to address the problem.  
    • “Health systems and insurers are dealing with the aftermath of the industry’s latest large-scale ransomware attacks on St. Louis-based Ascension, UnitedHealth Group’s Change Healthcare and Chicago-based Lurie Children’s Hospital, among others. Conversations are happening over whether organizations should be bringing in outside consultants or hiring more employees, executives say.
    • “Do we have enough people? Do we need consulting help to accelerate resiliency projects and testing? Those are the conversations going on right now,” said James Case, chief information security officer at Jacksonville, Florida-based Baptist Health. “The current climate is causing us to bubble those conversations to the top, and whether we should get help one way or another.”  
  • Here’s a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cybersecurity Dive tells us,
    • “An HHS agency revealed a new cybersecurity program Monday [May 20, 2024,] that aims to better safeguard hospitals as the healthcare sector faces increasing cyber threats that can derail patient care. 
    • “The initiative, which comes out of the Advanced Research Projects Agency for Health, will invest more than $50 million to build a software suite that could automatically scan model hospital environments for vulnerabilities that could be exploited by hackers and quickly develop and deploy fixes.
    • “The project seeks to help hospitals keep their vast array of internet-connected devices up to date, preventing attacks and subsequent technology outages that can last for weeks and threaten patient safety.”
  • American Hospital News adds,
    • “The Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) program will proactively evaluate potential vulnerabilities by probing for weaknesses in software. When it detects a threat, a patch could be automatically developed, tested and deployed with minimal interruption to hospital devices. 
    • “We applaud HHS’ recognition of the unique challenges and systemic nature of vulnerability management in health care,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “The research which will be empowered through the ARPA-H funding will yield technical solutions which should be applied strategically to help secure the entire sector. It is clear, health care is a critical infrastructure sector, which must not be left to defend itself on its own through uncoordinated and uneven capabilities. Continuing ransomware attacks on the health care sector represent an urgent national security, public health and safety issue. The UPGRADE program is an innovative and welcomed ‘whole of nation’ approach, which will combine the expertise of the health care sector and government experts.” 
  • Cybersecurity Dive informs us,
    • Providers are still looking for clarification on whether they’ll have to report or notify patients about data breaches stemming from the cyberattack against Change Healthcare earlier this year.
    • In a letter sent to HHS Secretary Xavier Becerra Monday [May 20, 2024], more than 50 organizations — including the American Medical Association, the College of Healthcare Information Management Executives and the American Health Information Management Association— urged the federal government to publicly confirm that Change could manage data breach reporting and notification requirements, since the technology firm and major claims processor experienced the breach. 
    • UnitedHealth Group, Change’s parent company, has previously said it would handle reporting for customers whose data may have been exposed — which could be a huge swath of Americans.
  • Bloomberg Law reports,
    • “Companies working with the US government may be required to start protecting their data and technology from attacks by quantum computers as soon as July.
    • “The National Institute for Standards and Technology, part of the Department of Commerce, will in July stipulate three types of encryption algorithms the agency deems sufficient for protecting data from quantum computers, setting an internationally-recognized standard aimed at helping organizations manage evolving cybersecurity threats. 
    • “The rollout of the standards will kick off “the transition to the next generation of cryptography,” White House deputy national security adviser Anne Neuberger told Bloomberg in Cambridge, England on Tuesday [May 21, 2024]. Breaking encryption not only threatens “national security secrets” but also the way we secure the internet, online payments and bank transactions, she added.”
  • The National Institute of Standards and Technology (NIST) announced on May 20, 2024,

From the cyber vulnerabilities and breaches front,

  • Cybersecurity Dive notes yesterday,
    • “On the eve of Memorial Day weekend, threat researchers and incident response teams are quietly preparing for the risk of malicious activity when staffing is minimal and millions of workers will be on the road. 
    • “Critical industries have faced a series of threats from criminal ransomware gangs or nation-state actors for much of 2024, and the unofficial summer kickoff weekend is a prime opportunity for malicious attacks. 
    • “We see attacks and attempted intrusions every day,” Scott Algeier, executive director of the IT-ISAC, said via email.
    • “While there is no specific threat information pointing to a Memorial Day event, “attackers are also aware of the calendar and know that security teams tend to operate with reduced staffing on weekends and holidays,” Algeier said.”
  • HHS’s Health Sector Cybersecurity Coordination Center (HC3) has issued its April 2024 cybersecurity vulnerability bulletin.
    • In April 2024, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for April are from Palo Alto, Ivanti, Microsoft, Google/Android, Apple, Mozilla, Cisco, SAP, VMWare, Adobe, Fortinet, and Atlassian. A vulnerability is given the classification of a zero-day when it is actively exploited with no fix available, or if it is publicly disclosed. HC3 recommends patching all vulnerabilities, with special consideration given to the risk management posture of the organization.
  • HC3 also issued a useful PowerPoint presentation titled “Business Email Compromise (BEC) & Healthcare.”
  • The Cybersecurity and Infrastructure Security Agency added the following new known exploited vulnerabilities to its catalog:
  • Dark Reading reports yesterday that “Google Discovers Fourth Zero-Day in Less Than a Month; The tech company has rolled out fixes for a type confusion vulnerability that has already been exploited by malicious actors.”
  • Cyberscoop adds
    • “An aggressive, nebulous ring of young cybercriminals linked to a string of recent high-profile breaches is made up of approximately 1,000 people, a senior FBI official said Friday. 
    • “In remarks Friday at the cybercrime-focused Sleuthcon conference, Bryan Vorndran, assistant director of the FBI’s Cyber Division, described the group best known as Scattered Spider as a “very, very large, expansive, disbursed group of individuals,” many of whom don’t know each other directly. 
    • “Scattered Spider emanates from an online community known as “the Com.” The group is also tracked by cybersecurity firms as “0ktapus” or UNC3944, and Vorndran’s remarks provide the best number yet for the total size of the hacking crew.  
    • “Scattered Spider has breached a who’s-who of big-name companies, including the casino giant MGM Resorts and the identity management company Okta. Made up of mostly native English speakers in the United States and the United Kingdom, Scattered Spider is classified as a top three cybersecurity threat, alongside China and Russia’s foreign intelligence agency, Vorndran said.” 

From the cybersecurity defenses front,

  • Modern Healthcare lets us know
    • A recent string of massive healthcare cybersecurity breaches has put data security leaders on edge. 
    • Health system cybersecurity executives are looking at their biggest points of weakness in the aftermath of large-scale breaches at St. Louis-based health system Ascension, UnitedHealth Group’s Change Healthcare and Chicago-based Lurie Children’s Hospital.
    • Recent incidents have shined a light on some of the most significant vulnerabilities at health systems. Here are four of the biggest, according to experts.
      • Lack of Shared Organizational Goals
      • Third-Party Vendor Risks
      • Multi-factor Authentication Misses
      • Slow Response Time
  • Similarly, MedCity News points out,
    • “During a fireside chat at MedCity News’ INVEST conference, Nitin Natarajan — deputy director at the Cybersecurity and Infrastructure Security Agency (CISA) — shared some key ideas that people need to understand about the current state of cybersecurity in the healthcare industry. For instance, he reminded us that things won’t get better overnight, and that cybersecurity requires an all-hands-on deck approach.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • Fedscoop reports,
    • “Chris DeRusha is exiting his role as federal chief information security officer after more than three years on the job, the Office of Management and Budget confirmed Tuesday [May 14].
    • “DeRusha, who was appointed to the federal CISO position in January 2021, played a critical role in the development of the White House’s artificial intelligence executive order, in addition to the Biden administration’s 2021 executive order on cybersecurity and the corresponding national cybersecurity strategy and implementation plan.  * * *
    • “As the federal CISO, DeRusha oversaw the 25-member council of his chief information security officer peers and spearheaded the protection of federal networks, while also managing agencywide implementation of multifactor authentication and supporting the coordination of the nation’s broader cybersecurity as the deputy national cyber director. 
    • “DeRusha will also leave behind that role, the Office of the National Cyber Director confirmed.”
  • Cyberscoop adds,
    • “[T]op official at the Cybersecurity and Infrastructure Security Agency, Eric Goldstein, is stepping down from his role at the agency next month.
    • “As executive assistant director for cybersecurity, Goldstein has had his hands in many of CISA’s major undertakings, from its goal of pressuring companies into making their products secure during the design process to issuing emergency directives for agencies to shoring up defenses against vulnerabilities.”
  • Cyberscoop also offers an interview with Mr. Goldstein.
  • The CISA Director Jen Easterly discusses the “ninth iteration of the national cyber exercise, Cyber Storm. The planners, representing private industry, federal, state, and international government partners, managed an exercise that spanned across the globe to simulate a coordinated cyberattack targeting critical infrastructure. * * * Outcomes from Cyber Storm IX will be published later this year at Cyber Storm: Securing Cyber Space | CISA.”

From the cyber vulnerabilities front,

  • Cybersecurity Dive reports,
    • The threat from nation state cyber adversaries with ties to Russia and China is growing more sophisticated and dangerous, National Cyber Director Harry Coker Jr. warned Tuesday [May 14]. International cooperation is required to defend common economic and national security interests, he said in a keynote speech at CyberUK 2024 in Birmingham, England.
    • Coker said Russia has enhanced its capabilities since the beginning of the Ukraine invasion in 2022, which has helped it gain success on the battlefield. 
    • “The Russian cyber threat in 2024 marks a new standard of aggression, persistence and operational agility,” Coker said.
  • The Cybersecurity and Infrastructure Security Agency (CISA) added six known exploited vulnerabilities to its catalog this week.
    • On May 13
      • CVE-2024-4671 Google Chromium in Visuals Use-After-Free Vulnerability
    • On May 14
      • CVE-2024-30051 Microsoft DWM Core Library Privilege Escalation Vulnerability
      • CVE-2024-30040 Microsoft Windows MSHTML Platform Security Feature Bypass Vulnerability
    • On May 15
      • CVE-2014-100005 D-Link DIR-600 Router Cross-Site Request Forgery (CSRF) Vulnerability
      • CVE-2021-40655 D-Link DIR-605 Router Information Disclosure Vulnerability
      • CVE-2024-4761 Google Chromium V8 Out-of-Bounds Memory Write Vulnerability

From the Ascension Healthcare breach front,

  • Here’s a link to the Ascension website about its May 8 “cybersecurity event.”
  • Cybersecurity Dive tracks the state by state impact of the event here.
  • The hospital community is praising Ascension for its transparency per Beckers Hospital Review.
  • Notwithstanding the kudos, Healthcare Dive reports,
    • “Ascension is staring down two proposed class-action lawsuits just one week after a cyberattack took systems offline across its 140-hospital portfolio, forcing the nonprofit system to divert ambulances and pause elective care.
    • “In complaints filed in the District Courts of Illinois and Texas plaintiffs allege Ascension acted negligently by failing to encrypt patient data and said the attack leaves them “at a heightened risk of identity theft for years to come.”
    • “Ascension has not said the attack compromised patient data. However, an investigation remains ongoing.”

From the ransomware front,

  • IT Pro examines the Black Basta ransomware variant.
    • CNN reported that Black Basta was the variant of ransomware used [against Ascension] while Healthcare IT security group Health-ISAC said the group has recently accelerated attacks against the healthcare sector.
    • “In the past month, at least two healthcare organizations, in Europe and in the United States, have fallen victim to Black Basta ransomware and have suffered severe operational disruptions. Taking these latest developments into consideration, Health-ISAC has assessed that Black Basta represents a significant threat to the healthcare sector,” it said.
  • Cybersecurity Dive adds,
    • Microsoft researchers warn that a financially-motivated hacker has misused the company’s Quick Assist client management tool since mid-April in social-engineering attacks, ultimately leading to the deployment of Black Basta ransomware, according to a blog post released Wednesday [May 15]. With Quick Assist, users can remotely connect Windows or macOS with another person.
    • The attacks began using voice phishing, also known as vishing, and led to malicious use of remote-monitoring tools like ScreenConnect or NetSupport Manager, according to Microsoft. The hackers also deployed malware, including Cobalt Strike or Qakbot, before launching the Black Basta ransomware.
    • The disclosure came less than a week after the FBI and Cybersecurity and Infrastructure Security Agency warned about Black Basta ransomware being deployed in hundreds of attacks against critical infrastructure and healthcare worldwide.
  • Cybersecurity Dive further notes,
    • “Remote-access tools were the primary intrusion point for ransomware attacks, accounting for 3 in 5 attacks last year, cybersecurity insurance firm At-Bay said Wednesday [May 15] in a report.
    • “Attackers primarily targeted perimeter-access tools in 2023, but shifted their focus from remote desktop protocol to targeting self-managed VPNs. These on-premises VPNs were linked to more than 3 in 5 ransomware attacks where remote access was the initial entry vector, according to At-Bay.
    • “Attackers go after the same things. If you have a city that has walls around it, you’re going to go after the gate because the gate is a weaker point than the actual wall,” Rotem Iram, At-Bay founder and CEO, said last week at an Axios event on the sidelines of the RSA Conference in San Francisco.”
  • Tech Target offers National Security Agency views on the ransomware front while Politico reports on what happens after a ransomware attack is discovered.
  • Here’s a link to Bleeping Computer’s The Week in Ransomware.

From the cybersecurity defenses front,

  • Here’s a link to Dark Reading’s CISO Corner.
  • Cybersecurity Dive reports,
    • “A once volatile cyber insurance market has stabilized considerably as new companies have entered an increasingly competitive market, helping lower premium costs and raise coverage limits, according to S&P Global Ratings research released last week.
    • “Insurance companies have evolved underwriting methods by incorporating sophisticated tools to assess potential cyber risk with more flexibility and personalization, according to S&P. 
    • “Municipal governments have made significant advances in their ability to manage cyber risk and respond to malicious attacks, too, S&P found. After years of foregoing expensive commercial policies, these local organizations are now incorporating cyber risk coverage, while smaller governments in many cases are joining cyber risk pools.”