From the cybersecurity policy front,

• Cybersecurity Dive lets us know,
  • “Microsoft President Brad Smith promised to move forward with significant culture changes at the tech giant as the company accepted full responsibility for its security failures, he said in testimony Thursday [June 13] before the House Committee on Homeland Security.
  • “Smith, who also serves as vice chair, testified before lawmakers Thursday in response to a blistering report from the U.S. Cyber Safety Review Board that analyzed Microsoft’s security culture following the summer 2023 hack of Microsoft Exchange Online by a state-linked threat group. 
  • “Smith was asked repeatedly during the hearing about whether Microsoft is changing its culture to encourage workers to speak up about security concerns. 
  • “We want a culture that encourages every employee to look for problems, find problems, report problems, help fix problems and then learn from the problems,” Smith said during questioning.” 

• Cyberscoop tells us,
  • “A congressional watchdog is sending a reminder to the White House that it has a long laundry list of cybersecurity regulations to address as the 2024 election draws near.
  • “The Government Accountability Office is breaking biennial tradition with the latest update to its “high-risk list,” a term the watchdog uses to denote areas that are “vulnerable to waste, fraud, abuse, or mismanagement, or in need of transformation.”
  • “Cybersecurity has been on the GAO’s high-risk list since 1997, Sarah Kaczmarek, acting managing director for GAO’s Office of Public Affairs, said during a call with reporters this week. * * *
  • “The more than 80-page report goes over four main areas: establishing a comprehensive cybersecurity strategy with effective oversight, securing federal systems and information, protecting critical infrastructure and protecting privacy and sensitive data.
  • “The White House has yet to implement 567 out of 1,610 cybersecurity-related recommendations the government watchdog has issued since 2010, according to the report.
  • “A lot of them are really, really critical to securing the cybersecurity of our nation,” said Marisol Cruz Cain, director of information technology and cybersecurity at the GAO.”

• Federal News Network adds,
  • “The number of cybersecurity incidents in 2023 grew by almost 10%. Agencies reported more than 32,000 cyber incidents to the Cybersecurity and Infrastructure Security Agency in fiscal 2023. The latest Federal Information Security Modernization Act (FISMA) report to Congress from the Office of Management and Budget showed an increase from more than 29,000 cyber incidents from the year before. Of those 32,000 incidents, 38% — or more than 12,000 — were due to improper usage, which means someone violated an agency’s acceptable use policy. The second biggest attack vector, once again, was email phishing, which saw more than a 50% increase in 2023 as compared to 2022. The good news, OMB said, is 99% of all incidents in 2023 were considered “unsubstantiated or inconsequential event[s].”(Most cyber events in 2023 were ‘unsubstantiated or inconsequential,’ OMB says – White House)”

• Per a Cybersecurity and Infrastructure Security Agency (CISA) press release,
  • “Yesterday [June 13], the Cybersecurity and Infrastructure Security Agency (CISA) conducted the federal government’s inaugural tabletop exercise with the private sector focused on effective and coordinated responses to artificial intelligence (AI) security incidents. This exercise brought together more than 50 AI experts from government agencies and industry partners at the Microsoft Corp. facility in Reston, Virginia.
  • “The four-hour exercise was led by the Joint Cyber Defense Collaborative (JCDC), a public-private partnership model established by CISA to undertake joint planning efforts and drive operational collaboration. This exercise simulated a cybersecurity incident involving an AI-enabled system and participants worked through operational collaboration and information sharing protocols for incident response across the represented organizations. CISA Director Jen Easterly and FBI Cyber Division Deputy Assistant Director Brett Leatherman delivered opening and closing remarks, respectively, emphasizing the need for advancing robust operational structures to address existing and potential security threats, while prioritizing secure-by-design AI development and deployment.
  • “This tabletop exercise is supporting the development of an AI Security Incident Collaboration Playbook spearheaded by JCDC.AI, a dedicated planning effort within JCDC focused on building an operational community of AI providers, AI security vendors, and other critical infrastructure owners/operators to address risks, threats, vulnerabilities, and mitigations concerning AI-enabled systems in national critical infrastructure. The playbook, slated for publication by year-end, will facilitate AI security incident response coordination efforts among government, industry, and global partners.”

From the cybersecurity vulnerabilities and breaches front,

• Modern Healthcare informs us,
  • “Ascension said Friday it has restored access across all markets to the core system for electronic health records and patient portals after a cyberattack.
  • “Patients should see a smoother process for scheduling appointments and filling prescriptions, plus improved wait times, Ascension said in a news release. Some information may be temporarily inaccessible as the system updates medical records collected in the last month, according to the health system. * * *
  • “Ascension did not provide further details on what additional systems still need to be restored and the expected timeline for restoration. Ascension set a June 14 deadline for restoring electronic medical records.”

• Cybersecurity Dive adds,
  • “Personally identifiable and protected health information may have been exposed during a cyberattack at Ascension last month, the Catholic health system said Wednesday. 
  • “Hackers were able to take files from seven servers used by Ascension for routine tasks. The provider said it has about 25,000 servers across its network.
  • “The attackers gained access to Ascension systems after a worker accidentally downloaded a malicious file, according to the health system.”

• HHS’s Health Sector Cybersecurity Coordination Center released its May 2024 report on vulnerabilities of interest to the health sector.

• CISA added the following known exploited vulnerabilities to its catalog last week
  • June 12, 2024
    • CVE-2024-4610 ARM Mali GPU Kernel Driver Use-After-Free Vulnerability
    • CVE-2024-4577 PHP-CGI OS Command Injection Vulnerability
  • June 13, 2024
    • CVE-2024-32896 Android Pixel Privilege Escalation Vulnerability
    • CVE-2024-26169 Microsoft Windows Error Reporting Service Improper Privilege Management Vulnerability
    • CVE-2024-4358 Progress Telerik Report Server Authentication Bypass by Spoofing Vulnerability

• Bleeping Computer adds,
  • “The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity Windows vulnerability abused in ransomware attacks as a zero-day to its catalog of actively exploited security bugs [on June 13].
  • “Tracked as CVE-2024-26169, this security flaw is caused by an improper privilege management weakness in the Windows Error Reporting service. Successful exploitation lets local attackers gain SYSTEM permissions in low-complexity attacks that don’t require user interaction.
  • “Microsoft addressed the vulnerability on March 12, 2024, during its monthly Patch Tuesday updates. However, the company has yet to update its security advisory to tag the vulnerability as exploited in attacks.”

• CISA further warns the public,
  • “Impersonation scams are on the rise and often use the names and titles of government employees. The Cybersecurity and Infrastructure Security Agency (CISA) is aware of recent impersonation scammers claiming to represent the agency. As a reminder, CISA staff will never contact you with a request to wire money, cash, cryptocurrency, or use gift cards and will never instruct you to keep the discussion secret.
  • “If you suspect you are a target of an impersonation scammer claiming to be a CISA employee: 
    • Do not pay the caller.
    • Take note of the phone number calling you.
    • Hang up immediately.
    • Validate the contact by calling CISA at (844) SAY-CISA (844-729-2472) or report it to law enforcement.

• Per Cybersecurity Dive,
  • “More than 100 Snowflake customers are caught in a widespread identity-based attack spree targeting the cloud-based data warehouse vendor’s customers, Mandiant said Monday in a threat intelligence report. The attacks were not caused by a breach of Snowflake’s systems, Mandiant said.
  • “Since at least April 2024, UNC5537 has leveraged stolen credentials to access over 100 Snowflake customer tenants,” Mandiant Consulting CTO Charles Carmakal said Monday in a prepared statement. “The threat actor systematically compromised customer tenants, downloaded data, extorted victims and advertised victim data for sale on cybercriminal forums.”
  • “Snowflake first disclosed the attacks on May 30 and said it first became aware of the malicious activity on May 23. Snowflake was not immediately available to comment on Mandiant’s research. Mandiant and CrowdStrike are assisting Snowflake with an ongoing investigation.”
• and
  • “Researchers on Friday [June 14] warned a critical vulnerability in the PHP programming language is under increased exploitation activity, as the TellYouThePass ransomware group is targeting vulnerable sites, according to a blog post from Censys. 
  • “The vulnerability, listed as CVE-2024-4577, has been under attack from the threat group since at least June 7, with about 1,000 infected hosts observed as of Thursday — they are mainly located in China. The number of observed infections is down from about 1,800 as of June 10. 
  • “The Cybersecurity and Infrastructure Security Agency added CVE-2024-4577 to its known exploited vulnerabilities catalog on Wednesday. [June 12]” 

From the cybersecurity defenses front,

• Health IT Security reports,
  • “Microsoft and Google have pledged to help rural hospitals prevent cyberattacks by offering free or discounted cybersecurity resources. The commitment from the tech giants is part of a White House-led initiative to bolster cybersecurity in the healthcare sector.”
  • “According to an announcement from the White House, Microsoft will extend its nonprofit program to provide grants to independent critical access hospitals and rural emergency hospitals. For these types of hospitals, the company will also offer a 75% discount on security products optimized for smaller organizations. Larger rural hospitals already using eligible Microsoft solutions will receive the company’s “most advanced security suite at no additional cost for one year.”
  • “The White House also said Microsoft will offer free cybersecurity assessments by technology security providers and free training for frontline and IT staff at eligible rural hospitals. The company also pledged to extend security updates for Windows 10 to participating hospitals for one year at no cost.”

• Here’s a link to Dark Reading’s CISO corner.

• Here ares links to an ISACA Blog article titled “Managing AI’s Transformative Impact on Business Strategy & Governance: Strategies for CISOs,” and a Tech Target article titled “How to craft a responsible generative AI strategy.”

From the cybersecurity policy front,

• Cybersecurity Dive tells us,
  • “An HHS agency revealed a new cybersecurity program Monday [May 20, 2024,] that aims to better safeguard hospitals as the healthcare sector faces increasing cyber threats that can derail patient care. 
  • “The initiative, which comes out of the Advanced Research Projects Agency for Health, will invest more than $50 million to build a software suite that could automatically scan model hospital environments for vulnerabilities that could be exploited by hackers and quickly develop and deploy fixes.
  • “The project seeks to help hospitals keep their vast array of internet-connected devices up to date, preventing attacks and subsequent technology outages that can last for weeks and threaten patient safety.”

• American Hospital News adds,
  • “The Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) program will proactively evaluate potential vulnerabilities by probing for weaknesses in software. When it detects a threat, a patch could be automatically developed, tested and deployed with minimal interruption to hospital devices. 
  • “We applaud HHS’ recognition of the unique challenges and systemic nature of vulnerability management in health care,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “The research which will be empowered through the ARPA-H funding will yield technical solutions which should be applied strategically to help secure the entire sector. It is clear, health care is a critical infrastructure sector, which must not be left to defend itself on its own through uncoordinated and uneven capabilities. Continuing ransomware attacks on the health care sector represent an urgent national security, public health and safety issue. The UPGRADE program is an innovative and welcomed ‘whole of nation’ approach, which will combine the expertise of the health care sector and government experts.” 

• Cybersecurity Dive informs us,
  • Providers are still looking for clarification on whether they’ll have to report or notify patients about data breaches stemming from the cyberattack against Change Healthcare earlier this year.
  • In a letter sent to HHS Secretary Xavier Becerra Monday [May 20, 2024], more than 50 organizations — including the American Medical Association, the College of Healthcare Information Management Executives and the American Health Information Management Association— urged the federal government to publicly confirm that Change could manage data breach reporting and notification requirements, since the technology firm and major claims processor experienced the breach. 
  • UnitedHealth Group, Change’s parent company, has previously said it would handle reporting for customers whose data may have been exposed — which could be a huge swath of Americans.

• Bloomberg Law reports,
  • “Companies working with the US government may be required to start protecting their data and technology from attacks by quantum computers as soon as July.
  • “The National Institute for Standards and Technology, part of the Department of Commerce, will in July stipulate three types of encryption algorithms the agency deems sufficient for protecting data from quantum computers, setting an internationally-recognized standard aimed at helping organizations manage evolving cybersecurity threats. 
  • “The rollout of the standards will kick off “the transition to the next generation of cryptography,” White House deputy national security adviser Anne Neuberger told Bloomberg in Cambridge, England on Tuesday [May 21, 2024]. Breaking encryption not only threatens “national security secrets” but also the way we secure the internet, online payments and bank transactions, she added.”

• The National Institute of Standards and Technology (NIST), announced on May 20, 2024,
  • This week, NIST released Special Publication 800-229, Fiscal Year (FY) 2023 Cybersecurity and Privacy Annual Report. This publication shares key highlights of our major cybersecurity and privacy accomplishments as we wrapped up our celebration of NIST’s 50 years of work in the cybersecurity arena.

From the cyber vulnerabilities and breaches front,

• Cybersecurity Dive notes yesterday,
  • “On the eve of Memorial Day weekend, threat researchers and incident response teams are quietly preparing for the risk of malicious activity when staffing is minimal and millions of workers will be on the road. 
  • “Critical industries have faced a series of threats from criminal ransomware gangs or nation-state actors for much of 2024, and the unofficial summer kickoff weekend is a prime opportunity for malicious attacks. 
  • “We see attacks and attempted intrusions every day,” Scott Algeier, executive director of the IT-ISAC, said via email.
  • “While there is no specific threat information pointing to a Memorial Day event, “attackers are also aware of the calendar and know that security teams tend to operate with reduced staffing on weekends and holidays,” Algeier said.
  • “While there is no specific threat information pointing to a Memorial Day event, “attackers are also aware of the calendar and know that security teams tend to operate with reduced staffing on weekends and holidays,” Algeier said.”

• HHS’s Health Sector Cybersecurity Coordination Center (HC3) has issued its April 2024 cybersecurity vulnerability bulletin.
  • In April 2024, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for April are from Palo Alto, Ivanti, Microsoft, Google/Android, Apple, Mozilla, Cisco, SAP, VMWare, Adobe, Fortinet, and Atlassian. A vulnerability is given the classification of a zero-day when it is actively exploited with no fix available, or if it is publicly disclosed. HC3 recommends patching all vulnerabilities, with special consideration given to the risk management posture of the organization.

• HC3 also issued a useful PowerPoint presentation titled “Business Email Compromise (BEC) & Healthcare.”

• The Cybersecurity Infrastructure Security Administration added the following new known exploited vulnerabilities to its catalog:
  • May 20, 2024 —
    • CVE-2024-4947 Google Chromium V8 Type Confusion Vulnerability
    • CVE-2023-43208 NextGen Healthcare Mirth Connect Deserialization of Untrusted Data Vulnerability
  • May 23, 2024 —
    • CVE-2020-17519 Apache Flink Improper Access Control Vulnerability

• Dark Reading reports yesterday that “Google Discovers Fourth Zero-Day in Less Than a Month; The tech company has rolled out fixes for a type confusion vulnerability that has already been exploited by malicious actors.”

• Cyberscoop adds
  • “An aggressive, nebulous ring of young cybercriminals linked to a string of recent high-profile breaches is made up of approximately 1,000 people, a senior FBI official said Friday. 
  • “In remarks Friday at the cybercrime-focused Sleuthcon conference, Bryan Vorndran, assistant director of the FBI’s Cyber Division, described the group best known as Scattered Spider as a “very, very large, expansive, disbursed group of individuals,” many of whom don’t know each other directly. 
  • “Scattered Spider emanates from an online community known as “the Com.” The group is also tracked by cybersecurity firms as “0ktapus” or UNC3944, and Vorndran’s remarks provide the best number yet for the total size of the hacking crew.  
  • “Scattered Spider has breached a who’s-who of big-name companies, including the casino giant MGM Resorts and the identity management company Okta. Made up of mostly native English speakers in the United States and the United Kingdom, Scattered Spider is classified as a top three cybersecurity threat, alongside China and Russia’s foreign intelligence agency, Vorndran said.” 

• NPR brings us up to date on Ascension Healthcare’s recovery from its cyberattack.

From the cybersecurity defenses front,

• Modern Healthcare lets us know
  • A recent string of massive healthcare cybersecurity breaches has put data security leaders on edge. 
  • Health system cybersecurity executives are looking at their biggest points of weakness in the aftermath of large-scale breaches at St. Louis-based health system Ascension, UnitedHealth Group’s Change Healthcare and Chicago-based Lurie Children’s Hospital
  • Recent incidents have shined a light on some of the most significant vulnerabilities at health systems. Here are four of the biggest, according to experts.. 
    • Lack of Shared Organizational Goals
    • Third party Vendor Risks
    • Multi-factor Authentication Misses
    • Slow Response Time

• Similarly MedCity News points out,
  • “During a fireside chat at MedCity News’ INVEST conference, Nitin Natarajan — deputy director at the Cybersecurity and Infrastructure Security Agency (CISA) — shared some key ideas that people need to understand about the current state of cybersecurity in the healthcare industry. For instance, he reminded us that things won’t get better overnight, and that cybersecurity requires an all-hands-on deck approach.”

• TechTarget offer ten cybersecurity best practices and cybersecurity market trends from AI to post-quantum crypto.

From the cybersecurity policy front,

• Cybersecurity Dive reports,
  • “The Biden administration plans to pursue a liability framework to hold the software industry accountable for insecure software, according to administration officials and documents released by the Office of the National Cyber Director this week. 
  • “Federal officials said they have taken steps toward a long-stated goal of shifting the security burden away from technology users and onto the industry. 
  • “The administration wants to pursue a plan to create incentives that will help enable long-term investment in cybersecurity and resilience, Nick Leiserson, assistant national cyber director for cyber policy and programs, said during a panel Monday [May 6] at the RSA Conference in San Francisco.
  • “Leiserson cautioned the objective was not to create a liability framework for the purposes of opening up the software industry to lawsuits.
  • “That’s not the point,” Leiserson said during the panel discussion. “The point is to secure investments in secure software development.”
• and
  • “The Biden administration plans to launch aggressive actions to enhance cyber resilience across key critical infrastructure sectors, including the healthcare and water sectors, which were the targets of significant threat activity in recent months, according to a report released Tuesday by the Office of the National Cyber Director.
  • “The U.S. wants to speed the flow of intelligence sharing and facilitate closer cooperation with the private sector. The administration also plans to enhance its ability to proactively disrupt threat activity and take down malicious actors. 
  • “We are in the midst of a fundamental transformation in our nation’s cybersecurity,” National Cyber Director Harry Coker Jr., said in a statement. “We have made progress in realizing an affirmative vision for a safe, prosperous and equitable digital future, but the threats we face remain daunting.”

• In that regard, Govinfosecurity adds,
  • “As the Department of Health and Human Services works on a proposed update to the HIPAA Security Rule this year, regulators are also ratcheting up enforcement efforts – including resuming long-dormant HITECH Act HIPAA audits, said Melanie Fontes Rainer, director of HHS’ Office for Civil Rights. * * *
  • “HHS OCR plans by the end of the year to publish a proposed update to the HIPAA Security Rule to better reflect the evolution of technology and healthcare delivery that’s occurred over the last two decades since the regulations were first issued, she said.
  • “The beauty of the HIPAA Security Rule is that it’s 20 years old – it is technology-neutral, and it’s scalable. So we’re still able to use it and enforce the law vigorously,” she said in a video interview with Information Security Media Group. 
  • “But at the same time, “the downside of the HIPAA Security Rule is that it’s 20 years old and doesn’t reflect how we receive healthcare today,” she adds. “That’s why we’re taking a look at it to make sure we’re building into it practices – like end-to-end encryption – and things like that.”

• Cyberscoop reports,
  • The U.S. and British governments on Tuesday [May 7] identified Dmitry Yuryevich Khoroshev as the leader, developer and administrator of the LockBit ransomware operation, one of the most prolific and profitable cybercriminal syndicates in recent years.
  • Khoroshev, a Russian national, has been LockBit’s main administrator and developer since at least September 2019 continuing through the present, U.S. federal prosecutors said in an indictment unsealed Tuesday. Since its inception, LockBit has been used in attacks against more than 2,500 targets in at least 120 countries, leading to at least $500 million in ransom payments to Khoroshev and his affiliates and “billions of dollars in broader losses, such as revenue, incident response, and recovery,” the Department of Justice said in a statement.

• Dark Reading points out that at the RSA Conference “CISA courted the private sector to get behind CIRCIA Reporting Rules. New regulations will require the private sector to turn over incident data to CISA within three days or face enforcement. Here’s how the agency is presenting this as a benefit to the entire private sector.”

From the cyber breaches and vulnerabilities front,

• Cyberscoop reports,
  • Ascension, a health care system with 140 hospitals in 19 states and Washington, D.C., and tens of thousands of employees and affiliated providers, detected a “cyber security event” Wednesday [May 8] that has caused a “disruption to clinical operations,” the company said. 
  • Major impacts to medical services have been reported in multiple states, including Kansas, Florida and Michigan, including some patients being diverted to other hospitals and lack of access to digital records.
  • “We have to write everything on paper,” one physician in Michigan told the Detroit Free Press. “It’s like the 1980s or 1990s.”

• Dark Reading adds,
  • “The provider has temporarily paused non-emergency medical procedures and appointments, and some hospitals are diverting emergency medical services. Patients were advised to bring relevant medical information to appointments due to system limitations.
  • “We are actively supporting our ministries as they continue to provide safe, patient care with established downtime protocols and procedures,” a company statement said. “It is expected that we will be utilizing downtime procedures for some time.”
  • “The organization has tapped incident response help from Mandiant for investigation and remediation efforts. It is unknown if any patient data was exposed in the attack.
  • “We are working to fully investigate what information, if any, may have been affected by the situation,” Ascension said. “Should we determine that any sensitive information was affected, we will notify and support those individuals in accordance with all relevant regulatory and legal guidelines.”

• Cybersecurity Dive tells us,
  • “The FBI and Cybersecurity and Infrastructure Security Agency urged software companies to eliminate directory traversal vulnerabilities from their products, citing a rise in attacks against critical industries, including hospitals and school operations, in a secure by design alert released Thursday. 
  • “The agencies are seeking industry action following two recent campaigns where threat groups engaged in extensive exploitation activity. The agencies referenced a path traversal vulnerability in ConnectWise ScreenConnect, listed as CVE-2024-1708, and a vulnerability in the file upload functionality of Cisco AppDynamics Controller, listed as CVE-2024-20345.
  • “In total, directory traversal or path traversal vulnerabilities were identified in 55 different cases listed on CISA’s Known Exploited Vulnerabilities catalog, according to the alert.”

From the ransomware front,

• American Hospital Association News informs us,
  • “The Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, Department of Health and Human Services, and Multi-State Information Sharing and Analysis Center May 10 released a joint cybersecurity advisory to provide information on Black Basta, a ransomware variant whose actors have encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the health care and public health sector.”

• Bleeping Computer’s The Week in Ransomware is back this week.

• SC Media and HelpNetSecurity offer their observations on the state of the ransomware attacks and defenses.

From the cybersecurity defenses front,

• Cybersecurity Dive calls attention to the fact that “Officials see a real change in Microsoft’s security plans: financial accountability. CISA Director Jen Easterly pointed to Microsoft’s decision to link security to executive compensation as a meaningful signal of its priorities.”

• Tech Target offers “five tips for building a cybersecurity culture at your company.”

• Dark Reading considers the future path of CISOs while the ISACA Blog notes “A Better Path Forward for AI By Addressing Training, Governance and Risk Gaps.”

• Finally, SC Media dives into the cybersecurity insurance market.