From the cybersecurity policy front,

• On April 4, the Cybersecurity and Infrastructure Security Agency (CISA) published its proposed Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements rule in the Federal Register. The public comment deadline is June 3, 2024.

• Cybersecurity Dive summarizes what CISA wants to see in these CIRCIA reports.

• Cybersecurity Dive reported on April 3,
  • “The state-linked intrusion on Microsoft Exchange Online that led to the theft of about 60,000 U.S. State Department emails last summer “was preventable and should never have occurred”, the Cyber Safety Review Board said Tuesday [April 2] in a report. 
  • “A series of operational and strategic decisions by Microsoft pointed to a corporate culture that deprioritized investments in enterprise security and rigorous risk management, despite the central role the company plays in the larger technology ecosystem, the report said. 
  • “The CSRB urged Microsoft to publicly share its plans to make fundamental, security focused reforms across the company and its suite of products. The board also recommended that all cloud services providers and government partners enact security-focused changes.

• Cybersecurity Dive added on April 5,
  • “The Cybersecurity and Infrastructure Security Agency is working with Microsoft to investigate and mitigate Midnight Blizzard’s potential impacts on federal agencies. The Russia-linked threat group hacked into senior Microsoft executives’ accounts starting in late November and could pose a larger threat to federal agencies.
  • “As shared in our March 8 blog, as we discover secrets in our exfiltrated email we are working with our customers to help them investigate and mitigate any impacts,” a Microsoft spokesperson said Thursday via email. “This includes working with CISA on an emergency directive to provide guidance to government agencies.”
  • “CISA issued an emergency directive to federal agencies earlier this week on how to mitigate the potential threat from Midnight Blizzard, CyberScoop reported. But the agency has not yet made the directive public. 
  • “CISA officials did not comment on any directive, but confirmed to Cybersecurity Dive it’s working with Microsoft on how to respond to the threat.” 

• Federal News Network lets us know,
  • “Amid the response to the Change Healthcare ransomware attack, the Department of Health and Human Services is aiming to better organize its healthcare cybersecurity resources and programs.
  • “HHS is creating a  “one-stop shop” for cyber at the department’s Administration for Strategic Preparedness and Response, according to Brian Mazanec, the deputy director for ASPR’s Office of Preparedness. ASPR leads U.S. health and medical preparedness for disasters and other public health emergencies.
  • “We’re really establishing ASPR as that one-stop shop to manage this information sharing across the department, with our partners in industry, with the interagency,” Mazanec said during a March 29 webinar hosted by the HHS-sponsored Regional Disaster Health Response System.”

• The National Institutes of Standards and Technology announced,
  • “NIST is releasing the initial public draft of Special Publication (SP) 800-61r3 (Revision 3), Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile, for public comment. This publication seeks to assist organizations with incorporating cybersecurity incident response recommendations and considerations throughout their cybersecurity risk management activities, as described by CSF 2.0. Doing so can help organizations prepare for incident responses, reduce the number and impact of incidents that occur, and improve the efficiency and effectiveness of their incident detection, response, and recovery activities.
  • “The public comment period is open through May 20, 2024. See the publication detailsfor a copy of the draft and instructions for submitting comments.”

• NIST also issued “a [draft] mapping between the security controls within NIST Special Publication 800-53 Revision 5 and the Cybersecurity Framework version 2.0.”

• NextGov tells us,
  • “Camille Stewart Gloster, a cyber and technology attorney who has led the White House’s cybersecurity workforce and tech ecosystem strategies since taking up her role in August 2022, will step down Tuesday [April 4].
  • “She told Nextgov/FCW on the sidelines of an International Association of Privacy Professionals event in Washington, D.C. she had no plans as of yet for where she will be heading next.”

From the cyber vulnerabilities and breaches front,

• HHS’s Health Sector Cybersecurity Coordination Center (HC3) informs us about “Social Engineering Attacks Targeting IT Help Desks in the Health Sector.”
  • “HC3 has recently observed threat actors employing advanced social engineering tactics to target IT help desks in the health sector and gain initial access to target organizations. In general, threat actors continue to evolve their tactics, techniques, and procedures (TTPs) to achieve their goals. HC3 recommends various mitigations outlined in this alert, which involve user awareness training, as well as policies and procedures for increased security for identity verification with help desk requests.”
  • More on this threat can be found on the American Hospital Association news site.

• On April 4, 2024, CISA added two known exploited vulnerabilities to its catalog.
  • CVE-2024-29745 Android Pixel Information Disclosure Vulnerability
  • CVE-2024-29748 Android Pixel Privilege Escalation Vulnerability

From the ransomware front,

• Bleeping Computer’s The Week in Ransomware is back at long last.

• Cyberscoop reports,
  • “Six weeks after executing an attack that crippled parts of the U.S. health care system, the cybercrime gang linked to the incident has picked up the pace of laundering the proceeds of an alleged ransom payment, even as the hackers implicated in the breach continue to maintain a low profile.  
  • “The ransomware group ALPHV claimed responsibility for the Feb. 21 attack on Change Healthcare, a payment processor that touches 1 in 3 American patient records. The attack on Change limited the ability of pharmacies and health care providers to receive payments and has placed severe strain on the U.S. health care system.
  • “Earlier this month, cybercrime researchers reported that a bitcoin wallet linked to previous ALPHV ransoms had received $22 million, fueling speculation that Change’s parent company, UnitedHealth Group, had ponied up a ransom payment.
  • “Now, ALPHV appears to be moving to further obscure the destination of those funds. 
  • “According to blockchain intelligence firm TRM Labs, funds have recently been moved from bitcoin wallets linked to other ransoms paid to ALPHV, with these funds transferred to multiple other addresses and through a mixer, a tool used to obfuscate transactions that can be tracked on a public ledger. 
  • “Over the last week or so we have seen increased laundering activity,” Ari Redbord, TRM Labs’s global head of policy, told CyberScoop in an email. On March 27, for instance, TRM Labs observed 50 bitcoin — approximately $3.5 million — “move from wallets associated with the group to a mixing service. In addition, between March 22nd & 27th, we saw multiple withdrawals by wallets associated with the ransomware group and sent to a global exchange.”
  • “The FBI declined to comment on the status of its investigation of the incident.” 

From the cyberdefenses front,

• Cybersecurity Dive relates,
  • “[E[ven as Change [Healthcare] begins to restore its systems, cyberattacks are going to remain a challenge for the industry as healthcare digitizes, creating more potential vulnerabilities for cybercriminals to exploit, experts say. 
  • “The healthcare sector needs to learn from the wide-ranging impacts from the Change attack — and prepare for the next one.
  • “As an industry, there’s been a lot of advancement in cybersecurity, but we’re still pretty far behind where we need to be,” said Steve Cagle, CEO of healthcare cybersecurity firm Clearwater. “We need to face the reality that this is an issue that is here to stay for a long time.”

• Health IT Security discusses “[h]ow can payers be prepared to manage third-party security incidents. Payers should implement vendor management programs, incident response plans, and training processes to prepare for third-party security incidents.”

• Security Week points out,
  • “The US National Institute of Standards and Technology (NIST) this week announced  $3.6 million in grants to help address the cybersecurity skills shortage.
  • “As part of the project, 18 education and community organizations across 15 states will be granted roughly $200,000 each to educate future cybersecurity employees.
  • “The agreements will be overseen by NICE, a partnership between organizations in the government, education, and private sectors, which focuses on building cybersecurity workforce through education and training.
  • “The 18 selected organizations will build Regional Alliances and Multistakeholder Partnerships to Stimulate (RAMPS) cybersecurity education and workforce development projects aligned with the needs of local business and nonprofit organizations.”

• Per Tech Target,
  • “Microsoft officially launched Copilot for Security on Monday [April 1], and while the generative AI tool might bolster security operations, enterprises could face implementation and integration challenges.
  • “The tech giant unveiled Copilot for Security, originally called Security Copilot, in March 2023 to assist security and IT teams with threat detection and response. Following a series of rollout stages for the generative AI (GenAI) tool, Microsoft added a pay-as-you-go pricing model and new capabilities, such as knowledge base integrations and multilanguage support.
  • “Vasu Jakkal, corporate vice president of security, compliance, identity and management at Microsoft, announced the launch in a blog post last month and emphasized that enterprises can use Copilot for Security as a standalone portal or embed the AI tool into existing security products.”

• HHS’s 405(d) Program now offers a
  • “New Resource: Healthcare Threat Identification Poster!
  • “Cyber hygiene poster highlights threats exist at every level of your organization. Be aware of the threats that face your organization in order to protect PHI.”

From the cybersecurity policy front,

• Cyberscoop tells us,
  • “A bill proposed Friday in the Senate would allow health care providers who suffer cyberattacks to qualify for advanced and accelerated payments through government programs so long as they and their vendors met minimum cybersecurity standards.
  • “The legislation from Sen. Mark Warner, D-Va., comes a month after the ransomware attack that targeted Change Healthcare — a payment processor whose technology touches 1 in 3 American patient records — crippled the health industry and the ability for many health care facilities to bill insurance companies and receive payments.”

• Healthcare Dive informs us,
  • “In a Thursday letter to the HHS’ Office for Civil Rights, hospital lobbying organizations sought to clarify who may need to provide data breach notifications to patients following the cyberattack on UnitedHealth’s Change Healthcare: the hospitals that contracted with Change, or the organization directly attacked. 
  • “The letter, penned by counsels for the American Hospital Association and the Federation of American Hospitals, said the onus should be on UnitedHealth and Change alone to report a breach, should one be found. 
  • “Requiring hospitals to also issue breach notifications could result in patients receiving duplicate notifications, leading to unnecessary “public confusion, misunderstandings and added stress,” the letter warned.”
• The HIPAA privacy and security rules permit a covered entity health provider or health plan to treat healthcare claims clearinghouse as a fellow covered entity or a business associate. The article suggests that healthcare providers at least are treating Change Healthcare as a business associate. Of course, when Change Healthcare is provided services other than clearinghouse services to a healthcare provider or a health plan Change Healthcare would be acting as a business associate.

• Speaking of which, a colleague shared with the FEHBlog with this PowerPoint presentation of the HHS Office for Civil Rights Updates & 2024 Priorities presented at HIPAA Summit 41 on Feb. 27, 2024.

• Nextgov reports,
  • The federal government’s HR shop is pitching a legislative proposal to give federal agencies new authorities and flexibilities in how they hire and pay cybersecurity workers to members of Congress, but so far no member has stepped up to sponsor the bill.
  • The package is meant to allow agencies across the government to increase pay for in-demand cyber talent, as they look to recruit in a tight market. The Office of Personnel Management developed the proposal with the Office of Management and Budget and the Office of the National Cyber Director. 
  • The proposal is geared at solving the cyber workforce problem across the government so that hiring officials don’t have to seek agency-specific authorities to bring on such talent, OPM says. 

• The Cybersecurity and Infrastructure Security (CISA) announced on March 18, 2024,
  • “the availability of the Repository for Software Attestation and Artifacts that software producers who partner with the federal government can use to upload software attestation forms and relevant artifacts. Last week, CISA and the Office of Management and Budget (OMB) announced the secure software development attestation form, which enables software producers serving the federal government to attest to implementation of specific security practices.  
  • “Software integrity is key to protecting federal systems from malicious cyber actors seeking to disrupt our nation’s critical functions. This new repository will help federal agencies employ software from producers that attest to using sound secure development practices.”  

From the Change Healthcare situation front,

• United Healthcare Group offered a timeline for “key” product restoration on its Change Healthcare cyberattack website on March 22, 2024.

From the cyber vulnerabilites and breaches front,

• HHS’s Healthcare Sector Cybersecurity Coordination Center (HC3) released its report about February 2024 vulnerabilities of interest to the health sector on March 19, 2024.
  • “In February 2024, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for February are from Ivanti, ConnectWise, Microsoft, Google/Android, Apple, Mozilla, Cisco, SAP, VMWare, Adobe, Fortinet, and Atlassian.
  • “A vulnerability is given the classification of a zero-day when it is actively exploited with no fix available or if it is publicly disclosed.
  • “HC3 recommends patching all vulnerabilities, with special consideration given to the risk management posture of the organization.”

• Cybersecurity Dive notes,
  • “Threat actors are going after broadly deployed enterprise software and network infrastructure, exploiting vulnerabilities in file-transfer services and VPNs at a significantly higher rate, according to Recorded Future’s annual threat analysis report.
  • “The number of high-risk vulnerabilities exploited in attacks against enterprise software and network infrastructure approximately tripled from 2022 to 2023, analysts in the cybersecurity company’s threat research division Insikt Group said in the Thursday report. 
  • “Analysts warned that businesses’ ongoing efforts to increase virtualization and migrate workloads to the cloud are narrowing the supply chain of vendors they rely on, introducing new security risks to the enterprise environment.”
• and
  • Security researchers are warning about a novel variant of the AcidRain wiper, which was used to disrupt satellite communications during Russia’s invasion of Ukraine, according to a blog post released Thursday by SentinelLabs. 
  • The discovery of the new variant, dubbed AcidPour, coincides with the disruption of multiple telecom networks in Ukraine, which have been offline since March 13.
  • The AcidPour variant has capabilities beyond that of AcidRain, raising fears that embedded devices are at risk, including IoT, networking, large storage and even industrial control systems devices running Linux x86 distributions, according to SentinelLabs.

• On March 19, 2024, “CISA, the National Security Agency (NSA), Federal Bureau of Investigation (FBI), and other U.S. and international partners [issued] a joint fact sheet, People’s Republic of China State-Sponsored Cyber Activity: Actions for Critical Infrastructure Leaders. 

• On March 21, 2024, “CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released an updated joint guide, Understanding and Responding to Distributed Denial-Of-Service Attacks, to address the specific needs and challenges faced by organizations in defending against DDoS attacks. The guidance now includes detailed insight into three different types of DDoS techniques: 
  • “Volumetric, attacks aiming to consume available bandwidth. 
  • “Protocol, attacks which exploit vulnerabilities in network protocols. 
  • Application, attacks targeting vulnerabilities in specific applications or running services.” 

• Dark Reading lets us know, “Apple has released iOS 17.4.1, its latest security update, just weeks after releasing iOS 17.4, but is being intentionally vague about details surrounding the new release.” Keep your Apple devices updated.

From the cybersecurity defenses front,

• Tech Target discusses continuity / disaster planning best practices.

• Forbes interviews Tomer Weingarten, the founder and CEO of SentinelOne.
  • “Traditional cyber defense tools and tactics have increasingly fallen short in the face of sophisticated digital threats. This pivotal realization has spearheaded a dramatic shift towards AI-driven defense strategies, marking a significant departure from the conventional paradigms of cybersecurity.
  • “Central to this transformation is [Tomer Weingarten’s] pioneering work * * *. Artificial intelligence and generative AI are pervasive now, but SentinelOne is a company that has been at the forefront of integrating AI into cybersecurity from its inception.”

• SC Media explains why active adversaries requires dynamic defenses.
  • “In earlier posts, we covered how active adversaries’ attack tactics have evolved and shared specific response tactics to defend against them. This post will discuss the need for dynamic defenses and how to gain the insights necessary to change security policies as active adversaries persist in their attacks.
  • “This is vital because as attackers become more agile and adjust their tactics, enterprises need defenses that also actively adapt. This requires a governance policy that constantly re-evaluates risk and security processes that can adapt to changing threat contexts and attack techniques. That calls for threat intelligence that keeps up with a changing threat landscape and uses that insight to adapt.
  • “Threat intelligence is critical to keeping security defenses dynamic, providing context and actionable insights to help organizations proactively identify, prevent, and respond to cyber-attacks. The vital thing is to attain threat intelligence proactively and put that intelligence to use within the organization.”