From the cybersecurity policy and law enforcement front,

• Cyberscoop tells us,
  • “Members of Congress are pressing federal agencies and telecommunications companies for more information about a reported Chinese government-backed hacking campaign that breached the networks of at least three major U.S. telecoms.
  • “Earlier this month, the Wall Street Journal reported that a hacking group tied to Beijing successfully broke into the networks of Verizon, AT&T and Lumen Technologies. The hackers reportedly went undetected for months, possibly gaining access to systems and infrastructure used to process court-authorized wiretaps.
  • ‘On Thursday, Republican and Democratic leaders on the House Energy and Commerce Committee wrote to the three telecommunication firms asking for more information on their response, calling the incident “extremely alarming for both economic and national security reasons.” * * *
  • “The members requested a briefing with the telecoms to learn more about when they became aware of the compromise, findings from any internal investigations and subsequent engagement with law enforcement, their plans to notify affected customers and what if any corrective steps have been taken to harden cybersecurity in the wake of the incident.
  • “The House Homeland Security Committee has also requested a briefing on the hack from the Cybersecurity and Infrastructure Security Agency, according to a committee aide.”

• Federal News Network lets us know,
  • “The Defense Department released the final rule for the long-awaited Cybersecurity Maturity Model Certification program today [October 11], further paving the way for CMMC requirements to show up in contracts starting next year.
  • “The final CMMC program rule was released for public inspection today. It’s expected to officially publish in the Federal Register on Tuesday, Oct. 15.
  • “The rule establishes the mechanisms for the CMMC program. The goal of CMMC is to verify whether defense contractors are following cybersecurity requirements for protecting critical defense information. Many contractors will be required to receive a third-party audit under the program, a significant departure from the current regime of relying on self-attestation.”

• Per an October 3, 2024, HHS press release,
  • “Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $240,000 civil monetary penalty against Providence Medical Institute in Southern California, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, following a ransomware attack breach report investigation by OCR. Ransomware and hacking are the primary cyber-threats in health care. There has been a 264% increase in large breaches reported to OCR involving ransomware attacks since 2018.
  • “Failures to fully implement all of the HIPAA Security Rule requirements leaves HIPAA covered entities and business associates vulnerable to cyberattacks at the expense of the privacy and security of patients’ health information,” said OCR Director Melanie Fontes Rainer. “The health care sector needs to get serious about cybersecurity and complying with HIPAA. OCR will continue to stand up for patient privacy and work to ensure the security of health information of every person. On behalf of OCR, I urge all health care entities to always stay alert and take every precaution and steps to keep their systems safe from cyberattacks.” * * *
  • “The Notice of Final Determination may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/pmi-nfd/index.html“
    
• Fedscoop notes,
  • “The Department of Health and Human Services is working on a new strategic plan for the use of artificial intelligence across the entire breadth of its mission, the department’s top AI official said Tuesday.
  • “Micky Tripathi — HHS’s acting chief AI officer and its assistant secretary for technology policy — said at the NVIDIA AI Summit in Washington, D.C., that the AI strategic plan should arrive sometime in January and that it will span “the entire, you know, sort of breadth of what the department covers.”
  • “During a panel discussion, Tripathi detailed the complex web of mission sets spanning “the value chain of life sciences and health care” that HHS oversees that the new strategic plan will attempt to wrap its arms around. Those include medical research and discovery, preclinical work, measuring the safety and effectiveness of medical products, health care delivery, health technology standards setting, human services, public health and more, he said.”

From the cybersecurity vulnerabilities and breaches front,

• Beckers Health IT informs us,
  • “In the past 12 months, 92% of healthcare organizations reported experiencing at least one cyberattack, up from 88% in 2023, an Oct. 8 survey from Proofpoint and Ponemon Institute found.
  • “Of those cyberattacks, 69% reported disruptions to patient care as a direct consequence.”

• The American Hospital Association News reports,
  • “The FBI, along with the National Security Agency, Cyber National Mission Force and United Kingdom’s National Cyber Security Centre, today released a joint agency advisory on cyber operations by the Russian Federation’s Foreign Intelligence Service (SVR), also known as APT29, Midnight Blizzard, Cozy Bear, and the Dukes, targeting U.S. and global entities. The agencies recommend prioritizing rapid patch deployment and keeping software up to date to protect against cyberattacks.
  • “This alert highlights the SVR’s aggressive targeting of U.S. critical infrastructure for espionage and possible future offensive cyber operations,’ said John Riggi, AHA national advisor for cybersecurity and risk. “Although health care is not cited as being intentionally targeted by this SVR campaign, it is noted that any entity could become a target of opportunity if it has internet-facing vulnerabilities. The SVR takes advantage of opportunistic tactics to host malicious infrastructure, conduct follow-on operations from compromised accounts, or attempt to pivot to other networks on unprotected victim infrastructure. To mitigate this threat and other types of cyberattacks, such as ransomware attacks, it is imperative that health care entities prioritize patching internet-facing vulnerabilities, employ multi-factor authentication and follow the voluntary cybersecurity performance goals.”

• HHS’s Health Section Cybersecurity Coordination Center issued its September report on vulnerabilities of interest to the health sector.

• Cyberscoop points out,
  • “The number of malicious packages found in the open-source ecosystem has dramatically grown in the past year, according to a new report from Sonatype.
  • “The cybersecurity firm found that the number of malicious packages intentionally uploaded into open-source repositories has jumped by more than 150% compared to last year. Open-source software, a transparent development process where almost anyone can contribute to the code and components, is the bedrock of the digital age that can be found in most modern digital technologies.
  • “Sonatype, a firm that specializes in the open-source supply chain, looked at more than 7 million open-source projects and found that more than 500,000 contained a malicious package.
  • “Vulnerabilities in open-source packages and the developers who maintain them have become a hot topic following a spree of high-profile bugs and cyberattacks in recent years. Earlier this year, the maintainer of the data-compression tool XZ Utils was the focus of a yearslong campaign by hackers with the aim of inserting a vulnerability that would have been found in Linux servers throughout the world.”

• The Cybersecurity and Infrastructure Security Agency (CISA) alerted us on October 10,
  • CISA has observed cyber threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to enumerate other non-internet facing devices on the network. F5 BIG-IP is a suite of hardware and software solutions designed to manage and secure network traffic. A malicious cyber actor could leverage the information gathered from unencrypted persistence cookies to infer or identify additional network resources and potentially exploit vulnerabilities found in other devices present on the network.
  • CISA urges organizations to encrypt persistent cookies employed in F5 BIG-IP devices and review the following article for details on how to configure the BIG-IP LTM system to encrypt HTTP cookies. Additionally, F5 has developed an iHealth heuristic to detect and alert customers when cookie persistence profiles do not have encryption enabled. BIG-IP iHealth is a diagnostic tool that “evaluates the logs, command output, and configuration of a BIG-IP system against a database of known issues, common mistakes, and published F5 best practices” to help users verify the optimal operation of their BIG-IP systems.

• CISA added six more known exploited vulnerabilities to its catalog this week.
  • October 8, 2024
    • CVE-2024-43047 Qualcomm Multiple Chipsets Use-After-Free Vulnerability
    • CVE-2024-43572 Microsoft Windows Management Console Remote Code Execution Vulnerability
    • CVE-2024-43573 Microsoft Windows MSHTML Platform Spoofing Vulnerability
  • October 9, 2024
    • CVE-2024-23113 Fortinet Multiple Products Format String Vulnerability
    • CVE-2024-9379 Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability
    • CVE-2024-9380 Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability

• Cybersecurity Dive adds,
  • “Ivanti released updates for three actively exploited zero-day vulnerabilities in Ivanti Cloud Service Appliance, which hackers are chaining together with a previously disclosed path traversal vulnerability, the company said in a Tuesday blog post. 
  • “Successful exploitation of the flaws can allow an attacker to gain administrative privileges to bypass restrictions, obtain remote code execution or run arbitrary SQL statements. The vulnerabilities are listed as CVE-2024-9379, CVE-2024-9380, CVE-2024-9381. 
  • “Ivanti previously disclosed and issued a patch that would address the prior critical vulnerability, listed as CVE-2024-8963, on Sept. 10. The company said it discovered the path traversal vulnerability when it was investigating exploitation of an OS command injection vulnerability, listed as CVE-2024-8190.”

From the ransomware front,

• Tech Radar reports,
  • “The number of active ransomware groups over the last 12 months is on the rise as criminals look for more ways to target businesses, new research has claimed.
  • “The 2024 State of Threat Report from Secureworks has revealed a rise in the number of active ransomware groups over the last 12 months – identifying a 30% rise in the number of active groups.
  • “The figures represents a diversification of the landscape rather than a particularly drastic increase in criminals. Since the notorious Lockbit disruption, in which the most prolific group was briefly shut down, the ransomware ecosystem has evolved, with 31 new groups being established.” * * *
  • “One of the key findings from the report is that unpatched vulnerabilities remain the top Initial Access Vector (IAV) in ransomware attacks, making up almost 50% of all IAVs. This outlines more than ever the importance of staying on top of cybersecurity and software updates.”

• Per Security Affairs,
  • “Sophos researchers warn that ransomware operators are exploiting the critical vulnerability CVE-2024-40711 in Veeam Backup & Replication to create rogue accounts and deploy malware.
  • “In early September 2024, Veeam released security updates to address multiple vulnerabilities impacting its products, the company fixed 18 high and critical severity flaws in Veeam Backup & Replication, Service Provider Console, and One.
  • “The most severe flaw included in the September 2024 security bulletin is a critical, remote code execution (RCE) vulnerability tracked as CVE-2024-40711 (CVSS v3.1 score: 9.8) impacting Veeam Backup & Replication (VBR).”

• Palo Alto Networks Unit 24 tells us,
  • “In July 2024, researchers from Palo Alto Networks discovered a successor to INC ransomware named Lynx. Since its emergence, the group behind this ransomware has actively targeted organizations in various sectors such as retail, real estate, architecture, and financial and environmental services in the U.S. and UK.
  • “Lynx ransomware shares a significant portion of its source code with INC ransomware. INC ransomware initially surfaced in August 2023 and had variants compatible with both Windows and Linux. While we haven’t confirmed any Linux samples yet for Lynx ransomware, we have noted Windows samples. This ransomware operates using a ransomware-as-a-service (RaaS) model.”

From the cybersecurity defenses front,

• American Hospital Association cybersecurity expert John Riggi offers his perspective on this year’s cybersecurity challenges in the healthcare sector.

• “Moffitt Cancer Center was one of many health systems impacted by the Change Healthcare ransomware attack earlier this year. The organization’s VP of RCM operations [Lynn Ansley] explains [in Health Leaders] how she navigated the disaster.”

• Here is a link to Dark Reading’s CISO Corner.

• HHS’s 405(d) program shares an endpoints security poster with the public.

From the cybersecurity policy front,

• Healthcare Dive informs us,
  • “Lawmakers introduced a bill Thursday [September 26] that would set cybersecurity standards for healthcare organizations as the industry faces a wave of cyberattacks and data breaches. 
  • “The legislation, sponsored by Sens. Ron Wyden, D-Ore., and Mark Warner, D-Va., would direct the HHS to develop minimum cybersecurity standards for providers, health plans, claims clearinghouses and business associates. Enhanced cyber standards would apply to organizations that are deemed important to national security.” * * *
  • “The bill requires the HHS to adopt minimum and enhanced cybersecurity measures that would apply to HIPAA-covered entities and their business associates.
  • “Healthcare organizations would be required to conduct cybersecurity assessments and stress tests. The HHS would audit the data security of at least 20 companies per year to ensure compliance. 
  • “The legislation also seeks to increase civil penalties for organizations that fail to comply with security standards — including a proposed minimum fine of $250,000 for violations in willful neglect that go uncorrected. 
  • “The HHS would also be authorized to charge user fees to covered entities and business associates. Those fees would allow the agency to take on the increased oversight work, a challenge the HHS hasn’t been appropriately funded to manage, the senators wrote in a summary of the legislation.”
• Wow. It strikes the FEHBlog that at least parts of this bill, in not the whole tamale, could be enacted in the lame duck session of Congress at the end of this year. The bill has a variety of effective dates.

• Why? Beckers Health IT adds,
  • “The financial fallout from recent data breaches in the healthcare industry continues to raise alarms as organizations grapple with the costs of cyberattacks and ensuing lawsuits.
  • “Two incidents — the ransomware attack on St. Louis-based Ascension and a class-action lawsuit faced by Allentown, Pa.-based Lehigh Valley Health Network — highlight the impact of these breaches on health systems’ operations and bottom lines.”

• Cybersecurity Dive points out,
  • “The U.S. has made significant progress improving its cybersecurity posture, implementing about 80% of the recommendations the Cyberspace Solarium Commission detailed in 2020, according to a report released Thursday [September 26]. But more work is still required to shore up additional efforts related to critical infrastructure and economic security. 
  • “Among the key remaining priorities is a push to identify the “minimum security burdens” of critical infrastructure entities that have a “disproportionate impact on U.S. national security,” the report said. The commission called on the next administration to detail intelligence and information-sharing benefits, alongside security burdens, to these “systemically important entities.”
  • “The U.S. needs to develop an economic continuity plan that would operate as an incident response and resilience plan in case of a catastrophic cyber event or other crisis, the commission said. Federal authorities also need to codify a joint collective plan for sharing threat information between government, private industry and international intelligence partners.”

• Per a NIST press release,
  • “Today [September 24], U.S. Secretary of Commerce Gina Raimondo announced that the Department of Commerce’s National Institute of Standards and Technology (NIST) has awarded $6 million to Carnegie Mellon University (CMU) to establish a joint center to support cooperative research and experimentation for the test and evaluation of modern AI capabilities and tools. The center will be housed on the Carnegie Mellon campus, in Pittsburgh.
  • “Artificial intelligence is the defining technology of our generation, and at the Commerce Department we are committed to working with America’s world-class higher education institutions, like Carnegie Mellon University, to advance safe, secure and trustworthy development of AI,” Raimondo said. “I am excited to announce this NIST award of $6 million for Carnegie Mellon to boost research of AI systems and support a new generation of scientists and engineers that will help advance American innovation globally.”

From the CrowdStrike front

• Cybersecurity Dive offers five takeaways from a CrowdStrike official’s apologetic testimony before Congress last Thursday.

From the cyber breaches and vulnerabilities front,

• Cybersecurity Dive lets us know,
  • “Security researchers are warning about critical vulnerabilities in the Common Unix Printing System used on Linux, which could allow a hacker to gain control over remote command execution when the flaws are chained together and a print job is separately launched by the user.
  • “The vulnerabilities, listed as CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177, can allow an attacker to replace IPP urls on a printer with a malicious version, giving them the ability to command capabilities on a system. 
  • “The vulnerabilities were initially assigned a score of 9.9, with the expectation of coordinated disclosure and later public notification by Oct. 6. However, the original research leaked on Thursday, and security researchers have since dialed back some of their initial fears, which compared the potential impact to Log4j and Heartbleed.”

• This week, the Cybersecurity and Infrastructure Security Administration added one known exploited vulnerability to its catalog on September 24, 2024,
  • CVE-2024-7593. Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability

• Cybersecurity Dive cautions,
  • “A state-linked botnet linked to the Flax Typhoon threat group is actively targeting 66 security vulnerabilities for exploitation, researchers from VulnCheck said Monday. Last week the Five Eyes intelligence partners named the botnet in a global threat advisory. 
  • “However, researchers from VulnCheck warn that only 27 of the CVEs are listed in the Cybersecurity and Infrastructure Security Agency’s closely monitored catalog of known exploited vulnerabilities.  
  • “Researchers say the discrepancy between the actively targeted CVEs and the official CISA catalog highlights a longstanding backlog in identifying security threats that critical infrastructure providers, private companies and government agencies are up against.” * * *
  • “NIST brought in an outside firm to help reduce the analysis backlog. A NIST spokesperson said the agency has made progress towards reducing the backlog, and an update on that progress is pending.” 

From the ransomware front,

• Modern Healthcare tells us,
  • The number of healthcare providers affected by ransomware attacks is steadily growing. 
  • More than two-thirds of healthcare providers reported a ransomware attack in the past year compared with 60% in 2023, according to a survey released Thursday from cybersecurity company Sophos. In 2021, only 34% of providers said they were affected by an attack.

• Bleeping Computer warns,
  • “Microsoft warns that ransomware threat actor Storm-0501 has recently switched tactics and now targets hybrid cloud environments, expanding its strategy to compromise all victim assets.
  • “The threat actor first emerged in 2021 as a ransomware affiliate for the Sabbath ransomware operation. Later they started to deploy file-encrypting malware from Hive, BlackCat, LockBit, and Hunters International gangs. Recently, they have been observed to deploy the Embargo ransomware.
  • “Storm-0501’s recent attacks targeted hospitals, government, manufacturing, and transportation organizations, and law enforcement agencies in the United States.”

• PC World explains how to turn on Microsoft Windows’ built in ransomware protection.

From the cybersecurity defenses front,

• SC Media calls attention to “five ways to beef up network security and reduce data theft.”
  • “Rethink access control
  • “Raise the firewall game
  • “Take incident response seriously
  • “Tap into network visibility
  • “Segment the network
• “These five approaches to network data security have been around for quite some time, yet they continue to mature and stay relevant because of new AI features that align with emerging challenges. Ultimately, the security team needs to choose and deploy the right combination of these tools that correlate with industry-specific risks facing the organization.”
  
• A Dark Reading commentator explains why “Managing Cyber-Risk Is No Different Than Managing Any Business Risk. A sound cyber-risk management strategy analyzes all the business impacts that may stem from an attack and estimates the related costs of mitigation versus the costs of not taking action.”

• Per a CISA press release,
  • “Today [September 26], the Australian Signals Directorate Australian Cyber Security Centre (ASD ACSC), the Cybersecurity and Infrastructure Security Agency (CISA), and other U.S. and international partners released the joint guide Detecting and Mitigating Active Directory Compromises. This guide informs organizations of recommended strategies to mitigate common techniques used by malicious actors to compromise Active Directory.
  • “Active Directory is the most widely used authentication and authorization solution in enterprise information technology (IT) networks globally. Malicious actors routinely target Active Directory as part of efforts to compromise enterprise IT networks by escalating privileges and targeting the highest confidential user objects.  
  • “Responding to and recovering from malicious activity involving Active Directory can be consuming, costly, and disruptive. CISA encourages organizations review the guidance and implement the recommended mitigations to improve Active Directory security.”

From the cybersecurity policy and law enforcement front,

• Federal News Network tells us
  • “A record number of federal agencies and their chief information officers are getting top marks on how they manage IT and cybersecurity.
  • “A total of 13 agencies [including the U.S. Office of Personnel Management] received an overall A letter grades on a semiannual Federal IT Acquisition Reform Act (FITARA) scorecard.
  • “Another 10 agencies got a B grade for their overall IT and cybersecurity management. Only one agency, the Energy Department, received a C grade. No agencies received a D or an F.
  • “Agencies generally saw lower scores in the previous FITARA scorecard released in February.”

• KFF Health News gives low marks to the federal agencies responsible for protecting healthcare organizations against cyberattacks.

• Per a CISA press release,
  • “The Cybersecurity and Infrastructure Security Agency (CISA) published the Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) Plan today. As the operational lead for federal cybersecurity, CISA uses this plan to guide coordinated support and services to agencies, drive progress on a targeted set of priorities, and align collective operational defense capabilities. The end result is reducing the risk to more than 100 FCEB agencies.
  • “Each FCEB agency has a unique mission, and thus have independent networks and system architectures to advance their critical work. This independence means that agencies have different cyber risk tolerance and strategies. However, a collective approach to cybersecurity reduces risk across the interagency generally and at each agency specifically, and the FOCAL Plan outlines this will occur. CISA developed this plan in collaboration with FCEB agencies to provide standard, essential components of enterprise operational cybersecurity and align collective operational defense capabilities across the federal enterprise.” * * *
  • “The FOCAL Plan was developed for FCEB agencies, but public and private sector organizations should find it useful as a roadmap to establish their own plan to bolster coordination of their enterprise security capabilities. 
  • “The Plan is not intended to provide a comprehensive or exhaustive list that an agency or CISA must accomplish. Rather, it is designed to focus resources on actions that substantively advance operational cybersecurity improvements and alignment goals.”

• Per a NIST press release,
  • “NIST is establishing a program for the cybersecurity and privacy of AI and the use of AI for cybersecurity and privacy.
  • “The program will build on existing NIST expertise, research and publications such as:
    • “The Secure Software Development Practices for Generative AI and Dual-Use Foundation Models: An SSDF Community Profile (NIST SP 218A); 
    • “Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations (NIST AI 100-2);
    • “Enabling privacy in the age of AI: Draft Guidelines for Evaluating Differential Privacy Guarantees (NIST SP 800-226); 
    • “Recent introduction of Security of AI as a Competency Area as part of the NICE Workforce Framework for Cybersecurity (NICE Framework);
    • “Tools such as Dioptra – a test platform that aims to facilitate evaluations of machine learning algorithms, including cybersecurity, under a diverse set of conditions.
    • “A PETs Testbed which provides the capability to investigate privacy-enhancing technologies (PETs) and their respective suitability for specific use cases, including protecting machine learning models from privacy attacks.

• Dark Reading reports,
  • “The Justice Department today [September 19] announced a court-authorized operation to disrupt a botnet affecting 200,000 devices in the United States and abroad.
  • “According to unsealed documents, the botnet, known as Raptor Train, is operated by People’s Republic of China (PRC) state-sponsored hackers working for a company based in Beijing. Known publicly as Integrity Technology Group, it is also known as the advanced persistent threat (APT) group Flax Typhoon in the private sector.
  • A variety of connected and Internet of things (IoT) devices have been affected by the botnet malware, including small-office/home-office (SOHO) routers, Internet protocol cameras, digital video recorders, and network-attached storage (NAS) devices.”

From the cyber vulnerabilities and breaches front,

• Cybersecurity Dive lets us know,
  • “Ivanti warned Thursday of a critical path traversal vulnerability in Cloud Service Appliance, which is currently facing exploitation attempts by hackers. The vulnerability, listed as CVE-2024-8963, has a CVSS score of 9.4 and allows an unauthenticated hacker to gain access to restricted functionality.
  • “Ivanti previously issued a patch for CSA on Sept. 10., but the company said the path traversal vulnerability was discovered while investigating exploitation linked to an OS command injection vulnerability, listed as CVE-2024-8190. 
  • “The company warned that when the two vulnerabilities are used in conjunction with each other, a hacker can bypass admin authentication and execute arbitrary commands.” 

• Dark Reading tells us “Security Firm’s North Korean Hacker Hire was not an Isolated Incident; What happened to KnowBe4 also has happened to many other organizations, and it’s still a risk for companies of all sizes due to a sophisticated network of government-sponsored fake employees.” Check out the article.

• CISA added twelve known exploited vulnerabilities to its catalog this week.
  • “September 16, 2024
    • CVE-2024-43461 Microsoft Windows MSHTML Platform Spoofing Vulnerability
    • CVE-2024-6670 Progress WhatsUp Gold SQL Injection Vulnerability”
  • “September 17, 2024
    • CVE-2014-0497 Adobe Flash Player Integer Underflow Vulnerability
    • CVE-2013-0643 Adobe Flash Player Incorrect Default Permissions Vulnerability
    • CVE-2013-0648 Adobe Flash Player Code Execution Vulnerability
    • CVE-2014-0502 Adobe Flash Player Double Free Vulnerability”
  • “September 18, 2024
    • CVE-2024-27348 Apache HugeGraph-Server Improper Access Control Vulnerability
    • CVE-2020-0618 Microsoft SQL Server Reporting Services Remote Code Execution” Vulnerability
    • CVE-2019-1069 Microsoft Windows Task Scheduler Privilege Escalation Vulnerability
    • CVE-2022-21445 Oracle JDeveloper Remote Code Execution Vulnerability
    • CVE-2020-14644 Oracle WebLogic Server Remote Code Execution Vulnerability”
  • “September 19, 2024
    • CVE-2024-8963 Ivanti Cloud Services Appliance (CSA) Path Traversal Vulnerability”

From the ransomware front,

• Dark Reading informs us,
  • “Inc ransomware is on the rise, with one well-known threat actor recently using it to target American healthcare organizations.
  • “Vice Society, which Microsoft tracks as Vanilla Tempest, has been active since July 2022. In that time, the Russian-speaking group has made use of various families of ransomware to aid its double extortion attacks, including BlackCat, Hello Kitty, Quantum Locker, Rhysida, Zeppelin — including its own variant — and its own, eponymous program.
  • “In a series of posts on X, Microsoft Threat Intelligence Center (MSTIC) flagged the group’s latest weapon: Inc ransomware.”

• Per Cybersecurity Dive,
  • “A special legislative committee in Suffolk County, New York, found officials ignored repeated warnings and failed to prepare ahead of a September 2022 ransomware attack that disrupted essential government services for months, in a report released last week.
  • “Officials blamed the ransomware attack on a failure of leadership, including the lack of an incident response plan and a failure to respond to FBI warnings of potential infiltration. 
  • “Suffolk County operated using a variety of IT teams and had no CISO, resulting in a lack of coordination on how to prepare for potential cyber threats. The attack has so far cost the county more than $25 million in remediation costs and other expenses.”

• Cyberscoop reports on a debate of experts at the 2024 mWISE conference about what more could be done to stop ransomware attacks in the wake of police action and tens of millions in ransom payments over the past year. 

From the cyber defenses front,

• Cyberscoop points out,
  • “UnitedHealth Group is still in the recovery process months after a ransomware attack on its Change Healthcare subsidiary, with its chief information security officer saying the company has essentially “started over” with regard to its computer systems. 
  • “When I say start over, I really, truly mean start over,” Steven Martin said Thursday at the Mandiant Worldwide Information Security Exchange (mWISE). “The only thing that we kept from the old environment into the new environment was the cables. New routers, new switches, new compute infrastructure, deployed everything from a safe environment, truly started over. I felt like that was the only way that we could really ensure that we ended up with something that we could stand behind for the health care space, because it’s what it deserved.” 

• Cybersecurity Dive adds,
  • “CEOs and company boards often ask Kevin Mandia, founder and former CEO of Mandiant, how to determine the strength of their CISOs. Above all else, Mandia advises executives to assess their CISO’s disposition.
  • “Do you have a CISO with a security mindset?” “If they don’t have that, you’re probably not going to have a great security program,” Mandia said Wednesday during his opening keynote at the Mandiant Worldwide Information Security Exchange conference in Denver.” * * *
  • “Over the past couple decades Mandia’s crafted a series of five questions designed to help executives and board members test their confidence in a CISO’s ability to excel in their job.
  • “The questions on Mandia’s CISO confidence test include:
    • How would you break into us? What is our weak spot?
    • What is our worst-case scenario?
    • What would you do if the worst-case scenario occurred?
    • How resilient are we? How long would it take to recover our systems and applications?
    • What do you need?
  • “Mandia, who now serves in a strategic security advisor role at Google Cloud, said CEOs should focus on their CISO’s response to these questions as a measure of their demeanor.
  • “I tell CEOs, you don’t even care what the answer is to these questions as long as your CISO actually has one, because at least that means you have the mindset,” Mandia said.”

• Health Tech offers five steps to follow after a breach.

• Per Bleeping Computer,
  • “Microsoft announced today that Hotpatching is now available in public preview for Windows Server 2025, allowing installation of security updates without restarting.
  • “Hotpatching deploys Windows security updates without requiring a reboot by patching the in-memory code of running processes without restarting them after each installation.
  • “Among the benefits of Windows Hotpatching, Redmond highlights faster installs and reduced resource usage, lower workload impact because of fewer reboots over time, and improved security protection because it reduces the time exposed to security risks.
  • “Instead of 12 mandatory reboots a year on ‘Patch Tuesday,’ you’ll now only have quarterly scheduled reboots (with the rare possibility of reboots being required in a nominal Hotpatch month),” said Windows Server Director of Product Hari Pulapaka on Friday [September 20].”
    
    

From the cybersecurity policy front,

• Federal News Network tells us,
  • “White House officials are contemplating a new cybersecurity executive order that would focus on the use of artificial intelligence.
  • “Federal cybersecurity leaders, convening at the Billington Cybersecurity Conference in Washington this past week, described AI as both a major risk and a significant opportunity for cyber defenders.
  • ‘White House Deputy National Security Advisor Anne Neuberger called AI a “classic dual use technology.” But Neuberger is bullish on how it could improve cyber defenses, including analyzing logs for cyber threats, generating more secure software code, and patching existing vulnerabilities.
  • “We see a lot of promise in the AI space,” Neuberger said. “You saw it in the president’s first executive order. As we work on the Biden administration’s potentially second executive order on cybersecurity, we’re looking to incorporate some particular work in AI, so that we’re leaders in the federal government in breaking through in each of these three areas and making the tech real and proving out what’s possible.”

• Per a Labor Department Employee Benefit Security Administration press release,
  • “In its continuing effort to protect U.S. workers’ retirement and health benefits, the U.S. Department of Labor today updated current cybersecurity guidance confirming that it applies to all types of plans governed by the Employee Retirement Income Security Act, including health and welfare plans, and all employee retirement benefit plans.
    • “The new Compliance Assistance Release issued by the department’s Employee Benefits Security Administration provides best practices in cybersecurity for plan sponsors, plan fiduciaries, recordkeepers and plan participants. The release updates EBSA’s 2021 guidance and includes the following:
    • “Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
    • “Cybersecurity Program Best Practices: Assists plan fiduciaries and recordkeepers in mitigating risks. 
    • “Online Security Tips: Offers plan participants who check their online retirement accounts with rules for reducing the risk of fraud and loss.”

• Cybersecurity Dive lets us know,
  • “The White House Office of the National Cyber Director launched a program Wednesday to help fill the gap of about 500,000 available cybersecurity jobs across the country. 
  • “Service for America, a program developed alongside the Office of Management and Budget and the Office of Personnel Management, is a recruitment and hiring push that will help connect Americans with available jobs in cybersecurity, technology and artificial intelligence. 
  • “The program’s major emphasis is to reach job candidates without traditional qualifications, such as computer science or engineering backgrounds. 
  • “Many Americans do not realize that a cyber career is available to them,” National Cyber Director Harry Coker Jr. said in a blog post released Wednesday. “There is a perception that you need a computer science degree and a deeply technical background to get a job in cyber.”
  • “In reality, Coker said people of all backgrounds can find well-paying jobs in cybersecurity, and the White House has been promoting efforts to connect a new generation of prospective candidates into those positions.”
• and
  • “Marsh McLennan and Zurich Insurance Group on Thursday [September 5] issued a call for government intervention to help resolve the growing risk of catastrophic cyber events and a multibillion dollar gap in terms of what the current insurance market can absorb. 
  • “The cyber insurance market has seen significant growth in recent years, and is expected to exceed $28 billion in gross written premiums in 2027, more than double the amount written in 2023, according to a whitepaper released by the firms Thursday.  
  • “However, the companies warn a risk protection gap of about $900 billion exists between insured losses and economic losses due to cyberattacks. Many small- to medium-sized businesses are either underinsured or carry no coverage to protect against such losses.” 

From the cyber vulnerabilities and breaches front,

• Per a Centers for Medicare Services press release,
  • “The Centers for Medicare & Medicaid Services (CMS) and Wisconsin Physicians Service Insurance Corporation (WPS) are notifying people whose protected health information or other personally identifiable information (PII) may have been compromised in connection with Medicare administrative services provided by WPS. WPS is a CMS contractor that handles Medicare Part A/B claims and related services for CMS.  
  • “The notification comes following discovery of a security vulnerability in the MOVEit software, a third-party application developed by Progress Software and used by WPS for the transfer of files in providing services to CMS. WPS is among many organizations in the United States that have been impacted by the MOVEit vulnerability. The security incident may have impacted PII of Medicare beneficiaries that was collected in managing Medicare claims as well as PII collected to support CMS audits of healthcare providers that some individuals who are not Medicare beneficiaries have visited to receive health care services.
  • “CMS and WPS are mailing written notifications to 946,801 current people with Medicare whose PII may have been exposed, informing them of the breach and explaining actions being taken in response.”

• Cybersecurity Dive reports,
  • “Federal authorities in the U.S. and nine other countries warn that threat groups affiliated with Russia’s military intelligence service are targeting global critical infrastructure and key resource sectors, according to a joint cybersecurity advisory released Thursday. 
  • “Threat groups affiliated with a specialist unit of the Russian General Staff Main Intelligence Directorate have targeted government services, financial services, transportation systems, energy, and healthcare sectors of NATO members and countries in Europe, Central America and Asia, officials said in the advisory.
  • “To date, the FBI has observed more than 14,000 instances of domain scanning across at least 26 NATO members and several additional EU countries,” authorities said in the advisory. The attackers have defaced victim websites, scanned infrastructure, and exfiltrated and leaked stolen data.”

• The Cybersecurity and Infrastructure Security Agency added three known exploited vulnerabilities to its catalog:
  • September 3, 2024
    • CVE-2021-20123 Draytek VigorConnect Path Traversal Vulnerability
    • CVE-2021-20124 Draytek VigorConnect Path Traversal Vulnerability
    • CVE-2024-7262 Kingsoft WPS Office Path Traversal Vulnerability

• Dark Reading adds,
  • “This week the US Cybersecurity and Infrastructure Security Agency (CISA) warned about two new industrial control systems (ICS) vulnerabilities in products widely used in healthcare and critical manufacturing — sectors prone to attract cybercrime.
  • “The vulnerabilities affect Baxter’s Connex Health Portal and Mitsubishi Electric’s MELSEC line of programmable controllers. Both vendors have issued updates for the vulnerabilities and recommended mitigations that customers of the respective technologies can take to further mitigate risk.”

• Per Cybersecurity Dive,
  • “Just over half of businesses in the U.S. and U.K. have been targets of a financial scam powered by “deepfake” technology, with 43% falling victim to such attacks, according to a survey by finance software provider Medius.
  • “Of the 1,533 U.S. and U.K. finance professionals polled by Medius, 85% viewed such scams as an “existential” threat to their organization’s financial security, according to a report on the findings published last month. Deepfakes are artificial intelligence-manipulated images, videos, or audio recordings that are bogus yet convincing.
  • “More and more criminals are seeing deepfake scams as an effective way to get money from businesses,” Ahmed Fessi, chief transformation and information officer at Medius, said in an interview. These scams “combine phishing techniques with social engineering, plus the power of AI.”

From the ransomware front,

• Tech Radar points out,
  • “Research from Searchlight Cyber has shown the number of ransomware groups that operated in the first half of 2024 rose to 73, up from 46 in the same period of 2023. The findings suggest law enforcement’s efforts to curb cyber criminal groups have seen some success, especially in disrupting the operations of notorious group BlackCat, which has since dissolved.
  • “Groups were targeted by law enforcement in ‘Operation Cronos’, which facilitated the arrests of two people, took down 28 servers, obtained 1,000 decryption keys, and froze 200 crypto accounts – all linked to the infamous LockBit organization.
  • “Although the number of groups has risen, the number of victims has fallen, which indicates a potential diversification rather than growth of ransomware groups. Other Ransomware as a Service (RaaS) groups such as RansomHub and BlackBasta have become more active, complicating the landscape for cyber security.

• Tripwire fills us in about Cicada ransomware.

• ‘Per Cybersecurity Dive,
  • “A previously disclosed cyberattack at Halliburton disrupted parts of its operations and information was stolen in connection with the incident, the company said in a filing with the Securities and Exchange Commission Tuesday. 
  • “Halliburton discovered the attack in late August and immediately shut off certain services as a proactive measure. It continues to offer its products and services across the globe, the company said.
  • “The Houston company has incurred and will continue to incur certain expenses related to the attack. However, it does not expect the attack to have a material impact on its financial condition or results of operations.”

From the cybersecurity defenses front,

• The Wall Street Journal reports,
  • “Cybersecurity professionals are reporting modest budget increases amid the need to defend against new hacking threats and secure emerging technologies such as artificial intelligence.
  • “Spending on cybersecurity is rising 8% this year, compared with 6% in 2023, according to a survey of chief information security officers published Thursday by cybersecurity consulting firm IANS and recruiting company Artico Search. The survey polled 755 CISOs from April into August, with 681 completing its budget section.
  • “Despite the small improvement, security spending is growing at a lower rate than the 17% increase in 2022. Still, the shift indicates a gradual recovery after companies slowed cyber spending and in some cases froze hiring after the pandemic, said Steve Martano, an Artico partner and IANS faculty member. 
  • “People are feeling more optimistic than they were six months ago,” Martano said, adding that more cybersecurity leaders are seeing small budget increases and there are signs the security job market will improve.”

• Dark Reading offers a commentary on “How CISOs Can Effectively Communicate Cyber-Risk. A proximity resilience graph offers a more accurate representation of risk than heat maps and risk registers,and allows CISOs to tell a complex story in a single visualization.”

• ISACA offers a commentary on “The Never-ending Quest: Why Continuous Monitoring is Crucial for Cybersecurity.”

• If you work for or represent a small or medium sized HIPAA covered entity or business associate, you may want to “register for an introductory webinar [to held on September 10 at noon ET and September 11 at 3 pm] on the free Security Risk Assessment Tool (SRA Tool) hosted by Altarum with the U.S. Department of Health and Human Services Office for Civil Rights (OCR) and the Assistant Secretary for Technology Policy (ASTP). The webinar will also feature changes in SRA Tool version 3.5, available in September 2024.”

• Security Week shares a discussion between CSOs Jaya Baloo from Rapid7 and Jonathan Trull from Qualys about the route, role, and requirements in becoming and being a successful CISO.

From the cybersecurity policy front,

• Cybersecurity Dive reports,
  • “The Cybersecurity and Infrastructure Security Agency introduced an online portal Thursday [August 29] for organizations to voluntarily report malicious cyberattacks, vulnerabilities and data breaches. 
  • “The CISA services portal is a secure platform that provides enhanced functionality and collaboration features, including the ability to save and update incident reports, share submitted reports with colleagues or clients and search for reports. Users can also have informal discussions with CISA through the portal.
  • “An organization experiencing a cyberattack or incident should report it — for its own benefit, and to help the broader community,” Jeff Greene, executive assistant director for cybersecurity at CISA, said in a statement. “CISA and our government partners have unique resources and tools to aid with response and recovery, but we can’t help if we don’t know about an incident.”

• Per FedScoop,
  • “Federal agencies are counting down the days until September 30 to meet a combination of zero-trust cybersecurity requirements. The requirements are part of a multi-year strategy by the Office of Management and Budget (OMB) to apply various cybersecurity techniques to safeguard federal agency users, networks, devices and data.
  • “One of the more vexing requirements, according to a new report, includes provisions to inventory and monitor the increasingly complex IT landscape involving not just traditional IT but also an ever-expanding array of operating technologies (OT) and the Internet of Things (IoT). The convergence of data and applications linked to IT, OT and IoT devices has introduced a new era of security risks that OMB has tasked agencies to address.
  • “The widespread adoption of OT devices not only expands the number and diversity of assets agencies must manage but also the range of vulnerabilities they need to address,” explains a new report commissioned for FedScoop and underwritten by Asc3nd Technologies Group. “More to the point: Linking OT data and devices to IT systems creates new pathways for cyberattacks that adversaries are exploiting with increasing frequency.”
  • “To address those and related risks, OMB directive M-24-04 requires agencies, among other things, to put tools and measures in place that provide a comprehensive understanding of all devices connected to their networks. They must also be prepared to provide detailed asset reports to the Cybersecurity and Infrastructure Agency (CISA) within 72 hours.”

• The Wall Street Journal adds,
  • As cyberattacks plague companies across all industries and cause headaches for consumers, regulators are demanding that victims report hacks in short time periods—and the rules are rarely consistent, creating a compliance nightmare.
  • In addition to widely publicized rules such as those brought into force by the U.S. Securities and Exchange Commission in December 2023, many companies must also comply with other federal demands, rules from state regulators and industry-specific requirements. * * *
  • “Health insurer Blue Cross Blue Shield Association, for instance, said in its response [to CISA proposed Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) rule] that healthcare companies may need to report incidents under the Health Insurance Portability and Accountability Act, the Federal Trade Commission’s rules on data privacy, the SEC’s rules and CIRCIA, once that rule is final.  
  • “Four separate standards with similar but slightly different compliance expectations would impose an unreasonable burden with marginal benefit towards improving cybersecurity as compared to having a single, harmonized standard,” said Kris Haltmeyer, the association’s vice president of policy analysis.”

From the cyber vulnerabilities and breaches front,

• Dark Reading points out,
  • “Multiple exploit campaigns linked to a Russian-backed threat actor (variously known as APT29, Cozy Bear, and Midnight Blizzard) were discovered delivering n-day mobile exploits that commercial spyware vendors have used before.
  • “According to Google’s Threat Analysis Group (TAG), the exploit campaigns were delivered “from a watering hole attack on Mongolian government websites,” and each one is identical to exploits previously used by commercial surveillance vendors (CSVs) Intellexa and NSO Group. That suggests, as the researchers at Google TAG note, that the authors and/or providers are the same. * * *
  • “The researchers go on to add that though there are still outstanding questions as to how the exploits were acquired, this does highlight how exploits developed first by the commercial surveillance industry become even more of a threat as threat actors come across them.” 

• Cyberscoop adds,
  • “Online scam cycles have gotten significantly shorter and more effective over the past four years, as cybercriminals increasingly favor smaller, simpler, faster and more targeted campaigns that can yield higher revenues over the long term.
  • “The findings, from a mid-year cybercrime report released Thursday by Chainalysis, show that scammers are refreshing their online and blockchain-based infrastructure faster than ever before.
  • “For instance, a huge chunk of all scam revenues being tracked by Chainalysis on the blockchain (43%) were sent to wallets that only became active over the past year — something the company said suggests a surge of newly created scamming campaigns.
  • “That’s significantly larger than any other observed year — the previous high was 29.9% in 2022 — and it has coincided with what Chainalysis described as a concerted effort by criminals to dramatically shrink the time they spend on one spam campaign before moving onto another.”

• CISA added three known exploited vulnerabilities to its catalog this week.
  • August 26, 2024 — CVE-2024-7971 Google Chromium V8 Type Confusion Vulnerability
  • August 27, 2024 — CVE-2024-38856. Apache OFBiz Incorrect Authorization Vulnerability
  • August 28, 2024 — CVE-2024-7965. Google Chromium V8 Inappropriate Implementation Vulnerability

From the CrowdStrike outage front,

• Cybersecurity Dive informs us,
  • “The financial impact from last month’s ill-fated CrowdStrike Falcon sensor update that caused a global IT network outage will continue through the first half of 2025, company executives said Wednesday during an earnings call.
  • “Executives warned investors of temporary delays in its sales pipeline generation, longer sales cycles due to increased scrutiny from new and existing customers and muted upsell potential.
  • “CrowdStrike expects an impact of about $60 million in net new annual recurring revenue and subscription revenue due to what it dubbed its “customer commitment packages,” discounts it’s offering some customers through the second half of this year, CFO Burt Podbere said during the Wednesday earnings call for the company’s fiscal 2025 second quarter, which ended July 31. “When we get to the back half of next year, we’ll start to see an acceleration in the business.”

From the ransomware front,

• The American Hospital Association News reports,
  • “The FBI, Cybersecurity and Infrastructure Agency and the Department of Defense Cyber Crime Center Aug. 29 issued a joint advisory to warn of Iranian-based cyber actors leveraging unauthorized network access to U.S. organizations, including health care organizations, to facilitate, execute and profit from future ransomware attacks by apparently Russian-affiliated ransomware gangs. The Iranian group, which is associated with the Government of Iran, has conducted a high volume of cyberattack attempts on U.S. organizations since 2017 and as recently as August 2024. Based on an FBI assessment, the cyber actors obtain network access for espionage reasons then collaborate with ransomware groups, including the notorious Russian-linked ransomware groups RansomHub and APLHV aka BlackCat, to execute ransomware attacks against the espionage target. BlackCat was responsible for the 2024 Change Healthcare ransomware attack, the largest and most consequential cyberattack in U.S. history. The advisory does not indicate if the Iranian actors had any role in the Change Healthcare attack but does state that the Iranian group’s ransomware activities are not likely sanctioned by the Government of Iran.
  • “The joint advisory provides tactics, techniques, procedures, and indicators of compromise obtained from FBI investigations and third-party reporting. The federal agencies urge organizations to apply the recommendations in the mitigations section of the advisory to reduce the likelihood of compromise from these Iranian-based cyber actors and other ransomware attacks.
  • “This alert demonstrates the close ‘international cooperation’ between hackers to exploit cyber espionage campaigns for criminal profit,” said John Riggi, AHA national advisor for cybersecurity and risk. “This alert also demonstrates the nation-state level sophistication and expertise of the ransomware groups that target U.S. health care. No health care organization, regardless of their cybersecurity preparedness, can be expected to fully defend against a group of nation-state-trained hackers collaborating with sophisticated ransomware gangs. Clearly, the initial access leading to a subsequent ransomware attack, sanctioned or not, is state-sponsored. We strongly encourage the U.S. government to treat these attacks as national security threats, by policy and action, and impose significant risk and consequences on our cyber adversaries. Offense is the best defense.”
  • “Although there is no specific threat information at this time, the field is reminded to remain especially vigilant over the holiday weekend, as we have historically seen increased targeting of health care around the holidays.”

• Bleeping Computer adds,
  • “The RansomHub ransomware gang is behind the recent cyberattack on oil and gas services giant Halliburton, which disrupted the company’s IT systems and business operations.
  • “The attack caused widespread disruption, and Bleeping Computer was told that customers couldn’t generate invoices or purchase orders because the required systems were down.
  • “Halliburton disclosed the attack last Friday in an SEC filing, stating they suffered a cyberattack on August 21, 2024, by an unauthorized party.

• Cybersecurity Dive reports,
  • “Volt Typhoon, a prolific state-linked threat actor, is exploiting a zero-day vulnerability in Versa Director servers in a campaign targeting internet service providers, managed service providers and other technology firms, researchers from Black Lotus Labs warned in a blog post Tuesday.
  • “The vulnerability, listed as CVE-2024-39717, allows users to upload files that are potentially malicious and gives them advanced privileges. 
  • “Black Lotus Labs researchers identified a custom webshell, which they call VersaMem, that is designed to intercept and harvest credentials and allow an attacker to gain access to a downstream computer network as an authenticated user. 

From the cybersecurity defenses front,

• Per a NIST press release,
  • “[On August 29], the U.S. Artificial Intelligence Safety Institute at the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) announced agreements that enable formal collaboration on AI safety research, testing and evaluation with both Anthropic and OpenAI.
  • “Each company’s Memorandum of Understanding establishes the framework for the U.S. AI Safety Institute to receive access to major new models from each company prior to and following their public release. The agreements will enable collaborative research on how to evaluate capabilities and safety risks, as well as methods to mitigate those risks. 
  • “Safety is essential to fueling breakthrough technological innovation. With these agreements in place, we look forward to beginning our technical collaborations with Anthropic and OpenAI to advance the science of AI safety,” said Elizabeth Kelly, director of the U.S. AI Safety Institute. “These agreements are just the start, but they are an important milestone as we work to help responsibly steward the future of AI.”
  • “Additionally, the U.S. AI Safety Institute plans to provide feedback to Anthropic and OpenAI on potential safety improvements to their models, in close collaboration with its partners at the U.K. AI Safety Institute.” 

• Per Dark Reading, “Ransomware attacks and email-based fraud account for 80% to 90% of all claims processed by cyber insurers, but a handful of cybersecurity technologies can help prevent big damages.” Check it out.
  
  

From the CrowdStrike outage front,

• TechTarget offers lessons learned from the CrowdStrike outage.

• Cybersecurity Dive includes an opinion piece from Deepak Kumar, the founder and CEO of Adaptiva.
  • “Patching remains a top priority for every organization, but slow, manual, and reactive patching presents far more risk than benefit. Automated patching without the capability to pause, cancel, or roll back can be reckless and lead to disruptions or worse. 
  • “Automated patching, with the necessary controls, is undoubtedly the best path forward, offering the speed needed to thwart bad actors and the control required to prevent an errant update from causing widespread issues.”

From the cybersecurity policy front,

• Cyberscoop informs us,
  • “Federal contractors would be required to implement vulnerability disclosure policies that align with National Institute of Standards and Technology guidelines under a bipartisan Senate bill introduced last week.
  • “The Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024 from Sens. Mark Warner, D-Va., and James Lankford, R-Okla., is a companion to legislation from Rep. Nancy Mace, R-S.C., which was advanced by the House Oversight Committee in May.
  • “The bill from Warner and Lankford on vulnerability disclosure policies (VDPs) aims to create a structure for contractors to receive reports of vulnerabilities in their products and then act against them before an attack occurs.
  • “VDPs are a crucial tool used to proactively identify and address software vulnerabilities,” Warner said in a statement. “This legislation will ensure that federal contractors, along with federal agencies, are adhering to national guidelines that will better protect our critical infrastructure, and sensitive data from potential attacks.”

• Cybersecurity Dive reports from the Black Hat cybersecurity conference held at Las Vegas in the first week of August,
  • Despite a stream of devastating cyberattacks or mistakes that halt or disrupt large swaths of the economy, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, says the war against malicious activity is not lost.
  • It is possible to elevate organizations’ ability to repel or mitigate attacks and place a greater emphasis on vendors’ responsibilities, Easterly said Wednesday during a media briefing at Black Hat. “We got ourselves into this, we have to get ourselves out,” she said.
  • Easterly’s optimism isn’t the result of blind trust. “We have made enormous progress, even just over the past several years,” she said.” * * *
  • “We have to recognize that the cybersecurity industry exists because technology vendors for decades have been allowed to create defective, flawed, insecure software that prioritizes speed to market features over security,” Easterly said. 
  • “There is more we can do but that’s where the war will be won,” Easterly said. “If we put aside the threat actors and we put aside the victims and we talk about the vendors.”
• and
  • It’s time to stop thinking of threat groups as supervillains, experts say
  • “These villains do not have superpowers. We should not treat them like they do,” * * *
  • “The vast majority of organizations don’t have the time or resources to keep up with the chaos of tracking cybercriminal groups, Andy Piazza, senior director of threat intel at Palo Alto Networks Unit 42, said in an interview at Black Hat.
  • “You as a defender shouldn’t care about that,” Piazza said. Defenders can better serve their organizations by developing capabilities to detect and respond to malicious tactics, techniques and procedures, Piazza said.
  • “It’s hard to ignore the drama when groups are given names like Scattered Spider, Midnight Blizzard and Fancy Bear, but mythologizing the criminals responsible for cyberattacks can diminish defenders’ ability to detect and thwart malicious activity.”
    
• FedScoop lets us know,
  • “The National Institute of Standards and Technology has officially released three new encryption standards that are designed to fortify cryptographic protections against future cyberattacks by quantum computers.
  • “The finalized standards come roughly eight years after NIST began efforts to prepare for a not-so-far-off future where quantum computing capabilities can crack current methods of encryption, jeopardizing crucial and sensitive information held by organizations and governments worldwide. Those quantum technologies could appear within a decade, according to a RAND Corp. article cited by NIST in the Tuesday announcement.
  • “Quantum computing technology could become a force for solving many of society’s most intractable problems, and the new standards represent NIST’s commitment to ensuring it will not simultaneously disrupt our security,” Laurie E. Locascio, director of the Department of Commerce’s NIST and undersecretary of commerce for standards and technology, said in a statement. “These finalized standards are the capstone of NIST’s efforts to safeguard our confidential electronic information.”
  • “The new standards provide computer code and instructions for implementing algorithms for general encryption and digital signatures — algorithms that serve as authentication for an array of electronic messages, from emails to credit card transactions.”

• Federal News Network adds,
  • “CISA Director Jen Easterly said in a keynote at The White House Office of Management and Budget will soon direct agencies to map out plans for adopting post-quantum encryption to protect their most sensitive systems and data.
  • “Federal Chief Information Office Clare Martorana said the new guidance will help agencies begin to adopt new cryptographic standards from the National Institute of Standards and Technology.
  • “We will be releasing guidance directing agencies to develop a prioritized migration plan to ensure that the most sensitive systems come first,” Martorana said during an event hosted by the White House today. “We can’t do it alone. It’s critical that we continue to foster robust collaboration and knowledge sharing between public and private sectors, which is why conversations like the one we’re having today are so incredibly critical.”

From the cybersecurity vulnerabilities and breaches front,

• The Cybersecurity and Infrastructure Security Administration (CISA) added seven known exploited vulnerabilities (KEV) to its catalog this week. NIST initially identifies the KEVs, which explains the Senate bill discussed above, and then CISA publicizes those KEVs in its catalog
  • August 13, 2024,
    • CVE-2024-38189 Microsoft Project Remote Code Execution Vulnerability
    • CVE-2024-38178 Microsoft Windows Scripting Engine Memory Corruption Vulnerability
    • CVE-2024-38213 Microsoft Windows SmartScreen Security Feature Bypass Vulnerability
    • CVE-2024-38193 Microsoft Windows Ancillary Function Driver for WinSock Privilege Escalation Vulnerability
    • CVE-2024-38106 Microsoft Windows Kernel Privilege Escalation Vulnerability
    • CVE-2024-38107 Microsoft Windows Power Dependency Coordinator Privilege Escalation Vulnerability
  • Security Week discusses these Microsoft KEVs.
  • August 15, 2024,
    • CVE-2024-28986 SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
  • Cybersecurity Dive adds,
    • SolarWinds is urging customers to patch a critical vulnerability in its Web Help Desk application, in a Tuesday advisory, which was last updated Friday.
    • The company disclosed a java deserialization remote code execution vulnerability that, if successfully exploited, could allow an attacker to run commands on a host machine. The vulnerability, listed as CVE-2024-28986, has a CVSS score of 9.8.
    • The Cybersecurity and Infrastructure Security Agency on Thursday added the CVE to its Known Exploited Vulnerabilities catalog. 

• Cybersecurity Dive notes,
  • “A vulnerability in the common log file system of Microsoft Windows can lead to the blue screen of death, impacting all versions of Windows 10 and Windows 11, researchers from Fortra said Monday.  
  • “The vulnerability, listed as CVE-2024- 6768, is caused by improper validation of specified quantities of input data, according to a report by Fortra. The vulnerability can result in an unrecoverable inconsistency and trigger a function called KeBugCheckEx, leading to the blue screen. 
  • “A malicious hacker can exploit the flaw to trigger repeated crashes, disrupting system operations and the potential loss of data, according to Fortra.”

• TechTarget explains why “recent cyberattacks against OneBlood and McLaren Health Care shed light on the operational challenges that targeted organizations face.”

From the ransomware front,

• A Dark Reading commentator explains that to avoid losing the ransomware battle, companies that are “institutionalizing and sustaining fundamental cybersecurity practices” also must “commit to ongoing vigilance, active management, and a comprehensive understanding of evolving threats.”
  • “The challenge of institutionalizing and sustaining fundamental cybersecurity practices is multifaceted. It requires a commitment to ongoing vigilance, active management, and a comprehensive understanding of evolving threats. However, by addressing these challenges head-on and ensuring that cybersecurity practices are implemented, measured, and maintained with rigor, organizations can better protect themselves against the ever-present threat of ransomware attacks. Focusing on the basics first — such as implementing foundational controls like 2FA, fostering maintenance skills to integrate IT and security efforts, and adopting performance management practices — can lead to significant improvements in cybersecurity, providing robust protection with less investment.”

• Cybersecurity Dive points out,
  • “Cyber risk company Resilience said in a report unveiled Tuesday that ransomware has remained a top threat since January 2023, with 64% of related claims in its portfolio resulting in a loss during that period.
  • “Increased merger-and-acquisition activity and reliance on ubiquitous software vendors created new opportunities for threat actors to unleash widespread ransomware campaigns by exploiting a single point of failure, the report said.
  • “Now more than ever, we need to rethink how the C-suite approaches cyber risk,” Resilience CEO Vishaal Hariprasad said in a press release. “Businesses are interconnected like never before, and their resilience now depends on that of their partners and others in the industry.”

• Per Bleeping Computers,
  • “RansomHub ransomware operators are now deploying new malware to disable Endpoint Detection and Response (EDR) security software in Bring Your Own Vulnerable Driver (BYOVD) attacks.
  • “Named EDRKillShifter by Sophos security researchers who discovered it during a May 2024 ransomware investigation, the malware deploys a legitimate, vulnerable driver on targeted devices to escalate privileges, disable security solutions, and take control of the system.
  • “This technique is very popular among various threat actors, ranging from financially motivated ransomware gangs to state-backed hacking groups.”
• and
  • “Background check service National Public Data confirms that hackers breached its systems after threat actors leaked a stolen database with millions of social security numbers and other sensitive personal information. 
  • “The company states that the breached data may include names, email addresses, phone numbers, social security numbers (SSNs), and postal addresses.”

From the cybersecurity defenses front,

• The American Hospital Association’s National Advisor for Cybersecurity and Risk, John Riggi, explains how healthcare entities should prepare for third party cyber risk.

• The Wall Street Journal shares remarks from a June 2024 WSJ conference on what can be learned from the Change Healthcare cyber-attack. “Two security experts explain why the hack affected so many institutions and people—and what could be done to protect the healthcare system.”

• For several months, the FEHBlog has not been able to access the HHS 405(d) program website. Magically this week, he regained access. Here is a link to the program’s July 2024 post which concerns the urgent need for data security in healthcare AI.