From the CrowdStrike outage front,

• Dark Reading reports,
  • The CrowdStrike update that hobbled businesses, disrupted consumer travel plans, and took French and British broadcasters offline has predictably led to a host of lawsuits filed by investors and customers of both CrowdStrike and other affected companies.
  • Yet the incident could lead to another destination: software liability.
  • The overall consensus among legal experts is that CrowdStrike is likely protected by its terms and conditions from reimbursing customers for more than they paid for the product, limiting its software liability in what the company now refers to as “the Channel File 291 Incident.” However, the fact that affected businesses and consumers have little recourse to recover damages will likely lend momentum to legislation and state regulations to hold firms responsible for such chaos, says Chinmayi Sharma, associate professor of law at Fordham University.

• Cybersecurity Dive lets us know,
  • “A mismatched software update in CrowdStrike’s Falcon sensor led to the crash that caused a global IT outage of millions of Microsoft Windows systems on July 19, the company said Tuesday. 
  • “CrowdStrike, in a root cause analysis report, said the Falcon sensor expected 20 input fields in a rapid response content update, but the software update actually provided 21 input fields. The mismatch resulted in an out-of-bounds memory read, leading to the system crash. 
  • “We are using lessons learned from this incident to better serve our customers,” CrowdStrike CEO George Kurtz said in a statement Tuesday. “To this end, we have already taken decisive steps to prevent this situation from repeating, and to help ensure that we – and you – become even more resilient.”
• and
  • “CrowdStrike is in talks to acquire Action1, a Houston-based patch management and vulnerability specialist. The agreement being discussed would value the company at nearly $1 billion, according to a memo sent to Action1 employees. 
  • “Action1 Co-Founder and CEO Alex Vovk sent a memo to employees Wednesday confirming the discussions, after speculation around the talks gained within the company. A spokesperson for Action1 confirmed the authenticity of the memo to Cybersecurity Dive Friday. 
  • “This proves that Action1 is in a rapidly growing market and explains why Action1 is experiencing hypergrowth and is on track to soon reach $100M AAR,” Vovk wrote in the memo.” 

From the cybersecurity policy front,

• Per Cybersecurity Dive,
  • “For Cybersecurity and Infrastructure Security Agency Director Jen Easterly the doomed CrowdStrike software update that took global IT systems and networks offline last month holds a “big lesson” for critical infrastructure.
  • “The CrowdStrike incident was such a terrible incident,” Easterly said Wednesday during a media briefing at Black Hat, but “it was a useful exercise, like a dress rehearsal for what China may want to do to us.”
  • “The outage was not the result of a malicious act, but rather a basic field input error that caused an out-of-bounds memory read. Yet, to Easterly, the widespread chaos it caused offers a clear example of what could occur if China-affiliated attackers make good on its efforts to cause systemic disruption to U.S. critical infrastructure.
  • “When Easterly learned of the outage, around 2 a.m. on July 19: “What was going through my mind was ‘oh, this is exactly what China wants to do.’”

• Per Cyberscoop,
  • “Jen Easterly, the head of the Cybersecurity and Infrastructure Security Agency, told attendees at the Black Hat security conference on Thursday that delivering major improvements in computer security will require a sea change in how companies approach building software. 
  • “Amid an epidemic of breaches, Easterly laid the blame squarely at the feet of the technology industry. “We don’t have a cybersecurity problem. We have a software quality problem,” she said. 
  • “We have a multi-billion dollar cybersecurity industry because for decades, technology vendors have been allowed to create defective, insecure, flawed software,” Easterly said in her remarks.
  • “To address that issue, Easterly and CISA have launched a secure by design pledge, the signatories of which commit to a series of principles to improve the security of how products are developed and deployed. Easterly said 200 companies have now signed that pledge since its launch in March.”   

• To that end, this week, CISA and the FBI posted their “Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem.” Here’s a link to the federal government’s Internet Complaint Center supplement guidance on this effort.

• Cyberscoop also tells us,
  • “A year after asking the hacker community how they can better help protect the open source software that is the foundation of the digital economy, the White House is looking to better secure the ecosystem through a new office dedicated to study such components in critical infrastructure.
  • “The Office of the National Cyber Director released new details Friday on several projects aimed at securing open source software. The report comes a year after the office asked attendees at DEF CON in 2023 to contribute to a request for information around how to better focus on securing open source software.
  • “The new office runs out of the Department of Homeland Security and will examine the prevalence of open source software present in critical infrastructure and how to secure it, said Nasreen Djouini, senior policy advisor at the Office of the National Cyber Director. The program will have the support of the Department of Energy’s national labs, including at Los Alamos and Lawrence Livermore.”

From the cybersecurity vulnerabilities and breaches front,

• Again, per Cyberscoop,
  • “An Israeli cybersecurity firm has identified a zero-day vulnerability affecting major web browsers that could allow attackers to bypass normal browser security measures and potentially breach local networks.
  • “The flaw, discovered by Oligo Security, was found in how browsers handle network requests. 
  • “In summary, devices read IP addresses to connect users to websites, with 0.0.0.0 serving as a placeholder until a real address is assigned. Oligo researchers found that a would-be attack can exploit how browsers like Apple’s Safari, Google’s Chrome and Mozilla’s Firefox handle queries to 0.0.0.0, redirecting them to other addresses such as ‘localhost,’ which is typically private. 
  • “This exploit allows attackers to access private data by sending requests to 0.0.0.0. Attackers could then perform all types of nefarious actions, gaining unauthorized access and executing remote code on locally running programs, which could impact development platforms, operating systems and internal networks.
  • Oligo has dubbed the vulnerability “0.0.0.0 day,” and wrote in a blog post that it considers it to be “far-reaching, affecting individuals and organizations alike.”

• Here are the known exploited vulnerabilities that CISA added to its catalog this week,
  • August 5, 2024: CVE-2018-0824 Microsoft COM for Windows Deserialization of Untrusted Data Vulnerability
  • August 7, 2024, CVE-2024-36971 Android Kernel Remote Code Execution Vulnerability, and CVE-2024-32113 Apache OFBiz Path Traversal Vulnerability

• Security Week points out,
  • The US cybersecurity agency CISA on Thursday informed organizations about threat actors targeting improperly configured Cisco devices.
  • The agency has observed malicious hackers acquiring system configuration files by abusing available protocols or software, such as the legacy Cisco Smart Install (SMI) feature. 
  • This feature has been abused for years to take control of Cisco switches and this is not the first warning issued by the US government. 

From the ransomware front,

• Per a CISA press release,
  •  “CISA—in partnership with the Federal Bureau of Investigation (FBI)—released an update to joint Cybersecurity Advisory #StopRansomware: Royal Ransomware, #StopRansomware: BlackSuit (Royal) Ransomware. The updated advisory provides network defenders with recent and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with BlackSuit and legacy Royal activity. FBI investigations identified these TTPs and IOCs as recently as July 2024.
  • “BlackSuit ransomware attacks have spread across numerous critical infrastructure sectors including, but not limited to, commercial facilities, healthcare and public health, government facilities, and critical manufacturing.
  • “CISA encourages network defenders to review the updated advisory and apply the recommended mitigations. See #StopRansomware for additional guidance on ransomware protection, detection, and response. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.”

• Per Bleeping Computer,
  • ‘​On Tuesday (August 6], IT and phone systems at McLaren Health Care hospitals were disrupted following an attack linked to the INC Ransom ransomware operation.
  • “McLaren is a non-profit healthcare system with annual revenues of over $6.5 billion, which operates a network of 13 hospitals across Michigan supported by a team of 640 physicians. It also has over 28,000 employees and works with 113,000 network providers throughout Michigan, Indiana, and Ohio.
  • “While McLaren Health Care continues to investigate a disruption to our information technology system, we want to ensure our teams are as prepared as possible to care for patients when they arrive,” a statement on the health system’s website reads.”

From the cybersecurity defenses front,

• TechTarget identifies
  • Five key capabilities for effective cyber-risk management,
• and explains how
  • DSPM technologies have help organizations take a proactive approach to monitoring data stores continuously, and in the case of a breach, assess the magnitude quickly and accurately.

• Dark Reading writes about how
  • “Enterprises are implementing Microsoft’s Copilot AI-based chatbots at a rapid pace, hoping to transform how employees gather data and organize their time and work. But at the same time, Copilot is also an ideal tool for threat actors.
  • “Security researcher Michael Bargury, a former senior security architect in Microsoft’s Azure Security CTO office and now co-founder and chief technology officer of Zenity, says attackers can use Copilot to search for data, exfiltrate it without producing logs, and socially engineer victims to phishing sites even if they don’t open emails or click on links.
  • The article explains how to avoid such attacks.

From the CrowdStrike front,

• Dark Reading explains why the CrowdStrike outage should be a wakeup call for cybersecurity experts. “The incident serves as a stark reminder of the fragility of our digital infrastructure. By adopting a diversified, resilient approach to cybersecurity, we can mitigate the risks and build a more secure digital future.”

• Cybersecurity Dive reports,
  • “After CrowdStrike outage, what will become of automatic IT updates? Blind enterprise trust in software updates is the latest symptom of a race toward IT automation.” FEHBlog observation: Good question.
• and
  • Federal officials said the global IT outage stemming from a faulty CrowdStrike software update is raising prior concerns about the security of the software supply chain. 
  • The U.S. Government Accountability Office released a report Tuesday [July 30] noting the July 19 outage, which led to the disruption of 8.5 million Microsoft Windows systems. The CrowdStrike incident resurrected concerns raised during the state-linked supply chain attack against SolarWinds in 2020, according to the GAO. 
  • The CrowdStrike incident highlights specific warnings about memory safety issues in software development, the White House said on Thursday. The remarks build on a February report that raised questions about the link between memory safety issues and software vulnerabilities. 
• and
  • “The global IT outage stemming from a faulty CrowdStrike software update will lead to cyber insurance losses primarily driven by business interruption claims, Moody’s Ratings said in a report released Monday. 
  • “Businesses are expected to make claims under “systems failure” provisions, coverage that is becoming standard for cyber insurance policies, because the incident was not considered a malicious attack. Moody’s said insured organizations will link claims to direct business losses as well as contingent losses of third-party vendors. 
  • “The outage is likely to spur larger reviews of underwriting, with a focus on systems failure, according to Moody’s. The outage has already raised concerns about the risk of single points of failure, as lone organizations with a vast footprint can bring down operations across so many critical industries.”

From the cybersecurity policy front,

• Cyberscoop lets us know,
  • “Cybersecurity legislation aimed at unscrambling regulations, strengthening health system protections and bolstering the federal workforce sailed through a key Senate committee Wednesday [July 31], moving the trio of bipartisan bills to future consideration before the full chamber.
  • “The Senate Homeland Security and Governmental Affairs Committee voted first on the Streamlining Federal Cybersecurity Regulations Act, a bill co-sponsored by committee Chair Gary Peters, D-Mich., and Sen. James Lankford, R-Okla., that seeks to streamline the country’s patchwork of federal cyber rules. 
  • “The bill would harmonize federal cyber requirements for the private sector, which has long been critical about conflicting rules imposed by agencies. A committee made up of the national cyber director, the chief of the Office of Management and Budget’s Office of Information and Regulatory Affairs, the heads of each federal regulatory agency and other government leaders as determined by the chair would be charged with identifying cyber regulations deemed “overly burdensome, inconsistent, or contradictory” and recommending updates accordingly.
  • “Also moving forward Wednesday was the Healthcare Cybersecurity Act from Sens. Jacky Rosen, D-Nev., Todd Young, R-Ind., and Angus King, I-Maine. The legislation, which came in the aftermath of the February ransomware attack on the payment processor Change Healthcare, calls on the Cybersecurity and Infrastructure Security Agency to collaborate with the Department of Health and Human Services on cyber defenses, providing resources to non-federal entities connected to threat indicators.” * * *
  • “The final cyber bill headed to the full Senate is the Federal Cyber Workforce Training Act, which tasks the national cyber director with coming up with a plan to create a centralized resource and training center for federal cybersecurity workforce development.” 

• Fedscoop tells us,
  • “Lisa Einstein, the Cybersecurity and Infrastructure Security Agency’s senior adviser for artificial intelligence, has been tapped to serve as the agency’s first chief AI officer.
  • “A Stanford and Princeton graduate who joined CISA in 2022 as executive director of its Cybersecurity Advisory Committee, Einstein will assume the CAIO role at a time when the agency is attempting to leverage the technology to advance cyber defenses and more effectively support critical infrastructure owners and operators.
  • “I care deeply about CISA’s mission — if we succeed, the critical systems that Americans rely on every day will become safer, more reliable, and more capable. AI tools could accelerate our progress,” Einstein said in a statement. “But we will only reap their benefits and avoid harms from their misapplication or abuse if we all work together to prioritize safety, security, and trustworthiness in the development and deployment of AI tools.” 
• and
  • “The White House issued final FedRAMP modernization guidance Friday [July 26, 2024] as a response to cloud market changes and agency needs for more diverse mission delivery.
  • “The final guidance, previewed by FedScoop before its official release, aims to reform the cloud security authorization program by increasing focus on several strategic goals, such as enabling FedRAMP to conduct “rigorous reviews” and requiring cloud service providers (CSPs) to quickly mitigate any security architecture weaknesses to protect federal agencies from the most “salient threats.” The Office of Management and Budget began accepting public comments on a draft version of the guidance last fall.
  • “The memo places particular emphasis on a program to establish an automated process for intaking, using and reusing security assessments and reviews to reduce the burden on participants and speed up the implementation process for cloud solutions.” 

• The National Institute of Standards and Technology published on July 30, 2024,
  • “NIST Special Publication (SP) 800-231, Bugs Framework (BF): Formalizing Cybersecurity Weaknesses and Vulnerabilities, is now available. It presents an overview of the Bugs Framework (BF) systematic approach and methodologies for the classification of bugs and faults per orthogonal by operation software and hardware execution phases, formal specification of weaknesses and vulnerabilities, definition of secure coding principles, generation of comprehensively labeled weakness and vulnerability datasets and vulnerability classifications, and development of BF-based algorithms and systems.” * * *
  • Visit the Bugs Framework site at https://usnistgov.github.io/BF/.
• and announced on August 1, 2024,
  • “The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) Information Technology Laboratory (ITL) are excited to announce the return of the “Safeguarding Health Information: Building Assurance through HIPAA Security” conference for October 2024. After a 5-year absence, the conference is now returning to Washington, D.C. at the HHS Headquarters.
  • “The conference will explore the current healthcare cybersecurity landscape and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. This event will highlight the present state of healthcare cybersecurity, and practical strategies, tips, and techniques for implementing the HIPAA Security Rule. * * *
  • “Virtual registration for the event is now open and costs $50 per person. 
  • “Please visit the event web page for more details and to register for virtual attendance to the conference.

From the cybersecurity vulnerabilities and breaches front,

• Cybersecurity Dive points out,
  • “Data breaches are painfully expensive and the cost for impacted businesses has grown every year since 2020. The global average cost of a data breach is nearly $4.9 million this year, up nearly 10% from almost $4.5 million in 2023, IBM said Tuesday in its annual Cost of a Data Breach report.
  • “U.S. organizations led the world with the highest average data breach cost of almost $9.4 million, a dubious distinction it has earned for the 14th straight year. Businesses in the Middle East, the Benelux countries, Germany and Italy rounded out the top five.
  • “Healthcare was far and away the costliest industry for data breaches — as it’s been since 2011 — with an average breach cost of almost $9.8 million, the report found. That’s a decrease from last year’s $10.9 million for the sector.”  

• Security Weeks notes,
  • “HealthEquity is notifying 4.3 million individuals that their personal and health information was compromised in a data breach at a third-party vendor.
  • “The incident, the company said in a regulatory filing with the Maine Attorney General’s Office, was identified on March 25 and required an “extensive technical investigation”.
  • “Through this work, we discovered some unauthorized access to and potential disclosure of protected health information and/or personally identifiable information stored in an unstructured data repository outside our core systems,” HealthEquity said.
  • “According to the company, the data was exposed after attackers compromised a vendor’s user accounts that had access to the online repository, gaining access to the information stored there.”

• Per Cybersecurity Dive,
  • “Microsoft said a DDoS attack led to an eight-hour outage Tuesday [July 30] involving its Azure portal, as well as some Microsoft 365 and Microsoft Purview services. 
  • “Microsoft said an unexpected spike in usage led to intermittent errors, spikes and timeouts in Azure Front Door and Azure Content Delivery Network. An initial investigation showed an error in the company’s security response may have compounded the impact of the outage. 
  • “Microsoft said it will have a preliminary review of the incident in 72 hours and a final review within two weeks, to see what went wrong and how to better respond.”

• CISA added the following known exploited vulnerabilities to its catalog this week.
  • “July 29, 2024
    • CVE-2024-4879 ServiceNow Improper Input Validation Vulnerability
    • CVE-2024-5217 ServiceNow Incomplete List of Disallowed Inputs Vulnerability
    • CVE-2023-45249 Acronis Cyber Infrastructure (ACI) Insecure Default Password Vulnerability
  • “July 30, 2024
    • CVE-2024-37085 VMware ESXi Authentication Bypass Vulnerability”

From the ransomware front,

• Cybersecurity Dive relates,
  • “Nearly one-third of companies that suffered a ransomware attack paid a ransom four or more times in the past 12 months to regain access to their systems, according to the 2024 Ransomware Risk Report released Tuesday by Semperis, a cybersecurity software company.
  • “This decision to pay multiple times involved 32% of attacked companies in France, Germany, the U.K. and U.S. across multiple industries, according to the survey of 900 IT and security executives.  
  • “Nearly half of the German companies queried paid four or more ransom payments, compared to one-fifth of companies in the U.S.
  • “More than a third of companies that paid the extortion demand either did not receive the decryption keys from attackers or were given corrupted keys, according to the report.”

• Per TechTarget,
  • “Blood donation nonprofit OneBlood is actively responding to a ransomware attack that is affecting its ability to operate and provide blood to hospitals at its typical volume. According to a notice posted on OneBlood’s website on July 31, 2024, the company is operating at a “significantly reduced capacity, which impacts inventory availability.”
  • “OneBlood provides blood to more than 250 hospitals in Alabama, Florida, North Carolina, South Carolina and Georgia.
  • “OneBlood is continuing to collect, test and distribute blood to hospitals at a reduced capacity. Due to these limitations, OneBlood urged eligible donors to donate blood immediately, with an urgent request for O positive, O negative and platelet donations.”

• Dark Reading notes,
  • “A Fortune 50 company paid $75 million to its cyberattackers earlier this year, greatly exceeding any other confirmed ransom payment in history. The beneficiary of the payout is an outfit called Dark Angels. And Dark Angels isn’t just effective — in some ways, the gang turns so much of what we thought we knew about ransomware on its head.
  • “Sure, there have been other big amounts forked over in the past: In 2021, Illinois-based CNA Financial was reported to have paid a then unprecedented $40 million ransom in order to restore its systems after a ransomware attack (the company never confirmed that figure). Later that year, the meat manufacturer JBS admitted to paying $11 million to end a disruption affecting its factories. Caesars Palace last year paid $15 million to make its ransomware disruption problems go away.
  • “But those figures pale in comparison against the $75 million in equivalent Bitcoin paid by the aforementioned large organization, which Zscaler chose to keep anonymous in its 2024 annual ransomware report, where the payout was first recorded. The dollar amount has also been corroborated by Chainalysis.”
• and considers whether making ransom payments illegal would result in fewer attacks?
  • “Frustration is understandable as ransomware attacks continue around the globe, but simply denying victim organizations the option of paying the ransom is neither realistic nor practical. There will always be exceptions to the law, and unanticipated repercussions could make the cure worse than the disease. Instead, an effective response will require organizations to take greater responsibility for cybersecurity and government agencies to engage in good old-fashioned police work. This strategy may not be as straightforward as a ban on ransom payments, but the war against ransomware is winnable through a comprehensive, nuanced approach.

• Security Week alerted us on July 29, 2024,
  • “Less than a week after VMware shipped patches for a critical vulnerability in ESXi hypervisors, Microsoft’s threat intel team says the flaw is being exploited by ransomware groups to gain full administrative access on domain-joined systems. 
  • “The flaw, tagged as CVE-2024-37085 with a CVSS severity score of 6.8, has already been abused by multiple known ransomware groups to deploy data-extortion malware on enterprise networks, according to a new warning from Redmond’s threat hunting teams.
  • “Strangely, Broadcom-owned VMware did not mention in-the-wild exploitation when it released patches and workarounds last week alongside warnings that it could be used by hackers to gain unauthorized access and control over ESXi hosts.”

From the cybersecurity defenses front,

• An ISACA expert discusses “Navigating the Modern CISO Landscape: Practical Strategies for Cybersecurity Success.”

• Dark Reading explains how to implement identity continuity with the NIST Cybersecurity Framework. “Having a robust identity continuity plan is not just beneficial but essential for avoiding financially costly and potentially brand-damaging outages.”

• McKinsey & Co. delves into “Generative AI in healthcare: Adoption trends and what’s next.”

From the cybersecurity policy front,

• Cybersecurity Dive lets us know,
  • “Microsoft President Brad Smith promised to move forward with significant culture changes at the tech giant as the company accepted full responsibility for its security failures, he said in testimony Thursday [June 13] before the House Committee on Homeland Security.
  • “Smith, who also serves as vice chair, testified before lawmakers Thursday in response to a blistering report from the U.S. Cyber Safety Review Board that analyzed Microsoft’s security culture following the summer 2023 hack of Microsoft Exchange Online by a state-linked threat group. 
  • “Smith was asked repeatedly during the hearing about whether Microsoft is changing its culture to encourage workers to speak up about security concerns. 
  • “We want a culture that encourages every employee to look for problems, find problems, report problems, help fix problems and then learn from the problems,” Smith said during questioning.” 

• Cyberscoop tells us,
  • “A congressional watchdog is sending a reminder to the White House that it has a long laundry list of cybersecurity regulations to address as the 2024 election draws near.
  • “The Government Accountability Office is breaking biennial tradition with the latest update to its “high-risk list,” a term the watchdog uses to denote areas that are “vulnerable to waste, fraud, abuse, or mismanagement, or in need of transformation.”
  • “Cybersecurity has been on the GAO’s high-risk list since 1997, Sarah Kaczmarek, acting managing director for GAO’s Office of Public Affairs, said during a call with reporters this week. * * *
  • “The more than 80-page report goes over four main areas: establishing a comprehensive cybersecurity strategy with effective oversight, securing federal systems and information, protecting critical infrastructure and protecting privacy and sensitive data.
  • “The White House has yet to implement 567 out of 1,610 cybersecurity-related recommendations the government watchdog has issued since 2010, according to the report.
  • “A lot of them are really, really critical to securing the cybersecurity of our nation,” said Marisol Cruz Cain, director of information technology and cybersecurity at the GAO.”

• Federal News Network adds,
  • “The number of cybersecurity incidents in 2023 grew by almost 10%. Agencies reported more than 32,000 cyber incidents to the Cybersecurity and Infrastructure Security Agency in fiscal 2023. The latest Federal Information Security Modernization Act (FISMA) report to Congress from the Office of Management and Budget showed an increase from more than 29,000 cyber incidents from the year before. Of those 32,000 incidents, 38% — or more than 12,000 — were due to improper usage, which means someone violated an agency’s acceptable use policy. The second biggest attack vector, once again, was email phishing, which saw more than a 50% increase in 2023 as compared to 2022. The good news, OMB said, is 99% of all incidents in 2023 were considered “unsubstantiated or inconsequential event[s].”(Most cyber events in 2023 were ‘unsubstantiated or inconsequential,’ OMB says – White House)”

• Per a Cybersecurity and Infrastructure Security Agency (CISA) press release,
  • “Yesterday [June 13], the Cybersecurity and Infrastructure Security Agency (CISA) conducted the federal government’s inaugural tabletop exercise with the private sector focused on effective and coordinated responses to artificial intelligence (AI) security incidents. This exercise brought together more than 50 AI experts from government agencies and industry partners at the Microsoft Corp. facility in Reston, Virginia.
  • “The four-hour exercise was led by the Joint Cyber Defense Collaborative (JCDC), a public-private partnership model established by CISA to undertake joint planning efforts and drive operational collaboration. This exercise simulated a cybersecurity incident involving an AI-enabled system and participants worked through operational collaboration and information sharing protocols for incident response across the represented organizations. CISA Director Jen Easterly and FBI Cyber Division Deputy Assistant Director Brett Leatherman delivered opening and closing remarks, respectively, emphasizing the need for advancing robust operational structures to address existing and potential security threats, while prioritizing secure-by-design AI development and deployment.
  • “This tabletop exercise is supporting the development of an AI Security Incident Collaboration Playbook spearheaded by JCDC.AI, a dedicated planning effort within JCDC focused on building an operational community of AI providers, AI security vendors, and other critical infrastructure owners/operators to address risks, threats, vulnerabilities, and mitigations concerning AI-enabled systems in national critical infrastructure. The playbook, slated for publication by year-end, will facilitate AI security incident response coordination efforts among government, industry, and global partners.”

From the cybersecurity vulnerabilities and breaches front,

• Modern Healthcare informs us,
  • “Ascension said Friday it has restored access across all markets to the core system for electronic health records and patient portals after a cyberattack.
  • “Patients should see a smoother process for scheduling appointments and filling prescriptions, plus improved wait times, Ascension said in a news release. Some information may be temporarily inaccessible as the system updates medical records collected in the last month, according to the health system. * * *
  • “Ascension did not provide further details on what additional systems still need to be restored and the expected timeline for restoration. Ascension set a June 14 deadline for restoring electronic medical records.”

• Cybersecurity Dive adds,
  • “Personally identifiable and protected health information may have been exposed during a cyberattack at Ascension last month, the Catholic health system said Wednesday. 
  • “Hackers were able to take files from seven servers used by Ascension for routine tasks. The provider said it has about 25,000 servers across its network.
  • “The attackers gained access to Ascension systems after a worker accidentally downloaded a malicious file, according to the health system.”

• HHS’s Health Sector Cybersecurity Coordination Center released its May 2024 report on vulnerabilities of interest to the health sector.

• CISA added the following known exploited vulnerabilities to its catalog last week
  • June 12, 2024
    • CVE-2024-4610 ARM Mali GPU Kernel Driver Use-After-Free Vulnerability
    • CVE-2024-4577 PHP-CGI OS Command Injection Vulnerability
  • June 13, 2024
    • CVE-2024-32896 Android Pixel Privilege Escalation Vulnerability
    • CVE-2024-26169 Microsoft Windows Error Reporting Service Improper Privilege Management Vulnerability
    • CVE-2024-4358 Progress Telerik Report Server Authentication Bypass by Spoofing Vulnerability

• Bleeping Computer adds,
  • “The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity Windows vulnerability abused in ransomware attacks as a zero-day to its catalog of actively exploited security bugs [on June 13].
  • “Tracked as CVE-2024-26169, this security flaw is caused by an improper privilege management weakness in the Windows Error Reporting service. Successful exploitation lets local attackers gain SYSTEM permissions in low-complexity attacks that don’t require user interaction.
  • “Microsoft addressed the vulnerability on March 12, 2024, during its monthly Patch Tuesday updates. However, the company has yet to update its security advisory to tag the vulnerability as exploited in attacks.”

• CISA further warns the public,
  • “Impersonation scams are on the rise and often use the names and titles of government employees. The Cybersecurity and Infrastructure Security Agency (CISA) is aware of recent impersonation scammers claiming to represent the agency. As a reminder, CISA staff will never contact you with a request to wire money, cash, cryptocurrency, or use gift cards and will never instruct you to keep the discussion secret.
  • “If you suspect you are a target of an impersonation scammer claiming to be a CISA employee: 
    • Do not pay the caller.
    • Take note of the phone number calling you.
    • Hang up immediately.
    • Validate the contact by calling CISA at (844) SAY-CISA (844-729-2472) or report it to law enforcement.

• Per Cybersecurity Dive,
  • “More than 100 Snowflake customers are caught in a widespread identity-based attack spree targeting the cloud-based data warehouse vendor’s customers, Mandiant said Monday in a threat intelligence report. The attacks were not caused by a breach of Snowflake’s systems, Mandiant said.
  • “Since at least April 2024, UNC5537 has leveraged stolen credentials to access over 100 Snowflake customer tenants,” Mandiant Consulting CTO Charles Carmakal said Monday in a prepared statement. “The threat actor systematically compromised customer tenants, downloaded data, extorted victims and advertised victim data for sale on cybercriminal forums.”
  • “Snowflake first disclosed the attacks on May 30 and said it first became aware of the malicious activity on May 23. Snowflake was not immediately available to comment on Mandiant’s research. Mandiant and CrowdStrike are assisting Snowflake with an ongoing investigation.”
• and
  • “Researchers on Friday [June 14] warned a critical vulnerability in the PHP programming language is under increased exploitation activity, as the TellYouThePass ransomware group is targeting vulnerable sites, according to a blog post from Censys. 
  • “The vulnerability, listed as CVE-2024-4577, has been under attack from the threat group since at least June 7, with about 1,000 infected hosts observed as of Thursday — they are mainly located in China. The number of observed infections is down from about 1,800 as of June 10. 
  • “The Cybersecurity and Infrastructure Security Agency added CVE-2024-4577 to its known exploited vulnerabilities catalog on Wednesday. [June 12]” 

From the cybersecurity defenses front,

• Health IT Security reports,
  • “Microsoft and Google have pledged to help rural hospitals prevent cyberattacks by offering free or discounted cybersecurity resources. The commitment from the tech giants is part of a White House-led initiative to bolster cybersecurity in the healthcare sector.”
  • “According to an announcement from the White House, Microsoft will extend its nonprofit program to provide grants to independent critical access hospitals and rural emergency hospitals. For these types of hospitals, the company will also offer a 75% discount on security products optimized for smaller organizations. Larger rural hospitals already using eligible Microsoft solutions will receive the company’s “most advanced security suite at no additional cost for one year.”
  • “The White House also said Microsoft will offer free cybersecurity assessments by technology security providers and free training for frontline and IT staff at eligible rural hospitals. The company also pledged to extend security updates for Windows 10 to participating hospitals for one year at no cost.”

• Here’s a link to Dark Reading’s CISO corner.

• Here ares links to an ISACA Blog article titled “Managing AI’s Transformative Impact on Business Strategy & Governance: Strategies for CISOs,” and a Tech Target article titled “How to craft a responsible generative AI strategy.”

From the cybersecurity policy front,

• Cybersecurity Dive tells us,
  • “An HHS agency revealed a new cybersecurity program Monday [May 20, 2024,] that aims to better safeguard hospitals as the healthcare sector faces increasing cyber threats that can derail patient care. 
  • “The initiative, which comes out of the Advanced Research Projects Agency for Health, will invest more than $50 million to build a software suite that could automatically scan model hospital environments for vulnerabilities that could be exploited by hackers and quickly develop and deploy fixes.
  • “The project seeks to help hospitals keep their vast array of internet-connected devices up to date, preventing attacks and subsequent technology outages that can last for weeks and threaten patient safety.”

• American Hospital News adds,
  • “The Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) program will proactively evaluate potential vulnerabilities by probing for weaknesses in software. When it detects a threat, a patch could be automatically developed, tested and deployed with minimal interruption to hospital devices. 
  • “We applaud HHS’ recognition of the unique challenges and systemic nature of vulnerability management in health care,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “The research which will be empowered through the ARPA-H funding will yield technical solutions which should be applied strategically to help secure the entire sector. It is clear, health care is a critical infrastructure sector, which must not be left to defend itself on its own through uncoordinated and uneven capabilities. Continuing ransomware attacks on the health care sector represent an urgent national security, public health and safety issue. The UPGRADE program is an innovative and welcomed ‘whole of nation’ approach, which will combine the expertise of the health care sector and government experts.” 

• Cybersecurity Dive informs us,
  • Providers are still looking for clarification on whether they’ll have to report or notify patients about data breaches stemming from the cyberattack against Change Healthcare earlier this year.
  • In a letter sent to HHS Secretary Xavier Becerra Monday [May 20, 2024], more than 50 organizations — including the American Medical Association, the College of Healthcare Information Management Executives and the American Health Information Management Association— urged the federal government to publicly confirm that Change could manage data breach reporting and notification requirements, since the technology firm and major claims processor experienced the breach. 
  • UnitedHealth Group, Change’s parent company, has previously said it would handle reporting for customers whose data may have been exposed — which could be a huge swath of Americans.

• Bloomberg Law reports,
  • “Companies working with the US government may be required to start protecting their data and technology from attacks by quantum computers as soon as July.
  • “The National Institute for Standards and Technology, part of the Department of Commerce, will in July stipulate three types of encryption algorithms the agency deems sufficient for protecting data from quantum computers, setting an internationally-recognized standard aimed at helping organizations manage evolving cybersecurity threats. 
  • “The rollout of the standards will kick off “the transition to the next generation of cryptography,” White House deputy national security adviser Anne Neuberger told Bloomberg in Cambridge, England on Tuesday [May 21, 2024]. Breaking encryption not only threatens “national security secrets” but also the way we secure the internet, online payments and bank transactions, she added.”

• The National Institute of Standards and Technology (NIST), announced on May 20, 2024,
  • This week, NIST released Special Publication 800-229, Fiscal Year (FY) 2023 Cybersecurity and Privacy Annual Report. This publication shares key highlights of our major cybersecurity and privacy accomplishments as we wrapped up our celebration of NIST’s 50 years of work in the cybersecurity arena.

From the cyber vulnerabilities and breaches front,

• Cybersecurity Dive notes yesterday,
  • “On the eve of Memorial Day weekend, threat researchers and incident response teams are quietly preparing for the risk of malicious activity when staffing is minimal and millions of workers will be on the road. 
  • “Critical industries have faced a series of threats from criminal ransomware gangs or nation-state actors for much of 2024, and the unofficial summer kickoff weekend is a prime opportunity for malicious attacks. 
  • “We see attacks and attempted intrusions every day,” Scott Algeier, executive director of the IT-ISAC, said via email.
  • “While there is no specific threat information pointing to a Memorial Day event, “attackers are also aware of the calendar and know that security teams tend to operate with reduced staffing on weekends and holidays,” Algeier said.
  • “While there is no specific threat information pointing to a Memorial Day event, “attackers are also aware of the calendar and know that security teams tend to operate with reduced staffing on weekends and holidays,” Algeier said.”

• HHS’s Health Sector Cybersecurity Coordination Center (HC3) has issued its April 2024 cybersecurity vulnerability bulletin.
  • In April 2024, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for April are from Palo Alto, Ivanti, Microsoft, Google/Android, Apple, Mozilla, Cisco, SAP, VMWare, Adobe, Fortinet, and Atlassian. A vulnerability is given the classification of a zero-day when it is actively exploited with no fix available, or if it is publicly disclosed. HC3 recommends patching all vulnerabilities, with special consideration given to the risk management posture of the organization.

• HC3 also issued a useful PowerPoint presentation titled “Business Email Compromise (BEC) & Healthcare.”

• The Cybersecurity Infrastructure Security Administration added the following new known exploited vulnerabilities to its catalog:
  • May 20, 2024 —
    • CVE-2024-4947 Google Chromium V8 Type Confusion Vulnerability
    • CVE-2023-43208 NextGen Healthcare Mirth Connect Deserialization of Untrusted Data Vulnerability
  • May 23, 2024 —
    • CVE-2020-17519 Apache Flink Improper Access Control Vulnerability

• Dark Reading reports yesterday that “Google Discovers Fourth Zero-Day in Less Than a Month; The tech company has rolled out fixes for a type confusion vulnerability that has already been exploited by malicious actors.”

• Cyberscoop adds
  • “An aggressive, nebulous ring of young cybercriminals linked to a string of recent high-profile breaches is made up of approximately 1,000 people, a senior FBI official said Friday. 
  • “In remarks Friday at the cybercrime-focused Sleuthcon conference, Bryan Vorndran, assistant director of the FBI’s Cyber Division, described the group best known as Scattered Spider as a “very, very large, expansive, disbursed group of individuals,” many of whom don’t know each other directly. 
  • “Scattered Spider emanates from an online community known as “the Com.” The group is also tracked by cybersecurity firms as “0ktapus” or UNC3944, and Vorndran’s remarks provide the best number yet for the total size of the hacking crew.  
  • “Scattered Spider has breached a who’s-who of big-name companies, including the casino giant MGM Resorts and the identity management company Okta. Made up of mostly native English speakers in the United States and the United Kingdom, Scattered Spider is classified as a top three cybersecurity threat, alongside China and Russia’s foreign intelligence agency, Vorndran said.” 

• NPR brings us up to date on Ascension Healthcare’s recovery from its cyberattack.

From the cybersecurity defenses front,

• Modern Healthcare lets us know
  • A recent string of massive healthcare cybersecurity breaches has put data security leaders on edge. 
  • Health system cybersecurity executives are looking at their biggest points of weakness in the aftermath of large-scale breaches at St. Louis-based health system Ascension, UnitedHealth Group’s Change Healthcare and Chicago-based Lurie Children’s Hospital
  • Recent incidents have shined a light on some of the most significant vulnerabilities at health systems. Here are four of the biggest, according to experts.. 
    • Lack of Shared Organizational Goals
    • Third party Vendor Risks
    • Multi-factor Authentication Misses
    • Slow Response Time

• Similarly MedCity News points out,
  • “During a fireside chat at MedCity News’ INVEST conference, Nitin Natarajan — deputy director at the Cybersecurity and Infrastructure Security Agency (CISA) — shared some key ideas that people need to understand about the current state of cybersecurity in the healthcare industry. For instance, he reminded us that things won’t get better overnight, and that cybersecurity requires an all-hands-on deck approach.”

• TechTarget offer ten cybersecurity best practices and cybersecurity market trends from AI to post-quantum crypto.