From the cyberattack front, Federal News Network reports
A D.C. federal judge this week preliminarily approved a $63 million settlement as part of a class action lawsuit brought by victims of the breach into OPM databases. The breach was uncovered in 2015. By then, hackers had stolen the records of nearly 22 million current and former federal employees. The Chinese government is widely thought to be behind the attack. The proposed settlement would only compensate those who can prove they were financially affected by the breach. The court’s order set a Dec. 23 deadline to submit a claim.
Health IT Security adds “Shields Health Care Group reported a healthcare cyberattack to HHS impacting 2 million individuals. The Massachusetts-based healthcare group provides MRI, PET/CT, and ambulatory surgical services to patients across New England at more than 30 locations.”
From the cybervulnerabilities front, Cyberscoop explains
When the Cybersecurity and Infrastructure Security Agency [CISA] debuted its list of known, exploited vulnerabilities in November, it was nearly 300 flaws long and came attached to an order for federal agencies to fix them quickly.
Now, as of this week, the catalog known as “KEV” or the “Must-Patch” list is well on its way to 800 listings, and it’s the “No. 1 topic” that CISA Executive Director for Cybersecurity Eric Goldstein says comes up in his frequent, daily meetings with businesses.
The reason, said Goldstein, is that the private sector has — without any order from his agency — adopted the KEV list as a guide for the vulnerabilities they focus on, rather than relying on the traditional open-source industry standard Common Vulnerability Scoring System for assessing the severity of software weaknesses.
This week, CISA first added 36 and then three more known, exploited vulnerabilities to its catalog.
The HHS Health Sector Cybersecurity Coordination Center posted its May report about vulnerabilities of interest to the health sector.
Cybersecurity Dive updates us on Microsoft’s Follina and Atlassian’s Confluence recent zero-day vulnerabilities.
CISA released a joint federal agency alert on People’s Republic of China-sponsored cyber actors.
From the ransomware front, Security Week reports
It doesn’t pay to pay [ransom]. This advice on ransomware payment is often given, but rarely enumerated. Now it has been. A new study finds that 80% of companies that paid a ransom were hit a second time, with 40% paying again. Seventy percent of these paid a higher amount the second time round.
These figures come from an April 2022 Cybereason study that queried 1,456 cybersecurity professionals from organizations with 700 or more employees. The shocking nature of the statistics, published in Ransomware: The True Cost to Business (PDF) go much deeper.
It’s not a problem that can be ignored with the vague belief, ‘it won’t happen to me’. Seventy-three percent of organizations have suffered at least one ransomware attack in the past 24 months – up 33% from last year.
Sixty percent of companies admitted ransomware gangs had been in their network from one to six months before they were discovered – a key indicator of a double extortion attack. But paying the double extortion fee doesn’t really help; nearly 200,000 companies never received their data back after paying. And the criminals still have the data regardless. Thirty-five percent of companies suffered C-level ‘resignations’ because of a ransomware attack.
Other key findings of the research include the prevalence of the supply chain as a factor in the attack. Sixty-four percent of companies believe the ransomware gang got into their network via one of their suppliers or business partners.
Health IT Security adds
Healthcare ransomware attacks are not slowing down, prompting an increased demand for reliable cyber insurance policies. But as healthcare cyberattacks skyrocket, cyber insurers are pushing up prices or leaving the market altogether, Sophos stated in its “State of Ransomware in Healthcare 2022” report.
Sophos surveyed 5,600 IT professionals, including 381 in healthcare, to garner insights on how healthcare organizations are navigating the cyber threat landscape.
The report found that 66 percent of surveyed healthcare organizations were hit by ransomware in 2021, up from just 34 percent in 2020. About 61 percent of those attacks resulted in data encryption. Survey results also revealed that healthcare was the most likely sector to pay a ransom. Just over 60 percent of respondents who experienced encryption admitted to paying the ransom, compared to a cross-sector average of 46 percent.
Here is a link to Bleeping Computer’s Week in Ransomware.
From the cyber defense front, here are links to a Wall Street Journal report on personal password management and a CISA article on multi-factor authentication.