From the cyberpolicy front, Nextgov informs us that
The Federal Acquisition Regulatory Council will soon propose a rule requiring federal agencies to use a uniform, standard self-attestation form when seeking assurances from software vendors that their products were developed using guidance from the National Institute of Standards and Technology.
“Agencies are encouraged to use a standard self-attestation form, which will be made available,” in line with the new rule, according to a memo the Office of Management and Budget issued Wednesday [September 14].
From the cyberbreaches front, Cybersecurity Dive reports
Uber confirmed its systems were breached Thursday [September 15] in an attack that appears far reaching in scope. The rideshare and food delivery company said it alerted law enforcement to the incident in a Thursday statement.
The threat actor, who claims to be 18 years old, told The New York Times he duped an employee into providing their password via text message and compromised the worker’s Slack account. Slack’s high-level access to other third-party services allowed the attacker to gain access to additional Uber systems, including Amazon Web Services, Google Cloud, VMware virtual machines, OneLogin and other services, the attacker claimed.
The American Hospital Association tells us
The FBI has received multiple reports of cyber criminals increasingly targeting healthcare payment processors to redirect victim payments. In each of these reports, unknown cyber criminals used employees’ publicly-available Personally Identifiable Information (PII) and social engineering techniques to impersonate victims and obtain access to files, healthcare portals, payment information, and websites. In one case, the attacker changed victims’ direct deposit information to a bank account controlled by the attacker, redirecting $3.1 million from victims’ payments.
Here’s a link to the FBI’s report.
From the cybervulnerabilities front —
- Health IT Security calls our attention to an FBI warning of “Patient Safety, Security Risks Associated With Legacy Medical Devices.”
- This past week, CISA added two and then another six “new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.”
- CISA also announced “Microsoft has released updates to address multiple vulnerabilities in Microsoft software. An attacker can exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Microsoft’s September 2022 Security Update Guide and Deployment Information and apply the necessary updates.”
From the ransomware front —
- CISA issued a readout of the “first meeting of the Joint Ransomware Task Force (JRTF), an interagency body established by Congress to unify and strengthen efforts against the ongoing threat of ransomware.” CISA and the FBI co-chair this group.
- CISA, the FBI, the National Security Agency and other U.S. and foreign intelligence operations released an updated warning on “Iranian Islamic Revolutionary Guard Corps Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations.”
- Cybersecurity Dive reports on ransomware issues discussed at Rubrik’s virtual Data Security Summit held last week.
- Here’s a link to the latest Bleeping Computer’s The Week in Ransomware.
From the cyberbusiness front, Cybersecurity Dive reports
Google completed its $5.4 billion acquisition of Mandiant on Monday and said it plans to retain the Mandiant brand under Google Cloud.
The deal for the incident response and threat intelligence firm, inked in March, marks Google’s largest cybersecurity acquisition to date and the second largest in the company’s history. Google announced a deal in early January to buy Siemplify, a security orchestration, automation and response technology provider.
Google in August 2021 pledged to invest $10 billion in cybersecurity over the next five years.
From the cyberdefenses front —
- Psychology Today features an article titled “The Cyber Security Head Game; Winning cyber wars means beating your adversary’s mind, not their technology.”
- The Department of Health and Human Services 405(d) Program released its September 2022 online newsletter.