From the cybersecurity policy front, Cybersecurity Dive informs us
National Cyber Director Chris Inglis will retire from his position Feb. 15, ending a more than four decade career in national security.
Kemba Walden, principal deputy national cyber director and a former legal executive at Microsoft, will become acting director until Biden names a nominee for the post. The NCD post requires Senate confirmation.
From the cyber vulnerabilities front —
- The Health Sector Cybersecurity Coordination Center (HC3) issued a PowerPoint presentation titled “2022 Healthcare Cybersecurity Year in Review and a 2023 Look-Ahead.”
- HC3 also released its January 2023 Cybersecurity Vulnerability Bulletin.
- The Cybersecurity and Infrastructure Agency (CISA) added three known exploited vulnerabilities to its catalog.
- The Government Accountability Office produced a report titled “Challenges in Protecting Cyber Critical Infrastructure.”
From the ransomware front —
CISA announced on February 8
CISA and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory, ESXiArgs Ransomware Virtual Machine Recovery Guidance. This advisory describes the ongoing ransomware campaign known as “ESXiArgs.” Malicious cyber actors may be exploiting known vulnerabilities in unpatched and out-of-service or out-of-date versions of VMware ESXi software to gain access to ESXi servers and deploy ESXiArgs ransomware. The ransomware encrypts configuration files on ESXi servers, potentially rendering virtual machines unusable.
As detailed in the advisory, CISA has created and released an ESXiArgs recovery script at https://github.com/cisagov/ESXiArgs-Recover. CISA and FBI encourage organizations that have fallen victim to ESXiArgs ransomware to consider using the script to attempt to recover their files.
Here’s a Cybersecurity Dive report on this topic.
CISA announced on February 9
CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and Republic of Korea’s Defense Security Agency and National Intelligence Service have released a joint Cybersecurity Advisory (CSA), Ransomware Attacks on Critical Infrastructure Fund DPRK Espionage Activities, to provide information on ransomware activity used by North Korean state-sponsored cyber to target various critical infrastructure sectors, especially Healthcare and Public Health (HPH) Sector organizations.
The authoring agencies urge network defenders to examine their current cybersecurity posture and apply the recommended mitigations in this joint CSA, which include:
- Train users to recognize and report phishing attempts.
- Enable and enforce phishing-resistant multifactor authentication.
- Install and regularly update antivirus and antimalware software on all hosts.
See Ransomware Attacks on Critical Infrastructure Fund DPRK Espionage Activities for ransomware actor’s tactics, techniques, and procedures, indicators of compromise, and recommended mitigations. Additionally, review StopRansomware.gov for more guidance on ransomware protection, detection, and response.
Bleeping Computer tells us
Royal Ransomware is the latest ransomware operation to add support for encrypting Linux devices to its most recent malware variants, specifically targeting VMware ESXi virtual machines.
BleepingComputer has been reporting on similar Linux ransomware encryptors released by multiple other gangs, including Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, and Hive.
The new Linux Royal Ransomware variant was discovered by Will Thomas of the Equinix Threat Analysis Center (ETAC), and is executed using the command line.
Cyberscoop considers whether “After the Hive takedown, could the LockBit ransomware crew be the next to fall?”
Here is a link to Bleeping Computers The Week in Ransomware.
From the cyber defenses front —
- Health IT Security relates, “Duo, Imprivata, and Medigate by Claroty, were among the variety of vendors that achieved “Best in KLAS” status in the newly released 2023 Best in KLAS: Software & Services report.”
- The Wall Street Journal offers its quarterly cybersecurity insurance update.
- ZDNet reports, “Reddit was hit with a phishing attack. How it responded is a lesson for everyone. A quick and transparent response shows that there’s a correct way to respond to cybersecurity incidents.”
- An ISACA expert asks, “How does one fix people?” and answers, “Through governance, processes and planning. Governance, processes and planning are all essential components of effective cybersecurity management.”