From the cybersecurity policy front, the Cybersecurity and Infrastructure Security Agency (CISA) reflects on its activities over the year since “the President signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) into law—an act that is critical to improving America’s cybersecurity.” Here is CISA’s overview of that law which will be implemented by rulemaking. The proposed rule is expected soon.
The FEHBlog has been tracking two Federal Acquisition Regulation cybersecurity rulemakings:
It turns out that on March 15, 2023, OMB’s Office of Information and Regulatory Affairs bounced those rules back to the FAR Council, which has gone back to the drawing board.
From the cyber vulnerabilities front –
- CISA added ten new known exploited vulnerabilities to its catalog. Bleeping Computer provides background on this action.
- CISA issued the following warning, for which Cybersecurity Dive provides background.
- CISA is aware of open-source reports describing a supply chain attack against 3CX software and their customers. According to the reports, 3CXDesktopApp — a voice and video conferencing app — was trojanized, potentially leading to multi-staged attacks against users employing the vulnerable app.
- CISA urges users and organizations to review the following reports for more information, and hunt for the listed indicators of compromise (IOCs) for potential malicious activity:
- CrowdStrike: Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers
- SentinelOne: SmoothOperator | Ongoing Campaign Trojanizes 3CXDesktopApp in Supply Chain Attack
- DesktopApp: 3CX DesktopApp Security Alert
- Venture Beat identifies eight ChatGPT cybersecurity vulnerabilities for this year.
- Bleeping Computer warns about an actively exploited bug affecting a WordPress page plug-in called Elementor Pro.
From the ransomware front, which is missing The Week in Ransomware (spring break?), Bleeping Computer tells us,
Fake extortionists are piggybacking on data breaches and ransomware incidents, threatening U.S. companies with publishing or selling allegedly stolen data unless they get paid.
Sometimes the actors add the menace of a distributed denial-of-service (DDoS) attack if the message recipient does not comply with the instructions in the message. * * *
The attackers behind this activity use the name Midnight and have been targeting companies in the U.S. since at least March 16.
Health IT Security reports
Thanks to a joint effort by the HHS Office of Inspector General (OIG) and the Federal Bureau of Investigation (FBI), a cybercriminal marketplace known as BreachForums was forced offline, the Department of Justice (DOJ) announced.
In addition, BreachForums founder Conor Brian Fitzpatrick, 20, of Peekskill, New York, was arrested in mid-March and made his first appearance in court on March 24. Fitzpatrick allegedly created and administered a major hacking forum that allowed its 340,000 members to buy, sell, and trade stolen data since March 2022.
The platform offered its users bank account information, hacking tools, Social Security numbers, breached databases, and account login information, along with other personally identifiable information (PII).