From the cybersecurity policy front, the Wall Street Journal offers its quarterly cyber regulations update for June 2023.
From the cybersecurity vulnerabilities and breaches front —
- On June 16, HHS’s Health Sector Cybersecurity Coordination Center (HC3) announced
- “On May 31, 2023, Progress Software (formerly Ipswitch) published a notification disclosing that a critical vulnerability exists in their MOVEit Transfer software, which could result in unauthorized access and privilege escalation. The vulnerability is a SQL injection flaw that allows for escalated privileges and potential unauthorized access. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content. As of June 15, 2023, the vulnerability has been serialized with two separate CVEs: CVE-2023-35708 and CVE-2023-35036. The updates can be found on the Progress Security Center webpage.”
- HC3 also released its May 2023 Cybersecurity Vulnerabilities Bulletin.
- The Cybersecurity and Infrastructure Security Agency (CISA) added one more known exploited vulnerability to its catalog.
- On June 15, CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released an update to the joint Cybersecurity Advisory (CSA) Threat Actors Exploit Progress Telerik Vulnerability in U.S. Government IIS Server.
- Health IT Security reports
- “Johns Hopkins University and Johns Hopkins Health are actively investigating a cyberattack and data breach that occurred on May 31. Johns Hopkins said that the attack involved a “widely used software tool” and impacted “thousands of other large organizations across the world.”
- “While the notice does not explicitly mention MOVEit, the timeline of the attack lines up with the discovery of a critical vulnerability in Progress Software’s MOVEit Transfer software, a widely used software tool.
- “As previously reported, Clop ransomware has taken a special interest in this vulnerability and began exploiting the previously unknown SQL injection vulnerability on May 27.”
- The Associated Press adds
- “The Department of Energy and several other federal agencies were compromised in a Russian cyber-extortion gang’s global hack of a file-transfer program popular with corporations and governments [MOVEit], but the impact was not expected to be great, Homeland Security officials said Thursday.
- “But for others among what could be hundreds of victims from industry to higher education — including patrons of at least two state motor vehicle agencies — the hack was beginning to show some serious impacts.
- “Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, told reporters that unlike the meticulous, stealthy SolarWinds hacking campaign attributed to state-backed Russian intelligence agents that was months in the making, this campaign was short, relatively superficial and caught quickly.
- “Based on discussions we have had with industry partners … these intrusions are not being leveraged to gain broader access, to gain persistence into targeted systems, or to steal specific high value information — in sum, as we understand it, this attack is largely an opportunistic one,” Easterly said.”
From the cybersecurity threat actors front —
- HC3 issued a threat actor profile on FIN11
- “FIN11 is a cybercriminal group that has been active since at least 2016, originating from the Commonwealth of Independent States (CIS). While the group has historically been associated with widespread phishing campaigns, the group has shifted towards other initial access vectors. FIN11 often runs high-volume operations mainly targeting companies in various industries in North America and Europe for data theft and ransomware deployment, primarily leveraging CL0P (aka CLOP). The group has targeted pharmaceutical companies and other health care targets during the COVID-19 pandemic and continues to target the health sector. The group is behind multiple high-profile, widespread intrusion campaigns leveraging zero-day vulnerabilities. It is likely that FIN11 has access to the networks of far more organizations than they are able to successfully monetize, and choose if exploitation is worth the effort based on the location of the victim, their geographical location, and their security posture. This Threat Actor Profile provides information associated with FIN11, including recent campaigns, associated malware, CVEs exploited, and TTPs.”
- HHS’s Administration for Strategic Preparedness and Response released a TimisoaraHackerTeam analysis.
- On June 13, “CISA, the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and international partners released Understanding Ransomware Threat Actors: LockBit, a joint Cybersecurity Advisory (CSA) to help organizations understand and defend against threat actors using LockBit, the most globally used and prolific Ransomware-as-a-Service (RaaS) in 2022 and 2023. This guide is a comprehensive resource detailing the observed common vulnerabilities and exposures (CVEs) exploited, as well as the tools, and tactics, techniques, and procedures (TTPs) used by LockBit affiliates. Additionally, it includes recommended mitigations to help reduce the likelihood and impact of future ransomware incidents.”
- On June 15 Cybersecurity Dive reported
- “A suspected threat actor affiliated with China is exploiting a subset of compromised Barracuda Email Security Gateway SG devices to launch a widespread espionage campaign in support of the People’s Republic of China, according to a report released Thursday by Mandiant.
- “The threat actor, tracked as UNC4841, has been sending emails with malicious attachments since October 2022, in order to exploit the zero-day vulnerability disclosed in May. The hackers used a variety of custom malware to maintain a presence in targeted systems, with most of the exploitation taking place in the Americas.
- “This is the broadest cyber espionage campaign known to be conducted by a China-nexus threat actor since the mass exploitation of Microsoft Exchange in 2021,” Charles Carmakal, CTO of Mandiant Consulting, Google Cloud said in a statement. “In the Barracuda instance, the threat actor compromised email security appliances of hundreds of organizations.”
From the ransomware front, we have the latest Week in Ransomware from the Bleeping Computer.
From the cybersecurity defenses front
- Cybersecurity Dive tells us “LastPass CEO reflects on lessons learned, regrets and moving forward from a cyberattack; Karim Toubba is ready to talk nearly a year after LastPass suffered a cyberattack that became one of the biggest security blunders of 2022.”
- On June 13,
- “The Cybersecurity and Infrastructure Security Agency (CISA) today issued Binding Operational Directive (BOD) 23-02, Mitigating the Risk from Internet-Exposed Management Interfaces, which requires federal civilian agencies to remove specific networked management interfaces from the public-facing internet or implement Zero Trust Architecture capabilities that enforce access control to the interface within 14 days of discovery.
- “Recent threat campaigns underscore the grave risk to the federal enterprise posed by improperly configured network devices. As part of CISA and the broad U.S. government’s effort to move the federal civilian enterprise to a more defensible posture, this Directive will further reduce the attack surface of the federal government networks.”
- On June 14,
- CISA, together with the National Security Agency (NSA), released a Cybersecurity Information Sheet (CSI), highlighting threats to Baseboard Management Controller (BMC) implementations and detailing actions organizations can use to harden them.
- “BMCs are trusted components designed into a computer’s hardware that operate separately from the operating system (OS) and firmware to allow for remote management and control, even when the system is shut down. Hardened credentials, firmware updates, and network segmentation options are often overlooked, leading to a vulnerable BMC. A vulnerable BMC broadens the attack vector by providing malicious actors the opportunity to employ tactics such as establishing a beachhead with pre-boot execution potential.
- “CISA and NSA encourage all organizations managing servers to apply the recommended actions in this CSI.”
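The BOD 23-02 rule quoted above (take an internet-exposed management interface offline or put it behind an access-control enforcement point within 14 days of discovery) and the three BMC hygiene points in the CSI (credentials, firmware, segmentation) translate naturally into an inventory triage. The script below is an added illustration, not CISA or NSA tooling and not code from any of the referenced advisories; the record fields, the management-port list, the internal-range list and the sample inventory records are all constructed for the example. Documentation ranges such as 192.0.2.0/24 stand in for public addresses here.

```python
"""Inventory triage for internet-exposed management interfaces.

Added illustration (not CISA/NSA tooling) of two rules from the advisories above:
  * BOD 23-02: a management interface reachable from the public internet must be
    removed or placed behind an access-control enforcement point within 14 days
    of discovery;
  * the BMC CSI: credentials, firmware currency and network segmentation are the
    BMC hygiene points most often overlooked.
Field names, the port list and the sample records are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional
import ipaddress

REMEDIATION_WINDOW = timedelta(days=14)  # BOD 23-02 deadline, counted from discovery

# Ports typically serving device management (assumed list for this example).
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 443: "https-admin", 623: "ipmi",
                    5900: "vnc", 8443: "https-admin"}

# Ranges that are not internet-routable. Anything else is treated as public here,
# so the documentation ranges (192.0.2.0/24 etc.) used in the samples count as public.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                      "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class Interface:
    host: str
    ip: str
    port: int
    discovered: date
    access_controlled: bool = False   # behind a zero-trust style policy enforcement point
    is_bmc: bool = False
    default_credentials: bool = False
    firmware_current: bool = True
    management_segment: bool = True   # on a dedicated, segmented management network


@dataclass
class Finding:
    host: str
    issues: List[str] = field(default_factory=list)
    due: Optional[date] = None        # BOD 23-02 remediation deadline, if one applies


def is_public(ip: str) -> bool:
    """True when the address falls outside every internal range listed above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def triage(iface: Interface, today: date) -> Finding:
    """Apply the BOD 23-02 exposure rule, then the BMC hygiene checks."""
    finding = Finding(iface.host)
    service = MANAGEMENT_PORTS.get(iface.port)
    if service and is_public(iface.ip) and not iface.access_controlled:
        finding.issues.append(
            f"{service} on {iface.ip}:{iface.port} reachable from the internet without access control")
        finding.due = iface.discovered + REMEDIATION_WINDOW
        if today > finding.due:
            finding.issues.append(
                f"past 14-day remediation window (due {finding.due.isoformat()})")
    if iface.is_bmc:
        if iface.default_credentials:
            finding.issues.append("BMC still uses default credentials")
        if not iface.firmware_current:
            finding.issues.append("BMC firmware is not current")
        if not iface.management_segment:
            finding.issues.append("BMC is not on a dedicated management segment")
    return finding


def triage_all(interfaces, today: date) -> dict:
    """Map each host name to its Finding."""
    return {i.host: triage(i, today) for i in interfaces}


# Constructed sample inventory (not real assets).
SAMPLE_INVENTORY = [
    Interface("edge-fw-1", "203.0.113.10", 443, date(2023, 6, 1)),
    Interface("rack-bmc-7", "198.51.100.23", 623, date(2023, 6, 13), is_bmc=True,
              default_credentials=True, management_segment=False),
    Interface("vpn-gw", "192.0.2.5", 443, date(2023, 6, 10), access_controlled=True),
    Interface("app-01", "10.0.4.12", 22, date(2023, 6, 10)),
]

if __name__ == "__main__":
    for host, f in triage_all(SAMPLE_INVENTORY, date(2023, 6, 20)).items():
        print(f"{host}: {'OK' if not f.issues else '; '.join(f.issues)}")
```

Run as-is, the sample shows the two outcomes the directive distinguishes: `edge-fw-1` has an exposed admin interface whose 14-day window from June 1 has already lapsed on June 20, while `rack-bmc-7` is still inside its window but also carries the credential and segmentation findings from the CSI. The interface behind an access-control enforcement point (`vpn-gw`) and the one on a private range (`app-01`) produce no findings.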
- On June 15,
- “Barracuda Networks has released an update to their advisory addressing a vulnerability—CVE-2023-2868—in their Email Security Gateway Appliance (ESG). According to Barracuda, customers should replace impacted appliances immediately.
- “CISA urges organizations to review the Barracuda advisory and for all impacted customers to follow the mitigation steps as well as hunt for the listed indicators of compromise (IOCs) to uncover any malicious activity. For more information, see Mandiant’s advisory on Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor.”
- Also on June 15,
- “Progress Software has released a security advisory for a privilege escalation vulnerability (CVE-2023-35708) in MOVEit Transfer—a Managed File Transfer Software. A cyber threat actor could exploit this vulnerability to take control of an affected system.
- “CISA urges users and organizations to review the MOVEit Transfer advisory, follow the mitigation steps, and apply the necessary updates when available.”