From the cybersecurity policy front,
- The FAR Council extended the public comment deadline for its October 3, 2023, proposed cybersecurity rules from December 4, 2023, to February 2, 2024. The FEHBlog noticed that the proposed rules (cited in the link) would be added to FAR Part 39 captioned “Acquisition of Information Technology.” In contrast, the FAR cybersecurity rules already found in the FEHB contract are found in FAR Part 4, captioned “Administrative and Information Matters.” For this reason, the FEHBlog has formed the opinion that these rules would not apply to FEHB plan contracts. In any event, the OPM FEHB contracts already include requirements for reporting data breaches and cyber incidents (Section 1.37).
- Health IT Security tells us,
- “HITRUST issued a response to the White House’s request for information (RFI) on the harmonization of cybersecurity regulations, suggesting that regulation alone is not a fix to the ongoing cyber challenges that critical infrastructure entities face.
- “Rather, HITRUST recommended a shift away from further regulations in favor of a renewed focus on accountability and reciprocity within existing standards. Additionally, HITRUST emphasized the importance of reliable cybersecurity assessments and assurances.”
- and
- “The HHS Office for Civil Rights (OCR) released an educational video to help covered entities understand how the HIPAA Security Rule can help them defend against cyberattacks. The video was produced in recognition of National Cybersecurity Month.
- “Hosted by Nick Heesters, senior advisor for cybersecurity at OCR, the 43-minute video explores cyberattack trends gleaned from OCR breach reports and discusses how Security Rule compliance can help covered entities combat these threats.”
- Cyberscoop informs us,
- “The White House announced a long-awaited executive order on Monday that attempts to mitigate the security risks of artificial intelligence while harnessing the potential benefits of the technology.
- “Coming nearly a year after the release of ChatGPT — the viral chatbot that captured public attention and kicked off the current wave of AI frenzy — Monday’s executive order aims to walk a fine line between over-regulating a new and potentially groundbreaking technology and addressing its risks.
- “The order directs leading AI labs to notify the U.S. government of training runs that produce models with potential national security risks, instructs the National Institutes of Standards and Technology to develop frameworks for how to adversarially test AI models, and establishes an initiative to harness AI to automatically find and fix software vulnerabilities, among other measures.
- “Addressing questions of privacy, fairness and existential risks associated with AI models, Monday’s order is a sweeping attempt to lay the groundwork for a regulatory regime at a time when policymakers around the world are scrambling to write rules for AI. A White House fact sheet describes the order as containing “the most sweeping actions ever taken to protect Americans from the potential risks of AI systems.”
From the cyber vulnerabilities and breaches front,
- Per Cybersecurity Dive,
- “The Securities and Exchange Commission charged SolarWinds and its CISO Timothy Brown with fraud and internal control failures for allegedly misleading investors about its cybersecurity practices leading up to the Sunburst attack discovered in December 2020.
- “The SEC on Monday [October 29] alleged the company overstated its cybersecurity practices and failed to disclose known risks from October 2018, when the company went public, up to at least the Sunburst attack.
- “Public statements from the company contradicted internal assessments, including a 2018 assessment by a company engineer, shared with Brown and others, showing the company’s remote access setup was “not very secure,” the SEC complaint said.
- “SEC officials allege SolarWinds and Brown ignored repeated red flag warning signs that put the company’s cybersecurity at risk.
- Security Week offers industry reaction to the lawsuit.
- “It remains to be seen how the lawsuit against the SolarWinds CISO will unfold and what implications it will have for the cybersecurity industry as a whole. Regardless of the outcome, it serves as a stark reminder that the role of CISOs is continually evolving, and they must navigate a complex landscape of legal and regulatory challenges.”
- HHS’s Heath Sector Cybersecurity Coordination Center (HC3) issued its October vulnerability bulletin.
- “In October 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for October are from Microsoft, Google/Android, Apple, Mozilla, Cisco, SAP, VMWare, Adobe, Fortinet, Atlassian, SolarWinds, NextGen Healthcare, and F5. A vulnerability is given the classification as a zero-day when it is actively exploited with no fix available or if it is publicly disclosed. HC3 recommends patching all vulnerabilities, with special consideration to the risk management posture of the organization.”
- Cyberscoop points out
- “The exploitation of zero-day vulnerabilities is on the rise globally and directly impacting federal agencies, part of what a senior Cybersecurity and Infrastructure Security Agency official called a “very eventful past six months” in the cyber threat landscape.
- “Michael Duffy, the associate director for capacity building within CISA’s cybersecurity division, said that in the past month or so, the agency has seen “a really high increase in zero-day activity, exploits that we’re seeing across the globe, really affecting the federal government networks throughout the federal government.”
- “Duffy’s comments, made during a cybersecurity governance panel this week at ACT-IAC’s Imagine Nation ELC conference in Hershey, Pa., come following a notable decline in so-called in-the-wild zero days last year. According to a July report from Google’s Threat Analysis Group, 41 zero days were detected and disclosed in 2022, down from 69 in 2021.
- “Despite the decline, the number of zero-day exploits observed in the wild remained the second-highest number since TAG started tracking such exploits in 2014. U.S. government officials recently have described a tendency toward growing sophistication in the state-backed hacking campaigns, one hallmark of which is the use of the previously unknown vulnerabilities known as zero days.”
- The Cybersecurity and Infrastructure added two known exploited vulnerabilities to its catalog on Tuesday, October 31, and another on Thursday, November 2.
From the ransomware front,
- Health IT Security reports,
- “The International Counter Ransomware Initiative (CRI) held its third summit in Washington, DC, with representatives from 50 countries joining together to build upon counter-ransomware projects and announce new focus areas. Among the commitments announced, at least 40 of the member countries agreed not to pay ransoms to cybercriminals, Reuters first reported.
- “As long as there is money flowing to ransomware criminals, this is a problem that will continue to grow,” said Anne Neuberger, US deputy national security adviser for cyber and emerging technology in the Biden Administration. [see The Week in Ransomware’s observation below.]
- “The Federal Bureau of Investigation (FBI) has long encouraged ransomware victims to avoid paying the ransom when faced with a ransomware attack. Paying the ransom can embolden cybercriminals to continue targeting other victims and does not guarantee the safe return of data. * * *
- “In addition to the pledge, CRI members continued to expand upon the commitments they made at last year’s summit. Key deliverables at the 2023 summit were centered around “developing capabilities to disrupt attackers and the infrastructure they use to conduct their attacks, improving cybersecurity through sharing information, and fighting back against ransomware actors,” the White House noted in a press release.”
- and
- “The HHS Office for Civil Rights (OCR) announced a $100,000 settlement to resolve a data breach investigation with Doctors’ Management Services, a Massachusetts-based medical management company and healthcare business associate that suffered a ransomware attack in 2018. The settlement marks the first-ever ransomware agreement that OCR has reached.
- “In April 2019, Doctors’ Management Services filed a breach report with HHS, acknowledging that 206,695 individuals were impacted by a cyberattack carried out by GandCrab ransomware actors. Although the report was filed in 2019, the initial intrusion occurred in 2017. Doctors’ Management Services only detected the breach in December 2018, when ransomware was used to encrypt its files.”
- HC3 released an analyst note about 8Base ransomware.
- A recent attack on a U.S.-based medical facility in October 2023 highlights the potential threat of the ransomware gang, 8Base, to the Healthcare and Public Health (HPH) sector. Active since March 2022, 8Base became highly active in the summer of 2023, focusing their indiscriminate targeting on multiple sectors, primarily across the United States.
- This surge in operational activity included the group’s engagement in double extortion tactics as an affiliate of Ransomware-as-a-Service (RaaS) groups against mostly small- to medium-sized companies.
- While similarities exist between 8Base and other ransomware gangs, the group’s identity, methods, and motivations remain largely unknown. What follows is an overview of the group, possible connections to other threat actors, an analysis of their ransomware attacks, their target industries and victim countries, impacts to the HPH sector, MITRE ATT&CK techniques, indicators of compromise, and recommended defenses and mitigations against the group.
- Of course, here’s a link to Bleeping Computer’s The Week in Ransomware.
- “Due to the increasing number of attacks, an alliance of 40 countries will sign a pledge during the third annual International Counter-Ransomware Initiative summit in Washington, D.C., to stop paying the ransom demanded.
- “However, this may be an empty pledge, as federal governments typically do not pay ransomware demands, and it does not prevent local governments from giving into extortion demands. * * *
- “[N]ew research was released this week about ransomware, including:
- A report on GhostSec, who is now using a ransomware encryptor in attacks.
- Threat actors are exploiting Apache ActiveMQ flaws to deploy HelloKitty ransomware.
- Sophos walked us through a step-by-step MoneyMessage attack.
- A new BiBi-Linux wiper was spotted used in attacks on Israeli orgs.
- Finally, we released a report on the new Hunters International ransomware gang, which is believed to be a rebrand of Hive.
From the cybersecurity defenses front,
- Per Cybersecurity Dive,
- “Microsoft is overhauling its cybersecurity strategy, called the Secure Future Initiative, to incorporate key security features into its core set of technology platforms and cloud services.
- “The plan follows a massive government and industry backlash to Microsoft after the state-linked email theft from the U.S. State Department. Microsoft came under fierce criticism from key members of Congress and federal officials who were concerned that the company was forcing federal agencies to rely on software products that lacked the necessary security features to protect against sophisticated attackers.
- “The pushback related to the State Department case was that Microsoft was upcharging customers for additional, important security features.
- “Microsoft plans to enable secure default settings out of the box, so customers will not have to engage with multiple configurations to make sure a product is protected against hackers.
- For example, Microsoft will implement Azure baseline controls, which include 99 controls across nine security domains by default.
- Dark Reading offers articles about tailored ransomware readiness assessments and the need for the IT team to collaborate with the security team.
- An ISACA expert explains how to craft a corporate generative AI policy.
- The Wall Street Journal reports,
- “Economic uncertainty continues to chip away at corporate cybersecurity.
- “Layoffs, budget cuts and general skimping are putting more pressure on cybersecurity teams, which, in some cases, are pausing hiring and technology investment.
- “Because of the economic pressure, there are more questions being asked about backfills or head counts,” said Diego Souza, chief information security officer at engine and generator manufacturer Cummins.
- “Of 14,865 cyber professionals asked, 47% said there had been some form of cutbacks in cybersecurity—layoffs, budget cuts, hiring or promotion freezes—in the past 12 months, according to a survey by trade group ISC2 in collaboration with Forrester Research. Of that group, 22% said there had been layoffs on their teams, while 53% saw delays in buying or implementing technology, according to the study published Tuesday [October 31].