Cybersecurity Saturday

From the cybersecurity policy front,

  • Fedscoop reports,
    • “Chris DeRusha is exiting his role as federal chief information security officer after more than three years on the job, the Office of Management and Budget confirmed Tuesday [May 14].
    • “DeRusha, who was appointed to the federal CISO position in January 2021, played a critical role in the development of the White House’s artificial intelligence executive order, in addition to the Biden administration’s 2021 executive order on cybersecurity and the corresponding national cybersecurity strategy and implementation plan.  * * *
    • “As the federal CISO, DeRusha oversaw the 25-member council of his chief information security officer peers and spearheaded the protection of federal networks, while also managing agencywide implementation of multifactor authentication and supporting the coordination of the nation’s broader cybersecurity as the deputy national cyber director. 
    • “DeRusha will also leave behind that role, the Office of the National Cyber Director confirmed.”
  • Cyberscoop adds,
    • “[T]op official at the Cybersecurity and Infrastructure Security Agency, Eric Goldstein, is stepping down from his role at the agency next month.
    • “As executive assistant director for cybersecurity, Goldstein has had his hands in many of CISA’s major undertakings, from its goal of pressuring companies into making their products secure during the design process to issuing emergency directives for agencies to shoring up defenses against vulnerabilities.”
  • Cyberscoop also offers an interview with Mr. Goldstein.
  • CISA Director Jen Easterly discusses the “ninth iteration of the national cyber exercise, Cyber Storm. The planners, representing private industry, federal, state, and international government partners, managed an exercise that spanned across the globe to simulate a coordinated cyberattack targeting critical infrastructure. * * * Outcomes from Cyber Storm IX will be published later this year at Cyber Storm: Securing Cyber Space | CISA.”

From the cyber vulnerabilities front,

  • Cybersecurity Dive reports,
    • The threat from nation state cyber adversaries with ties to Russia and China is growing more sophisticated and dangerous, National Cyber Director Harry Coker Jr. warned Tuesday [May 14]. International cooperation is required to defend common economic and national security interests, he said in a keynote speech at CyberUK 2024 in Birmingham, England.
    • Coker said Russia has enhanced its capabilities since the beginning of the Ukraine invasion in 2022, which has helped it gain success on the battlefield. 
    • “The Russian cyber threat in 2024 marks a new standard of aggression, persistence and operational agility,” Coker said.
  • The Cybersecurity and Infrastructure Security Agency (CISA) added six known exploited vulnerabilities to its catalog this week.
    • On May 13
      • CVE-2024-4671 Google Chromium in Visuals Use-After-Free Vulnerability
    • On May 14
      • CVE-2024-30051 Microsoft DWM Core Library Privilege Escalation Vulnerability
      • CVE-2024-30040 Microsoft Windows MSHTML Platform Security Feature Bypass Vulnerability
    • On May 15
      • CVE-2014-100005 D-Link DIR-600 Router Cross-Site Request Forgery (CSRF) Vulnerability
      • CVE-2021-40655 D-Link DIR-605 Router Information Disclosure Vulnerability
      • CVE-2024-4761 Google Chromium V8 Out-of-Bounds Memory Write Vulnerability

From the Ascension Healthcare breach front,

  • Here’s a link to the Ascension website about its May 8 “cybersecurity event.”
  • Cybersecurity Dive tracks the state-by-state impact of the event here.
  • The hospital community is praising Ascension for its transparency, per Becker’s Hospital Review.
  • Notwithstanding the kudos, Healthcare Dive reports,
    • “Ascension is staring down two proposed class-action lawsuits just one week after a cyberattack took systems offline across its 140-hospital portfolio, forcing the nonprofit system to divert ambulances and pause elective care.
    • “In complaints filed in the District Courts of Illinois and Texas, plaintiffs allege Ascension acted negligently by failing to encrypt patient data and said the attack leaves them ‘at a heightened risk of identity theft for years to come.’
    • “Ascension has not said the attack compromised patient data. However, an investigation remains ongoing.”

From the ransomware front,

  • IT Pro examines the Black Basta ransomware variant.
    • CNN reported that Black Basta was the variant of ransomware used [against Ascension] while Healthcare IT security group Health-ISAC said the group has recently accelerated attacks against the healthcare sector.
    • “In the past month, at least two healthcare organizations, in Europe and in the United States, have fallen victim to Black Basta ransomware and have suffered severe operational disruptions. Taking these latest developments into consideration, Health-ISAC has assessed that Black Basta represents a significant threat to the healthcare sector,” it said.
  • Cybersecurity Dive adds,
    • Microsoft researchers warn that a financially motivated hacker has misused the company’s Quick Assist client management tool since mid-April in social-engineering attacks, ultimately leading to the deployment of Black Basta ransomware, according to a blog post released Wednesday [May 15]. With Quick Assist, users can remotely connect their Windows or macOS device with another person.
    • The attacks began using voice phishing, also known as vishing, and led to malicious use of remote-monitoring tools like ScreenConnect or NetSupport Manager, according to Microsoft. The hackers also deployed malware, including Cobalt Strike or Qakbot, before launching the Black Basta ransomware.
    • The disclosure came less than a week after the FBI and Cybersecurity and Infrastructure Security Agency warned about Black Basta ransomware being deployed in hundreds of attacks against critical infrastructure and healthcare worldwide.
  • Cybersecurity Dive further notes,
    • “Remote-access tools were the primary intrusion point for ransomware attacks, accounting for 3 in 5 attacks last year, cybersecurity insurance firm At-Bay said Wednesday [May 15] in a report.
    • “Attackers primarily targeted perimeter-access tools in 2023, but shifted their focus from remote desktop protocol to targeting self-managed VPNs. These on-premises VPNs were linked to more than 3 in 5 ransomware attacks where remote access was the initial entry vector, according to At-Bay.
    • “Attackers go after the same things. If you have a city that has walls around it, you’re going to go after the gate because the gate is a weaker point than the actual wall,” Rotem Iram, At-Bay founder and CEO, said last week at an Axios event on the sidelines of the RSA Conference in San Francisco.”
  • TechTarget offers National Security Agency views on the ransomware front, while Politico reports on what happens after a ransomware attack is discovered.
  • Here’s a link to BleepingComputer’s The Week in Ransomware.

From the cybersecurity defenses front,

  • Here’s a link to Dark Reading’s CISO Corner.
  • Cybersecurity Dive reports,
    • “A once volatile cyber insurance market has stabilized considerably as new companies have entered an increasingly competitive market, helping lower premium costs and raise coverage limits, according to S&P Global Ratings research released last week.
    • “Insurance companies have evolved underwriting methods by incorporating sophisticated tools to assess potential cyber risk with more flexibility and personalization, according to S&P. 
    • “Municipal governments have made significant advances in their ability to manage cyber risk and respond to malicious attacks, too, S&P found. After years of foregoing expensive commercial policies, these local organizations are now incorporating cyber risk coverage, while smaller governments in many cases are joining cyber risk pools.”