Cybersecurity Saturday

From the cybersecurity policy front,

  • The Wall Street Journal makes available an interview with an assistant U.S. attorney general in a 10-minute-long podcast.
    • “The U.S. government has delayed public disclosures of cyber incidents several times since new rules came into force last December, according to Matthew Olsen, assistant attorney general at the U.S. Department of Justice. He spoke with WSJ reporter Dustin Volz at WSJ Tech Live: Cybersecurity on June 6 about the government’s reason for granting companies exemption to delay disclosing hacks. They also discussed the heightened risk of cyber-attacks. Zoe Thomas hosts.”
  • The HHS Office for Civil Rights, which enforces the HIPAA Privacy and Security Rules, announced on Monday July 1, “a settlement with Heritage Valley Health System (Heritage Valley), which provides care in Pennsylvania, Ohio and West Virginia, concerning potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, following a ransomware attack.”
  • Cybersecurity Dive reports
    • “The U.S. Supreme Court ruling Friday [June 28] to overturn the Chevron doctrine could have major implications on the cybersecurity regulatory landscape at a time when federal agencies have enacted significant requirements designed to strengthen incident reporting and meet baseline security standards.” * * * 
    • “Legal and cybersecurity experts are still evaluating what the impact of the Chevron doctrine ruling will be on future regulations. However, Brandon Pugh, director of cybersecurity and emerging threats at the R Street Institute, said the ruling will force federal officials to rethink how they approach future cyber regulations to make sure they don’t create an overly burdensome environment for critical infrastructure and industry partners. 
    • “I think it may give agencies more pause to think about their legal justification, and perhaps look to Congress for more authority in the cases of ambiguity,” Pugh said in an interview.”

From the cybersecurity vulnerabilities and breaches front,

  • The Cybersecurity and Infrastructure Security Agency added one known exploited vulnerability to its catalog on July 2.
  • Cybersecurity Dive provides background on the KEV.
    • “A suspected threat actor with ties to China is actively exploiting a zero-day vulnerability in Cisco NX-OS software, researchers said Monday [July 1].
    • “The suspected actor, dubbed Velvet Ant, is exploiting a command injection vulnerability, identified as CVE-2024-20399, which impacts a wide range of Cisco Nexus devices, according to researchers at Sygnia. The vulnerability has a CVSS score of 6.0; however, researchers warn the threat actor is highly sophisticated and is deploying custom malware, Sygnia said.
    • “Cisco on Monday released software updates for some NX-OS hardware platforms, and will continue to release additional fixes when they are ready. The company said there are no other workarounds to address the flaw.”
  • Cybersecurity Dive further reported on July 1,
    • “At least 700,000 OpenSSH servers are at risk of exploit from a remote code execution vulnerability, CVE-2024-6387, Qualys said Monday. Researchers at Qualys, which discovered the vulnerability, dubbed it “regreSSHion.”
    • “Though Qualys researchers have not yet scored the CVE, they describe it as critical, presenting a significant security risk. The signal handler race condition in OpenSSH’s server allows unauthenticated remote code execution as root on glibc-based Linux systems.
    • “This vulnerability, if exploited, could lead to full system compromise where an attacker can execute arbitrary code with the highest privileges, resulting in complete system takeover, installation of malware, data manipulation and the creation of backdoors for persistent access,” Bharat Jogi, senior director of Qualys threat research unit, said in the report.”
  • Cybersecurity Dive let us know on July 2,
    • “Microsoft researchers on Tuesday warned that critical vulnerabilities in Rockwell Automation PanelView Plus can be exploited by unauthenticated hackers, putting the devices at risk for remote code execution and denial of service. The vulnerabilities were initially disclosed and patched in late 2023.
    • “PanelView Plus devices are human-machine interfaces that are widely used in industrial settings, and malicious control of these devices can lead to disruptive attacks. The remote code execution vulnerability, listed as CVE-2023-2071, has a CVSS score of 9.8. The denial of service vulnerability, listed as CVE-2023-29464, has a CVSS score of 8.2. 
    • “Microsoft initially discovered the vulnerabilities and shared its findings with Rockwell Automation in May and July 2023. Rockwell Automation released security advisories and patches for the CVEs in September and October 2023. Microsoft researchers urged users to patch and apply other mitigation steps.”

From the ransomware front,

  • SC Media reported on July 2,
    • “Operations at Northern California’s Patelco Credit Union have been disrupted by a ransomware attack over the weekend, hindering banking service access to nearly 500,000 individuals, according to CBS Bay Area.
    • “Despite the attack prompting the immediate shutdown of Patelco’s banking systems, its ATMs, branches, and call centers continued operating regular hours although individual account information was inaccessible to employees, said a Patelco spokesperson. Other services affected by the outage included the credit union’s website and mobile app, electronic transactions, and online bill payments, as well as portions of its debit and credit card transactions.”
  • Bleeping Computer reports,
    • “A new ransomware-as-a-service (RaaS) called Eldorado emerged in March and comes with locker variants for VMware ESXi and Windows.
    • “The gang has already claimed 16 victims, most of them in the U.S., in real estate, educational, healthcare, and manufacturing sectors.
    • “Researchers at cybersecurity company Group-IB monitored Eldorado’s activity and noticed its operators promoting the malicious service on RAMP forums and seeking skilled affiliates to join the program.”
  • and
    • “Healthcare fintech firm HealthEquity is warning that it suffered a data breach after a partner’s account was compromised and used to access the Company’s systems to steal protected health information.
    • “The Company says it detected the compromise after detecting ‘anomalous behavior’ from a partner’s personal device and launched an investigation into the incident.
    • “The investigation revealed that the partner had been compromised by hackers who leveraged the hijacked account to gain unauthorized access to HealthEquity’s systems and, later, exfiltrate sensitive health data.”
  • The Record notes,
    • “Researchers say they have discovered a new ransomware group named Volcano Demon that has carried out at least two successful attacks in the past two weeks.
    • “The group’s targets were companies in the manufacturing and logistics industries, said Tim West, an analyst at the cybersecurity firm Halcyon, in a comment to Recorded Future News. He declined to provide further information about the targets. 
    • “What’s interesting about this ransomware group, Halcyon researchers said, is that it has no public leaks website but instead uses phone calls to intimidate and negotiate payments with leadership at victim organizations. These calls originate from unidentified numbers and often carry a threatening tone, the researchers said.”

From the cybersecurity defenses front,

  • The FEHBlog got a kick out of the title of the third article because, as a young lawyer, his go-to assurance to clients was “I’ll get you out even if it takes me 20 years.”