Cybersecurity Saturday

From the CrowdStrike front,

  • The Wall Street Journal summarizes for us,
    • “CrowdStrike said over 97% of Microsoft Windows sensors were back online as of Thursday, nearly a week after a global tech outage snarled businesses, government agencies and air travel worldwide.
    • “CrowdStrike Chief Executive George Kurtz said the company still has more work to do to address the fallout from last Friday’s disruption. 
    • “To our customers still affected, please know we will not rest until we achieve full recovery,” Kurtz said Thursday in a post on LinkedIn.
    • “Kurtz again apologized for the outage. “While I can’t promise perfection, I can promise a response that is focused, effective, and with a sense of urgency,” he said.
    • “CrowdStrike said in an incident report earlier this week that a bug in a quality-control tool it uses to check system updates for mistakes allowed a critical flaw to be pushed to millions of machines running Microsoft Windows.
    • “About 8.5 million devices were affected by the outage, CrowdStrike said Monday. Many of those machines were part of wider corporate IT systems, meaning the impact was felt more widely.” 
  • ABC News adds,
    • “An outage caused by a software update distributed by cybersecurity firm CrowdStrike triggered a wave of flight cancellations at several major U.S. airlines – but the disruption was most severe and prolonged at Delta Airlines.
    • “In all, the carrier canceled more than 2,500 flights over a period that stretched from last Friday, when the outage began, into the middle of this week.” * * *
    • “For a company such as Delta, they rely on countless partner services for everything from scheduling pilots and planes to providing meal service and snacks to allowing customers to select their seats,” David Bader, a professor of cybersecurity and the director of the Institute of Data Science at the New Jersey Institute of Technology, told ABC News.” * * *
    • “The reason for the prolonged recovery from the outage was because the CrowdStrike update disruption required a manual fix at each individual computer system, experts told ABC News. ‘While each fix can be completed in no more than 10 minutes, the vast number of Delta’s digital terminals required significant manpower to address,’ Mark Lanterman, the chief technology officer at the cybersecurity firm Computer Forensic Services, said.”
  • Per Cybersecurity Dive,
    • “Parametrix said the global IT outage linked to CrowdStrike will likely cost the Fortune 500, excluding Microsoft, at least $5.4 billion in direct financial losses, in a report released Wednesday [July 24].
    • “Cyber insurance will only cover 10% to 20% of the losses, based on large risk retentions and policy limits at many companies, according to Parametrix. CyberCube estimates the cyber insurance market will face preliminary insured losses of between $400 million and $1.5 billion, potentially the single worst loss in the cyber insurance sector over 20 years. 
    • “Parametrix expects the healthcare sector to see the biggest impact among industries with $1.94 billion in losses after three-quarters of Fortune 500 healthcare companies were impacted. Though banking was also hard-hit, with an estimated $1.15 billion in direct losses, airlines are expected to have the highest per company costs.”
  • Dark Reading points out unexpected lessons to be gained from the CrowdStrike outage.
    • “In the wake of global IT issues caused by a defect in a content update for CrowdStrike’s Falcon sensor, many organizations engaged in executing business continuity plans (BCPs), recovering systems, and restoring from backups. In the throes of these activities, it’s easy to overlook the similarity with the playbook for ransomware recovery and miss how organizations of all sizes can leverage this event to identify gaps in their capabilities to respond to and recover from ransomware or other disruptive cyberattacks.”
  • Here is a link to CISA’s regularly updated website about the outage.

From the cybersecurity policy front,

  • Per an HHS press release on Thursday July 25,
    • “The U.S. Department of Health and Human Services (HHS) today announced a reorganization that will streamline and bolster technology, cybersecurity, data, and artificial intelligence (AI) strategy and policy functions.
    • “Opportunities in data and technology in healthcare and human services have grown significantly in recent years. Historically, responsibility for policy and operations has been distributed across the Office of the National Coordinator for Health Information Technology (ONC), the Assistant Secretary for Administration (ASA), and the Administration for Strategic Preparedness and Response (ASPR). This reorganization will clarify and consolidate these critical functions, as follows:
      • “ONC will be renamed the Assistant Secretary for Technology Policy and Office of the National Coordinator for Health Information Technology (ASTP/ONC);
      • “Oversight over technology, data, and AI policy and strategy will move from ASA to ASTP/ONC, including the HHS-wide roles of Chief Technology Officer, Chief Data Officer, and Chief AI Officer; and
      • “The public-private effort between the health sector and the federal government on cybersecurity (“405(d) Program”) will move from ASA to ASPR, joining the other health sector cybersecurity activities already located in ASPR’s Office of Critical Infrastructure Protection, and advancing the Department’s one-stop-shop approach to healthcare cybersecurity.” * * *
    • “National Coordinator Micky Tripathi will be named Assistant Secretary for Technology Policy/National Coordinator for Health Information Technology.”
  • Cybersecurity Dive reported yesterday,
    • “The White House and the Cybersecurity and Infrastructure Security Agency disclosed key personnel decisions this week as the administration continues efforts to improve the nation’s resilience and cybersecurity posture. 
    • “The White House Office of the National Cyber Director named Harry Wingo the new deputy national cyber director. 
    • “Wingo, an assistant professor at the National Defense University College of Information and Cyberspace and former U.S. Navy SEAL officer, will begin his new role next week, according to the White House.” * * *
    • “The appointment comes as CISA named Bridget Bean, assistant director of integrated operations, the new executive director of the agency. Bean will succeed Brandon Wales, who is stepping down as the agency’s first executive director next month.” 
  • Here is a link to CISA Director Jen Easterly’s comments on these personnel changes.
  • On Monday July 22, the HHS Inspector General posted a report titled “HHS Office of the Secretary Needs to Improve Key Security Controls to Better Protect Certain Cloud Information Systems.” TechTarget discusses the report here.
  • Help Net Security offers an interview with Ava Chawla, Head of Cloud Security at AlgoSec, who discusses the most significant cloud security threats CISOs must be aware of in 2024. Per Help Net Security,
    • “These threats include data breaches, misconfiguration, insider threats, advanced persistent threats, ransomware, API vulnerabilities, and supply chain vulnerabilities.”

From the cybersecurity vulnerabilities and breaches front,

  • Cyberscoop reports,
    • “Stepped-up activity from a North Korean hacking group is prompting Mandiant to upgrade it to a top-tier hacking threat and the FBI to issue an alert about the outfit, which the company and agency say has long sought to obtain intelligence about defense and research and development but has since expanded to other targets.
    • “Mandiant, a cybersecurity arm of Google Cloud, said in a report it released Thursday [July 25] that the newly labeled APT45 has broadened its ransomware operations — rare for North Korean groups — to target health care providers, financial institutions and energy companies.
    • “The FBI is set to follow with an advisory and news conference Thursday about the hackers.”
  • Here is a link to a CISA press release about Thursday’s advisory and a link to a Dark Reading article on the press conference.
  • Dark Reading adds,
    • “The US Department of Justice has unsealed an indictment of a North Korean military intelligence operative targeting US critical infrastructure.
    • “The individual, Rim Jong Hyok, allegedly carried out ransomware attacks against healthcare facilities and funneled the ransom payments to arrange other breaches into defense, technology, and government organizations globally, in violation of the Computer Fraud and Abuse Act, according to the indictment.
    • “The ransom payments were laundered through Hong Kong, where they were converted into Chinese yuan, withdrawn from an ATM, and then used to purchase virtual private servers in order to exfiltrate sensitive defense and technology information.” 
  • Here is a link to the Justice Department’s press release on this action.
  • Bleeping Computer warns,
    • “American cybersecurity company KnowBe4 says a person it recently hired as a Principal Software Engineer turned out to be a North Korean state actor who attempted to install information-stealing malware on its devices.
    • “The firm detected and stopped the malicious actions in time, so no data breach occurred. However, the case highlights the continued threat posed by North Korean threat actors posing as IT staff, something that the FBI has warned about repeatedly since 2023.
    • “The DPRK maintains a highly organized army of IT workers who obscure their true identities to get hired by hundreds of American firms.”
  • CISA added two known exploited vulnerabilities to its catalog this week.

In other ransomware news,

  • Cybersecurity Dive reports why healthcare entities can be an easy mark for ransomware gangs.
  • Bleeping Computer tells us,
    • “Russian-speaking threat actors accounted for at least 69% of all crypto proceeds linked to ransomware throughout the previous year, exceeding $500,000,000.
    • “This number is from TRM Labs, a blockchain intelligence and analytics firm specializing in crypto-assisted money laundering and financial crime.
    • “North Korea is the leader in stealing cryptocurrency through exploits and breaches, having stolen over a billion dollars in 2023. Asia also remains the leader in scams and investment fraud.
    • “However, Russians reportedly dominate all other malicious activity involving crypto.”
  • Silicon Angle offers a 20-minute-long interview with folks from Veeam, which recently issued its “third Ransomware Trends Report, not of Veeam customers, but of the whole industry. There were 1,200 organizations that were hit with ransomware.”

From the cybersecurity defenses front,

  • The Wall Street Journal reports on July 23,
    • “Alphabet unit Google’s talks to acquire the cybersecurity startup Wiz for a planned $23 billion have fallen apart, according to a person with knowledge of the discussions.
    • “In an email to employees sent Monday and viewed by The Wall Street Journal, Wiz Chief Executive Assaf Rappaport said the company is now aiming for an initial public offering.”
  • Forbes offers “A CISO’s Guide to Fortifying Your Cybersecurity Posture.”
  • TechTarget shares a guide to cybersecurity planning for businesses and identifies “16 common types of cyberattacks and how to prevent them.”