Cybersecurity Saturday

David ErmerCybersecurity

October is Cybersecurity Awareness Month.

  • Here is an excerpt from CISA’s October 1 announcement,
    • Today, the Cybersecurity and Infrastructure Security Agency (CISA) announced the kickoff of the 21stCybersecurity Awareness Month. Throughout October, CISA and the National Cybersecurity Alliance (NCA) will focus on ways to “Secure Our World” by educating the public on how to stay safe online.  
    • This October and year-round, CISA challenges everyone to help secure our world by adopting four simple steps that everyone can take to stay safe online:  
      • Use strong passwords that are long, random, and unique to each account, and use a password manager to generate them and to save them.
      • Turn on multifactor authentication on all accounts that offer it. We need more than a password on our most important accounts, like email, social media, and financial accounts. 
      • Recognize and report phishing, as we like to say, think before you click. Be cautious of unsolicited emails or texts or calls asking you for personal information, and don’t click on links or open attachments from unknown sources.
      • Update software. In fact, enable automatic updates on software so the latest security patches keep devices we are connected to continuously up to date.
  • Here are links to CISA’s Cybersecurity Awareness Month website, the HHS Section 405(d) program’s poster and NIST staff reflections.

From the cybersecurity policy and law enforcement front,

  • Federal News Network lets us know,
    • “The Department of Health and Human Service’s Administration for Strategic Preparedness and Response is considered HHS’ “one stop shop” for working on cyber issues facing the healthcare and public health sector.
    • “But Brian Mazanec , deputy director in ASPR’s Center for Preparedness, said that doesn’t mean his organization is handling every health sector cybersecurity issue at HHS.” * * *
    • “But even before the Change Healthcare ransomware attack, HHS had already laid out plans to expand ASPR and its role as the “sector risk management agency” for healthcare.
    • “ASPR has since established a cybersecurity division within its Office of Critical Infrastructure Protection. Mazanec said the division is the focal point for ASPR’s cyber work with the sector. The division has hired an “initial tranche” of federal staff, he said.
    • “One of the cyber division’s core responsibilities will be incident response, Mazanec said. When a cyber attack hits a major hospital, for instance, ASPR’s team will work with the FBI and the Cybersecurity and Infrastructure Security Agency to help respond and offer support.
    • “Mazanec said ASPR can help hospitals grapple with how to address the fallout from a cyber incident, like the potential diversion of patients to other facilities.” * * *
    • In addition to hospitals, Mazanec said ASPR is focused on third-party risks, such as the dangers posed by relying on large providers like Change Healthcare. He said ASPR is currently working on a new sector risk assessment as part of a new national security memorandum on critical infrastructure. 
    • “A key part of that is going to is looking at that systemic and third party risk,” Mazenec said. “And the NSM also directs us to develop a sector specific plan informed by that risk assessment . . .  That’s where we’ll grapple with, ‘OK, here’s what the risk posture looks like. What can we do to hit those critical entities and help them better, to make sure we’re as secure and resilient as possible across the ecosystem?’”
  • Cyberscoop reports,
    • Microsoft and the U.S. Department of Justice on Thursday [October 3] announced the seizure of more than 100 domains used by a Russian-backed hacking unit to target more than two dozen civil society organizations between January 2023 and August 2024.
    • Microsoft’s Digital Crimes Unit filed a lawsuit with the NGO Information Sharing and Analysis Center (NGO-ISAC) to seize 66 unique domains used by a hacking group Microsoft tracks as Star Blizzard, but which the U.S.British, and other western governments have attributed to the Russian Federal Security Service, more commonly known as the FSB.
    • The Department of Justice simultaneously seized 41 additional domains used by the same group, which it described as an operational unit within the FSB’s Center 18. The U.S. government indicted two Russian nationals working with the group in December 2023, levied sanctions against them and offered a $10 million reward for information on their location.
    • “Rebuilding infrastructure takes time, absorbs resources, and costs money,” Steven Masada, assistant general counsel of Microsoft’s Digital Crimes Unit, said in a statement. “By collaborating with DOJ, we have been able to expand the scope of disruption and seize more infrastructure, enabling us to deliver greater impact against Star Blizzard.” 
  • Per a Justice Department press release,
    • The Justice Department today [October 1] unsealed an indictment charging Russian national Aleksandr Viktorovich Ryzhenkov (Александр Викторович Рыженков) with using the BitPaymer ransomware variant to attack numerous victims in Texas and throughout the United States and hold their sensitive data for ransom.
    • According to the indictment, beginning in at least June 2017, Ryzhenkov allegedly gained unauthorized access to the information stored on victims’ computer networks. Ryzhenkov and his conspirators then allegedly deployed the strain of ransomware known as BitPaymer and used it to encrypt the files of the victim companies, rendering them inaccessible. An electronic note left on the victims’ systems contained a ransom demand and instructions on how to contact the attackers to begin ransom negotiations. Ryzhenkov and his conspirators allegedly demanded that victims pay a ransom to obtain a decryption key and prevent their sensitive information from being made public online.
    • The indictment further alleges that Ryzhenkov and others used a variety of methods to intrude into computer systems, including phishing campaigns, malware, and taking advantage of vulnerabilities in computer hardware and software. Ryzhenkov and coconspirators used this access to demand millions of dollars in ransom. Ryzhenkov is believed to be in Russia. View the FBI’s wanted poster for him here.

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive tells us,
    • “Phishing is the leading initial-access vector for attacks in cloud environments, IBM X-Force said Tuesday in its latest Cloud Threat Landscape Report. IBM’s latest findings are in line with a collection of other recent research from incident response firms and cybersecurity vendors about the prevalence and impact of phishing.
    • “The mode of attack, which threat groups use to harvest credentials for systems and network access, accounted for one-third of all cloud-related incidents IBM X-Force responded to during the two-year period ending in June.
    • “Threat groups most often use phishing emails to trick recipients into entering login information on malicious sites for adversary-in-the-middle attacks, IBM X-Fource found. AITM phishing is a more sophisticated form of a phishing attack that can bypass some forms of multifactor authentication, the report found.”
  • and
    • “Threat actors are actively exploiting a critical vulnerability in Ivanti Endpoint Manager that was previously disclosed by the company in May.
    • “The SQL injection vulnerability in the core server of Ivanti EPM 2022 SU5 and prior versions can permit an attacker to execute arbitrary code, according to an advisory from the company updated Wednesday. The vulnerability, listed as CVE-2024-29824, has a CVSS score of 9.6.
    • “The Cybersecurity and Infrastructure Security Agency on Wednesday added the CVE to its known exploited vulnerabilities catalog. Ivanti updated a previously issued advisory on the CVE and confirmed a limited number of customers have been impacted.”
  • Dark Reading informs us,
    • “Apple has patched two quirky bugs that might have offended privacy-oriented iPhone and iPad owners.
    • “The first — an issue with Apple’s VoiceOver accessibility feature — could have caused iPhones or iPads to announce sensitive passwords out loud. The other issue — affecting voice messages on new iPhone models — could have recorded users for brief seconds before they knew they were being recorded.
    • “New operating system versions are available for both iOS and iPadOS (18.0.1), fixing each bug with improved validation and checks, respectively. Users should update their devices to avoid being vulnerable.”
  • Cybersecurity Dive adds,
    • “Federal civilian agencies triaged more than 7,000 vulnerabilities submitted to the Vulnerability Disclosure Policy Platform in 2023, the Cybersecurity and Infrastructure Security Agency said Monday in an annual report on the program.
    • “Federal agencies remediated 872 vulnerabilities last year, a 78% increase from 2022, CISA said in the report. The federal government determined 15% of the vulnerabilities submitted to the VDP Platform last year were valid.
    • “The program consistently sorts through an increase in critical vulnerabilities. The VDP Platform identified 250 critical vulnerabilities in 2023, a 130% jump from 2022.”
  • Per Cyberscoop,
    • Researchers uncovered 14 vulnerabilities, one of them the most severe kind, that left more than 700,000 routers made by Taiwan-based DrayTek exposed to the public internet, but that the company has since patched.
    • ForeScout’s Vedere Labs revealed the vulnerabilities Wednesday and urged security pros to make sure they implemented the fixes, adding that 75% of the routers are used in commercial settings.
    • “These devices are not just hardware; they represent potential entry points for devastating attacks,” ForeScout said. “Our research shows these vulnerabilities could be used in espionage, data exfiltration, ransomware, and denial of service (DoS) attacks.”
    • More than half of the routers at risk (approximately 425,000) are in the European Union and United Kingdom, followed by Asia (190,000), Australia and New Zealand (37,000), the Middle East (30,000), Latin America (15,000) and North America (7,200).

From the ransomware front,

  • The Record points out,
    • “Insurance companies must stop issuing policies that incentivize making extortion payments in ransomware attacks, a senior White House official said on Friday.
    • “The call for the practice to end, which was made without any indication the White House was formally proposing to ban the practice, follows the fourth annual International Counter Ransomware Initiative (CRI) summit in the United States this week, where the 68 members of the CRI discussed tackling the problem.
    • “Writing an opinion piece in the Financial Times newspaper, Anne Neuberger, the U.S. deputy national security adviser for cyber and emerging technologies, warned that ransomware was “wreaking havoc around the world.”
    • “She wrote: “Some insurance company policies — for example covering reimbursement of ransomware payments — incentivise payment of ransoms that fuel cyber crime ecosystems. This is a troubling practice that must end.” 
  • The Health Sector Cybersecurity Coordination Center posted a threat actor profile about a relatively new actor, Trinity Ransomware.
  • Per Cyberscoop,
    • “A new ‘FakeUpdate’ campaign targeting users in France leverages compromised websites to show fake browser and application updates that spread a new version of the WarmCookie backdoor.
    • “FakeUpdate is a cyberattack strategy used by a threat group known as ‘SocGolish’ who compromises or creates fake websites to show visitors fake update prompts for a variety of applications, such as web browsers, Java, VMware Workstation, WebEx, and Proton VPN.
    • “When users click on update prompts designed to appear legitimate, a fake update is downloaded that drops a malicious payload, like info-stealerscryptocurrency drainers, RATs, and even ransomware.
    • “The latest campaign was discovered by researchers at Gen Threat Labs, who observed the WarmCookie backdoor being distributed as fake Google Chrome, Mozilla Firefox, Microsoft Edge, and Java updates.”

From the cybersecurity defenses front,

  • An ISACA commentator discusses “The Hidden Culture Crisis and Human Burden Undermining Cybersecurity Resilience.”
  • Here’s a link to Dark Reading’s informative CISO Corner.
  • The Wall Street Journal reports,
    • “Cybersecurity executives now earn an average of $565,000, reflecting a moderate increase at a time when cyber threats are growing and regulatory pressure is adding stress to the role.
    • “Corporate chief information security officers are on the hook for defending their companies against cyberattacks, as well as handling breach response, participating in regulatory inquiries and, at times, supplying information during litigation. Pay is rising as the job evolves, but not at the pace of change. 
    • “The scope of the role and the demands of the CISO are increasing at a much faster rate than the rewards and compensation,” said Nick Kakolowski, senior research director at cybersecurity firm IANS.
    • “Average compensation for cyber leaders in the U.S. in 2024 is $565,000, according to a survey from IANS and recruiting company Artico Search published Wednesday. Last year, average CISO compensation was $550,000 and $495,000 in 2022. The survey polled 755 security executives between April and August.”

Leave a Reply

Your email address will not be published. Required fields are marked *