Cybersecurity Saturday - Ermer and Suter PLLC

From the cybersecurity policy and law enforcement front,

Federal News Network tells us,
- “The White House’s lead regulatory office is reviewing a proposed rule that would upgrade the cybersecurity protections required under the Health Insurance Portability and Accountability Act (HIPAA).
- “The White House Office of Information and Regulatory Affairs (OIRA) received the proposed rule on Oct. 18.
- The changes to the HIPAA security rule will “improve cybersecurity in the health care sector by strengthening requirements for HIPAA regulated entities to safeguard electronic protected health information to prevent, detect, contain, mitigate, and recover from cybersecurity threats,” according to a rule abstract published by OIRA.
- “OIRA is charge of reviewing major agency rulemakings before they are published. Once the HIPAA updates clear White House review, the Department of Health and Human Services would be able to release the Notice of Proposed Rulemaking for public comment.”

Here’s the entry in reginfo.gov
- AGENCY: HHS-OCR. RIN: 0945-AA22. Status: Pending Review. Request EO Meeting
  TITLE: Proposed Modifications to the HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information
  STAGE: Proposed Rule. SECTION 3(f)(1) SIGNIFICANT: Yes. RECEIVED DATE: 10/18/2024
  LEGAL DEADLINE: None
Fedscoop tells us,
- “The Biden administration published its anticipated national security memo on artificial intelligence Thursday, establishing a roadmap that aims to ensure U.S. competitiveness with adversaries on the technology, while still upholding democratic values in its deployment.
- “Specifically, the memo details more responsibilities for the Department of Commerce’s AI Safety Institute, directs agencies to evaluate models for risks and identify areas in which the AI supply chain could be disrupted, outlines actions to streamline acquisition of AI used for national security, and defines new governance practices for federal agencies through a new framework.
- “In remarks on the memo delivered Thursday at National Defense University, National Security Advisor Jake Sullivan highlighted the potential AI has for the country’s national security advantage but spoke in dire terms about taking action.
- “The stakes are high,” Sullivan said. “If we don’t act more intentionally to seize our advantages, if we don’t deploy AI more quickly and more comprehensively to strengthen our national security, we risk squandering our hard-earned lead.”

Per a NIST announcement,
- “NIST has released an initial public draft (ipd) revision of Special Publication (SP) 800-131A, Transitioning the Use of Cryptographic Algorithms and Key Lengths.
- “NIST provides cryptographic key management guidance for defining and implementing appropriate key-management procedures, using algorithms that adequately protect sensitive information, and planning for possible changes in the use of cryptography because of algorithm breaks or the availability of more powerful computing techniques. This publication provides guidance on transitioning to the use of stronger cryptographic keys and more robust algorithms.
- “This revision proposes a) the retirement of ECB as a confidentiality mode of operation and the use of DSA for digital signature generation and b) a schedule for the retirement of SHA-1 and the 224-bit hash functions. This draft also discusses the transition from a security strength of 112 bits to a 128-bit security strength and to quantum-resistant algorithms for digital signatures and key establishment.
- “The public comment period is open through December 4, 2024. See the publication details for a copy of the draft and instructions for submitting comments.”

The Wall Street Journal reports,
- “Four tech companies settled federal cases over allegations they misled investors about the extent to which they were compromised in the 2020 SolarWinds hack.
- “Avaya Holdings, Check Point Software Technologies, Mimecast and Unisys didn’t admit wrongdoing in separate deals with the U.S. Securities and Exchange Commission, which found their financial disclosures played down what the companies knew about how their systems were affected by breached SolarWinds software.
- “Unisys agreed to pay a penalty of $4 million, and the other three companies will pay about $1 million each.
- “In a breach disclosed in 2020, which the U.S. later attributed to Russia, hackers slipped malicious code into software from Austin, Texas-based SolarWinds. Thousands of customers inadvertently downloaded the malware. Moscow has denied involvement.”

From the cybersecurity vulnerabilities and breaches front,

Cyberscoop lets us know,
- “The Change Healthcare data breach in February affected 100 million Americans, the company told the Health and Human Services Department this week, making it the biggest breach of health care data ever reported to U.S. regulators.
- “The development is the latest ripple in what was already an unprecedented attack, one in which the company paid a $22 million ransom, resulted in estimated losses of more than $1 billion and attracted the attention of policymakers who have sought new rules for the industry.
- “Change Healthcare notified HHS about the updated number, with the company previously stating only that “a substantial proportion of people in America” were affected. HHS posted about the new figure it in its own update Thursday. HHS’s Office of Civil Rights is conducting an investigation of the breach.
- “The previous record for victims of a breach in the sector was the Anthem breach of 2015, which impacted nearly 79 million Americans and resulted in the company paying a $16 million settlement to HHS.”

The Cybersecurity and Infrastructure Security Agency added five known exploited vulnerabilities to its catalog this week.
October 21, 2024
- CVE-2024-9537. ScienceLogic SL1 Unspecified Vulnerability
October 22, 2024
- CVE-2024-38094 Microsoft SharePoint Deserialization Vulnerability
October 23, 2024
- CVE-2024-47575 Fortinet FortiManager Missing Authentication Vulnerability
October 24, 2024
- CVE-2024-20481 Cisco ASA and FTD Denial-of-Service Vulnerability
- CVE-2024-37383 RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability

Cybersecurity Dive adds,
- “Attackers are actively exploiting a critical zero-day vulnerability in Fortinet’s network and security management tool FortiManager, according to security researchers and federal authorities. The earliest exploitation was on June 27, and at least 50 organizations across various industries have been impacted to date, Mandiant said in a Wednesday blog post.
- “Fortinet disclosed active exploitation of CVE-2024-47575, which has a CVSS score of 9.8, in a security advisory Wednesday. Hours later, the Cybersecurity and Infrastructure Security Agency added the CVE to its known exploited vulnerabilities catalog. Fortinet did not say how many customers are impacted or when it became aware of CVE-2024-47575 and active exploitation.
- “The exploitation observed thus far appears to be automated in nature and is identical across multiple victims,” Mandiant Consulting CTO Charles Carmakal said in a Wednesday post on LinkedIn. “However, with most mass exploitation campaigns, we often observe targeted follow-on activity at some victims.”

Dark Reading informs us,
- “Russia’s premiere advanced persistent threat group has been phishing thousands of targets in militaries, public authorities, and enterprises.
- “APT29 (aka Midnight Blizzard, Nobelium, Cozy Bear) is arguably the world’s most notorious threat actor. An arm of the Russian Federation’s Foreign Intelligence Service (SVR), it’s best known for the historic breaches of SolarWinds and the Democratic National Committee (DNC). Lately, it has breached Microsoft’s codebase and political targets across Europe, Africa, and beyond. Russia’s premiere advanced persistent threat group has been phishing thousands of targets in militaries, public authorities, and enterprises.
- “APT29 embodies the ‘persistent’ part of ‘advanced persistent threat,'” says Satnam Narang, senior staff research engineer at Tenable. “It has persistently targeted organizations in the United States and Europe for years, utilizing various techniques, including spear-phishing and exploitation of vulnerabilities to gain initial access and elevate privileges. Its modus operandi is the collection of foreign intelligence, as well as maintaining persistence in compromised organizations in order to conduct future operations.”

Per Bleeping Computer,
- “Cisco fixed a denial-of-service flaw in its Cisco ASA and Firepower Threat Defense (FTD) software, which was discovered during large-scale brute force attacks against Cisco VPN devices in April.
- ‘The flaw is tracked as CVE-2024-20481 and impacts all versions of Cisco ASA and Cisco FTD up until the latest versions of the software.
- “A vulnerability in the Remote Access VPN (RAVPN) service of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) of the RAVPN service,” reads the CVE-2024-20481 security advisory.”

From the ransomware front,

Dark Reading points out,
- “Nearly 400 US healthcare organizations have been infected with ransomwarethis fiscal year, compromising private information, disrupting facilities, and putting lives at risk, according to a study released this week.
- “The average payment that these organizations have reported paying has gone up to roughly $4.4 million and is costing facilities up to $900,000 in downtime, putting healthcare among ransomware’s most lucrative target sectors.
- “The disruption that healthcare operations face when hit with ransomware attacks doesn’t just affect hospitals either. It also impacts clinics and doctors in adjacent areas, which absorb displaced patients in these emergencies.” * * *
- According to the study, ransomware has become such a pronounced issue for the healthcare sector because of its track record of complying with the bad actors and making ransom payments. But since these organizations are dealing with literal life and death issues, they are usually willing to pay millions of dollars to avoid any disruption of care and the data that support it.
Cyberscoop relates,
- “Ransomware developers are used to their malware being detected. Once defenses against it have been built, they revise and update their code to circumvent those defenses. Then developers deploy an updated version in renewed attacks, often with increased sophistication, to evade detection and achieve their malicious objectives.
- “That cycle has started anew with the Qilin ransomware-as-a-service operation, according to a new report from the cybersecurity firm Halcyon about the group’s updated and upgraded variant.
- “Researchers at the firm warned Thursday that “Qilin.B” is a “more advanced” ransomware variant that boosted encryption and evasion techniques to the big game hunters’ arsenal.
- “Qilin.B’s combination of enhanced encryption mechanisms, effective defense evasion tactics, and persistent disruption of backup systems marks it as a particularly dangerous ransomware variant,” the report noted.”

Per Cybersecurity Dive,
- “Ransomware attacks hit at least 30 organizations using SonicWall firewalls running firmware affected by a critical vulnerability the vendor disclosed and patched two months ago, security researchers at Arctic Wolf Labs said Thursday.
- “SonicWall disclosed and patched the improper access control vulnerability, CVE-2024-40766, which has a CVSS score of 9.3, on Aug. 22. Arctic Wolf Labs said it began observing Akira and Fog ransomware variant intrusions involving the affected SSL VPN feature of SonicWall firewalls in early August.
- “We have observed a significant increase in activity consistent with attempted intrusions since August, with spikes in activity typically occurring during non-business hours,” Bret Fitzgerald, senior director of global public relations at SonicWall, said Thursday via email.”

Bleeping Computer alerts us,
- “The BlackBasta ransomware operation has moved its social engineering attacks to Microsoft Teams, posing as corporate help desks contacting employees to assist them with an ongoing spam attack.
  “Black Basta is a ransomware operation active since April 2022 and responsible for hundreds of attacks against corporations worldwide.
  “After the Conti cybercrime syndicate shut down in June 2022 following a series of embarrassing data breaches, the operation split into multiple groups, with one of these factions believed to be Black Basta.”

From the cybersecurity defenses front,

Cybersecurity Dive reports,
- “Microsoft Chair and CEO Satya Nadella asked for the board to reduce part of his annual compensation package to account for his role in how the company prepared for malicious cyberattacks that led to an overhaul of its internal security culture.
- “Nadella received more than $79 million in total compensation in fiscal 2024, which included a base salary of $2.5 million, about $71.2 million in stock awards and $5.2 million in non-equity incentive plan compensation, according to a filing with the Securities and Exchange Commission. The total included almost $170,000 classified as other compensation.
- “However, Nadella “asked the board to consider departing from the established performance metrics and reduce his cash incentive to reflect his personal accountability for the focus and speed required for the changes that today’s cybersecurity threat landscape showed were necessary,” according to a letter included in the filing from the compensation committee at Microsoft.”

Per Bleeping Computer,
- Apple created a Virtual Research Environment to allow public access to testing the security of its Private Cloud Compute system, and released the source code for some “key components” to help researchers analyze the privacy and safety features on the architecture.
- The company also seeks to improve the system’s security and has expanded its security bounty program to include rewards of up to $1 million for vulnerabilities that could compromise “the fundamental security and privacy guarantees of PCC.”
- Private Cloud Compute (PCC) is a cloud intelligence system for complex AI processing of data from user devices in a way that does not compromise privacy.
Cybersecurity Dive shares Gartner’s four ways AI could impact employees, workflows.

Here is a link to Dark Reading’s CISO Corner.

An ISACA commentator discusses “How the Emerging Technology Landscape is Impacting Cybersecurity Audits.”

“In a conversation with The Regulatory Review, Penn Medicine Chief Privacy Officer Lauren Steinfeld discusses how health care systems work to comply with regulations on data privacy.”

Tripwire shares “Advanced Tips for Leveraging the NIST Cybersecurity Framework for Compliance.”

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Subscribe to FEHBlog