Cybersecurity Saturday

From the cybersecurity policy front,

  • Cybersecurity Dive reports,
    • “The U.S. must take collective action to address “unacceptable” cybersecurity risks to the country, National Cyber Director Harry Coker Jr. said in a speech at Columbia University’s Conference on Cyber Regulation and Harmonization in New York City. Coker called for federal authorities to work together with critical infrastructure providers, private sector companies and other stakeholders. 
    • “Cybersecurity threats like the China state-linked Volt Typhoon present unacceptable risks to the U.S., Coker said, and more investments are required to build long term cyber resilience. As part of that strategy, companies need to ensure that cybersecurity is as much of a focus as quarterly profits. 
    • “At the same time, Coker called for the government to streamline its regulations and harmonize compliance demands for the benefit of the private sector and critical infrastructure providers. This could allow CISOs and other security leaders to spend more time mitigating their own organizational cyber risk, he said.”
  • NextGov/FCW tells us,
    • Jen Easterly, the Cybersecurity and Infrastructure Security Agency’s stalwart champion and a figurehead among cybersecurity and intelligence community practitioners, will leave her post Jan. 20 next year when President-elect Donald Trump is inaugurated back into the White House, people familiar with her plans said.
    • The plans were communicated via internal emails and an all-hands staff meeting, said the people, who asked not to be identified to share news of her departure. Deputy Director Nitin Natarajan also plans to depart at that time, one of the people said. * * *
    • “A CISA spokesperson told Nextgov/FCW that all appointees under the current administration vacate their positions when a new administration takes office and affirmed the agency’s commitment to a seamless transition.” * * *
    • “Ohio Secretary of State Frank LaRose is being considered to lead the agency after Easterly leaves, Politico reported last week, citing four people who have spoken to those in his orbit.”
  • and
    • “With 66 days until Inauguration Day, Federal Chief Information Officer Clare Martorana says her top priority in the last days of the Biden administration is cybersecurity. 
    • “Continuing to make sure that cybersecurity is not an afterthought,” she told Nextgov/FCW on the sidelines of an ACT-IAC event Friday, adding that she wants cyber to be part of the IT community, rather than segmented away from each other.
    • “In government, it just continues to perplex me that we don’t necessarily co-join in our product development and the ongoing maintenance of our digital properties as a single, cohesive team,” she said. 
    • “Second up is facilitating an effective transition for the incoming Trump administration 
    • “Making sure that the next team that comes in knows exactly what we’ve accomplished, knows exactly the areas that we feel need additional attention and that are going to be what the catalysts are for the next four years of technology, customer experience, digital experience evolution” is a “really, really important part of my job right now,” said Martorana. 
    • “I want to make sure that the next federal CIO has the best chance of hitting the ground running and being as effective as they can be,” she added.” 
  • The Government Accountability Office released a report highlighting that
    • “As the lead federal agency for the healthcare and public health critical infrastructure sector, the Department of Health and Human Services (HHS) has faced challenges in carrying out its cybersecurity responsibilities. Implementing our related prior recommendations can help HHS in its leadership role.”
  • The National Institute for Standards and Technology announced,
    • “The initial public draft (ipd) of NIST Special Publication (SP) 800-172r3 (Revision 3), Enhanced Security Requirements for Protecting Controlled Unclassified Information (CUI), is available for comment.
    • “SP 800-172r3 provides recommended security requirements to protect the confidentiality, integrity, and availability of CUI when it is resident in a nonfederal system and organization and is associated with a high value asset or critical program. The enhanced security requirements give organizations the capability to achieve a multidimensional, defense-in-depth protection strategy against advanced persistent threats (APTs) and help to ensure the resiliency of systems and organizations. The enhanced security requirements in SP 800-172r3 supplement the security requirements in SP 800-171 and are intended for use by federal agencies in contractual vehicles or other agreements between those agencies and nonfederal organizations. There is no expectation that all of the enhanced security requirements are needed universally; enhanced security requirements are selected by federal agencies based on specific mission needs and risks.
    • The public comment period is open through January 10, 2025. NIST strongly encourages you to use the comment template available on the publication details page and submit comments to 800-171comments@list.nist.gov. Comments received in response to this request will be posted on the Protecting CUI project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed.
  • FEHB claims data is classified as CUI. Significant changes are called out on this NIST website.

From the cybersecurity vulnerabilities and breaches front,

  • From a November 12, 2024, CISA press release
    • “Today, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and international partners released joint Cybersecurity Advisory, 2023 Top Routinely Exploited Vulnerabilities.” * * *
    • “The authoring agencies urge all organizations to review and implement the recommended mitigations detailed in this advisory. The advisory provides vendors, designers, and developers a guide for implementing secure by design and default principles and tactics to reduce the prevalence of vulnerabilities in their software and end-user organizations mitigations. Following this guidance will help reduce the risk of compromise by malicious cyber actors.”
  • Also on November 12, HHS’s Health Sector Cybersecurity Coordination Center released an Analyst Note on the Godzilla Webshell.
  • CISA added seven known exploited vulnerabilities to its catalog this week.
  • Per Cybersecurity Dive,
    • “Attackers are actively exploiting a pair of previously disclosed vulnerabilities in Palo Alto Networks Expedition, federal cyber authorities said Thursday. 
    • “The Cybersecurity and Infrastructure Security Agency added CVE-2024-9463, an OS command injection vulnerability with a CVSS score of 9.9, and CVE-2024-9465, an SQL injection vulnerability with a CVSS score of 9.2, to its known exploited vulnerabilities catalog on Thursday. The alert comes one week after the agency confirmed another vulnerability in the same product, CVE-2024-5910, was under active exploitation
    • “Palo Alto Networks disclosed and released a patch for the vulnerabilities along with three additional CVEs in the migration tool on Oct. 9.”
  • Per Dark Reading,
    • “Microsoft pulled its November 2024 Exchange security updates that it released earlier this month for Patch Tuesday due to them breaking email delivery.
    • “This decision came after there were reports from admins saying that email had stopped flowing altogether.
    • “The issue affects Microsoft Exchange customers who use transport rules, or mail flow rules, as well as data loss protection rules. The mail flow rules filter and redirect emails in transit, while the data loss protection rules ensure that sensitive information isn’t being shared via email to an outside organization.”
  • and
    • “ChatGPT exposes significant data pertaining to its instructions, history, and the files it runs on, placing public GPTs at risk of sensitive data exposure, and raising questions about OpenAI’s security on the whole.
    • “The world’s leading AI chatbot is more malleable and multifunctional than most people realize. With some specific prompt engineering, users can execute commands almost like one would in a shell, upload and manage files as they would in an operating system and access the inner workings of the large language model (LLM) it runs on: the data, instructions, and configurations that influence its outputs.
    • “OpenAI argues that this is all by design, but Marco Figueroa, a generative AI (GenAI) bug-bounty programs manager at Mozilla who has uncovered prompt-injection concerns before in ChatGPT, disagrees.
    • “They’re not documented features,” he says. “I think this is a pure design flaw. It’s a matter of time until something happens, and some zero-day is found,” by virtue of the data leakage.”
  • Per AI Business,
    • “When most people think of AI-generated deepfakes, they probably think of videos of politicians or celebrities being manipulated to make it appear as though they said or did something they didn’t. These can be humorous or malicious. When deepfakes are in the news, for instance, it is usually in connection to a political misinformation campaign.
    • “What many people don’t realize, however, is that the malicious use of deepfakes extends well beyond the political realm. Scammers are increasingly adept at using real-time deepfakes to impersonate individuals with certain permissions or clearances, thus granting them access to private documents, sensitive personal data and customer information.” * * *
    • “Governments and businesses are taking deepfakes more and more seriously. Protecting against this kind of manipulation requires a combination of technological solutions and personnel-based ones. First and foremost, a regular red-teaming process must be in place. Stress-testing deepfake detection systems with the latest deepfake technology is the only way to make sure a given detection system is working properly.
    • “The second essential aspect of defending against deepfakes is educating employees to be skeptical of videos and video conferences with requests that seem too drastic, urgent, or otherwise out of the ordinary. A culture of moderate skepticism is part of security awareness and preparedness alongside solid security protocols. Often the first line of defense is common sense and person-to-person verification. This can save companies millions and their cybersecurity teams hundreds of hours.
    • “Alongside technological solutions, the best defense against malicious AI is common sense. Businesses that take this two-pronged approach will have a better shot at protecting themselves than businesses that don’t. Considering the speed at which deepfakes are evolving, this is nothing short of critical.”

From the ransomware front,

  • On November 13, the Register reported,
    • “American Associated Pharmacies (AAP) is the latest US healthcare organization to have had its data stolen and encrypted by cyber-crooks, it is feared.
    • “The criminals over at the Embargo ransomware operation claimed responsibility for the hit job, allegedly stealing 1.469 TB of AAP’s data, scrambling its files, and demanding payment to restore the information.
    • “AAP, which oversees a few thousand independent pharmacies in the country, hasn’t officially confirmed an attack, nor has it responded to The Register‘s request for input on the claims. At the time of writing, its website warns all user passwords were recently force-reset. It did not explain why the resets were forced nor mention a cyberattack.
    • “All user passwords associated with both APIRx.com and RxAAP.com have been reset, so existing credentials will no longer be valid to access the sites,” a website notice reads. “Please click ‘forgot password’ on the log in screen and follow the prompts accordingly to reset your password.”
  • Bleeping Computer informs us,
    • “North Korean threat actors target Apple macOS systems using trojanized Notepad apps and minesweeper games created with Flutter, which are signed and notarized by a legitimate Apple developer ID.
    • “This means that the malicious apps, even if temporarily, passed Apple’s security checks, so macOS systems treat them as verified and allow them to execute without restrictions.
    • “The app names are centered around cryptocurrency themes, which aligns with North Korean hackers’ interests in financial theft.
    • “According to Jamf Threat Labs, which discovered the activity, the campaign appears more like an experiment on bypassing macOS security than a fully-fledged and highly targeted operation.”
  • Infosecurity Magazine discusses how ransomware groups use cloud services for data exfiltration.
    • “Alex Delamotte, a threat researcher at SentinelLabs, the cybersecurity provider’s research branch, published The State of Cloud Ransomware in 2024 on November 14.
    • “Cloud services provide an advantage over endpoint and web server-based services by having a smaller attack surface.
    • “However, the ubiquitous use of cloud services makes them attractive to attackers, who have developed new approaches to compromise them.
    • “Despite being designed to securely store, manage, and retrieve large volumes of unstructured data at scale, cloud-based storage services, such as the Amazon Web Services (AWS) Simple Storage Service (S3) or Microsoft Azure Blob Storage, have become prime targets.
    • “S3 buckets are one of the most referenced targets of malicious activity.
    • P.S. S3 Buckets are public cloud storage containers for objects stored in simple storage service (S3). S3 buckets can be likened to file folders and object storage.

From the cybersecurity defenses front,

  • Per Cybersecurity Dive,
    • “Microsoft will disclose vulnerabilities under the Common Security Advisory Framework, a move designed to help customers respond and remediate CVEs in a more efficient manner, the company said this week.  
    • “CSAF is a format that is machine readable, which helps organizations digest the CVEs faster and in larger volumes. Customers will still be able to get CVE updates through the Microsoft security update guide or through an API based on the Common Vulnerability Reporting Framework. The CVRF serves as the standard for disclosing vulnerability information. 
    • “The CSAF rollout represents the third in a series of changes to make vulnerability disclosure more transparent at Microsoft. The company in June announced Cloud Service CVEs and in April said it would publish root cause analysis using the Common Weakness Enumeration standard.”
  • HHS’s 405(d) program released an Operational Continuity Cyber Incident Checklist.
  • Here is a link to Dark Reading’s CISO Corner.
  • Bleeping Computer lets us know,
    • “Bitdefender has released a decryptor for the ‘ShrinkLocker’ ransomware strain, which uses Windows’ built-in BitLocker drive encryption tool to lock victim’s files.
    • “Discovered in May 2024 by researchers at cybersecurity company Kaspersky, ShrinkLocker lacks the sophistication of other ransomware families but integrates features that can maximize the damage of an attack.
    • “According to Bitdefender’s analysis, the malware appears to have been repurposed from benign ten-year-old code, using VBScript, and leverages generally outdated techniques.”