Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cyberscoop reports,
    • “Protecting Americans’ health data and strengthening cybersecurity protections throughout the health care sector is the focus of a bill introduced Friday from a bipartisan quartet of Senate lawmakers.
    • “The Health Care Cybersecurity and Resiliency Act of 2024 (S.5390) is the culmination of a yearlong effort from Sens. Bill Cassidy, R-La., Maggie Hassan, D-N.H., John Cornyn, R-Texas, and Mark Warner, D-Va., who formed a working group in November 2023 to examine cyber issues in health care.
    • “Under the umbrella of the Senate Health, Education, Labor and Pensions Committee, the senators aimed to address a staggering stat from the Health and Human Services Department, which found that 89 million Americans’ health information was breached last year, more than twice as many as in 2022.  
    • “In an increasingly digital world, it is essential that Americans’ health care data is protected,” Cornyn said in a statement. “This commonsense legislation would modernize our health care institutions’ cybersecurity practices, increase agency coordination, and provide tools for rural providers to prevent and respond to cyberattacks.” 
  • and
    • “A bill that would require federal contractors to implement vulnerability disclosure policies that comply with National Institute of Standards and Technology guidelines cleared a key Senate panel Wednesday, setting the bipartisan legislation up for a vote before the full chamber.
    • “The Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024 (S. 5028) from Sens. Mark Warner, D-Va., and James Lankford, R-Okla., sailed through the Senate Homeland Security and Governmental Affairs Committee, after a companion bill from Rep. Nancy Mace, R-S.C., passed the House Oversight Committee in May.
    • “The bill from Warner and Lankford would formalize a structure for contractors to receive vulnerability reports about their products and take action against them ahead of an attack. In announcing the legislation in August, Warner said that vulnerability disclosure policies, or VDPs, “are a crucial tool used to proactively identify and address software vulnerabilities,” and that this bill would “better protect our critical infrastructure and sensitive data from potential attacks.”
    • “Federal law mandates that civilian federal agencies have VDPs, but no standard currently exists for federal contractors. The legislation would require contractors to accept, assess and manage any vulnerability reports that they receive.”
  • and
    • “A Russian man who allegedly served as an administrator of the Phobos ransomware that’s extorted millions of dollars from more than a thousand victims is in U.S. custody, the Justice Department said Monday.
    • “South Korea extradited Evgenii Ptitsyn, 42, to the United States for a court appearance Nov. 4, according to a news release about an unsealed 13-count indictment.
    • “The Phobos ransomware has extorted over $16 million from more than 1,000 victims worldwide, including schools, hospitals, government agencies and large corporations, DOJ said. The department chalked up the arrest to international team-ups.”

From the cybersecurity vulnerabilities and breaches front,

  • Per a Cybersecurity and Infrastructure Security Agency press release,
    • “The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Homeland Security Systems Engineering and Development Institute (HSSEDI), operated by MITRE, has released the 2024 CWE Top 25 Most Dangerous Software Weaknesses. This annual list identifies the most critical software weaknesses that adversaries frequently exploit to compromise systems, steal sensitive data, or disrupt essential services.
    • “Organizations are strongly encouraged to review this list and use it to inform their software security strategies. Prioritizing these weaknesses in development and procurement processes helps prevent vulnerabilities at the core of the software lifecycle.”
  • CISA added eight known exploited vulnerabilities to its catalog this week.
  • Cybersecurity Dive adds,
    • “Palo Alto Networks customers are confronting another actively exploited zero-day, a critical authentication bypass vulnerability in the security vendor’s PAN-OS operating system, which runs some of the company’s firewalls, the company said Monday in an updated security advisory.
    • “Palo Alto Networks has identified threat activity targeting a limited number of device management web interfaces,” the security vendor’s threat intelligence firm Unit 42 said in a Monday threat brief. “Observed post-exploitation activity includes interactive command execution and dropping malware, such as webshells, on the firewall.”
    • “The vulnerability, CVE-2024-0012, has a CVSS score of 9.3 and allows an unauthenticated attacker with network access to the management web interface to gain administrator privileges or tamper with the configuration. Active exploitation of the CVE can also allow attackers to exploit other authenticated privilege escalation vulnerabilities, such as CVE-2024-9474, which has a CVSS score of 6.9.” 
  • Security Week adds,
    • “Apple has rushed out major macOS and iOS security updates to cover a pair of vulnerabilities already being exploited in the wild.
    • “The vulnerabilities, credited to Google’s TAG (Threat Analysis Group), are being actively exploited on Intel-based macOS systems, Apple confirmed in an advisory released on Tuesday.
    • “As is customary, Apple’s security response team did not provide any details on the reported attacks or indicators of compromise (IOCs) to help defenders hunt for signs of infections.
    • “Raw details on the patched vulnerabilities:
      • CVE-2024-44308 — JavaScriptCore — Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.
      • CVE-2024-44309 — WebKit — Processing maliciously crafted web content may lead to a cross-site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.
    • “The company urged users across the Apple ecosystem to apply the urgent iOS 18.1.1macOS Sequoia 15.1.1 and the older iOS 17.7.2.”
  • Cybersecurity Dive lets us know,
    • “Password-spray attacks yielded prolific results for attackers across multiple sectors in North America and Europe during Q2 and Q3, the Trellix Advanced Research Center said in a Wednesday research report.
    • “The attack surface for password-spray attacks is vast, Trellix found. Attackers commonly target cloud-based systems, including Microsoft 365, Okta, Google Workspace, VPNs, Windows Remote Desktop, AWS, Google Cloud Platform and Microsoft Azure.
    • “Attackers most frequently targeted password-spray attacks at education, energy and transportation organizations during the six-month period, the report found.”
  • HHS Health Sector Cybersecurity Coordination Center offers an alert discussing a widespread phishing campaign abusing DocuSign software by impersonating well-known brands. The alert offers tips for avoiding this scam.
  • Dark Reading lets us know,
    • “Microsoft seized 240 domains belonging to ONNX, a phishing-as-a-serviceplatform that enabled its customers to target companies and individuals since 2017.
    • “ONNX was the top adversary-in-the-middle (AitM) phishing service, according to Microsoft’s “Digital Defense Report 2024,” with a high volume of phishing messages during the first six months of this year. Millions of phishing emails targeted Microsoft 365 accounts each month, and Microsoft has apparently had enough.”

From the ransomware front,

  • The American Hospital Association News reports,
    • joint advisory released Nov. 20 by the Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency and international partners warns of cybercriminal activity by the BianLian ransomware group. The agencies said actions by BianLian actors have impacted multiple sectors across the U.S. since 2022. They operate by gaining access to victims’ systems through valid remote desktop protocol credentials and use open-source tools and command-line scripting for finding and stealing credentials. The actors then extort money from victims by threatening to release the stolen data. 
    • “The BianLian group has been listed as one of the most active groups over the last several years, and they have been known to attack the health care sector,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “The group often uses RDP for access, which serves as a reminder to ensure that hospitals strictly limit the use of RDP and similar services to help mitigate this threat and the many others which use RDP as part of their initial access to penetrate networks. They do not appear to be encrypting networks and disrupting hospital operations. In the event that anyone’s personally identifiable information is stolen and think they may be a victim of identity theft, an excellent resource to help assist them is identitytheft.gov.” 
       
  • Hacker News informs us,
    • “Cybersecurity researchers have shed light on a Linux variant of a relatively new ransomware strain called Helldown, suggesting that the threat actors are broadening their attack focus.
    • “Helldown deploys Windows ransomware derived from the LockBit 3.0 code,” Sekoia said in a report shared with The Hacker News. “Given the recent development of ransomware targeting ESX, it appears that the group could be evolving its current operations to target virtualized infrastructures via VMware.”
    • “Helldown was first publicly documented by Halcyon in mid-August 2024, describing it as an “aggressive ransomware group” that infiltrates target networks by exploiting security vulnerabilities. Some of the prominent sectors targeted by the cybercrime group include IT services, telecommunications, manufacturing, and healthcare.
    • “Like other ransomware crews, Helldown is known for leveraging data leak sites to pressure victims into paying ransoms by threatening to publish stolen data, a tactic known as double extortion. It’s estimated to have attacked at least 31 companies within a span of three months.”
  • Per Dark Reading,
    • “The Akira ransomware group has updated its data-leak website on Nov. 13-14, listing more than 30 of its latest victims — the highest single-day total since the gang first began its malicious operations in March of last year.
    • “The group spares no one, targeting a variety of industries globally, and operates using a ransomware-as-a-service (RaaS) model, stealing sensitive data before encrypting it.
    • “Twenty-five of the latest victims are from the United States, two are from Canada, and the remaining originate from Uruguay, Denmark, Germany, the UK, Sweden, the Czech Republic, and Nigeria.
    • “The researchers at Cyberint found that the business services sector was most frequently targeted by the group, with 10 of its most recent victims belonging to that industry. Other affected sectors include manufacturing, construction, retail, technology, education, and critical infrastructure.” 
  • Security Intelligence tells us,
    • “Any good news is welcomed when evaluating cybercrime trends year-over-year. Over the last two years, IBM’s Threat Index Reports have provided some minor reprieve in this area by showing a gradual decline in the prevalence of ransomware attacks — now accounting for only 17% of all cybersecurity incidents compared to 21% in 2021.
    • “Unfortunately, it’s too early to know if this trendline will continue. A recent report released by Searchlight Cyber shows that there has been a 56% increase in active ransomware groups in the first half of 2024, providing convincing evidence that the fight against ransomware is far from over.”

From the cybersecurity defenses front,

  • Per Cybersecurity Dive,
    • “Artificial intelligence could ease pernicious labor challenges facing the healthcare sector, but health systems will need to boost their cybersecurity spending to manage increased risks, according to a report by Moody’s Ratings. 
    • “The emerging technology could help recruit and retain staff through tools that help nurses pick more flexible schedules or assist clinicians documenting clinical care, according to the credit ratings agency. 
    • “But new technology also brings more vulnerabilities for hackers to exploit — already a challenge for the healthcare industry, which is dependent on IT systems that house sensitive and valuable patient data.”
  • and
    • “Microsoft unveiled the Windows Resiliency Initiative Tuesday, which follows the July global IT outage linked to a faulty CrowdStrike software update, according to a blog post from David Weston, VP of enterprise and OS security at Microsoft. The effort is intended to advance the company’s prior efforts to overhaul its security culture.
    • “We are committed to ensuring that Windows remains the most reliable and resilient open platform for our customers,” Weston said in the blog. 
    • “Microsoft will allow IT administrators to make changes to Windows Update on PCs, even if the machines are unable to boot up. Administrators will not require physical access to the machines to make the necessary changes. 
    • “The service will be available to the Windows Insider Program community starting in early 2025.”
  • Cyberscoop reports,
    • “Professional liability insurance is designed to protect executives against claims of negligence or inadequate work arising from their services. Companies often use these policies to safeguard a business’s financial assets from the potentially high costs of lawsuits and settlements in the event someone alleges executives have failed to uphold their duties. The policies often cover CEOs, CFOs, and other board members, but often fail to include CISOs. 
    • “New Jersey-based insurer Crum & Forster is looking to change that. The company recently unveiled a policy specifically designed to shield CISOs from personal liability. 
    • “Nick Economidis, vice president of eRisk at Crum & Forster, told CyberScoop that the company saw an opportunity since CISOs may not be recognized as corporate officers under a directors and officers liability policy, which normally covers executive liability. 
    • “CISOs are in a no-win situation,” Economidis said. “If everything goes right, that’s what people expect. If something goes wrong, they’re the person that everybody looks at and they’re left holding the bag. Then, there are potentially significant financial ramifications for them because they’re often not covered by traditional [professional liability] insurance policies.”
  • Here is a link to Dark Reading’s CISO Corner.
  • An ISACA commentator explains how to grow cyber defenses from seed to system using a plant pathology approach.
  • Dark Reading offers a commentary on the importance of learning from cybersecurity mistakes.
    • “Despite massive investments in cybersecurity, breaches are still on the rise, and attackers seem to evolve faster than defenses can keep up. The IBM “Cost of a Data Breach Report 2024” estimates the average global breach cost has reached a staggering $4.88 million. But the true damage goes beyond the financial — it’s about how quickly your organization can recover and grow stronger. Focusing only on prevention is outdated. It’s time to shift the mindset: Every breach is an opportunity to innovate.”