From the cybersecurity policy and law enforcement front,
- Fedscoop reports,
- “Legislation to improve federal agency oversight and management of software purchases passed the House on Wednesday [December 4], keeping top IT and software trade groups’ hopes alive that the bill will get through the Senate and become law before this congressional term is up.
- “The Strengthening Agency Management and Oversight of Software Assets Act (H.R.1695) was introduced by Rep. Matt Cartwright, D-Pa., last year and co-sponsored by a bipartisan group of 20 House lawmakers.
- “Calling the rooting out of waste, fraud and abuse a “signal mission” of the House Oversight Committee, Cartwright said the bill would ensure that federal agencies are required to conduct a “comprehensive assessment of their current software assets and restructure their operations to reduce unnecessary costs.”
- “Our federal government spends billions of taxpayer dollars every year on software licenses alone. Most of these software license purchases are purposeful, but some are redundant, duplicative, simply unnecessary,” he said. “This commonsense bill will reduce waste, strengthen cybersecurity and modernize government operations.”
- Cyberscoop adds,
- “Private-sector tech leaders told House lawmakers Thursday [December 5] that the Cybersecurity and Infrastructure Security Agency’s [CISA] secure-by-design push may benefit from more of an incentive structure, but poorly trained developers remain “a real problem” for the nearly two-year-old initiative.
- “The four witnesses testifying before the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection all characterized CISA’s voluntary secure-by-design pledge as a net positive that has resulted in significant industry-wide progress. The question posed by subcommittee Chair Andrew Garbarino, R-N.Y., and ranking member Eric Swalwell, D-Calif., was how the initiative could level up and better enhance cybersecurity across more U.S. sectors.
- “Shane Fry, chief technology officer at RunSafe Security, acknowledged that CISA’s secure-by-design program — which now counts over 250 companies as signees — “is making a lot of waves.” But there’s a missing piece, Fry said, in limiting the program to IT systems and not addressing operational technology device manufacturers.
- “Let’s work with Congress and find a good way, or CISA to find a good way, to incentivize these companies to actually secure their systems,” Fry said. “Because I think limiting it to just IT systems is a little bit short-sighted.”
- Cybersecurity Dive lets us know,
- Federal Communications Commission Chair Jessica Rosenworcel on Thursday [December 5] proposed stronger rules requiring telecom operators to secure their networks from intrusions, in response to the wave of China-linked attacks on U.S. carriers’ infrastructure.
- The measure has two parts. Rosenworcel proposed a declaratory ruling to clarify telecom operators are legally obligated to secure their networks under Section 105 of the Communications Assistance for Law Enforcement Act. The second lever, a notice of proposed rulemaking, includes an annual certification requirement for telecom providers to maintain cybersecurity risk management plans.
- “While the commission’s counterparts in the intelligence community are determining the scope and impact of the Salt Typhoon attack, we need to put in place a modern framework to help companies secure their networks and better prevent and respond to cyberattacks in the future,” Rosenworcel said in a statement Thursday.
- Dark Reading tells us,
- “Chasing down members of Scattered Spider, the cybercrime group known for their social engineering takedowns of massive organizations, has been a top law enforcement priority over the past several months. Now, the Federal Bureau of Investigation has made a new arrest in the case, a 19-year-old hacker living in Fort Worth, Texas — and he’s talking.
- “Remington Goy Ogletree is accused of a phishing operation that ran from October 2023 to last May, when, according to the complaint, he was able to gain credentials and unauthorized access to two telecommunications companies and one US-based national bank. He then stole data, including API keys and cryptocurrency, and sold off access to other threat actors on the Dark Web, according to the indictment.
- “He is also accused of hijacking one of the telecommunications platforms to send about 8.5 million phishing texts in an attempt to steal cryptocurrency. Ogletree likewise allegedly used a hacked telecom network to send phishing messages to employees of an unidentified financial institution with the intent to steal their credentials. The FBI complaint added that Ogletree hacked into a second telecommunications organization to send an additional 140,000 fraudulent phishing text messages.”
- Per Department of Health and Human Services press releases,
- “[On December 3], the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $1.19 million civil monetary penalty against Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute (Gulf Coast Pain Consultants) in Florida, concerning violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, following receipt of a breach report that a former contractor for the company had impermissibly accessed their electronic record system. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that health plans, health care clearinghouses, and most health care providers, and their business associates must follow to protect the privacy and security of protected health information (PHI).” * * *
- “In August 2024, OCR issued a Notice of Proposed Determination seeking to impose a civil money penalty. Gulf Coast waived its right to a hearing and did not contest OCR’s findings. Accordingly, OCR imposed a civil money penalty of $1,190,000.
- “The Notice of Proposed Determination may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/gulf-coast-pain-consultants-npd/index.html
- “The Notice of Final Determination may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/gulf-coast-pain-consultants-nfd/index.html”
- and
- “[On December 5], the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $548,265 civil monetary penalty against Children’s Hospital Colorado, concerning violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules following receipt of breach reports in 2017 and 2020, relating to email phishing and cyberattacks. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that covered entities (health plans, health care clearinghouses, and most health care providers), and business associates must follow to protect the privacy and security of protected health information (PHI).” * * *
- “In June 2024, OCR issued a Notice of Proposed Determination seeking to impose a civil money penalty. Children’s Hospital Colorado waived its right to a hearing and did not contest OCR’s findings. Accordingly, OCR imposed a civil money penalty of $548,265.
- “The Notice of Proposed Determination can be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/childrens-hospital-colorado-npd/index.html.
- “The Notice of Final Determination can be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/childrens-hospital-colorado-nfd/index.html.”
From the cybersecurity vulnerabilities and breaches front,
- STAT News reports,
- “As many as 172 million individuals — more than half the population of the United States — may have been impacted by large health data breaches reported to the Department of Health and Human Services in 2024, according to a STAT analysis of records from HHS’ Office for Civil Rights. It’s a new record for the scale of large health care breaches, breaking one set just last year.
- “The vast majority of those health data breaches — 532 of the 656 reported as of December 4 — have resulted from hacks and ransomware attacks, continuing a years-long trend. Since 2018, HHS has reported, it has seen a 264% increase in large ransomware breaches, and seven health systems have been fined up to $950,000 for failing to protect patients’ protected health information from ransomware attacks.” * * *
- “It’s unlikely that 172 million Americans had their health data exposed in breaches reported this year. There are overlaps in the individuals included in each breach. And after an attack, covered entities have to report that individual data was compromised unless they can actively prove that it wasn’t. “In ransomware, it’s hard to prove that the data was not exfiltrated,” said Jigar Kadakia, chief information security and privacy officer for Atlanta-based Emory Healthcare. “That’s where the escalation has been probably in the last three years.”
- The Wall Street Journal adds,
- “Data breaches at healthcare organizations have become common in recent years. But what do hackers want with your health information, anyway?
- “Usually, hackers break into providers’ networks looking for a ransom, doing things like locking the provider out of its own computer systems or threatening to release its data online. But they are also looking for patient data.
- “Healthcare records have personal information that hackers are always eager to grab, like addresses and credit-card numbers. But the records also hold an array of private information about patients, ranging from insurance-policy numbers to medical conditions to medications—data that lets crooks scam insurance companies and Medicare and Medicaid, leaving patients exposed to steep financial and medical risk.
- “They give hackers a full picture to commit insurance fraud, identity theft or other malicious activity in the future,” says John Riggi, the national adviser for cybersecurity and risk at the American Hospital Association, a trade organization that represents 90% of the hospitals in the U.S.
- “What’s more, the theft of health records can have a longer-lasting impact on victims than regular financial fraud or identity theft, because the information in those records is harder to detect and more challenging to correct when misused.
- Per the Wall Street Journal,
- “Chinese government hackers have compromised telecommunications infrastructure across the globe as part of a massive espionage campaign that has affected dozens of countries, a top U.S. security official said Wednesday.
- “Speaking during a press briefing Wednesday, Anne Neuberger, President Biden’s deputy national security adviser for cyber and emerging technology, said the so-called Salt Typhoon campaign is ongoing and that at least eight telecommunications firms in the U.S. had been breached.
- “The Chinese compromised private companies, exploiting vulnerabilities in their systems as part of a global Chinese campaign that’s affected dozens of countries around the world,” Neuberger said.”
- CISA added four known exploited vulnerabilities to its catalog this week.
- December 3, 2024
- CVE-2023-45727 North Grid Proself Improper Restriction of XML External Entity (XEE) Reference Vulnerability
- CVE-2024-11680 ProjectSend Improper Authentication Vulnerability
- CVE-2024-11667 Zyxel Multiple Firewalls Path Traversal Vulnerability
- December 4, 2024
- CVE-2024-51378 CyberPanel Incorrect Default Permissions Vulnerability
- Cybersecurity Dive adds,
- “Multiple government authorities and security researchers are warning about a directory traversal vulnerability in Zyxel Networks firewalls that threat actors are actively exploiting to deploy Helldown ransomware.
- “The vulnerability, listed as CVE-2024-11667, with a CVSS score of 7.5, is located in the web management interface of Zyxel ZLD firewall firmware versions 5.00 through 5.38, and could allow an attacker to download or upload files through a crafted URL. The Cybersecurity and Infrastructure Security Agency on Tuesday added the CVE to its known exploited vulnerabilities catalog.
- “Zyxel, in a blog post, confirmed it is aware of recent attempts to exploit the vulnerability, following disclosures from security researchers at Sekoia. The company is urging users to immediately update their firmware and change their admin passwords.”
From the ransomware front,
- CBS News reported on December 4,
- PIH Health [located in southern California] was targeted in a ransomware attack, forcing officials to completely shut their network offline and leaving millions in the dark when it comes to healthcare.
- Families are being told that they can either wait it out for systems to turn back online, or to go to another hospital for treatment because of the issue, which happened over the weekend.
- Officials say that they were targeted on Sunday by a “criminal act” that “compromised their network.” In turn, network services were turned off at their hospitals in Downey, Whittier and downtown LA.
- While urgent care centers and emergency room remained open, patients and physicians were left without access to health records, laboratory systems, pharmacy orders and radiation access. On top of that, internet access and phone lines were completely turned off.
- Cybersecurity News informs us,
- “Black Basta ransomware operators have improved their tactics, leveraging Microsoft Teams to deploy Zbot, DarkGate, and Custom Malware.
- “The ongoing social engineering campaign comprises a threat actor flooding a user’s inbox with junk and contacting the user to offer assistance.
- “Researchers observed that threat actors used Microsoft Teams as their primary medium for initial communication with the target.
- “Suppose the user responds to the lure by answering the call or sending a message. In that case, the threat actor will try to persuade them to install or run a remote management (RMM) program, such as QuickAssist, AnyDesk, TeamViewer, Level, or ScreenConnect, among others.
- “After establishing a remote connection, the threat actor proceeds to download payloads from their infrastructure to obtain the credentials of the affected users and continue to persistently target their assets.
- “The overall goal following initial access appears to be the same: to quickly enumerate the environment and dump the user’s credentials. Operators will still attempt to steal any available VPN configuration files, when possible,” Rapid7 said in a report shared with Cyber Security News.”
From the cybersecurity defenses front,
- Techradar tells us,
- “US authorities are urging Americans to use encrypted messaging apps to secure their sensitive data against foreign attackers.
- “The security call comes in the wake of an “unprecedented cyberattack” on the country’s telecoms companies, NBC News reported. The attack is considered among the largest intelligence compromises in US history and isn’t yet fully fixed.
- “The China-linked Salt Typhoon group was first spotted targeting US telecoms with a new backdoor malware a few months ago. It has reportedly hacked the likes of AT&T, Verizon, and Lumen Technologies to spy on their customers’ activities.”
- Cybersecurity Dive adds, “T-Mobile undeterred as telecom sector reels from attack campaign. Cybersecurity Dive spoke with CSO Jeff Simon about how the carrier says it thwarted a threat group resembling Salt Typhoon despite its past security failures.”
- The Wall Street Journal asks, “Do Your Passwords Meet the Proposed New Federal Guidelines? New standards want to make passwords secure—but also more user-friendly.”
- “The key to password security, the standards institute emphasizes, is length rather than special characters. The guidelines recommend passwords be at least eight characters long while suggesting organizations push for a minimum of 15 characters. The shorter minimum is acceptable when combined with multifactor authentication, Regenscheid says, which most federal websites now require when accessing personal information. That means having two different ways to confirm identity, not just the password itself.
- “The institute also suggested a maximum length of at least 64 characters, a number Regenscheid calls “fairly arbitrary” but sufficient for security needs. Systems need some upper limit to prevent malicious users from trying to overwhelm servers with extremely long passwords, he says, and do things like download sensitive data from databases.
- “The emphasis on length over complexity reflects decades of research showing longer passwords are significantly harder to crack. “A truly randomly chosen 24-character password is not going to be broken,” says Stuart Schechter, an associate at Harvard’s School of Engineering and Applied Sciences. “That’s long enough that it’s not likely to be broken in the lifespan of the universe.
- “When it comes to creating long, strong passwords, research shows that both random strings of characters and random sequences of words can work well. “People’s brains work differently, and our tech should be designed to help you achieve your desired level of security with the option that works best for you,” Schechter says. His research found most people can memorize either type effectively.
- “But it is a time-consuming process, and it isn’t clear how many passwords people can remember, Schechter says, so he uses the password manager built into his browser, an option available in browsers like Safari and Chrome. While some security experts push for stand-alone password managers that must be purchased separately, Schechter argues that built-in browser options are a good solution for most people’s needs and are very secure.”
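The length rules the article describes (a minimum of 8 characters when multifactor authentication is also required, 15 otherwise, and a cap of at least 64) can be expressed as a small policy check; the example below, written for this post and not taken from the article or from NIST, also puts numbers on the "24 random characters" claim by comparing the entropy of a random string with that of a random word sequence. The 95-symbol printable alphabet and the 7776-word list size are assumptions, not figures from the article.

```python
import math

# Length rules from the article: 8 characters is acceptable only when MFA is
# enforced, organizations should push for 15, and the system must accept at
# least 64. The 64-character cap itself is an assumption for this example;
# the article only says the maximum should be "at least 64".
MIN_LEN_WITH_MFA = 8
MIN_LEN_RECOMMENDED = 15
MAX_LEN = 64


def check_password_policy(password: str, mfa_enforced: bool) -> list[str]:
    """Return the list of policy violations; an empty list means accepted.

    No composition rules (digits, special characters) are applied: the
    guidance emphasizes length over complexity, so only length is checked.
    """
    problems = []
    n = len(password)  # characters, not bytes, so long Unicode passphrases are fair
    if n > MAX_LEN:
        problems.append(f"longer than the {MAX_LEN}-character cap")
    minimum = MIN_LEN_WITH_MFA if mfa_enforced else MIN_LEN_RECOMMENDED
    if n < minimum:
        problems.append(f"shorter than the {minimum}-character minimum")
    return problems


def random_string_entropy_bits(length: int, alphabet_size: int = 95) -> float:
    """Entropy of a uniformly random string over `alphabet_size` symbols.

    95 is the number of printable ASCII characters (assumed alphabet).
    """
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(words: int, wordlist_size: int = 7776) -> float:
    """Entropy of `words` words drawn uniformly from a list of `wordlist_size`.

    7776 is the size of a standard diceware-style list (assumed, not from the article).
    """
    return words * math.log2(wordlist_size)


def words_to_match(target_bits: float, wordlist_size: int = 7776) -> int:
    """Smallest number of random words whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    # Constructed sample inputs for illustration only.
    print(check_password_policy("correct horse", mfa_enforced=True))   # accepted
    print(check_password_policy("correct horse", mfa_enforced=False))  # too short
    bits = random_string_entropy_bits(24)
    print(f"24 random printable characters: {bits:.1f} bits")
    print(f"random words needed for the same strength: {words_to_match(bits)}")
```

The comparison shows why the article's two approaches both work: 24 random characters carry roughly 158 bits, and about 13 random words from a 7776-word list reach the same strength.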
- Per a CISA press release,
- “The Cybersecurity and Infrastructure Security Agency (CISA) published the updated version of the Trusted Internet Connections (TIC) 3.0 Security Capabilities Catalog (SCC) version 3.2. The SCC was recently updated based on the new National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) Version 2.0 mapping updates.
- “The TIC 3.0 SCC provides a list of deployable security controls, security capabilities, and best practices. The catalog is intended to guide secure implementations and help agencies satisfy program requirements within discrete networking environments.
- “Further, the SCC helps agencies to apply risk management principles and best practices to protect federal information in various computing scenarios. The trust considerations presented in the TIC 3.0 Reference Architecture can be further applied to an agency’s implementation of a given use case to determine the level of rigor required for each security capability. In some cases, the security capabilities may not adequately address residual risks necessary to protect information and systems; agencies are obligated to identify and apply compensating controls or alternatives that provide commensurate protections. Additional collaboration with vendors is necessary to ensure security requirements are adequately fulfilled, configured, and maintained.”
- Per Cybersecurity Dive,
- “Protecting the cloud: combating credential abuse and misconfigurations. To defend against two of today’s biggest cloud security threats, organizations must adapt and develop proactive strategies, Google Cloud’s Brian Roddy writes [in an opinion piece].”
- and
- “For IT pros, the CrowdStrike crisis was a ‘call to arms’. The global outage triggered investments in people, processes and technologies to beef up enterprise resilience, Adaptavist research found.”
- Here is a link to Dark Reading’s CISO Corner.