Cybersecurity Saturday

From the cybersecurity policy and law enforcement front

  • Cyberscoop reports,
    • “The $3 billion that Congress folded into the annual defense policy bill to remove Chinese-made telecommunications technology from U.S. networks would be a huge start to defending against breaches like the Salt Typhoon espionage campaign, senators and hearing witnesses said Wednesday.
    • “Federal Communications Commission Chairwoman Jessica Rosenworcel recently told Hill leaders that the $1.9 billion Congress had devoted to the “rip and replace” program to get rid of Huawei and ZTE equipment left the agency with a $3.08 billion hole to reimburse 126 carriers for eliminating use of that tech, “putting our national security and the connectivity of rural consumers who depend on these networks at risk.”
    • “The fiscal 2025 National Defense Authorization Act (NDAA), which passed the House by a 281-140 vote Wednesday, contains language authorizing funds to fill that gap. Sen. Ben Ray Luján, the New Mexico Democrat who chairs the Commerce Subcommittee on Communications, Media and Broadband, said at Wednesday’s hearing of his panel that Congress should approve that funding even though there’s much still unknown about the attacks from the Chinese government hackers known as Salt Typhoon.
    • “What we do know is that more must be done to prevent attacks like this in the future,” he said. “One obvious thing we can do today is get equipment manufactured by companies that collaborate with our foreign adversaries out of our American networks. … I’m hopeful that there’s strong bipartisan agreement to fully fund this program through this year’s National Defense Authorization Act and address one of the major known vulnerabilities facing our networks every day once and for all.”
  • Federal News Network discusses the Defense Department cybersecurity provisions found in the Fiscal Year 2025 NDAA, which is expected to clear the Senate next week.
  • Per a December 10, 2024, press release,
    • [T]he U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Inmediata Health Group, LLC (Inmediata), a health care clearinghouse, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, following OCR’s receipt of a complaint that HIPAA protected health information was accessible to search engines like Google, on the internet. * * *
    • “In 2018, OCR received a complaint concerning PHI left unsecured on the internet. Following the initiation of OCR’s investigation, Inmediata provided breach notification to HHS, and affected individuals. OCR’s investigation determined that from May 2016 through January 2019, the PHI of 1,565,338 individuals was made publicly available online. The PHI disclosed included patient names, dates of birth, home addresses, Social Security numbers, claims information, diagnosis/conditions and other treatment information.” * * *
    • “Under the terms of the settlement, Inmediata paid OCR $250,000. OCR determined that a corrective action plan was not necessary in this resolution as Inmediata had previously agreed to a settlement with 33 states that includes corrective actions that address OCR’s findings in this matter.” * * *
    • “The resolution agreement may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/inmediata-health-group-ra-cap/index.html”
  • Cyberscoop tells us,
    • “A federal court has indicted 14 more North Korean IT workers as part of an ongoing U.S. government campaign to crack down on Pyongyang’s use of tech professionals to swindle American companies and nonprofits.
    • “The Justice Department said the 14 indicted workers generated at least $88 million throughout a conspiracy that stretched over approximately six years, ending in March 2023. North Korea-controlled companies in China and Russia — Yanbian Silverstar and Volasys Silverstar, respectively — used the so-called “IT Warriors” to obtain false U.S. identities, pose as employees doing remote IT work in the United States and transfer funds from their employers to eventually end up in the hands of the North Korean government, according to the indictment. 
    • “When the defendants gained access to a U.S. employer’s sensitive business information, the defendants in some instances extorted payments from the employer by threatening to release, and in some cases releasing, that sensitive information online,” per the indictment, which the DOJ publicized Thursday [December 12].
    • “The U.S. District Court of the Eastern Division of Missouri handed down the indictment. In addition to the indictment, the State Department announced rewards of up to $5 million for individuals and companies involved in the scheme.”
  • and
    • The Justice Department announced Thursday [December 12] that it had participated in a coordinated effort to seize and dismantle Rydox, an online marketplace for stolen personal information and cybercrime tools. The operation led to the arrest of three individuals alleged to be the site’s administrators.
    • Rydox has been linked to over 7,600 illicit sales and generated substantial profits since its inception in 2016. Authorities reported the site’s revenue exceeded $230,000, primarily sourced from selling sensitive data such as credit card information, login credentials, and other PII stolen from thousands of U.S. residents. The site has offered for sale at least 321,372 cybercrime products to over 18,000 users.
    • The operation was carried out by the FBI’s Pittsburgh Office, Albania’s Special Anti-Corruption Body (SPAK) and its National Bureau of Investigation (BKH), the Kosovo Special Prosecution Office, the Kosovo Police, and the Royal Malaysian Police.
    • Kosovo nationals Ardit Kutleshi, 26, and Jetmir Kutleshi, 28, were apprehended in Kosovo. They will be extradited to the Western District of Pennsylvania to face multiple charges, including identity theft and money laundering. A third man, Shpend Sokoli, also from Kosovo, was detained in Albania. Sokoli will be prosecuted in Albania.

From the cyber vulnerabilities and breaches front,

  • HHS’s Health Sector Cybersecurity Coordination Center released on December 9 its bulletin about November vulnerabilities of interest to the health sector.
  • Bleeping Computer informs us,
    • “Citrix Netscaler is the latest target in widespread password spray attacks targeting edge networking devices and cloud platforms this year to breach corporate networks.
    • “In March, Cisco reported that threat actors were conducting password spray attacks on the Cisco VPN devices. In some cases, these attacks caused a denial-of-service state, allowing the company to find a DDoS vulnerability they fixed in October.
    • “In October, Microsoft warned that the Quad7 botnet was abusing compromised TP-Link, Asus, Ruckus, Axentra, and Zyxel networking devices to perform password spray attacks on cloud services. * * *
    • “Today [December 13], Citrix released a security bulletin warning of the uptick in password spray attacks on Netscaler devices and provided mitigations on how to reduce their impact.”
  • The Cybersecurity and Infrastructure Security Agency added two known exploited vulnerabilities to its catalog this week.
  • Bleeping Computer adds,
    • “CISA confirmed today [December 13] that a critical security vulnerability in Cleo Harmony, VLTrader, and LexiCom file transfer software is being exploited in ransomware attacks.
    • “This flaw (tracked as CVE-2024-50623 and impacting all versions before version 5.8.0.21) enables unauthenticated attackers to gain remote code execution on vulnerable servers exposed online.
    • “Cleo released security updates to fix it in October and warned all customers to “immediately upgrade instances” to address additional potential attack vectors.
    • “The company has not disclosed that CVE-2024-50623 was targeted in the wild; however, on Friday, CISA added the security bug to its catalog of known exploited vulnerabilities, tagging it as being used in ransomware campaigns.” * * *
    • “While the cybersecurity agency didn’t provide any other information regarding the ransomware campaign targeting Cleo servers left vulnerable to CVE-2024-50623 exploits, these attacks are uncannily similar to previous Clop data theft attacks that exploited zero-days in MOVEit Transfer, GoAnywhere MFT, and Accellion FTA in recent years.
    • “Some also believe the flaw was exploited by the Termite ransomware operation. However, it is believed that this link was only made because Blue Yonder had an exposed Cleo software server, and they were breached in a cyberattack claimed by the ransomware gang.”

From the ransomware front,

  • Oh, the humanity! The Wall Street Journal reports,
    • “Doughnut maker Krispy Kreme said a cyberattack detected in late November is still disrupting its online ordering. The attack, which happened shortly before a big annual holiday promotion, comes as other hacks have snarled supply chains in the retail industry.
    • “The company said it is working with outside experts to restore online capabilities and it expects the attack to have a short-term material impact on its business. Krispy Kreme’s physical locations remain open.”
  • In that regard, InfoSecurity Magazine points out,
    • “Ransomware claims reached an all-time high in November 2024, with Corvus Insurance reporting 632 victims claimed on ransomware groups’ data leak sites (DLS).
    • “More than double the monthly average of 307 victims, the November count exceeds the previous peak of 527 victims recorded in May 2024.
    • “According to a December 11 report by Corvus, these record numbers can be attributed to heightened activity by several ransomware groups, especially RansomHub and Akira.”
  • Forbes reports,
    • “Although little is known, in truth, about a cybercriminal actor employing what has become known as the Cloak ransomware threat, the group has risen rapidly to gain status as a significant player in the ransomware landscape since first emerging in 2022.
    • “Threat researchers at Halcyon have now analyzed the Cloak ransomware threat and uncovered a new and worrying variant that not only displays “sophisticated extraction and privilege escalation mechanisms” but also terminates processes related to both security and data backup tools. This new Cloak variant, Halcyon warned, can spread by way of dangerous drive-by downloads disguised as legitimate updates like Microsoft Windows installers.”

From the cybersecurity defenses front,

  • HP shares ransomware prevention tips.
  • An ISACA commentator examines approaches to mitigating human cybersecurity risks.
  • Here is a link to Dark Reading’s CISO Corner.