From the retrospection front,
- Bleeping Computer reflects on the fourteen “biggest cybersecurity and cyberattack stories of 2024.”
- Dark Reading queries “What Security Lessons Did We Learn in 2024?”
From the cybersecurity policy and law enforcement front,
- Beckers Hospital Review highlights “six things the proposed changes to HIPAA would require of [HIPAA covered entities and business associates]:
- 1. “Encrypt electronic protected health information ‘with limited exceptions.’
- 2. “Implement multifactor authentication ‘with limited exceptions.’
- 3. “Deploy antimalware software.
- 4. “Establish written procedures to restore EHR systems and data within 72 hours of a cyberattack.
- 5. “Notify certain regulators within 24 hours when an employee’s electronic access to EHR data or systems is changed or terminated.
- 6. “Develop and revise an inventory and network map that illustrates the movement of EHR data through the organization’s systems at least once every 12 months.”
- Dark Reading summarizes themes of the proposed HIPAA Security Rule amendments (some of which are overkill in the FEHBlog’s opinion) and notes
- “The changes to the security rule will cost approximately $9 billion in the first year and $6 billion for years two to five, said Anne Neuberger, deputy national security adviser for cyber and emerging technology, during a Dec. 27 press briefing.
- “The cost of not acting is not only high, it also endangers critical infrastructure and patient safety, and it carries other harmful consequences,” Neuberger said.
- “Stakeholders have 60 days after the nearly 400-page proposal is published to submit comments (early March 2025). HHS will issue the final version of the rule afterward, although a specific date has not yet been set, followed by a compliance date of 180 days. It is also not clear whether work on the changes will continue under the new presidential administration. Even so, healthcare organizations should review proposed requirements and evaluate their existing security programs to prepare.”
- Another Dark Reading article goes into more detail about the proposed rule, which is fitting for a “nearly 400-page proposal.”
- Dark Reading also reports,
- “A US Army soldier was reportedly arrested Dec. 20 in Texas and charged with two counts of unlawful transfer of confidential phone records.
- “Cameron John Wagenius, 20, is suspected of leaking presidential call logs belonging to AT&T and Verizon under an online alias of “Kiberphant0m.”
From the cybersecurity breaches and vulnerabilities front,
- The Wall Street Journal reports,
- “The Treasury Department told lawmakers Monday [December 30, 2024] that a state-sponsored actor in China hacked its systems, accessing several user workstations and certain unclassified documents.
- “The Treasury was informed on Dec. 8 by a third-party software service provider, BeyondTrust, that a threat actor used a stolen key to remotely access certain workstations and unclassified documents, according to a letter reviewed by The Wall Street Journal.
- “Once alerted, the department said it immediately contacted the Cybersecurity and Infrastructure Security Agency and has since worked with law enforcement partners across the government to assess the incident.
- “The compromised BeyondTrust service has been taken offline and there is no evidence indicating the threat actor has continued access to Treasury systems or information,” a spokesperson said.
- “In response, the Chinese embassy in Washington, D.C., denied the Treasury Department’s allegations, and said that its government opposes what it described as U.S. smear tactics without any factual basis.”
- Per Cybersecurity Dive,
- “Weeks after BeyondTrust disclosed an attack spree against a limited number of customers, more than 8,600 instances of the company’s Privileged Remote Access and Remote Support products remain exposed, according to a blog post released Thursday [January 2, 2025] by Censys.
- “BeyondTrust in December warned that an attacker gained access to a limited number of Remote Support SaaS instances utilizing a compromised API key. This week, the U.S. Department of Treasury said a suspected state-linked attacker gained access to a number of workstations and stole unclassified information using a BeyondTrust key.
- “Censys researchers, in the Thursday [January 2, 2025] blog, indicated that not all of the exposed instances are considered vulnerable, because the firm does not have access to the versions involved.”
- The Cybersecurity and Infrastructure Security Agency added one known exploited vulnerability to its catalog this week.
- “December 30, 2024
- “CVE-2024-3393. Palo Alto Networks PAN-OS Malformed DNS Packet Vulnerability”
- Palo Alto Networks offers details on this CVE at this link. It is a denial-of-service flaw in the DNS Security feature: an unauthenticated attacker who sends a malformed DNS packet through the firewall’s data plane can reboot the firewall, and repeated attempts push it into maintenance mode, so administrators who cannot patch immediately should apply the vendor’s interim workaround.
- An ISACA commentator cautions “Overreliance on Automated Tooling is A Big Cybersecurity Mistake.”
- A Dark Reading commentator warns,
- “Despite never-ending data breaches and ransomware attacks, too many companies still rely on the outdated “trust but verify” cybersecurity strategy. This approach assumes that any user or device inside a company’s network can be trusted once it has been verified. The approach has clear weaknesses: Many businesses are putting themselves at additional risk by verifying once, then trusting forever.
- “There was a time when “trust but verify” made sense, namely when networks were self-contained and well-defined. But at some point, perhaps due to the overwhelming volume of devices on a network, the number of patches needing to be applied, user demands, and resource constraints in the cybersecurity team, things began to slip. Initial verification meant the asset was trusted, but no additional verification ever took place.”
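The difference between “verify once, then trust forever” and re-verifying on every request is easier to see in code than in prose. The following is an added illustration, not code from the Dark Reading commentary or from the FEHBlog: a toy session gate in which the verify-once policy trusts anything carrying a valid session, while the continuous policy re-checks device identity, endpoint posture, network location and the age of the last identity proof on each request. The session record, the request sequence, and the 8-hour and 15-minute re-authentication windows are all constructed for the example.

```python
"""Verify-once versus continuous verification of an authenticated session.

Added example (not from the quoted commentary). Every session record, request
and threshold below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    device_id: str
    verified_at: float      # seconds since epoch when identity was last proved (e.g. MFA)
    device_compliant: bool  # endpoint posture reported at verification time
    src_ip: str             # network location seen at verification time


@dataclass
class Request:
    user: str
    device_id: str
    src_ip: str
    device_compliant: bool  # current posture reported by the endpoint agent
    sensitive: bool         # touches a privileged or high-impact function
    now: float


# Assumed policy values for the example.
REAUTH_AFTER = 8 * 3600             # routine requests: re-prove identity every 8 h
SENSITIVE_REAUTH_AFTER = 15 * 60    # sensitive actions: proof must be under 15 min old


def verify_once_gate(session: Session, request: Request) -> bool:
    """'Trust but verify' as commonly practised: a session, once issued, is trusted."""
    return session.user == request.user


def continuous_gate(session: Session, request: Request) -> tuple[bool, str]:
    """Re-evaluate trust on every request. Returns (allowed, reason)."""
    if session.user != request.user or session.device_id != request.device_id:
        return False, "identity/device mismatch"
    if not request.device_compliant:
        return False, "device posture no longer compliant"
    if request.src_ip != session.src_ip:
        return False, "network location changed; re-authentication required"
    age = request.now - session.verified_at
    limit = SENSITIVE_REAUTH_AFTER if request.sensitive else REAUTH_AFTER
    if age > limit:
        return False, "verification stale; step-up required"
    return True, "ok"


# Constructed session: alice proved her identity at t=0 from a compliant laptop.
SESSION = Session(user="alice", device_id="LT-0421", verified_at=0.0,
                  device_compliant=True, src_ip="10.1.2.3")


def run_scenario(session: Session = SESSION) -> list[tuple[str, bool, bool, str]]:
    """Run a constructed request sequence through both gates.

    Returns (label, verify_once_allowed, continuous_allowed, continuous_reason).
    """
    t0 = session.verified_at
    requests = [
        ("just after login",
         Request("alice", "LT-0421", "10.1.2.3", True, False, t0 + 60)),
        ("sensitive action 30 min after login",
         Request("alice", "LT-0421", "10.1.2.3", True, True, t0 + 1800)),
        ("posture drifted 2 h later (agent reports non-compliance)",
         Request("alice", "LT-0421", "10.1.2.3", False, False, t0 + 7200)),
        ("same device, new network 2 h later",
         Request("alice", "LT-0421", "203.0.113.9", True, False, t0 + 7200)),
        ("routine request 10 h later",
         Request("alice", "LT-0421", "10.1.2.3", True, False, t0 + 36000)),
        ("session replayed from an unknown device",
         Request("alice", "LT-9999", "10.1.2.3", True, False, t0 + 60)),
    ]
    results = []
    for label, req in requests:
        once = verify_once_gate(session, req)
        cont, reason = continuous_gate(session, req)
        results.append((label, once, cont, reason))
    return results


if __name__ == "__main__":
    for label, once, cont, reason in run_scenario():
        print(f"{label:60s} verify-once={once!s:5s} continuous={cont!s:5s} ({reason})")
```

The verify-once gate allows all six requests, including the session replayed from a device the user never enrolled; the continuous gate allows only the first. In a real deployment the posture and location signals would come from an endpoint agent and the identity provider rather than from the request itself, but the decision logic is the same: trust is recomputed per request, never cached from the initial login.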
From the ransomware front,
- Cybersecurity Dive lets us know,
- “Rhode Island officials said a ransomware group has begun to leak stolen information from a state social services database following a December attack.
- “In a Monday [December 30, 2024] press conference, Rhode Island Gov. Daniel McKee said the state was informed by Deloitte, which manages the RIBridges program, that hackers had begun to release data on a dark web leak site.
- “The contents of those files are still being analyzed by experts,” McKee told reporters during the briefing. “Identifying what is in those files is a complex process, but they’re working right now to make those identifications.”
- “RIBridges is a state program that administers several social services programs, including Medicaid, Temporary Assistance for Needy Families and other programs.” * * *
- “A threat group called Brain Cipher previously claimed credit for the attack, which was disclosed Dec. 5. The group has been active since June 2024 and leverages the LockBit 3.0 payload for their ransomware payloads, SentinelOne previously told Cybersecurity Dive.
- “The group often uses phishing campaigns to gain initial access to targeted organizations, thus tricking users into downloading malicious files, according to Jon Miller, co-founder and CEO of Halcyon.
- “Once inside, they leverage tools and exploits to move laterally across networks, frequently targeting Windows domain administrator credentials to maximize their reach,” Miller said via email.
- “Researchers from Sophos confirmed Brain Cipher posted detailed information on a leak site claiming credit for the RIBridges database incident.”
- Per Security Week,
- “The Richmond University Medical Center in New York has been investigating a ransomware attack since May 2023 and it recently determined that the incident resulted in a data breach affecting more than 670,000 people.
- “The healthcare facility, which serves residents in Staten Island, New York, suffered significant disruptions in May 2023 after being targeted in a ransomware attack. It took the organization several weeks to restore impacted services.
- “An initial forensic investigation showed that the hospital’s electronic health record systems were not compromised, but it was later determined that other files may have been accessed or exfiltrated from Richmond University Medical Center’s network in early May.
- “Once the investigation determined what files may have been accessed or removed from our network, we located a copy of each file and then undertook a manual review process of those files to determine whether they contained any sensitive personal information or personal health information,” the hospital said in a security incident notice.”
- Healthcare IT News adds,
- “Ransomware attacks are having a severe impact on U.S. healthcare organizations, with an alarming escalation in incidents and their consequences, according to a Comparitech report.
- “The study found that, since 2018, 654 ransomware attacks have targeted healthcare providers, with 2023 standing out as a record-breaking year, logging 143 incidents.
- “These attacks compromised over 88.7 million patient records during this period, with more than 26.2 million breached in 2023 alone.
- “Each day of downtime due to ransomware costs healthcare organizations an average of $1.9 million, culminating in an estimated $21.9 billion in downtime losses over six years.
- “On average, medical organizations experienced 17 days of downtime per incident, with the highest disruptions reported in 2022, averaging 27 days.”
From the cybersecurity defenses front,
- A Dark Reading commentator explains how to get the most out of your cybersecurity insurance policy.
- “As cyber threats continue to evolve, so must our approach to mitigating them. Bolster your cybersecurity posture in a holistic manner — self-assessing your risk profile, addressing vulnerabilities, and striving for continuous improvement — and you can better safeguard your organization against threats and control your cyber-insurance costs.
- “Prepare for increasingly rigorous risk assessments from [insurance] providers moving forward. Underwriters now have access to extensive data about cyber threats and protections. Expect them to ask more granular questions and do deeper inspections into the efficacy of controls, especially those around identity-related risks, such as privileged access and credential theft. Anticipate their questions, and be prepared with comprehensive, up-to-date answers.
- “Cyber insurance should augment your cybersecurity strategy, not replace it. Prioritize implementing robust, ongoing cyber practices that protect your organization.”
- Cybersecurity Dive informs us,
- “Most cyber leaders are bullish on generative AI despite governance concerns, according to a CrowdStrike survey published in December. Nearly two-thirds say their organization would overhaul tooling in order to leverage better generative AI capabilities.
- “Leaders expect generative AI adoption to bring ROI through cost optimization, easier tool management, reduced incidents and shorter training cycles, according to the survey of more than 1,000 cybersecurity leaders and practitioners.
- “Respondents said the leading concern when weighing a generative AI purchase is how applications or services integrate with current tools. Around 70% intend to purchase access to the technology in the next year.”
- Dark Reading discusses “6 AI-Related Security Trends to Watch in 2025,” noting that “AI tools will enable significant productivity and efficiency benefits for organizations in the coming year, but they also will exacerbate privacy, governance, and security risks.”
- Here is a link to Dark Reading’s CISO Corner.