
From the cybersecurity history, policy, and law enforcement fronts,
- American Hospital Association (AHA) News reminds us,
- “Nearly one year after the cyberattack on Change Healthcare, the AHA released a report highlighting the continued need for health care organizations to strengthen cybersecurity efforts and mitigate risk.
- “The cyberattack on Change Healthcare in February 2024 disrupted health care operations on an unprecedented national scale, endangering patients’ access to care, disrupting critical clinical and eligibility operations, and threatening the solvency of the nation’s provider network,” the report said.
- “Among other areas, the report highlights lessons learned, including how third-party cyber risk is the most significant and disruptive cyber threat to health care; actions health care organizations can take to mitigate cyber risk; and resources from the AHA and federal government that can assist organizations with strengthening cybersecurity efforts.”
- Cyberscoop lets us know,
- “Republican leaders on a key House committee are canvassing the public for input on how best to move forward in Congress’ longstanding quest to tackle national data privacy and security standards.
- “House Energy and Commerce Committee Chair Brett Guthrie, R-Ky., and Vice Chair John Joyce, R-Pa., issued a Request for Information on Friday that seeks guidance on how to best develop legislation to protect the digital data of Americans across an ever-widening range of essential services.
- “Leadership in digital technologies, including artificial intelligence, underpins U.S. economic and national security, provides American consumers with access to lower cost goods and services, and enables small businesses to reach markets around the world,” Guthrie and Joyce said in a statement. “However, the challenge of providing clear digital protections for Americans is compounded by the fast pace of technological advancement and the complex web of state and federal data privacy and security laws, which in some cases create conflicting legal requirements.”
- “Both Guthrie and Joyce are part of a Republican committee working group on data privacy, and the request includes questions that could guide lawmakers as they eye potential legislation. They include how to account for different roles and services that collect personal data, when a company should disclose the collection, processing, or transfer of user data, and what lessons can be learned from existing privacy frameworks in other countries.”
- and
- “One of the most notable elements of the monumental hack of major telecommunications companies is just how “indiscriminate” it was in its pursuit of data, a top FBI official said Wednesday.
- “The FBI has been investigating the breach, which it has blamed on Chinese government hackers commonly known as Salt Typhoon.
- “What we found particularly remarkable in our investigation is the gigantic and seemingly indiscriminate collection of call records and data about American people, like your friends, your family, people in your community,” Cynthia Kaiser, deputy assistant director in the bureau’s cyber division, said at the 2025 Zero Trust Summit, presented by CyberScoop.
- “Kaiser characterized the breach as “a different level of insidiousness” from Beijing, one that reflects its “ambition and reckless aggression in cyberspace.”
- Cybersecurity Dive tells us,
- “The Securities and Exchange Commission on Thursday unveiled a revamped anti-fraud unit to protect retail investors in emerging technologies, reflecting the Trump administration’s evolving approach to cryptocurrency and cybersecurity.
- “The Cyber and Emerging Technologies Unit, led by Laura D’Allaird, will have about 30 fraud specialists from across the agency and replaces the Crypto Assets and Cyber Unit. The revised CETU will complement a crypto task force launched in January under the leadership of Commissioner Hester Peirce.
- “The unit will not only protect investors, but will also facilitate capital formation and market efficiency by clearing the way for innovation to grow,” Acting SEC Chairman Mark Uyeda said in a statement. “It will root out those seeking to misuse innovation to harm investors and diminish confidence in new technologies.”
- Per a Justice Department news release,
- Health Net Federal Services Inc. (HNFS) of Rancho Cordova, California and its corporate parent, St. Louis-based Centene Corporation, have agreed to pay $11,253,400 to resolve [government] claims [under the federal False Claims Act] that HNFS falsely certified compliance with cybersecurity requirements in a contract with the U.S. Department of Defense (DoD) to administer the Defense Health Agency’s (DHA) TRICARE health benefits program for servicemembers and their families. In 2016, Centene acquired all of the issued and outstanding shares of Health Net Inc., HNFS’s corporate parent, and assumed the liabilities of HNFS.
- Per an HHS news release,
- “Today [February 20], the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $1,500,000 civil money penalty against Warby Parker, Inc., a manufacturer and online retailer of prescription and non-prescription eyewear, concerning violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, following the receipt of a breach report regarding the unauthorized access by one or more third parties to customer accounts.” * * *
- “OCR’s investigation found evidence of three violations of the HIPAA Security Rule, including a failure to conduct an accurate and thorough risk analysis to identify the potential risks and vulnerabilities to ePHI in Warby Parker’s systems, a failure to implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level, and a failure to implement procedures to regularly review records of information system activity.” * * *
- “The Notice of Proposed Determination may be found at: https://www.hhs.gov/sites/default/files/ocr-warby-parker-npd.pdf – PDF
- “The Notice of Final Determination may be found at: https://www.hhs.gov/sites/default/files/ocr-warby-parker-nfd.pdf – PDF”
From the cybersecurity vulnerabilities and breaches front,
- Cyberscoop lets us know,
- “Salt Typhoon gained initial access to Cisco devices as part of the Chinese nation-state threat group’s sweeping attacks on U.S. telecom networks, the company confirmed Thursday [February 20] in a threat intelligence report.
- “Cisco Talos, the networking vendor’s threat intelligence unit, said it observed one instance where Salt Typhoon likely exploited a seven-year-old critical vulnerability in Cisco IOS XE (CVE-2018-0171). Yet, researchers asserted Salt Typhoon gained initial access to Cisco devices with legitimate login credentials in all other incidents it’s investigated to date.
- “The report marks the first time Cisco acknowledged the role its equipment played in Salt Typhoon’s attack spree on telecom networks. Recorded Future last week said five additional telecom networks were hit by Salt Typhoon via a pair of other vulnerabilities in Cisco IOS XE (CVE-2023-20198 and CVE-2023-20273) between early December and late January.
- “Cisco Talos said it hasn’t identified any evidence to confirm Salt Typhoon’s exploitation of other known Cisco vulnerabilities. The company declined to answer questions.”
- The Cybersecurity and Infrastructure Security Agency added five known exploited vulnerabilities to its catalog this week.
- February 18, 2025
- CVE-2025-0108 Palo Alto PAN-OS Authentication Bypass Vulnerability
- CVE-2024-53704 SonicWall SonicOS SSLVPN Improper Authentication Vulnerability
- The Palo Alto KEV is discussed here, and the SonicWall KEV is discussed here.
- February 20, 2025
- CVE-2025-23209 Craft CMS Code Injection Vulnerability
- CVE-2025-0111 Palo Alto Networks PAN-OS File Read Vulnerability
- The Craft KEV is discussed here, and the Palo Alto KEV is discussed here.
- February 21, 2025
- CVE-2025-24989 Microsoft Power Pages Improper Access Control Vulnerability
- The Microsoft KEV is discussed here.
- Cybersecurity Dive informs us
- “Horizon3.ai researchers on Wednesday released technical details and a proof-of-concept (PoC) exploit for four critical Ivanti vulnerabilities that were first disclosed and patched last month.
- “The absolute path-traversal flaws impact Ivanti Endpoint Manager and, according to Horizon3.ai, could allow unauthenticated attackers to manipulate the Ivanti EPM machine account credential into being deployed in relay attacks, potentially leading to server compromise.
- “Ivanti products have become popular targets for attackers in recent years, as a wide range of cyber threat actors have exploited both zero-day and known vulnerabilities to compromise devices at the network edge and gain access to victim.”
- Security Week relates,
- In a fresh report published Wednesday, Mandiant threat hunter Dan Black warns that several APT groups have perfected the abuse of Signal’s “linked devices” feature that enables the privacy-themed chat and voice messenger to be used on multiple devices concurrently.
- By tricking users into scanning malicious QR codes embedded in phishing pages or disguised as group invite links, Mandiant says APT groups linked to the Kremlin are secretly adding their own device as a linked endpoint.
- Once this connection is established, every message sent by the user is duplicated to the attacker’s device in real time, effectively bypassing Signal’s heralded end-to-end encryption without having to break the underlying cryptography.
- Dark Reading offers an oddball article about state-of-the-art phishing software Darcula version 3 that can be purchased.
From the ransomware front,
- AHA News reports,
- “A joint advisory released Feb. 19 by the FBI, Cybersecurity and Infrastructure Security Agency, and the Multi-State Information Sharing and Analysis Center warns of cybercriminal activity by the Ghost ransomware group. The agencies identified actions as recently as last month by the group, which originates from China.
- “Since 2021, Ghost actors have targeted victims with outdated software and firmware, compromising organizations in more than 70 countries. Their victims include critical infrastructure, health care, schools and technology companies, among other organizations.
- “Ghost actors exploit well-known vulnerabilities and target networks where available patches have not been applied,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “They simply ‘hack before we patch.’ This group is also leveraging legitimate cybersecurity tools such as Cobalt Strike to enable access and other tools for privilege escalation. It is recommended that patching policies be reviewed to achieve maximum efficiency and speed. It is also recommended that network security tools be set to alert for activation of Cobalt Strike and privilege escalation applications.”
- Bleeping Computer reports,
- “An unknown leaker has released what they claim to be an archive of internal Matrix chat logs belonging to the Black Basta ransomware operation.
- “ExploitWhispers, the individual who previously uploaded the stolen messages to the MEGA file-sharing platform, which are now removed, has uploaded it to a dedicated Telegram channel.
- “It’s not yet clear if ExploitWhispers is a security researcher who gained access to the gang’s internal chat server or a disgruntled member.
- “While they never shared the reason behind this move, cyber threat intelligence company PRODAFT said today that the leak could directly result from the ransomware gang’s alleged attacks targeting Russian banks.
- “As part of our continuous monitoring, we’ve observed that BLACKBASTA (Vengeful Mantis) has been mostly inactive since the start of the year due to internal conflicts. Some of its operators scammed victims by collecting ransom payments without providing functional decryptors,” PRODAFT said.”
From the cybersecurity defenses front,
- Security Week shares a conversation with Kevin Winter, Global CISO at Deloitte, and Richard Marcus, CISO at AuditBoard.
- Here’s a link to Dark Reading’s CISO Corner.
- HelpNet Security points out cyber hygiene habits that many still ignore.