Cybersecurity Saturday

From the cybersecurity policy front —

  • The Wall Street Journal reports,
    • “Companies shouldn’t wait for new rules around cybersecurity, privacy and emerging technologies to be finalized before preparing for them, lawyers say, particularly as senior executives with the right experience can be hard to come by.
    • “Proposed cybersecurity rules from the Securities and Exchange Commission would require public companies to disclose which board members have security knowledge or experience, along with details about the board’s approach to cyber oversight. The SEC published draft rules in March 2022 and is expected to finalize them in the coming months.” 
  • Nextgov tells us,
    • A federal council tasked with harmonizing future cyber incident reporting requirements is set to release proposed recommendations on how to develop an incident-reporting framework across key agencies and regulatory bodies, according to the chair of the council.
    • Department of Homeland Security Under Secretary for Policy Robert Silvers said the Cyber Incident Reporting Council is expecting to submit its report to Congress “in the next month or two” during a panel discussion Thursday at the Center for Strategic and International Studies, a nonprofit think tank.
    • The council was established under the Cyber Incident Reporting for Critical Infrastructure Act last year with the goal of minimizing industry burden while ensuring timely awareness of cyber incidents impacting critical infrastructure sectors across all required federal components. 
    • The Cybersecurity and Infrastructure Security Agency is currently developing regulations as required under the law for critical infrastructure owners and operators to report cyber incidents within 72 hours and has led a series of listening sessions with sector-specific industries to aid its rule-making process. 
    • “CISA is considering the inputs received through these consultations as we develop the proposed regulations and look for ways to harmonize CIRCIA’s requirements with other existing cyber incident reporting regulatory requirements,” CISA’s Executive Director Brandon Wales wrote in a March blog post reflecting on his agency’s implementation of the bill a year after it was signed into law. 
    • CISA also issued a request for information from key stakeholders on the proposed regulations and said it was specifically interested in “definitions for and interpretations of the terminology to be used in the proposed regulations, as well as the form, manner, content and procedures for submission of reports required under CIRCIA.”

From the cybersecurity reports front —

  • The OPM Inspector General released its latest semi-annual report to Congress. That report includes a section on cybersecurity audits of FEHB plans.
  • The National Institute of Standards and Technology issued its Fiscal Year 2022 Cybersecurity and Privacy Annual Report.

From the cybersecurity vulnerabilities front —

  • Cybersecurity Dive reports
    • “A zero-day vulnerability first disclosed by Barracuda last week was actively exploited up to seven months ago, the security vendor said in an updated incident report Tuesday [May 30].
    • “The sizable time gap between the first known active exploitation of CVE-2023-2868 in October and Barracuda’s disclosure increases the potential for widespread compromise for customers using the security vendor’s email security gateway appliances.
    • “Malware was identified on a subset of appliances allowing for persistent backdoor access,” the company said. Data exfiltration was also identified on a subset of impacted appliances.
    • “Barracuda did not respond to questions about how many customers use its ESG appliances nor how many customers are potentially compromised and had data stolen.”
  • On June 2, 2023, HHS’s Health Sector Cybersecurity Coordination Center issued a sector alert titled “Healthcare Sector Potentially at Risk from Critical Vulnerability in MOVEit Transfer Software.”
    • “On May 31, 2023, Progress Software (formerly IPSwitch) published a notification disclosing that a critical vulnerability exists in their MOVEit Transfer software, which could result in unauthorized access and privilege escalation. The vulnerability is a SQL injection flaw that allows for escalated privileges and potential unauthorized access. As of May 31, 2023, the vulnerability does not have a CVE. File transfer solutions are frequently targeted by multiple threat actors, including ransomware groups. Progress Software has yet to report any attempts of extortion due to exposure to the vulnerability, nor is there any attribution to any specific threat actors. However, the exploitation is very similar to the January 2023 mass exploitation of a GoAnywhere MFT zero-day and the December 2020 zero-day exploitation of Accellion FTA servers. Both of these products are managed file transfer platforms that were heavily exploited by the Clop ransomware gang to steal data and extort organizations.”
    • The Cybersecurity and Infrastructure Security Agency (CISA) released a corresponding alert.
      • “Progress Software has released a security advisory for a SQL injection vulnerability (CVE-2023-34362) in MOVEit Transfer—a Managed File Transfer Software. A cyber threat actor could exploit this vulnerability to take over an affected system.
      • “CISA urges users and organizations to review the MOVEit Transfer Advisory, follow the mitigation steps, apply the necessary updates, and hunt for any malicious activity.”
  • On May 31, 2023, CISA announced the addition of one more known exploited vulnerability to its catalog, and it added another on June 2, 2023.

From the ransomware front, we have Bleeping Computer’s The Week in Ransomware.

  • “There have been rumors for weeks that Royal ransomware was rebranding to a new ransomware operation called BlackSuit. This week, Trend Micro analyzed encryptors from both operations and said they share very strong similarities.
  • “While this is not a strong enough link, the attack on Dallas may have put the Royal ransomware operation in the crosshairs, scaring them into a rebrand.
  • “Finally, IBM released a report about BlackCat/ALPHV’s new ‘Sphynx’ encryptor and other tools used by the operation that is a worthwhile read.”

From the cybersecurity defenses front —

  • The Wall Street Journal reports
    • “Retail giant Walmart said artificial intelligence is helping it to make sense of the data its security systems generate and to spot patterns that its analysts might miss. Generative AI systems like ChatGPT might enhance that ability further.
    • “Rob Duhart, Walmart’s deputy chief information security officer, said the sheer amount of information the company handles means that some form of automation is essential.
    • “There’s scale, and then there’s Walmart scale,” he said, speaking at the WSJ Pro Cybersecurity Forum held virtually Wednesday.
    • “With around 10,500 stores globally and 2.3 million employees, the company scans around 11 billion lines of code each year, Duhart said. Its cybersecurity tools generate around 6 trillion data points annually, and it blocks 8.5 billion malicious bots a month.
    • “Walmart has developed a number of AI tools in-house, given that off-the-shelf products typically can’t handle the vast body of data it needs to analyze, Duhart said. It’s also a problem for human analysts, who can’t comb through the information they need quickly enough.”
  • Health IT Security adds
    • “With recent economic trends pointing toward a recession, companies are bracing for the downturn and slashing resources in anticipation of financial turmoil.  
    • “Yet, cybersecurity budgets remain resilient. A recent survey revealed that most IT security decision-makers, including those in healthcare, have ramped up their 2023 cybersecurity spending to strengthen programs. 
    • “Nuspire’s Second Annual CISO Research Report on Challenges and Buying Trends surveyed 200 CISOs across various sectors. The results showed that 58 percent had increased their budgets in 2023, with 42 percent planning to pour even more funding into cybersecurity within the following year.
    • “This uptick in budget allocation speaks volumes as leaders recognize the importance of a strong landscape
    • “As we’ve seen in previous years, the current economic conditions have shown how resilient cybersecurity budgets are in the face of business cost reductions,” said Lewie Dunsworth, CEO of Nuspire.”