Cybersecurity Saturday

From the cybersecurity policy front,

  • FedScoop lets us know,
    • “Five of the country’s leading software and tech advocacy organizations are urging Senate and House leadership to pass bipartisan, bicameral legislation aimed at improving federal agency oversight and management of software purchases before this congressional term comes to a close.
    • “In a letter sent Wednesday [August 21] and shared exclusively with FedScoop, the tech groups urged Senate Majority Leader Chuck Schumer, D-N.Y., Minority Leader Mitch McConnell, R-Ky., House Speaker Mike Johnson, R-La., and Minority Leader Hakeem Jeffries, D-N.Y., to take action on the Strengthening Agency Management and Oversight of Software Assets Act by the end of this session, referring to the bill to bolster transparency and communication in IT spending across federal agencies as “must-pass legislation.”
  • and
    • “The National Institute of Standards and Technology is again seeking comment on draft guidance for digital identities following updates responsive to the first round of public comments.
    • “A second version of the draft guidance, posted Wednesday [August 21], provides additional detail for passkeys — or syncable authenticators — and digital wallets after commenters on the first draft asked for those areas to be expanded, according to a release from the agency. The new draft also adds to guidance on more traditional identification methods.
    • “The draft guidelines and corresponding companion publications are aimed at providing direction to ensure various methods that people use to prove who they are when accessing government services — such as digital wallets, passkeys, and physical ID cards — stay secure, private and accessible, according to the release.”
    • The public comment deadline is October 7, 2024.
  • ArsTechnica reports,
    • Dr. Emmanouil “Manos” Antonakakis runs a Georgia Tech cybersecurity lab and has attracted millions of dollars in the last few years from the US government for Department of Defense research projects like “Rhamnousia: Attributing Cyber Actors Through Tensor Decomposition and Novel Data Acquisition.”
    • “The government yesterday [August 22] sued Georgia Tech in federal court, singling out Antonakakis and claiming that neither he nor Georgia Tech followed basic (and required) security protocols for years, knew they were not in compliance with such protocols, and then submitted invoices for their DoD projects anyway. (Read the complaint.) The government claims this is fraud under the federal False Claims Act.
      • At bottom, DoD paid for military technology that Defendants stored in an environment that was not secure from unauthorized disclosure, and Defendants failed to even monitor for breaches so that they and DoD could be alerted if information was compromised. What DoD received for its funds was of diminished or no value, not the benefit of its bargain.
    • The Justice Department intervened in a qui tam action.

From the cyber vulnerabilities and breaches front,

  • Per Security Week,
    • “SolarWinds on Wednesday announced a second hotfix for an exploited Web Help Desk vulnerability, which also removes hardcoded credentials introduced in the first hotfix.
    • “The enterprise software maker warns that the hardcoded credential blunder, which was assigned CVE-2024-28987, with a CVSS score of 9.1, could allow a “remote unauthenticated user to access internal functionality and modify data”.
    • “Released for Web Help Desk 12.8.3.1813 or 12.8.3 HF1, the new hotfix not only removes the inadvertently leaked secrets, but also adds more patterns to fix an SSO issue and resolves the critical-severity remote code execution (RCE) bug that the initial hotfix was meant to address.
    • “This hotfix addresses the SolarWinds Web Help Desk broken access control remote code execution vulnerability fixed in WHD 12.8.3 Hotfix 1, as well as fixing the SolarWinds Web Help Desk hardcoded credential vulnerability, and restoring the affected product functionality found in WHD 12.8.3 Hotfix 1,” the company notes in its advisory.”
  • Bleeping Computer tells us,
    • “Halliburton, one of the world’s largest providers of services to the energy industry, has confirmed a cyberattack that forced it to shut down some of its systems earlier this week.
    • “On August 21, 2024, Halliburton Company (the “Company”) became aware that an unauthorized third party gained access to certain of its systems,” the oil services giant said in a filing with the U.S. Securities and Exchange Commission (SEC).
    • “When the Company learned of the issue, the Company activated its cybersecurity response plan and launched an investigation internally with the support of external advisors to assess and remediate the unauthorized activity.
    • “The company added that the incident (first reported by Reuters on Wednesday [August 21] based on information provided by anonymous sources) prompted it to shut down some systems to contain the breach.
    • Halliburton also reported the breach to relevant law enforcement agencies, and its IT experts are now working on restoring affected devices and assessing the attack’s impact.”
  • and
    • A stealthy Linux malware named ‘sedexp’ has been evading detection since 2022 by using a persistence technique not yet included in the MITRE ATT&CK framework.
    • The malware was discovered by risk management firm Stroz Friedberg, an Aon Insurance company, and enables its operators to create reverse shells for remote access and to further the attack.
    • “At the time of this writing, the persistence technique used (udev rules) is not documented by MITRE ATT&CK,” the researchers note, highlighting that sedexp is an advanced threat that hides in plain sight.
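As an added defender-side example (not code from the article or from the Stroz Friedberg report), the following Python script parses udev rule text for RUN+= and PROGRAM= entries, the mechanism a udev-based persistence technique relies on, and flags those that invoke a shell with -c or execute from world-writable directories; the sample rules, the heuristics and the list of rule directories are constructed assumptions for a standard Linux layout.

```python
import os
import re

# Constructed sample udev rules (not taken from the sedexp report): one benign
# rule and one that spawns a shell from /dev/shm on every device add event.
SAMPLE_RULES = """\
# benign: relax permissions on a USB serial adapter
SUBSYSTEM=="tty", ATTRS{idVendor}=="0403", MODE="0666"
# suspicious: RUN+= executes a shell that launches a hidden file in /dev/shm
ACTION=="add", RUN+="/bin/sh -c '/dev/shm/.x &'"
"""

# udev executes the value of RUN+= (and PROGRAM=) when the rule's match keys fire.
RUN_RE = re.compile(r'\b(RUN|PROGRAM)\s*(\+?=)\s*"([^"]*)"')
WRITABLE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/")
SHELLS = ("sh", "bash", "dash")
# Standard rule locations (assumed here); a scan should cover all of them.
UDEV_DIRS = ("/etc/udev/rules.d", "/run/udev/rules.d",
             "/usr/lib/udev/rules.d", "/lib/udev/rules.d")

def parse_run_entries(text: str) -> list:
    """Return every RUN/PROGRAM assignment found in a rules file body."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for key, _op, cmd in RUN_RE.findall(stripped):
            entries.append({"line": lineno, "key": key, "cmd": cmd})
    return entries

def is_suspicious(cmd: str) -> bool:
    """Heuristic: references a world-writable path, or is a shell invoked with -c."""
    parts = cmd.split()
    prog = parts[0].rsplit("/", 1)[-1] if parts else ""
    return any(p in cmd for p in WRITABLE_DIRS) or (prog in SHELLS and "-c" in parts)

def flag_rules(text: str) -> list:
    """Entries from parse_run_entries that trip the heuristic."""
    return [e for e in parse_run_entries(text) if is_suspicious(e["cmd"])]

def scan_system(dirs=UDEV_DIRS) -> list:
    """Walk the udev rule directories present on this host and flag entries."""
    hits = []
    for d in dirs:
        for name in sorted(os.listdir(d)) if os.path.isdir(d) else []:
            path = os.path.join(d, name)
            if name.endswith(".rules") and os.path.isfile(path):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits += [{"path": path, **e} for e in flag_rules(fh.read())]
    return hits
```

Run `scan_system()` on a host to list flagged rules with their file path and line; every hit still needs a human to confirm it is not a legitimate vendor helper.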

From the ransomware front,

  • The Wall Street Journal reports,
    • “A cyberattack on the city administration of North Miami, Fla., this month took down public services and is now serving as an early test of policies that outlaw ransom payments.
    • “Hackers attacked the small city north of Miami on Aug. 4, leading officials to close City Hall and police officers to use old-fashioned radio communication instead of newer digital systems. Two weeks later, some services are still down, said Scott Galvin, a city councilman.
    • “Galvin said hackers demanded the city pay a ransom of several million dollars. Attorneys quickly informed lawmakers and city officials that was out of the question because of a 2022 ban on ransom payments from government entities enacted by the state legislature, he said.” * * *
    • “In a survey of 5,000 IT professionals published last week by cybersecurity firm Sophos, 34% of those working in state and local governments said they were hit with a ransomware attack this year, down from 69% in 2023. Among the state and local governments that were hacked, 54% said they paid a ransom to retrieve encrypted data this year, compared with 34% last year.
    • “Legal bans on ransom payments could eventually dissuade hackers, said J. Michael Daniel, president and chief executive of the Cyber Threat Alliance, a nonprofit that shares information about hacks among cybersecurity companies.”
    • “Bans that are too rigid can have negative effects, said Jordan Rae Kelly, senior managing director at FTI Consulting. If a blanket ban on ransom payments is in place, hackers might turn to more extreme methods, like shutting down critical hospital services to force victims to pay, she said.
    • “The risk of these bans being escalatory is what I worry about,” she said.”

From the cyber defenses front,

  • Per Cybersecurity Dive,
    • “The FBI, Cybersecurity and Infrastructure Security Agency — along with international partners led by Australia — advised network defenders to adopt event logging policies. Event logs are critical to help organizations defend against the rising use of living-off-the-land techniques designed to conceal threat activity using ordinary security tools, the agencies said Wednesday. 
    • “The group of more than a dozen agencies released a guide on event logging and threat detection practices that can pinpoint a growing number of sophisticated attacks via privately-owned routers or other tools threat groups use to launch attacks that cannot be detected by normal endpoint protection. 
    • “Living-off-the-land techniques have been employed by sophisticated state-linked hackers like Volt Typhoon and ransomware groups like Medusa to mask their presence inside network computing environments and move undetected for long periods of time.”
  • and
    • “Companies with cyber insurance coverage are reducing risk and are more likely to detect, respond and recover from data breaches and malicious attacks, compared to organizations without coverage, according to two reports released this week.
    • “An At-Bay commissioned survey conducted by Omdia shows cyber insurance is helping to drive proactive security measures, mitigation strategies and targeted spending. More than 7 in 10 respondents said they view cyber coverage as important or critical to their company and reported increased spending on proactive security solutions over the past 12 months.
    • “A separate report from Forrester showed 1 in 4 global companies with standalone cyber insurance coverage were able to detect and respond to incidents in seven days or less, compared with 19% of businesses with no coverage or 18% with cyber coverage bundled into another policy.”
  • A Dark Reading commentator advises cybersecurity experts to pay attention to software that is reaching end-of-life status.
    • “Looking ahead, managing long-term risk around end-of-life software or assets has to go hand in hand with planning migrations. The results have to demonstrate business value, so that there is a business case for making the changes. Starting earlier and getting collaborative with business application owners can deliver on both counts.”
  • HHS’s Office for Civil Rights issued an August 2024 Cybersecurity Newsletter concerning “HIPAA Security Rule Facility Access Controls – What are they and how do you implement them?”