Cybersecurity Saturday - Ermer and Suter PLLC

From the cybersecurity policy front,

Cybersecurity Dive reports,
- “The Cybersecurity and Infrastructure Security Agency introduced an online portal Thursday [August 29] for organizations to voluntarily report malicious cyberattacks, vulnerabilities and data breaches.
- “The CISA services portal is a secure platform that provides enhanced functionality and collaboration features, including the ability to save and update incident reports, share submitted reports with colleagues or clients and search for reports. Users can also have informal discussions with CISA through the portal.
- “An organization experiencing a cyberattack or incident should report it — for its own benefit, and to help the broader community,” Jeff Greene, executive assistant director for cybersecurity at CISA, said in a statement. “CISA and our government partners have unique resources and tools to aid with response and recovery, but we can’t help if we don’t know about an incident.”

Per FedScoop,
- “Federal agencies are counting down the days until September 30 to meet a combination of zero-trust cybersecurity requirements. The requirements are part of a multi-year strategy by the Office of Management and Budget (OMB) to apply various cybersecurity techniques to safeguard federal agency users, networks, devices and data.
- “One of the more vexing requirements, according to a new report, includes provisions to inventory and monitor the increasingly complex IT landscape involving not just traditional IT but also an ever-expanding array of operating technologies (OT) and the Internet of Things (IoT). The convergence of data and applications linked to IT, OT and IoT devices has introduced a new era of security risks that OMB has tasked agencies to address.
- “The widespread adoption of OT devices not only expands the number and diversity of assets agencies must manage but also the range of vulnerabilities they need to address,” explains a new report commissioned for FedScoop and underwritten by Asc3nd Technologies Group. “More to the point: Linking OT data and devices to IT systems creates new pathways for cyberattacks that adversaries are exploiting with increasing frequency.”
- “To address those and related risks, OMB directive M-24-04 requires agencies, among other things, to put tools and measures in place that provide a comprehensive understanding of all devices connected to their networks. They must also be prepared to provide detailed asset reports to the Cybersecurity and Infrastructure Agency (CISA) within 72 hours.”

The Wall Street Journal adds,
- As cyberattacks plague companies across all industries and cause headaches for consumers, regulators are demanding that victims report hacks in short time periods—and the rules are rarely consistent, creating a compliance nightmare.
- In addition to widely publicized rules such as those brought into force by the U.S. Securities and Exchange Commission in December 2023, many companies must also comply with other federal demands, rules from state regulators and industry-specific requirements. * * *
- “Health insurer Blue Cross Blue Shield Association, for instance, said in its response [to CISA proposed Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) rule] that healthcare companies may need to report incidents under the Health Insurance Portability and Accountability Act, the Federal Trade Commission’s rules on data privacy, the SEC’s rules and CIRCIA, once that rule is final.
- “Four separate standards with similar but slightly different compliance expectations would impose an unreasonable burden with marginal benefit towards improving cybersecurity as compared to having a single, harmonized standard,” said Kris Haltmeyer, the association’s vice president of policy analysis.”

From the cyber vulnerabilities and breaches front,

Dark Reading points out,
- “Multiple exploit campaigns linked to a Russian-backed threat actor (variously known as APT29, Cozy Bear, and Midnight Blizzard) were discovered delivering n-day mobile exploits that commercial spyware vendors have used before.
- “According to Google’s Threat Analysis Group (TAG), the exploit campaigns were delivered “from a watering hole attack on Mongolian government websites,” and each one is identical to exploits previously used by commercial surveillance vendors (CSVs) Intellexa and NSO Group. That suggests, as the researchers at Google TAG note, that the authors and/or providers are the same. * * *
- “The researchers go on to add that though there are still outstanding questions as to how the exploits were acquired, this does highlight how exploits developed first by the commercial surveillance industry become even more of a threat as threat actors come across them.”

Cyberscoop adds,
- “Online scam cycles have gotten significantly shorter and more effective over the past four years, as cybercriminals increasingly favor smaller, simpler, faster and more targeted campaigns that can yield higher revenues over the long term.
- “The findings, from a mid-year cybercrime report released Thursday by Chainalysis, show that scammers are refreshing their online and blockchain-based infrastructure faster than ever before.
- “For instance, a huge chunk of all scam revenues being tracked by Chainalysis on the blockchain (43%) were sent to wallets that only became active over the past year — something the company said suggests a surge of newly created scamming campaigns.
- “That’s significantly larger than any other observed year — the previous high was 29.9% in 2022 — and it has coincided with what Chainalysis described as a concerted effort by criminals to dramatically shrink the time they spend on one spam campaign before moving onto another.”

CISA added three known exploited vulnerabilities to its catalog this week.
- August 26, 2024 — CVE-2024-7971 Google Chromium V8 Type Confusion Vulnerability
- August 27, 2024 — CVE-2024-38856. Apache OFBiz Incorrect Authorization Vulnerability
- August 28, 2024 — CVE-2024-7965. Google Chromium V8 Inappropriate Implementation Vulnerability

From the CrowdStrike outage front,

Cybersecurity Dive informs us,
- “The financial impact from last month’s ill-fated CrowdStrike Falcon sensor update that caused a global IT network outage will continue through the first half of 2025, company executives said Wednesday during an earnings call.
- “Executives warned investors of temporary delays in its sales pipeline generation, longer sales cycles due to increased scrutiny from new and existing customers and muted upsell potential.
- “CrowdStrike expects an impact of about $60 million in net new annual recurring revenue and subscription revenue due to what it dubbed its “customer commitment packages,” discounts it’s offering some customers through the second half of this year, CFO Burt Podbere said during the Wednesday earnings call for the company’s fiscal 2025 second quarter, which ended July 31. “When we get to the back half of next year, we’ll start to see an acceleration in the business.”

From the ransomware front,

The American Hospital Association News reports,
- “The FBI, Cybersecurity and Infrastructure Agency and the Department of Defense Cyber Crime Center Aug. 29 issued a joint advisory to warn of Iranian-based cyber actors leveraging unauthorized network access to U.S. organizations, including health care organizations, to facilitate, execute and profit from future ransomware attacks by apparently Russian-affiliated ransomware gangs. The Iranian group, which is associated with the Government of Iran, has conducted a high volume of cyberattack attempts on U.S. organizations since 2017 and as recently as August 2024. Based on an FBI assessment, the cyber actors obtain network access for espionage reasons then collaborate with ransomware groups, including the notorious Russian-linked ransomware groups RansomHub and APLHV aka BlackCat, to execute ransomware attacks against the espionage target. BlackCat was responsible for the 2024 Change Healthcare ransomware attack, the largest and most consequential cyberattack in U.S. history. The advisory does not indicate if the Iranian actors had any role in the Change Healthcare attack but does state that the Iranian group’s ransomware activities are not likely sanctioned by the Government of Iran.
- “The joint advisory provides tactics, techniques, procedures, and indicators of compromise obtained from FBI investigations and third-party reporting. The federal agencies urge organizations to apply the recommendations in the mitigations section of the advisory to reduce the likelihood of compromise from these Iranian-based cyber actors and other ransomware attacks.
- “This alert demonstrates the close ‘international cooperation’ between hackers to exploit cyber espionage campaigns for criminal profit,” said John Riggi, AHA national advisor for cybersecurity and risk. “This alert also demonstrates the nation-state level sophistication and expertise of the ransomware groups that target U.S. health care. No health care organization, regardless of their cybersecurity preparedness, can be expected to fully defend against a group of nation-state-trained hackers collaborating with sophisticated ransomware gangs. Clearly, the initial access leading to a subsequent ransomware attack, sanctioned or not, is state-sponsored. We strongly encourage the U.S. government to treat these attacks as national security threats, by policy and action, and impose significant risk and consequences on our cyber adversaries. Offense is the best defense.”
- “Although there is no specific threat information at this time, the field is reminded to remain especially vigilant over the holiday weekend, as we have historically seen increased targeting of health care around the holidays.”

Bleeping Computer adds,
- “The RansomHub ransomware gang is behind the recent cyberattack on oil and gas services giant Halliburton, which disrupted the company’s IT systems and business operations.
- “The attack caused widespread disruption, and Bleeping Computer was told that customers couldn’t generate invoices or purchase orders because the required systems were down.
- “Halliburton disclosed the attack last Friday in an SEC filing, stating they suffered a cyberattack on August 21, 2024, by an unauthorized party.

Cybersecurity Dive reports,
- “Volt Typhoon, a prolific state-linked threat actor, is exploiting a zero-day vulnerability in Versa Director servers in a campaign targeting internet service providers, managed service providers and other technology firms, researchers from Black Lotus Labs warned in a blog post Tuesday.
- “The vulnerability, listed as CVE-2024-39717, allows users to upload files that are potentially malicious and gives them advanced privileges.
- “Black Lotus Labs researchers identified a custom webshell, which they call VersaMem, that is designed to intercept and harvest credentials and allow an attacker to gain access to a downstream computer network as an authenticated user.

From the cybersecurity defenses front,

Per a NIST press release,
- “[On August 29], the U.S. Artificial Intelligence Safety Institute at the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) announced agreements that enable formal collaboration on AI safety research, testing and evaluation with both Anthropic and OpenAI.
- “Each company’s Memorandum of Understanding establishes the framework for the U.S. AI Safety Institute to receive access to major new models from each company prior to and following their public release. The agreements will enable collaborative research on how to evaluate capabilities and safety risks, as well as methods to mitigate those risks.
- “Safety is essential to fueling breakthrough technological innovation. With these agreements in place, we look forward to beginning our technical collaborations with Anthropic and OpenAI to advance the science of AI safety,” said Elizabeth Kelly, director of the U.S. AI Safety Institute. “These agreements are just the start, but they are an important milestone as we work to help responsibly steward the future of AI.”
- “Additionally, the U.S. AI Safety Institute plans to provide feedback to Anthropic and OpenAI on potential safety improvements to their models, in close collaboration with its partners at the U.K. AI Safety Institute.”

Per Dark Reading, “Ransomware attacks and email-based fraud account for 80% to 90% of all claims processed by cyber insurers, but a handful of cybersecurity technologies can help prevent big damages.” Check it out.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Subscribe to FEHBlog