Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Security Week tells us,
    • “The US cybersecurity agency CISA and the FBI have released new guidance on security bad practices for software manufacturers and are inviting the public to provide feedback on it.
    • “The guidance urges the makers of software and services for the critical infrastructure or national critical functions (NCFs) to prioritize security throughout the development process and reduce customer security risks.
    • “It offers an overview of product security bad practices considered exceptionally risky and provides recommendations for mitigating them, in line with CISA’s Secure by Design initiative.
    • “The guidance contained in this document is non-binding and while CISA encourages organizations to avoid these bad practices, this document imposes no requirement on them to do so,” the agency notes.”
  • Cybersecurity Dive informs us,
    • “A federal grand jury on Wednesday unsealed charges and announced a prior operation to disrupt Anonymous Sudan, a prolific hacktivist group that was linked to some of the biggest DDoS attacks in the world, including a 2023 attack against Microsoft.
    • “Federal officials indicted two Sudanese nationals, Ahmed Salah Yousif Omer, 22 and Alaa Salah Yusuuf Omer, 27, on charges of conspiracy to damage computers. Ahmed Salah was also charged with three counts of damaging protected computers. 
    • “In March, the FBI and U.S. Attorney’s Office, pursuant to a warrant, disabled and seized a DDoS tool the group used to conduct attacks against the U.S. State Department, the Department of Defense, the FBI, Microsoft, Riot Games, Cedars-Sinai Medical Center in Los Angeles and other organizations. The group also allegedly sold the DDoS tool to other threat actors.”
  • Per Fedscoop,
    • “National Institute of Standards and Technology Director Laurie Locascio will leave the administration in January after more than two-and-a-half years leading the standard-setting agency.
    • “Following her departure, Locascio will join the American National Standards Institute as its president and CEO. She has served as director of NIST and undersecretary of commerce for standards and technology at the Department of Commerce since April 2022. 
    • “In the meantime, Locascio “will continue to serve as Under Secretary of Commerce for Standards and Technology and NIST Director until then, providing leadership for important programs such as the CHIPS for America program and NIST’s extensive work in AI, including the U.S. AI Safety Institute,” a spokesperson for the Department of Commerce said in an emailed statement.”
  • Federal News Network lets us know,
    • “A new survey of federal cyber experts has found most agencies are mapping out their journey to post-quantum cryptography, but many feel hamstrung by a lack of formal guidance on an initiative that’s expected to cost billions of dollars in the coming decade.
    • “In a study released today, General Dynamics Information Technology found 50% of federal cyber experts have a strategy for post-quantum cryptography readiness, while 22% are engaged in pilot projects and 12% are preparing their workforce for a post-quantum future.
    • “Only 17% of those surveyed responded that they had “no defined strategy” and “PQC initiatives are not currently a priority.”
    • “But 37% of respondents also said a “lack of planning, guidance and strategy” poses a critical challenge to the post-quantum cryptographic transition.”

From the cyber vulnerabilities and breaches front,

  • Per a National Security Agency press release,
    • “The National Security Agency (NSA) is joining the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and others in releasing a Cybersecurity Advisory (CSA), “Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations,” to warn network defenders of malicious activity that can enable persistent access in sensitive systems.
    • “Since October 2023, Iranian cyber actors have used a technique known as brute force to compromise user accounts and obtain access to organizations to modify MFA registrations, enabling persistent access.
    • “Our agencies are sharing detailed insight into this malicious cyber activity and what organizations can do to shore up their defenses,” said Dave Luber, NSA Cybersecurity Director. “We explain the tactics, techniques, and procedures used by the Iranian actors, as well as indicators of compromise.”  
  • Beckers Health IT notes,
    • “The costs of the Change Healthcare cyberattack continue to grow for parent company UnitedHealth Group.
    • “UnitedHealth estimated the company would absorb about an additional 10 cents a share in costs for the February ransomware attack that disrupted claims processing and breached patient data across the nation, bringing the total to 75 cents a share, according to a third-quarter earnings report.
    • “The healthcare conglomerate now estimates it will take a $2.87 billion hit from the cyberattack in 2024, after originally anticipating $1.6 billion in costs.
    • “After the cyberattack, we prioritized devoting resources to support care providers, over some activities such as share repurchase,” President and CFO John Rex said in an Oct. 15 earnings call.
    • “UnitedHealth has disbursed $8.9 billion in loans to providers affected by the IT outage, with $3.2 billion having been paid back.”
  • Cybersecurity Dive reports,
    • “Microsoft said it mitigated an issue that led to the partial loss of more than two weeks of security log data during September. 
    • “The company previously notified customers that some security logs were lost due to a bug in the company’s internal monitoring agents. The security logs provide critical information to Microsoft customers as they can be used to flag evidence of a malicious attack. 
    • “The lost security data impacted several Microsoft platforms, including Microsoft Entra, Sentinel, Purview and Defender for Cloud.”
  • Furthermore,
    • Cybersecurity Dive adds,
      • “The Cybersecurity and Infrastructure Security Agency added a critical hardcoded credentials flaw in SolarWinds Web Help Desk to its known exploited vulnerabilities catalog on Tuesday, marking the second actively exploited CVE in the same product since August.
      • “The vulnerability, listed as CVE-2024-28987, allows a remote, unauthenticated attacker to access internal functionality and potentially modify data. The software defect has a CVSS score of 9.1.
      • “SolarWinds previously said the vulnerability impacted customers using Web Help Desk 12.8.3 HF1 and all prior versions, in an August security advisory. The company told customers to upgrade to the fixed version at that time.”  * * *
      • “It is not immediately clear what specific threat activity led CISA to add CVE-2024-28987 to the KEV catalog, however the listing requires federal civilian executive branch agencies to take mitigation steps to protect their systems from exploitation.” 
    • and
      • “Hackers are actively exploiting a critical format string vulnerability in four Fortinet products, federal authorities and security researchers said last week. 
      • “The Cybersecurity and Infrastructure Security Agency added the vulnerability, listed as CVE-2024-23113, to its known exploited vulnerabilities catalog on Wednesday. The vulnerability, originally disclosed in February, has a CVSS score of 9.8. 
      • “Exploitation of the vulnerability in FortiOS could allow a remote, unauthenticated hacker to execute arbitrary code or commands on a system, FortiGuard Labs said in a Friday blog post.”
    • The Record adds,
      • “The nation’s top cybersecurity agency has confirmed that ransomware gangs are using a vulnerability found last month in products from software company Veeam.  
      • “For weeks, experts have expressed alarm about CVE-2024-40711 — a bug Veeam rated critical and gave a severity score of 9.8 when it was disclosed in September.  
      • “CVE-2024-40711 could “allow an attacker to gain full control of a system, manipulate data, and potentially move laterally within a network, making it a relatively high-value target for threat actors,” according to researchers at Censys.  
      • “The Cybersecurity and Infrastructure Security Agency (CISA) confirmed on Thursday that the vulnerability has been exploited and took the rare step of specifying that it was being used in ransomware attacks.  
      • “Veeam released a fix on September 4 after the bug was discovered by Code White security researcher Florian Hauser. By September 15, proof-of-concept exploit code was released by watchTowr Labs. Veeam specializes in software for system backups and disaster recovery.
      • “CISA gave federal civilian agencies until November 7 to patch the bug.  
      • “CISA added the “Known To Be Used in Ransomware Campaigns?” tab in the Known Exploited Vulnerabilities (KEV) Catalog almost exactly a year ago but has rarely used it.”

Also from the ransomware front,

  • The HHS Office for Civil Rights posted on YouTube a 45-minute-long video on Ransomware and the HIPAA Security Rule.
  • Hacker News reports,
    • “Cybersecurity researchers have gleaned additional insights into a nascent ransomware-as-a-service (RaaS) called Cicada3301 after successfully gaining access to the group’s affiliate panel on the dark web.
    • “Singapore-headquartered Group-IB said it contacted the threat actor behind the Cicada3301 persona on the RAMP cybercrime forum via the Tox messaging service after the latter put out an advertisement, calling for new partners into its affiliate program.
    • “Within the dashboard of the Affiliates’ panel of Cicada3301 ransomware group contained sections such as Dashboard, News, Companies, Chat Companies, Chat Support, Account, an FAQ section, and Log Out,” researchers Nikolay Kichatov and Sharmine Low said in a new analysis published today.”
  • Tripwire assesses the current ransomware landscape.

From the cybersecurity defenses front,

  • Cybersecurity Dive points out,
    • “More than 4 in 5 CISOs believe their role needs to be split into two separate positions, as regulatory and financial risks consume a greater part of their job responsibilities, according to a report released Tuesday by Trellix and Vanson Bourne.
    • “A majority of CISOs are calling for the job to be separated into a technical, hands-on-keyboard security role and another position that focuses on regulatory compliance and boardroom disclosure. 
    • “Regulatory changes from the Securities and Exchange Commission and other bodies have been a mixed blessing for CISOs, according to Harold Rivas, CISO at Trellix.”
  • Cyberscoop mentions that “SecureWorks has released research that dives into the tell-tale behaviors behind remote employees that may be working on behalf of North Korea.”
  • Dark Reading notes that “A survey shows three-quarters of CISOs are drowning in threat detections put out by a sprawling stack of tools, yet still lack the basic visibility necessary to identify breaches,” and shares “four ways to address Zero-Days in AI/ML security. As the unique challenges of AI zero-days emerge, the approach to managing the accompanying risks needs to follow traditional security best practices but be adapted for AI.”
  • Here’s a link to Dark Reading’s CISO corner.
  • Security Week asks us to “be aware of eight underrated phishing techniques. There are a number of lesser-known phishing techniques that are often overlooked or underestimated yet increasingly being employed by attackers.”
