Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cyberscoop tells us,
    • “The White House is close to finalizing a second executive order on cybersecurity that covers a wide range of subjects for federal agencies to address, including artificial intelligence, secure software, cloud security, identity credentialing and post-quantum cryptography, according to sources familiar with work on the document.
    • ‘The executive order, a follow-up to the sweeping cybersecurity executive order President Joe Biden signed in his first year in office, had been working its way through the interagency process, during which agencies give feedback on the draft, sources said.
    • “According to one source familiar with the order, the interagency process has wrapped up and a draft is “95%” of the way toward its final incarnation. The target is to get something signed in early December, subject to the president’s review and approval. But another source recently told CyberScoop that the executive order is viewed as “pretty aspirational to get it done.”
  • and
    • “A coalition of influential infrastructure trade groups and associations want to change key definitions around an incoming cyber reporting mandate, citing long-standing “concerns” around the Cybersecurity and Infrastructure Security Agency’s engagement process and existing regulatory requirements.
    • “In a letter to CISA Director Jen Easterly this week, 21 organizations from the communications, energy, aviation, IT, and transportation sectors, among others, asked the cyber agency to start an “ex parte” process that would apply the critical infrastructure cyber reporting mandate “in a manner consistent with congressional intent.”
    • “Simply put, the public record to date is insufficient, and a single round of comments in response to CISA’s [Notice of Proposed Rulemaking] will not allow the agency to effectively capture and leverage stakeholder feedback,” the letter states. “Absent increased industry engagement, CISA’s proposed regulation may inadvertently impose requirements that hinder rather than help our sectors maintain security and operational efficiency.”
  • Per Fedscoop,
    • “A week before a deadline for federal agencies to submit to the White House their updated zero-trust implementation plans, a coalition of government IT leaders released a guide intended to strengthen data security practices.
    • “The 42-page Federal Zero Trust Data Security Guide, spearheaded by the Federal Chief Data Officers and Federal Chief Information Security Officers councils, zeroes in on “securing the data itself, rather than the perimeter protecting it,” part of what a Thursday press release termed “a foundational pillar of effective” zero-trust implementation.
    • “By Nov. 7, federal agencies must provide their updated plans for zero-trust implementation to the Office of the National Cyber Director and the Office of Management and Budget.
    • “This guide represents insights from agency practitioners who are in the trenches working to implement zero trust and secure their organization’s data,” Kirsten Dalboe, the Federal Energy Regulatory Commission’s CDO and chair of the CDO Council, said in a statement. “We’re building a cooperative relationship between data and cyber to tackle this government-wide challenge and ultimately ensure the public’s data is secured.” 
  • Per October 31, 2024, HHS press releases,
    • “Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with Plastic Surgery Associates of South Dakota in Sioux Falls, for several potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, following its investigation into a ransomware attack breach by OCR. Ransomware and hacking are the primary cyber-threats in health care.” * * *
    • “OCR initiated an investigation following the receipt of a breach report filed by Plastic Surgery Associates of South Dakota in July 2017, which reported that it discovered that nine workstations and two servers were infected with ransomware, affecting the protected health information of 10,229 individuals. The credentials the hacker(s) used to access Plastic Surgery Associates of South Dakota’s network were obtained through a brute force attack (hacking method that uses trial and error to guess passwords, login information, encryption keys, etc.) to their remote desktop protocol. After discovering the breach, Plastic Surgery Associates of South Dakota was unable to restore the affected servers from backup.
    • “OCR’s investigation revealed multiple potential violations of the HIPAA Security Rule, including failures to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems; implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level; implement procedures to regularly review records of information system activity; and implement policies and procedures to address security incidents.” * * *
    • “Under the terms of the settlement, Plastic Surgery Associates of South Dakota paid $500,000 to OCR and agreed to implement a corrective action plan that requires them to take steps to resolve potential violations of the HIPAA Security Rule and protect the security of electronic protected health information.” * * *
    • “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/psa-ra-cap/index.html .”
  • and
    • “Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Bryan County Ambulance Authority (BCAA), a provider of emergency medical services in Oklahoma for a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement resolves an investigation concerning a ransomware attack on BCAA’s information systems.” * * *
    • “In May 2022, OCR received a breach report concerning a ransomware incident that encrypted files on BCAA’s network. BCAA determined that the encrypted files affected the protected health information of 14,273 patients. OCR’s investigation determined that BCAA had failed to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in BCAA’s systems.
    • “Under the terms of the resolution agreement, BCAA agreed to pay $90,000 and to implement a corrective action plan that will be monitored by OCR for three years. Under the corrective action plan, BCAA will take a number of steps to ensure compliance with the HIPAA Security Rule and protect the security of ePHI * * * . * * *
    • “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/bcaa-ra-cap/index.html .

From the cybersecurity vulnerabilities and breaches front,

  • Infor Security lets us know,
    • “Cybersecurity firm Sophos has detailed evolving tactics by Chinese advanced persistent threat (APT) groups following five years of collecting telemetry on campaigns targeting its customers.
    • “Working with other cybersecurity vendors, governments and law enforcement agencies, the researchers were able to attribute specific clusters of observed activity from December 2018 to November 2023 to the groups Volt TyphoonAPT31 and APT41/Winnti.
    • “A notable shift from widespread, indiscriminate attacks towards narrow targeting of high value organizations was observed over the period.
    • “Sophos assessed with high confidence that exploits developed by the threat actors were shared with multiple Chinese state-sponsored frontline groups, which have differing objectives, capabilities, and post-exploitation tooling.
    • ‘The analysis was conducted in response to calls from the UK’s National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) for technology developers to provide transparency around the scale of exploitation of edge network devices by state-sponsored adversaries.
    • “In the interests of our collective resilience, we encourage other vendors to follow our lead,” Sophos wrote in a blog dated October 31, 2024.”
  • Cybersecurity Dive alerts us on October 31,
    • “Fortinet alerted customers to four new indicators of compromise for a widely exploited zero-day vulnerability in its network and security management tool FortiManager in an updated security advisory on Wednesday.
    • “The cybersecurity vendor said the situation is evolving and the updates don’t reflect any major changes. “Since we worked with the hosting provider to take down the actor infrastructure, some IP IoCs have changed,” a Fortinet spokesperson said Wednesday in an email.
    • “Fortinet initially disclosed active exploitation of CVE-2024-47575, a missing authentication for critical function vulnerability which has a CVSS score of 9.8, last week. Mandiant said at least 50 organizations across various industries were impacted by a spree of attacks it described as a “mass exploitation” event.”
  • Cybersecurity Dive adds,
    • “Enterprise modernization initiatives are too often threatened by aging infrastructure and systems that have run out of technical support, according to a recent Kyndryl report. The IT services firm surveyed 3,200 C-suite executives and collected anonymized customer data from its Kyndryl Bridge platform.
    • “While 9 in 10 executives said their company’s technology is best-in-class, nearly two-thirds acknowledged that outdated systems present a major concern. Data indicating 44% of mission-critical enterprise IT infrastructure is approaching or at end-of-life confirmed the apparent paradox.
    • “If a company lacks comprehensive IT asset and configuration management, locating tech debt is a challenge, according to Michael Bradshaw, Kyndryl’s SVP and global practice leader for applications, data and AI. “It’s almost like an archaeological dig,” he said. “You don’t know where the problems are unless you stub your toe on something that’s reached end-of-support.”
  • CISA did not add known exploited vulnerabilities to its catalog this week.

From the ransomware front,

  • The American Hospital Association reports,
    • “The Cybersecurity and Infrastructure Security Agency Oct. 31 issued an alert on a large-scale spear-phishing campaign targeting organizations in several sectors. The agency received multiple reports on the matter. According to the agency, the foreign threat actor, often posing as a trusted entity, sends spear-phishing emails with malicious remote desktop protocol files to targeted organizations to connect to and access files stored on the target’s network. If the threat actor gains access, it could perform additional activities, such as deploying malicious code to achieve persistent access to the target’s network. CISA, other federal agencies and partners are coordinating and assessing the impact of the campaign and urged organizations to take proactive measures to protect their data and systems. 
    • “The malicious use of RDP to conduct cyberattacks, including highly disruptive ransomware attacks, continues to be a significant attack vector used by foreign cybercriminals, ransomware gangs and spies,” said John Riggi, AHA national advisor for cybersecurity and risk. “To help mitigate this type of cyberattack risk, it is strongly recommended health care organizations restrict outbound RDP connections, block RDP connections in communication platforms, prevent execution of RDP files and use phishing-resistant multi-factor authentication for all remote access. Please review the alert for additional recommendations.” 
  • Info Security reports,
    • “A North Korean-backed hacking group has engaged in a ransomware campaign for the first time, according to Palo Alto Networks.
    • “Jumpy Pisces, a hacking group tied to the Reconnaissance General Bureau of the Korean People’s Army, has been involved in a recent ransomware incident, according to a new report by Palo Alto’s threat intelligence team, Unit 42, published on October 30.
    • “This marks a shift in the nation-state group’s tactics and the first time they have been involved with financially motivated cyber threat actors.”

From the cyber defenses front,

  • Cybersecurity Dive relates
    • “UnitedHealth Group appointed Tim McKnight to CISO, marking a change in the company’s security leadership eight months after a ransomware attack on subsidiary Change Healthcare led to sustained nationwide disruptions. McKnight shared the news on LinkedIn this week
    • “McKnight replaces Steven Martin, who became CISO in May 2023, nine months before the ransomware attack. As part of the change, Martin shifted to a new role at UnitedHealth as chief restoration officer. Martin previously served as CIO and CTO at Change Healthcare and Optum, another subsidiary of UnitedHealth Group.
    • “Earlier this month, UnitedHealth Group confirmed the cyberattack, which involved compromised credentials to a remote access Citrix portal, compromised data on at least 100 million people, the largest healthcare data breach ever reported to federal regulators. The attack also hinged on a consequential mistake the healthcare giant made in failing to protect a critical system: it did not turn on multifactor authentication.”
  • Here is a link to Dark Reading’s CISO Corner.