Cybersecurity Saturday

David ErmerCybersecurity

From the cybersecurity policy and law enforcement front,

  • Cyberscoop tells us
    • “Cybersecurity is set to get a decidedly South Dakotan bent in 2025.
    • “Three Republican South Dakota politicians are in line to take on more prominent roles to influence cyber policy next year: Gov. Kristi Noem is president-elect Donald Trump’s pick to lead the Homeland Security Department, Sen. Mike Rounds is poised to seize the gavel of a key cybersecurity subcommittee and John Thune will become Senate majority leader.
    • Cyberscoop interviews “José-Marie Griffiths, [the] president of Dakota State University, a school that has put a big focus on cybersecurity and tech, [who] has worked with all three of them closely on cyber issues — testifying before their committees, consulting them on legislation, being appointed to national commissions by them and more.”
  • HHS Office of Inspector General criticized the HHS Office for Civil Rights, which enforces the HIPAA Privacy and Security Rules, for inadequately conducting routine Security Rule audits of HIPAA covered entities and business associates. According to an OIG news release,
    • “We made a series of recommendations to OCR to enhance its HIPAA audit program, including that it expand the scope of its HIPAA audits to assess compliance with physical and technical safeguards from the HIPAA Security Rule, document and implement standards and guidance for ensuring that deficiencies identified during the HIPAA audits are corrected in a timely manner, and define metrics for monitoring the effectiveness of OCR’s HIPAA audits at improving audited covered entities and business associates’ protections over ePHI and periodically review whether these metrics should be refined. The full recommendations are in the report.
    • “OCR did not concur with one recommendation but concurred with our three other recommendations and detailed steps it has taken and plans to take in response.”
  • Per an HHS press release, the Office of Civil Rights announced
    • “a settlement with Holy Redeemer Family Medicine (Holy Redeemer), a Pennsylvania hospital, concerning an alleged violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule due to an impermissible disclosure of a female patient’s protected health information, including information related to reproductive health care.”
    • The Hospital had mistakenly sent the woman’s entire medical record to the patient’s prospective employer instead of sending a specific test result as requested.
    • OCR evidently spends more time on enforcement than on routine audits.
  • The Wall Street Journal considers the pros and cons of creating a cybersecurity branch of the U.S. armed forces.
    • “The idea of creating a military branch dedicated to cybersecurity has been floated before. Last year, an independent study of the idea was initially included in—but then dropped from—Congress’s annual National Defense Authorization Act, legislation that specifies the annual budget and expenditures of the Defense Department. This year’s version of the bill currently includes the study, but that could change before it comes to a vote. 
    • “Rep. Morgan Luttrell (R., Texas) says a study would provide significant data to understand what more, if anything, needs to be done to increase the country’s cybersecurity. “That’s fair” as a way to address conflicting views about a Cyber Force, says Luttrell, who is a member of the House Armed Services Committee and is one of the representatives who proposed including a study in this year’s spending bill. “It gives us the ability to negotiate and debate,” he says.”
  • Bleeping Computer reports,
    • “Russian law enforcement has arrested and indicted notorious ransomware affiliate Mikhail Pavlovich Matveev (also known as Wazawaka, Uhodiransomwar, m1x, and Boriselcin) for developing malware and his involvement in several hacking groups.
    • “While the prosecutor’s office has yet to release any details on the individual’s identity (described as a “programmer” in court documents), the individual is Matveev, according to an anonymous source of the Russian state-owned news agency RIA Novosti.
    • “At present, the investigator has collected sufficient evidence, the criminal case with the indictment signed by the prosecutor has been sent to the Central District Court of the city of Kaliningrad for consideration on the merits,” the Russian Ministry of Internal Affairs said in a statement.” * * *
    • “Last year, in May 2023, the U.S. Justice Department also filed charges against Matveev for his involvement in the Hive and LockBit ransomware operations that targeted victims across the United States.”

From the cyber vulnerabilities and breaches front,

  • The Cybersecurity and Infrastructure Security Agency added one known exploited vulnerability to its catalog this week.
  • Hacker News adds,
    • “The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a now-patched critical security flaw impacting Array Networks AG and vxAG secure access gateways to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild.
    • “The vulnerability, tracked as CVE-2023-28461 (CVSS score: 9.8), concerns a case of missing authentication that could be exploited to achieve arbitrary code execution remotely. Fixes (version 9.4.0.484) for the security shortcoming were released by the network hardware vendor in March 2023.” * * *
    • “The inclusion to KEV catalog comes shortly after cybersecurity company Trend Micro revealed that a China-linked cyber espionage group dubbed Earth Kasha (aka MirrorFace) has been exploiting security flaws in public-facing enterprise products, such as Array AG (CVE-2023-28461), Proself (CVE-2023-45727), and Fortinet FortiOS/FortiProxy (CVE-2023-27997), for initial access.”
  • Cybersecurity Dive warns,
    • “The FBI and Cybersecurity and Infrastructure Security Agency on Tuesday [November 26] warned businesses to protect themselves against cybercriminals trying to fraudulently divert payments during the holiday season.
    • “Threat activity involving fraudulent third parties usually accelerates during the holiday season, the agencies said. Businesses need to be aware of emails from alleged vendors or retailers claiming to change their account numbers. 
    • “Officials urged businesses and individuals that are targeted to promptly report the incidents to IC3, which has an asset recovery unit that can help intercept fraudulent payment activity and return those payments back to the victim.”
  • Cyberscoop informs us,
    • “Those with firsthand knowledge of Salt Typhoon’s hack of several U.S. telecommunications companies have called the group’s actions some of the most sophisticated cyber-espionage efforts they have ever seen. A prominent security vendor may have unearthed some malware that shows why. 
    • “Trend Micro released a report Monday that gives details on the tactics, techniques and procedures used by Salt Typhoon, which the company referred to as one of “the most aggressive Chinese advanced persistent threat (APT) groups” currently in operation. 
    • “While the company explicitly states that it does not have any evidence the malware detailed in the report was used in the telecom hacks, Trend Micro researchers write that several pieces of malware used by the group have been used to infiltrate other telecommunications companies and government entities around the world. Tracked as “Earth Estries,” Trend Micro says this group, which is also known as FamousSparrow, GhostEmperor, and UNC2286, has used the malware in the U.S., Asia-Pacific, Middle East, and South Africa.”

From the ransomware front,

  • Cybersecurity Dive relates,
    • “Just ahead of the holiday season, U.S. companies and critical infrastructure providers are once again bracing for the potential risk of cyberattack, as threat groups look to exploit distracted IT security teams for maximum leverage.
    • “The vast majority of organizations — nearly 9 in 10 — hit by ransomware over the past 12 months were targeted at night or over a weekend period, when IT security staffing was low, a November report from Semperis shows. 
    • “Nearly two-thirds of organizations said they were targeted by ransomware after a major corporate event when employees could be distracted, such as a restructuring or major layoff announcement, an initial public offering or a corporate merger. 
    • “The report, conducted in partnership with Censuswide, is based on a survey of more than 900 IT security professionals in the U.S., U.K., France and Germany.”
  • The Wall Street Journal reported on November 25,
    • “A ransomware attack against a major supply chain technology provider left retailers including Starbucks and U.K. grocery chain Sainsbury’s triggering backup plans to manage operations including scheduling and handling inventories.
    • “Blue Yonder, one of the world’s largest supply chain software providers, said Monday it was working to restore services after the attack last week disrupted systems it hosts for customers.
    • “Blue Yonder said it didn’t have a timeline for when services would be restored. The company said the attack didn’t affect systems that run on public cloud-based platforms.
    • “Starbucks said Monday the ransomware attack affected company-owned stores in its network of around 11,000 sites in North America. It disrupted the coffee chain’s ability to pay baristas and manage their schedules, leaving cafe managers to manually calculate employees’ pay. * * *
    • “The incident is the latest cyberattack to disrupt grocery supply chains this month as companies prepare for the busy holiday shopping season.
    • “Dutch supermarket conglomerate Ahold Delhaize, which owns Stop & Shop, Food Lion, Hannaford and other grocery chains, on Nov. 8 reported a “cybersecurity issue” within its U.S. network. The incident caused nearly two weeks of product shortages at Stop & Shop stores across the Northeast U.S.”
    • P.S. The FEHBlog could not find any articles closing the loop on the Blue Yonder attack.
  • SC Media added yesterday,
    • “Both Texas’ City of Coppell and the Minneapolis Park and Recreation Board were admitted having been compromised by the RansomHub ransomware operation, which also claimed to target two U.S. schools, according to The Record, a news site by cybersecurity firm Recorded Future.”

From the cybersecurity defenses front,

  • CISA gives advice on “Shop[ping] Safely Online This Holiday Season with Tips from Secure Our World.”
  • Federal New Network reports,
    • The Cybersecurity and Infrastructure Security Agency is rolling out a new education platform that the agency says will offer a more modern cyber training environment for CISA staff, the broader federal workforce, veterans and other users.
    • The new platform, CISA Learning, debuted this month. It serves up cybersecurity classes ranging from cloud security and ethical hacking to risk management and malware analysis.
    • The new platform is replacing both CISA’s internal education platform, as well as the Federal Virtual Training Environment, known as FedVTE, which had been used by users from across the federal government and other external organizations.
  • Dark Reading reports,
    • “A data-focused approach to tackling phishing and business fraud promises significant reductions in the amount of phishing and phone-based fraud that companies — and their customers — face but worries remain over whether fraudsters will adapt.
    • “The Financial Services Information Sharing and Analysis Center (FS-ISAC) unveiled its Phishing Prevention Framework on Nov. 19, a program consisting of best practices in data collection, defense, and customer communications that has already reduced the volume of phishing incidents — as measured by abuse complaints — in a pilot program with three banks. The framework cut the incidence of abuse complaints for those financial services firms in half and promises significant benefits for any business targeted by cybercriminals, if they implement certain best practices — such as security education and intelligence collection — included in the framework.
    • “While FS-ISAC has released the framework for the financial services sector — where phishing is a pernicious problem — the techniques are broadly applicable, says Linda Betz, executive vice president of global community engagement at the organization.”
  • SC Media offers “Five steps to better cyber risk assessments via autonomous pentesting.”
  • Dark Reading adds,
    • “Businesses are not the only organizations looking for skilled cybersecurity professionals; cybercriminals are also advertising for individuals capable of creating dark AI models and penetration-testing products — that is, ransomware — to reduce the chance of defenders finding ways to circumvent the scheme.
    • “In advertisements on Telegram chats and forums — such as the Russian Anonymous Marketplace, or RAMP — ransomware affiliate groups and initial access providers are seeking cybersecurity professionals to help find and close holes in their malware and other attack tools, security firm Cato Networks stated in its “Q3 SASE Threat Report.” In the past, the firm’s threat researchers have noted advertisements seeking developers capable of creating a malicious version of ChatGPT.
    • “The search for more technical talent highlights the recent success of law enforcement and private companies in taking down botnets and helping defenders recover their data, says Etay Maor, chief security strategist at Cato Networks.”
  • Finally, here is a link to Dark Reading’s CISO Corner.

Leave a Reply

Your email address will not be published. Required fields are marked *