FEHBlog

• The Wall Street Journal reports,
  • “Hemant Rathod, an Indian executive, was sipping tea in a conference room Friday morning in Delhi, about to send a long email to his team, when his computer went haywire.
  • “The HP laptop suddenly said it needed to restart. Then the screen turned blue. He tried in vain to reboot. Within 10 minutes, the screens of three other colleagues in the room turned blue too.
  • “I had taken so much time to draft that email,” Rathod, a senior vice president at Pidilite Industries, a construction-materials company, said by phone half a day later, still carrying his dead laptop with him. “I really hope it’s still there so I don’t have to write it again.”
  • “The outage, one of the most momentous in recent memory, crippled computers worldwide and drove home the brittleness of the interlaced global software systems that we rely on.  * * *
  • “Adding to the chaos—and further underlining the vulnerability of the global IT system—a separate problem hit Microsoft’s Azure cloud computing system on Thursday shortly before the CrowdStrike glitch, causing an outage for customers including some U.S. airlines and users of Xbox and Microsoft 365.
  • The CrowdStrike problem laid bare the risks of a world in which IT systems are increasingly intertwined and dependent on myriad software companies—many not household names. That can cause huge problems when their technology malfunctions or is compromised. The software operates on our laptops and within corporate IT setups, where, unknown to most users, they are automatically updated for enhancements or new security protections.

• The irony lies in the fact that
  • “The global outage began with an update of a so-called “channel file,” a file containing data that helps CrowdStrike’s software neutralize cyber threats, CrowdStrike said. The update was timestamped 4:09 a.m. UTC—just after midnight in New York and around 9:30 a.m. in India.
  • “That update caused CrowdStrike’s software to crash the brains of the Windows operating system, known as the kernel. Restarting the computer simply caused it to crash again, meaning that many users had to surgically remove the offending file from each affected computer.”

From the cybersecurity policy front,

• Cybersecurity Dive informs us,
  • “A U.S. District Court judge dismissed most of the charges in a civil fraud case filed against SolarWinds by the Securities and Exchange Commission Thursday.
  • “The SEC filed suit in October alleging SolarWinds misled investors about the company’s cybersecurity practices leading up to the Sunburst supply chain hack, which was disclosed in December 2020. The attack that targeted SolarWinds Orion platform impacted thousands of customers, including major U.S. companies and government agencies that used the platform. 
  • “Judge Paul Engelmayer of the U.S. District Court Southern District of New York sustained the SEC’s claims of securities fraud based on SolarWinds’ security statement. However, the court dismissed other claims, including all claims involving post-Sunburst disclosures. * * *
  • “Allegations related to a 2017 statement made about the company’s security capabilities on the “trust center” page of its website will continue to be litigated.” 

• The Wall Street Journal points out,
  • “A spokesman said SolarWinds is pleased with the judge’s ruling. “We look forward to the next stage, where we will have the opportunity for the first time to present our own evidence and to demonstrate why the remaining claim is factually inaccurate,” he said. * * *
  • “David Shargel, a partner at law firm Bracewell, said the dismissal of part of the SEC’s claims was a victory for SolarWinds “by any measure.” Companies rarely defeat the SEC’s lawsuits so early in the litigation process.”
  • “It’s definitely a serious charge that remains, and it serves as a reminder that, as with any public-facing statement, companies need to ensure that their disclosures are accurate and not misleading,” he said.” * * *
  • Notably, Engelmayer also dismissed the SEC’s claim that SolarWinds violated rules that govern how companies guard against accounting errors. The judge said cybersecurity controls aren’t part of that process. “That reading is not tenable,” the judge wrote, saying the controls clearly apply only to financial accounting. 
  • “I think that might give some compliance departments some comfort going forward in terms of the parameters of the disclosure requirements,” Shargel said.

• The National Institute of Standards and Technology issued a special publication concerning Personal Identity Verification (PIV). Experience-rated FEHB carriers must employ PIV for their employees who access OPM’s letter of credit system.

From the cybersecurity vulnerabilities and breaches front,

• Security Week informs us that “The massive AT&T breach has been linked to an American hacker living in Turkey and reports say the telecom giant paid a $370,000 ransom.”

• Cybersecurity Dive lets us know,
  • “Weak credentials and misconfigurations across cloud systems were at the root of 3 in 4 network intrusions during the first half of 2024, Google Cloud said Wednesday in its latest Threat Horizons Report.
  • “Google Cloud said systems with weak or no credentials were the top initial access vector, accounting for 47% of cloud environment attacks during the first six months of the year. That’s a slight decrease from the second half of 2023 when weak or no credentials were at the root of 51% of attacks, according to Google Cloud.
  • “Misconfigurations were the initial access vector for 30% of all cloud environment attacks during the first half of 2024, marking a significant jump from 17% in the second half of 2023.”

• The Cybersecurity and Infrastructure Security Agency added four known exploited vulnerabilities to its catalog this week:
  • July 15, 2024, CVE-2024-36401 OSGeo GeoServer GeoTools Eval Injection Vulnerability
  • July 17, 2024,
    • CVE-2024-34102 Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability
    • CVE-2024-28995 SolarWinds Serv-U Path Traversal Vulnerability
    • CVE-2022-22948 VMware vCenter Server Incorrect Default File Permissions Vulnerability

From the ransomware front,

• Per Cybersecurity Dive,
  • “Ransomware activity jumped in the second quarter as threat groups listed 1,237 organizations on data leak sites during the period, marking a 20% increase from Q1, Reliaquest said in a Tuesday report. 
  • “May was an especially active month due to a spike in posts from the ransomware group LockBit, which accounted for 36% of the month’s alleged victims, the report found. Yet, an abnormally slow June dragged the total count of alleged ransomware victims down 13% year over year, according to Reliaquest.
  • “U.S.-based businesses bore the brunt of ransomware attacks during Q2, composing more than half of all claimed ransomware victims listed on data leak sites during the period. Sectors targeted most heavily by cybercriminals during the quarter included manufacturing and professional, scientific and technical services, the report found.”

• The Wall Street Journal notes,
  • “Rite Aid disclosed customer data was accessed in a June cybersecurity breach.
  • “The drugstore operator said an unknown third-party impersonated a company employee on June 6. It detected the incident within 12 hours and launched an investigation and reported it to law enforcement.
  • “Rite Aid said by June 17 it determined the party acquired certain data associated with the purchase or attempted purchase of specific retail products, including purchaser name, address, date of birth and driver’s license number or other form of government-issued ID presented at purchase between June 6, 2017, and July 30, 2018.”

• Dark Reading adds on July 15,
  • “[Rite Aid] has not released an official statement revealing who the threat actors are, but the RansomHub gang has claimed that it breached the company’s systems.
  • “While having access to the Rite-Aid network, we obtained over 10GB of customer information equating to around 45 million lines of people’s personal information,” the ransomware group said on its Dark Web leak site. “This information includes name, address, dl_id number, DoB, Rite Aid rewards number.”
  • “Rite Aid reportedly stopped negotiating a ransom, prompting the ransomware group to share snippets of what it claims is stolen data as proof and add a two-week deadline before more information will be leaked.”

From the cybersecurity defenses front,

• The Wall Street Journal reports,
  • “Google parent Alphabet is in advanced talks to acquire cybersecurity startup Wiz for roughly $23 billion, according to people familiar with the matter, in what would be its largest acquisition ever. 
  • “A deal could come together soon, assuming the talks don’t fall apart, the people said. 
  • “Alphabet is eyeing the deal at a time of intense antitrust scrutiny of the search company and other tech giants. The acquisition could also help boost Alphabet’s efforts in cloud computing, an important and growing business but one where it has lagged behind peers. * * *
  • “Google has been working to bulk up its cybersecurity business, focused on the cloud. Its biggest recent acquisition—and second largest ever—is the nearly $5.4 billion purchase two years ago of another security company, Mandiant.” 

• TechTarget shares “best practices for protection from ransomware in cloud storage” and advises “CISOs on how to improve cyberthreat intelligence programs.”

• Dark Reading explains why “In Cybersecurity, Mitigating Human Risk Goes Far Beyond Training.”

From the cybersecurity policy front –

• The Wall Street Journal reports,
  • “[On July 9, 2024,] Australia, the U.S. and six other allies warned that a Chinese state-sponsored hacking group poses a threat to their networks, in an unusual, coordinated move by Western governments to call out a global hacking operation they say is directed by Beijing’s intelligence services.
  • “Tuesday’s advisory was a rare instance of Washington’s major allies in the Pacific and elsewhere joining to sound the alarm on China’s cyber activity. Australia led and published the advisory. It was joined by the U.S., U.K., Canada and New Zealand, which along with Australia are part of an intelligence-sharing group of countries known as the Five Eyes. Germany, Japan and South Korea also signed on.” * * *
  • “The technical advisory detailed a group known in cybersecurity circles as Advanced Persistent Threat 40, or APT40, which conducts cybersecurity operations for China’s Ministry of State Security and has been based in the southern island province of Hainan. The advisory detailed how the group targeted two networks in 2022—though it didn’t identify the organizations—and said the threat is continuing.”

• Federal News Network informs us,
  • “A top Department of Homeland Security official says DHS is working to harmonize new cyber incident reporting rules, as industry and even some lawmakers criticize the draft rule’s scope and potential duplicative requirements.
  • “The comment period for the Cybersecurity and Infrastructure Security Agency’s draft rule closed July 3. The proposal would implement the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022. CISA expects to finalize the rule next spring. The rules will require organizations across the 16 critical infrastructure sectors to report cyber incidents to CISA within 72 hours.
  • “Iranga Kahangama, DHS assistant secretary for cyber, infrastructure, risk, and resilience, said officials are just starting to adjudicate all the feedback it received. But Kahangama acknowledged widespread comments from industry about the “burden” of duplicative cyber incident rules.
  • “We are going to be viewing and administering CIRCIA with an eye towards harmonization,” Kahangama said during a July 10 event in Washington hosted by the Homeland Security Defense Forum. “We’re also establishing conversations between the department and all the other agencies that have cyber reporting requirements to identify ways that we can harmonize reporting.”
  • “He pointed to interagency agreements that “allow for reciprocal sharing of information such that … a report to one will count as a report to another and vice versa through CISA.”
  • “We want to make sure we’re maximizing the ability to do that,” Kahangama said. “That’s quite complicated, because each agency has different requirements. And so, you need to make sure that they’re substantially similar enough and that those are fleshed out. But those are really wonky but interesting conversations that my office is actively having right now as we develop CIRCIA.”

• The FEHBlog finds it interesting that recent cyberbreach news articles rely on Securities and Exchange Commission 8-K reports from public companies.

• Cyberscoop summarizes a variety of criticisms levelled against the CIRCIA proposed rule in the public comments.

• Cyberscoop adds,
  • “New legislation from a bipartisan pair of senators would create an interagency committee tasked with streamlining the country’s patchwork system of cybersecurity regulations if signed into law.
  • “The Streamlining Federal Cybersecurity Regulations Act [S. 4630] from Sens. Gary Peters, D-Mich., and James Lankford, R-Okla., calls on the White House’s national cyber director to create a committee that would harmonize the myriad cyber requirements imposed on companies by federal regulatory agencies, according to bill text shared with CyberScoop.
  • “The introduction of the bill comes a month after a Senate hearing in which Nicholas Leiserson, the assistant national cyber director for cyber policy and programs, warned lawmakers of increasing “fragmentation” of cybersecurity regulations. “It is a problem that requires leadership from ONCD and Congress informed by the private sector,” he said.”

• Cybersecurity Dive tells us,
  • “The Cybersecurity and Infrastructure Security Agency and FBI advised software vendors to eliminate operating system command injection vulnerabilities from products before they ship. The agencies issued the advisory Wednesday [July 10, 2024] as part of their secure-by-design alert series.
  • “Threat groups have exploited several OS command injection vulnerabilities in widely used network devices this year, including CVE-2024-20399 in Cisco products, CVE-2024-21887 in Ivanti remote access VPNs and CVE-2024-3400 in Palo Alto Networks firewalls. 
  • “OS command injection vulnerabilities arise when manufacturers fail to properly validate and sanitize user input when constructing commands to execute on the underlying OS,” CISA and the FBI said in the advisory.” 

• Per the HeathIT.gov website,
  • “ONC’s HTI-2 proposed rule [released July 10] implements provisions of the 21st Century Cures Act and reflects ONC’s focused efforts to advance interoperability and improve information sharing among patients, providers, payers, and public health authorities.
  • “Key proposals include:
    • “Two sets of new certification criteria, designed to enable health IT for public health as well as health IT for payers to be certified under the ONC Health IT Certification Program. Both sets of certification criteria focus heavily on standards-based application programming interfaces to improve end-to-end interoperability between data exchange partners (health care providers to public health and to payers, respectively).
    • “Technology and standards updates that build on the HTI-1 final rule, ranging from the capability to exchange clinical images (e.g., X-rays) to the addition of multi-factor authentication support.
    • “Requiring the adoption of United States Core Data for Interoperability (USCDI) version 4 by January 1, 2028.
    • “Adjustments to certain “exceptions” to the information blocking regulations to cover additional practices that have recently been identified by the regulated community, including a new “Protecting Care Access” exception, which would cover practices an actor takes in certain circumstances to reduce its risk of legal exposure stemming from sharing information.
    • “Establishing certain Trusted Exchange Framework and Common Agreement^TM (TEFCA^TM) governance rules, which include requirements that implement section 4003 of the 21st Century Cures Act.”
  • The public comment deadline will end in early September, depending on the date of the proposed rule’s publication in the Federal Register.

From the cybersecurity vulnerabilities and breaches front,

• Cybersecurity Dive lets us know,
  • “A cyberattack targeting AT&T’s Snowflake environment compromised data on nearly all of the telecom provider’s wireless customers, the company said in a Friday filing with the Securities and Exchange Commission. Nearly 110 million customers are impacted, according to AT&T’s annual report for the period of compromised data.
  • “Data stolen during the intrusion includes records of AT&T customers’ calls and text messages spanning a six-month period ending Oct. 31, 2022, and records from Jan. 2, 2023, the company said in the SEC filing. 
  • “The attack did not expose the content of calls or text messages, customer names or personally identifiable information, according to AT&T. Yet, the stolen records include the phone numbers AT&T wireless customers interacted with, counts of those interactions and aggregate call duration for a day or month.”

• Dark Reading adds,
  • “Nearly all” of AT&T’s wireless customers are affected, the company admitted, as well as customers of mobile virtual network operators (MVNOs) using AT&T’s network. According to public resources, those MVNOs likely include popular wireless service providers like Boost Mobile, Cricket Wireless, H2O, and Straight Talk Wireless.” * * *
  • “Earlier this year, data belonging to more than 70 million AT&T customers leaked to the Dark Web. The trove included all the hallmark personally identifying information (PII) types, like Social Security numbers, mailing addresses, and dates of birth.
  • “This time, none of the stolen data has as yet been observed on the public web, and customers’ most sensitive PII has remained untouched. [FEHBlog note the theft occurred in April — the public notice was delayed with Justice Department approval.]
  • Still, AT&T warned, “There are often ways, using publicly available online tools, to find the name associated with a specific telephone number.”

• Cyberscoop notes that Snowflake “announced on Thursday that administrators can now enforce mandatory multi-factor authentication for Snowflake users.”  

• On a related note, Help Net Security discloses,
  • “On July 1, Twilio – the company that develops the Authy MFA mobile app – shared with the public that attackers have leveraged one of its unauthenticated API endpoints to compile a list of phone numbers and other data belonging to Authy users.
  • “Company systems were not breached, Twilio said, and Authy accounts have not been compromised, but the company warned that “threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks.”
  • “The list, which apparently holds data of 33 million Authy users, has been offered for sale by ShinyHunters, a threat actor that specializes in breaching companies and stealing their customers data, then holding it for ransom and/or selling it to the highest bidder on forums and markets frequented by cybercriminals.”

• Cybersecurity Dive calls attention to a recent survey,
  • “Almost 60% of organizations can’t track what happens to their information once it goes out in an email or through another communication channel, a survey by data security company Kiteworks finds. 
  • “That’s a risk management problem because data breaches are correlated with how information leaves an organization. 
  • “The more communication tools an organization uses — email, file sharing, managed file transfer, secure file transfer protocol, web forms, among others — the higher the risk of information ending up where it wasn’t intended, the survey finds. 
  • “Respondents with over seven communication tools experienced 10-plus data breaches — 3.55x higher than the aggregate,” the survey report says. “

• On July 9, 2024 —
  • “CISA added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
    • “CVE-2024-23692 Rejetto HTTP File Server Improper Neutralization of Special Elements Used in a Template Engine Vulnerability
    • “CVE-2024-38080 Microsoft Windows Hyper-V Privilege Escalation Vulnerability”
    • “CVE-2024-38112 Microsoft Windows MSHTML Platform Spoofing Vulnerability”
  • Health IT Security pointed out recent breaches involving healthcare entities.
  • HHS’s Health Sector Cybersecurity Coordination Center (HC3) posted its bulletin on June 2024 vulnerabilities of interest to the health sector.

• Health IT Security alerts us,
  • “Change Healthcare published a substitute data breach notice on its website [earlier this week] to inform affected individuals of the breach that resulted from the February 2024 cyberattack against the company. Change has publicly stated that the cyberattack involved the data of approximately one-third of Americans.
  • “Change Healthcare said that it would begin mailing written letters to affected individuals on June 20, once it completed its data review. Additional customers may be identified as impacted as the review continues.
  • “The company provided a brief timeline of events in its substitute notice, which was published on its website. Although the cyberattack began on February 21, it was not until March 13 that Change was able to obtain a dataset of exfiltrated files that was safe to investigate. * * *
  • “Any individual who believes that their information has been impacted by the data breach can enroll in two years of complimentary credit monitoring and identity theft protection services. Ahead of the breach notice, state attorneys general encouraged consumers to take advantage of these free resources.”

From the ransomware front,

• Cyberscoop reports,
  • “The ransomware group linked to a June cyberattack against auto industry software provider CDK Global received a payment of more than $25 million two days after the attack that hobbled software used by roughly 15,000 car dealerships in the U.S. became public, researchers told CyberScoop. 
  • “A cryptocurrency wallet likely controlled by BlackSuit — the ransomware group believed to be responsible for the attack — received approximately 387 bitcoins on June 21, worth roughly $25 million, researchers with blockchain intelligence firm TRM Labs told CyberScoop. 
  • “The evidence uncovered by TRM Labs is firmest evidence yet to indicate that CDK Global paid a ransom in order to resolve the attack on its systems, though TRM’s findings do not conclusively prove that the payment came from CDK.”

• SC Media and Bleeping Computer discuss RansomHub attacks on the Florida Department of Health and the Rite Aid pharmacy chain.

• Dark Reading reports,
  • “Akira ransomware actors are now capable of squirreling away data from victims in just over two hours, marking a significant shift in the average time it takes for a cybercriminal to move from initial access to information exfiltration.
  • “That’s the word from the BlackBerry Threat Research and Intelligence Team, which today released a breakdown of a June Akira ransomware attack on a Latin American airline. According to BlackBerry’s anatomy of the attack, the threat actor, using Secure Shell (SSH) protocol, gained initial access via an unpatched Veeam backup server, and immediately set about heisting information before deploying the Akira ransomware the next day.
  • “The likely culprit is Storm-1567 (aka Punk Spider and Gold Sahara), a prolific user of the Akira ransomware-as-a-service (RaaS) platform and the group that maintains the Akira leak site, according to the report. The gang is known for using double-extortion tactics and has attacked more than 250 organizations across numerous industry verticals globally since emerging from the shadows in March 2023. It mainly sets its sites on Windows systems, but has developed Linux/VMware ESXi variants as well, and has consistently shown a high level of technical prowess.”

• The Register (UK) tells us,
  • “As ransomware crews increasingly shift beyond just encrypting victims’ files and demanding a payment to unlock them, instead swiping sensitive info straight away, some of the more mature crime organizations are developing custom malware for their data theft.
  • “In a report published on Wednesday by Cisco Talos, the threat intelligence unit reviewed the top 14 ransomware groups and analyzed their tactics, techniques and procedures (TTPs). Talos selected the 14 based on volume and impact of attacks and “atypical threat actor behavior,” using data from the criminals’ leak sites, internal tracking, and other open-source reporting.
  • “The 14, listed here by number of victims on their respective shaming sites, are the ones you’d likely expect: LockBit, ALPHV, Play, 8base, BlackBasta, BianLian, CLOP, Cactus, Medusa, Royal/Blacksuit, Rhysida, Hunters International, Akira, and Trigona. 
  • “Over the past year, we have witnessed major shifts in the ransomware space with the emergence of multiple new ransomware groups, each exhibiting unique goals, operational structures and victimology,” the report’s authors note.”

From the cybersecurity defenses front,

• Cybersecurity Dive discusses “What does your CEO need to know about cybersecurity? CEOs don’t necessarily have to become experts in the technical aspects of cybersecurity to be prepared in case of an attack or — hopefully — stop one before it starts.”

• Per a July 11, 2024, CISA press release,
  • “CISA released CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth in coordination with the assessed organization. This Cybersecurity Advisory (CSA) details key findings and lessons learned from a 2023 assessment, along with the red team’s tactics, techniques, and procedures (TTPs) and associated network defense activity.
  • “The CSA also provides recommendations to assist executives, leaders, and network defenders in all organizations with refining their cybersecurity, detection, response, and hunt capabilities.
  • “CISA encourages all organizations review the advisory and apply the recommendations and mitigations within, including applying defense-in-depth principles, using robust network segmentation, and establishing baselines of network traffic, application execution, and account authentication.”