Cybersecurity Saturday

From the cybersecurity policy front —

  • Defense One reports,
    • “By November, Pentagon cybersecurity leaders aim to lay out just how private contractors will be expected to work with government agencies to safeguard data and ward off attacks.
    • “We are working on a strategy—a [defense industrial base] cybersecurity strategy—that we hope to have out later this year,” David McKeown, DOD’s chief information and security officer, said at GovExec’s Cyber Summit event Thursday. “Our strategy is bringing all of the pieces and parts within the department together…laying it out who’s going to be doing what, and we overlay everything on top of the NIST cybersecurity framework.”
    • “Lawmakers requested the strategy as a step toward reducing the vulnerabilities created by doing sensitive business with hundreds of thousands of private contractors.”
  • Cyberscoop tells us,
    • “Lawmakers on Wednesday [May 17, 2023] passed a series of bills to give the Cybersecurity and Infrastructure Security Agency new responsibilities when it comes to safeguarding open source software, protecting U.S. critical infrastructure and expanding the cybersecurity workforce. 
    • “The Senate Homeland Security and Governmental Affairs Committee advanced a bill that would require CISA to maintain a commercial public satellite system clearinghouse and create voluntary cybersecurity recommendations for the space sector. Additionally, the committee advanced legislation requiring CISA to create a pilot civilian cyber reserve program to respond to incidents.
    • “The House Homeland Security Committee advanced legislation that would require CISA to work with the open source community to better secure it as well as create a framework to assess the general risks of open source components for federal agencies. The House advanced another bill that would give CISA the authority to train employees at DHS that aren’t currently in cybersecurity positions to move to such a role.”
  • Health IT Security adds,
    • “At a House Committee on Energy and Commerce hearing held on May 16, 2023, experts from the energy, water, and healthcare sectors testified on how sector-specific agencies within critical infrastructure are taking steps to protect their industries from cyberattacks.
    • “Each of the 16 critical infrastructure sectors has a designated Sector Risk Management Agency (SRMA) that is responsible for managing threats faced by each sector. The hearing gave committee members a chance to explore how various federal agencies work to secure critical infrastructure against cyber threats, assess their responses to emerging threats, and learn more about the roles and responsibilities of each agency.
    • “Brian Mazanec, PhD, deputy director at the HHS Administration for Strategic Preparedness and Response (ASPR) Office of Preparedness, delivered both a spoken and written testimony to the committee on the growing threats facing the healthcare sector and the role of HHS in mitigating these threats.
      • HHS is working diligently to strengthen cybersecurity and address the impacts of cyberattacks on the healthcare system. As we move forward, there are additional authorities and resources that would advance ASPR’s ability to fully implement its plan to bolster HHS’s Cyber Sector Risk Management Agency (SRMA) activities. For example, we are in the process of establishing a dedicated Cyber Division within ASPR’s Office of Critical Infrastructure Protection. If ASPR is granted direct hire authority, as requested through the Pandemic and All-Hazards Preparedness Act (PAHPA) reauthorization process, we would be able to bring critical staff with cyber expertise into the organization more quickly and move forward to address challenges without delay. We would also be better positioned to immediately expand and enhance our efforts as the SRMA lead for the HPH sector. Additionally, we are looking to establish a new HHS cyber incident ticketing system to better track incidents and strengthen threat intelligence sharing through embedded liaisons within CISA and the FBI. Dedicated resources are needed to implement and operate supporting systems, as included in the FY 2024 President’s Budget request. We continually assess and identify whether any additional authorities are needed to support our 

From the cyber vulnerabilities and breaches front —

  • The Health Sector Cybersecurity Coordination Center issued its April 2023 Cybersecurity Vulnerability report.
    • In April 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for April are from Microsoft, Google/Android, Apple, Mozilla, SAP, Cisco, Fortinet, VMWare, and Adobe. A vulnerability is given the classification as a zero-day if it is actively exploited with no fix available or is publicly disclosed. HC3 recommends patching all vulnerabilities with special consideration to the risk management posture of the organization.
  • Dark Reading points out three ways hackers use ChatGPT to cause security headaches.
  • MeriTalk informs us
    • “The Department of Transportation (DoT) is investigating a data breach affecting administrative systems at the department, an agency spokesperson confirmed to MeriTalk today.
    • “According to a Reuters report, DoT notified Congress of the data breach on Friday, which exposed the personal information of about 237,000 current and former Federal government employees. * * *
    • “DoT did not say when the hack was first discovered or who might be responsible for it.
    • “DoT is the latest agency to face a data breach after the U.S. Marshals Service (USMS) responded to a ransomware attack and data breach in February that compromised sensitive law enforcement information.”
  • Dark Reading adds
    • “PharMerica Healthcare has disclosed that its systems were breached earlier this year by an unauthorized third party, which resulted in the leak of the personal details of more than 5.8 million deceased people.
    • PharMerica provides pharmacy services for patients under long-term care, including those in senior living facilities, hospice care, and using behavioral health services.”

From the ransomware front —

  • Cyberscoop and Healthcare Dive report
    • “A new and highly active ransomware threat actor, RA Group, is targeting organizations in the manufacturing, finance, insurance and pharmaceuticals sectors, researchers at Cisco Talos said Monday.
    • “Within a week of its emergence on April 22, RA Group compromised three organizations in the U.S. and one in South Korea. The group listed its first three victims on its leak site on April 27 and added a fourth victim on April 28, according to Cisco Talos.
    • “Initial victim organizations have had their data encrypted and stolen, a form of double extortion designed to increase pressure on the organizations to pay the ransom.
  • CISA announced
    • CISA, the Federal Bureau of Investigation (FBI), and the Australian Cyber Security Centre (ACSC) have released a joint Cybersecurity Advisory (CSA) with known BianLian ransomware and data extortion group technical details. Microsoft and Sophos contributed to the advisory.
    • To reduce the likelihood and impact of BianLian and other ransomware incidents, CISA encourages organizations to implement mitigations recommended in this advisory. Mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST).
  • Here’s this week’s link to Bleeping Computer’s Week in Ransomware.
  • Cybersecurity Dive provides guidance on why and how to report a ransomware attack.

From the cyber defenses front —

  • The Wall Street Journal reports on how tabletop exercises can improve cyber preparedness, while Cybersecurity Dive tells us,
    • Corporate programs designed to boost the cyber resilience of employees are falling short on their goals, with more than half of cybersecurity leaders saying their workforce is not prepared for an attack, according to an Osterman Research report sponsored by Immersive Labs.
    • At two-thirds of organizations, there is a fear that almost all employees, 95%, will not understand how to recover following a cyberattack. Priority tasks might include operating without core IT systems and switching to manual processes to get important tasks completed. 
    • “There is an unfortunate disconnect between leaders’ confidence in team preparedness and real cyber resilience,” Max Vetter, VP of cyber at Immersive Labs, said via email. “This is because legacy training measures attendance, not real capabilities.”

Cybersecurity Saturday

From the cybersecurity policy front —

  • On May 10, 2023, the National Institute of Standards and Technology posted “revised draft guidelines, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST Special Publication [SP] 800-171 Revision 3).”
    • “Notable updates in the draft include: 
      • “Changes to reflect the state-of-practice cybersecurity controls;
      • “Revised criteria used by NIST to develop security requirements;
      • “Increased specificity and alignment of the security requirements in SP 800-171 Rev. 3 with SP 800-53 Rev. 5, to aid in implementation and assessment; and
      • “Additional resources to help implementers understand and analyze the proposed updates.”
    • “NIST is requesting public comments on the draft guidelines by July 14, 2023.”
    • “NIST anticipates releasing at least one more draft version of SP 800-171 Rev. 3 before publishing the final in early 2024. Following the publication of the final version, the authors plan to revise the set of supporting NIST publications on protecting controlled unclassified information, including SPs 800-171A (security requirement assessment), SP 800-172 (enhanced security requirements) and SP 800-172A (enhanced security requirement assessment).” 
    • “NIST is planning a webinar for June 6, 2023, to introduce the changes made to SP 800-171. Registration information will be posted next week on the Protecting CUI project site.” 
  • Cybersecurity Dive reports, “White House considers ban on ransom payments, with caveats. Experts suggest the effort, a reversal from the administration’s previous stance, is fraught with complications that could cause unintended consequences.”
    • Cybersecurity Dive adds,
      • “As the White House floats the possibility of a ban on ransom payments, the number of organizations hit by ransomware that ultimately pay a ransom remains high. 
      • “Nearly half, 46%, of organizations hit by ransomware during the past year paid a ransom to recover data, according to research Sophos released Wednesday [May 10].”
      • “The survey also found that cybersecurity insurance plays a direct role in the likelihood of an organization making a ransom payment. Nearly 3 in 5 organizations with a standalone cyber insurance policy paid the ransom, compared to the 15% of uninsured organizations that paid the ransom.”
    • Cybersecurity Dive points out,
      • “The number of ransomware claims filed by U.S. clients of insurance broker Marsh spiked 77% in the first quarter of the year compared with the prior three-month period, the company told CFO Dive.
      • “Marsh saw 55 ransomware claims from U.S. clients in the first quarter of the year versus 31 claims in the fourth quarter. The figures, which are expected to be published in an upcoming report, follow a downward trend in 2022 that had been credited with helping to moderate skyrocketing premiums in the cyber insurance market.
      • “I do think that we can still continue to see a deceleration of rate increases for those companies that have an optimal cyber risk maturity profile and have not suffered significant events that have caused the carriers to make claim payments,” Meredith Schnur, Marsh’s U.S. and Canada cyber brokerage leader, said in an interview.”
  • Cybersecurity Dive reports,
    • “Acting National Cyber Director Kemba Walden said the national cybersecurity strategy has been well received, however, acknowledged there were areas of disagreement. 
    • “Walden speaking Tuesday [May 9, 2023] at a forum hosted by The Software Alliance, also known as BSA, said there are two major areas of common ground that form the basis of the policy. Individual technology users, small businesses, local governments and small infrastructure providers like schools and hospitals are currently bearing the brunt of the cybersecurity risk — and that needs to change. 
    • “Cybersecurity risk is in the wrong place,” Walden said. “I think that’s an area of common ground.”
    • “Secondly, the U.S. is currently engaged in a game of Whac-A-Mole with malicious actors and the country needs to work together to make sure systems can be properly defended.
    • “Walden said her main concern regarding the national cyber strategy is to make sure the U.S. can build a more resilient digital ecosystem.”

From the cyber vulnerabilities front —

  • Health IT Security informs us,
    • “The Health Sector Cybersecurity Coordination Center’s (HC3) latest alert [dated May 10, 2023] details the growing trend of threat actors targeting a known vulnerability in Veeam Backup & Replication (VBR) software. VBR is a popular software product that can be used to back up, replicate, and restore data on virtual machines (VMs).
    • The vulnerability, known as CVE-2023-27532, is a high-severity vulnerability with a CVSS score of 7.5 that exposes encrypted credentials stored in the VBR configuration to unauthenticated users. If successfully exploited, threat actors may be able to gain access to the backup infrastructure hosts and could steal data or deploy ransomware.”
  • Health IT Security further tells us,
    • “The internet has a bot problem, cybersecurity company Imperva suggested in its 2023 Bad Bot Report. Nearly half of all internet traffic came from bots in 2022, while human traffic dipped to its lowest level in eight years.
    • Bots are not inherently bad – they can help automate select tasks, measure customer engagement, or simulate conversations. However, malicious bots can help threat actors launch denial-of-service attacks, distribute malware, or crack passwords. Imperva observed an uptick in bad bot traffic volume for the fourth consecutive year, growing to 30.2 percent in 2022, compared to 27.7 percent in 2021.
    • “Bad bots interact with applications like legitimate users would, making them harder to detect and block. They abuse business logic by exploiting the way a business operates, rather than exploiting technical vulnerabilities,” the report stated. * * *
    • “Imperva suggested that businesses begin mitigating risk by protecting exposed APIs and mobile apps, monitor traffic, and remain aware of data breaches and leaks occurring across the industry.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) added one and then seven more known exploited vulnerabilities to its catalog.

From the ransomware front —

  • Cyberscoop calls our attention to “The Ransomware Malicious Quadrant, published Wednesday by ransomware-focused cybersecurity firm Halcyon and first shared with CyberScoop, takes a range of the most consequential and effective ransomware groups over the past year and gathers the most critical datapoints on each, and categorizes them.”
  • Silicon Angle tells us,
    • “A new ransomware group targeting vulnerabilities in virtual private network appliances has been found that has a unique twist: The ransomware encrypts itself to avoid detection by security software.
    • “Discovered by security researchers at Kroll LLC, the ransomware, dubbed “Cactus,” is believed to have first been deployed in March. The ransomware targets known vulnerabilities in Fortinet Inc. VPN appliances to gain access to major organizations before getting to work.”
  • “CISA and FBI have released [on May 11, 2023] a joint Cybersecurity Advisory (CSA), Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG. This joint advisory provides details related to an exploitation of PaperCut MF/NG vulnerability (CVE-2023-27350). FBI observed malicious actors exploit CVE-2023-27350 beginning in mid-April 2023 and continuing through the present. In early May 2023, the FBI observed a group self-identifying as the Bl00dy Ransomware Gang attempting to exploit vulnerable PaperCut servers against the Education Facilities Subsector. The advisory further provides detection methods for exploitation and details known indicators of compromise (IOCs) related to the group’s activity. CISA encourages network defenders to review and apply the recommendations in the Detection Methods and Mitigations sections of this CSA.”
  • Here’s the latest Bleeping Computer Week in Ransomware report.

From the cyber defenses front —

  • The Washington Post reports,
    • “The Justice Department announced on Tuesday [May 9] that it disrupted Russian government cyberespionage malware that has infected targets in at least 50 countries. The U.S. government had been investigating it for more than 20 years.
    • “On the same day, a coalition of U.S. and U.S.-allied cyber agencies released technical details on the malware, known as Snake, to help industry and governments to shut it down.”
  • The Washington Post also discusses the growing use of artificial intelligence as a hacking tool, adding,
    • AI will help defenders as well, scanning reams of network traffic logs for anomalies, making routine programming tasks much faster, and seeking out known and unknown vulnerabilities that need to be patched, experts said in interviews.
    • Some companies have added AI tools to their defensive products or released them for others to use freely. Microsoft, which was the first big company to release a chat-based AI for the public, announced Microsoft Security Copilot in March. It said users could ask questions of the service about attacks picked up by Microsoft’s collection of trillions of daily signals as well as outside threat intelligence.
    • [However, b]y multiplying the powers of both sides, AI will give far more juice to the attackers for the foreseeable future, defenders said at the RSA conference.”

Cybersecurity Saturday

From the cyber breaches front, Health IT Security reports on the latest healthcare breaches.

From the cybersecurity justice front —

The Washington Post informs us,

  • “Former Uber chief security officer Joe Sullivan avoided prison Thursday as he was sentenced for covering up the 2016 theft of company data on 50 million Uber customers while the company was being investigated by the Federal Trade Commission over a previous breach.
  • “Sullivan had been convicted in October of obstruction of justice and hiding a felony, making him the first corporate executive to be found guilty of crimes related to a data breach by outsiders.
  • “U.S. District Judge William Orrick sentenced Sullivan to three years of probation, noting his significant past work in protecting people from the sort of crime he later concealed. He also said that Sullivan’s steps had succeeded in keeping the stolen data from being exposed.
  • “Orrick said he felt former Uber chief executive Travis Kalanick was equally responsible for what he considered a serious offense, and he wondered aloud why Kalanick had not been charged. The judge also said he was influenced by the unprecedented nature of the case, warning that future offenders would be jailed, even if they were the pope.”

Cybersecurity Dive tells us,

  • “A New Jersey appellate court upheld a prior ruling in favor of Merck, a major pharmaceutical company embroiled in a closely watched case involving $1.4 billion in claims stemming from the 2017 NotPetya cyberattack.
  • “The court agreed Monday that insurers could not deny coverage under war exclusion language contained in the policies, saying the circumstances didn’t apply in the Merck case. 
  • “The decision is considered a major victory for companies seeking claims for cyberattacks at a time when hackers linked to rogue nation-states have stepped up threat activity through supply chain attacks, ransomware and other malicious threats.”

From the cyber vulnerabilities front, the Cybersecurity and Infrastructure Security Administration added three more known exploited vulnerabilities to its catalog.

Cybersecurity Dive points out “three areas of generative AI the NSA is watching in cybersecurity. Generative AI is a “technological explosion,” NSA Cybersecurity Director Rob Joyce said. While it is a game-changing technology, it hasn’t delivered quite yet.”

From the ransomware front —

Cyberscoop relates that “Victims’ reluctance to report ransomware stymies efforts to curb cyberattacks, say federal officials. Federal officials say they need more victims to report when they’ve been hit by ransomware in order to better defend against the problem.”

Here is a link to Bleeping Computer’s latest Week in Ransomware.

  • “This week’s ransomware news has been dominated by a Royal ransomware attack on the City of Dallas that took down part of the IT infrastructure.
  • “The attack occurred early Monday, affecting the Dallas Police dispatch system and the public library’s computer network. Additional systems, including the City’s website, were shut down as time passed.
  • “On Wednesday, the City’s network printers began printing ransom notes from the attack. BleepingComputer obtained a screenshot of this note, allowing us to identify that the Royal ransomware operation was behind the attack.”

From the cyber defenses front, Cybersecurity Dive notes

  • “Google rolled out a feature Wednesday that allows account holders to create passkeys, part of a wider move to phase out passwords across the industry.
  • “Passkeys are stored on local computers or mobile devices, reducing the risk of credentials being hacked through a phishing attack. Passkeys allow users to sign into apps and sites the same way as they would access their devices, such as a face scan or fingerprint. 
  • “Dashlane separately announced a feature called passwordless login on Wednesday, which means users of the password manager will no longer need to create a master password to access the service.”

Cybersecurity Saturday

From the cybersecurity policy front —

Cybersecurity Dive reports

  • “The White House is crafting a roadmap to guide the implementation of the national cybersecurity strategy that it is set to release early this summer, Acting National Cyber Director Kemba Walden said Tuesday during a discussion with journalists at the RSA Conference.
  • “The strategy, framed around principles, was developed to have a 10-year shelf life. The dynamic and evolving nature of cybersecurity requires flexibility as new threats or technologies emerge, Walden said.
  • “The devil’s in the implementation planning process,” Walden said. “It’s really going to be who’s accountable for what, who’s responsible for what in the policymaking process, in the sort of sausage factory of the government.”

Cyberscoop informs us that “US cybersecurity officials are stepping up their push for tech companies to adopt secure by-design practices. Efforts at CISA and the Department of Energy are both meant to encourage the practice of building in better security protections.

  • “Small and medium businesses, local school districts, water utilities, local hospitals, are not going to be successful in managing cybersecurity risk alone if they ever get in the crosshairs of a ransomware gang or an APT actor,” said Eric Goldstein on Wednesday during the annual RSA Conference here that brings together government officials and industry executives. “Those who can bear the burden are held accountable for providing services that are safe and secure by design by default.”
  • Jack Cable, a senior technical adviser at CISA, told CyberScoop that CISA held two listening sessions recently with industry partners as well as one with the open-source community. He said the agency plans to build on secure by design principles recently outlined in a white paper the agency published. “This is the first chapter of the story here and we want to work closely with industry and governmental partners with this.”

The Cybersecurity and Infrastructure Security Agency (CISA) tells us,

  • “In line with the theme for this year’s RSA Conference, Stronger Together, Eric Goldstein, Executive Assistant Director for Cybersecurity, Cybersecurity and Infrastructure Security Agency (CISA), and U.S. Army Maj. Gen. William J. Hartman, U.S. Cyber Command’s Cyber National Mission Force commander, delivered a presentation on the importance of partnership in defending America’s critical infrastructure while holding malicious cyber actors accountable.
  • “Goldstein and Hartman shared newly-declassified details of interagency responses to cyber attacks from nation-state actors and cybercriminals, including how CNMF shares information from foreign operations to enable CISA’s domestic defensive mission. They also discussed how CISA shares information from domestic cyber incidents to enable CNMF’s operations to impose costs on foreign malicious cyber actors. Goldstein and Hartman discussed case studies, including the “SolarWinds” campaign, the mitigation of Chinese hacking of Microsoft Exchange, the disruption of Iranian targeting of an election reporting website, and ongoing data-sharing from cyber criminal targeting of federal agencies and educational institutions to enable CNMF operations.
  • “As our nation’s cyber defense agency, CISA recognizes that we must leverage all tools and capabilities to increase costs against our adversaries. Our work with CNMF enables us to not only more effectively defend our nation’s critical infrastructure from cyberattacks but also clearly demonstrate to our adversaries that there is a price to pay if you decide to attack American infrastructure,” said CISA EAD Goldstein. “Our presentation demonstrated for the first time how this partnership yields real-world operational benefits and how we rely upon collaboration with, and incident reporting from, the private sector to catalyze this work.”

NIST’s Computer Security Resource Center announced

  • “For the past 18+ months NIST, in collaboration with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), has been working to update NIST Special Publication (SP) 800-66, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide, from Revision 1 to Revision 2.
  • “Thank you to all who provided feedback during the open comment period; in total, over 250 unique comments were received from dozens of individuals and organizations. Many commenters suggested that more resources be developed for small, regulated entities. NIST agrees… and anticipates follow-on work in this area—but NIST can’t do it alone and plans to work collaboratively with other agencies, entities, and colleagues to produce useful resources. Stay tuned for more information about this in the coming months.
  • “NIST and OCR are still in the process of adjudicating the received comments carefully. Once all comments are adjudicated, NIST plans to publish a blog or whitepaper detailing the proposed changes to SP 800-66 r2 (with the goal being to publish a final version of SP 800-66 r2 later this year). Thank you for the opportunity to share this update. Feel free to reach out with any questions or comments to sp800-66-comments@nist.gov (and follow us on @NISTcyber and subscribe to our Cybersecurity Insights blog to stay updated in the future).”

From the cyber vulnerabilities front —

Bloomberg points out

  • “As hacking has gotten more destructive and pervasive, a powerful type of tool from companies including CrowdStrike Holdings Inc. and Microsoft Corp. has become a boon for the cybersecurity industry.
  • “Called endpoint detection and response software, it’s designed to spot early signs of malicious activity on laptops, servers and other devices – “endpoints” on a computer network — and block them before intruders can steal data or lock the machines. 
  • “But experts say that hackers have developed workarounds for some forms of the technology, allowing them to slip past products that have become the gold standard for protecting critical systems. 
  • “Investigators from multiple cybersecurity firms said the number of attacks where EDR is disabled or bypassed is small but growing, and that hackers are getting more resourceful in finding ways to circumvent the stronger protections it provides. * * *
  • “Security software cannot stand alone — you need eyes on-screen combined with technology,” [an investigator] said. EDR “is much better than antivirus software. So for sure you need it. It’s just not the silver bullet that some think it is.”

CISA relates

From the ransomware front —

HHS’s Healthcare Sector Cybersecurity Coordination Center issued a sector alert yesterday

  • “Ransomware-as-a-service (RaaS) groups Cl0p and Lockbit recently conducted several distinct attacks, exploiting three known vulnerabilities (CVE-2023-27351, CVE-2023-27350, and CVE-2023-0669). The Cybersecurity and Infrastructure Security Agency (CISA) added the latter two vulnerabilities to its Known Exploited Vulnerabilities Catalog but has not yet added the first. This Sector Alert follows previous HC3 products on Cl0p (Cl0p Allegedly Targeting Healthcare Industry and Cl0p Ransomware) and Lockbit (Lockbit Ransomware, LockBit 3.0, and LockBit 2.0 IOCs), and provides an update on the recent attacks, and recommendations to detect and protect against future ransomware attacks.”

Here is the latest Bleeping Computers’ Week in Ransomware.

From the cybersecurity defenses front —

Health IT Security reports, “KLAS, the American Hospital Association (AHA) and healthcare risk management solutions company Censinet released the much-anticipated first wave of results of its Healthcare Cybersecurity Benchmarking Study.”

Cybersecurity Dive calls attention to “Mandiant CEO Jack Mandia’s seven tips for cyber defense; Organizations’ institutional knowledge is an advantage that no adversary can match, Kevin Mandia told RSA Conference attendees.” The FEHBlog’s favorites are

  1. Lean on multifactor authentication

“The biggest bang for the buck against any impactful attack is multifactor authentication period,” Mandia said. “Figuring out a way to get it everywhere and know that you have it everywhere with some sort of validation is critical.”

  2. Build honeypots

Honeypots, or fake accounts deliberately left untouched by authorized users, are effective at helping organizations detect intrusions or malicious activities that security products can’t stop, Mandia said.
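As an added illustration of the honey-account idea described above (example code written for this post, not Mandia's or any vendor's tooling), the script below scans constructed sshd-style log lines for any authentication attempt, successful or not, against decoy accounts that no legitimate user should ever touch, and summarizes the activity per source address; the account names, IP addresses and log lines are all made up.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Decoy ("honey") accounts: created by the defender and never used by any real
# person or scheduled job, so any authentication event naming them is suspicious
# by definition. These names are constructed for this example.
HONEY_ACCOUNTS = {"svc-backup-archive", "hr-payroll-admin"}

# Constructed sample log lines in an sshd-like format (not from a real system).
# Lines 2-4 show a brute-force against a decoy that eventually succeeds; line 7
# shows a domain-prefixed attempt against a second decoy from another address.
SAMPLE_LOG = """\
2023-05-01T08:12:03Z sshd[1021]: Accepted publickey for alice from 10.0.0.5 port 50022
2023-05-01T08:15:44Z sshd[1030]: Failed password for svc-backup-archive from 10.0.9.77 port 41211
2023-05-01T08:15:49Z sshd[1031]: Failed password for SVC-Backup-Archive from 10.0.9.77 port 41212
2023-05-01T08:16:02Z sshd[1032]: Accepted password for svc-backup-archive from 10.0.9.77 port 41213
2023-05-01T09:00:10Z sshd[1040]: Accepted publickey for bob from 10.0.0.6 port 50100
2023-05-01T09:02:30Z sshd[1041]: Failed password for invalid user admin from 203.0.113.9 port 33000
2023-05-01T09:05:12Z sshd[1042]: Failed password for CORP\\hr-payroll-admin from 203.0.113.9 port 33001
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user ]<user>".
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


@dataclass
class Alert:
    ts: str
    user: str
    ip: str
    outcome: str
    method: str


def normalize_user(raw: str) -> str:
    # Strip a DOMAIN\ or domain/ prefix and fold case so that "SVC-Backup-Archive"
    # and "CORP\hr-payroll-admin" match the plain decoy names in HONEY_ACCOUNTS.
    name = raw.rsplit("\\", 1)[-1].rsplit("/", 1)[-1]
    return name.lower()


def find_honey_account_activity(log_text: str, honey_accounts=HONEY_ACCOUNTS):
    """Return one Alert per authentication event that names a decoy account.

    Failed attempts are reported as well as successes: a decoy has no legitimate
    users, so even a single wrong-password guess means someone enumerated it.
    """
    alerts = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # not an authentication line we understand
        user = normalize_user(m["user"])
        if user in honey_accounts:
            alerts.append(Alert(m["ts"], user, m["ip"], m["outcome"], m["method"]))
    return alerts


def summarize_by_source(alerts):
    """Group decoy alerts by source IP: attempt count, decoys touched, any success."""
    summary = defaultdict(
        lambda: {"attempts": 0, "accounts": set(), "successful_login": False}
    )
    for a in alerts:
        s = summary[a.ip]
        s["attempts"] += 1
        s["accounts"].add(a.user)
        if a.outcome == "Accepted":
            s["successful_login"] = True  # decoy credentials are now in use
    return dict(summary)


if __name__ == "__main__":
    found = find_honey_account_activity(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} decoy={a.user} from={a.ip} {a.outcome} ({a.method})")
    for ip, s in summarize_by_source(found).items():
        level = "CRITICAL" if s["successful_login"] else "WARNING"
        print(f"{level}: {ip} touched {sorted(s['accounts'])} {s['attempts']} time(s)")
```

A successful login to a decoy is the highest-priority alert, because it means the decoy's credentials have been obtained and the host should be treated as compromised.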

The FEHBlog uses multifactor authentication but had not heard of honeypots.

Tech Radar reports

  • “A new prototype technology has the potential to revolutionize cybersecurity, making it possible for businesses to prevent the majority of cyberattacks with ease.
  • “In a joint project developed by ARM and the University of Cambridge, world-renowned for its computer science pedigree, the prototype processor was used in experiments by various companies for six months as part of the Technology Access Programme, courtesy of Digital Catapult with support from the University of Cambridge and Arm.
  • “As a result of this programme, 27 of the participating companies gathered at Digital Catapult’s London HQ to demonstrate their findings, and many were impressed it seems with the prototype’s ability to defend against memory-related cyberattacks. * * *
  • “Although it is still in the research phase, the prototype is claimed to have the potential to help protect industries and firms. Already, the programme has racked up over a thousand days in development work with over 13 million lines of code being experimented with.”

Cybersecurity Saturday

From the cyber breaches front —

  • Health IT Security reports that the recent DC Healthlink data breach resulted from unspecified human error.
  • Cybersecurity Dive informs us,
    • “NCR, a payments processor that offers point-of-sale systems to restaurants and retailers, digital banking and ATM services, is still responding to and recovering from a ransomware attack that began impacting systems on April 12.
    • “The cyberattack caused a data center outage that is impacting some functionality in Aloha, a POS used by restaurants, and Counterpoint, which integrates front- and back-office management systems for retailers, NCR said in an incident report update Monday. The company first publicly disclosed it was hit by a ransomware attack on April 15.”
  • Health IT Security adds,
    • The average cost of a healthcare ransomware attack was $4.82 million in 2021, according to IBM Security’s “Cost of a Data Breach Report.” In a new report by ThreatConnect, the cyber threat intelligence company suggested that there is more to be discovered about the true cost of a ransomware attack.
    • “[T]hat average attack figure takes into account a large number of incidents that cost relatively little (less than $25k) and a few that cost a lot,” the report stated. “The question is—does the average apply to you?”
    • “ThreatConnect analyzed thousands of companies in the manufacturing, healthcare, and utility industries in order to estimate median losses to operating incomes.”
  • According to Cybersecurity Dive,
    • “Premiums for stand-alone cyber insurance rose by 62% in 2022 following a 91% increase in the prior year, according to a recent report by Fitch Ratings.
    • “The deceleration was driven by a moderation of ransomware incidents, a heightened level of cyber risk awareness among corporate executives, and more strict enforcement of cyber hygiene standards by insurance companies, according to Fitch.
    • “You will likely see rates decelerate further,” Gerald Glombicki, a senior director in Fitch Ratings insurance group, said in an interview.”

From the cyber vulnerabilities front —

  • The Health Sector Cybersecurity Coordination Center released its March 2023 vulnerabilities report.
    • “In March 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for this month are from Microsoft, Google/Android, Apple, Mozilla, SAP, Cisco, Fortinet, and Adobe. A vulnerability is given the classification as a zero-day if it is actively exploited with no fix available or is publicly disclosed. HC3 recommends patching all vulnerabilities with special consideration to the risk management posture of the organization.”
  • The Cybersecurity and Infrastructure Security Administration (CISA) added two, one, and three known exploited vulnerabilities to its catalog.
  • CISA and other federal agencies issued a joint advisory about “APT28 (also known as Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang and Sofacy), a highly skilled threat actor” that “accesses poorly maintained Cisco routers and deploys malware on unpatched devices using CVE-2017-6742.”
  • Cybersecurity Dive tells us,
    • “Threat actors can use ChatGPT to sharpen cyberthreats, but no need to panic yet
    • “Startling dangers, such as autonomous attack mechanisms and sophisticated malware coding, have yet to materialize. For now, the threat is more specific.”

From the ransomware front

  • Here’s a link to the latest Bleeping Computer Week in Ransomware.

From the cyber defenses front —

  • The Department of Health and Human Services announced
    • “On April 17, 2023, The U.S. Department of Health and Human Services (HHS) 405(d) Program announced the release of the following resources to help address cybersecurity concerns in the Healthcare and Public Health (HPH) Sector:
    • Knowledge on Demand – a new online educational platform that offers free cybersecurity trainings for health and public health organizations to improve cybersecurity awareness.
    • Health Industry Cybersecurity Practices (HICP) 2023 Edition – a foundational publication that aims to raise awareness of cybersecurity risks, provide best practices, and help the HPH Sector set standards in mitigating the most pertinent cybersecurity threats to the sector.
    • Hospital Cyber Resiliency Initiative Landscape Analysis – PDF – a report on domestic hospitals’ current state of cybersecurity preparedness, including a review of participating hospitals benchmarked against standard cybersecurity guidelines such as HICP 2023 and the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).”
  • Forbes points out
    • “Cyber investments have become table stakes for businesses around the world. Cybercrime is increasing, with 91% of organizations reporting at least one cyber incident in the past year. Not only are they growing in numbers, but they are becoming more sophisticated and diverse, with new threats constantly emerging. According to the 2023 Deloitte Global Future of Cyber survey, in this environment, business leaders are changing how they think of cyber, and it’s emerging as a larger strategic discussion tied to an organization’s long-term success.
    • “Today, leaders should consider how to work cyber into every part of their business—from operations to the employee and the consumer. By creating business strategies that embed cyber, improve employee training, and build cyber into digital transformation initiatives; businesses can stay ahead of the curve and better protect their organizations. [The linked article explains] how some leaders are rethinking their approaches to cyber to help drive long-term growth for their companies.”
  • Cyberscoop reports
    • “Some of the biggest names in modern computing — including a winner of the prestigious Turing Award — are betting on a new type of operating system they say will be resilient against common cyberattacks and bounce back from ransomware infections within minutes. 
    • “Those are bold claims. But the people behind the project include Michael Stonebraker, a serial tech entrepreneur and computer scientist at the Massachusetts Institute of Technology whose groundbreaking work on database systems earned him the Turing honor in 2015. He’s teaming up with Matei Zaharia, an associate professor at Stanford University and creator of the Apache Spark project, and Jeremy Kepner, head of the MIT Lincoln Laboratory Supercomputing Center.
    • “It’s a total new paradigm,” said Michael Coden, associate director of cybersecurity at MIT Sloan School of Management, who took a part-time position at Boston Consulting Group as senior adviser in order to help lead the database-oriented operating system, or “DBOS” for short.
    • “Stonebraker and Coden plan on demonstrating the open-source operating system during the RSA Conference, the annual cybersecurity gathering in San Francisco, next week and show in real time how it will bounce back from a simulated ransomware attack.”
  • The NIST Cybersecurity and Privacy Program made available,
    • “The initial public draft of NIST Special Publication (SP) 800-207A, A Zero Trust Architecture Model for Access Control in Cloud-Native Applications in Multi-Location Environments, is now available for public comment.
    • “Enterprise application environments consist of geographically distributed and loosely coupled microservices that span multiple cloud and on-premises environments. They are accessed by a userbase from different locations through different devices. This scenario calls for establishing trust in all enterprise access entities, data sources, and computing services through secure communication and the validation of access policies.”
    • The public comment deadline is June 7, 2023.

Cybersecurity Saturday

From the cybersecurity policy front

Harvard Business Review explains what U.S. business needs to know about the new U.S. cybersecurity policy.

  • While the 39-page document features bureaucratic buzzwords like “harmonize”, “stakeholders,” and “multilateral,” we’ve identified three concrete things business leaders should know about the new strategy.
    • “First, every company needs to identify their distinct vulnerabilities and risks.
    • “Second, companies then need to adopt measures that address those supply chain vulnerabilities, and
    • “Third, companies need to recognize that one size will not fit all when it comes to cybersecurity. An important subtext of the strategy is its focus on establishing more aggressive regulatory standards on larger business, critical infrastructure, and software providers.”

Dark Reading adds

  • “In order for cybersecurity initiatives to be effective in reducing security failures, Gartner, a research and consulting firm, finds that it will be essential for security and risk management leaders to turn to a human-centered approach.
  • “A human-centric approach in cybersecurity practices prioritizes the individual employee and their experience, which ultimately encourages better practices while also reducing friction and risk. 
  • In the past, there has been a focus in improving the technology or the many different processes that uphold security practices. Going forward, having a “human-centric talent management approach” means focusing on the employees that require these kinds of updates to technology and program processes to be made in the first place, and shifting from external hiring to internal or “quiet hiring,” according to Gartner.”

FedScoop reports

  • “The Cybersecurity and Infrastructure Security Agency, the FBI, the National Security Agency and cybersecurity authorities of other international allies on Thursday published joint guidance urging software manufacturers to bake secure-by-design and-default principles into their products. 
  • “The cybersecurity guidance is the first of its kind, and is intended to speed up cultural shifts within the technology industry that are needed to achieve a safe and secure future online. 
  • “Key principles of the new guidance include: taking ownership of security outcomes of products, embracing “radical transparency” and ensuring that companies have C-suite support to prioritize product security.
  • “Publication of the secure-by-design principles follows the publication in March of a new national cybersecurity strategy by the Biden administration, which sought to shift the responsibility for maintaining the security of computer systems further towards larger software makers.”

From the cyber vulnerabilities front

Healthcare Dive tells us

  • “The healthcare industry is “cyber poor” and the most targeted sector for data breaches over the past four years, according to a Moody’s Investors Service report from this week.
  • “Moody’s said healthcare’s vulnerable state makes it “target rich,” which could bring service disruptions and personal data disclosures.
  • “Nonprofit healthcare organizations received a “very high risk” rating, while corporate healthcare was deemed “high risk.” Providers must ramp up investment in cybersecurity to protect patient data and avoid interruption of critical operations, the report said.”

The Cybersecurity and Infrastructure Security Agency added to its catalog two known exploited vulnerabilities on April 10, one more on April 11, and two more on April 13.

From the ransomware front

  • Cybersecurity Dive relates, “Rorschach ransomware, with a rare encryption speed, makes it even harder for companies to respond. The potential impact and victims claimed by Rorschach remain unknown, but one expert said some yet-undetected attacks are likely underway.”
  • Cyberscoop informs us “Ransomware gangs increasingly deploy zero-days to maximize attacks; Microsoft issued a patch for a zero-day that researchers at Kaspersky said was used to deliver Nokoyawa ransomware.”
  • The Bleeping Computer’s Week in Ransomware is back.

From the cyber defenses front

  • CISA released
    • “an update to the Zero Trust Maturity Model (ZTMM), superseding the initial version released in September 2021. ZTMM provides a roadmap for agencies to reference as they transition towards a zero-trust architecture. ZTMM also provides a gradient of implementation across five distinct pillars to facilitate federal implementation, allowing agencies to make minor advancements toward optimization over time.
    • “The objective of this update is to facilitate the distribution of the ZTMM Version 2 and educate federal civilian agencies on the updated ZTMM and its application to their zero-trust implementations. CISA encourages state, local, tribal, and territorial governments, and the private sector to use ZTMM as a baseline for implementing zero trust architecture.”
  • An ISACA expert points out “Five Key Considerations When Developing a Collaboration Strategy for Information Risk and Security.”

Cybersecurity Saturday

In cybersecurity news —

  • Cyberscoop offers a commentary on Russian hackers — and how to stop them — after a year of cyberwar in Ukraine
  • The Health Sector Cybersecurity Coordination Center (HC3) released its first quarter 2023 healthcare cybersecurity bulletin.
    • “In Q1 of 2023, HC3 observed a continuation of many ongoing trends with regard to cyber threats to the Healthcare and Public Health community. Ransomware attacks, data breaches and often both together continued to be prevalent in attacks against the health sector. Ransomware operators continued to evolve their techniques and weapons for increasing extortion pressure and maximizing their payday. Vulnerabilities in software and hardware platforms, some ubiquitous and some specific to healthcare, continued to keep the attack surface of healthcare organizations open. Managed service provider compromise continued to be a significant threat to the health sector, as did supply chain compromise.”
  • The Cybersecurity and Infrastructure Security Agency launched National Supply Chain Integrity Month.

From the cyber vulnerabilities front —

  • Health IT Security tells us
    • “Threat actors are increasingly abusing cloud apps to deliver malware in healthcare settings, Netskope revealed in its latest Threat Labs Report. Cloud-delivered malware increased from 38 percent to 42 percent in the past 12 months, researchers found.”
    • “Attackers attempt to fly under the radar by delivering malicious content via popular cloud apps,” the report stated. “Abusing cloud apps for malware delivery enables attackers to evade security controls that rely primarily on domain block lists and URL filtering, or that do not inspect cloud traffic.”
  • HC3 released a sector alert about “DNS NXDOMAIN Attacks.”
    • “Through a trusted third party, information was shared with HC3 regarding a distributed denial-of-service (DDoS) attack, which has been tracked since November 2022. These attacks are flooding targeted networks and servers with a fake Domain Name Server (DNS) request for non-existent domains (NXDOMAINs).”
    • Health IT Security provides more background on these attacks.
      • “Their signature DDoS attacks on critical infrastructure sectors typically only cause service outages lasting several hours or even days,” HC3 noted. “However, the range of consequences from these attacks on the United States health and public health (HPH) sector can be significant, threatening routine to critical day-to-day operations.”
  • HC3 also released a presentation explaining “why electronic health records are still a top target for cyber threat actors.”
  • The Cybersecurity and Infrastructure Security Administration added five known exploited vulnerabilities. Bleeping Computer explains the action.
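The HC3 alert above describes DDoS traffic that floods resolvers with queries for non-existent names, which the server answers with NXDOMAIN. As an added example (not code from HC3 or Health IT Security), here is detection logic a defender could run over resolver logs to surface such a source: it keys on a client that produces many NXDOMAIN answers in a short window, mostly NXDOMAIN rather than a few typos, and for many distinct names under one zone. The log format, thresholds, zone name and addresses are assumptions constructed for this example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class DnsEvent:
    ts: datetime
    client: str
    qname: str
    rcode: str


def build_sample_log() -> str:
    """Constructed resolver log, one '<iso-ts> <client> <qname> <qtype> <rcode>' per line.

    The layout is an assumption for this example, not any real resolver's format.
    10.1.1.5 is a normal user (one typo), 10.1.1.8 a slightly noisy host, and
    203.0.113.9 a flood source asking for random labels under the same zone.
    """
    lines = [
        "2023-04-03T10:00:00Z 10.1.1.5 www.example-hospital.test A NOERROR",
        "2023-04-03T10:00:02Z 10.1.1.5 portal.example-hospital.test A NOERROR",
        "2023-04-03T10:00:05Z 10.1.1.5 protal.example-hospital.test A NXDOMAIN",
        "2023-04-03T10:00:06Z 10.1.1.5 portal.example-hospital.test AAAA NOERROR",
        "2023-04-03T10:00:09Z 10.1.1.8 wpad.example-hospital.test A NXDOMAIN",
        "2023-04-03T10:00:10Z 10.1.1.8 isatap.example-hospital.test A NXDOMAIN",
        "2023-04-03T10:00:11Z 10.1.1.8 mail.example-hospital.test A NOERROR",
    ]
    for i in range(40):  # 40 NXDOMAIN answers in 40 seconds, all different names
        lines.append(f"2023-04-03T10:00:{i:02d}Z 203.0.113.9 "
                     f"q{i:04x}.example-hospital.test A NXDOMAIN")
    return "\n".join(lines)


def parse_dns_log(text: str) -> List[DnsEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, _qtype, rcode = line.split()
        events.append(DnsEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                               client, qname.lower().rstrip("."), rcode))
    return events


def nxdomain_flood_sources(events: List[DnsEvent], window=timedelta(seconds=60),
                           min_nxdomain: int = 20, min_ratio: float = 0.8) -> Dict[str, dict]:
    """Return clients whose busiest window meets both the count and ratio thresholds.

    The ratio guards against flagging a chatty but legitimate client; the count
    guards against flagging a host that only ever makes a couple of bad lookups.
    """
    by_client: Dict[str, List[DnsEvent]] = defaultdict(list)
    for ev in events:
        by_client[ev.client].append(ev)

    flagged: Dict[str, dict] = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e.ts)
        start, worst = 0, None
        for end in range(len(evs)):          # sliding window over this client's queries
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            nx = [e for e in win if e.rcode == "NXDOMAIN"]
            ratio = len(nx) / len(win)
            if (len(nx) >= min_nxdomain and ratio >= min_ratio
                    and (worst is None or len(nx) > worst["nxdomain"])):
                zones = Counter(".".join(e.qname.split(".")[1:]) for e in nx)
                worst = {
                    "nxdomain": len(nx),
                    "queries": len(win),
                    "ratio": round(ratio, 2),
                    "distinct_names": len({e.qname for e in nx}),
                    "top_zone": zones.most_common(1)[0][0],
                }
        if worst:
            flagged[client] = worst
    return flagged


if __name__ == "__main__":
    for client, info in nxdomain_flood_sources(parse_dns_log(build_sample_log())).items():
        print(client, info)
```

The distinct-name count is the tell that separates this pattern from a misconfigured host retrying one bad name: a flood that aims to exhaust the authoritative server uses a fresh label per query so that no cache can answer it. In production the same logic would be fed from the resolver’s query log and the thresholds tuned to the site’s normal NXDOMAIN rate.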

From the ransomware front —

  • Cybersecurity Dive reports
    • “Researchers at Check Point detected a highly sophisticated – and previously unnamed – ransomware strain which the company says may be the fastest ever, with an encryption speed almost twice as fast as LockBit. The ransomware, which Check Point dubbed “Rorschach,” was used in an attack against a U.S. company.
    • “The ransomware was deployed using a DLL-sideloading technique using Palo Alto Network’s Cortex XDR, which is a signed commercial security product. This technique has not commonly been used for ransomware. 
    • “Check Point has disclosed the information to Palo Alto, which will release new versions of Cortex XDR Agent next week to prevent misuse of the software.” 
  • Cybersecurity Dive adds
    • “Corporate leaders would be mistaken to interpret reports of fewer ransomware-related cyber insurance claims and decelerating premiums in 2022 as evidence of a diminished threat level, according to cybersecurity experts.”
    • “While the private sector and government have made some progress in the fight against ransomware, the threat is still serious and evolving, the experts warned.”
    • “I think hackers are always going to evolve, so we can’t rest on the laurels of 2022,” John Farley, managing director of the cyber practice at Gallagher, an insurance brokerage firm based in Rolling Meadows, Ill., told CFO Dive. “We have to be able to adapt quickly to this ever-evolving threat.”

From the cyberdefenses front —

  • Cybersecurity Dive informs us
    • Organizations that implement automated hardening techniques will have the best opportunity to prevent cyberattacks, according to a report released Thursday by Marsh McLennan. Those that apply baseline security techniques to servers, operating systems and other components are six times less likely to suffer a security breach.
    • Insurers have historically recommended three major controls to reduce cyber risk: endpoint detection and response, multifactor authentication and privileged access management. 
    • However, the report shows multifactor authentication only works when it is implemented across all access points for critical and sensitive data, including remote access and administrator account access points. 
    • Organizations using these methods are 1.4 times less likely to suffer damage from an attack. 
    • Another key control is patching high-severity vulnerabilities within seven days of the initial patch release. More than half of organizations are patching critical vulnerabilities within the first seven days, but only 24% of organizations are patching high-severity vulnerabilities — rated with a CVSS score of 7.0 to 8.9 — in that same time period.
  • Becker’s Hospital Review reports
    • “Software giant Microsoft received a court order from the U.S. District Court for the Eastern District of New York that will allow the company to disrupt infrastructure used by ransomware gangs during hospital attacks.
    • “The court order allows Microsoft to cut off communication between hackers and a fake version of the cybersecurity software Cobalt Strike, used by hackers to breach hospital systems.
    • “The abuse of the cybersecurity software is a tactic used by Russian-speaking ransomware gangs Conti and LockBit, according to an April 6 Microsoft news release.”
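The Marsh McLennan finding above is about patching critical and high-severity vulnerabilities within seven days of patch release. As an added example (not code from Marsh McLennan or Cybersecurity Dive), here is how an organization could measure its own compliance with that seven-day window per severity band, using the CVSS v3 qualitative ratings (None 0.0, Low 0.1–3.9, Medium 4.0–6.9, High 7.0–8.9, Critical 9.0–10.0). The vulnerability records, their identifiers and dates are constructed placeholders, not real CVEs.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


def severity_band(cvss: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity rating."""
    if cvss == 0.0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str                 # placeholder identifier, not a real CVE number
    cvss: float
    patch_released: date         # day the vendor patch became available
    patched_on: Optional[date]   # None means the finding is still open


# Constructed sample inventory with placeholder ids (assumption for this example).
SAMPLE_RECORDS: List[VulnRecord] = [
    VulnRecord("VULN-PLACEHOLDER-001", 9.8, date(2023, 3, 14), date(2023, 3, 17)),  # 3 days
    VulnRecord("VULN-PLACEHOLDER-002", 9.1, date(2023, 3, 14), date(2023, 3, 19)),  # 5 days
    VulnRecord("VULN-PLACEHOLDER-003", 8.8, date(2023, 3, 14), date(2023, 3, 20)),  # 6 days
    VulnRecord("VULN-PLACEHOLDER-004", 7.5, date(2023, 3, 14), date(2023, 3, 26)),  # 12 days
    VulnRecord("VULN-PLACEHOLDER-005", 7.2, date(2023, 3, 14), None),               # still open
    VulnRecord("VULN-PLACEHOLDER-006", 5.3, date(2023, 3, 14), date(2023, 4, 3)),   # 20 days
]
AS_OF = date(2023, 4, 15)  # constructed reporting date


def age_in_days(rec: VulnRecord, as_of: date) -> int:
    """Days from patch availability to remediation, or to the reporting date if open."""
    return ((rec.patched_on or as_of) - rec.patch_released).days


def patch_sla_report(records: List[VulnRecord], as_of: date, sla_days: int = 7) -> Dict[str, dict]:
    """Per severity band: how many findings met, missed, or are still inside the window.

    met     = patched within sla_days
    late    = patched, but after sla_days
    overdue = still open and older than sla_days
    pending = still open but the window has not yet expired
    """
    report: Dict[str, dict] = {}
    for rec in records:
        band = report.setdefault(severity_band(rec.cvss),
                                 {"total": 0, "met": 0, "late": 0, "overdue": 0, "pending": 0})
        band["total"] += 1
        age = age_in_days(rec, as_of)
        if rec.patched_on is not None:
            band["met" if age <= sla_days else "late"] += 1
        else:
            band["overdue" if age > sla_days else "pending"] += 1
    for band in report.values():
        band["share_met"] = round(band["met"] / band["total"], 2)
    return report


def sample_report() -> Dict[str, dict]:
    return patch_sla_report(SAMPLE_RECORDS, AS_OF)


if __name__ == "__main__":
    for band, stats in sample_report().items():
        print(f"{band:9s} {stats}")
```

On the constructed inventory every Critical finding was patched inside the window, but only one of three High findings was, which is exactly the gap the report describes: a team that tracks only Critical findings would see a clean scorecard while the 7.0–8.9 band is where the misses accumulate.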

Cybersecurity Saturday

From the cybersecurity policy front, the Cybersecurity and Infrastructure Security Agency (CISA) reflects on its activities over the year since “the President signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) into law—an act that is critical to improving America’s cybersecurity.” Here is CISA’s overview of that law which will be implemented by rulemaking. The proposed rule is expected soon.

The FEHBlog has been tracking two Federal Acquisition Regulation cybersecurity rulemakings:

It turns out that on March 15, 2023, OMB’s Office of Information and Regulatory Affairs bounced those rules back to the FAR Council, which has gone back to the drawing board.

From the cyber vulnerabilities front –

  • CISA added ten new known exploited vulnerabilities to its catalog. Bleeping Computer provides background on this action.
  • Venture Beat identifies eight ChatGPT cybersecurity vulnerabilities for this year.
  • Bleeping Computer warns about an actively exploited bug affecting a WordPress page plug-in called Elementor Pro.

From the ransomware front, which is missing The Week in Ransomware (spring break?), Bleeping Computer tells us,

Fake extortionists are piggybacking on data breaches and ransomware incidents, threatening U.S. companies with publishing or selling allegedly stolen data unless they get paid.

Sometimes the actors add the menace of a distributed denial-of-service (DDoS) attack if the message recipient does not comply with the instructions in the message. * * *

The attackers behind this activity use the name Midnight and started targeting companies in the U.S. since at least March 16.

Health IT Security reports

Thanks to a joint effort by the HHS Office of Inspector General (OIG) and the Federal Bureau of Investigation (FBI), a cybercriminal marketplace known as BreachForums was forced offline, the Department of Justice (DOJ) announced.

In addition, BreachForums founder Conor Brian Fitzpatrick, 20, of Peekskill, New York, was arrested in mid-March and made his first appearance in court on March 24. Fitzpatrick allegedly created and administered a major hacking forum that allowed its 340,000 members to buy, sell, and trade stolen data since March 2022.

The platform offered its users bank account information, hacking tools, Social Security numbers, breached databases, and account login information, along with other personally identifiable information (PII).


Cybersecurity Saturday

From the cybersecurity policy front —

Cybersecurity Dive tells us

U.S. corporate leaders need to embrace cybersecurity as an issue of central importance to the success of their businesses, Cybersecurity and Infrastructure Security Agency Director Jen Easterly said.

Easterly, in a Thursday appearance before the Economic Club of New York, told attendees that top corporate executives, including CEOs and corporate board members, need to understand the risks posed by cybersecurity and take an active role in. 

Speaking just weeks after the Biden administration unveiled the national cybersecurity strategy, Easterly said this is not an issue the government can fix on its own, but businesses will need to play an important role in solving.  

Nextgov adds

[T]he House Committee of Oversight and Accountability heard testimony from Acting National Cyber Director Kemba Walden on how to implement the National Cybersecurity Strategy.

In opening statements, Walden outlined several pillars the national strategy plans to rely on when incorporating stronger defenses into U.S. digital networks. These include forming international partnerships, investing in a workforce, incentivizing stronger cybersecurity requirements, disrupting threat actors, and implementing stronger security measures. 

The paramount principle guiding the strategy, however, is imparting more responsibility on the federal government and Big Tech players to safeguard U.S. networks.

“The biggest, most capable and best positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber risk and keeping us all safe––and that includes the federal government,” Walden said.

Health IT Security informs us

The Cybersecurity and Infrastructure Security Agency (CISA) released an updated version of its Cybersecurity Performance Goals (CPGs), a set of voluntary practices that critical infrastructure organizations may adopt to mitigate cyber risk.

CISA initially released the CPGs in October 2022 in response to President Biden’s National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. The updated version has been reorganized according to stakeholder feedback.

The CPGs are now more closely aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) functions (Identify, Protect, Detect, Respond, and Recover) to help organizations more easily navigate the CPGs and prioritize investments accordingly.

From the cyber breaches front —

Health IT Security highlights

The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) issued its 2022 Internet Crime Report, which revealed key trends that emerged in the cyber threat landscape last year. The IC3 received 800,944 complaints in 2022, signifying a 5 percent decrease from 2021.

Despite this decrease, the potential total loss grew from $6.9 billion in 2021 to more than $10.2 billion in 2022. Ransomware alone racked up $34.3 million in losses in 2022.

“While the number of reported ransomware incidents has decreased, we know not everyone who has experienced a ransomware incident has reported to the IC3,” the report noted.

“As such, we assess ransomware remains a serious threat to the public and to our economy, and the FBI and our partners will remain focused on disrupting ransomware actors and increasing the risks of engaging in this activity.”

The healthcare sector reported the most ransomware attacks to IC3 in 2022 compared to any other critical infrastructure, accounting for 210 of the 870 complaints tied to critical infrastructure. IC3 data shows that 14 of the 16 critical infrastructures had at least one member that fell victim to a ransomware attack last year.

CBS News brings us up to date on the recent DC Health Link breach.

Cybersecurity Dive relates

  • Exploits of zero-day vulnerabilities fell by almost a third in 2022, but it was still the second highest year on record, according to Mandiant research released Monday.
  • Mandiant tracked 55 zero-day vulnerabilities that were exploited in 2022, including three instances linked to financially motivated ransomware threat actors. 
  • Products from the three largest vendors — Microsoft, Google and Apple — were the most commonly exploited for the third year in a row, according to Mandiant.

Health IT Security adds

Microsoft has observed an increase in distributed denial of service (DDoS) attacks against healthcare organizations in recent months, a blog post by the Azure Network Security Team explained. Microsoft observed an increase from 10-20 DDoS attacks against healthcare applications hosted in Azure in November 2022 to 40-60 attacks daily in February 2023.

As previously reported, HHS warned the healthcare sector earlier this year about pro-Russian hacktivist group KillNet, a threat group known to target the sector with DDoS attacks.

“While KillNet’s DDoS attacks usually do not cause major damage, they can cause service outages lasting several hours or even days,” HHS stated at the time.

From the ransomware / data retrieval and extortion front

Tech Republic reports

Ransomware groups are pulling no punches in their attempts to force compromised organizations to pay up. A report released Tuesday by Unit 42, a Palo Alto Networks threat intelligence team, found that attackers are increasingly harassing victims and associated parties to make sure their ransom demands are met.

For its new 2023 Ransomware and Extortion Threat Report, Unit 42 analyzed approximately 1,000 incidents that the team investigated between May 2021 and October 2022. Around 100 cases were analyzed for insight into ransomware and extortion negotiations. Most of the cases were based in the U.S., but the observed cybercriminals conducted attacks against businesses and organizations around the world.

By the end of 2022, harassment was a factor in 20% of the ransomware cases investigated by Unit 42, a significant jump from less than 1% in mid 2021.

Bleeping Computer’s The Week in Ransomware tells us

This week’s news has been dominated by the Clop ransomware gang extorting companies whose GoAnywhere services were breached using a zero-day vulnerability.

Over the past month, one hundred new companies have been added to Clop’s data leak site, with the extortion gang threatening to leak data if a ransom is not paid.

From the cybersecurity defenses front —

The Healthcare Cybersecurity Coordination Center released a mobile device security checklist.

Mobile devices are prevalent in the health sector, and due to their storage and processing of private health information (PHI) as well as other sensitive data, these devices can be a critical part of healthcare operations. As such, their data and functionality must be protected. This document represents a basic checklist of recommended items for health sector mobile devices to maintain security, including data in motion and at rest, as well as the capabilities of the device itself.

CISA “released the Untitled Goose Tool to help network defenders detect potentially malicious activity in Microsoft Azure, Azure Active Directory (AAD), and Microsoft 365 (M365) environments. The Untitled Goose Tool offers novel authentication and data gathering methods for network defenders to use as they interrogate and analyze their Microsoft cloud services.” 

CISA also announced

In today’s blog post, Associate Director of the Joint Cyber Defense Collaborative (JCDC) Clayton Romans highlighted recent successes of pre-ransomware notification and its impact in reducing harm from ransomware intrusions. With pre-ransomware notifications, organizations can receive early warning and potentially evict threat actors before they can encrypt and hold critical data and systems for ransom. Using this proactive cyber defense capability, CISA has notified more than 60 entities of early-stage ransomware intrusions since January 2023, including critical infrastructure organizations in the Energy, Healthcare and Public Health, Water and Wastewater Systems sectors, as well as the education community.

The pre-ransomware notification was cultivated with the help of the cybersecurity research community and through CISA’s relationships with infrastructure providers and cyber threat intelligence companies.

For more information, visit #StopRansomware. To report early-stage ransomware activity, visit Report Ransomware. CISA also encourages stakeholders and network defenders to review associate director Romans’ post, Getting Ahead of the Ransomware Epidemic: CISA’s Pre-Ransomware Notifications Help Organizations Stop Attacks Before Damage Occurs, to learn more about CISA’s Pre-Ransomware Notification Initiative.

Cyberscoop explains how “the FBI Breachforum’s bust is causing chaos in the cybercrime underground. The dramatic fall of one of the preeminent cybercrime communities on the web will have major implications for the cybercrime markets.”

Weekend Update / Cybersecurity Saturday

Blue Bonnets — The Texas State Flower

The FEHBlog’s Friday Insights did not publish as scheduled on Saturday morning. To get the email distribution back on schedule the FEHBlog is combining the Weekend Update and the Cybersecurity Saturday posts below.

Weekend Update

The House of Representatives and the Senate will be in session for Committee business and floor voting on Wednesday, Thursday and Friday this week.

Recently, the Centers for Medicare and Medicaid Services confirmed that the No Surprises Act air ambulance reporting will not occur in 2023.

Under section 106 of the No Surprises Act, air ambulance providers, insurance companies, and employer-based health plans must submit to federal regulators information about air ambulance services provided to consumers. The Centers for Medicare & Medicaid Services (CMS) in the Department of Health & Human Services (HHS) is conducting this Air Ambulance data collection (AADC), which will be used to develop a public report on air ambulance services.
The proposed rules describing the proposed form and manner of the data collection can be found at this link. The final rules will specify the final reporting requirements, including the data elements and the deadlines for the data collection. The data collection will not begin until after the final rules are published. This page will be updated when the rules are finalized and more information on data collection is available.

From the value-added care front, Behavioral Health Business discusses how Aetna and Optum are collaborating with a large mental health provider, Universal Health Services, to develop reliable outcome measurements for mental health services.

From the healthcare developments front —

NPR tells us

When the FDA approved bempedoic acid, marketed under the brand name Nexletol, back in 2020, it was clear that the drug helped lower LDL — “bad” cholesterol. The drug was intended for people who can’t tolerate statin medications due to muscle pain, which is a side effect reported by up to 29% of people who take statins.

What was unknown until now is whether bempedoic acid also reduced the risk of cardiovascular events. Now, the results of a randomized, controlled trial published in The New England Journal of Medicine point to significant benefit. The study included about 14,000 people, all of whom were statin intolerant.

“The big effect was on heart attacks,” says study author Dr. Steven Nissen of Cleveland Clinic. 

People who took daily doses of bempedoic acid for more than three years had about a 23% lower risk of having a heart attack, in that period, compared to those taking a placebo. There was also a 19% reduction in coronary revascularizations, which are procedures that restore blood flow to the heart, such as a bypass operation or stenting to open arteries.

Medscape highlights a “revolutionary” treatment for suicidal depression, the Stanford neuromodulation therapy (SNT) protocol.

From the medical research front, Medscape reports

A common chemical that is used in correction fluid, paint removers, gun cleaners, aerosol cleaning products, and dry cleaning may be the key culprit behind the dramatic increase in Parkinson’s disease (PD), researchers say.

An international team of researchers reviewed previous research and cited data that suggest the chemical trichloroethylene (TCE) is associated with as much as a 500% increased risk for Parkinson’s disease (PD).

Lead investigator Ray Dorsey, MD, professor of neurology, University of Rochester, New York, called PD “the world’s fastest-growing brain disease,” and told Medscape Medical News that it “may be largely preventable.”

“Countless people have died over generations from cancer and other disease linked to TCE [and] Parkinson’s may be the latest,” he said. “Banning these chemicals, containing contaminated sites, and protecting homes, schools, and buildings at risk may all create a world where Parkinson’s is increasingly rare, not common.”

The paper was published online March 14 in the Journal of Parkinson’s Disease.

The FEHBlog has several friends with Parkinson’s Disease.

From the Medicare front, Health Payer Intelligence relates

Beneficiaries with end-stage renal disease (ESRD) are increasingly shifting from Medicare fee-for-service (FFS) to Medicare Advantage, leading more Medicare Advantage plans to form value-based arrangements with kidney care management companies, according to Avalere.

Beneficiaries with ESRD have typically received coverage through Medicare FFS because only those already enrolled in a Medicare Advantage plan before initiating dialysis were eligible for the private program through 2020.

A provision under the 21st Century Cures Act that went into effect on January 1, 2021, made all Medicare beneficiaries with ESRD eligible to enroll in Medicare Advantage plans.

Although patient safety awareness week is over, the Wall Street Journal makes us aware that

Black boxes on airplanes record detailed information about flights. Now, a technology that goes by the same name and captures just about everything that goes on in an operating room during a surgery is making its way into hospitals.

The OR Black Box, a system of sensors and software, is being used in operating rooms in 24 hospitals in the U.S., Canada and Western Europe. Video, audio, patient vital signs and data from surgical devices are among the information being captured.

The technology is being used primarily to analyze operating-room practices in hopes of reducing medical errors, improving patient safety and making operating rooms more efficient. It can also help hospitals figure out what happened if an operation goes wrong. * * *

Duke University Hospital, where two operating rooms are equipped with black boxes, is using the technology to study and improve on patient positioning for surgery to reduce the possibility of skin-tissue and nerve injuries. It is also studying and using the technology to improve communication among nursing personnel throughout a surgical procedure to ensure that key tasks—such as confirming that surgical instruments and medical devices are available for a procedure—are being completed promptly, effectively and efficiently.

Cybersecurity Saturday

From the cybersecurity policy front, the American Hospital Association informs us that

The Senate Homeland Security and Governmental Affairs Committee held a full Committee hearing examining cybersecurity risks to the healthcare sector on March 16. Witnesses included Scott Dresen, chief information security officer for Corewell Health, a large integrated health system in Michigan.

“The increasing frequency of attack from nation state actors and organized crime has created a sense of urgency within the healthcare sector and we need help from the United States government to respond to these threats more effectively,” Dresen said.

Specifically, he called for enhancing existing partnerships with and between federal agencies, expanding the sharing of actionable threat intelligence, incentivizing access to affordable technology to defend against advanced threats, ensuring there is an adequate cyber workforce, and reforming legislation to encourage the adoption of best practices while not penalizing the victims of cyberattacks.

STAT News reveals why an HHS rule amending the HIPAA Privacy Rule will wreak financial havoc on health systems. The proposed rule was issued in January 2021, so the final rule has been pending for a long time.

Federal News Network reports

The Cybersecurity and Infrastructure Security Agency (CISA) is looking to position a new “Cyber Analytics and Data System” at the center of national cyber defenses, as the agency’s post-EINSTEIN plans come into focus in its fiscal 2024 budget request.

CISA is seeking $424.9 million in the 2024 budget for “CADS.” The program is envisioned as a “system of systems,” budget documents explain, that provides “a robust and scalable analytic environment capable of integrating mission visibility data sets and providing visualization tools and advanced analytic capabilities to CISA cyber operators.”

The new program is part of the “restructuring” of the National Cybersecurity Protection System, according to the documents. More commonly known as “EINSTEIN,” the NCPS has been in place to defend federal agency networks since the Department of Homeland Security’s inception in 2003.

From the cyber breaches front, Tech Target brings us up to date on the DC Health Link breach.

An additional wrinkle to the breach came Monday [March 13] when another user on the same dark web forum using the alias Denfur, who had previously published sample data from the breach, created a thread supposedly aiming to clear up misinformation surrounding the breach.

Claiming to be a friend of IntelBroker, Denfur said the attack vector for the breach was an exposed, insecure database belonging to DC Health Link. Moreover, the poster said the database was likely exposed “for over a year and a half” before the breach occurred. TechTarget Editorial contacted DC Health Link in order to verify Denfur’s claims, but a spokesperson declined to comment.

Nextgov reports

At least two hacking groups were able to gain access to at least one federal agency’s servers through an old vulnerability in a software development and design product, according to a cybersecurity advisory issued Wednesday.

According to an alert issued by the Cybersecurity and Infrastructure Security Agency, or CISA, hackers were able to gain access to and run unauthorized code on a federal agency’s server, though they were not able to gain privileged access or move deeper into the network. The malicious activity was observed between November 2022 and early January, though the initial compromise goes as far back as August 2021.

Hackers used a vulnerability in old versions of Telerik UI, a software developer kit for designing apps, which, when exploited, allows hackers with access to execute code. The vulnerability was discovered in 2019 and builds on previous vulnerabilities discovered in 2017 that allow bad actors to gain privileged access and “successfully execute remote code on the vulnerable web server.”

The National Vulnerability Database—managed by the National Institute of Standards and Technology—rates this a critical vulnerability, with a score of 9.8 out of 10.

From the cyber vulnerabilities front, HHS’s Healthcare Cybersecurity Coordination Center (HC3) released its February 2023 list of vulnerabilities of interest to the health sector.

In February 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for this month are from Microsoft, Google/Android, Apple, Mozilla, SAP, Citrix, Intel, Cisco, VMWare, Fortinet, and Adobe. A vulnerability is given the classification as a zero-day if it is actively exploited with no fix available or is publicly disclosed. HC3 recommends patching all vulnerabilities with special consideration to the risk management posture of the organization.

Cybersecurity Dive informs us

  • Researchers are warning that state-linked and financially motivated threat actors may try to exploit a critical zero-day vulnerability in Microsoft Outlook to launch new attacks against unpatched systems.
  • Microsoft urged customers to patch their systems against CVE-2023-23397 to address the critical escalation of privilege vulnerability in Microsoft Outlook for Windows, the company said Tuesday. Microsoft Threat Intelligence warned that a Russia-based threat actor launched attacks against targeted victims in several European countries.
  • Mandiant researchers warned that other criminal and cyber-espionage actors will race to find new victims vulnerable to the zero day before organizations can apply patches.

CISA added three known exploited vulnerabilities, and then one more, to its catalog this week.

Security Week highlights that “Deepfakes are becoming increasingly popular with cybercriminals, and as these technologies become even easier to use, organizations must become even more vigilant.”

Deepfakes are part of the ongoing trend of weaponized AI. They’re extremely effective in the context of social engineering because they use AI to mimic human communications so well. With tools like these, malicious actors can easily hoodwink people into giving them credentials or other sensitive information, or even transfer money for instant financial gain. Deepfakes represent the next generation of fraud, by enabling bad actors to impersonate people more accurately and thus trick employees, friends, customers, etc., into doing things like turning over sensitive credentials or wiring money.

Here’s one real-world example: Bad actors used deepfake voice technology to defraud a company by using AI to mimic the voice of a CEO to persuade an employee to transfer nearly $250,000 to a Hungarian supplier. Earlier this year, the FBI also warned of an uptick in the use of deepfakes and stolen PII to apply for remote work jobs – especially for positions with access to a lot of sensitive customer data.

The Security Week article also discusses defenses to deepfake tactics.

From the ransomware data infiltration front –

  • The Federal Bureau of Investigation (FBI), CISA, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released a joint cybersecurity advisory (CSA), #StopRansomware: LockBit 3.0. This joint advisory details known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) that FBI investigations correlated with LockBit 3.0 ransomware as recently as March 2023. LockBit 3.0 functions as an affiliate-based ransomware variant and is a continuation of LockBit 2.0 and LockBit. CISA encourages network defenders to review and apply the recommendations in the Mitigations section of this CSA.
  • HC3 posted a threat profile on Black Basta.
    • “Black Basta was initially spotted in early 2022, known for its double extortion attack, the Russian-speaking group not only executes ransomware but also exfiltrates sensitive data, operating a cybercrime marketplace to publicly release it, should a victim fail to pay a ransom. The threat group’s prolific targeting of at least 20 victims in its first two weeks of operation indicates that it is experienced in ransomware and has a steady source of initial access. The level of sophistication by its proficient ransomware operators, and reluctance to recruit or advertise on Dark Web forums, supports why many suspect the nascent Black Basta may even be a rebrand of the Russian-speaking RaaS threat group Conti, or also linked to other Russian-speaking cyber threat groups. Previous HC3 Analyst Notes on Conti and BlackMatter even reinforce the similar tactics, techniques, and procedures (TTPs) shared with Black Basta. Nevertheless, as ransomware attacks continue to increase, this Threat Profile highlights the emerging group and its seasoned cybercriminals and provides best practices to lower risks of being victimized.”

Here is a link to the always interesting Bleeping Computer Week in Ransomware.

From the cyber defenses front —

CISA announced

the creation of the Ransomware Vulnerability Warning Pilot (RVWP). Through the RVWP, CISA:

  1. Proactively identifies information systems—belonging to critical infrastructure entities—that contain vulnerabilities commonly associated with ransomware intrusions.
  2. Notifies the owners of the affected information systems, which enables the owners to mitigate the vulnerabilities before damaging intrusions occur.

Review the RVWP webpage for details, including information on the authorities and services CISA leverages to enable RVWP notifications.

HelpNetSecurity tells us how to use ChatGPT to improve cyber defenses.