Cybersecurity Saturday

From the cyber policy front —

Cybersecurity Dive reports

National Cyber Director Chris Inglis said the Biden administration’s long-anticipated national cybersecurity strategy could be ready as early as late November but may take a couple of additional months for final completion. 

Inglis, speaking at the mWISE conference in Washington D.C. Wednesday, said the strategy would focus heavily on international cybersecurity issues as well as workforce development concerns, a major issue for the information security industry.

Officials have made considerable outreach to the private sector in terms of developing the strategy, with two-thirds of about 300 engagements being made with private industry officials.

and

Water, hospitals and K-12 schools will be the primary area of focus for the Cybersecurity and Infrastructure Security Agency over the next year, CISA Director Jen Easterly said Thursday at Mandiant’s mWISE Conference. 

Healthcare and water are among 16 critical infrastructure sectors CISA and other federal agencies have identified as “so vital to the U.S. that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” While schools are not considered critical infrastructure, they represent a soft target that is frequently hit by debilitating ransomware attacks.

CISA, in a bid to prioritize risk management and cyber resilience guidance across critical services, is placing higher emphasis, at least initially, on what Easterly describes as “target-rich, resource-poor entities.”

Health IT Security adds

For healthcare, further federal security guidance could help the sector manage risk amid an increasingly complex and active cyber threat landscape. In 2021, the healthcare sector fell victim to ransomware more than any other critical infrastructure sector, the Federal Bureau of Investigation found.

“We unfortunately continue to see ransomware attacks against hospitals, which could be helped if hospitals had a baseline to establish, maintain, and measure their cyber security hygiene and level of preparedness,” Stacy O’Mara, senior director of government affairs at Mandiant, told HealthITSecurity. * * *

A streamlined approach could help to ease the burden on individual entities.

“While all of these existing regulations are helpful to the healthcare sector – and should evolve to account for evolving threats to patients’ medical records, medical devices, and hospitals’ networks and systems – the federal government needs to continue its efforts to harmonize and streamline regulatory requirements,” O’Mara suggested.

Amen to that suggestion.

From the cyber breach front, Fierce Healthcare tells us

Advocate Aurora Health gave notice to patients that their health data may have been exposed through tracking technology. 

Up to 3 million patients may have been impacted in the breach against the health system, which is one of the Chicago area’s largest healthcare providers.

Advocate Aurora explained in a statement on its website that through the use of internet tracking technologies certain interactions on the provider’s website were leaked. The technologies from companies like Google and Facebook’s parent company Meta put pieces of code, called pixels, on certain websites and applications.

“These pixels or similar technologies were designed to gather information that we review in aggregate so that we can better understand patient needs and preferences to provide needed care to our patient population,” the health system said in the online statement. “We learned that pixels or similar technologies installed on our patient portals available through MyChart and LiveWell websites and applications, as well as on some of our scheduling widgets, transmitted certain patient information to the third-party vendors that provided us with the pixel technology.”

The health system said it has disabled and/or removed the pixels from its platforms and launched an internal investigation to better understand what patient information was transmitted to third-party vendors. * * *

Advocate Aurora had advised patients to use browser tracker-blocking features or incognito mode when logging into medical portals. It also suggests that those with Facebook or Google accounts examine their privacy settings.

Wow.

Cybersecurity Dive discusses the conviction of former Uber chief security officer Joe Sullivan, stemming from his handling of a 2016 data breach in which hackers stole user data.

Sullivan was convicted of obstructing a Federal Trade Commission probe, which had been investigating a prior breach at Uber. He was also convicted of a rarely charged crime called misprision, which involves knowing concealment of a crime.

Following the verdict, U.S. Attorney Stephanie Hinds said federal authorities expect companies to promptly alert customers and appropriate authorities when such data is stolen by hackers. 

“Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught,” Hinds said in the announcement of the verdict by the Department of Justice. “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers, than in protecting users.”

Sullivan faces up to five years in prison for obstruction and up to three years in prison for misprision of a felony. 

From the cyber vulnerabilities front —

Cybersecurity Dive informs us

The Apache Commons Text team is urging users to upgrade to version v1.10.0, which disables faulty interpolators at the center of a critical vulnerability that some security researchers have now dubbed “Text4Shell.” 

Those using an earlier version of Commons Text are considered safe from the vulnerability. Apache says users are only affected when using a StringSubstitutor API without properly sanitizing untrusted input, according to a blog post released Tuesday. 

The upgrade to v1.10.0 will serve as a quick workaround; however, the best option is to properly validate and sanitize any untrusted input.

CSO Online reports

Distributing malware inside password-protected archives has long been one of the main techniques used by attackers to bypass email security filters. More recently, researchers have spotted a variation that uses nested self-extracting archives that no longer require victims to input the password.

“This is significant because one of the most difficult obstacles threat actors face when conducting this type of spam campaign is to convince the target to open the archive using the provided password,” researchers from Trustwave SpiderLabs said in a new report.
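
The nested self-extracting trick is easy to miss when a mail gateway only classifies the outermost container. As an added example (written for this post, not Trustwave SpiderLabs’ tooling), the following Python scanner opens a ZIP, recognises a member that is an executable stub with an archive appended, and keeps descending through whatever that archive holds. The attachment it inspects is constructed in memory; a real deployment would feed it the files a gateway extracts.

```python
"""Spot the nested self-extracting (SFX) trick: an archive whose member is an
executable stub with another archive appended, so the payload unpacks without
the recipient typing a password. Added example written for this post; it is not
Trustwave SpiderLabs' tooling. The sample attachment is constructed in memory."""
import io
import zipfile

# Leading bytes of the container formats this scanner recognises.
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
}
PE_MAGIC = b"MZ"


def classify(blob: bytes) -> str:
    for magic, name in ARCHIVE_MAGIC.items():
        if blob.startswith(magic):
            return name
    return "pe" if blob.startswith(PE_MAGIC) else "other"


def embedded_archives(blob: bytes) -> list:
    """Archive signatures that begin after the first bytes, i.e. appended to a stub.
    A stub that merely embeds such bytes in a resource is a tolerable false positive."""
    found = [(name, blob.find(magic, 2)) for magic, name in ARCHIVE_MAGIC.items()]
    return sorted(((n, p) for n, p in found if p != -1), key=lambda t: t[1])


def scan(blob: bytes, path: str = "attachment", depth: int = 0, max_depth: int = 4) -> list:
    """Walk nested containers; return (path, finding) tuples."""
    findings = []
    kind = classify(blob)
    if kind == "pe":
        inner = embedded_archives(blob)
        if inner:
            inner_kind, offset = inner[0]
            findings.append((path, f"sfx-stub:{inner_kind}"))
            if depth < max_depth:
                findings += scan(blob[offset:], f"{path}!{inner_kind}", depth + 1, max_depth)
    elif kind == "zip":
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                member = f"{path}/{info.filename}"
                if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                    findings.append((member, "password-protected"))
                    continue
                if depth < max_depth:
                    findings += scan(zf.read(info), member, depth + 1, max_depth)
    elif kind in ("rar", "7z"):
        # No stdlib parser for these; record it and hand the blob to a real unpacker.
        findings.append((path, f"{kind}-archive"))
    return findings


def is_nested_sfx(findings: list) -> bool:
    """True when an executable stub carrying an archive sits inside a container."""
    return any(f.startswith("sfx-stub:") and "/" in p for p, f in findings)


def build_sample() -> bytes:
    """Constructed attachment: Invoice_2022.exe (an 'MZ' stub with a ZIP appended)
    inside an outer ZIP, the layout the nested-SFX lure relies on."""
    payload = io.BytesIO()
    with zipfile.ZipFile(payload, "w") as zf:
        zf.writestr("payload.exe", b"MZ" + b"\x90" * 64)
    sfx = b"MZ" + b"\x00" * 126 + payload.getvalue()  # fake stub, archive at offset 128
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("Invoice_2022.exe", sfx)
    return outer.getvalue()


def build_benign() -> bytes:
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 constructed placeholder")
    return outer.getvalue()


if __name__ == "__main__":
    for label, blob in (("lure", build_sample()), ("benign", build_benign())):
        result = scan(blob)
        print(label, result, "-> nested SFX" if is_nested_sfx(result) else "-> clean")
```

The scanner deliberately stops at RAR and 7z signatures rather than pretending to parse them; the point is the walk itself, which keeps going past the first executable instead of treating “member is an .exe” as the end of the story.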

The Cybersecurity and Infrastructure Security Agency “released a security update to address vulnerabilities affecting Cisco Identity Services Engine (ISE). A remote attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing high and low severity vulnerabilities, see the Cisco Security Advisories page.”

From the ransomware front, the American Hospital Association reports

The FBI, Cybersecurity and Infrastructure Security Agency and Department of Health and Human Services today [October 21] alerted U.S. organizations to a cybercrime group targeting the health care sector with ransomware and data extortion operations. The group has attacked multiple organizations since June, deploying ransomware to encrypt servers responsible for health care services, exfiltrating personal identifiable information and patient health information, and threatening to release the information if a ransom is not paid. The advisory includes indicators of compromise and recommended actions to protect against these attacks.

“This particularly urgent alert is directly relevant to ongoing ransomware threats currently targeting hospitals and health systems,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “The report also contains actionable indicators of compromise, malware signatures that should be loaded into network defense and intrusion detection systems. If there is any indication of this ransomware being present on hospital or health system networks, it is recommended that immediate steps be taken to contain, isolate and remediate. It is also strongly recommended that local FBI and CISA field offices be contacted immediately.”
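
Mr. Riggi’s advice to load the advisory’s indicators into detection systems is where many shops stumble in practice, because advisories print their indicators defanged (hxxp://, [.]) so that nobody clicks them. As an added example (not the advisory’s own tooling; the indicator list and log lines are constructed and use documentation addresses rather than the advisory’s real indicators), this Python sweep refangs a small indicator list and runs it over a few proxy, DNS and endpoint events:

```python
"""Turn an advisory's indicators of compromise into log searches. Advisories
publish indicators 'defanged' (hxxp://, [.]) so they cannot be clicked; the
sweep refangs them, matches hosts by suffix so subdomains count, and reports
which log lines hit. Added example for this post, not the FBI/CISA/HHS
advisory's tooling; indicators and log lines are constructed and use
documentation addresses, not the advisory's real IOCs."""
import hashlib
import re

# Constructed stand-in for a file hash; not a real malware hash.
SAMPLE_SHA256 = hashlib.sha256(b"constructed sample, not real malware").hexdigest()

RAW_IOCS = f"""
# type  value   (constructed; defanged the way advisories print them)
ip      203.0.113.45
domain  update-check[.]example[.]net
url     hxxps://update-check[.]example[.]net/agent/install.ps1
sha256  {SAMPLE_SHA256}
"""

LOG_LINES = [  # constructed proxy / DNS / EDR events
    "2022-10-20T14:02:11Z proxy allow src=10.40.8.23 dst=203.0.113.45 "
    "url=https://update-check.example.net/agent/install.ps1 bytes=48213",
    "2022-10-20T14:02:12Z dns query src=10.40.8.23 qname=cdn.update-check.example.net type=A",
    "2022-10-20T14:05:40Z edr file-create host=ws-hr-117 path=C:\\Users\\Public\\agent.exe "
    f"sha256={SAMPLE_SHA256.upper()}",
    "2022-10-20T14:07:03Z proxy allow src=10.40.8.90 dst=198.51.100.7 url=https://www.example.org/ bytes=1200",
]


def refang(value: str) -> str:
    """Undo the common defanging conventions."""
    return (value.replace("hxxps://", "https://").replace("hxxp://", "http://")
                 .replace("[.]", ".").replace("[:]", ":"))


def parse_iocs(raw: str) -> list:
    """Return (type, value) pairs, refanged and lower-cased for matching."""
    iocs = []
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value = line.split(None, 1)
        iocs.append((kind.lower(), refang(value.strip()).lower()))
    return iocs


def compile_pattern(kind: str, value: str) -> "re.Pattern":
    if kind == "ip":       # whole dotted quad only: 203.0.113.45 must not hit 203.0.113.450
        return re.compile(r"(?<![\d.])" + re.escape(value) + r"(?![\d.])")
    if kind == "domain":   # the domain itself or any subdomain of it
        return re.compile(r"(?<![\w.-])(?:[\w-]+\.)*" + re.escape(value) + r"(?![\w-])", re.I)
    return re.compile(re.escape(value), re.I)  # url, hashes: literal, case-insensitive


def sweep(log_lines: list, iocs: list) -> list:
    """Return (line_number, ioc_type, ioc_value) for every indicator hit."""
    compiled = [(kind, value, compile_pattern(kind, value)) for kind, value in iocs]
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for kind, value, pattern in compiled:
            if pattern.search(line):
                hits.append((number, kind, value))
    return hits


if __name__ == "__main__":
    for number, kind, value in sweep(LOG_LINES, parse_iocs(RAW_IOCS)):
        print(f"line {number}: {kind} {value}")
```

Two details matter more than they look: the IP pattern is fenced so a longer address containing the indicator does not match, and the domain pattern accepts subdomains, since the DNS query for cdn.update-check.example.net is exactly the sort of sighting a plain string search for the bare domain misses.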

Here’s the latest Bleeping Computer Week in Ransomware.

From the cyber defenses front —

Health IT Security informs us

Enabling multi-factor authentication (MFA) is “the single most important thing Americans can do to stay safe online,” Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly wrote in a CISA blog post.

But Easterly encouraged businesses and technology vendors in particular to go one step further and ensure that FIDO authentication is part of their MFA implementation plans.

“We’ve known for years that any form of MFA is better than no MFA. That’s still true, but we’ve also known that at some point ‘traditional MFA’ would become ‘legacy MFA’ and need to be reassessed or even replaced,” Easterly wrote.

“Luckily a group of companies formed the FIDO Alliance to create a phishing-resistant form of MFA.”

According to its website, the FIDO Alliance is an open industry association united by the goal of reducing “the world’s over-reliance on passwords.”

The FIDO Alliance has globally available technical specifications and industry certification programs that make authentication simpler and more secure.
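
Why FIDO counts as phishing-resistant, where a six-digit code does not, comes down to one check the relying party makes: the browser records the origin it is actually on, the authenticator signs over that record, and a site with the wrong name fails the check even if the victim pressed the key. As an added example (written for this post; not FIDO Alliance or CISA code, hostnames assumed, and the public-key signature step only noted rather than performed), this Python script simulates the browser-side data and the relying party’s verification, with a legacy one-time-code check alongside for contrast:

```python
"""Relying-party checks that make FIDO2/WebAuthn 'phishing-resistant': the
browser writes the origin it is on into clientDataJSON and the authenticator
signs over it, so an assertion collected by a look-alike site fails here even
if the victim touched the key. Added example for this post; not FIDO Alliance
or CISA code and not a complete WebAuthn implementation (the public-key
signature step is noted, not performed). Hostnames are assumed."""
import base64
import hashlib
import hmac
import json
import os
import struct

RP_ID = "portal.example.org"          # assumed relying-party ID
EXPECTED_ORIGIN = "https://" + RP_ID


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# --- what the browser and authenticator produce (simulated) ------------------
def make_client_data(challenge: bytes, origin: str) -> str:
    """clientDataJSON as the browser builds it: origin is the page's real origin."""
    return b64url_encode(json.dumps(
        {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    ).encode())


def make_authenticator_data(rp_id: str, counter: int, flags: int = 0x05) -> bytes:
    """rpIdHash(32) || flags(1) || signCount(4); 0x05 = user present + user verified."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


# --- what the relying party checks -------------------------------------------
def verify_assertion(client_data_b64: str, auth_data: bytes, expected_challenge: bytes,
                     expected_origin: str = EXPECTED_ORIGIN, rp_id: str = RP_ID) -> tuple:
    """Returns (ok, reason); order follows the WebAuthn assertion-verification steps."""
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
        got_challenge = b64url_decode(client_data.get("challenge", ""))
    except (ValueError, AttributeError):
        return False, "clientDataJSON undecodable"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(got_challenge, expected_challenge):
        return False, "challenge mismatch (stale or replayed)"
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    counter = struct.unpack(">I", auth_data[33:37])[0]
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(rp_id.encode()).digest()):
        return False, "rpIdHash mismatch"
    if not flags & 0x01:
        return False, "user-presence flag not set"
    # Next in a real RP: verify the credential's public-key signature over
    # auth_data || SHA-256(clientDataJSON), then store `counter` to detect clones.
    return True, f"ok (signCount={counter})"


def verify_otp(submitted: str, expected: str) -> bool:
    """Legacy one-time-code MFA for contrast: nothing in the code says where it was
    typed, so a code captured on a phishing page and relayed in time is accepted."""
    return hmac.compare_digest(submitted, expected)


if __name__ == "__main__":
    challenge = os.urandom(32)
    auth = make_authenticator_data(RP_ID, counter=7)
    print(verify_assertion(make_client_data(challenge, EXPECTED_ORIGIN), auth, challenge))
    # The same key press harvested by an attacker's look-alike site (assumed hostname):
    print(verify_assertion(make_client_data(challenge, "https://portal.example.net"), auth, challenge))
    print(verify_otp("123456", "123456"))  # relayed code: indistinguishable from the real one
```

Note that the challenge check is what stops replay and the origin check is what stops relay; a proxy that forwards the victim’s traffic in real time defeats the first but not the second, which is the whole difference between “traditional” and phishing-resistant MFA in Easterly’s post.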

Security Magazine provides an overview of cyber defenses drawn from an IBM report.

Cybersecurity Saturday

From the cyber breach front, Federal News Network informs us

Victims of one of the largest data breaches to ever hit the federal government are one step closer to a payout, more than seven years later.

A federal judge on Friday finalized the Office of Personnel Management’s settlement agreement with current and former federal employees, as well as federal job applicants, impacted by a major data breach in 2015.

District Judge Amy Berman Jackson, in a fairness hearing at the U.S. District Court for the District of Columbia, said the $63 million settlement for breach victims was “fair, reasonable and adequate.” * * *

Court documents show nearly 20,000 individuals have already signed onto the class-action lawsuit, but breach victims have until Dec. 23 to submit a claim to join the class-action lawsuit.

The law firm Girard Sharp, which represents plaintiffs in the lawsuit, said in June that the settlement will provide a minimum payment of $700 for individuals who suffered a financial loss as a result of the hack, “even for those with minor expenses.”

Reuters adds

[District Judge Amy Berman Jackson] on Friday said she will slash thousands of dollars in proposed “incentive” awards for plaintiffs who settled data-breach claims against the U.S. Office of Personnel Management, as the court prepares to issue a final order approving the $63 million deal.

U.S. District Judge Amy Berman Jackson in Washington, D.C., at a hearing said she will approve a “nominal” amount of $1,000 for 36 named plaintiffs who led the privacy case against the Office of Personnel Management (OPM), the primary human resources agency in the federal government.

From the cyberpolicy front —

This coming week is

Cybersecurity Career Awareness Week, a week-long campaign in the middle of Cybersecurity Awareness Month focused on raising awareness around cybersecurity job opportunities and how building a cyber workforce enhances our nation’s security.  Hosted by National Institute of Standards and Technology (NIST), this week runs from October 17-22 this year.

CyberScoop informs us

The White House National Security Council will announce plans Tuesday for a consumer products cybersecurity labeling program intended to improve digital safeguards on internet-connected devices, a senior White House official told CyberScoop. 

About 50 representatives from consumer product associations, manufacturing companies and technology think tanks will convene at the White House on Oct. 19 for a workshop on the voluntary effort ahead of an expected spring 2023 launch.

The White House briefly described the effort in a document it released Tuesday outlining various cybersecurity initiatives. The administration plans to start with recommending three or four cybersecurity standards that manufacturers can use as the basis for labels that communicate the risks associated with using so-called internet of things devices.

The FEHBlog ran across CISA’s 2023 to 2025 Strategic Plan that was released in September. Here is a Homeland Security Today article on the new plan.

Health IT Analytics reports

The White House unveiled its Blueprint for an AI Bill of Rights [earlier this month], which identifies five guidelines for the design, use, and deployment of automated and artificial intelligence (AI)-based tools to protect Americans from harm as the use of these technologies continues to grow in multiple industries.

The blueprint outlines five core principles: safe and effective systems, algorithmic discrimination protections, data privacy, notice and explanation, and human alternatives, consideration, and fallback. These are intended to serve as practical guidance for the US government, tech companies, researchers, and other stakeholders, but the blueprint is nonbinding and does not constitute regulatory policy.

The guidelines apply to AI and automated tools across industries, including healthcare, and are part of a larger conversation around the ethical use of AI.

From the cyber vulnerabilities front

Cybersecurity Dive tells us

The Cybersecurity and Infrastructure Security Agency on Tuesday added multiple Fortinet products to its Known Exploited Vulnerabilities Catalog, one day after the company warned an authentication bypass vulnerability was being actively exploited. 

The vulnerability, listed as CVE-2022-40684, allows for authentication bypass, which enables an attacker to perform operations on the administrative interface. The vulnerability, which has a CVSS score of 9.6, affects FortiOS, FortiProxy and FortiSwitchManager. 

The company initially disclosed the vulnerability on Oct. 3 and urged customers to immediately perform a software upgrade. Late last week, Fortinet sent an internal email to select customers providing a confidential warning along with mitigation advice. 

Security Week reported last Tuesday

Microsoft on Tuesday released software fixes to address more than 90 security defects affecting products in the Windows ecosystem and warned that one of the vulnerabilities was already being exploited as zero-day in the wild.

The exploited vulnerability – documented as CVE-2022-41033 – affects the Windows COM+ event system service and has been exploited in elevation of privilege attacks, suggesting it was used as part of an exploit chain detected in the wild.

The latest zero-day was reported anonymously to Microsoft.

The new warning comes less than a month after Microsoft’s security response team scrambled to issue mitigations for a pair of Exchange Server flaws targeted by a nation state-level threat actor.

Those two Exchange Server vulnerabilities – CVE-2022-41040 and CVE-2022-41082 — remain unpatched.

From the ransomware front, Health IT Security relates “As suspected and validated by local news reports, the CommonSpirit “IT issue” was in fact a ransomware attack. CommonSpirit confirmed the nature of the attack in a recent update posted on its website. Hospitals across the country are still feeling the impacts of the attack that began as early as October 3.”

Cybersecurity Dive adds

CommonSpirit has [informed law enforcement and] launched a forensics investigation to determine the data impacts and said it tapped leading cybersecurity specialists to help.

“The fact that this has turned out to be a ransomware incident is not at all surprising,” Brett Callow, a threat analyst at security firm Emsisoft, said. “What remains to be seen is how quickly CommonSpirit can recover its systems and resume normal operations and whether or not any data was stolen during the attack. If data was stolen, the attackers will likely use the threat of releasing it online as additional leverage to try to extort payment.”

Here’s the latest Bleeping Computer “The Week in Ransomware.”

From the cyber defenses front

  • CISA suggests actions to help protect against advanced persistent threat cyber activity.

Cybersecurity Saturday

From the cybersecurity policy front, Cyberscoop reports

The Cybersecurity and Infrastructure Security Agency announced a Binding Operational Directive on Monday ordering federal civilian agencies to enhance efforts to detect vulnerabilities in their networks, a move that CISA Director Jen Easterly hopes the private sector will emulate.

The Improving Asset Visibility and Vulnerability Detection on Federal Networks, or BOD 23-01, directive is designed to improve “asset visibility and vulnerability detection on federal networks,” Easterly told reporters during a CISA roundtable discussion on Monday. Federal civilian agencies now will be expected to report detailed data about vulnerabilities to CISA at timed intervals using automated tools, she said.

“We have said consistently that we are on an urgent path to gain visibility into risks facing federal civilian networks,” Easterly told reporters. “This is a movement essentially to allow CISA, in its role as operational lead for federal cybersecurity, to manage federal cybersecurity as an enterprise.”
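
The directive’s “asset visibility and vulnerability detection” wording only pays off when the enumerated findings are joined to something that says which ones are being exploited now, and that is what CISA’s Known Exploited Vulnerabilities catalog (the same catalog the Fortinet entry earlier on this page was added to) supplies, complete with a remediation due date per entry. As an added example (written for this post, not CISA tooling), here is a Python triage that joins constructed scanner findings to a constructed excerpt of the catalog, keeping the real feed’s field names; the dates in the excerpt are illustrative and the “today” is assumed.

```python
"""Triage scanner findings against CISA's Known Exploited Vulnerabilities (KEV)
catalog and flag what is past its remediation due date. Added example written
for this post, not CISA tooling. The catalog excerpt and the inventory below are
constructed for offline use; the excerpt keeps the real feed's field names and
its dates are illustrative."""
import json
from datetime import date

# Constructed excerpt in the shape of CISA's known_exploited_vulnerabilities.json.
KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2022-41040", "vendorProject": "Microsoft", "product": "Exchange Server",
         "dateAdded": "2022-09-30", "dueDate": "2022-10-21",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-41082", "vendorProject": "Microsoft", "product": "Exchange Server",
         "dateAdded": "2022-09-30", "dueDate": "2022-10-21",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-40684", "vendorProject": "Fortinet", "product": "Multiple Products",
         "dateAdded": "2022-10-11", "dueDate": "2022-11-01",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-41033", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2022-10-11", "dueDate": "2022-11-01",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed inventory: each asset with the CVE IDs a vulnerability scanner reported.
INVENTORY = [
    {"host": "fw-edge-01", "findings": ["CVE-2022-40684"]},
    {"host": "mail-01", "findings": ["CVE-2022-41040", "CVE-2022-41082"]},
    {"host": "ws-hr-117", "findings": ["CVE-2022-41033", "CVE-2022-37972"]},  # 37972 absent from the excerpt
    {"host": "db-prod-02", "findings": []},
]

AS_OF = date(2022, 10, 22)  # assumed "today" for the demo


def load_kev(raw: str) -> dict:
    """Index the catalog by CVE ID for constant-time lookups."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def kev_exposure(inventory: list, kev: dict, today: date) -> list:
    """Join findings with the catalog; overdue items first, then by days left."""
    rows = []
    for asset in inventory:
        for cve in asset["findings"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in the catalog: still real, but not on the exploited-now list
            due = date.fromisoformat(entry["dueDate"])
            rows.append({
                "host": asset["host"], "cve": cve, "vendor": entry["vendorProject"],
                "product": entry["product"], "due": entry["dueDate"],
                "days_left": (due - today).days, "overdue": today > due,
            })
    rows.sort(key=lambda r: (not r["overdue"], r["days_left"], r["host"]))
    return rows


def summarize(rows: list) -> dict:
    """Roll-up figures for a vulnerability-management report."""
    return {
        "kev_hits": len(rows),
        "overdue": sum(1 for r in rows if r["overdue"]),
        "hosts_affected": len({r["host"] for r in rows}),
    }


def demo_report() -> list:
    return kev_exposure(INVENTORY, load_kev(KEV_JSON), AS_OF)


if __name__ == "__main__":
    report = demo_report()
    for r in report:
        flag = "OVERDUE" if r["overdue"] else f"{r['days_left']}d left"
        print(f"{r['host']:<12} {r['cve']:<16} {r['vendor']:<10} due {r['due']}  {flag}")
    print(summarize(report))
```

The private-sector emulation Easterly hopes for is mostly this loop run on a schedule against the live catalog: enumerate, join, sort by due date, and treat the overdue list as the day’s work.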

Cyberscoop adds

The congressional commission charged with bolstering U.S. cyber defenses has already seen plenty of its recommendations realized: the appointment of a national cyber director, increased CISA funding and a State Department cyber ambassador.

And a new report released Wednesday shows the Cyberspace Solarium Commission is on track to have 85% of all of its recommendations implemented with the remaining either facing some hurdles or “significant barriers.”

The commission progress report shows that nearly 60% of its original 82 recommendations have been fully or nearly implemented and more than 25% are on track to be realized.

From the cyber breaches and vulnerability front

Cybersecurity Dive reports

An “IT security incident” reported this week by CommonSpirit Health, one of the nation’s largest health systems, is likely a cyberattack, security experts said.

CommonSpirit announced on Tuesday that an unspecified security incident was affecting multiple regions and interrupting access to electronic health records. As a precautionary step, some systems were taken offline as a result of the incident, the system said. * * *

While the scarcity of details has led some to speculate on the nature of the security incident at Chicago-based CommonSpirit Health, moving systems offline and interrupting access to electronic health records is viewed as a defensive move, security experts told Healthcare Dive. 

It’s possible that “an attacker has access or is trying to get access to their system and they want to do whatever they can to prevent that. So what’s the easiest way to do that? Unplug everything,” said Allie Mellen, senior analyst of security and risk at Forrester, a research and advisory firm for various industries. 

The Health Sector Cybersecurity Coordination Center released a presentation on “Abuse of Legitimate Security Tools and Health Sector Cybersecurity.” The presentation discusses how bad actors can turn “tools used to operate, maintain and secure healthcare systems and networks” against that infrastructure.

From the ransomware front

  • The Government Accountability Office released a report on the topic. “Homeland Security, FBI, and Secret Service help state, local, and other governments prevent or respond to ransomware attacks on systems like emergency services. Most government entities said they were satisfied with the agencies’ prevention and response efforts. But many cited inconsistent communication during attacks as a problem. We recommended that the federal agencies address cited issues and follow key practices for better collaboration.”
  • ZDNet informs us, “Over half of ransomware attacks now begin with criminals exploiting vulnerabilities in remote and internet-facing systems as hackers look to take advantage of unpatched cybersecurity issues. According to the analysis of ransomware incidents during the past year by researchers at security company Secureworks, 52% of attacks started with malicious hackers exploiting remote services.”
  • As almost always, Bleeping Computer offers us The Week in Ransomware.

From the cyber defenses front

  • CISA kicked off National Cybersecurity Awareness Month last Monday. “This year’s campaign theme — “See Yourself in Cyber” — demonstrates that while cybersecurity may seem like a complex subject, ultimately, it’s really all about people.” Here’s CISA’s event page.
  • The National Cybersecurity Alliance joins CISA in sponsoring this awareness event. The Alliance shared four points (plus one) on staying safe online.
  • Cybersecurity Dive cautions that multifactor authentication is a cybersecurity tool, not a solution.

Cybersecurity Saturday

From the cyberpolicy front, let’s remember, “Cybersecurity Awareness Month, every October, is a collaboration between government and private industry to raise awareness about digital security and empower everyone to protect their data from digital forms of crime.”

CISA adds that the agency “postpone[d] the 5th Annual National Cybersecurity Summit due to the mission-critical work of preparing for the potential impact of Hurricane Ian in the region. The summit was originally scheduled to occur on October 4. Visit CISA’s National Cybersecurity Summit webpage and follow CISA on social media for the latest news and updated registration information when it’s available.”

From the cyber vulnerabilities front —

Cybersecurity Dive informs us in an article posted on September 30

Microsoft is investigating reports of two zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016 and 2019, according to a blog post issued Friday. The vulnerabilities do not affect Microsoft Exchange Online customers.

The first vulnerability, CVE-2022-41040, is a server-side request forgery vulnerability, Microsoft said. The second, CVE-2022-41082, allows remote-code execution when a threat actor has access to PowerShell. 

Microsoft confirmed it was aware of limited targeted incidents with attackers using the two vulnerabilities to compromise systems. During the incidents, an attacker can use CVE-2022-41040 to allow an authenticated attacker to remotely trigger CVE-2022-41082.

The Health Sector Cybersecurity Coordination Center issued an alert on the Microsoft zero day vulnerabilities.

Currently, the full impact to the Healthcare and public health (HPH) sector is unknown; however, the threat actors actively exploiting these vulnerabilities make the HPH sector a potential target.

CISA issued an alert titled “Microsoft Releases Guidance on Zero-Day Vulnerabilities in Microsoft Exchange Server.”

CISA’s other vulnerability advisories issued last week include the following

What’s more, CISA added three vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. 

From the ransomware front, Cybersecurity Dive reports

U.S. businesses were targeted by nearly half of all publicly acknowledged ransomware attacks globally between January 2020 and July 2022, according to data collected by NordLocker and published Tuesday in a report. 

Of the 5,200 cases recorded on ransomware groups’ sites, U.S. organizations accounted for almost 2,400 incidents. Businesses in California, Texas, Florida and New York suffered the greatest number of ransomware attacks, but Michigan businesses were hit hardest when the rate is adjusted by the number of active businesses in each state.

Small- and medium-sized businesses with two to 200 employees suffered the most attacks during the period, accounting for 46%, or 2,300 ransomware attacks total, according to the report.

And here’s the September 30 “The Week in Ransomware,” from Bleeping Computer.

This week’s news primarily revolves around LockBit, BlackMatter, and the rising enterprise-targeting Royal ransomware operation.

As expected, threat actors now use the leaked LockBit 3.0 ransomware builder for their ransomware operations. For example, the Bl00Dy Ransomware Gang, who previously used Babuk and Conti encryptors, has now switched to a LockBit 3.0 encryptor in an attack on a Ukrainian business.

Researchers also reported that TargetCompany ransomware affiliates are now targeting publicly exposed Microsoft SQL servers.

Another interesting piece of research is the prediction that ransomware gangs may move away from encrypting altogether and switch to pure data exfiltration and file deletion to cut out the ransomware developer. This idea stems from a new file deletion/corruption feature in a data theft tool used by a BlackMatter affiliate.

From the cyberdefenses front —

  • Health IT Security offers “six healthcare cybersecurity strategies for successful CISOs. Mastering effective communication, implementing a risk-based healthcare cybersecurity approach, and attracting top cyber talent are all parts of a CISO’s job description.”
  • The Wall Street Journal reports “Heightened Cyber Threat Brings CIOs, CISOs Closer; The work dynamic between IT and cyber leaders is changing as digital fortification becomes more urgent. ‘Everybody’s top of mind is cybersecurity,’ says one CISO.”
  • The Journal adds “A mix of regulation, investor demands and insurance requirements is pushing companies to elevate the oversight of cybersecurity, officials from the U.S. and other countries say.”
  • Cybersecurity Dive tells us about “six things that businesses need to know about the changing privacy landscape. New bills are proposed every day, and while only a few will become official policy, there may be important trends that impact businesses.”

Cybersecurity Saturday

From the cybersecurity policy front, CISA announced the speakers scheduled for its Fifth National Cybersecurity Summit to be held in Atlanta, GA, on October 4, 2022. You may attend in person or virtually. You can register here: CISA’s 5th Annual National Cybersecurity Summit Tickets | Eventbrite There’s no charge to attend this summit.

From the cyberbreach front, Cybersecurity Dive reports “Uber details how it got hacked, claims limited damage; While there’s no evidence the rideshare company’s codebase was altered, the attacker did gain access to Slack, vulnerability reports and financial data.” The FEHBlog called attention to the Uber breach in last week’s post.

From the cybervulnerability front

  • Health IT Security informs us, “The Health Sector Cybersecurity Coordination Center (HC3) warned the healthcare sector of a new monkeypox-themed phishing scheme targeting healthcare providers.”
  • HC3 also released a PowerPoint presentation on the Chinese state-sponsored threat actor APT41 and its recent activity.
  • CISA added another known exploited vulnerability to its catalog.
  • VentureBeat discusses Keeper Security[’s] * * * second annual 2022 U.S. Cybersecurity Census Report, which maps the transforming landscape of cybersecurity based on expert insights from 500+ IT decision-makers in U.S. businesses. This year’s findings clearly show that while cybersecurity is a key priority, staying a step ahead of bad actors is a continuous challenge – and many businesses are not keeping pace. According to survey respondents, U.S. businesses experience 42 cyberattacks each year. Of those, about three cyberattacks are successful. The overwhelming majority of respondents expect the total number of attacks will increase over the next year, with 39% predicting the number of successful cyberattacks will also increase.
  • CISA announced that “Microsoft has released a security update to address a vulnerability in Microsoft Endpoint Configuration Manager, versions 2103-2207. An attacker could exploit this vulnerability to obtain sensitive information. CISA encourages users and administrators to review Microsoft’s Security Advisory for CVE-2022-37972 and apply the necessary updates.”

From the ransomware front, all we have this week is the Bleeping Computer’s reliable and comprehensive The Week in Ransomware.

From the cyberdefenses front, the FEHBlog was very impressed by the Wall Street Journal article about zero-trust architecture.

The companies that should know best how to fight hackers, tech firms, have reached an arresting conclusion: The weakest link in security, as it’s been since the Trojan War, is humans.

Increasingly, they are taking a new approach: Trust no one.

The philosophy, known as zero-trust architecture, assumes that no matter how robust a company’s external defenses are, hackers can get in. So companies need to make sure that even users inside a network can’t do serious damage. * * *

“Zero trust is based on the idea that you don’t trust anything in your system anymore,” says Anshu Sharma, chief executive of Skyflow, a startup that uses zero-trust principles to safeguard personal data for other companies. “Just because you’re in the building, you don’t get access to important stuff.” 

Many of the design principles that guide engineers building zero-trust systems are easy to understand. If you’ve found yourself having to log back into corporate systems or your bank’s website more often of late, that’s a version of the zero-trust tactic of regularly “rotating” the credentials that allow people and computers to access other systems. The idea is that even if attackers got in with your account, they’d have limited time to do damage.

Another zero-trust principle, known as behavioral analysis, is that software should monitor the behavior of those on a network and flag anyone doing something unusual, like trying to make an extra-large bank withdrawal. (This is the same kind of analysis that leads your bank to send you a text if you make an out-of-character credit-card purchase, for example, when you’re traveling to a new city.)

The consistent theme is that every component of a system should be skeptical, even if you’ve identified yourself and gained access, that you are who you say you are and are doing what you should be doing.


Cybersecurity Saturday

From the cyberpolicy front, Nextgov informs us that

The Federal Acquisition Regulatory Council will soon propose a rule requiring federal agencies to use a uniform, standard self-attestation form when seeking assurances from software vendors that their products were developed using guidance from the National Institute of Standards and Technology.  

“Agencies are encouraged to use a standard self-attestation form, which will be made available,” in line with the new rule, according to a memo the Office of Management and Budget issued Wednesday [September 14]. 

From the cyberbreaches front, Cybersecurity Dive reports

Uber confirmed its systems were breached Thursday [September 15] in an attack that appears far reaching in scope. The rideshare and food delivery company said it alerted law enforcement to the incident in a Thursday statement.

The threat actor, who claims to be 18 years old, told The New York Times he duped an employee into providing their password via text message and compromised the worker’s Slack account. Slack’s high-level access to other third-party services allowed the attacker to gain access to additional Uber systems, including Amazon Web Services, Google Cloud, VMware virtual machines, OneLogin and other services, the attacker claimed.

The American Hospital Association tells us

The FBI has received multiple reports of cyber criminals increasingly targeting healthcare payment processors to redirect victim payments. In each of these reports, unknown cyber criminals used employees’ publicly-available Personally Identifiable Information (PII) and social engineering techniques to impersonate victims and obtain access to files, healthcare portals, payment information, and websites. In one case, the attacker changed victims’ direct deposit information to a bank account controlled by the attacker, redirecting $3.1 million from victims’ payments.

Here’s a link to the FBI’s report.

From the cybervulnerabilities front —

  • Health IT Security calls our attention to an FBI warning of “Patient Safety, Security Risks Associated With Legacy Medical Devices.”
  • CISA also announced “Microsoft has released updates to address multiple vulnerabilities in Microsoft software. An attacker can exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Microsoft’s September 2022 Security Update Guide and Deployment Information and apply the necessary updates.”

From the ransomware front —

  • CISA issued a readout of the “first meeting of the Joint Ransomware Task Force (JRTF), an interagency body established by Congress to unify and strengthen efforts against the ongoing threat of ransomware.” CISA and the FBI co-chair this group.
  • CISA, the FBI, the National Security Agency and other U.S. and foreign intelligence operations released an updated warning on “Iranian Islamic Revolutionary Guard Corps Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations.”
  • Cybersecurity Dive reports on ransomware issues discussed at Rubrik’s virtual Data Security Summit held last week.
  • Here’s a link to the latest Bleeping Computer’s The Week in Ransomware.

From the cyberbusiness front, Cybersecurity Dive reports

Google completed its $5.4 billion acquisition of Mandiant on Monday and said it plans to retain the Mandiant brand under Google Cloud.

The deal for the incident response and threat intelligence firm, inked in March, marks Google’s largest cybersecurity acquisition to date and the second largest in the company’s history. Google announced a deal in early January to buy Siemplify, a security orchestration, automation and response technology provider. 

Google in August 2021 pledged to invest $10 billion in cybersecurity over the next five years.

From the cyberdefenses front —

  • Psychology Today features an article titled “The Cyber Security Head Game; Winning cyber wars means beating your adversary’s mind, not their technology.”
  • The Department of Health and Human Services 405(d) Program released its September 2022 online newsletter.

Cybersecurity Saturday

From the cyberpolicy front, Cyberscoop reports

Federal cyber officials will formally ask industry leaders “in the next couple of days” to help shape the regulatory structure for cybersecurity incident reporting, Jen Easterly, director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, said Wednesday.

The incident reporting framework follows the new law that President Biden signed in March requiring critical infrastructure owners and operators to report major cyberattacks to CISA within 72 hours and ransomware attacks within 24 hours.

CISA has said that it will use the reports to rapidly deploy resources to victims under attack and share information with network defenders. Easterly, who spent four years working on cyber defense at Morgan Stanley prior to coming to CISA, emphasized that she wants to work with industry to create a smart regulatory apparatus that doesn’t create problems for the private sector.

“This will finally allow us a much better understanding of what’s going on across the ecosystem,” Easterly said at the Billington Cybersecurity Summit in Washington. “We don’t want to burden industry and we don’t want to burden the federal government with noise either.”

Easterly said that after CISA issues a request for information from the private sector, she intends to also host several listening sessions with industry to ensure the rule-making process is “consultative.”

From the cyberbreach front —

Health IT Security reports

Healthcare data breaches are continuing to impact the healthcare sector at alarming rates, even as more organizations adopt updated security solutions in an attempt to keep pace with the influx of new cyber threats.

The healthcare sector suffered about 337 breaches in the first half of 2022 alone, according to Fortified Health Security’s mid-year report. More than 19 million records were implicated in healthcare data breaches in the first six months of the year.

What’s more, IBM’s annual “Cost of a Data Breach” report showed that the average cost of a healthcare data breach is now $10.1 million per incident, signifying a 9.4 percent increase from its 2021 report.

Cyberscoop adds

Nearly 90% of information technology professionals working in health care said their facilities suffered a cyberattack in the past year, according to a report out Thursday from the research organization Ponemon Institute. 

Many of them said the attacks, which averaged 43 at various types of health care organizations including hospitals and insurance providers, increasingly affected patient care.

More than 600 IT and IT security practitioners responded to the survey sponsored by the cybersecurity firm Proofpoint. The report comes amid frequent warnings from federal cybersecurity officials about ransomware and other cyberattacks on health care organizations.

Fifty-three percent of the respondents said their organization had experienced at least one ransomware incident over the past two years, while a third said they’d suffered between two and five. Nine percent of respondents said their organizations suffered six to 10 incidents.

The findings mark an increase from a year ago when Ponemon conducted a similar survey commissioned by cybersecurity firm Censinet. That survey found that just over 40% of respondents suffered a ransomware attack in the previous year.

From the cybervulnerability front —

This past week, HHS’s Health Sector Cybersecurity Coordination Center (HC3) released its August 2022 Cybersecurity Vulnerability Bulletin and a PowerPoint presentation about emerging technology and security implications for the health sector.

Security Week adds “Security researchers with AT&T Alien Labs are warning of a new piece of malware that can take full control of infected Linux systems, including Internet of Things (IoT) devices. Dubbed Shikitega, the threat is delivered as part of a multi-stage infection chain, where each step is responsible for a part of the payload and fetches and executes the next module.”

From the ransomware front —

Cybersecurity Dive reports

Barely one in five organizations consider their organization as prepared as possible for a potential ransomware attack, according to a survey of 400 IT leaders and professionals involved in their company’s cybersecurity strategy. Almost 15% said they are very or somewhat unprepared for an attack.

The majority of respondents said they spend less than five hours per week on ransomware preparedness. Almost one-third invest less than an hour per week on the matter.

Organizations’ perceived state of preparedness and time spent bolstering defenses against ransomware stands out considering how many have already been hit. More than four out of 10 respondents said they’ve had a ransomware attack that resulted in infiltration or data encryption.

Here’s a link to the latest Bleeping Computer’s Week in Ransomware for your reading pleasure.

In cybersecurity leadership news —

  • Cybersecurity Dive discusses “Today’s top cybersecurity concerns and what comes next; CISOs are up against talent shortages and retention concerns amid an increasingly sophisticated threat landscape.”
  • The Wall Street Journal reflects on “Why Companies Need to Think About Cyber Resilience, Not Just Cybersecurity; Cyber resilience concedes that breaches are inevitable, and it makes minimizing risk or loss in the event of an attack the end goal.”

Cybersecurity Saturday

From the cyber threats and concerns front —

Health IT Security reports

The Health Sector Cybersecurity Coordination Center (HC3) issued a threat profile about Evil Corp and warned that the prolific group could threaten healthcare cybersecurity.

The Russian-based cybercriminal syndicate has been operational since 2009 and is responsible for creating some of the most powerful ransomware and malware variants. The group maintains strong connections to the Russian government and other cybercriminal gangs.

HC3 described the group as “exceptionally aggressive and capable.” Considering the group’s past crimes, this description seems highly accurate. In 2019, Evil Corp used Dridex malware to harvest login credentials from hundreds of banks, raking in more than $100 million in stolen funds.

The HC3 threat profile points out

Evil Corp should be considered a significant threat to the U.S. health sector based on several factors. Ransomware is one of their primary modi operandi as they have developed and maintained many strains. Many ransomware operators have found the health sector to be an enticing target as, due to the nature of their operations, they are likely to pay some form of ransom to restore operations. Healthcare organizations are particularly susceptible to data theft as personal health information (PHI) is often sold on the dark web to those looking to leverage it for fraudulent purposes. Foreign governments often find it to be more cost effective to steal research and intellectual property via data exfiltration cyberattacks rather than invest time and money into conducting research themselves. This includes intellectual property related to the health sector. It is entirely plausible that Evil Corp could be tasked with acquiring intellectual property from the U.S. health sector using such means at the behest of the Russian government.

Bleeping Computer, which is not offering the Week in Ransomware this holiday weekend, delves into the Lockbit ransomware gang.

Cybersecurity Dive informs us

A critical, but long-anticipated decision by Lloyd’s last week to phase out coverage for state-sponsored cyberattacks illustrates an insurance market that has been under increasing financial pressure for years. It also raises questions for U.S. companies about their preparedness and long-term risks amid more dangerous and sophisticated threats. 

“Cyber remains a priority area for Lloyd’s,” a spokesman said in an emailed statement. This month’s advisory guidance, “following consultation with our market, is to ensure we take on the right kinds of risk as a market while approaching this complex field with the expertise and diligence it requires.” 

The company said it will continue to take a pragmatic and innovative approach to supporting the growth of cyber. 

Lloyd’s policy says the company’s role is to support a competitive and resilient cyber insurance market, but the bulletin has not mandated clauses for managing agents. Instead of applying a one-size-fits-all approach, the new guidance encourages managing agents to apply due diligence to the specific complexities of state-sponsored attacks. 

From the cyber defenses front —

  • Cybersecurity Dive discusses best practices for getting full value out of multi-factor authentication and a city for a passwordless future.
  • Health IT Security says, “When properly implemented, zero trust security strategies can help healthcare organizations bolster their security efforts. However, the sector faces unique challenges surrounding IoT devices and identity and access management that are worth considering when contemplating zero trust in healthcare. In a new white paper, Health-ISAC provided guidance for healthcare CISOs to help them understand and implement zero trust security strategies.”
  • ZDNet offers Microsoft guidance on how to reduce exposure to ransomware attacks.
  • CISA calls attention to necessary updates to certain Apple products.
  • Fortune lists “five free online cybersecurity courses hosted by top universities.”

Cybersecurity Saturday

From the cyber breach front —

Cybersecurity Dive reports

LastPass, a password manager used by more than 33 million registered users, said an unauthorized actor was able to breach its systems, taking portions of its source code and some proprietary technical information, CEO Karim Toubba said Thursday.

LastPass said the incident was detected about two weeks ago after it identified unusual activity in the company’s development environment. However, after an investigation, it was determined no customer data or encrypted vaults were accessed. 

The company, which has more than 100,000 business customers, deployed containment and mitigation measures and hired a leading cybersecurity and forensics firm to help determine what happened. 

“While our investigation is ongoing, we have achieved a state of containment, implemented enhanced security measures, and see no further evidence of unauthorized activity,” Toubba said. 

The company is currently evaluating further mitigation measures.

Healthcare Dive adds

Cyberattacks are increasingly being focused on smaller healthcare companies and specialty clinics without the resources to protect themselves, instead of larger health systems that — despite being treasure troves of personal and medical data — generally have more sophisticated security, according to a new report from Critical Insight.

Cybercriminals hit the jackpot this year with the Eye Care Leaders electronic medical records breach, which exposed more than 2 million records. Other major attacks include those against revenue cycle management vendor Practice Resources, printing services vendor OneTouchPoint and accounts receivable firm Professional Financial Company that exposed the data of about 940,000 individuals, 1.1 million individuals and 1.9 million individuals respectively.

Overall breaches are steadily declining from their peak in the second half of 2020. But the trend of focusing on a systemic technology used across most providers is one the cybersecurity firm expects to continue throughout the remainder of the year, the report, which analyzes breach data reported to the HHS, said.

From the cyber vulnerabilities front —

CISA announced on August 24, 2022

Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system. 

CISA encourages users and administrators to review the Mozilla security advisories for Firefox 104, Firefox ESR 91.13, Firefox ESR 102.2, Thunderbird 91.13, and Thunderbird 102.2 and apply the necessary updates.

On August 23, 2022, CISA updated its August 16, 2022, alert on “Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite.”

From the ransomware front —

Cyberscoop tells us

Ransomware cases jumped 47 percent amid a rise in attacks involving newer strains of malicious software infecting targets, according to the cybersecurity firm NCC Group.

Reported incidents increased to 198 in July from 135 in June, according to the firm that issues semi-regular reports on ransomware activity by tracking websites that post victims’ details.

The Health Sector Cybersecurity Coordination Center (HC3) issued an analyst’s note on the Karakurt threat profile.

Karakurt ransomware group, also known as the Karakurt Team and Karakurt Lair, is a relatively new cybercrime group, with researchers reporting its first emergence in late 2021. Karakurt actors claim to steal data and then threaten to auction it off or release it to the public unless they receive payment of the demanded ransom, which has been known to range from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim. The group likely has ties to the Conti ransomware group, either as a business relationship or as a side business with Conti. Karakurt is also known for extensive harassment campaigns against victims to shame them. HC3 recommends the Healthcare and Public Health Sector (HPH) be aware of their operations and apply appropriate cybersecurity principles and practices found in this document in defending their infrastructure and data against compromise.

Here’s a link to the latest Week in Ransomware from the Bleeping Computer, which has the following lead —

We saw a bit of ransomware drama this week, mostly centered around LockBit, who saw their data leak sites taken down by a DDoS attack after they started leaking the allegedly stolen Entrust data.

From the cyber defenses front —

Security Intelligence offers businesses advice on creating and improving a Ransomware Playbook.

Cybersecurity Dive tells us

With all the uncertainty around the economy — and recession fears — organizations have to make some tough decisions as they plan 2023 budgets. 

IT budgets are expected to take a hit, as Gartner predicts that, while organizations will continue spending on IT, it will be at a much slower pace than in recent years.

If IT spending is slowing, will business leaders follow a similar approach for cybersecurity budgets? The answer is probably not. Gartner predicts that the end-user spending on both security technology and services will see an annual growth rate of 11% over the next four years, and many security professionals agree with that assessment.

That’s the way it should be, according to Bob Stevens, VP of public sector at GitLab.

“If it isn’t already, I foresee security becoming one of the top investment areas for companies and government agencies in the coming year – especially in the form of DevSecOps,” said Stevens. 

In fact, cybersecurity is now one of the top spending considerations for government and private sector leaders, according to GitLab’s 2022 Global DevSecOps Survey.

Health IT Security reports

More healthcare organizations are engaging with healthcare cybersecurity and data privacy consulting vendors to help mitigate risk and avoid the numerous repercussions of healthcare cyberattacks, data breaches, and HIPAA violations, a new KLAS report noted.

Researchers asked healthcare professionals about the security and privacy consulting vendors that their organizations worked with and how satisfied they were with vendor relationships, services, operations, and value.

Respondents reported being highly satisfied with First Health Advisory and Impact Advisors in particular. Healthcare professionals also reported improved executive involvement within Clearwater and CynergisTek, the latter of which recently entered 

Other assessed vendors included tw-Security, Intraprise Health, Guidehouse, Fortified Health Security, and Meditology Services.

Cybersecurity Saturday

From the cyber policy front —

Cybersecurity Dive reports

Cybersecurity and Infrastructure Security Agency Director Jen Easterly praised the efforts of the Joint Cyber Defense Collaborative (JCDC) following its one-year anniversary, saying in a blog post the public-private partnership has helped limit cyber risk at scale. 

JCDC helped federal agencies and private sector partners mitigate some major cybersecurity threats, Easterly said, including the Log4Shell crisis from December 2021; the development of the Shields Up campaign related to the Russia invasion of Ukraine; and the Daxin malware discovery from February. 

JCDC recently expanded to include industrial control partners. The change comes at a time when sophisticated malware threatens major critical infrastructure targets in the U.S. JCDC is also working to protect the nation’s election infrastructure from nation-state threats ahead of the November midterm elections.

and

U.S. executives now consider cyberattacks the No. 1 risk companies are confronting, according to a PwC Pulse survey released Thursday. The study shows 40% of top business executives consider cyberattack risk their top concern, followed by talent acquisition at 38%. 

Cybersecurity concerns have moved well beyond the office of the CISO or cyber risk officer, as the entire C-suite and corporate boards are focused on the risks of cyberattack. 

Almost half of all corporate executives said they are making additional investments in cybersecurity, while slightly more than half of executives said they are increasing investments in digital transformation.

Health IT Security adds

US Senator Angus King (I-ME) and Representative Mike Gallagher (R-WI), both co-chairs of the Cyberspace Solarium Commission (CSC), wrote a letter to HHS Secretary Xavier Becerra asking about the current status of HHS’ healthcare cybersecurity efforts.

King and Gallagher, who also authored the Sector Risk Management Agency (SRMA) legislation, urged HHS and the Biden administration to bolster cybersecurity efforts and called on HHS to hold an urgent briefing on the administration’s current cybersecurity posture and plans for improvement.

From the cyber vulnerabilities front —

The Wall Street Journal reports

All companies should be using two-factor authentication at least to secure their systems, but relying on text messages alone is foolish, cybersecurity experts say.

The process, known as 2FA, adds another level of protection to systems by requiring users to verify their identity through more than just a password. Often, this takes the form of a verification code sent by text message—or SMS—or voice calls, but experts warn that these systems are becoming increasingly out of date.

“SMS was never designed to be a 2FA method,” said Jamie Boote, associate principal consultant at cybersecurity company Synopsys Software Integrity Group. “Originally, it was a maintenance communication channel between cell towers and phones. It only became a consumer-centric communications channel after users discovered they could send text messages to one another.”

The widespread use of SMS as a security mechanism has also increased hackers’ focus on compromising the technology, Mr. Boote said. Hackers also use SMS as an avenue to launch other attacks, he said. Common methods include phishing attacks by text message, known as smishing, and SIM-swapping, in which a cellphone is cloned, meaning attackers can read messages sent to a device. * * *

Mobile security specialists say the best forms of protection for 2FA are security tokens such as those developed by the Fast Identity Online Alliance, or FIDO, a consortium including Apple Inc., Microsoft Corp. and Alphabet Inc.’s Google that is creating open security standards. The general lack of security in mobile phones means they are often easy targets for hackers without the added protection that more advanced security technologies such as those developed by FIDO provide, said Hank Schless, senior manager of security solutions at cyber company Lookout Inc.

ZDNet adds

Using [multi-factor authentication] MFA protects against the vast majority of attempted account takeovers, but recently there’s been a surge in cyber attacks which aim to dodge past multi-factor authentication security. According to Microsoft, in just one campaign 10,000 organizations have been targeted in this way during the last year.

One option for hackers who want to get around MFA is to use a so-called adversary-in-the-middle (AiTM) attack, which combines a phishing attack with a proxy server between the victim and the website they’re trying to log in to. This allows the attackers to steal the password and session cookie which provides the additional level of authentication they can exploit – in this case to steal email. The user simply thinks they have logged into their account as usual.

“Note that this is not a vulnerability in MFA; since AiTM phishing steals the session cookie, the attacker gets authenticated to a session on the user’s behalf, regardless of the sign-in method the latter uses,” as Microsoft notes of that particular campaign. * * *

While it isn’t totally infallible, using multi-factor authentication is still a must as it stops a significant amount of attempted account takeover attempts. But as cybercriminals get smarter they’re increasingly going to go after it – and that requires extra levels of defense, particularly from those responsible for securing networks. 

“It’s good it’s recommended because you won’t be the lower hanging fruit. But you definitely need to augment it with additional layers of security because, just like any other siloed security solution, it can be circumvented and you can’t think everything is secure, just because of one security layer,” says Etay Maor, senior director of security strategy at Cato Networks.  
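The Microsoft observation quoted above is the key defensive point: once the attacker holds the post-MFA session cookie, the sign-in method no longer matters, so the defender has to treat the session itself as the thing to protect. The following is an added example written for this page, not code from ZDNet, Microsoft or Cato Networks. It shows two server-side controls that follow from that point: a detection routine that flags a session id presented from a different client than the one that completed MFA, and a cookie format that binds the session to a client-held channel value so a cookie exported to another machine is rejected. All events, user names, IP addresses and the channel values are constructed for the example; the field names and the `signin_mfa_ok` event kind are assumptions, not any vendor’s schema.

```python
"""Added example (not from the ZDNet excerpt or Microsoft's write-up).

Two defender-side checks that follow from the point that AiTM phishing hands
the attacker a valid post-MFA session cookie:

1. detect_session_replay(): flag a session id that is presented from a different
   client (IP or User-Agent) than the one that completed MFA sign-in;
2. issue_bound_cookie()/validate_bound_cookie(): bind the cookie to a
   client-held channel value so a cookie exported to another machine fails.

All log events, user names, IPs and channel values below are constructed.
"""
import hashlib
import hmac
import secrets
from typing import NamedTuple


class Event(NamedTuple):
    ts: int          # seconds since epoch (constructed)
    kind: str        # "signin_mfa_ok" or any later use of the session (assumed names)
    user: str
    session_id: str
    client_ip: str
    user_agent: str


UA_FIREFOX = "Mozilla/5.0 (Windows NT 10.0) Firefox/104.0"
UA_SAFARI = "Mozilla/5.0 (Macintosh) Safari/605.1"

# Constructed sample events. Session s1 is used from a second client 90 s after
# its owner signed in, which is what a replayed cookie looks like server-side.
SAMPLE_EVENTS = [
    Event(1000, "signin_mfa_ok", "alice", "s1", "203.0.113.10", UA_FIREFOX),
    Event(1030, "mail_read",     "alice", "s1", "203.0.113.10", UA_FIREFOX),
    Event(1090, "mail_read",     "alice", "s1", "198.51.100.7", "python-requests/2.28"),
    Event(1100, "signin_mfa_ok", "bob",   "s2", "192.0.2.5",    UA_SAFARI),
    Event(1200, "mail_read",     "bob",   "s2", "192.0.2.5",    UA_SAFARI),
]


def detect_session_replay(events, window_s=3600):
    """Return (user, session_id, signin_ip, seen_ip) for every session used from a
    client other than the one that completed MFA, within window_s of sign-in.

    Caveat: this catches a cookie that was exfiltrated and reused elsewhere. A
    proxy that completed the sign-in itself looks like the legitimate client, which
    is why phishing-resistant (origin-bound) MFA is still needed for the sign-in leg.
    """
    origin = {}   # session_id -> (ts, ip, ua) recorded at MFA sign-in
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "signin_mfa_ok":
            origin[ev.session_id] = (ev.ts, ev.client_ip, ev.user_agent)
            continue
        if ev.session_id not in origin:
            continue
        ts0, ip0, ua0 = origin[ev.session_id]
        if ev.ts - ts0 <= window_s and (ev.client_ip != ip0 or ev.user_agent != ua0):
            alerts.append((ev.user, ev.session_id, ip0, ev.client_ip))
    return alerts


SERVER_KEY = secrets.token_bytes(32)   # server-side MAC key; rotated in practice


def _binding_tag(session_id, channel_value):
    # MAC over the session id and a hash of the client's channel value.
    msg = session_id.encode() + b"|" + hashlib.sha256(channel_value).digest()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_bound_cookie(session_id, channel_value):
    """Cookie = session id + MAC over (session id, client channel value).

    channel_value stands in for something only the legitimate client channel can
    present again (e.g. a TLS-channel-derived or device-bound key); it is not
    something the server can later accept from an arbitrary client.
    """
    return f"{session_id}.{_binding_tag(session_id, channel_value)}"


def validate_bound_cookie(cookie, channel_value):
    """Accept only if the channel value presented now matches the one bound at issue."""
    session_id, _, tag = cookie.partition(".")
    return hmac.compare_digest(tag, _binding_tag(session_id, channel_value))


if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_EVENTS):
        print("possible session replay:", alert)
    victim_channel = b"victim-device-channel-key"        # constructed
    attacker_channel = b"attacker-machine-channel-key"   # constructed
    cookie = issue_bound_cookie("s1", victim_channel)
    print("victim presents cookie:", validate_bound_cookie(cookie, victim_channel))
    print("replay from another client:", validate_bound_cookie(cookie, attacker_channel))
```

Running the script reports one replay alert for `alice`/`s1` (sign-in from 203.0.113.10, reuse from 198.51.100.7) and none for `bob`; the bound cookie validates only when the original channel value is presented. The two controls are complementary: binding addresses cookies that are exported, detection addresses reuse that binding cannot stop, and neither replaces the phishing-resistant authenticators (such as FIDO tokens) that the Wall Street Journal excerpt above recommends for the sign-in leg itself.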

and

There’s been a big rise in cybercriminals combining fraudulent emails and telephone calls to trick victims into disclosing sensitive information like passwords and bank details.

Known as vishing attacks, criminals and scammers telephone victims and attempt to use social engineering to trick them into giving up personal data.  

Researchers warn that vishing and other email-based phishing attacks will continue to be a problem – but there are steps that organisations can take to help prevent attacks.

“Capabilities to automatically detect and remove threats from all infected employee inboxes before users can interact with them also plays a critical role, as well as a proper security training regimen, to prepare users to be on the lookout for such threats,” said John Wilson, the senior fellow responsible for threat research at Agari. 

The Health Sector Cybersecurity Coordination Center (HC3) issued an analyst’s note on vishing this week.

This week

  • CISA “and the Multi-State Information Sharing & Analysis Center (MS-ISAC) published a joint Cybersecurity Advisory (CSA) in response to active exploitation of multiple Common Vulnerabilities and Exposures (CVEs) against Zimbra Collaboration Suite (ZCS), an enterprise cloud-hosted collaboration software and email platform.”
  • CISA also added seven known exploited vulnerabilities to its catalog.
  • HC3 issued a Sector Alert on Apple fixes to two Zero Day Exploits.
  • HC3 also released its vulnerability bulletin concerning “July Vulnerabilities of Interest to the Health Sector.”

HC3 posted a PowerPoint presentation on the impact of social engineering on healthcare.

From the ransomware front, here is a link to the latest Bleeping Computer’s Week in Ransomware.

From the cyber defenses front —

Cybersecurity Dive reports

A fundamental shift in information security practices is underway, as 55% of organizations now have a zero trust initiative in place, more than double the 24% totals from a year ago, according to the State of Zero Trust report from Okta released Tuesday. 

The report shows almost universal adoption of zero-trust principles, as 97% of businesses either have a zero trust initiative in place or will adopt one in the next 12-18 months. 

“Today we’ve seen that zero trust is no longer a theoretical idea — it’s an active initiative that almost every organization across [every] industry is implementing,” Christopher Niggel, regional chief security officer for the Americas at Okta, said via email.

Security Week offers expert opinions on prevention being the future of cybersecurity and the future of endpoint management.