From the cybersecurity policy front,

• The National Institutes of Standards and Technology (NIST) announced,
  • “NIST is issuing one new proposed control and two control enhancements with corresponding assessment procedures for an expedited 2-week public comment period for October 17–31, 2023. All interested users are invited to provide real-time input to SP 800-53 controls, participate in public comment periods, and plan for future changes to the catalog at the website for Public Comments on SP 800-53 Controls. Review and submit comments on the proposed new control and enhancements by selecting the “Candidates” button. 
  • “NIST will also issue a patch release — SP 800-53 Release 5.1.1 — in early November 2023 via the Cybersecurity and Privacy Reference Tool to help organizations better manage cybersecurity and privacy risks to identity and access management systems. The changes included will not be issued as a new PDF publication at this time, and organizations will have the option to defer implementing the changes included in Patch Release 5.1.1 until SP 800-53, Release 6.0.0 is issued. 
  • “For more information, see the News Item and FAQ about SP 800-53 Comment Period Release 5.1.1.”

• Yesterday, “the Cybersecurity and Infrastructure Security Agency (CISA) announced next steps for ongoing engagement with industry and government to update the National Cyber Incident Response Plan (NCIRP). As directed by the President’s 2023 National Cybersecurity Strategy, CISA, in close coordination with the Office of the National Cyber Director, is embarking on a process to gather input from public and private sector partners– including the federal interagency, Sector Risk Management Agencies (SRMAs), regulators, and critical infrastructure organizations, to identify key changes for incorporation into the updated NCIRP.”
  • Here is a link to the related CISA fact sheet. “CISA encourages all organizations to read the fact sheet and visit CISA’s NCIRP webpage to learn about this long-term effort and stay updated on the development of the NCIRP 2024.”

• The American Hospital Association News adds that federal agencies this week issued “updated guidance to help software manufacturers demonstrate their commitment to secure by design principles and customers ask for products that are secure by design.”

From the cybervulnerabilities and breaches front,

• Dark Reading tells us,
  • “Eight newly discovered vulnerabilities in the SolarWinds Access Rights Manager Tool (ARM) — including three deemed to be of critical severity — could open the door for attackers to gain the highest levels of privilege in any unpatched systems.
  • “As a broad IT management platform, SolarWinds occupies a uniquely sensitive place in corporate networks, as the world learned the hard way three years ago. Its power to oversee and affect critical components in a corporate network is nowhere better epitomized than in its ARM tool, which administrators use to provision, manage, and audit user access rights to data, files, and systems.
  • “So, admins should take note that on Thursday [October 19], Trend Micro’s Zero Day Initiative (ZDI) revealed a series of “High” and “Critical”-rated vulnerabilities in ARM. As Dustin Childs, head of threat awareness at the ZDI, explains, “The most severe of these bugs would allow a remote unauthenticated attacker to execute arbitrary code at system level. They could completely take over an affected system. While we did not look at exploitability, the potential of these vulnerabilities is about as bad as it gets.”

• Per Cybersecurity Dive,
  • Cisco will release a security fix Sunday [October 22] to address a critical zero-day vulnerability in Cisco IOS XE software, a spokesperson told Cybersecurity Dive, citing an updated bulletin from the company. 
  • An unidentified hacker exploited the web user interface in Cisco IOS XE and installed malicious backdoors in about 42,000 devices worldwide, security researchers estimate.

• American Hospital News informs us,
  • The CISA, FBI and Multi-State Information Sharing and Analysis Center this week alerted organizations to a critical vulnerability affecting certain versions of the Atlassian Confluence Data Center and Server that enables malicious actors to obtain access to victim systems and continue active exploitation post-patch. The agencies strongly encourage network administrators to immediately apply the recommended upgrades and recommended responses to indicators of compromise.”

• CISA added one more known exploited vulnerability to its catalog on October 16 and two more on October 19.

• HHS’s Health Sector Cybersecurity Coordination Center issued on October 18 an Analyst Note titled “Summary of Findings on Potential ServiceNow Vulnerability.”
  • “On October 14, 2023, a cybersecurity researcher claimed that there is a potential data exposure issue within ServiceNow’s built-in capability that could allow unauthenticated users to extract data from records.
  • “ServiceNow is a cloud computing platform to help companies manage digital workflows for enterprise operations, including the Healthcare and Public Health (HPH) sector. Types of data likely exposed include names, e-mail addresses, and internal documents from potentially thousands of companies.
  • “One cybersecurity company stated that around 70% of total instances seem to be affected in ServiceNow’s capability. The vulnerability has yet to be exploited by threat actors, but the likelihood that it will be is probable.”

• Bleeping Computer reports,
  • “Security researchers found that IT administrators are using tens of thousands of weak passwords to protect access to portals, leaving the door open to cyberattacks on enterprise networks.
  • “Out of more than 1.8 million administrator credentials analyzed, over 40,000 entries were “admin,” showing that the default password is widely accepted by IT administrators.”

From the ransomware front,

• On October 19,
  • “CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released an updated version of the joint #StopRansomware Guide. The update includes new prevention tips such as hardening SMB protocols, revised response steps, and added threat hunting insights.
  • “Developed through the U.S. Joint Ransomware Task Force (JRTF), #StopRansomware Guide is designed to be a one-stop resource to help organizations minimize the risks posed by ransomware incidents through best practices to detect, prevent, respond, and recover, including step-by-step approaches to address potential attacks.
  • “CISA and its partners encourage organizations to implement the recommendations in the guide to reduce the likelihood and impact of ransomware incidents. For more information, visit CISA’s Stop Ransomware page.”

• Here’s a link to Bleeping Computer’s The Week in Ransomware.
  • “Cybersecurity researchers released interesting reports on ransomware, including:
    • “A new GhostLocker ransomware-as-a-service run by GhostSec.
    • “BlackCat ransomware use of a new ‘Munchkin’ Linux virtual machine in attacks.
    • “More ransomware gangs targeting Confluence servers.
    • “Analysis of Akira’s MegaZord encryptor variant.”

From the cybersecurity defenses front,

• The FEHBlog noticed that Security Week published a series of articles on this topic in October.
  • “Lost and Stolen Devices: A Gateway to Data Breaches and Leaks; By implementing strong security practices, organizations can significantly reduce the risks associated with lost and stolen computers and safeguard their sensitive information.
  • Applying AI to API Security; While there is quite a bit of buzz and hype around AI, it is a technology that can add tremendous value to security programs.
  • Addressing the People Problem in Cybersecurity; Addressing the people problem with effective approaches and tools for users and security practitioners will enable us to work smarter, and force attackers into a position where they must work harder.

• HHS’s Office for Civil Rights, which enforces the HIPAA Privacy and Security Rule, released its October 2023 Cybersecurity Newsletter, which concerns how sanctions policies can support HIPAA compliance.

• NIST “interviewed NIST’s Michael Ogata (Computer Scientist) and Paul Watrobski (IT Security Specialist) about the importance of updating software.”

• On October 18, CISA “National Security Agency (NSA), Federal Bureau of Investigation (FBI) and Multi-State Information Sharing and Analysis Center (MS-ISAC) today published “Phishing Guidance, Stopping the Attack Cycle at Phase One” to help organizations reduce likelihood and impact of successful phishing attacks. It provides detailed insight into malicious actor techniques, as well as technical mitigations and best practices to help prevent successful phishing attempts.”  

• Dark Reading discusses “Change From Within: 3 Cybersecurity Transformation Traps for CISOs to Avoid.”

From the cybersecurity policy front,

• Per Cybersecurity Dive,
  • Federal authorities are trying to strengthen the security of open-source software used by critical infrastructure providers in a bid to improve risk management, particularly across operational technology and industrial control system vendors. 
  • Critical infrastructure providers have faced heightened risks of malicious attack in recent years, both from nation-state threat actors and criminal ransomware groups, the Cybersecurity and Infrastructure Security Agency and other federal agencies said Tuesday in an open-source security guide.   

• Forbes tells us about the top ten cybersecurity trends In 2024 that everyone must be ready for now.

From the cybersecurity vulnerabilities and breaches front,

• Cyberscoop reports,
  • “Distributed denial of service attacks just keep getting bigger. On Tuesday, a coalition of tech giants revealed the biggest one yet, a DDoS campaign from August that compressed a month’s worth of Wikipedia traffic into a two-minute deluge and exploited a flaw in the fundamental technology powering the internet to do it. 
  • “At its peak, the DDoS campaign described by Google, Cloudflare and Amazon AWS reached more than 398 million requests per second (RPS) — more than eight times larger than the biggest DDoS attack previously observed by Google, which clocked in at 46 million RPS, according to the firm. The new attack uses a novel method that exploits a zero-day vulnerability dubbed “HTTP/2 Rapid Reset,” which takes advantage of the protocol that manages how computers request data from websites.
  • “For a sense of scale, this two-minute attack generated more requests than the total number of article views reported by Wikipedia during the entire month of September 2023,” Google said Tuesday.
  • “The DDoS attacks using the vulnerability have been ongoing since August and have targeted major infrastructure providers like Google Cloud, Cloudflare and Amazon Web Services.”

• The Cybersecurity and Infrastructure Security Agency added five known exploited vulnerabilities to its catalog on Tuesday, October 10, 2023.

From the ransomware front,

• Per Cybersecurity Dive,
  • “Threat actors can break into an organization’s infrastructure to initiate ransomware attacks in many ways, but vulnerability exploits remain an effective and productive tool for financially-motivated cybercriminals, data from the Cybersecurity and Infrastructure Security Agency shared Thursday illustrates.
  • “Nearly 1 in 5 exploited common vulnerabilities and exposures (CVE) are also known to be used in ransomware attacks, according to CISA’s Known Exploited Vulnerabilities Catalog.
  • “The database of 1,019 exploited CVEs, some dating back to 2002, was updated Thursday to include those with known ransomware exploits. At least 184 CVEs have known use in ransomware attacks, according to CISA.
  • “Of those, more than 2 in 5 of the vulnerabilities exploited by threat actors to conduct ransomware are linked to Microsoft products, which are ubiquitous in the enterprise.”

• Here’s a link to the referenced CISA report, which was released on October 12, 2023.

• CISA “released [on October 11, 2023] a joint Cybersecurity Advisory (CSA), #StopRansomware: AvosLocker Ransomware (Update) to disseminate known indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), and detection methods associated with the AvosLocker variant identified through FBI investigations as recently as May 2023.”

• HHS’s Healthsector Cybersecurity Coordination Center (HC3) issued an Analyst Note on NoEscape Ransomware on October 12.
  • “A relatively new threat actor and ransomware to the cybercriminal community, NoEscape ransomware emerged in May 2023, but is believed to be a rebrand of Avaddon, a now-defunct ransomware group shut down in 2021. Unlike many of its contemporaries, however, the unknown developers of this ransomware claim that in lieu of using source code or leaks from other established ransomware families, they have constructed their malware and its associated infrastructure entirely from scratch. Using unique features and aggressive multi-extortion tactics, in just under a year, it has targeted multiple industries, including the Healthcare and Public Health (HPH) sector. Their recent activities highlight the prominence and influence they have as a Ransomware-as-a-Service (RaaS) group. What follows is an overview of the group, possible connections to the Avaddon threat group, an analysis of NoEscape’s ransomware attacks, its target industries and victim countries, sample MITRE ATT&CK techniques, and recommended defense and mitigations against the ransomware.”

• Bleeping Computer’s The Week in Ransomware” returned this week.
  • Researchers and government agencies released some interesting news this week:
    • “A new Q3 2023 Ransomware Trends Summary shows that ransomware continues to explode, with Q3 being the most successful quarter ever recorded.
    • “The FBI shared technical details, defense tips, and IOCs for the AvosLocker ransomware, which has not been active lately.
    • “Ransomware attacks have now started to target unpatched WS_FTP servers. However, these attacks are more encryption-focused rather than for data theft.”

From the cybersecurity defenses front.

• HC3 offers a PowerPoint on cybersecurity incident response plans.

• Forbes points out the top 10 cybersecurity trends to prepare you for next year and explains why 18 factors and metrics can prove the value of cybersecurity initiatives.

• Health IT Security reports on three best practices for maturing healthcare third party risk management.

• An ISACA expert delves into “Quantum-Resistant Cryptography.”
  • “Crypto-agility was introduced in this year’s Gartner Hype Cycle, an annual analysis released for data security and emerging technologies. Gartner added both crypto-agility and post-quantum cryptography for the first time this year. The presence of data-in-use technologies in the Hype Cycle reflects the focus on data-in-transit security.
  • “It is imperative that organizations watch this space closely and upgrade encryption algorithms used in real time, because sovereign data strategies and digital communications governance are crucial areas to develop. In fact, CISA (Cybersecurity and Infrastructure Security Agency) was already urging organizations to prepare for the dawn of this new age in August.”

From the cybersecurity policy front,

• The Federal Employees Health Benefits Program has two sets of regulations — OPM’s rules found at 5 CFR Part 890 and because federal procurement contracts create FEHB plans, the Federal Acquisition Regulation (FAR) at 48 CFR Chap. 1 and OPM’s implementing FEHB Acquisition Regulation (FEHBAR)found at 48 CFR Chap. 16. It’s worth noting that the FAR was first issued forty years ago.
• The Holland and Knight law firm discusses two proposed FAR cybersecurity rules published on October 3, 2023. The first one (FAR Case No. 2021-17) captioned “Cyber Threat and Incident Reporting and Information Sharing will apply to the FEHB Program as it generally imposes obligations on federal contractors. The other rule (FAR Case No. 2021-19 captioned “Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems” will not apply to the FEHB because carrier systems are not federal information systems. The public comment deadline for the two proposed rules is December 4, 2023.  

• The National Security Agency announced on October 5, 2023,
  • “The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing a joint Cybersecurity Advisory (CSA) highlighting the top ten most common cybersecurity misconfigurations found in large organizations’ networks. The CSA details tactics, techniques, and procedures (TTPs) that cyber actors could use to compromise these networks, as well as mitigations to defend against this threat. * * *
  • “As indicated in the CSA, these most common misconfigurations illustrate a trend of systemic weaknesses in several large organizations and the importance of software manufacturers embracing secure-by-design principles to reduce the risk of compromise.
  • “Some of the misconfigurations mentioned in the CSA include default configurations of software and applications, weak or misconfigured multifactor authentication (MFA) methods, and unrestricted code execution.
  • “NSA and CISA encourage network defenders and software manufacturers to implement the recommendations found within the Mitigations section of this advisory to reduce the risk of compromise. The agencies also recommend network owners and operators examine their networks for similar misconfigurations even when running other software not specifically mentioned in the advisory.”

• The Cybersecurity and Infrastructure Security Agency (CISA) announced on October 4, 2023,
  • “CISA and the National Security Agency (NSA) published Identity and Access Management: Developer and Vendor Challenges, authored by the Enduring Security Framework (ESF), a CISA- and NSA-led working panel that includes a public-private cross-sector partnership. ESF aims to address risks that threaten critical infrastructure and national security systems.
  • “This publication, which follows ESF’s Identity and Access Management Recommended Best Practices Guide for Administrators, assesses and addresses challenges developers and technology manufacturers face in identity and access management (IAM). The guidance specifically addresses technology gaps that limit the adoption and secure employment of multifactor authentication (MFA) and single sign-on (SSO) technologies within organizations.
  • “Although the publication primarily addresses challenges facing large organizations, it also provides recommendations applicable to smaller organizations. CISA encourages cybersecurity defenders to review this guidance and to speak to their software vendors about implementing its recommendations.”

• The Health Sector Cybersecurity Coordination Center (HC3) released on October 4, 2023, a sector alert about securing remote access and management software.
  • “Cybersecurity and law enforcement agencies such as CISA, MS-ISAC, CIS, and the FBI have been reporting on increased misuse of remote access software to target organizations and critical infrastructure sectors.
  • “For implications to the Healthcare and Public Health (HPH) sector, remote access solutions keep healthcare professionals connected while also providing increased flexibility and convenience. But the same solutions used to operate, maintain, and secure healthcare systems and networks can also be turned against their own infrastructure. Mitigating the risk associated with them is not as simple as deploying a patch or reconfiguring an application.”

• The Health Sector Council released an updated Health Industry Cybersecurity Supply Chain Risk Management Guide – Version 2023 (HIC-SCRiM-v2)
  • The HIC-SCRiM is a toolkit for small to mid-sized healthcare institutions to better ensure the security of the products and services they procure through an enterprise supply chain cybersecurity risk management program.

From the cybersecurity breaches and vulnerabilities front,

• HC3 announced on October 6, 2023,
  • “Cisco recently released an update that fixes a critical vulnerability in their Emergency Responder communications platform, a system that is utilized in the health sector. The exploitation of this vulnerability allows for a cyberattacker to completely compromise a vulnerable system and then utilize it for further cyberattacks across an enterprise network. HC3 recommends healthcare organizations identify vulnerable systems in their infrastructure and prioritize the implementation of this update.”

• HC3 posted its report on September vulnerabilities of interest to the health sector on October 5, 2023.
  • In September 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for September are from Microsoft, Google/Android, Cisco, Apple, Mozilla, SAP, Fortinet, VMWare, Progress Software, and Adobe.
  • A vulnerability is given the classification as a zero-day when it is actively exploited with no fix available or if it is publicly disclosed.
  • HC3 recommends patching all vulnerabilities with special consideration to the risk management posture of the organization.

• CISA added one known exploited vulnerability to its catalog on October 2, another one on October 3, two more on October 4 (and deleted five catalog entries) and three more on October 5, 2023.

From the cybersecurity defenses front,

• Cybersecurity Dive discusses what to consider when choosing cybersecurity providers.

• Dark Reading proposes “five steps [by which] organizations can develop stronger security practices and make the inevitable breaches inconsequential.

• An ISACA expert explains how to comply with multiple security standards and frameworks.

• Another ISACA expert discusses common privacy dark patterns and ways to improve digital trust.

From the cybersecurity policy front,

• The Cybersecurity and Infrastructure Security Agency announced
  • “[T]he kickoff of the 20th Cybersecurity Awareness Month. Throughout October, CISA and the National Cybersecurity Alliance (NCA) will focus on ways to “Secure Our World” by educating the public on how to stay safe online. “Secure Our World” will also be the enduring theme for throughout the year as we work to drive behavioral change around core cybersecurity habits by providing everyone with the knowledge and tools they need. 
  • “As cyber threats become more sophisticated, individuals and families, small and medium businesses, and large companies all have an important role to play to in keeping our digital world safe and secure,” said CISA Director Jen Easterly. “This Cybersecurity Awareness Month we are asking everyone to do their part to ‘Secure Our World’ by adopting key behaviors that promote online safety and security.” * * *
  • “CISA encourages everyone to explore the resources on our Cybersecurity Awareness Month website, which includes a toolkit, tip sheets, and animated videos.”

• Cyberscoop also reports on CISA’s campaign.

• The National Institutes of Standards and Technology tells us
  • “The Human-Centered Cybersecurity program (formerly Usable Cybersecurity) is part of the Visualization and Usability Group at NIST. It was created in 2008, but we’ve known for quite some time that we needed to rename our program to better represent the broader scope of work we provide for the cybersecurity practitioner and IT professional communities. We made the decision to update the name to Human-Centered Cybersecurity to better reflect our new (but long-time practiced) mission statement, “championing the human in cybersecurity.” With our new name, we hope to highlight that usability still (and always) will be a very important focus for us, but it is just one component within the broader arena of work in which we specialize.   
  • “Our multi-disciplinary team conducts research at the intersection of cybersecurity, human factors, cognitive science, and psychology. We seek to better understand and improve people’s interactions with cybersecurity systems, products, and services. 
  • “To learn more about our latest projects, watch our latest videos, meet the team, or to view our publications, visit our revamped website https://csrc.nist.gov/projects/human-centered-cybersecurity.” 

From the cybersecurity vulnerabilities and breaches front,

• Cybersecurity Dive reports,
  • “Progress Software quietly alerted customers to eight vulnerabilities in WS_FTP Server, another file-transfer service from the company behind MOVEit.
  • “The company shared the news the day after its fiscal third-quarter earnings call.
  • “Two of the eight vulnerabilities are critical, with CVSS scores of 10 and 9.9 out of 10, CVE-2023-40044 and CVE-2023-42657, respectively. All versions of the file-transfer service, which allows customers to remotely manage their service from any internet connection, are impacted, the company said Wednesday. Thousands of IT teams use WS_FTP Server, according to a product page.
  • “There’s no indication any of the vulnerabilities in WS_FTP Server have been exploited, a Progress Software spokesperson told Cybersecurity Dive.”

• Yesterday, the Health Sector Cybersecurity Coordination Center (HC3) issued a related Sector Alert.
  • “Progress Software, the maker of the MOVEit file transfer software, which was widely exploited by the CL0P ransomware-as-a-service (Raas) group, has released a new advisory regarding multiple vulnerabilities in the WS_FTP Server, a file transfer product. Two of the vulnerabilities were rated as critical and are being tracked as CVE-2023-40044, which can allow an attacker to execute remote commands, and as CVE- 2023-4265, which is a directory traversal vulnerability. Due to the recent and malicious targeting of Progress Software’s products to compromise Healthcare and Public Health (HPH) sector entities, HC3 strongly encourages patching and upgrading these devices to prevent serious damage to the HPH sector.”

• Dark Reading also discusses this development.

• Also on Friday, HC3 issued an Analyst Note on LokiBot malware.
  • “Active since 2015 and among the most prevalent and persistent strains of malware families since 2018, LokiBot has matured to target multi-sector industries. Despite its apolitical targeting of critical infrastructure, the malware’s adverse effect on the Healthcare and Public Health (HPH) sector shows its reach.
  • “In March 2020, a multi-threat actor spearphishing campaign to spread LokiBot malware with a false World Health Organization trademark image solidified its threat to the HPH sector. In addition to other malware analyses, HC3 reported this specific cyberattack in a 2020 HC3 Sector Note on LokiBot. The malware has been widely used for years, and it takes a lot of effort to monitor because of behavior changes. However, some best practices exist for protecting against LokiBot and managing its impact.
  • “What follows [in the analyst note] is an update to the previous HC3 analysis of LokiBot, a timeline of multi-sector targeted applications, detection strategies, sample MITRE ATT&CK techniques, indicators of compromise, and recommended defenses and mitigations against the malware.”

• According to a post on Wednesday,
  • “[T]he U.S. National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Cybersecurity and Infrastructure Security Agency (CISA), along with the Japan National Police Agency (NPA) and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) released joint Cybersecurity Advisory (CSA) People’s Republic of China-Linked Cyber Actors Hide in Router Firmware. The CSA details activity by cyber actors, known as BlackTech, linked to the People’s Republic of China (PRC). The advisory provides BlackTech tactics, techniques, and procedures (TTPs) and urges multinational corporations to review all subsidiary connections, verify access, and consider implementing zero trust models to limit the extent of a potential BlackTech compromise.
  • “BlackTech has demonstrated capabilities in modifying router firmware without detection and exploiting routers’ domain-trust relationships to pivot from international subsidiaries to headquarters in Japan and the United States, which are the primary targets.
  • “CISA strongly recommends organizations review the advisory and implement the detection and mitigation techniques described to protect devices and networks. For additional guidance, see People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices and visit CISA’s China Cyber Threat Overview and Advisories page.”

• Cyberscoop lets us know,
  • North Korean cyberespionage operation targeted employees of an aerospace company in Spain using a previously unreported backdoor and a creative phishing campaign featuring a phony Silicon Valley recruiter, demonstrating a “significant advancement in malicious capabilities,” researchers with the cybersecurity firm ESET said Friday. 
  • Hackers linked with North Korea’s Lazarus Group — an umbrella term for a collection of North Korean cyber units — posed as a recruiter for Meta and contacted employees of the unnamed company via LinkedIn and sent two coding challenges supposedly part of the hiring process but which were in fact laced with malware, Peter Kálnai, an ESET researcher, wrote in a report published Friday.
  • The operation, carried out some time last year, is just the latest example of North Korean-linked cyber operations using phony job opportunities to target various professionals, including journalists, security researchers and software developers, among others. 

• Over the past week, CISA added three known exploited vulnerabilities to its catalog on Monday and another on Thursday.

• Per Health IT Security,
  • Advanced email attacks remain a top threat to organizations around the world, including those in the healthcare sector, Abnormal Security observed in its latest blog post. Abnormal saw a 167 percent increase in advanced email attacks in 2023, which included business email compromise (BEC), malware, credential phishing, and extortion.

From the ransomware front,

• BitDefender reported on Thursday,
  • “Johnson Controls, a multinational conglomerate that secures industrial control systems, security equipment, fire safety and air conditioning systems, has been hit by a massive cyber attack.
  • “The company, which employs over 100,000 people around the world, suffered a ransomware attack over the weekend which left data encrypted and caused it to shut down sections of its IT infrastructure.
  • “The Dark Angels ransomware group has claimed responsibility for the attack and claims to have exfiltrated over 25 TB of data from the organization.  The threat?  If a whopping $51 million ransom is not paid, Dark Angels say that the stolen data will be published on the “Dunghill Leaks” site.

• Here’s a link to Bleeping Computer’s Week in Ransomware. On top of the Johnson Control’s attack, Bleeping tells us
  • We also continue to see the effects of Clop’s massive MOVEit data-theft attacks, with the National Student Clearinghouse warning of a data breach that impacted 890 schools and the BORN Ontario child registry breach impacting 3.4 million people, including patients at the Hospital for Sick Children (SickKids).
  • Cybersecurity firms, journalists, and law enforcement also released interesting reports this week:
    • A threat actor named ShadowSyndicate is linked to 7 ransomware operations.
    • Hackers are actively exploiting OpenFire flaws to encrypt servers.
    • The Snatch extortion gang left their server status page open, allowing anyone to see who was connecting to the server.
    • The FBI warned that ransomware affiliates are accelerating double-encryption attacks.
    • A look at Akira’s new PowerRanges variant, internally called Megazord.

From the cybersecurity defenses front,

• An ISACA expert discusses lessons learned from Microsoft’s “massive” data exposure incident.

• CIO explores the changing face of cybersecurity threats this year.

• The Wall Street Journal looks into why employees ignore workplace cybersecurity rules.
  • “People are able to justify their bad behavior with rationalizations. Companies need to tackle the lies we tell ourselves head on.”

• The GAO issued
  • “A Cybersecurity Program Audit Guide (CPAG) to be used in conducting cybersecurity performance audits. The intent of the guide is to arm cyber analysts and auditors with a set of methodologies, techniques, and audit procedures to evaluate components of agency cybersecurity programs and systems. GAO welcomes federal and other governmental organizations to use this guide to assess their cybersecurity programs.”

• The Wall Street Journal reports,
  • “It’s telling that, in a year that was pretty economically challenging, security didn’t plummet in terms of spending,” said Nick Kakolowski, director of research at IANS Research, a cybersecurity advisory group.
  • “Cyber budgets grew this year for the most part, but modestly, IANS found in a study with recruiting company Artico Search. After double-digit increases in 2020 and 2021, the average growth in cybersecurity budgets for 2023 was 6%, according to the survey of 550 security executives. As a portion of overall technology budgets, cyber accounted for 11.6%, the study found. Around 37% of respondents to the survey said their cyber budgets were flat or reduced, the survey found.”

From Washington, DC —

• Health IT Security reports,
  • “The Department of Homeland Security (DHS) issued recommendations to Congress about how the federal government could improve critical infrastructure cyber incident reporting in a new report. Notable recommendations include streamlining the reporting process by establishing a single reporting web portal, as well as creating a model incident report form that federal agencies can adopt.
  • “The report, aptly titled “Harmonization of Cyber Incident Reporting to the Federal Government,” was a deliverable required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), signed into law in March of last year. CIRCIA enabled the creation of the Cyber Incident Reporting Council (CIRC), which took the lead on the report and represents leaders from 33 federal agencies.
  • “The report acknowledged ongoing challenges that stem from duplicative federal cyber incident reporting requirements. Currently, there are 52 cyber incident reporting requirements either in effect or proposed across the federal government.”
• FEHBlog note – At least 53 cyber incident reporting requirements exist as the DHS report overlooks OPM’s requirements for FEHB plan carriers.

• What’s more,
  • SUMMARY: The Office of the National Cyber Director (ONCD) invites public comments on opportunities for and obstacles to harmonizing cybersecurity regulations, per Strategic Objective 1.1 of the National Cybersecurity Strategy. ONCD seeks input from stakeholders to understand existing challenges with regulatory overlap, and explore a framework for reciprocity (the recognition or acceptance by one regulatory agency of another agency’s assessment, determination, finding, or conclusion with respect to the extent of a regulated entity’s compliance with certain cybersecurity requirements) in regulator acceptance of other regulators’ recognition of compliance with baseline requirements.
  • DATES: The original comment deadline for this RFI was 5 p.m. EDT September 15, 2023. ONCD has extended the deadline for comments to be received to 5 p.m. EDT October 31, 2023.
  • ADDRESSES: Interested parties may submit comments through www.regulations.gov
  • Cyberscoop discusses this initiative here.

• Per Cybersecurity Dive,
  • “FBI Director Christopher Wray urged private sector organizations to help the agency by coming forward with information regarding malicious cyber activity. 
  • “Wray told attendees at Mandiant’s annual mWISE 2023 conference Monday that many of the agency’s successful cyber operations in recent years were accomplished with the assistance of private sector partners. He emphasized organizations would be treated properly as victims of malicious actors and not punished for their cooperation.
  • “We know the private sector hasn’t always been excited about working with federal law enforcement, but when you contact us about an intrusion, we won’t be showing up in raid jackets,” Wray told conference attendees. “Instead, we’ll treat you like the victims you are – just like we treat all victims of crimes.”

• and
  • The U.S. has made significant progress towards developing a more resilient cybersecurity infrastructure after implementing about 70% the Cyberspace Solarium Commission’s recommendations, according to a report from CSC 2.0. 
  • CSC co-chairs Sen. Angus King, I-Maine, and Rep. Mike Gallagher, R-Wisc., praised the launch and implementation of the National Cybersecurity Strategy during a presentation Tuesday in Washington D.C., but said more work needed to be done on deterrence. 
  • Key gaps remain in the nation’s cybersecurity posture, including the need to create more resilient federal networks and strengthen key critical infrastructure sectors, such as healthcare, agriculture and water.

From the cybersecurity business front,

• Cybersecurity Dive reports
  • “Cisco reached a deal valued at $28 billion in cash, or $157 per share, to buy software observability firm Splunk, the companies announced Thursday. The deal, which marks Cisco’s largest-ever acquisition, is built around the “complementary capabilities” across AI, security and observability between Cisco and Splunk. 
  • “Cisco expects the deal to become cash flow positive and gross margin accretive within the first fiscal year after the deal closes, which is expected in Q3 2024. The agreement, which has been unanimously approved by the board of directors at Cisco and Splunk, remains subject to regulatory approval.
  • “Splunk President and CEO Gary Steele will join the executive leadership team at Cisco, reporting directly to Chair and CEO Chuck Robbins.”

From the cybersecurity breaches and vulnerabilities front,

• HHS’s Healthcare Sector Cybersecurity Coordination Center (HC3) released its August 2023 cybersecurity vulnerability bulletin.
  • “In August 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for August are from Microsoft, Google/Android, Cisco, Apple, Mozilla, Fortinet, VMWare, and Adobe. A vulnerability is given the classification as a zero-day if it is actively exploited with no fix available or is publicly disclosed. HC3 recommends patching all vulnerabilities, with special consideration given to the risk management posture of the organization.”

• HC3 also pointed out last week,
  • “Cisco Talos has published an open-source report regarding the North Korean state-sponsored actor, the Lazarus Group, reported to be targeting internet backbone infrastructure and healthcare entities in Europe and the United States. The attackers have been exploiting a vulnerability in ManageEngine products, which is tracked as CVE-2022-47966. This vulnerability was added to CISA’s Known Exploited Vulnerabilities Catalog in January 2023. Through this exploit, the attackers are deploying the remote access trojan (RAT) known as “QuiteRAT.” Security researchers previously identified this malware in February 2023, and it is reportedly the successor to the group’s previously used malware “MagicRAT,” which contains many of the same capabilities. Further analysis of this campaign has also shown that the group is using a new malware tool called “CollectionRAT,” which appears to operate like most RATs by allowing the attacker to run arbitrary commands among other capabilities. Both CISA and the FBI have previously warned that these types of vulnerabilities are common attack methods for malicious actors and can pose a significant risk to healthcare and public health organizations. HC3 strongly encourages organizations to update these systems.”

• HC3 posted a PowerPoint on Chinese and North Korean cybercrime. In sum,
  • “Chinese and North Korean “cybercriminal groups” act as unique threats to the U.S. health sector.
  • “China and North Korea are significant cyber powers–China in absolute terms and North Korea in relative terms.
  • “Domestic politics in both organizations has created a unique cybercriminal ecosystem, where the only significant cybercriminals threatening the U.S. health sector are state-sponsored.
  • “Most significant criminal gangs (i.e., are financially motivated) have all the sophistication of many other cybercriminal gangs but also have the resources (technological, financial and diplomatic) of a state behind them.”
    • “They are state-backed criminals, and they target a number of industries, including the U.S. health sector.”

• This week, CISA added eight known exploited vulnerabilities to its catalog on September 18, another on September 19, and one more on September 21.

• SecurityWeek calls attention to
  • “Apple’s announcement on Thursday [September 20] that its latest operating system updates patch three new zero-day vulnerabilities. Based on the previous work of the organizations credited for reporting the flaws, they have likely been exploited by a spyware vendor.”

From the ransomware front,

• On September 20,
  • “The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released joint Cybersecurity Advisory (CSA) #StopRansomware: Snatch Ransomware, which provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with the Snatch ransomware variant. FBI investigations identified these IOCs and TTPs as recently as June 1, 2023.
  • “Snatch threat actors operate a ransomware-as-a-service (RaaS) model and change their tactics according to current cybercriminal trends and successes of other ransomware operations.

• From Dark Reading,
  • “Arika ransomware has continued to evolve since emerging as a threat in March, expanding its reach from initially targeting Windows systems to include Linux servers and employing a growing array of tactics, techniques, and procedures (TTPs).
  • “An in-depth report on Akira from LogPoint breaks down the “highly sophisticated” ransomware, which encrypts victim files, deletes shadow copies, and demands ransom payment for data recovery. 
  • “The infection chain actively targets Cisco ASA VPNs lacking multifactor authentication to exploit the CVE-2023-20269 vulnerability as an entry point.
  • “As of early September, the group had successfully hit 110 victims, focusing on targets in the US and the UK.”

From the cyberdefenses front,

• Cybersecurity Dive explains why,
  • “Security has an underlying defect: passwords and authentication; Cyberattacks are fueled by the shortcomings of business authentication controls. Bad things happen when access falls apart and credentials land in the wrong hands.”

• An ISACA expert discusses how to mitigate emerging technology risks.

From the cybersecurity policy front,

• Cyberscoop tells us,
  • “An advisory committee to the Cybersecurity and Infrastructure Security Agency [CISA] delivered a long list of recommendations on Wednesday that encourage the agency to take measures to increase the cybersecurity expertise on corporate boards of directors, develop a national cybersecurity alert mechanism and better protect high-risk communities from surveillance. 
  • “These policy measures were just a few of more than 100 recommendations made to CISA Director Jen Easterly, who called the findings “transformative.”
  • “The recommendations of CISA’s Cybersecurity Advisory Committee will need to be made into policy by Easterly, but in the past, she has mostly embraced the recommendations of the committee, which is made up of former top-ranking officials, executives and lawmakers, such as former National Cyber Director Chris Inglis, former Rep. Jim Langevin and Southern Company CEO Tom Fanning, who chairs the panel.” 

• Per Health IT Security,
  • “Healthcare stakeholders have an opportunity to provide feedback to the Senate on improving health data privacy in the US, thanks to a request from US Senator Bill Cassidy (R-LA), a ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee.  
  • “Cassidy issued a request for information (RFI) from stakeholders to gain insights into improving health data privacy and modernizing HIPAA. The deadline to submit feedback to Cassidy’s team is September 28.”

• Cybersecurity Dive points out,
  • “The White House is looking to add oversight capabilities to strengthen cybersecurity for critical infrastructure. The administration has been working with various cabinet agencies to bolster cybersecurity in water, rail, aviation, energy and other sectors. 
  • “However, Anne Neuberger, deputy national security advisor for cyber and emerging technology, speaking during the Billington Cybersecurity Summit in Washington D.C., raised the possibility of a letter grade rating that would hold key providers accountable for maintaining a certain level of cyber resilience. 
  • “As good as public-private partnerships are, the administration sees additional enforcement ability as necessary.” 

• The Wall Street Journal offers its September 2023 cybersecurity regulatory update.
  • “In this quarter’s edition: updates on recently passed regulations from the U.S. Securities and Exchange Commission and the New York Department of Financial Services, new regulatory measures introduced by the California Privacy Protection Agency, the new cybersecurity strategy in New York state, and expert commentary on the draft regulations recently published by CPPA.”

From the cybersecurity breaches and vulnerabilities front,

• Per Cybersecurity Dive,
  • “The dark web marketplaces dedicated to the trade of credentials and vulnerabilities boasts some big names in enterprise compromises, Flashpoint research released Tuesday [September 12] shows.
  • “Three reported purchases of vulnerability exploits on the dark web during the first half of the year included high profile, actively exploited CVEs, according to the threat intelligence firm.
  • “The remote code execution vulnerability in Barracuda’s email security gateway appliances, CVE-2023-2868, was purchased for $15,000 during Q2. Barracuda disclosed and attempted to patch the actively exploited zero-day vulnerability in May, but the patches failed, and exploits are still underway.
  • “Flashpoint said its threat intelligence analysts observed a post expressing interest in the exploit on June 16, and another user offered help in response two days later.”

• Dark Reading informs us,
  • “A global cyber-espionage campaign conducted by the Iranian nation-state actor known as Peach Sandstorm (aka Holmium) has successfully plucked targets in the satellite, defense, and pharmaceutical sectors, Microsoft is warning. 
  • “The cyber offensive has been active since February, according to a blog post from Microsoft Threat Intelligence, which concluded that the campaign used masses of password spray attacks between February and July to authenticate to thousands of environments and exfiltrate data, all in support of Iranian state interests.
  • “The password spray method of attack is a type of brute-force method used by hackers to gain unauthorized access to user accounts and systems. Password spraying involves attempting to access multiple accounts using common passwords, reducing the risk of account lockouts.”

• Tripwire reports
  • “Apple has released emergency security updates for the flaws found in macOS, iOS, iPadOS, and watchOS used in the BLASTPASS exploit chain. As Bleeping Computer reports, Citizen Lab has warned Apple customers to apply the updates immediately and consider turning on Lockdown Mode if they suspect they’re particularly vulnerable to being targeted by sophisticated hackers. CISA has added the flaws to its catalog of known exploited vulnerabilities, saying that they pose “significant risks to the federal enterprise” and ordered all federal agencies to patch against them by October 2, 2023.”

• Security Week notes
  • “Deepfake is a term used to describe synthetic media — typically fake images and videos. Deepfakes have been around for a long time, but advancements in artificial intelligence (AI) and machine learning (ML) have made it easier and less costly to create highly realistic deepfakes. 
  • “Deepfakes can be useful for propaganda and misinformation operations. For example, deepfakes of both Russia’s president, Vladimir Putin, and his Ukrainian counterpart, Volodymyr Zelensky, have emerged since the start of the war.
  • “However, in their new report, the FBI, NSA and CISA warn that deepfakes can also pose a significant threat to organizations, including government, national security, defense, and critical infrastructure organizations.” 

• HelpNetSecurity warns
  • “Your security solutions might stave off a LockBit infection, but you might still end up with encrypted files: according to Symantec’s threat researchers, some affiliates are using the 3AM ransomware as a fallback option in case LockBit gets flagged and blocked.”

• CISA added a bunch of known exploited vulnerabilities to its catalog this week: two on Monday, two more on Tuesday, three on Wednesday, and another to top off Thursday.

From the ransomware front,

• The Healthcare Sector Cybersecurity Coordination Center provides us with a sector alert on Akira Ransomware.
  • “Akira is a Ransomware-as-a-Service (RaaS) group that started operations in March 2023. Since its discovery, the group has claimed over 60 victims, which have typically ranged in the small- to medium-size business scale. Akira has garnered attention for a couple of reasons, such as their retro 1980s-themed website and the considerable demands for ransom payments ranging from $200,000 to $4 million. Akira has been observed obtaining initial malware delivery through several methods, such as leveraging compromised credentials and exploiting weaknesses in virtual private networks (VPN), typically where multi-factor authentication (MFA) is not being used. Like many ransomware groups, they employed the double-extortion technique against their victims by exfiltrating data prior to encryption. It is also believed that the group may contain some affiliation with Conti due to observed overlap in their code and cryptocurrency wallets. The group has targeted multiple sectors, including finance, real estate, manufacturing, and healthcare.”

• Here is a link to the latest Bleeping Computer Week in Ransomware, which features an attack on Las Vegas.

From the cybersecurity defenses front,

• Health IT Security calls our attention to
  • The Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) announce[ing] the release of version 3.4 of the Security Risk Assessment (SRA) Tool, further enhancing the user experience and helping covered entities navigate risk assessment requirements under the HIPAA Security Rule.
  • “OCR and ONC developed the SRA Tool to help small- and medium-sized healthcare providers identify and assess risks and vulnerabilities to electronic protected health information (ePHI). The tool is a software application that organizations can download at no cost.”

• Check out the 405(d) Post, which offers “Five Key Insights from The Healthcare Cybersecurity Benchmarking Study.”

• An ISACA expert explores risk assessment in a rapidly changing threat landscape.

• CSO offers “Ten principles to ensure strong cybersecurity in agile development.”

From the cybersecurity policy front,

• We learn from Cybersecurity Dive that
  • Final work is underway for the Cyber Incident Reporting for Critical Infrastructure Act, which Cybersecurity and Infrastructure Security Agency Director Jen Easterly expects to be done by the end of this year or early 2024 at the latest, she said Wednesday at the Billington Cybersecurity Summit. The act, signed in March 2022, requires critical infrastructure providers to report major cyber incidents and ransomware payments to the agency.
  • “But until we have that in place, we need to make sure we are communicating around threats, realizing that a threat to one is a threat to many,” Easterly said. 
  • Easterly said the agency has made significant progress in building a collaborative model for sharing intelligence and gaining visibility into threats facing the nation, but said more work still needs to be done.

• Per Fedscoop,
  • “New policy guidance is coming soon to help agencies comply with the Federal Risk and Authorization Management Program (FedRAMP) as the cloud landscape evolves, according to the federal government’s No. 2 IT official.
  • “Drew Myklegard, deputy federal CIO, said Thursday at FedScoop’s FedTalks that the forthcoming guidance comes as the federal cloud marketplace has evolved to be more dominated by software-as-a-service (SaaS) and platform-as-a-service (PaaS) offerings. 
  • “The landscape has changed. SaaS — and now it’s heavy, heavy SaaS — and a lot of PaaS providers really need access to the government and their mission. So now we’re pivoting and it takes a couple of years to do that, but we’re pivoting towards that market,” Myklegard said.
  • “He continued: “We’ve seen an exponential growth every couple of years of these SaaS providers and the tools. But what we haven’t seen is similar exponential growth in their adoption, at least like ATO-ed [authority to operate], secured and monitored by the CIOs out there of those types of products.”

From the cybersecurity breaches and vulnerabilities front,

• The Wall Street Journal reports,
  • “A record year for cyberattacks on U.S. hospitals is putting patients in danger, as hospitals struggle to cope with disabled equipment and frozen data, an official from the American Hospital Association warned Thursday.
  • “Hackers, especially ransomware groups, are routinely taking down medical applications and internet connections, and freezing up patient and operations data, John Riggi, national adviser for cybersecurity and risk at the AHA, said, speaking at a meeting of the Healthcare Information and Management Systems Society. 
  • “Email and phones go down. Backup computers generally don’t work or have only about three days of data on them,” Riggi said. “We have seen this consistently,” he told the audience of healthcare technology and cyber leaders.”

• The American Hospital Association adds,
  • “The U.S. Treasury Department, in coordination with the United Kingdom, Sept. 7 sanctioned 11 individuals who are part of the Russia-based Trickbot cybercrime group, whose targets have included hospitals and other critical infrastructure organizations. The Department of Justice also unsealed indictments against nine individuals in connection with Trickbot malware and Conti ransomware, including seven of the sanctioned individuals. According to the agencies, the Trickbot group in 2020 launched a wave of ransomware disruptions against U.S. hospitals and health care facilities, in one case deploying ransomware that disrupted computer networks and telephones at three Minnesota facilities and caused them to divert ambulances.”  

• Last week, the Cybersecurity and Infrastructure Security Agency added one known exploited vulnerability to its catalog

• Cybersecurity Dive points out
  • “A consumer signing key that caused security headaches for Microsoft earlier this year was exposed in an April 2021 crash dump, the company said Wednesday. A China-based threat group behind attacks later used the key to compromise more than two dozen customers, including U.S. State Department emails earlier this year. 
  • “Microsoft disclosed the crash dump, which redacts sensitive information, as part of an internal investigation into how the consumer signing key was left exposed. The threat group, which Microsoft calls Storm-0558, compromised the corporate account of a Microsoft engineer following the crash dump,
  • “The threat group stole sensitive emails from the State Department and reportedly U.S. Commerce Secretary Gina Raimondo.”

• Per Krebs on Security, “Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach.”

From the ransomware front,

• Security Week reports,
  • “Cisco this week raised the alarm on a zero-day in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software that has been exploited in Akira ransomware attacks since August.
  • “Tracked as CVE-2023-20269 (CVSS score of 5.0, medium severity), the issue exists in the remote access VPN feature of Cisco ASA and FTD and can be exploited remotely, without authentication, in brute force attacks. 
  • “This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features,” Cisco explains in an advisory.”

• Bleeping Computer’s :The Week in Ransomware” is back after a two week long vacation.

From the cybersecurity defenses front,

• Cybersecurity Dive identifies the top five behaviors of successful CISOs thanks to Gartner Research.

• Dark Reading discusses three strategies to defending against “resurgent info stealers.”

• An ISACA experts explores using near-miss incidents are risk indicators.

From the cybersecurity policy front,

• Federal News Network informs us
  • “Vulnerability disclosure policies have proliferated throughout federal agencies in recent years, and if a new House bill ends up becoming law, federal contractors would have to adopt policies for accepting vulnerability information from security researchers as well.
  • “Rep. Nancy Mace (R-S.C.) today announced the Federal Cybersecurity Vulnerability Reduction Act of 2023. Mace is chairwoman of the House Oversight and Accountability Committee’s cybersecurity, information technology and government innovation subcommittee.
  • “The bill would require the White House Office of Management and Budget to lead updates to the Federal Acquisition Regulation that ensure federal contractors implement a vulnerability disclosure policy. * * *
  • “Mace’s bill would have contractors specifically follow the VDP guidelines established by the National Institute of Standards and Technology.
  • “In May, NIST published “Recommendations for Federal Vulnerability Disclosure Guidelines.” The document lays out a federal vulnerability disclosure framework, including information about how agencies should set up a system for receiving information about potential security vulnerabilities, as well as methods for communicating ways to resolve those vulnerabilities to other agencies and the public.

From the cybersecurity vulnerabilities and breaches front,

• HHS’s Health Sector Cybersecurity Coordination Center released its July 2023 report on vulnerabilities of interest to the health sector.
  • “In July 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for July are from Microsoft, Google/Android, Apple, Mozilla, SAP, Cisco, Fortinet, VMWare, MOVEit, Oracle, and Adobe. A vulnerability is given the classification as a zero-day if it is actively exploited with no fix available or if it is publicly disclosed. HC3 recommends patching all vulnerabilities with special consideration to the risk management posture of the organization.”

• The Cybersecurity and Infrastructure Security Administration added a new known exploited vulnerability to its catalog on August 21; two more on August 22, and another two on August 24.

• Per Health IT Security,
  • “Healthcare data breaches remain a troubling and frequent occurrence despite an observed dip in the number of breaches reported to HHS in the first six months of 2023, Critical Insight noted in its H1 2023 Healthcare Data Cyber Breach Report.
  • “While the number of breaches dropped 15 percent in the first six months of the year compared to the latter half of 2022, the number of records compromised jumped by 31 percent. As previously reported, nearly 40 million records were implicated in healthcare data breaches reported to HHS from January to June.”

In HIPAA Privacy Rule news,

• Health IT Security says,
  • “The HHS Office for Civil Rights (OCR) reached a settlement with UnitedHealthcare Insurance Company (UHIC) to resolve potential HIPAA right of access violations. UHIC, a health insurer that provides coverage to millions across the US, agreed to pay $80,000 to OCR to resolve the investigation.
  • “The investigation marks the 45th case settled under OCR’s HIPAA Right of Access Initiative, which was created in 2019 to underscore OCR’s commitment to ensuring that patients have timely access to their medical records.
  • “The UHIC case arose in March 2021, when OCR received a complaint alleging that UHIC had not responded to an individual’s request for a copy of their medical record. The individual requested their records in January 2021, finally receiving them in July 2021, after OCR had initiated its investigation into the matter.”

From the ransomware front,

• Cybersecurity Dive reports
  • “The median dwell time for ransomware attacks fell in the first half of 2023, down to 5 days from the 2022 average of 9 days, according to Sophos research released Wednesday.
  • “The majority of ransomware attacks are taking place during the work week, yet outside standard business hours, Sophos found. The bulk of 80 cases its incident response team worked on during the first half of 2023 took place between 11 p.m. and 8 a.m. in the target’s time zone. Attackers also strongly favored a “late hour at the end of the week” to launch an attack.
  • “Monitoring and reactions have to be 24/7 these days,” said Chester Wisniewski, field CTO of applied research at Sophos. “The criminals are striking when we’re not sitting at the keyboard waiting for them.”

• and
  • “Clop was responsible for one-third of all ransomware attacks in July, positioning the financially-motivated threat actor to become the most prolific ransomware threat actor this summer, according to multiple threat intelligence reports.
  • “Clop’s mass exploit of a zero-day vulnerability in the MOVEit file transfer service rapidly catapulted the group to the head of the global ransomware threat actor pack.
  • “The threat actor has compromised more than 730 organizations as part of this campaign, according to the latest figures tracked by Emsisoft and KonBriefing Research.”
• and
  • “The Rhysida ransomware group claimed responsibility for a ransomware attack against Prospect Medical Holdings that forced multiple hospital closures earlier this month and continues to impact operations.
  • “The threat actor said it stole more than 500,000 Social Security numbers, passport data of clients and employees, patient medical files, and financial and legal documents, according to a Thursday post on the dark web. 
  • “Emsisoft Threat Analyst Brett Callow shared a screenshot of the post on X, the platform formerly known as Twitter, Thursday [August 24].”

• Bleeping Computers’ The Week in Ransomware is on summer vacation this week.

From the cybersecurity defenses front,

• Per CISA,
  • “[On August 21,] the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and National Institute of Standards and Technology (NIST) released a joint factsheet, Quantum-Readiness: Migration to Post-Quantum Cryptography (PQC), to inform organizations—especially those that support Critical Infrastructure—of the impacts of quantum capabilities, and to encourage the early planning for migration to post-quantum cryptographic standards by developing a Quantum-Readiness Roadmap.
  • “CISA, NSA, and NIST urge organizations to review the joint factsheet and to begin preparing now by creating quantum-readiness roadmaps, conducting inventories, applying risk assessments and analysis, and engaging vendors. For more information and resources about CISA’s PQC work, visit the Post-Quantum Cryptography Initiative.”

• Per Health IT Security,
  • “The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) issued an updated version of its “Health Industry Cybersecurity Information Sharing Best Practices” guide (HIC-ISBP) to help healthcare organizations craft and maintain a cybersecurity threat information sharing program.
  • “Originally published in March 2020 in partnership with the Health Information Sharing and Analysis Center (Health-ISAC), the document serves to address barriers to information sharing and guide organizations toward overcoming regulatory obstacles that may make information sharing a challenge.
  • “The document is a companion to another recently updated publication known as the “Matrix of Information Sharing Organizations,” which provides healthcare organizations with a list of reputable information-sharing entities.”

• Dark Reading identifies five best practices for implementing Risk-First Cybersecurity.
  • “Organizations face an uphill battle to safeguard hybrid cloud assets and sensitive data from evolving cyber threats in an increasingly interconnected and digitized world. While the security-first approach is essential, it has limitations in addressing the dynamic nature of these threats. The risks resulting from these threats are multifaceted and sophisticated, encompassing cybersecurity, compliance, privacy, business continuity, and financial implications. Therefore, a shift toward a risk-first approach is necessary.”

• ISACA shares an executive view of key cybersecurity trends in 2023.
  • “2023 has further proven that the state of cybersecurity is constantly evolving. New technologies are emerging and increasingly being adopted for purposes of enhancing threat detection, analyzing large volumes of data for anomalies and automating security processes. Meanwhile, cyber threats are becoming increasingly sophisticated. In 2022, 76% of organizations were targeted by a ransomware attack, of which 64% were infected.¹ To more effectively defend against such attacks, it is important for cyber professionals to understand current trends and challenges that exist in the field of cybersecurity.”

• The Wall Street Journal offers its quarterly cyber insurance update.
  • In this quarter’s update, we look at new Securities and Exchange Commission cyber rules that may increase insurance risks for corporate directors, how new technologies such as artificial intelligence are helping assess a company’s cyber risk profile, and whether having a cyber insurance policy increases the likelihood of being a victim of a ransomware attack?