Cybersecurity Dive

Cybersecurity

Cybersecurity Dive

David ErmerCybersecurity

From the cybersecurity policy front —

  • Ars Technica reports
    • The Advanced Research Projects Agency for Health (Arpa-H), a research support agency within the United States Department of Health and Human Services, said today that it is launching an initiative to find and help fund the development of cybersecurity technologies that can specifically improve defenses for digital infrastructure in US health care. Dubbed the Digital Health Security project, also known as Digiheals, the effort will allow researchers and technologists to submit proposals beginning today through September 7 for cybersecurity tools geared specifically to healthcare systems, hospitals and clinics, and health-related devices.
  • FedScoop tells us,
    • Federal agencies got a reminder from the White House yesterday [August 16] of the need to firm up their cybersecurity in compliance with a Biden executive order.
    • The National Security Advisor Jake Sullivan sent a memo to departments and agencies Wednesday morning “to ensure their cyber infrastructure is compliant with” a May 2021 cybersecurity executive order on improving U.S. agencies’ cyber defense, a National Security Council spokesperson said in an emailed statement. 
  • Per NextGov,
    • “The White House is working to develop a 10-year modernization plan for federal civilian agencies as part of a broader effort to transition away from outdated information technology systems while bolstering the nation’s cyber posture, a top official said Tuesday.
    • “Federal Chief Information Security Officer Chris DeRusha told Nextgov/FCW that replacing costly legacy IT systems with resilient and secure technologies has become a top priority for the administration following the release of the National Cybersecurity Strategy earlier this year. 
    • “We need a 10-year modernization plan for legacy IT,” DeRusha said at Nextgov/FCW’sIdentity Security Workshop. “Legacy IT modernization is the number one biggest rock that needs to get moved for us to be able to secure our systems.”
  • NIST released a summary of public comments received on draft Special Publication 800-171 Revision 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. FEHB claims data falls within the scope of this SP.
    • “NIST is adjudicating the comments and preparing the final public draft (fpd) of SP 800-171r3. Concurrently, the team is developing the initial public draft of SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, which will provide assessment procedures for the SP 800-171r3 security requirements. NIST anticipates releasing SP 800-171r3 fpd and SP 800-171A ipd for public comment in Q1 of FY 2024 (October – December 2023) and looks forward to ongoing engagement with users during the comment period.” 
  • Per Cybersecurity Dive,
    • Cyber authorities are working to mitigate threats to remote monitoring and management tools with assistance from the government and private sector.
    • The defense plan from the Joint Cyber Defense Collaborative “addresses issues facing top-down exploitation of RMM software,” which present a growing risk to small- and medium-sized businesses, the Cybersecurity and Infrastructure Security Agency [CISA] said.

From the cybersecurity vulnerabilities and breaches front,

  • The Health Sector Cybersecurity Coordination Center released a threat analysis of China-based threat actors.
    • “This white paper outlines Chinese cyber threat actors who are known to target the U.S. public health and private health sector entities in cyberspace. The groups outlined within this document represent some of the most capable and deliberate threats to the U.S. healthcare sector, and should be treated with priority when designing and maintaining an appropriate risk posture for a health sector entity.”
  • CISA added one more known exploited vulnerability to its catalog on August 16, 2023.
  • Dark Reading reports
    • “Hackers are on a spree of hijacking LinkedIn accounts, in some cases monetizing the attacks by demanding a small ransom from users to regain access and threatening permanent deletion.
    • “Though LinkedIn, a subsidiary of Microsoft, has not yet commented publicly about the campaign, it has affected people worldwide over the last few weeks. Conversations on social media and Google searches indicate a “significant surge in the past 90 days” of account hacks on the professional-oriented social media platform, according to a recent report published by Cyberint.”
  • Bloomberg Technology examines a larger email hack of Microsoft.
    • “No one likes losing their keys. But after a single Microsoft Corp. key fell into the hands of Chinese hackers, it’s going to take more than changing the locks to restore its reputation. 
    • “The consumer signing key was used to forge authentication tokens — which are meant to verify a user’s identity — and access emails, including the accounts of Commerce Secretary Gina Raimondo and State Department officials, shortly before Secretary of State Antony Blinken traveled to China to meet President Xi Jinping in June.
    • “The world’s largest software maker is now facing increasing criticism from computer security experts and government officials alike over the hack, among the more embarrassing breaches of US government networks since the so-called SolarWinds attack was disclosed in 2020. Russian state-sponsored hackers also abused Microsoft’s software as part of that attack.
    • “Senator Ron Wyden, in a blistering letter last month about the lapse, called for multiple investigations. Shortly after, a US cybersecurity advisory panel opened a probe into the risks of cloud computing, and it is also looking at Microsoft’s role in the email hack.”
  • Health IT Security brings us up to date on the hack that keeps on giving – the MoveIT transfer hack.
    • Entities across the country are still feeling the effects of the MOVEit Transfer hack as more organizations report breaches stemming from the vulnerability.
    • Earlier this week, the Colorado Department of Health Care Policy & Financing (HCPF), which operates Colorado’s Medicaid program, notified more than 4 million individuals of a breach that originated at IBM, which had used the MOVEit software on behalf of HCPF. IBM also notified the Missouri Department of Social Services of the same incident.
    • MOVEit disclosed the vulnerability on May 31 and issued a patch on the same day. 

From the cybersecurity defenses front,

  • Cybersecurity Dive explains why
    • “Security basics aren’t so basic — they’re hard; Lax security controls cause heavy damages, and security experts warn how unmet basics turn up, time and again, when things go wrong” and
  • identifies
    • AWS customers’ most common security mistake; All too often organizations are not doing least-privilege work with identity systems, AWS’ Mark Ryland told Cybersecurity Dive,” and
  • discusses how to take advantage of sometimes disjointed threat intelligence.
  • The Wall Street Journal reports
    • “Hackers exploit the trust relationships between organizations and their third-party suppliers and vendors, resulting in potentially damaging targeted and untargeted attacks.
    • “Understanding the organizations in a supply chain and critical dependencies is essential to reducing the risk, though some threats are nearly impossible to mitigate.
    • “Multiple internal stakeholders working together with technology solutions and consultancy expertise can significantly reduce the risk of, or impact from, supply chain attacks[, e.g., the MoveIT transfer hack].”

Cybersecurity Saturday

David ErmerCybersecurity, Generative AI

From the cybersecurity policy front,

  • Cybersecurity Dive informs us,
    • “The National Institute of Standards and Technology released a long-anticipated draft version of the Cybersecurity Framework 2.0 Tuesday,  the first major update of the agency’s risk guidance since 2014. 
    • “After originally focusing risk guidance on critical infrastructure, the updated framework includes a wider array of organizations, including small- and medium-sized businesses, local schools and other entities. 
    • “The revised framework also addresses the role of corporate governance and the growing risks to digital networks via third-party relationships. * * *
    • “NIST will release a CSF 2.0 reference tool in a few weeks to help users browse, search and export data in a format that is machine-readable. It will also hold a workshop in the fall for additional public comments. 
    • “The deadline for public comments is Nov. 4, and NIST plans to publish a final version of CSF 2.0 in early 2024.”
  • Health IT Security adds,
    • As previously reported, the NIST CSF can be an asset to healthcare organizations looking to bolster their cybersecurity programs. Alongside other voluntary frameworks and HIPAA compliance actions, healthcare organizations can leverage the NIST framework to enhance privacy and security protections.
  • Politico updates us on the Federal Trade Commission’s proposed health data breach rule.
    •  In May, the Federal Trade Commission proposed a sweeping expansion of health data privacy rules, and now, the period for the public to weigh in has ended.
    • “While many comments were supportive, others were concerned that the FTC was overstepping its authority, opening itself up to litigation, and urged more clarity.” * * *
    • “The proposal would clarify that health app developers would be subject to regulations requiring them to notify customers if their identifiable data is accessed by hackers or business partners or shared for marketing without patient approval. The rule would include those offering health services and supplies — broadly defined to include fitness, sleep, diet and mental health products and services, among a laundry list of categories.”
  • The Wall Street Journal summarizes the Security and Exchange Commission’s final cyber rule:
    • The U.S. Securities and Exchange Commission has approved new regulations requiring public companies to disclose cybersecurity breaches within four business days of becoming aware of a material impact resulting from the incident.
    • The regulations dropped the requirement for companies to disclose the names of cybersecurity experts on company boards and the nature of their expertise..
    • Companies are now required to report information regarding their cybersecurity risk management, strategy and governance annually.
    • Despite the SEC not requiring cyber expertise, experts believe having cyber oversight on the board is still beneficial and a priority.

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive informs us,
    • “The mass exploit of a zero-day vulnerability in MOVEit has compromised more than 600 organizations and 40 million individuals to date, but the numbers mask a more disastrous outcome that’s still unfolding.
    • “The victim pool represents some of the most entrenched institutions in highly sensitive — and regulated — sectors, including healthcare, education, finance, insurance, government, pension funds and manufacturing.
    • “The subsequent reach and potential exposure caused by the Clop ransomware group’s spree of attacks against these organizations is vast, and the number of downstream victims is not yet fully realized. * * *
    • “The widespread attack against MOVEit and its customers was “highly creative, well-planned, organized by multiple groups and executed well since they were able to poach records at scale,” independent analyst Michael Diamond said via email.
    • “Without a doubt, they hit one of the juicy parts of the orchard from an information perspective that they’ll continue to monetize and use for attacks in the future,” Diamond said. “My impression is that this is only going to get worse over time.”
    • “Diamond isn’t alone in forecasting the worst is yet to come.”
  • The Cybersecurity and Infrastructure Security Agency added one known exploited vulnerability to its catalog on August 7 and another one on August 9.
  • The Wall Street Journal reports that “AI Is Generating Security Risks Faster Than Companies Can Keep Up: Rapid growth of generative AI-based software is challenging business technology leaders to keep potential cybersecurity issues in check.”
  • The Healthcare Sector Cybersecurity Coordination Center released a threat analysis on multifactor authentication (good) and smishing (bad).

From the ransomware front,

  • Cybersecurity Dive pointed out on August 7, 2023,
    • “A ransomware attack against Prospect Medical Holdings disrupted healthcare services across multiple states last week, prompting multiple hospital closures as response and recovery efforts are underway.
    • “Prospect Medical Holdings recently experienced a data security incident that has disrupted our operations,” the healthcare provider said Friday in a statement. The California-based company operates 16 hospitals and more than 165 clinics and outpatient facilities in California, Connecticut, Pennsylvania and Rhode Island.”

From the cybersecurity defenses front,

  • FedScoop reports
    • “The White House on Wednesday [August 9] announced a competition for cybersecurity researchers that is intended to spur the use of artificial intelligence to identify and fix software vulnerabilities.
    • “Teams that compete in the “AI Cyber Challenge,” which the Defense Advanced Research Projects Agency will lead, can win prizes worth up to $18.5 million. The agency has also allocated an additional $7 million in prize money for small businesses that participate.
    • “As part of the competition, researchers will use AI technology to fix software vulnerabilities, with a particular focus on open-source software. Leading AI companies Anthropic, Google, Microsoft and OpenAI will make their technology available for the challenge, according to the Biden administration.
    • “The White House’s announcement comes amid continued concern over rising cyber supply-chain risk across the federal government and the private sector. Last September, the Office of Management and Budget stipulated that all software providers would have to self-attest to the security of their products before deploying them on federal agency systems.”

Cybersecurity Saturday

David ErmerCybersecurity, Generative AI

From the cybersecurity policy front —

  • Cybersecurity Scoop reports,
    • “The Cybersecurity and Infrastructure Security Agency [CISA] released its strategic plan for fiscal year 2024 through 2026 on Friday, following a plethora of strategies and implementation plans released over the past several months by the White House aimed at improving the nation’s overall cybersecurity preparedness. 
    • “Within CISA, this Plan will serve as a keystone for implementation, resource, and operational planning, as further executed through our Annual Operating Plans. Externally, it will help stakeholders understand and participate in our long-term cybersecurity planning and prioritization,” the document reads.
    • CISA’s strategic plan will focus on three goals: address immediate threats, harden the terrain and drive security at scale. Additionally, the strategy has nine objectives, three for each goal, outlining the agency’s scope for the next three years.
    • “The release comes shortly after the Office of the National Cyber Director released a National Cyber Workforce and Education Strategy, as well as the National Cybersecurity Strategy in March and subsequent Implementation Plan in July.”
  • and
    • “The Biden administration’s strategy for building the U.S. cybersecurity workforce calls for government, industry and civil society groups to collaborate in increasing the number of cybersecurity workers and also urges an overhaul of the U.S. immigration system. 
    • “To address a dire shortage of cybersecurity workers, Monday’s strategy document takes a broad approach in overhauling the cybersecurity workforce. “The national cyber director’s office can only really task federal departments and agencies because, realistically, we need all of society. We need them to be feel supported and heard and seen as we approach these ecosystem models,” Acting National Cyber Director Kemba Walden told CyberScoop.”

From the cybersecurity breaches and vulnerabilities front —

  • Health IT Security brings us up to date on MOVEit breaches affecting healthcare organizations.
  • Health IT Security adds, “The healthcare sector continued to face a high volume of cyberattacks in the past few months as infostealing malware rose in popularity, BlackBerry stated in its latest Global Threat Intelligence Report.”
  • Cybersecurity Dive reports
    • “Half of the 12 most-commonly exploited vulnerabilities in 2022 were discovered the previous year, cyber authorities from the Five Eyes said in a joint advisory released Thursday. One of the top 12 vulnerabilities was discovered in 2018.
    • “Flaws in Microsoft products accounted for 1 in 3 of the most-routinely exploited vulnerabilities, including three Exchange Server CVEs from 2021. Two-thirds of the most-exploited vulnerabilities were found in products from three vendors: Atlassian, Microsoft and VMware.
    • “Other vendors that made the list include Apache’s Log4j, F5 Networks, Fortinet and Zoho.
    • * * * “Delayed or inconsistent vulnerability patching remains an underlying problem. This, combined with the unmet need for vendors, designers and developers to adhere to secure-by-design and secure-by-default principles, is aggravating the risk of compromise by malicious cyber actors.
    • “The Five Eyes intelligence alliance, which includes authorities from the U.S., Australia, Canada, New Zealand and the U.K., reiterated the need for vendors to follow secure design practices throughout the software development lifecycle.”
  • Security Week tells us
    • The US government’s cybersecurity agency CISA is calling attention to under-researched attack surfaces in UEFI [Unified Extensible Firmware Interface], warning that the dominant firmware standard presents a juicy target for malicious hackers.
    • “UEFI is a critical attack surface. Attackers have a clear value proposition for targeting UEFI software,” the agency said in a call-to-action penned by CISA technical advisor Jonathan Spring and vulnerability management director Sandra Radesky. 
  • CISA’s Director Jen Easterly blogs about the importance of securing the Border Gateway Protocol, which she describes as being the most important part of the internet you have never heard of.
  • On July 31, CISA added another known exploited vulnerability to its catalog.

From the ransomware front —

  • HHS’s Health Sector Cybersecurity Coordination Center released a sector alert on August 4, 2023.
    • “Rhysida is a new ransomware-as-a-service (RaaS) group that has emerged since May 2023. The group drops an eponymous ransomware via phishing attacks and Cobalt Strike to breach targets’ networks and deploy their payloads. The group threatens to publicly distribute the exfiltrated data if the ransom is not paid. Rhysida is still in early stages of development, as indicated by the lack of advanced features and the program name Rhysida-0.1. The ransomware also leaves PDF notes on the affected folders, instructing the victims to contact the group via their portal and pay in Bitcoin. Its victims are distributed throughout several countries across Western Europe, North and South America, and Australia. They primarily attack education, government, manufacturing, and technology and managed service provider sectors; however, there have been recent attacks against the Healthcare and Public Health (HPH) sector.”
  • Bleeping Computer informs us that “Clop ransomware now uses torrents to leak data and evade takedowns” and it offers its Week in Ransomware.
    • “Ransomware gangs continue to prioritize targeting VMware ESXi servers, with almost every active ransomware gang creating custom Linux encryptors for this purpose.
    • “This week, BleepingComputer analyzed the Linux encryptor for Abyss Locker and illustrated how it was specifically designed to encrypt ESXi virtual machines.”

From the cybersecurity defenses front —

  • Per Forbes
    • “Traditional passwords have proven to be an increasingly problematic authentication strategy in the evolving face of cybersecurity. Biometrics, such as fingerprints, facial recognition and iris scanning, are ushering in a new era of safe authentication.
    • “Biometrics provide distinct advantages over passwords in terms of security, convenience and user experience. But why exactly are biometrics more secure, and how can businesses successfully implement this technology into their existing strategies?
    • Forbes article explains how.
  • HelpNet offers advice on building cybersecurity defenses.
  • Security Intelligence explains how artificial intelligence can reduce data breach life cycles and costs.

Cybersecurity Saturday

David ErmerCybersecurity, Generative AI, Uncategorized

From the cybersecurity policy front —

  • Cyberscoop reports
    • “President Biden on Wednesday nominated Harry Coker, a long-time CIA and National Security Agency official, to serve as the next national cyber director, a choice that elevates a relatively unknown official to take on a high-profile assignment as the president’s leading cybersecurity adviser. 
    • “Coker’s nomination ends a protracted search to replace Chris Inglis, who led the Office of the National Cyber Director until February after leading efforts to draft the administration’s cybersecurity strategy. 
    • “Leading voices in Capitol Hill have urged Biden in recent weeks to nominate Inglis’s deputy, Kemba Walden, who has been serving as the acting director. Despite the support of key lawmakers, the White House passed on elevating Walden to the permanent position — reportedly out of concern that her significant financial debts might hinder her confirmation before the Senate.”
  • The Cybersecurity and Infrastructure Security Agency tells us,
    • “Now that the cross-sector CPGs have been published, CISA is working with Sector Risk Management Agencies (SRMAs) to directly engage with each critical infrastructure sector to develop Sector-Specific Goals (SSGs).  In most instances, these goals will likely consist of either new, unique additional goals with direct applicability to a given sector or, materials to assist sector constituents with effective implementation of the existing cross-sector CPGs. Sector-specific goals will be developed by:
    • “Identifying any additional cybersecurity practices not already included in the Common Baseline, needed to ensure the safe and reliable operation of critical infrastructure in that sector.  
    • “Providing examples for recommended actions specific to the infrastructure and entities in that sector; and  
    • “Mapping any existing requirements (e.g., regulations or security directives) to the Common Baseline and sector-specific objectives and/or recommended actions so stakeholders can see how their existing compliance practices fulfill certain objectives.  
    • “As there are 16 Critical Infrastructure sectors with varying needs, CISA will be tackling this effort in several phases. The first four sectors CISA is working with include the Energy, Financial Services, IT, and Chemical Sectors. In addition, CISA will be working throughout the year with the Water/Wastewater Sector, Healthcare Sector, and K-12 Subsector on identifying approaches for how organizations in those sectors/subsectors can enhance their cybersecurity posture through the implementation of the existing body of cross-sector goals.”
  • Here is a link to the website for the healthcare sector coordinating council (HSCC), whose work the FEHBlog will begin to track. Surprisingly to the FEHBlog, OPM is not an HSCC member.

From the cybersecurity breaches and vulnerabilities front —

  • Cybersecurity Dive informs us,
    • “Healthcare continues to be the most expensive industry for data breaches, beating out other sectors for the 13th year in a row, according to research conducted by the Ponemon Institute and published by IBM Security
    • “The average cost of a healthcare data breach reached nearly $11 million in 2023, an increase of 8% from last year and a 53% jump since 2020, the report found. 
    • “Although the healthcare sector faces high levels of industry regulation, expenses accrued from data breaches in the sector were almost double compared to the financial industry, which saw the second-most expensive data breaches at $5.9 million.”
  • Cybersecurity Dive adds
    • “The investigation phase of data breaches is the fastest growing and costliest category of data breach expenses, contributing to the consistent year-over-year increase in costs. Detection and escalation costs jumped almost 10% to nearly $1.6 million per incident, IBM found.
    • “The breadth and depth of incident response investigations are scaling up directly with the overall costs, along with the off tempo of the criminal,” John Dwyer, head of research at IBM Security X-Force, told Cybersecurity Dive.”
  • On a related topic, Cybersecurity Dive lets us know,
    • “Valid account credentials are at the root of most successful threat actor intrusions of critical infrastructure networks and state and local agencies, according to the Cybersecurity and Infrastructure Security Agency.
    • “Valid credential compromise combined with spear-phishing attacks accounted for nearly 90% of infiltrations last year.
    • Valid accounts, including former employee accounts, not removed from the Active Directory and default administrator credentials, were responsible for 54% of all attacks studied in the agency’s annual risk and vulnerability assessment released Wednesday.
    • Spear-phishing links — malware-laced emails sent to targeted individuals — were responsible for 1 in 3 attacks, the report found.
    • The success rate of these techniques underscores the staying power of the most common methods threat actors use to gain initial access to targeted systems.
  • Cyberscoop relates
    • “Apple on Monday issued its third security update in roughly a month to remedy vulnerabilities exploited in Operation Triangulation, a spyware campaign that researchers say specifically targeted iMessage users in Russia. 
    • “The Russian arm of cybersecurity firm Kaspersky on June 1 revealed the details of a zero-click iOS exploit. The company’s researchers said they discovered it while monitoring the company’s own corporate Wi-Fi network dedicated to mobile devices. The findings were released the same day Russia’s Federal Security Service, or FSB, said it had uncovered an American espionage operation targeting Apple devices in Russia in cooperation with Apple. 
    • “Apple told CyberScoop at the time that it had “never worked with any government to insert a backdoor into any Apple product and never will.”
  • Per Cyberscoop,
    • “Executives, researchers and engineers at big tech companies and startups alike working on artificial intelligence face a growing threat from criminal and nation-state hackers looking to pilfer intellectual property or data that underlies powerful chatbots, the FBI warned on Friday.
    • “The growing risk coincides with the increasing availability of AI tools and services to the general public in the form of products such as OpenAI’s ChatGPT, or Google’s Bard, for instance, as well as the increasing ease and ability for many companies to develop AI language models.
    • “The warning comes two days after FBI Director Christopher Wray and Bryan Vorndran, the agency’s assistant director, cyber division, warned about the distinct AI-related threats from China, which political leaders in the U.S. and Europe have long warned wants to dominate all aspects of AI research and implementation.”
  • Per Security Week,
    • “New guidance from the Australian Cyber Security Centre (ACSC), the US Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) warns developers, vendors, and organizations of access control vulnerabilities in web applications.
    • “Described as insecure direct object reference (IDOR) issues, they allow threat actors to read or tamper with sensitive data via application programming interface (API) requests that include the identifier of a valid user.
    • “These requests are successful because the authentication or authorization of the user submitting the request is not properly validated, the three agencies explain.”
  • CISA added an additional known exploited vulnerability to its catalog on July 25, July 26, and July 27, 2023.
  • Yesterday CISA “published three malware analysis reports on malware variants associated with the exploitation of CVE-2023-2868. CVE-2023-2868 is a remote command injection vulnerability affecting Barracuda Email Security Gateway (ESG) Appliance, versions 5.1.3.001-9.2.0.006. It was exploited as a zero-day as early as October 2022 to gain access to ESG appliances. According to industry reporting, the actors exploited the vulnerability to gain initial access to victim systems and then implanted backdoors to establish and maintain persistence.”
  • Also, yesterday, CMS shared its MOVEIt breach notice to Medicare beneficiaries.

From the ransomware front —

  • HelpNet Security points out that “In the Q2 2023, GuidePoint Research and Intelligence Team (GRIT) tracked 1,177 total publicly posted ransomware victims claimed by 41 different threat groups.”
  • Here is a link to yesterday’s The Week in Ransomware from Bleeping Computer.
    • “With ransom payments declining, ransomware gangs are evolving their extortion tactics to utilize new methods to pressure victims.
    • “This was seen by both the Clop and BlackCat/ALPHV ransomware gangs, who began utilizing new tactics as part of their extortion schemes.
    • “Clop has begun to create clear websites to leak data stolen during the MOVEit Transfer attacks, similar to a tactic introduced by ALPHV in 2022.”

From the cybersecurity defenses front —

  • TechRepublic shares cybersecurity defense ideas included in the Ponemon/IBM report.
  • Forbes offers a cybersecurity expert’s view on adopting a new paradigm in cybersecurity stemming from this conundrum:
    • Today, companies that house secure data and information are encountering an accessibility dilemma: On the one hand, they face an increased need for security and privacy of data, particularly as cyber threats become self-generating and more sophisticated. On the other hand, the value in securing assets lies in being able to utilize them, share them, and transact them effectively and efficiently with intended stakeholders so as to improve customer service and attain competitive differentiators. Companies struggle to balance these needs with the imperative to secure these data, particularly in accordance with certain industry standards or digital privacy regulations

Cybersecurity Saturday

David ErmerCybersecurity

From the cybersecurity breaches and vulnerabilities front —

  • Cybersecurity Dive tells us,
    • “Distributed denial of service attacks surged during the second quarter as criminal and state-linked hacking organizations unleashed a number of sophisticated attacks against critical infrastructure providers and other organizations across the globe, Cloudflare said in a report released Tuesday.  
    • “Experts linked pro-Russia hacktivist groups, including Killnet and Anonymous Sudan, to recent major DDoS attacks against Microsoft and threats against financial centers in the U.S. and Europe. 
    • “Cloudflare research shows a sharp increase in deliberately engineered and targeted DNS attacks.”
  • Health IT Security adds,
    • “Healthcare organizations face an uptick in cyber threats as malicious actors turn to tools like ransomware, artificial intelligence (AI), and Internet of Things (IoT) attacks. These threats are becoming increasingly significant in the dynamic cyber threat landscape, a Trustwave SpiderLabs report revealed.
    • “The report “Cybersecurity in the Healthcare Industry: Actionable Intelligence for an Active Threat Landscape” provides insights and practical strategies to address the specific threats faced by healthcare organizations.”
  • Security Week informed us on July 21, 2023,
    • “Researchers at cloud security startup Wiz have an urgent warning for organizations running Microsoft’s M365 platform: That stolen Microsoft Azure AD enterprise signing key gave Chinese hackers access to data beyond Exchange Online and Outlook.com.
    • “Our researchers concluded that the compromised MSA key could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams, and OneDrive,” Wiz researcher Shir Tamari said in a document posted online.
    • “Tamari said the hackers may have also accessed Microsoft customer applications that support the “login with Microsoft” functionality and multi-tenant applications in certain conditions.”
  • Also per Security Week on July 18, 2023, “At least two new Adobe ColdFusion vulnerabilities have been exploited in the wild, including one that the software giant has not completely patched.”

From the ransomware front —

  • Cyberscoop interviews an FBI official about how the agency fights ransomware.
  • The FEHBlog welcomes back Bleeping Computer’s Week in Ransomware after two weeks away. This week’s article covers news from July 8 forward.

From the cybersecurity defenses front —

  • CISA explains how to take the first steps toward better cybersecurity.
  • What’s more, CISA “has developed and published a factsheet, Free Tools for Cloud Environments, to help businesses transition into a cloud environment and identify proper tools and techniques necessary for the protection of critical assets and data security. Free Tools for Cloud Environments provides network defenders and incident response/analysts open-source tools, methods, and guidance for identifying, mitigating, and detecting cyber threats, known vulnerabilities, and anomalies while operating a cloud or hybrid environment.” 
  • HHS’s Health Sector Cybersecurity Coordination Center (HC3) on July 18, 2023, informed us about patches available for Critical and High Netscaler ADC (Citrix ADC) and Netscaler Gateway (Citrix Gateway) vulnerabilities.
  • HC3 also issued an analyst note on July 21, 2023, about Remote Identity Management.
    • “Identity theft is not limited to stolen medical records, social security numbers, and financial data. Threat actors can also target institutions by capitalizing on gaps in user access protocols, hiring processes, and mitigation capabilities to conceal some aspect of their identity and attention. Identity verification, fraud detection and user authentication are imperative when implementing a robust Identity and Access Management (IAM) program.”
  • Security Week looks into improving security awareness training for employees.
  • ISACA explains how to build cybersecurity resilience throughout an organization.

Cybersecurity Saturday

David ErmerCybersecurity, Generative AI

From the cybersecurity policy front —

  • Homeland Security Today reports
    • “This week, U.S. Senators Gary Peters (D-MI), Chairman of the Homeland Security and Governmental Affairs Committee, and Josh Hawley (R-MO), along with U.S. Representatives James Comer (R-KY) and Jamie Raskin (D-MD), Chairman and Ranking Member of the Committee on Oversight and Accountability, and Nancy Mace (R-SC) and Gerald E. Connolly (D-VA), Chairwoman and Ranking Member of the Subcommittee on Cybersecurity, Information Technology, and Government Innovation, introduced bicameral, bipartisan legislation to protect federal information technology systems. 
    • “The Federal Information Security Modernization Act (FISMA) of 2023 would improve coordination across the federal government to help civilian federal agencies and contractors protect their networks against cybersecurity threats. It also clarifies roles and responsibilities for key agencies that lead federal information security policy and operations.”
  • Cybersecurity Dive tells us,
    • The Biden administration released its implementation plan for the national cybersecurity strategy Thursday, delegating cyber initiatives to a smattering of government agencies.
    • The plan, which is designed to guide the government’s completion of the national cybersecurity strategy, comes four months after the policy blueprint was unveiled.
    • “If the strategy represents the president’s vision for the future, then this implementation plan is the roadmap to get there,” Kemba Walden, acting national cyber director, said Wednesday during a press briefing.
    • “Fundamentally, we are publishing this plan because we will only achieve our goals with a whole-of-society approach,” Walden said. * * *
    • The 57-page document divides the five pillars and 27 objectives of the national cybersecurity plan into a broader series of initiatives.
    • While the implementation plan calls for the majority of initiatives to be completed before the end of fiscal year 2024, 11 are slated to be done in FY23, which closes at the end of September.
  • Cyberscoop adds
    • “As a concept, I generally like the idea of pushing to try and harmonize regulations. There are so many different regulations for different sectors out there that it can be a little bit confusing for owner-operators,” said Will Loomis, associate director of the Atlantic Council’s Cyber Statecraft Initiative.
    • “In pushing for one big set of regulation for all critical infrastructure, you kind of risk missing a lot of the nuance that exists in the differentiation and the realities of different critical infrastructure sectors,” Loomis said.
    • “And as the U.S. government works to assess the scope of the Chinese hacking campaign that utilized a flaw in Microsoft’s cloud computing systems, Loomis said he was disappointed that the implementation plan did not look more closely at cloud security.”
  • The Wall Street Journal points out,
    • “The hack of email accounts of senior U.S. officials including the commerce secretary is the latest feat from a network of Chinese state-backed hackers whose leap in sophistication has alarmed U.S. cybersecurity officials. 
    • “The espionage was aimed at a limited number of high-value U.S. government and corporate targets. Though the number of victims appeared to be small, the attack—and others unearthed in the past few months linked to China—demonstrated a new level of skill from Beijing’s large hacker army and prompted concerns that the extent of its infiltration into U.S. government and corporate networks is far greater than currently known.”
  • In sum, crafting an effective cybersecurity strategy is a tall order.

From the cybersecurity vulnerabilities and breaches front —

  • Bleeping Computer reported on July 11,
    • “HCA Healthcare disclosed a data breach impacting an estimated 11 million patients who received care at one of its hospitals and clinics after a threat actor leaked samples of the stolen data on a hacking forum.
    • “HCA Healthcare is one of America’s largest healthcare facility owners and operators, with 182 hospitals and 2,200 care centers across 21 U.S. states and the United Kingdom.
    • “As first reported by DataBreaches.net, on July 5th, 2023, a threat actor began selling data allegedly belonging to HCA Healthcare on a forum used to sell and leak stolen data. This forum post includes samples of the stolen database, which they claim consists of 17 files and 27.7 million database records.
    • “The threat actor claims that the stolen data consists of patient records created between 2021 and 2023.
    • “The threat actor initially did not offer the database for sale but instead used the post to blackmail HCA Healthcare, giving them until July 10th to” “meet the demands.” This is likely related to financial demands, although it wasn’t explicitly mentioned.
    • “However, after not receiving a response from HCA, the hacker began selling the full database, with other threat actors expressing interest in purchasing the data.”
  • Cybersecurity Dive offers an update on the slow-moving MOVEit file transfer disasters.
    • “More than 300 organizations have been impacted by Clop’s mass exploitation of a zero-day vulnerability that Progress Software first disclosed in late May, according to threat analysts and researchers. Five additional vulnerabilities in the file-transfer service have subsequently been discovered.”
  • Speaking of zero-day vulnerabilities, Security Week reported on July 11
    • “In an unusual move, Microsoft documented “a series of remote code execution vulnerabilities” impacting Windows and Office users and confirmed it was investigating multiple reports of targeted code execution attacks using Microsoft Office documents.
    • “Redmond’s security response pros tagged the unpatched Office flaws with the CVE-2023-36884 identifier and hinted that an out-of-band patch may be released before next month’s Patch Tuesday.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) added five known exploited vulnerabilities to its catalog on July 11 and two more on July 13.
  • HHS’s Health Sector Cybersecurity Coordination Center released its report on June Vulnerabilities of Interest to the Health Sector.
    • “In June 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for June are from Microsoft, Google/Android, Apple, Mozilla, SAP, Cisco, Fortinet, VMWare, and MOVEit. A vulnerability is given the classification as a zero-day if it is actively exploited with no fix available or is publicly disclosed. HC3 recommends patching all vulnerabilities with special consideration to the risk management posture of the organization.”
  • HC3 also posted a PowerPoint titled “Artificial Intelligence, Cybersecurity and the Health Sector.”
  • Health IT Security points out
    • The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) issued a new publication entitled “Health Industry Cybersecurity Coordinated Healthcare Incident Response (HIC-CHIRP).”
    • HIC-CHIRP provides healthcare organizations with a template for navigating a coordinated incident response when faced with disruptive cyber incidents. Specifically, the publication seeks to address healthcare-specific gaps in existing incident response resources.

In ransomware news,

  • Bleeping Computer lets us know,
    • “Data from the first half of the year indicates that ransomware activity is on track to break previous records, seeing a rise in the number of payments, both big and small.
    • “According to a report by blockchain analysis firm Chainalysis, ransomware is the only cryptocurrency crime category seeing a rise this year, with all others, including hacks, scams, malware, abuse material sales, fraud shops, and darknet market revenue, recording a steep decline.”

From the cybersecurity defenses front —

  • CSO Online shares best practices for an effective cybersecurity strategy.
  • Tech Republics discusses Gartner’s 2023-24 cybersecurity outlook.
  • Forbes offers twenty cybersecurity training tips designed to make the training “stick.”

Cybersecurity Saturday

David ErmerCybersecurity, Generative AI

From the cybersecurity breaches and vulnerability front —

  • Cybersecurity Dive informed us on July 5,
    • “The widely exploited vulnerability in Progress Software’s MOVEit file transfer service has impacted nearly 200 organizations, according to Brett Callow, a threat analyst at Emsisoft.
    • “The scope of damage caused by Clop’s mass exploit of a zero-day vulnerability in MOVEit continues to snowball as third-party vendors expose multiple downstream victims. Progress discovered the zero-day over Memorial Day weekend on May 28.
    • “Despite the number of victims so far, experts anticipate more will come forward. “While many organizations have made a disclosure, a significant number have yet to do so,” Callow said via email.
    • “Progress on Wednesday released another update, including security fixes, and said it will consistently release MOVEit product updates every two months going forward.”
  • Here is a Cybersecurity and Infrastructure Security Agency (CISA) link about the Progress Software MOVEit patch.
  • CISA added another known exploited vulnerability yesterday.
  • On July 6, CISA issued a “Joint Cybersecurity Advisory on Newly Identified Truebot Malware Variants.”
    • “The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigations (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) released a joint Cybersecurity Advisory (CSA), Increased Truebot Activity Infects U.S. and Canada Based Networks, to help organizations detect and protect against newly identified Truebot malware variants. Based on confirmation from open-source reporting and analytical findings of Truebot variants, the four organizations assess cyber threat actors leveraged the malware through phishing campaigns containing malicious redirect hyperlinks.
    • “Additionally, newer versions of Truebot malware allow malicious actors to gain initial access by exploiting a known vulnerability with the Netwrix Auditor application (CVE-2022-31199). As recently as May 2023, cyber threat actors used this common vulnerability and exposure to deliver new Truebot malware variants and to collect and exfiltrate information against organizations in the U.S. and Canada.
    • “CISA, FBI, MS-ISAC, and the CCCS encourage all organizations to review this joint advisory and implement the recommended mitigations contained therein—including applying patches to CVE-2022-31199, to reduce the likelihood and impact of Truebot activity, as well as other ransomware-related incidents.” 
  • Bleeping Computer reports
    • “CISA ordered federal agencies today to patch a high-severity Arm Mali GPU kernel driver privilege escalation flaw added to its list of actively exploited vulnerabilities and addressed with this month’s Android security updates.
    • “The flaw (tracked as CVE-2021-29256) is a use-after-free weakness that can let attackers escalate to root privileges or gain access to sensitive information on targeted Android devices by allowing improper operations on GPU memory.
    • “A non-privileged User can make improper operations on GPU memory to gain access to already freed memory and may be able to gain root privilege, and/or disclose information,” Arm’s advisory reads.”
  • and
    • “Security researchers have dissected a recently emerged ransomware strain named ‘Big Head’ that may be spreading through malvertising that promotes fake Windows updates and Microsoft Word installers.
    • “Two samples of the malware have been analyzed before by cybersecurity company Fortinet, who looked at the infection vector and how the malware executes.
    • “Today [July 8], Trend Micro published a technical report on Big Head that claiming that both variants and a third they sampled originate from a single operator who is likely experimenting with different approaches to optimize their attacks.”
  • Cybersecurity Dive points out
    • “More than two-thirds of Fortinet’s FortiGate firewalls remain at risk of exploits through a vulnerability the company disclosed on June 12, according to research Bishop Fox released Friday.
    • “Researchers at Bishop Fox, an offensive security testing firm, identified 490,000 affected SSL VPN interfaces exposed to the internet and determined 69%, around 338,000, of those FortiGate firewalls are unpatched.
    • “The heap-based overflow vulnerability, CVE-2023-27997, could allow a remote attacker to execute arbitrary code or commands and has a CVSS score of 9.8 out of 10.”
  • ISACA warns us
    • “In the US, the FBI and FCC recently warned that free USB charging stations in public spaces, such as airports, hotels, hospitals, business buildings and any other type of publicly available location, can have devices hidden within them to steal data, spread malware and commit other malicious activities broadly referenced as juice jacking. The term “juice jacking” started being used several years ago to mean that while individuals using USB charging ports to charge (or “juice”) their phones, they were also having their data highjacked (“jacked”) through malicious, unnoticed skimming tech. I actually started covering this risk at a few onsite security and privacy training courses in 2010 when I first became aware of what was then an emerging new threat from a business friend, an electrical engineer, who I think may have invented what the first juice jack blocker—a data blocker for USB ports was.
    • “The malicious USB charging connection not only gives access to the phone apps and data, but it creates a connection to all the networks that the phone is connected to that do not have active access controls and blocks established when the phone was connected to the USB charger. So, malicious USB charging ports, cables and possibly other components of the public charging stations can also be used to plant ransomware, keystroke loggers and other types of malware, GPS tracking and audio eavesdropping. They can also take control of the device being charged. All these malicious activities can occur not only on the device being charged (phone, laptop, tablet, etc.) but also on devices and network components within those other connected networks.”
  • The FEHBlog notes the ISACA article offers the following suggestions plus policy advice
    • “Juice jack blockers attach to the end of your USB cable to protect against skimmers when you charge your devices in public places. This is not as bulky as hauling around most portable chargers and extra cables. I’ve purchased USB juice jack blockers for as low as two for US$12. They’re small and easily fit in a pocket without any bulkiness.
    • “It’s also a good idea to travel with personal charging devices. While not as small as juice jack blockers, they have become much smaller, with much more power, and less expensive in recent years. They limit the need to use public chargers at all.
    • “Ideally, it would be best to make sure only non-data power-only ports and cables are used in public areas. However, most cables used to support data transfer, and there is not an easy way for most folks to visually tell if a cable is charge-only.”

From the cybersecurity defenses front —

  • Cybersecurity Dive discusses “the role for AI in cybersecurity; generative AI can be an ally for new security professionals. For more seasoned security analysts, it can offer time to refine their skills through automation of repetitive tasks.” Check it out.

Cybersecurity Saturday

David ErmerCybersecurity, Generative AI

From the cybersecurity policy front

  • Cybersecurity Dive reports
    • “The White House outlined its cybersecurity budget priorities for fiscal year 2025 in a memorandum sent to executive departments and agencies Tuesday.
    • “The Biden administration is looking to connect cybersecurity investments to the five pillars of the national cybersecurity strategy it released in early March, the document shows.
    • “The letter, signed by Acting National Cyber Director Kemba Walden and Office of Management and Budget Director Shalanda Young, advises federal agencies to prioritize spending on critical infrastructure defense, disrupting and dismantling threat actors, software that is secure by design, resiliency and international partnerships. * * *
    • “Agencies that bear responsibility for disrupting ransomware are advised to submit budgets that prioritize staff resources to investigate ransomware, disrupt ransomware infrastructure and participate in interagency task forces focused on cybercrime.”
  • The Government Accountability Office issued a report on launching and implementing the national cybersecurity strategy.
    • “Federal agency information systems and national critical infrastructure are vulnerable to cyberattacks.
    • “This Snapshot covers the status of the National Cybersecurity Strategy. The strategy’s goals and strategic objectives provide a good foundation, but the Administration needs to establish specific objectives and performance measures, resource requirements, and roles and responsibilities.
    • “It will be difficult to implement the strategy when the specific details have yet to be issued. The continued vacancy in the role of National Cyber Director is also a challenge.”

From the cybersecurity vulnerabilities and breaches front —

  • Health IT Security breaks down the breach reports submitted to the HHS portal in the first six months of 2023.
    • HealthITSecurity has compiled a list of the top ten biggest healthcare data breaches reported to the HHS Office for Civil Rights (OCR) data breach portal this year as of late June 2023, based on the number of individuals impacted for each event. It is important to note that this list refers to breaches reported to OCR in 2023, but a few occurred in 2022 or earlier.
    • “Some of the biggest breaches so far this year stemmed from known cybersecurity vulnerabilities in Fortra’s GoAnywhere managed file transfer (MFT) solution and attacks on other third-party vendors, while others involved direct cyberattacks against healthcare organizations.”
  • Cybersecurity Dive tells us
    • “Fallout from Clop’s mass exploit of a zero-day vulnerability in Progress Software’s MOVEit file transfer service continues to ensnare additional victims. The prolific ransomware actor is listing new compromised systems on its leak site daily and some organizations are still disclosing breaches.
    • “At least 108 organizations, including seven U.S. universities, have been listed by Clop or disclosed as having been impacted thus far, according to Brett Callow, threat analyst at Emsisoft.
    • “The University of California, Los Angeles, is the latest organization to disclose a breach of its MOVEit platform. The school’s IT security team discovered malicious activity on June 1, a spokesperson told Cybersecurity Dive. * * *
    • “Organizations are disclosing breaches weeks after Progress first acknowledged the MOVEit vulnerability and cybersecurity experts warned about mass exploits. Two additional vulnerabilities in the file-transfer service have subsequently been discovered. * * *
    • “Some organizations have been impacted due to their direct use of MOVEit while others have been exposed as a result of third-party vendors’ use of the file transfer service, including PBI Research Services and Zellis.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) informs us
    • “The Homeland Security Systems Engineering and Development Institute, sponsored by the Department of Homeland Security and operated by MITRE, has released the 2023 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses. The CWE Top 25 is calculated by analyzing public vulnerability data in the National Vulnerability Data (NVD) for root cause mappings to CWE weaknesses for the previous two calendar years. These weaknesses lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, steal data, or prevent applications from working. 
    • “The 2023 CWE Top 25 also incorporates updated weakness data for recent CVE records in the dataset that are part of CISA’s Known Exploited Vulnerabilities Catalog (KEV)
    • “CISA encourages developers and product security response teams to review the CWE Top 25 and evaluate recommended mitigations to determine those most suitable to adopt. Over the coming weeks, the CWE program will be publishing a series of further articles on the CWE Top 25 methodology, vulnerability mapping trends, and other useful information that help illustrate how vulnerability management plays an important role in Shifting the Balance of Cybersecurity Risk.”
  • On June 29, 2023, CISA added eight known exploited vulnerabilities to its Catalog.
  • The Cybersecurity and Infrastructure Security Agency advises us
    • “CISA is aware of open-source reporting of targeted denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks against multiple organizations in multiple sectors. These attacks can cost an organization time and money and may impose reputational costs while resources and services are inaccessible.
    • “If you think you or your business is experiencing a DoS or DDoS attack, it is important to contact the appropriate technical professionals for assistance.
    • “Contact your network administrator to confirm whether the service outage is due to maintenance or an in-house network issue. Network administrators can also monitor network traffic to confirm the presence of an attack, identify the source, and mitigate the situation by applying firewall rules and possibly rerouting traffic through a DoS protection service.
    • “Contact your internet service provider to ask if there is an outage on their end or if their network is the target of an attack and you are an indirect victim. They may be able to advise you on an appropriate course of action.
    • “Organizations can take proactive steps to reduce the effects of an attack—See the following guidance for more information:

From the ransomware front, here is a link to Bleeping Computer’s the Week in Ransomware.

From the cybersecurity defenses front —

  • Venture Beat reports
    • “Forrester’s recent report, The State of Cloud in Healthcare, 2023, provides an insightful look at how healthcare providers are fast-tracking their cloud adoption with the hope of getting cybersecurity under control. Eighty-eight percent of global healthcare decision-makers have adopted public cloud platforms, and 59% are adopting Kuber netesto ensure higher availability for their core enterprise systems. On average, healthcare providers spend $9.5 million annually across all public cloud platforms they’ve integrated into their tech stacks. It’s proving effective — to a point.
    • “What’s needed is for healthcare providers to double down on zero trust, first going all-in on identity access management (IAM) and endpoint security. The most insightful part of the Forrester report is the evidence it provides that continuing developments from Amazon Web ServicesGoogle Cloud PlatformMicrosoft Azure and IBM Cloud are hitting the mark with healthcare providers. Their combined efforts to prove cloud platforms are more secure than legacy network servers are resonating.”
  • CISA released cloud services guidance and resources.
  • Cybersecurity Dive points out that “Long before a data breach, well-prepared companies set up incident response teams with workers from multiple departments.”

Cybersecurity Saturday

David ErmerCybersecurity, Generative AI

From the cybersecurity policy front —

  • Nextgov reports,
    • “Cybersecurity experts are warning that a potential cyber leadership vacuum in the federal government may prevent agencies from recovering and responding to a sprawling ransomware attack that has already exposed millions of Americans’ personal data.
    • “A senior official with the Cybersecurity and Infrastructure Security Agency confirmed on a call with reporters last week that several federal civilian agencies were among the victims in a widespread cyberattack that exploited a vulnerability discovered in the popular MOVEit file-transfer product developed by Progress Software. The attack is believed to have been carried out by CL0p, a Russian-linked ransomware gang otherwise known as TA505. Since the news of the global attack was first reported, a variety of federal and state agencies, banks and private sector organizations also confirmed they were victims and that data may have been stolen from millions of customers.
    • “The Office of the National Cyber Director was established under the National Defense Authorization Act for fiscal year 2021 in large part to provide coordination and guidance across the federal government on cybersecurity matters, including incident response and crisis management. Chris Inglis, the first-ever Senate-confirmed national cyber director, stepped down in February after helping to develop the new national cyber strategy released earlier this year. President Joe Biden has not yet nominated a replacement to fill the post.” 
  • Cybersecurity Dive adds,
    • “The U.S. State Department is offering a $10 million bounty related to information on the Clop ransomware gang, which is attributed to broad exploits of the MOVEit transfer vulnerabilities with victims that include federal agencies.  
    • “The Department of Energy confirmed data was impacted by an attack, and reports from CNN indicate a possible attack is being investigated against the Office of Personnel Management. The U.S. Department of Agriculture is also dealing with a third-party vendor data breach.” 
  • Cyberscoop tells us,
    • “The Department of Justice established a cyber-focused section within its National Security Division to combat the full range of digital crimes, a top department official said Tuesday.
    • “The National Security Cyber Section — NatSec Cyber, for short — has been approved by Congress and will elevate cyberthreats to “equal footing” with other major national security issues, including counterterrorism and counterintelligence, Assistant Attorney General for National Security Matt Olsen said in remarks at the Hoover Institution in Washington. 
    • “The new section enables the agency to “increase the scale and speed of disruption campaigns and prosecutions of nation-state cyberthreats as well as state-sponsored cybercriminals, associated money launderers, and other cyber-enabled threats to national security,” Olsen said. 
    • “The NatSec Cyber Center arrives at a time of growing concern about nation-state cyberattacks especially originating from Russia and China. Last week, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, warned Americans to be prepared for a major Chinese cyberattack. “This, I think, is the real threat that we need to be prepared for, and to focus on, and to build resilience against,” she said at an event in Washington.”
  • The Cybersecurity and Infrastructure Security Agency shares a “Readout from CISA’s 2023 Second Quarter Cybersecurity Advisory Committee Meeting.”
  • The National Institutes of Standards and Technology announced on June 22, 2023,
    • “U.S. Secretary of Commerce Gina Raimondo announced that the National Institute of Standards and Technology (NIST) is launching a new public working group on artificial intelligence (AI) that will build on the success of the NIST AI Risk Management Framework to address this rapidly advancing technology. The Public Working Group on Generative AI will help address the opportunities and challenges associated with AI that can generate content, such as code, text, images, videos and music. The public working group will also help NIST develop key guidance to help organizations address the special risks associated with generative AI technologies. The announcement comes on the heels of a meeting President Biden convened earlier this week with leading AI experts and researchers in San Francisco, as part of the Biden-Harris administration’s commitment to seizing the opportunities and managing the risks posed by AI. * * *
    • “[Also on June 22], the National Artificial Intelligence Advisory Committee delivered its first report to the president and identified areas of focus for the committee for the next two years. The full report, including all of its recommendations, is available on the AI.gov website.
    • “Questions about the public working group or NIST’s other work relating to generative AI may be sent to: generativeAI@nist.gov

From the cybersecurity vulnerabilities and breaches front —

  • Cybersecurity Dive offers details on the MoveIT file transfer program vulnerability and resulting breaches.
    • “Big names disclose MOVEit-related breaches, including PwC, EY and Genworth Financial
    • “More than 100 organizations have been hit as part of the MOVEit attack campaign, including PBI Research Services, which exposed millions of customer data files to theft.”
  • Cyberscoop informs us,
    • “Apple issued a security update on Wednesday for all its operating systems to patch dangerous vulnerabilities that could allow attackers to take over someone’s entire device. 
    • “The vulnerabilities in question first revealed on June 1, appeared to have led the main Russian intelligence agency to make unusually public claims that Apple intentionally left the flaws in its iOS so the National Security Agency and other U.S. entities could compromise “thousands” of iPhones in Russia. Apple has denied those claims.
    • “The charges from the Federal Security Service, or FSB, came the same day that researchers with cybersecurity firm Kaspersky published a report detailing what they said was an “ongoing” zero-click iMessage exploit campaign dubbed “Operation Triangulation” targeting iOS that allowed attackers to run code on phones with root privileges, among other capabilities. Kaspersky published an additional analysis Wednesday, saying that after roughly six months of collecting and analyzing the data, “we have finished analyzing the spyware implant and are ready to share the details.”
  • HHS’s healthcare sector cybersecurity coordination center (HC3) issued an analyst note on “SEO poisoning.”
    • Search engine optimization (SEO) poisoning, considered a type of malvertising (malicious advertising), is a technique used by threat actors to increase the prominence of their malicious websites, making them look more authentic to consumers. SEO poisoning tricks the human mind, which naturally assumes the top hits are the most credible, and is very effective when people fail to look closely at their search results. This can lead to credential theft, malware infections, and financial losses. As more organizations utilize search engines and healthcare continues to digitally transform, SEO poisoning is becoming a larger security threat. HC3 has observed this attack method being used recently and frequently against the U.S. Healthcare and Public Health (HPH) sector.
  • Security Week relates,
    • “The National Security Agency (NSA) has published technical mitigation guidance to help organizations harden systems against BlackLotus UEFI bootkit infections.
    • “The NSA’s recommendations provide a blueprint for defenders to protect systems from BlackLotus, a stealthy malware that emerged on underground forums in late 2022 with capabilities that include user access control (UAC) and secure boot bypass, unsigned driver loading, and prolonged persistence.”
  • This week, CISA added six and then five more known exploited vulnerabilities to its catalog.

From the ransomware front, here is the link to Bleeping Computer’s The Week in Ransomware.

From the cybersecurity defenses front —

  • Health IT Security points out,
    • Cyber resilience is crucial to business continuity amid a cyber incident, as it ensures that systems can recover quickly. As such, it is no surprise that cyber resilience would be top-of-mind for organizations undergoing a digital transformation.  
    • “In Accenture’s new “State of Cybersecurity Resilience 2023” report, researchers exemplified the benefits of cyber resilience by identifying a group of companies that it calls “cyber transformers.”
    • “Cyber transformers, according to Accenture, “strike a balance between excelling at cyber resilience and aligning with the business strategy to achieve better business outcomes.”
  • NIST announced
    • “NIST’s IoT cybersecurity guidance has long recognized the importance of secure software development (SSDF) practices, highlighted by the NIST IR 8259 series—such as the recommendation for documentation in Action 3.d of NIST IR 8259B, that manufacturers have considered and documented their “secure software development and supply chain practices used.” The NIST SSDF (NIST SP 800-218)describes software development practices that can aid manufacturers in developing IoT products by providing guidance for the secure development of software and firmware. These development practices can also provide assurance to customers regarding how those products were developed and how the manufacturer will support them. When used together, NIST’s SSDF and IoT cybersecurity guidance help manufacturers design and deliver more secure IoT products to customer.”

Cybersecurity Saturday

David ErmerCybersecurity

From the cybersecurity policy front, the Wall Street Journal offers its quarterly cyber regulations update for June 2023.

From the cybersecurity vulnerabilities and breaches front —

  • On June 16, HHS’s health sector Cybersecurity Coordination Center (HC3) announced
    • “On May 31, 2023, a Progress Software (formerly IPSwitch) published a notification disclosing that a critical vulnerability exists in their MOVEit Transfer software, which could result in unauthorized access and privilege escalation. The vulnerability is a SQL injection flaw that allows for escalated privileges and potential unauthorized access. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content. As of June 15, 2023, the vulnerability has been serialized with two separate CVEs: CVE-2023-35708 and CVE 2023-35036. The updates can be found on the Progress Security Center webpage.”
  • HC3 also released its May 2023 Cybersecurity Vulnerabilities Bulletin.
  • The Cybersecurity and Infrastructure Security Agency (CISA) added one more known exploited vulnerability to its catalog.
  • Health IT Security reports
    • “Johns Hopkins University and Johns Hopkins Health are actively investigating a cyberattack and data breach that occurred on May 31. Johns Hopkins said that the attack involved a “widely used software tool” and impacted “thousands of other large organizations across the world.”
    • “While the notice does not explicitly mention MOVEit, the timeline of the attack lines up with the discovery of a critical vulnerability in Progress Software’s MOVEit Transfer software, a widely used software tool.
    • “As previously reported, Clop ransomware has taken a special interest in this vulnerability and began exploiting the previously unknown SQL injection vulnerability on May 27.”
  • The Associated Press adds
    • “The Department of Energy and several other federal agencies were compromised in a Russian cyber-extortion gang’s global hack of a file-transfer program popular with corporations and governments [MOVEit], but the impact was not expected to be great, Homeland Security officials said Thursday.
    • “But for others among what could be hundreds of victims from industry to higher education — including patrons of at least two state motor vehicle agencies — the hack was beginning to show some serious impacts. 
    • “Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, told reporters that unlike the meticulous, stealthy SolarWinds hacking campaign attributed to state-backed Russian intelligence agents that was months in the making, this campaign was short, relatively superficial and caught quickly. 
    • “Based on discussions we have had with industry partners … these intrusions are not being leveraged to gain broader access, to gain persistence into targeted systems, or to steal specific high value information— in sum, as we understand it, this attack is largely an opportunistic one,” Easterly said.”

From the cybersecurity threat actors front —

  • HC3 issued a threat actor profile on FIN11
    • “FIN11 is a cybercriminal group that has been active since at least 2016, originating from the Commonwealth of Independent States (CIS). While the group has historically been associated with widespread phishing campaigns, the group has shifted towards other initial access vectors. FIN11 often runs high-volume operations mainly targeting companies in various industries in North America and Europe for data theft and ransomware deployment, primarily leveraging CL0P (aka CLOP). The group has targeted pharmaceutical companies and other health care targets during the COVID-19 pandemic and continues to target the health sector. The group is behind multiple high-profile, widespread intrusion campaigns leveraging zero-day vulnerabilities. It is likely that FIN11 has access to the networks of far more organizations than they are able to successfully monetize, and choose if exploitation is worth the effort based on the location of the victim, their geographical location, and their security posture. This Threat Actor Profile provides information associated with FIN11, including recent campaigns, associated malware, CVEs exploited, and TTPs.”
  • HHS’s Administration for Strategic Preparedness and Response released a TimisoaraHackerTeam analysis.
  • On June 13, “CISA, the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and international partners released Understanding Ransomware Threat Actors: LockBit, a joint Cybersecurity Advisory (CSA) to help organizations understand and defend against threat actors using LockBit, the most globally used and prolific Ransomware-as-a-Service (RaaS) in 2022 and 2023. This guide is a comprehensive resource detailing the observed common vulnerabilities and exposures (CVEs) exploited, as well as the tools, and tactics, techniques, and procedures (TTPs) used by LockBit affiliates. Additionally, it includes recommended mitigations to help reduce the likelihood and impact of future ransomware incidents.”
  • On June 15 Cybersecurity Dive reported
    • “A suspected threat actor affiliated with China is exploiting a subset of compromised Barracuda Email Security Gateway SG devices to launch a widespread espionage campaign in support of the People’s Republic of China, according to a report released Thursday by Mandiant. 
    • “The threat actor, tracked as UNC4841, has been sending emails with malicious attachments since October 2022, in order to exploit the zero-day vulnerability disclosed in May. The hackers used a variety of custom malware to maintain a presence in targeted systems, and most of the exploitation taking place in the Americas. 
    • “This is the broadest cyber espionage campaign known to be conducted by a China-nexus threat actor since the mass exploitation of Microsoft Exchange in 2021,” Charles Carmakal, CTO of Mandiant Consulting, Google Cloud said in a statement. “In the Barracuda instance, the threat actor compromised email security appliances of hundreds of organizations.”

From the ransomware front, we have the latest Week in Ransomware from the Bleeping Computer.

From the cybersecurity defenses front

  • Cybersecurity Dive tells us “LastPass CEO reflects on lessons learned, regrets and moving forward from a cyberattack; Karim Toubba is ready to talk nearly a year after LastPass suffered a cyberattack that became one of the biggest security blunders of 2022.”
  • On June 13,
    • “The Cybersecurity and Infrastructure Security Agency (CISA) today issued Binding Operational Directive (BOD) 23-02, Mitigating the Risk from Internet-Exposed Management Interfaces, which requires federal civilian agencies to remove specific networked management interfaces from the public-facing internet or implement Zero Trust Architecture capabilities that enforce access control to the interface within 14 days of discovery.
    • “Recent threat campaigns underscore the grave risk to the federal enterprise posed by improperly configured network devices. As part of CISA and the broad U.S. government’s effort to move the federal civilian enterprise to a more defensible posture, this Directive will further reduce the attack surface of the federal government networks.”
  • On June 14,
    •  CISA, together with the National Security Agency (NSA), releasedCybersecurity Information Sheet (CSI), highlighting threats to Baseboard Management Controller (BMC) implementations and detailing actions organizations can use to harden them. 
    • “BMCs are trusted components designed into a computer’s hardware that operate separately from the operating system (OS) and firmware to allow for remote management and control, even when the system is shut down. Hardened credentials, firmware updates, and network segmentation options are often overlooked, leading to a vulnerable BMC. A vulnerable BMC broadens the attack vector by providing malicious actors the opportunity to employ tactics such as establishing a beachhead with pre-boot execution potential.  
    • “CISA and NSA encourage all organizations managing servers to apply the recommended actions in this CSI.”
  • Also on June 15,
    • “Progress Software has released a security advisory for a privilege escalation vulnerability (CVE-2023-35708) in MOVEit Transfer—a Managed File Transfer Software. A cyber threat actor could exploit this vulnerability to take control of an affected system.
    • “CISA urges users and organizations to review the MOVEit Transfer advisory, follow the mitigation steps, and apply the necessary updates when available.”