From the cybersecurity policy and law enforcement front,

• Federal News Network tells us,
  • “President-elect Donald Trump’s pick to lead the Department of Homeland Security is signaling potential changes at the Cybersecurity and Infrastructure Security Agency.
  • “South Dakota Gov. Kristi Noem, nominated by Trump to serve as homeland security secretary, testified before the Senate Homeland Security and Governmental Affairs Committee on Friday. She fielded a range of questions, largely on border security and immigration enforcement.
  • “On the cybersecurity front, Noem in her opening statement said she would prioritize a “comprehensive, whole-of-government approach to cybersecurity,” without offering further specifics.
  • “I fully acknowledge that people in Washington, DC do not have all of the answers, and therefore I will leverage private, public partnerships,” Noem added as part of her opening statement. “I will advance cutting edge state of the art technologies to protect our nation’s digital landscape.”

• Cybersecurity Dive lets us know,
  • “The White House rolled out a highly anticipated executive order on Thursday [January 16, 2025] to combat a rising level of sophisticated attacks targeting U.S. government agencies, critical infrastructure providers and high-profile individuals by state-linked threat groups and other malign actors. 
  • “The executive order will give the U.S. more authority to level sanctions against malicious actors that have disrupted hospitals and other critical providers. 
  • “Federal authorities also plan to leverage the government’s $100 billion in annual IT spending to make sure technology companies develop more secure software.” * * *
  • To help increase security in the public and private sector, the executive order aims to: 
    • Give the U.S. more authority to level sanctions against hackers that have critical providers, including hospitals. 
    • Require software vendors doing business with the federal government to prove they are using secure development practices. The federal government plans to validate that evidence and publish the information to help private sector buyers make informed decisions on secure software. 
    • The National Institute for Standards and Technology will develop guidance on how to deploy software updates in a secure and reliable manner. 
    • The General Services Administration will develop guidance on how cloud customers can securely use these products.  
    • Identify minimum cybersecurity standards for companies working with the federal government. Bureaucracy and cybersecurity requirements for using federal information systems will be streamlined for three years. 
    • Federal authorities will begin research into AI-based tools to search for software vulnerabilities, manage patching and detect threats. A public-private partnership will be developed to use AI to protect critical infrastructure in the energy sector. 
    • The U.S. will only buy internet-connected devices that meet Cyber Trust Mark standards starting in 2027.   

• Cyberscoop adds,
  • “A sweeping executive order on cybersecurity released Thursday won largely positive reviews, with the main question being its timing — and what will come of it with the executive branch set to be handed over from president to president.”

• NextGov/FCW informs us,
  • The Office of Personnel Management did not take long nor have to look too far to find its next chief information officer.
  • Melvin Brown II, who previously served as OPM’s deputy chief information officer, was named OPM’s chief information officer this week, according to a LinkedIn post he published Sunday January 12, 2025.

• Cyberscoop relates,
  • “The Department of the Treasury has sanctioned a Chinese national and a cybersecurity company based in Sichuan, China, for taking part in the Salt Typhoon hacking campaign that has swept up data from at least nine U.S. telecommunications companies.
  • “The department’s Office of Foreign Assets Control (OFAC) named Yin Kecheng of Shanghai and the Sichuan Juxinhe Network Technology Co. Ltd., as entities that had “direct involvement” in the Salt Typhoon campaign. Kecheng is described as an affiliate of the Chinese Ministry of State Security with over a decade of hacking experience.
  • “Kecheng is also alleged to have been involved in a recent hack of the Treasury Department.”

• Per HHS news releases,
  • “[On January 14, 2025,] the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Solara Medical Supplies, LLC (Solara), a supplier and direct-to-patient distributor of continuous glucose monitors, insulin pumps, and other supplies to patients with diabetes, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule and Breach Notification Rule following a [2019] breach of electronic protected health information (ePHI) caused by a phishing incident.” * * *
  • “In November 2019, OCR received a breach report concerning a phishing attack in which an unauthorized third party gained access to eight of Solara’s employees’ email accounts between April and June 2019, resulting in the breach of 114,007 individuals’ ePHI. In January 2020, OCR received notification of a second breach, when Solara reported that it had sent 1,531 breach notification letters to the wrong mailing addresses. OCR’s investigation determined that Solara failed to conduct a compliant risk analysis to identify the potential risks and vulnerabilities to ePHI in Solara’s systems; failed to implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level; and failed to provide timely breach notification to individuals, HHS, and the media.
  • “Under the terms of the resolution agreement, Solara agreed to implement a corrective action plan that will be monitored by OCR for two years and pay $3,000,000 to OCR.” * * *
  • “The resolution agreement and corrective action plan may be found here.”
• and
  • “[On January 15, 2025,] the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Northeast Surgical Group, P.C. (NESG), a provider of surgical services in Michigan, for a potential violation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.” * * *
  • “In March 2023, OCR received a breach report concerning a ransomware incident that had affected NESG’s information system. NESG concluded that the protected health information of 15,298 patients had been encrypted and exfiltrated from its network. OCR’s investigation determined that NESG had failed to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in NESG’s systems.
  • “Under the terms of the resolution agreement, NESG agreed to implement a corrective action plan that OCR will monitor for two years and paid $10,000 to OCR.: * * *
  • “The resolution agreement and corrective action plan may be found here.”

From the cybersecurity vulnerabilities and breaches front,

• Per Cybersecurity Dive,
  • “The Cybersecurity and Infrastructure Security Agency spotted Salt Typhoon on federal networks before defenders discovered the China-sponsored threat group intruded into U.S. telecom systems, Director Jen Easterly said Wednesday.
  • “CISA’s sleuthing “enabled law enforcement to unravel and ask for process on virtual private servers,” Easterly said during an onstage interview at the Foundation for Defense of Democracies. Details gathered from that investigation and response allowed CISA to discover Salt Typhoon and its activities, Easterly said.” * * *
  • “CISA’s observations didn’t prevent Salt Typhoon from attacking the telecom networks en masse, but Easterly presented the agency’s threat hunting and intelligence gathering capabilities as an example of intra-government and public-private collaboration improvements made under her stewardship of the agency.
  • “Easterly is scheduled to step down as CISA director when the President-elect Donald Trump takes office next week.”
• and
  • Threat hunters are scrambling to determine the scope of damage and potential impact from a critical zero-day vulnerability that impacts a trio of Ivanti products, including Ivanti Connect Secure VPN appliances.
  • Shadowserver scans identified more than 900 unpatched Ivanti Connect Secure instances on Sunday [January 12, 2025] and said the devices are likely vulnerable to exploitation. The amount of unpatched and vulnerable instances found by Shadowserver scans is down from more than 2,000 on Thursday [January 9, 2025].
  • The nonprofit, which analyzes and shares malicious activity with more than 200 national computer security incident response teams covering 175 countries, was asked not to disclose how it knows these instances are unpatched, but has yet to receive any false positive feedback, Shadowserver CEO Piotr Kijewski told Cybersecurity Dive via email on Friday.
  • Researchers are especially concerned about widespread exploitation of the zero-day because of previous cyberattacks linked to software defects in Ivanti products.

• CISA added seven more known exploited vulnerabilities to its catalog this week.
  • January 13, 2025
    • CVE-2024-12686 BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) OS Command Injection Vulnerability
    • CVE-2023-48365 Qlik Sense HTTP Tunneling Vulnerability
  • January 14, 2025
    • CVE-2024-55591 Fortinet FortiOS Authorization Bypass Vulnerability
    • CVE-2025-21333 Microsoft Windows Hyper-V NT Kernel Integration VSP Heap-based Buffer Overflow Vulnerability
    • CVE-2025-21334 Microsoft Windows Hyper-V NT Kernel Integration VSP Use-After-Free Vulnerability
    • CVE-2025-21335 Microsoft Windows Hyper-V NT Kernel Integration VSP Use-After-Free Vulnerability
  • January 16, 2025
    • CVE-2024-50603 Aviatrix Controllers OS Command Injection Vulnerability

• More details from

• Cybersecurity Dive
  • “The Cybersecurity and Infrastructure Security Agency added a command injection vulnerability in BeyondTrust Remote Support and Privileged Access Products to its catalog of known exploited vulnerabilities on Monday [January 13, 2025]. 
  • “The medium-severity flaw, listed as CVE-2024-12686, allows an attacker with administrative privileges to inject commands into a computer network and run as if they are a site user. The vulnerability has a CVSS score of 6.6. 
  • “The CVE is the second vulnerability disclosed by BeyondTrust during its investigation into an attack spree in December. The attacker reset the passwords of numerous accounts after compromising a Remote Support SaaS API key. A limited number of RemoteSupport SaaS customers were impacted by the attacks.” 

• CSO Online
  • Fortinet has confirmed the existence of a critical authentication bypass vulnerability in specific versions of FortiOS firewalls and FortiProxy secure web gateways. The flaw has been exploited in the wild since early December in what appears to be an indiscriminate and widespread campaign, according to cybersecurity firm Arctic Wolf.
  • The fix for this zero-day is part of a bigger patch cycle by Fortinet, which released updates for 29 vulnerabilities across multiple products, 14 of which impact FortiOS, the operating system used in Fortinet’s FortiGate firewalls. Some of the flaws impact multiple products that share the same code, which is the case for the zero-day now tracked as CVE-2024-55591.
  • Although Fortinet does not credit Arctic Wolf with discovering the vulnerability, the indicators of compromise listed in the advisory match the analysis of the attack campaign Arctic Wolf warned about in December and documented in more detail on Friday.

• Security Week
  • “The software giant [Microsoft] on Tuesday called urgent attention to three separate flaws in the Windows Hyper-V NT Kernel Integration Virtualization Service Provider (VSP) and warned that malicious attackers are already launching privilege escalation exploits.
  • “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said in a series of barebones advisories.
  • “As is customary, the company did not release technical details or IOCs (indicators of compromise) to help defenders hunt for signs of compromise.
  • “The three exploited zero-days — CVE-2025-21334, CVE-2025-21333 and CVE-2025-21335 — affect the Windows Hyper-V NT Kernel Integration Virtualization Service Provider (VSP) that handles efficient resource management and communication between the host system and guest virtual machines (VMs).” 
• and
  • Threat actors are exploiting a critical-severity remote code execution (RCE) vulnerability in Aviatrix Controller to deploy malware, cybersecurity firm Wiz reports.
  • The issue, tracked as CVE-2024-50603 (CVSS score of 10/10), exists because user-supplied input is not properly neutralized, allowing unauthenticated, remote attackers to inject arbitrary code that is executed with high privileges on the Aviatrix cloud networking platform.
  • The solution is designed to help organizations manage and secure their cloud infrastructure across multiple providers from a single place.
  • Impacting certain endpoints within the Aviatrix Controller’s API, which is implemented in PHP, the vulnerability was patched in December, but technical information on it was only published last week.

From the ransomware front,

• Cybersecurity Dive reports on January 17, 2025,
  • Blue Yonder said it is investigating a threat after Clop listed the supply chain management company among nearly 60 companies the ransomware group claims it hacked. The attacks were linked to exploited vulnerabilities in Cleo file-transfer software, according to researchers from Zscaler and Huntress. 
  • A spokesperson for Blue Yonder on Friday confirmed the company uses Cleo to manage certain file transfers. Once the zero-day was confirmed, Blue Yonder said it immediately took steps to mitigate the threat.
  • “Like many Cleo Harmony customers across the globe, we are currently investigating any potential impact of this matter on our business and we continue to update our customers as we have additional information,” the spokesperson told Cybersecurity Dive via email.”

• CISO Online alerts us on January 13, 2025,
  • CISOs are being warned to make sure employees take extra steps to protect their AWS access keys after word that a threat actor is using stolen login passwords for ransomware attacks.
  • The target is Amazon S3 buckets and the attack uses AWS’ own encryption to make data virtually unrecoverable without paying the attackers for a decryption key, said a report by researchers at Halcyon Tech.
  • “Unlike traditional ransomware that encrypts files locally or in transit, this attack integrates directly with AWS’s secure encryption infrastructure,” the report notes. “Once encrypted, recovery is impossible without the attacker’s key.” * * *
  • “There are, however, a few things AWS customers’ IT administrators can do:
    • “use the Condition element in IAM (identity and access management) policies to prevent the application of SSE-C to S3 buckets. Policies can be configured to restrict this feature to only authorized data and users;
    • “enable detailed logging for S3 operations to detect unusual activity, such as bulk encryption or lifecycle policy changes;
    • “regularly review permissions for all AWS keys to ensure they have the minimum required access;
    • ‘disable unused keys and rotate active ones frequently.
  • “In a statement accompanying the Halcyon report, AWS referred customers to this web page with information for administrators on how to deal with suspected unauthorized activity on their accounts.”

• Per Industrial Cyber,
  • “The U.S. National Institute of Science and Technology (NIST) through its National Cybersecurity Center of Excellence (NCCoE) division published Monday draft Ransomware Community Profile reflects changes made to the Cybersecurity Framework (CSF) from CSF 1.1 to CSF 2.0 which identifies security objectives that support managing, detecting, responding to, and recovering from ransomware events. The NIST IR 8374 Rev. 1 (draft) comes as the agency is currently considering a more comprehensive revision to the profile to reflect recent ransomware policy developments and incorporate the results of collaborative activities in the ransomware prevention and response space. 
  • “NIST is seeking feedback by March 14, 2025, on the revised draft of the risk management framework, which will guide the future of its ransomware prevention guidance. General comments on the draft are also encouraged. The agency is also looking for input on which elements of the Ransomware Community Profile have been beneficial. Suggestions for improvements to the Community Profile are also welcome.”

From the cybersecurity defense front,

• Here are CISA news releases from the last week of the Biden administration:
  • “The Cybersecurity and Infrastructure Security Agency (CISA) published today [January 14, 2025] the Joint Cyber Defense Collaborative (JCDC) Artificial Intelligence (AI) Cybersecurity Collaboration Playbook. Developed alongside federal, international, and private-sector partners through JCDC, this playbook provides the AI community—including AI providers, developers, and adopters—with essential guidance on how to voluntarily share actionable incident information and it describes how proactive information sharing can enhance operational collaboration and improve resilience of AI systems.” 
  • “The Cybersecurity and Infrastructure Security Agency (CISA), in close coordination with the Office of Management and Budget (OMB), Office of the National Cyber Director (ONCD) and Microsoft, announces today [January 15, 2025] the release of Microsoft Expanded Cloud Log Implementation Playbook. This guidance helps public and private sector organizations using Microsoft Purview Audit (Standard) to operationalize newly available cloud logs to be an actionable part of their enterprise cybersecurity operations.”
  • CISA Director Jen Easterly’s final CISA blog post concerns “Strengthening America’s Resilience Against the PRC Cyber Threats.”
    
• Here is a link to Dark Reading’s CISO Corner.

From the cybersecurity policy and law enforcement front,

• Bloomberg alerts us,
  • “The Biden administration is racing to put out an executive order meant to shore up US cybersecurity in its dwindling days in office, according to four people familiar with the matter.
  • “The executive order, which has cleared some internal hurdles and is close to being published, incorporates lessons from a series of major breaches during the Biden administration, including the most recent Treasury Department hack attributed to China, according to people familiar with the matter who didn’t want to be named to discuss information that hasn’t yet been made public.
  • “Among the measures, it directs the government to implement “strong identity authentication and encryption” across communications, according to an undated draft of the order seen by Bloomberg News. In the December Treasury hack, intruders accessed unclassified documents stored locally on laptops and desktop computers. Encrypting information sent by email and worked on in the cloud could help safeguard it from hackers who successfully access systems but then cannot open specific documents.” * * *
  • “Whether President-elect Donald Trump will leave the executive order in place when he takes office remains unclear, though he’s vowed to pare back federal regulation. Trump has signaled that he intends to repeal another Biden administration order intended to provide guardrails around artificial intelligence.” 

• Federal News Network provides more details on the draft EO for those interested.

• Dark Reading reports,
  • “Yesterday [January 7, 2025] the White House introduced a cybersecurity labeling program for wireless Internet-connected devices, intended to help Americans make more informed decisions about the products they buy and their security.
  • “As Americans continue to add Internet of Things (IoT) devices to their home networks — everything from baby monitors to security cameras — there are growing concerns about the safety of these devices and their vulnerability to hackers. The goal of this label is to guide consumers to more secure products as well as encourage vendors in their cyber practices.
  • “Known as the “US Cyber Trust Mark,” the label has been a long time coming, with the Federal Communications Commission gathering input over the past 18 months. In a bipartisan and unanimous vote, the FCC authorized the program and said 11 vendors will act as label administrators while UL Solutions will serve as the lead administrator.
  • “The White House launched this bipartisan effort to educate American consumers and give them an easy way to assess the cybersecurity of such products, as well as incentivize companies to produce more cybersecure devices, much as EnergyStar labels did for energy efficiency,” the White House brief read.”
  • “Though this new system has good intentions for both consumers and vendors, there are concerns and speculation as to how effective this cybersecurity label will be.” Read the article for those details.

• Here’s a link to the Federal Register version of the recent proposed HIPAA Security Rule amendments which appears in the January 6, 2025, issue. The public comment deadline is March 7, 2025.

• Fedscoop tells us,
  • “Guy Cavallo, the chief information officer of the Office of Personnel Management since July 2021, will retire from federal service on Jan. 13, he confirmed to FedScoop.
  • “Cavallo leaves federal service having held several top technology roles over the past decade, including as deputy CIO of the Small Business Administration and executive director of IT operations at the Transportation Security Administration. He also served as OPM’s principal deputy CIO and acting CIO before being named permanent CIO.
  • “As the longest-tenured CIO of OPM in recent memory, Cavallo led that charge on a two-year sprint replacing or migrating over 50 applications from legacy on-premises data centers to the cloud and the launch of the new Postal Health Benefits System last year for more than 1.7 million postal workers and retirees. He touted the system as fully operational 100% of the time with no unscheduled downtime throughout the Open Season.
  • “Cavallo also led OPM to winning several Technology Modernization Fund awards in recent years, the most recent of which came in late 2024 to support the use of artificial intelligence to update legacy mainframe programs for OPM’s retirement systems.“

• The National Institute of Standards and Technology announced on January 8,
  • NIST extends the public comment period on the initial public draft (ipd) of NIST Special Publication (SP) 800-172r3 (Revision 3), Enhanced Security Requirements for Protecting Controlled Unclassified Information (CUI) until January 17, 2025. 
  • NIST strongly encourages you to use the comment template and submit comments to 800-171comments@list.nist.gov. Comments received in response to this request will be posted on the Protecting CUI project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed.
  • For more information, see the NIST Protecting CUI Project.

• Per HHS press releases,
  • “[On January 7, 2025], the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced an $80,000 settlement with Elgon Information Systems (Elgon), a Massachusetts company that provides electronic medical record and billing support services to covered entities, under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that covered entities (health plans, health care clearinghouses, and most health care providers), and business associates must follow to protect the privacy and security of protected health information (PHI). The HIPAA Security Rule establishes national standards to protect and secure our health care system by requiring administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI (ePHI). The settlement resolves an investigation concerning a ransomware attack on Elgon’s information system.” * * *
  • The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/elgon-inc-ra-cap/index.html
• and
  • [Also on January 7, 2025], the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $90,000 settlement with Virtual Private Network Solutions, LLC (VPN Solutions), a Virginia business associate that provides data hosting and cloud services to covered entities (health plans, health care clearinghouses, and most health care providers) and business associates, for a potential violation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that covered entities (health plans, health care clearinghouses, and most health care providers), and business associates must follow to protect the privacy and security of protected health information (PHI). The HIPAA Security Rule establishes national standards to protect and secure our health care system by requiring administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI (ePHI). The settlement resolves an investigation concerning a ransomware attack on VPN Solutions’ information system.” * * *
  • “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/vpns-ra-cap/index.html

• Per Cyberscoop,
  • “Microsoft is petitioning a Virginia [federal] court to seize software and shut down internet infrastructure that they allege is being used by a group of foreign cybercriminals to bypass safety guidelines for generative AI systems.
  • “In a filing with the Eastern District Court of Virginia, Microsoft brought a lawsuit against ten individuals for using stolen credentials and custom software to break into computers running Microsoft’s Azure OpenAI services to generate “harmful content.”
  • “In a complaint filed Dec. 19, 2024, the company accuses the group of violating the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, the Lanham Act and the Racketeer Influence and Corrupt Organizations Act, as well as trespass to chattels and tortious interference under Virginia state law.”

From the cybersecurity reminiscences department,

• “HHS OCR Director Melanie Fontes Rainer reflects on 2024 as a historic year filled with tremendous activities and accomplishments for OCR on Health Insurance Portability and Accountability Act of 1996 (HIPAA) rulemakings, enforcement actions, and resources for the health care sector on HIPAA privacy and cybersecurity.”

• In Cyberscoop, “National Cyber Director Harry Coker looks back (and ahead) on the Cyber Director office. It’s made real strides, but there’s a lot more that it could be doing, he said, and more that needs to be done.”

• In a blog post, Valeria Colman, the Cybersecurity and Infrastructure Security Agency’s (CISA) chief strategy officer, looks back at “CISA Through the Years: Policy and Impact.”

From the cybersecurity vulnerabilities and breaches front,

• Cybersecurity Dive reports,
  • “AT&T and Verizon, two of the nine U.S. telecom companies attacked by Salt Typhoon, said they evicted the China-government sponsored threat group from their networks. 
  • “We detect no activity by nation-state actors in our networks at this time,” an AT&T spokesperson said in a prepared statement. A Verizon spokesperson made a similar statement, asserting the carrier has “contained the cyber incident brought on by this nation-state threat actor. An independent and highly respected cybersecurity firm has confirmed the Verizon containment.”
  • “AT&T and Verizon did not say when they ejected the nation-state group from their networks, but declared their networks secure last week.”

• Dark Reading adds,
  • “The Chinese threat actor group known as “Silk Typhoon” has been linked to the December 2024 hack on an agency that’s part of the US Department of the Treasury.
  • “In the breach, the threat actors were able to use a stolen Remote Support SaaS API key through third-party cybersecurity vendor BeyondTrust to steal data from workstations in the Office of Foreign Assets Control (OFAC).
  • “Silk Typhoon, also known as Hafnium, is well known for hitting targets in education, healthcare, defense, and non-governmental organizations.
  • “Using tools such as the China Chopper Web shell, the group’s cyber-espionage campaigns focus mainly on data theft.” * * *
  • “The Cybersecurity and Infrastructure Security Agency (CISA) has since confirmed that these exploits are limited to just the agency, and there is no indication that any other federal agencies have been impacted by the incident.” 

• Bleeping Computer lets us know,
  • BayMark Health Services, North America’s largest provider of substance use disorder (SUD) treatment and recovery services, is notifying an undisclosed number of patients that attackers stole their personal and health information in a September 2024 breach.
  • The Texas-based organization provides medication-assisted treatment (MAT) services targeting both substance use and mental health disorders to more than 75,000 patients daily in over 400 service sites across 35 U.S. states and three Canadian provinces.
  • In data breach notification letters mailed to affected individuals, BayMark revealed that it learned of the breach on October 11, 2024, following an IT systems disruption. A follow-up investigation revealed that the attackers accessed BayMark’s systems between September 24 and October 14.

• Per Dark Reading,
  • Cybercriminals have picked up a new tactic, impersonating CrowdStrike recruiters in order to distribute a crypto miner on their victims’ devices.
  • This malicious campaign starts with an email, inviting the victim to schedule an interview with a recruiter for a position as a junior developer.
  • The illegitimate email contains a link, alleging that it will take the recipient to a site so they can schedule their interview, but in reality, takes the victim to a malicious website containing links to download a purported “CRM application.”

• CISA reminds us,
  • “In an era of increasingly sophisticated cyber threats, securing critical infrastructure has become a cornerstone of national security. CISA’s mission is to drive collaborative, proactive efforts to reduce risk and strengthen resilience for our nation’s critical infrastructure, federal civilian branch assets, and the private sector more broadly. While these efforts are many and varied, I’d like to highlight three particularly transformative initiatives—the Known Exploited Vulnerabilities (KEV) Catalog, Cybersecurity Performance Goals (CPGs), and the Pre-Ransomware Notification Initiative (PRNI)—to illustrate how we can collectively work to reshape the cybersecurity landscape.”

• CISA added four known exploited vulnerabilities to its catalog this week.
  • January 7, 2025
    • CVE-2024-41713 Mitel MiCollab Path Traversal Vulnerability
    • CVE-2024-55550 Mitel MiCollab Path Traversal Vulnerability
    • CVE-2020-2883 Oracle WebLogic Server Unspecified Vulnerability
  • January 8, 2025
    • CVE-2025-0282 Ivanti Connect Secure Vulnerability

• SC Media offers details on the January 7, 2025, KVEs while Cybersecurity Dive discusses the January 8, 2025, KVE.

From the ransomware front,

• Axios gives us a primer on ransomware.

• Here’s a link to a helpful September 2024 CISA PowerPoint presentation about its available tools such as the Pre-Ransomware Notification Initiative.

• Security Week discusses “Temple University’s Critical Infrastructure Ransomware Attacks (CIRA)” database.
  • “The Critical Infrastructure Ransomware Attacks (CIRA) database currently covers more than 2,000 attacks documented since 2013 and includes nearly 300 entries for incidents that came to light in 2024. 
  • “It contains information such as name of the victim, date of the incident, country or US state, targeted critical infrastructure sector, name of the attacking threat group, duration of the incident, MITRE ATT&CK mapping, and — if known — the amount of money that was demanded by the attacker and the ransom paid by the victim.” * * * 
  • “The database is available for free upon request. To date it has been requested more than 1,500 times, mainly by researchers and other members of the cybersecurity industry (61%), as well as students, government entities, educators, and reporters.” 

From the cybersecurity defenses front,

• Cybersecurity Dive identifies four cybersecurity trends to watch this year.
  • Critical industries are up against never before seen challenges to remain secure and operational, while regulatory pressures have completely upended the role of the CISO in corporate America.

• Dark Reading considers current trends in artificial intelligence and cybersecurity.

• CISA Director Jen Easterly discusses “Corporate Cyber Governance: Owning Cyber Risk at the Board Level.”

• CISA also released its “Cybersecurity Performance Goals Adoption Report.”

• TechTarget shares “Top 15 email security best practices for 2025.”

• Here is a link to Dark Reading’s CISO Corner.

From the retrospection front,

• Bleeping Computer reflects on the fourteen “biggest cybersecurity and cyberattack stories of 2024.

• Dark Reading queries “What Security Lessons Did We Learn in 2024?”

From the cybersecurity policy and law enforcement front.

• Beckers Hospital Review highlights
  • “six things the proposed changes to HIPAA would require of [HIPAA covered entities and business associates:
    • 1. “Encrypt electronic protected health information “with limited exceptions.”
    • 2. “Implement multifactor authentication “with limited exceptions.”
    • 3. “Deploy antimalware software.
    • 4. “Establish written procedures to restore EHR systems and data within 72 hours of a cyberattack.
    • 5. “Notify certain regulators within 24 hours when an employee’s electronic access to EHR data or systems is changed or terminated.
    • 6. “Develop and revise an inventory and network map that illustrates the movement of EHR data through the organization’s systems at least once every 12 months.”

• Dark Reading summarizes themes of the proposed HIPAA Security Rule amendments (some of which are overkill in the FEHBlog’s opinion) and notes
  • “The changes to the security rule will cost approximately $9 billion in the first year and $6 billion for years two to five, said Anne Neuberger, deputy national security adviser for cyber and emerging technology, during a Dec. 27 press briefing.
  • “The cost of not acting is not only high, it also endangers critical infrastructure and patient safety, and it carries other harmful consequences,” Neuberger said.
  • “Stakeholders have 60 days after the nearly 400-page proposal is published to submit comments (early March 2025). HHS will issue the final version of the rule afterward, although a specific date has not yet been set, followed by a compliance date of 180 days. It is also not clear whether work on the changes will continue under the new presidential administration. Even so, healthcare organizations should review proposed requirements and evaluate their existing security programs to prepare.”

• Another Dark Reading article goes into more detail about proposed rule which is fitting for a “nearly 400-page proposal.”

• Dark Reading also reports,
  • “A US Army soldier was reportedly arrested Dec. 20 in Texas and charged with two counts of unlawful transfer of confidential phone records.  
  • “Cameron John Wagenius, 20, is suspected of leaking presidential call logs belonging to AT&T and Verizon under an online alias of “Kiberphant0m.”

From the cybersecurity breaches and vulnerabilities front,

• The Wall Street Journal reports,
  • “The Treasury Department told lawmakers Monday [December 30, 2024] that a state-sponsored actor in China hacked its systems, accessing several user workstations and certain unclassified documents.
  • “The Treasury was informed on Dec. 8 by a third-party software service provider, BeyondTrust, that a threat actor used a stolen key to remotely access certain workstations and unclassified documents, according to a letter reviewed by The Wall Street Journal.
  • “Once alerted, the department said it immediately contacted the Cybersecurity and Infrastructure Security Agency and has since worked with law enforcement partners across the government to assess the incident.
  • “The compromised BeyondTrust service has been taken offline and there is no evidence indicating the threat actor has continued access to Treasury systems or information,” a spokesperson said.
  • “In response, the Chinese embassy in Washington, D.C., denied the Treasury Department’s allegations, and said that its government opposes what it described as U.S. smear tactics without any factual basis.”

• Per Cybersecurity Dive,
  • “Weeks after BeyondTrust disclosed an attack spree against a limited number of customers, more than 8,600 instances of the company’s Privileged Remote Access and Remote Support products remain exposed, according to a blog post released Thursday [January 2, 2025] by Censys. 
  • “BeyondTrust in December warned that an attacker gained access to a limited number of Remote Support SaaS instances utilizing a compromised API key. This week, the U.S. Department of Treasury said a suspected state-linked attacker gained access to a number of workstations and stole unclassified information using a BeyondTrust key.
  • “Censys researchers, in the Thursday [January 2, 2025] blog, indicated that not all of the exposed instances are considered vulnerable, because the firm does not have access to the versions involved.”

• The Cybersecurity and Infrastructure Security Agency added one known exploited vulnerability its catalog this week.
  • “December 30, 2024
  • “CVE-2024-3393. Palo Alto Networks PAN-OS Malformed DNS Packet Vulnerability”

• Palo Alto Network offers details on this CVS at this link.

• An ISACA commentator cautions “Overreliance on Automated Tooling is A Big Cybersecurity Mistake.”

• A Dark Reading commentator warns,
  • “Despite never-ending data breaches and ransomware attacks, too many companies still rely on the outdated “trust but verify” cybersecurity strategy. This approach assumes that any user or device inside a company’s network can be trusted once it has been verified. The approach has clear weaknesses: Many businesses are putting themselves at additional risk by verifying once, then trusting forever.
  • “There was a time when “trust but verify” made sense, namely when networks were self-contained and well-defined. But at some point, perhaps due to the overwhelming volume of devices on a network, the number of patches needing to be applied, user demands, and resource constraints in the cybersecurity team, things began to slip. Initial verification meant the asset was trusted, but no additional verification ever took place.”

From the ransomware front,

• Cybersecurity Dive lets us know,
  • “Rhode Island officials said a ransomware group has begun to leak stolen information from a state social services database following a December attack. 
  • “In a Monday [December 30, 2024] press conference, Rhode Island Gov. Daniel McKee said the state was informed by Deloitte, which manages the RIBridges program, that hackers had begun to release data on a dark web leak site. 
  • “The contents of those files are still being analyzed by experts,” McKeetold reporters during the briefing. “Identifying what is in those files is a complex process, but they’re working right now to make those identifications.”
  • “RIBridges is a state program that administers several social services programs, including Medicaid, Temporary Assistance for Needy Families and other programs.”  * * *
  • “A threat group called Brain Cipher previously claimed credit for the attack, which was disclosed Dec. 5. The group has been active since June 2024 and leverages the LockBit 3.0 payload for their ransomware payloads, SentinelOne previously told Cybersecurity Dive.
  • “The group often uses phishing campaigns to gain initial access to targeted organizations, thus tricking users into downloading malicious files, according to Jon Miller, co-founder and CEO of Halcyon. 
  • “Once inside, they leverage tools and exploits to move laterally across networks, frequently targeting Windows domain administrator credentials to maximize their reach,” Miller said via email.
  • “Researchers from Sophos confirmed Brain Cipher posted detailed information on a leak site claiming credit for the RIBridges database incident.”

• Per Security Week,
  • “The Richmond University Medical Center in New York has been investigating a ransomware attack since May 2023 and it recently determined that the incident resulted in a data breach affecting more than 670,000 people. 
  • “The healthcare facility, which serves residents in Staten Island, New York, suffered significant disruptions in May 2023 after being targeted in a ransomware attack. It took the organization several weeks to restore impacted services.
  • “An initial forensic investigation showed that the hospital’s electronic health record systems were not compromised, but it was later determined that other files may have been accessed or exfiltrated from Richmond University Medical Center’s network in early May. 
  • “Once the investigation determined what files may have been accessed or removed from our network, we located a copy of each file and then undertook a manual review process of those files to determine whether they contained any sensitive personal information or personal health information,” the hospital said in a security incident notice.”

• Healthcare IT News adds,
  • “Ransomware attacks are having a severe impact on U.S. healthcare organizations, with an alarming escalation in incidents and their consequences, according to a Comparitech report.
  • “The study found that, since 2018, 654 ransomware attacks have targeted healthcare providers, with 2023 standing out as a record-breaking year, logging 143 incidents.
  • “These attacks compromised over 88.7 million patient records during this period, with more than 26.2 million breached in 2023 alone.
  • “Each day of downtime due to ransomware costs healthcare organizations an average of $1.9 million, culminating in an estimated $21.9 billion in downtime losses over six years.
  • “On average, medical organizations experienced 17 days of downtime per incident, with the highest disruptions reported in 2022, averaging 27 days.”

From the cybersecurity defenses front,

• A Dark Reading commentator explains how to get the most out of your cybersecurity insurance policy.
  • “As cyber threats continue to evolve, so must our approach to mitigating them. Bolster your cybersecurity posture in a holistic manner — self-assessing your risk profile, addressing vulnerabilities, and striving for continuous improvement — and you can better safeguard your organization against threats and control your cyber-insurance costs.
  • “Prepare for increasingly rigorous risk assessments from [insurance] providers moving forward. Underwriters now have access to extensive data about cyber threats and protections. Expect them to ask more granular questions and do deeper inspections into the efficacy of controls, especially those around identity-related risks, such as privileged access and credential theft. Anticipate their questions, and be prepared with comprehensive, up-to-date answers.
  • “Cyber insurance should augment your cybersecurity strategy, not replace it. Prioritize implementing robust, ongoing cyber practices that protect your organization.”

• Cybersecurity Dive informs us,
  • “Most cyber leaders are bullish on generative AI despite governance concerns, according to a CrowdStrike survey published in December. Nearly two-thirds say their organization would overhaul tooling in order to leverage better generative AI capabilities. 
  • “Leaders expect generative AI adoption to bring ROI through cost optimization, easier tool management, reduced incidents and shorter training cycles, according to the survey of more than 1,000 cybersecurity leaders and practitioners. 
  • “Respondents said the leading concern when weighing a generative AI purchase is how applications or services integrate with current tools. Around 70% intend to purchase access to the technology in the next year.”

• Dark Reading discusses “6 AI-Related Security Trends to Watch in 2025. AI tools will enable significant productivity and efficiency benefits for organizations in the coming year, but they also will exacerbate privacy, governance, and security risks.”

• Here is a link to Dark Reading’s CISO Corner.

From the cybersecurity retrospection and predictions front as we approach New Year’s Day,

• CSO lists the “top 7 zero-day exploitation trends of 2024,” and “IT leaders’ top 9 takeaways from 2024.”

• Dark Reading points out “Emerging Threats & Vulnerabilities to Prepare for in 2025. From zero-day exploits to 5G network vulnerabilities, these are the threats that are expected to persist over the next 12 months.”

• Federal News Network offers a “2024 review: ‘Typhoons’ bookend [the Change Healthcare breach in a] busy year in cyber. From Volt Typhoon to Salt Typhoon, major cyber incidents in 2024 shined a spotlight on how agencies are managing cyber threats to critical infrastructure.”

• Healthcare Dive recounts “seven of the biggest healthcare cyberattack and breach stories of 2024 Cyberattacks targeting the healthcare industry continued to rise this year. Here are some of the largest incidents, from Change Healthcare to Ascension.”

From the cybersecurity policy front,

• Yesterday the Health and Human Services Department’s Office for Civil Rights announced its proposed amendments to the HIPAA Security Rule which is intended to protect electronic personal health information. The public comment deadline is March 7, 2025, sixty days from January 6, 2025, the date that proposed rule will be published in the Federal Register.

• Here is a link to the OCR’s fact sheet for the proposed rule. The HIPAA Security Rule dates back to 2003, and its hallmark was flexibility in implementation. To that end, the HIPAA Security rule set forth required standards and addressable standards. Because a lot has changed since 2003, I expected standard changes, but I did not expect OCR to do away with the required / addressable standard distinction in favor of exceptions. Like many other regulations issued by the current administration, the proposed amendments are loaded with new paperwork and oversight requirements. Hopefully the next administration will pull back the proposed rule so that the changes focus on requiring tools that are known to work, e.g., multi factor authentication, encryption, adequate backups.

• Cybersecurity Dive lets us know,
  • “Lax security controls played a significant role in allowing a China-government sponsored threat group to gain broad and full access to U.S. telecom networks, a senior White House official said Friday.
  • “From what we’re seeing regarding the level of cybersecurity implemented across the telecom sectors, those networks are not as defensible as they need to be to defend against a well-resourced, capable, offensive cyber actor like China,” Anne Neuberger, deputy national security advisor for cyber and emerging technology, said during a Friday media briefing.
  • “Neuberger’s remarks came as the White House confirmed a ninth telecom company was among those compromised by Salt Typhoon’s widespread intrusion of U.S. telecom networks. The unnamed company recently determined it was impacted after reviewing threat hunting and hardening guidance provided by the U.S. government, Neuberger said.
  • “Earlier this month, U.S. officials said at least 8 U.S. telecom providers or infrastructure companies were compromised in a campaign that went undetected for months and has been underway for up to two years.”

• Per Federal News Network,
  • “The DoD’s big cybersecurity program advanced earlier this month. It’s a big rule to carry out if it becomes effective. For what the rule means and what comes next in the Cybersecurity Maturity Model Certification Program, Deltek cybersecurity researcher Michael Greenman joined the Federal Drive with Tom Temin for details.”
  • The article offers a transcript of this interview

From the cybersecurity breaches, ransomware, and vulnerabilities front,

• The Cybersecurity and Infrastructure Security Agency (CISA) added one known exploited vulnerability to its catalog this week.
  • December 23, 2024
    • CVE-2021-44207 Acclaim Systems USAHERDS Use of Hard-Coded Credentials Vulnerability

• Here is a link to a Security Affairs explanation of the vulnerability.

• Bleeping Computer pointed out on December 24,
  • The Clop ransomware gang started to extort victims of its Cleo data theft attacks and announced on its dark web portal that 66 companies have 48 hours to respond to the demands.
  • The cybercriminals announced that they are contacting those companies directly to provide links to a secure chat channel for conducting ransom payment negotiations. They also provided email addresses where victims can reach out themselves.
  • In the notification on their leak site, Clop lists 66 partial names of companies that did not engage the hackers for negotiations. If these companies continue to ignore, Clop threatens to disclose their full name in 48 hours.
  • The hackers note that the list represents only victims that have been contacted but did not respond to the message, suggesting that the list of affected companies may be larger.
  • “The Cleo data theft attack represents another major success for Clop, who leveraged leveraging a zero-day vulnerability in Cleo LexiCom, VLTransfer, and Harmony products to steal data from the networks of breached companies.” * * *
  • “The zero-day flaw exploited this time is now tracked as CVE-2024-50623 and it allows a remote attacker to perform unrestricted file uploads and downloads, leading to remote code execution.
  • “A fix is available for Cleo Harmony, VLTrader, and LexiCom version 5.8.0.21 and the vendor warned in a private advisory that hackers were exploiting it to open reverse shells on compromised networks.”
• and
  • “The North Korean hacker group ‘TraderTraitor’ stole $308 million worth of cryptocurrency in the attack on the Japanese exchange DMM Bitcoin in May.
  • “In a short post, the FBI attributed the attack to the state-affiliated threat actor TraderTraitor, also tracked as Jade Sleet, UNC4899, and Slow Pisces.
  • “The crypto heist occurred in May 2024 and forced the platform to restrict account registration, cryptocurrency withdrawals, and trading until the completion of the investigations.”

From the cybersecurity defenses front,

• Netxgov/FCW alerts us that “Government and private sector organizations have begun to recognize that physical and virtual assets must be protected from cyber threats in the same way as IT.”

• Dark Reading discusses “Defining & Defying Cybersecurity Staff Burnout. Sometimes it feels like burnout is an inevitable part of working in cybersecurity. But a little bit of knowledge can help you and your staff stay healthy.”

• Here is a link to Dark Reading’s CISO Corner, which was updated this week.

From the cybersecurity policy and law enforcement front,

• Cyberscoop reports,
  • “Protecting Americans’ health data and strengthening cybersecurity protections throughout the health care sector is the focus of a bill introduced Friday from a bipartisan quartet of Senate lawmakers.
  • “The Health Care Cybersecurity and Resiliency Act of 2024 (S.5390) is the culmination of a yearlong effort from Sens. Bill Cassidy, R-La., Maggie Hassan, D-N.H., John Cornyn, R-Texas, and Mark Warner, D-Va., who formed a working group in November 2023 to examine cyber issues in health care.
  • “Under the umbrella of the Senate Health, Education, Labor and Pensions Committee, the senators aimed to address a staggering stat from the Health and Human Services Department, which found that 89 million Americans’ health information was breached last year, more than twice as many as in 2022.  
  • “In an increasingly digital world, it is essential that Americans’ health care data is protected,” Cornyn said in a statement. “This commonsense legislation would modernize our health care institutions’ cybersecurity practices, increase agency coordination, and provide tools for rural providers to prevent and respond to cyberattacks.” 
• and
  • “A bill that would require federal contractors to implement vulnerability disclosure policies that comply with National Institute of Standards and Technology guidelines cleared a key Senate panel Wednesday, setting the bipartisan legislation up for a vote before the full chamber.
  • “The Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024 (S. 5028) from Sens. Mark Warner, D-Va., and James Lankford, R-Okla., sailed through the Senate Homeland Security and Governmental Affairs Committee, after a companion bill from Rep. Nancy Mace, R-S.C., passed the House Oversight Committee in May.
  • “The bill from Warner and Lankford would formalize a structure for contractors to receive vulnerability reports about their products and take action against them ahead of an attack. In announcing the legislation in August, Warner said that vulnerability disclosure policies, or VDPs, “are a crucial tool used to proactively identify and address software vulnerabilities,” and that this bill would “better protect our critical infrastructure and sensitive data from potential attacks.”
  • “Federal law mandates that civilian federal agencies have VDPs, but no standard currently exists for federal contractors. The legislation would require contractors to accept, assess and manage any vulnerability reports that they receive.”
• and
  • “A Russian man who allegedly served as an administrator of the Phobos ransomware that’s extorted millions of dollars from more than a thousand victims is in U.S. custody, the Justice Department said Monday.
  • “South Korea extradited Evgenii Ptitsyn, 42, to the United States for a court appearance Nov. 4, according to a news release about an unsealed 13-count indictment.
  • “The Phobos ransomware has extorted over $16 million from more than 1,000 victims worldwide, including schools, hospitals, government agencies and large corporations, DOJ said. The department chalked up the arrest to international team-ups.”

From the cybersecurity vulnerabilities and breaches front,

• Per a Cybersecurity and Infrastructure Security Agency press release,
  • “The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Homeland Security Systems Engineering and Development Institute (HSSEDI), operated by MITRE, has released the 2024 CWE Top 25 Most Dangerous Software Weaknesses. This annual list identifies the most critical software weaknesses that adversaries frequently exploit to compromise systems, steal sensitive data, or disrupt essential services.
  • “Organizations are strongly encouraged to review this list and use it to inform their software security strategies. Prioritizing these weaknesses in development and procurement processes helps prevent vulnerabilities at the core of the software lifecycle.”

• CISA added eight known exploited vulnerabilities to its catalog this week.
  • November 18, 2024
    • CVE-2024-1212 Progress Kemp LoadMaster OS Command Injection Vulnerability
    • CVE-2024-0012 Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability
    • CVE-2024-9474 Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability
  • November 20, 2024
    • CVE-2024-38812 VMware vCenter Server Heap-Based Buffer Overflow Vulnerability
    • CVE-2024-38813 VMware vCenter Server Privilege Escalation Vulnerability
  • November 21, 2024
    • CVE-2024-44308 Apple Multiple Products Code Execution Vulnerability
    • CVE-2024-44309 Apple Multiple Products Cross-Site Scripting (XSS) Vulnerability
    • CVE-2024-21287 Oracle Agile Product Lifecycle Management (PLM) Incorrect Authorization Vulnerability

• Cybersecurity Dive adds,
  • “Palo Alto Networks customers are confronting another actively exploited zero-day, a critical authentication bypass vulnerability in the security vendor’s PAN-OS operating system, which runs some of the company’s firewalls, the company said Monday in an updated security advisory.
  • “Palo Alto Networks has identified threat activity targeting a limited number of device management web interfaces,” the security vendor’s threat intelligence firm Unit 42 said in a Monday threat brief. “Observed post-exploitation activity includes interactive command execution and dropping malware, such as webshells, on the firewall.”
  • “The vulnerability, CVE-2024-0012, has a CVSS score of 9.3 and allows an unauthenticated attacker with network access to the management web interface to gain administrator privileges or tamper with the configuration. Active exploitation of the CVE can also allow attackers to exploit other authenticated privilege escalation vulnerabilities, such as CVE-2024-9474, which has a CVSS score of 6.9.” 

• Security Week adds,
  • “Apple has rushed out major macOS and iOS security updates to cover a pair of vulnerabilities already being exploited in the wild.
  • “The vulnerabilities, credited to Google’s TAG (Threat Analysis Group), are being actively exploited on Intel-based macOS systems, Apple confirmed in an advisory released on Tuesday.
  • “As is customary, Apple’s security response team did not provide any details on the reported attacks or indicators of compromise (IOCs) to help defenders hunt for signs of infections.
  • “Raw details on the patched vulnerabilities:
    • “CVE-2024-44308 — JavaScriptCore — Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.
    • “CVE-2024-44309 — WebKit — Processing maliciously crafted web content may lead to a cross-site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.
  • “The company urged users across the Apple ecosystem to apply the urgent iOS 18.1.1, macOS Sequoia 15.1.1 and the older iOS 17.7.2.”

• Cybersecurity Dive lets us know,
  • “Password-spray attacks yielded prolific results for attackers across multiple sectors in North America and Europe during Q2 and Q3, the Trellix Advanced Research Center said in a Wednesday research report.
  • “The attack surface for password-spray attacks is vast, Trellix found. Attackers commonly target cloud-based systems, including Microsoft 365, Okta, Google Workspace, VPNs, Windows Remote Desktop, AWS, Google Cloud Platform and Microsoft Azure.
  • “Attackers most frequently targeted password-spray attacks at education, energy and transportation organizations during the six-month period, the report found.”

• HHS Health Sector Cybersecurity Coordination Center offers an alert discussing a widespread phishing campaign abusing DocuSign software by impersonating well-known brands. The alert offers tips for avoiding this scam.

• Dark Reading lets us know,
  • “Microsoft seized 240 domains belonging to ONNX, a phishing-as-a-serviceplatform that enabled its customers to target companies and individuals since 2017.
  • “ONNX was the top adversary-in-the-middle (AitM) phishing service, according to Microsoft’s “Digital Defense Report 2024,” with a high volume of phishing messages during the first six months of this year. Millions of phishing emails targeted Microsoft 365 accounts each month, and Microsoft has apparently had enough.”

From the ransomware front,

• The American Hospital Association News reports,
  • A joint advisory released Nov. 20 by the Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency and international partners warns of cybercriminal activity by the BianLian ransomware group. The agencies said actions by BianLian actors have impacted multiple sectors across the U.S. since 2022. They operate by gaining access to victims’ systems through valid remote desktop protocol credentials and use open-source tools and command-line scripting for finding and stealing credentials. The actors then extort money from victims by threatening to release the stolen data. 
  • “The BianLian group has been listed as one of the most active groups over the last several years, and they have been known to attack the health care sector,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “The group often uses RDP for access, which serves as a reminder to ensure that hospitals strictly limit the use of RDP and similar services to help mitigate this threat and the many others which use RDP as part of their initial access to penetrate networks. They do not appear to be encrypting networks and disrupting hospital operations. In the event that anyone’s personally identifiable information is stolen and think they may be a victim of identity theft, an excellent resource to help assist them is identitytheft.gov.” 
     
• Hacker News informs us,
  • “Cybersecurity researchers have shed light on a Linux variant of a relatively new ransomware strain called Helldown, suggesting that the threat actors are broadening their attack focus.
  • “Helldown deploys Windows ransomware derived from the LockBit 3.0 code,” Sekoia said in a report shared with The Hacker News. “Given the recent development of ransomware targeting ESX, it appears that the group could be evolving its current operations to target virtualized infrastructures via VMware.”
  • “Helldown was first publicly documented by Halcyon in mid-August 2024, describing it as an “aggressive ransomware group” that infiltrates target networks by exploiting security vulnerabilities. Some of the prominent sectors targeted by the cybercrime group include IT services, telecommunications, manufacturing, and healthcare.
  • “Like other ransomware crews, Helldown is known for leveraging data leak sites to pressure victims into paying ransoms by threatening to publish stolen data, a tactic known as double extortion. It’s estimated to have attacked at least 31 companies within a span of three months.”

• Per Dark Reading,
  • “The Akira ransomware group has updated its data-leak website on Nov. 13-14, listing more than 30 of its latest victims — the highest single-day total since the gang first began its malicious operations in March of last year.
  • “The group spares no one, targeting a variety of industries globally, and operates using a ransomware-as-a-service (RaaS) model, stealing sensitive data before encrypting it.
  • “Twenty-five of the latest victims are from the United States, two are from Canada, and the remaining originate from Uruguay, Denmark, Germany, the UK, Sweden, the Czech Republic, and Nigeria.
  • “The researchers at Cyberint found that the business services sector was most frequently targeted by the group, with 10 of its most recent victims belonging to that industry. Other affected sectors include manufacturing, construction, retail, technology, education, and critical infrastructure.” 
    
• Security Intelligence tells us,
  • “Any good news is welcomed when evaluating cybercrime trends year-over-year. Over the last two years, IBM’s Threat Index Reports have provided some minor reprieve in this area by showing a gradual decline in the prevalence of ransomware attacks — now accounting for only 17% of all cybersecurity incidents compared to 21% in 2021.
  • “Unfortunately, it’s too early to know if this trendline will continue. A recent report released by Searchlight Cyber shows that there has been a 56% increase in active ransomware groups in the first half of 2024, providing convincing evidence that the fight against ransomware is far from over.”

From the cybersecurity defenses front,

• Per Cybersecurity Dive,
  • “Artificial intelligence could ease pernicious labor challenges facing the healthcare sector, but health systems will need to boost their cybersecurity spending to manage increased risks, according to a report by Moody’s Ratings. 
  • “The emerging technology could help recruit and retain staff through tools that help nurses pick more flexible schedules or assist clinicians documenting clinical care, according to the credit ratings agency. 
  • “But new technology also brings more vulnerabilities for hackers to exploit — already a challenge for the healthcare industry, which is dependent on IT systems that house sensitive and valuable patient data.”
• and
  • “Microsoft unveiled the Windows Resiliency Initiative Tuesday, which follows the July global IT outage linked to a faulty CrowdStrike software update, according to a blog post from David Weston, VP of enterprise and OS security at Microsoft. The effort is intended to advance the company’s prior efforts to overhaul its security culture.
  • “We are committed to ensuring that Windows remains the most reliable and resilient open platform for our customers,” Weston said in the blog. 
  • “Microsoft will allow IT administrators to make changes to Windows Update on PCs, even if the machines are unable to boot up. Administrators will not require physical access to the machines to make the necessary changes. 
  • “The service will be available to the Windows Insider Program community starting in early 2025.”

• CISA shares “Insights from CISA Red Team Assessment of a US Critical Infrastructure Sector Organization” and a “Success Story Detailing the Implementation of Phishing-Resistant Multi-Factor Authentication.”

• Cyberscoop reports,
  • “Professional liability insurance is designed to protect executives against claims of negligence or inadequate work arising from their services. Companies often use these policies to safeguard a business’s financial assets from the potentially high costs of lawsuits and settlements in the event someone alleges executives have failed to uphold their duties. The policies often cover CEOs, CFOs, and other board members, but often fail to include CISOs. 
  • “New Jersey-based insurer Crum & Forster is looking to change that. The company recently unveiled a policy specifically designed to shield CISOs from personal liability. 
  • “Nick Economidis, vice president of eRisk at Crum & Forster, told CyberScoop that the company saw an opportunity since CISOs may not be recognized as corporate officers under a directors and officers liability policy, which normally covers executive liability. 
  • “CISOs are in a no-win situation,” Economidis said. “If everything goes right, that’s what people expect. If something goes wrong, they’re the person that everybody looks at and they’re left holding the bag. Then, there are potentially significant financial ramifications for them because they’re often not covered by traditional [professional liability] insurance policies.”

• Here is a link to Dark Reading’s CISO Corner.

• An ISACA commentator explains how to grow cyber defenses from seed to system using a plant pathology approach.

• Dark Reading offers a commentary on the importance of learning from cybersecurity mistakes.
  • “Despite massive investments in cybersecurity, breaches are still on the rise, and attackers seem to evolve faster than defenses can keep up. The IBM “Cost of a Data Breach Report 2024” estimates the average global breach cost has reached a staggering $4.88 million. But the true damage goes beyond the financial — it’s about how quickly your organization can recover and grow stronger. Focusing only on prevention is outdated. It’s time to shift the mindset: Every breach is an opportunity to innovate.”

From the cybersecurity policy front,

• Cybersecurity Dive reports,
  • “The U.S. must take collective action to address “unacceptable” cybersecurity risks to the country, National Cyber Director Harry Coker Jr. said in a speech at Columbia University’s Conference on Cyber Regulation and Harmonization in New York City. Coker called for federal authorities to work together with critical infrastructure providers, private sector companies and other stakeholders. 
  • “Cybersecurity threats like the China state-linked Volt Typhoon present unacceptable risks to the U.S., Coker said, and more investments are required to build long term cyber resilience. As part of that strategy, companies need to ensure that cybersecurity is as much of a focus as quarterly profits. 
  • “At the same time, Coker called for the government to streamline its regulations and harmonize compliance demands for the benefit of the private sector and critical infrastructure providers. This could allow CISOs and other security leaders to spend more time mitigating their own organizational cyber risk, he said.”

• NextGov/FCW tells us,
  • Jen Easterly, the Cybersecurity and Infrastructure Security Agency’s stalwart champion and a figurehead among cybersecurity and intelligence community practitioners, will leave her post Jan. 20 next year when President-elect Donald Trump is inaugurated back into the White House, people familiar with her plans said.
  • The plans were communicated via internal emails and an all-hands staff meeting, said the people, who asked not to be identified to share news of her departure. Deputy Director Nitin Natarajan also plans to depart at that time, one of the people said. * * *
  • “A CISA spokesperson told Nextgov/FCW that all appointees under the current administration vacate their positions when a new administration takes office and affirmed the agency’s commitment to a seamless transition.” * * *
  • “Ohio Secretary of State Frank LaRose is being considered to lead the agency after Easterly leaves, Politico reported last week, citing four people who have spoken to those in his orbit.”
• and
  • “With 66 days until Inauguration Day, Federal Chief Information Officer Clare Martorana says her top priority in the last days of the Biden administration is cybersecurity. 
  • “Continuing to make sure that cybersecurity is not an afterthought,” she told Nextgov/FCW on the sidelines of an ACT-IAC event Friday, adding that she wants cyber to be part of the IT community, rather than segmented away from each other.
  • “In government, it just continues to perplex me that we don’t necessarily co-join in our product development and the ongoing maintenance of our digital properties as a single, cohesive team,” she said. 
  • “Second up is facilitating an effective transition for the incoming Trump administration 
  • “Making sure that the next team that comes in knows exactly what we’ve accomplished, knows exactly the areas that we feel need additional attention and that are going to be what the catalysts are for the next four years of technology, customer experience, digital experience evolution” is a “really, really important part of my job right now,” said Martorana. 
  • “I want to make sure that the next federal CIO has the best chance of hitting the ground running and being as effective as they can be,” she added.” 

• The Government Accountability Office released a report highlighting that
  • “As the lead federal agency for the healthcare and public health critical infrastructure sector, the Department of Health and Human Services (HHS) has faced challenges in carrying out its cybersecurity responsibilities. Implementing our related prior recommendations can help HHS in its leadership role.”

• The National Institute for Standards and Technology announced,
  • “The initial public draft (ipd) of NIST Special Publication (SP) 800-172r3 (Revision 3), Enhanced Security Requirements for Protecting Controlled Unclassified Information (CUI), is available for comment.
  • “SP 800-172r3 provides recommended security requirements to protect the confidentiality, integrity, and availability of CUI when it is resident in a nonfederal system and organization and is associated with a high value asset or critical program. The enhanced security requirements give organizations the capability to achieve a multidimensional, defense-in-depth protection strategy against advanced persistent threats (APTs) and help to ensure the resiliency of systems and organizations. The enhanced security requirements in SP 800-172r3 supplement the security requirements in SP 800-171 and are intended for use by federal agencies in contractual vehicles or other agreements between those agencies and nonfederal organizations. There is no expectation that all of the enhanced security requirements are needed universally; enhanced security requirements are selected by federal agencies based on specific mission needs and risks.
  • “The public comment period is open through January 10, 2025. NIST strongly encourages you to use the comment template available on the publication details page and submit comments to 800-171comments@list.nist.gov. Comments received in response to this request will be posted on the Protecting CUI project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed.
• FEHB claims data is classified as CUI. Significant changes are called out on this NIST website.

From the cybersecurity vulnerabilities and breaches front,

• From a November 12, 2024, CISA press release
  • “Today, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and international partners released joint Cybersecurity Advisory, 2023 Top Routinely Exploited Vulnerabilities.” * * *
  • “The authoring agencies urge all organizations to review and implement the recommended mitigations detailed in this advisory. The advisory provides vendors, designers, and developers a guide for implementing secure by design and default principles and tactics to reduce the prevalence of vulnerabilities in their software and end-user organizations mitigations. Following this guidance will help reduce the risk of compromise by malicious cyber actors.”
    
• Also on November 12, HHS’s Health Sector Cybersecurity Coordination Center released an Analyst Note on the Godzilla Webshell.

• CISA added seven known exploited vulnerabilities to its catalog this week.
  • November 12, 2024
    • CVE-2021-26086 Atlassian Jira Server and Data Center Path Traversal Vulnerability
    • CVE-2014-2120 Cisco Adaptive Security Appliance (ASA) Cross-Site Scripting (XSS) Vulnerability
    • CVE-2021-41277 Metabase GeoJSON API Local File Inclusion Vulnerability
    • CVE-2024-43451 Microsoft Windows NTLMv2 Hash Disclosure Spoofing Vulnerability
    • CVE-2024-49039 Microsoft Windows Task Scheduler Privilege Escalation Vulnerability
  • November 14, 2024
    • CVE-2024-9463 Palo Alto Networks Expedition OS Command Injection Vulnerability
    • CVE-2024-9465 Palo Alto Networks Expedition SQL Injection Vulnerability

• Per Cybersecurity Dive,
  • “Attackers are actively exploiting a pair of previously disclosed vulnerabilities in Palo Alto Networks Expedition, federal cyber authorities said Thursday. 
  • “The Cybersecurity and Infrastructure Security Agency added CVE-2024-9463, an OS command injection vulnerability with a CVSS score of 9.9, and CVE-2024-9465, an SQL injection vulnerability with a CVSS score of 9.2, to its known exploited vulnerabilities catalog on Thursday. The alert comes one week after the agency confirmed another vulnerability in the same product, CVE-2024-5910, was under active exploitation. 
  • “Palo Alto Networks disclosed and released a patch for the vulnerabilities along with three additional CVEs in the migration tool on Oct. 9.”

• Per Dark Reading,
  • “Microsoft pulled its November 2024 Exchange security updates that it released earlier this month for Patch Tuesday due to them breaking email delivery.
  • “This decision came after there were reports from admins saying that email had stopped flowing altogether.
  • “The issue affects Microsoft Exchange customers who use transport rules, or mail flow rules, as well as data loss protection rules. The mail flow rules filter and redirect emails in transit, while the data loss protection rules ensure that sensitive information isn’t being shared via email to an outside organization.”
• and
  • “ChatGPT exposes significant data pertaining to its instructions, history, and the files it runs on, placing public GPTs at risk of sensitive data exposure, and raising questions about OpenAI’s security on the whole.
  • “The world’s leading AI chatbot is more malleable and multifunctional than most people realize. With some specific prompt engineering, users can execute commands almost like one would in a shell, upload and manage files as they would in an operating system and access the inner workings of the large language model (LLM) it runs on: the data, instructions, and configurations that influence its outputs.
  • “OpenAI argues that this is all by design, but Marco Figueroa, a generative AI (GenAI) bug-bounty programs manager at Mozilla who has uncovered prompt-injection concerns before in ChatGPT, disagrees.
  • “They’re not documented features,” he says. “I think this is a pure design flaw. It’s a matter of time until something happens, and some zero-day is found,” by virtue of the data leakage.”

• Per AI Business,
  • “When most people think of AI-generated deepfakes, they probably think of videos of politicians or celebrities being manipulated to make it appear as though they said or did something they didn’t. These can be humorous or malicious. When deepfakes are in the news, for instance, it is usually in connection to a political misinformation campaign.
  • “What many people don’t realize, however, is that the malicious use of deepfakes extends well beyond the political realm. Scammers are increasingly adept at using real-time deepfakes to impersonate individuals with certain permissions or clearances, thus granting them access to private documents, sensitive personal data and customer information.” * * *
  • “Governments and businesses are taking deepfakes more and more seriously. Protecting against this kind of manipulation requires a combination of technological solutions and personnel-based ones. First and foremost, a regular red-teaming process must be in place. Stress-testing deepfake detection systems with the latest deepfake technology is the only way to make sure a given detection system is working properly.
  • “The second essential aspect of defending against deepfakes is educating employees to be skeptical of videos and video conferences with requests that seem too drastic, urgent, or otherwise out of the ordinary. A culture of moderate skepticism is part of security awareness and preparedness alongside solid security protocols. Often the first line of defense is common sense and person-to-person verification. This can save companies millions and their cybersecurity teams hundreds of hours.
  • “Alongside technological solutions, the best defense against malicious AI is common sense. Businesses that take this two-pronged approach will have a better shot at protecting themselves than businesses that don’t. Considering the speed at which deepfakes are evolving, this is nothing short of critical.”

From the ransomware front,

• On November 13, the Register reported,
  • “American Associated Pharmacies (AAP) is the latest US healthcare organization to have had its data stolen and encrypted by cyber-crooks, it is feared.
  • “The criminals over at the Embargo ransomware operation claimed responsibility for the hit job, allegedly stealing 1.469 TB of AAP’s data, scrambling its files, and demanding payment to restore the information.
  • “AAP, which oversees a few thousand independent pharmacies in the country, hasn’t officially confirmed an attack, nor has it responded to The Register‘s request for input on the claims. At the time of writing, its website warns all user passwords were recently force-reset. It did not explain why the resets were forced nor mention a cyberattack.
  • “All user passwords associated with both APIRx.com and RxAAP.com have been reset, so existing credentials will no longer be valid to access the sites,” a website notice reads. “Please click ‘forgot password’ on the log in screen and follow the prompts accordingly to reset your password.”

• Bleeping Computer informs us,
  • “North Korean threat actors target Apple macOS systems using trojanized Notepad apps and minesweeper games created with Flutter, which are signed and notarized by a legitimate Apple developer ID.
  • “This means that the malicious apps, even if temporarily, passed Apple’s security checks, so macOS systems treat them as verified and allow them to execute without restrictions.
  • “The app names are centered around cryptocurrency themes, which aligns with North Korean hackers’ interests in financial theft.
  • “According to Jamf Threat Labs, which discovered the activity, the campaign appears more like an experiment on bypassing macOS security than a fully-fledged and highly targeted operation.”
    
• Infosecurity Magazine discusses how ransomware groups use cloud services for data exfiltration.
  • “Alex Delamotte, a threat researcher at SentinelLabs, the cybersecurity provider’s research branch, published The State of Cloud Ransomware in 2024 on November 14.
  • “Cloud services provide an advantage over endpoint and web server-based services by having a smaller attack surface.
  • “However, the ubiquitous use of cloud services makes them attractive to attackers, who have developed new approaches to compromise them.
  • “Despite being designed to securely store, manage, and retrieve large volumes of unstructured data at scale, cloud-based storage services, such as the Amazon Web Services (AWS) Simple Storage Service (S3) or Microsoft Azure Blob Storage, have become prime targets.
  • “S3 buckets are one of the most referenced targets of malicious activity.
  • P.S. S3 Buckets are public cloud storage containers for objects stored in simple storage service (S3). S3 buckets can be likened to file folders and object storage.

From the cybersecurity defenses front,

• Per Cybersecurity Dive,
  • “Microsoft will disclose vulnerabilities under the Common Security Advisory Framework, a move designed to help customers respond and remediate CVEs in a more efficient manner, the company said this week.  
  • “CSAF is a format that is machine readable, which helps organizations digest the CVEs faster and in larger volumes. Customers will still be able to get CVE updates through the Microsoft security update guide or through an API based on the Common Vulnerability Reporting Framework. The CVRF serves as the standard for disclosing vulnerability information. 
  • “The CSAF rollout represents the third in a series of changes to make vulnerability disclosure more transparent at Microsoft. The company in June announced Cloud Service CVEs and in April said it would publish root cause analysis using the Common Weakness Enumeration standard.”

• HHS’s 405(d) program released an Operational Continuity Cyber Incident Checklist.

• Here is a link to Dark Reading’s CISO Corner.

• Bleeping Computer lets us know,
  • “Bitdefender has released a decryptor for the ‘ShrinkLocker’ ransomware strain, which uses Windows’ built-in BitLocker drive encryption tool to lock victim’s files.
  • “Discovered in May 2024 by researchers at cybersecurity company Kaspersky, ShrinkLocker lacks the sophistication of other ransomware families but integrates features that can maximize the damage of an attack.
  • “According to Bitdefender’s analysis, the malware appears to have been repurposed from benign ten-year-old code, using VBScript, and leverages generally outdated techniques.”