From the cybersecurity policy front,

• Healthcare Dive informs us,
  • “Lawmakers introduced a bill Thursday [September 26] that would set cybersecurity standards for healthcare organizations as the industry faces a wave of cyberattacks and data breaches. 
  • “The legislation, sponsored by Sens. Ron Wyden, D-Ore., and Mark Warner, D-Va., would direct the HHS to develop minimum cybersecurity standards for providers, health plans, claims clearinghouses and business associates. Enhanced cyber standards would apply to organizations that are deemed important to national security.” * * *
  • “The bill requires the HHS to adopt minimum and enhanced cybersecurity measures that would apply to HIPAA-covered entities and their business associates.
  • “Healthcare organizations would be required to conduct cybersecurity assessments and stress tests. The HHS would audit the data security of at least 20 companies per year to ensure compliance. 
  • “The legislation also seeks to increase civil penalties for organizations that fail to comply with security standards — including a proposed minimum fine of $250,000 for violations in willful neglect that go uncorrected. 
  • “The HHS would also be authorized to charge user fees to covered entities and business associates. Those fees would allow the agency to take on the increased oversight work, a challenge the HHS hasn’t been appropriately funded to manage, the senators wrote in a summary of the legislation.”
• Wow. It strikes the FEHBlog that at least parts of this bill, in not the whole tamale, could be enacted in the lame duck session of Congress at the end of this year. The bill has a variety of effective dates.

• Why? Beckers Health IT adds,
  • “The financial fallout from recent data breaches in the healthcare industry continues to raise alarms as organizations grapple with the costs of cyberattacks and ensuing lawsuits.
  • “Two incidents — the ransomware attack on St. Louis-based Ascension and a class-action lawsuit faced by Allentown, Pa.-based Lehigh Valley Health Network — highlight the impact of these breaches on health systems’ operations and bottom lines.”

• Cybersecurity Dive points out,
  • “The U.S. has made significant progress improving its cybersecurity posture, implementing about 80% of the recommendations the Cyberspace Solarium Commission detailed in 2020, according to a report released Thursday [September 26]. But more work is still required to shore up additional efforts related to critical infrastructure and economic security. 
  • “Among the key remaining priorities is a push to identify the “minimum security burdens” of critical infrastructure entities that have a “disproportionate impact on U.S. national security,” the report said. The commission called on the next administration to detail intelligence and information-sharing benefits, alongside security burdens, to these “systemically important entities.”
  • “The U.S. needs to develop an economic continuity plan that would operate as an incident response and resilience plan in case of a catastrophic cyber event or other crisis, the commission said. Federal authorities also need to codify a joint collective plan for sharing threat information between government, private industry and international intelligence partners.”

• Per a NIST press release,
  • “Today [September 24], U.S. Secretary of Commerce Gina Raimondo announced that the Department of Commerce’s National Institute of Standards and Technology (NIST) has awarded $6 million to Carnegie Mellon University (CMU) to establish a joint center to support cooperative research and experimentation for the test and evaluation of modern AI capabilities and tools. The center will be housed on the Carnegie Mellon campus, in Pittsburgh.
  • “Artificial intelligence is the defining technology of our generation, and at the Commerce Department we are committed to working with America’s world-class higher education institutions, like Carnegie Mellon University, to advance safe, secure and trustworthy development of AI,” Raimondo said. “I am excited to announce this NIST award of $6 million for Carnegie Mellon to boost research of AI systems and support a new generation of scientists and engineers that will help advance American innovation globally.”

From the CrowdStrike front

• Cybersecurity Dive offers five takeaways from a CrowdStrike official’s apologetic testimony before Congress last Thursday.

From the cyber breaches and vulnerabilities front,

• Cybersecurity Dive lets us know,
  • “Security researchers are warning about critical vulnerabilities in the Common Unix Printing System used on Linux, which could allow a hacker to gain control over remote command execution when the flaws are chained together and a print job is separately launched by the user.
  • “The vulnerabilities, listed as CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177, can allow an attacker to replace IPP urls on a printer with a malicious version, giving them the ability to command capabilities on a system. 
  • “The vulnerabilities were initially assigned a score of 9.9, with the expectation of coordinated disclosure and later public notification by Oct. 6. However, the original research leaked on Thursday, and security researchers have since dialed back some of their initial fears, which compared the potential impact to Log4j and Heartbleed.”

• This week, the Cybersecurity and Infrastructure Security Administration added one known exploited vulnerability to its catalog on September 24, 2024,
  • CVE-2024-7593. Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability

• Cybersecurity Dive cautions,
  • “A state-linked botnet linked to the Flax Typhoon threat group is actively targeting 66 security vulnerabilities for exploitation, researchers from VulnCheck said Monday. Last week the Five Eyes intelligence partners named the botnet in a global threat advisory. 
  • “However, researchers from VulnCheck warn that only 27 of the CVEs are listed in the Cybersecurity and Infrastructure Security Agency’s closely monitored catalog of known exploited vulnerabilities.  
  • “Researchers say the discrepancy between the actively targeted CVEs and the official CISA catalog highlights a longstanding backlog in identifying security threats that critical infrastructure providers, private companies and government agencies are up against.” * * *
  • “NIST brought in an outside firm to help reduce the analysis backlog. A NIST spokesperson said the agency has made progress towards reducing the backlog, and an update on that progress is pending.” 

From the ransomware front,

• Modern Healthcare tells us,
  • The number of healthcare providers affected by ransomware attacks is steadily growing. 
  • More than two-thirds of healthcare providers reported a ransomware attack in the past year compared with 60% in 2023, according to a survey released Thursday from cybersecurity company Sophos. In 2021, only 34% of providers said they were affected by an attack.

• Bleeping Computer warns,
  • “Microsoft warns that ransomware threat actor Storm-0501 has recently switched tactics and now targets hybrid cloud environments, expanding its strategy to compromise all victim assets.
  • “The threat actor first emerged in 2021 as a ransomware affiliate for the Sabbath ransomware operation. Later they started to deploy file-encrypting malware from Hive, BlackCat, LockBit, and Hunters International gangs. Recently, they have been observed to deploy the Embargo ransomware.
  • “Storm-0501’s recent attacks targeted hospitals, government, manufacturing, and transportation organizations, and law enforcement agencies in the United States.”

• PC World explains how to turn on Microsoft Windows’ built in ransomware protection.

From the cybersecurity defenses front,

• SC Media calls attention to “five ways to beef up network security and reduce data theft.”
  • “Rethink access control
  • “Raise the firewall game
  • “Take incident response seriously
  • “Tap into network visibility
  • “Segment the network
• “These five approaches to network data security have been around for quite some time, yet they continue to mature and stay relevant because of new AI features that align with emerging challenges. Ultimately, the security team needs to choose and deploy the right combination of these tools that correlate with industry-specific risks facing the organization.”
  
• A Dark Reading commentator explains why “Managing Cyber-Risk Is No Different Than Managing Any Business Risk. A sound cyber-risk management strategy analyzes all the business impacts that may stem from an attack and estimates the related costs of mitigation versus the costs of not taking action.”

• Per a CISA press release,
  • “Today [September 26], the Australian Signals Directorate Australian Cyber Security Centre (ASD ACSC), the Cybersecurity and Infrastructure Security Agency (CISA), and other U.S. and international partners released the joint guide Detecting and Mitigating Active Directory Compromises. This guide informs organizations of recommended strategies to mitigate common techniques used by malicious actors to compromise Active Directory.
  • “Active Directory is the most widely used authentication and authorization solution in enterprise information technology (IT) networks globally. Malicious actors routinely target Active Directory as part of efforts to compromise enterprise IT networks by escalating privileges and targeting the highest confidential user objects.  
  • “Responding to and recovering from malicious activity involving Active Directory can be consuming, costly, and disruptive. CISA encourages organizations review the guidance and implement the recommended mitigations to improve Active Directory security.”

From the cybersecurity policy and law enforcement front,

• Federal News Network tells us
  • “A record number of federal agencies and their chief information officers are getting top marks on how they manage IT and cybersecurity.
  • “A total of 13 agencies [including the U.S. Office of Personnel Management] received an overall A letter grades on a semiannual Federal IT Acquisition Reform Act (FITARA) scorecard.
  • “Another 10 agencies got a B grade for their overall IT and cybersecurity management. Only one agency, the Energy Department, received a C grade. No agencies received a D or an F.
  • “Agencies generally saw lower scores in the previous FITARA scorecard released in February.”

• KFF Health News gives low marks to the federal agencies responsible for protecting healthcare organizations against cyberattacks.

• Per a CISA press release,
  • “The Cybersecurity and Infrastructure Security Agency (CISA) published the Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) Plan today. As the operational lead for federal cybersecurity, CISA uses this plan to guide coordinated support and services to agencies, drive progress on a targeted set of priorities, and align collective operational defense capabilities. The end result is reducing the risk to more than 100 FCEB agencies.
  • “Each FCEB agency has a unique mission, and thus have independent networks and system architectures to advance their critical work. This independence means that agencies have different cyber risk tolerance and strategies. However, a collective approach to cybersecurity reduces risk across the interagency generally and at each agency specifically, and the FOCAL Plan outlines this will occur. CISA developed this plan in collaboration with FCEB agencies to provide standard, essential components of enterprise operational cybersecurity and align collective operational defense capabilities across the federal enterprise.” * * *
  • “The FOCAL Plan was developed for FCEB agencies, but public and private sector organizations should find it useful as a roadmap to establish their own plan to bolster coordination of their enterprise security capabilities. 
  • “The Plan is not intended to provide a comprehensive or exhaustive list that an agency or CISA must accomplish. Rather, it is designed to focus resources on actions that substantively advance operational cybersecurity improvements and alignment goals.”

• Per a NIST press release,
  • “NIST is establishing a program for the cybersecurity and privacy of AI and the use of AI for cybersecurity and privacy.
  • “The program will build on existing NIST expertise, research and publications such as:
    • “The Secure Software Development Practices for Generative AI and Dual-Use Foundation Models: An SSDF Community Profile (NIST SP 218A); 
    • “Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations (NIST AI 100-2);
    • “Enabling privacy in the age of AI: Draft Guidelines for Evaluating Differential Privacy Guarantees (NIST SP 800-226); 
    • “Recent introduction of Security of AI as a Competency Area as part of the NICE Workforce Framework for Cybersecurity (NICE Framework);
    • “Tools such as Dioptra – a test platform that aims to facilitate evaluations of machine learning algorithms, including cybersecurity, under a diverse set of conditions.
    • “A PETs Testbed which provides the capability to investigate privacy-enhancing technologies (PETs) and their respective suitability for specific use cases, including protecting machine learning models from privacy attacks.

• Dark Reading reports,
  • “The Justice Department today [September 19] announced a court-authorized operation to disrupt a botnet affecting 200,000 devices in the United States and abroad.
  • “According to unsealed documents, the botnet, known as Raptor Train, is operated by People’s Republic of China (PRC) state-sponsored hackers working for a company based in Beijing. Known publicly as Integrity Technology Group, it is also known as the advanced persistent threat (APT) group Flax Typhoon in the private sector.
  • A variety of connected and Internet of things (IoT) devices have been affected by the botnet malware, including small-office/home-office (SOHO) routers, Internet protocol cameras, digital video recorders, and network-attached storage (NAS) devices.”

From the cyber vulnerabilities and breaches front,

• Cybersecurity Dive lets us know,
  • “Ivanti warned Thursday of a critical path traversal vulnerability in Cloud Service Appliance, which is currently facing exploitation attempts by hackers. The vulnerability, listed as CVE-2024-8963, has a CVSS score of 9.4 and allows an unauthenticated hacker to gain access to restricted functionality.
  • “Ivanti previously issued a patch for CSA on Sept. 10., but the company said the path traversal vulnerability was discovered while investigating exploitation linked to an OS command injection vulnerability, listed as CVE-2024-8190. 
  • “The company warned that when the two vulnerabilities are used in conjunction with each other, a hacker can bypass admin authentication and execute arbitrary commands.” 

• Dark Reading tells us “Security Firm’s North Korean Hacker Hire was not an Isolated Incident; What happened to KnowBe4 also has happened to many other organizations, and it’s still a risk for companies of all sizes due to a sophisticated network of government-sponsored fake employees.” Check out the article.

• CISA added twelve known exploited vulnerabilities to its catalog this week.
  • “September 16, 2024
    • CVE-2024-43461 Microsoft Windows MSHTML Platform Spoofing Vulnerability
    • CVE-2024-6670 Progress WhatsUp Gold SQL Injection Vulnerability”
  • “September 17, 2024
    • CVE-2014-0497 Adobe Flash Player Integer Underflow Vulnerability
    • CVE-2013-0643 Adobe Flash Player Incorrect Default Permissions Vulnerability
    • CVE-2013-0648 Adobe Flash Player Code Execution Vulnerability
    • CVE-2014-0502 Adobe Flash Player Double Free Vulnerability”
  • “September 18, 2024
    • CVE-2024-27348 Apache HugeGraph-Server Improper Access Control Vulnerability
    • CVE-2020-0618 Microsoft SQL Server Reporting Services Remote Code Execution” Vulnerability
    • CVE-2019-1069 Microsoft Windows Task Scheduler Privilege Escalation Vulnerability
    • CVE-2022-21445 Oracle JDeveloper Remote Code Execution Vulnerability
    • CVE-2020-14644 Oracle WebLogic Server Remote Code Execution Vulnerability”
  • “September 19, 2024
    • CVE-2024-8963 Ivanti Cloud Services Appliance (CSA) Path Traversal Vulnerability”

From the ransomware front,

• Dark Reading informs us,
  • “Inc ransomware is on the rise, with one well-known threat actor recently using it to target American healthcare organizations.
  • “Vice Society, which Microsoft tracks as Vanilla Tempest, has been active since July 2022. In that time, the Russian-speaking group has made use of various families of ransomware to aid its double extortion attacks, including BlackCat, Hello Kitty, Quantum Locker, Rhysida, Zeppelin — including its own variant — and its own, eponymous program.
  • “In a series of posts on X, Microsoft Threat Intelligence Center (MSTIC) flagged the group’s latest weapon: Inc ransomware.”

• Per Cybersecurity Dive,
  • “A special legislative committee in Suffolk County, New York, found officials ignored repeated warnings and failed to prepare ahead of a September 2022 ransomware attack that disrupted essential government services for months, in a report released last week.
  • “Officials blamed the ransomware attack on a failure of leadership, including the lack of an incident response plan and a failure to respond to FBI warnings of potential infiltration. 
  • “Suffolk County operated using a variety of IT teams and had no CISO, resulting in a lack of coordination on how to prepare for potential cyber threats. The attack has so far cost the county more than $25 million in remediation costs and other expenses.”

• Cyberscoop reports on a debate of experts at the 2024 mWISE conference about what more could be done to stop ransomware attacks in the wake of police action and tens of millions in ransom payments over the past year. 

From the cyber defenses front,

• Cyberscoop points out,
  • “UnitedHealth Group is still in the recovery process months after a ransomware attack on its Change Healthcare subsidiary, with its chief information security officer saying the company has essentially “started over” with regard to its computer systems. 
  • “When I say start over, I really, truly mean start over,” Steven Martin said Thursday at the Mandiant Worldwide Information Security Exchange (mWISE). “The only thing that we kept from the old environment into the new environment was the cables. New routers, new switches, new compute infrastructure, deployed everything from a safe environment, truly started over. I felt like that was the only way that we could really ensure that we ended up with something that we could stand behind for the health care space, because it’s what it deserved.” 

• Cybersecurity Dive adds,
  • “CEOs and company boards often ask Kevin Mandia, founder and former CEO of Mandiant, how to determine the strength of their CISOs. Above all else, Mandia advises executives to assess their CISO’s disposition.
  • “Do you have a CISO with a security mindset?” “If they don’t have that, you’re probably not going to have a great security program,” Mandia said Wednesday during his opening keynote at the Mandiant Worldwide Information Security Exchange conference in Denver.” * * *
  • “Over the past couple decades Mandia’s crafted a series of five questions designed to help executives and board members test their confidence in a CISO’s ability to excel in their job.
  • “The questions on Mandia’s CISO confidence test include:
    • How would you break into us? What is our weak spot?
    • What is our worst-case scenario?
    • What would you do if the worst-case scenario occurred?
    • How resilient are we? How long would it take to recover our systems and applications?
    • What do you need?
  • “Mandia, who now serves in a strategic security advisor role at Google Cloud, said CEOs should focus on their CISO’s response to these questions as a measure of their demeanor.
  • “I tell CEOs, you don’t even care what the answer is to these questions as long as your CISO actually has one, because at least that means you have the mindset,” Mandia said.”

• Health Tech offers five steps to follow after a breach.

• Per Bleeping Computer,
  • “Microsoft announced today that Hotpatching is now available in public preview for Windows Server 2025, allowing installation of security updates without restarting.
  • “Hotpatching deploys Windows security updates without requiring a reboot by patching the in-memory code of running processes without restarting them after each installation.
  • “Among the benefits of Windows Hotpatching, Redmond highlights faster installs and reduced resource usage, lower workload impact because of fewer reboots over time, and improved security protection because it reduces the time exposed to security risks.
  • “Instead of 12 mandatory reboots a year on ‘Patch Tuesday,’ you’ll now only have quarterly scheduled reboots (with the rare possibility of reboots being required in a nominal Hotpatch month),” said Windows Server Director of Product Hari Pulapaka on Friday [September 20].”
    
    

From the cybersecurity policy front,

• Federal News Network tells us,
  • “White House officials are contemplating a new cybersecurity executive order that would focus on the use of artificial intelligence.
  • “Federal cybersecurity leaders, convening at the Billington Cybersecurity Conference in Washington this past week, described AI as both a major risk and a significant opportunity for cyber defenders.
  • ‘White House Deputy National Security Advisor Anne Neuberger called AI a “classic dual use technology.” But Neuberger is bullish on how it could improve cyber defenses, including analyzing logs for cyber threats, generating more secure software code, and patching existing vulnerabilities.
  • “We see a lot of promise in the AI space,” Neuberger said. “You saw it in the president’s first executive order. As we work on the Biden administration’s potentially second executive order on cybersecurity, we’re looking to incorporate some particular work in AI, so that we’re leaders in the federal government in breaking through in each of these three areas and making the tech real and proving out what’s possible.”

• Per a Labor Department Employee Benefit Security Administration press release,
  • “In its continuing effort to protect U.S. workers’ retirement and health benefits, the U.S. Department of Labor today updated current cybersecurity guidance confirming that it applies to all types of plans governed by the Employee Retirement Income Security Act, including health and welfare plans, and all employee retirement benefit plans.
    • “The new Compliance Assistance Release issued by the department’s Employee Benefits Security Administration provides best practices in cybersecurity for plan sponsors, plan fiduciaries, recordkeepers and plan participants. The release updates EBSA’s 2021 guidance and includes the following:
    • “Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
    • “Cybersecurity Program Best Practices: Assists plan fiduciaries and recordkeepers in mitigating risks. 
    • “Online Security Tips: Offers plan participants who check their online retirement accounts with rules for reducing the risk of fraud and loss.”

• Cybersecurity Dive lets us know,
  • “The White House Office of the National Cyber Director launched a program Wednesday to help fill the gap of about 500,000 available cybersecurity jobs across the country. 
  • “Service for America, a program developed alongside the Office of Management and Budget and the Office of Personnel Management, is a recruitment and hiring push that will help connect Americans with available jobs in cybersecurity, technology and artificial intelligence. 
  • “The program’s major emphasis is to reach job candidates without traditional qualifications, such as computer science or engineering backgrounds. 
  • “Many Americans do not realize that a cyber career is available to them,” National Cyber Director Harry Coker Jr. said in a blog post released Wednesday. “There is a perception that you need a computer science degree and a deeply technical background to get a job in cyber.”
  • “In reality, Coker said people of all backgrounds can find well-paying jobs in cybersecurity, and the White House has been promoting efforts to connect a new generation of prospective candidates into those positions.”
• and
  • “Marsh McLennan and Zurich Insurance Group on Thursday [September 5] issued a call for government intervention to help resolve the growing risk of catastrophic cyber events and a multibillion dollar gap in terms of what the current insurance market can absorb. 
  • “The cyber insurance market has seen significant growth in recent years, and is expected to exceed $28 billion in gross written premiums in 2027, more than double the amount written in 2023, according to a whitepaper released by the firms Thursday.  
  • “However, the companies warn a risk protection gap of about $900 billion exists between insured losses and economic losses due to cyberattacks. Many small- to medium-sized businesses are either underinsured or carry no coverage to protect against such losses.” 

From the cyber vulnerabilities and breaches front,

• Per a Centers for Medicare Services press release,
  • “The Centers for Medicare & Medicaid Services (CMS) and Wisconsin Physicians Service Insurance Corporation (WPS) are notifying people whose protected health information or other personally identifiable information (PII) may have been compromised in connection with Medicare administrative services provided by WPS. WPS is a CMS contractor that handles Medicare Part A/B claims and related services for CMS.  
  • “The notification comes following discovery of a security vulnerability in the MOVEit software, a third-party application developed by Progress Software and used by WPS for the transfer of files in providing services to CMS. WPS is among many organizations in the United States that have been impacted by the MOVEit vulnerability. The security incident may have impacted PII of Medicare beneficiaries that was collected in managing Medicare claims as well as PII collected to support CMS audits of healthcare providers that some individuals who are not Medicare beneficiaries have visited to receive health care services.
  • “CMS and WPS are mailing written notifications to 946,801 current people with Medicare whose PII may have been exposed, informing them of the breach and explaining actions being taken in response.”

• Cybersecurity Dive reports,
  • “Federal authorities in the U.S. and nine other countries warn that threat groups affiliated with Russia’s military intelligence service are targeting global critical infrastructure and key resource sectors, according to a joint cybersecurity advisory released Thursday. 
  • “Threat groups affiliated with a specialist unit of the Russian General Staff Main Intelligence Directorate have targeted government services, financial services, transportation systems, energy, and healthcare sectors of NATO members and countries in Europe, Central America and Asia, officials said in the advisory.
  • “To date, the FBI has observed more than 14,000 instances of domain scanning across at least 26 NATO members and several additional EU countries,” authorities said in the advisory. The attackers have defaced victim websites, scanned infrastructure, and exfiltrated and leaked stolen data.”

• The Cybersecurity and Infrastructure Security Agency added three known exploited vulnerabilities to its catalog:
  • September 3, 2024
    • CVE-2021-20123 Draytek VigorConnect Path Traversal Vulnerability
    • CVE-2021-20124 Draytek VigorConnect Path Traversal Vulnerability
    • CVE-2024-7262 Kingsoft WPS Office Path Traversal Vulnerability

• Dark Reading adds,
  • “This week the US Cybersecurity and Infrastructure Security Agency (CISA) warned about two new industrial control systems (ICS) vulnerabilities in products widely used in healthcare and critical manufacturing — sectors prone to attract cybercrime.
  • “The vulnerabilities affect Baxter’s Connex Health Portal and Mitsubishi Electric’s MELSEC line of programmable controllers. Both vendors have issued updates for the vulnerabilities and recommended mitigations that customers of the respective technologies can take to further mitigate risk.”

• Per Cybersecurity Dive,
  • “Just over half of businesses in the U.S. and U.K. have been targets of a financial scam powered by “deepfake” technology, with 43% falling victim to such attacks, according to a survey by finance software provider Medius.
  • “Of the 1,533 U.S. and U.K. finance professionals polled by Medius, 85% viewed such scams as an “existential” threat to their organization’s financial security, according to a report on the findings published last month. Deepfakes are artificial intelligence-manipulated images, videos, or audio recordings that are bogus yet convincing.
  • “More and more criminals are seeing deepfake scams as an effective way to get money from businesses,” Ahmed Fessi, chief transformation and information officer at Medius, said in an interview. These scams “combine phishing techniques with social engineering, plus the power of AI.”

From the ransomware front,

• Tech Radar points out,
  • “Research from Searchlight Cyber has shown the number of ransomware groups that operated in the first half of 2024 rose to 73, up from 46 in the same period of 2023. The findings suggest law enforcement’s efforts to curb cyber criminal groups have seen some success, especially in disrupting the operations of notorious group BlackCat, which has since dissolved.
  • “Groups were targeted by law enforcement in ‘Operation Cronos’, which facilitated the arrests of two people, took down 28 servers, obtained 1,000 decryption keys, and froze 200 crypto accounts – all linked to the infamous LockBit organization.
  • “Although the number of groups has risen, the number of victims has fallen, which indicates a potential diversification rather than growth of ransomware groups. Other Ransomware as a Service (RaaS) groups such as RansomHub and BlackBasta have become more active, complicating the landscape for cyber security.

• Tripwire fills us in about Cicada ransomware.

• ‘Per Cybersecurity Dive,
  • “A previously disclosed cyberattack at Halliburton disrupted parts of its operations and information was stolen in connection with the incident, the company said in a filing with the Securities and Exchange Commission Tuesday. 
  • “Halliburton discovered the attack in late August and immediately shut off certain services as a proactive measure. It continues to offer its products and services across the globe, the company said.
  • “The Houston company has incurred and will continue to incur certain expenses related to the attack. However, it does not expect the attack to have a material impact on its financial condition or results of operations.”

From the cybersecurity defenses front,

• The Wall Street Journal reports,
  • “Cybersecurity professionals are reporting modest budget increases amid the need to defend against new hacking threats and secure emerging technologies such as artificial intelligence.
  • “Spending on cybersecurity is rising 8% this year, compared with 6% in 2023, according to a survey of chief information security officers published Thursday by cybersecurity consulting firm IANS and recruiting company Artico Search. The survey polled 755 CISOs from April into August, with 681 completing its budget section.
  • “Despite the small improvement, security spending is growing at a lower rate than the 17% increase in 2022. Still, the shift indicates a gradual recovery after companies slowed cyber spending and in some cases froze hiring after the pandemic, said Steve Martano, an Artico partner and IANS faculty member. 
  • “People are feeling more optimistic than they were six months ago,” Martano said, adding that more cybersecurity leaders are seeing small budget increases and there are signs the security job market will improve.”

• Dark Reading offers a commentary on “How CISOs Can Effectively Communicate Cyber-Risk. A proximity resilience graph offers a more accurate representation of risk than heat maps and risk registers,and allows CISOs to tell a complex story in a single visualization.”

• ISACA offers a commentary on “The Never-ending Quest: Why Continuous Monitoring is Crucial for Cybersecurity.”

• If you work for or represent a small or medium sized HIPAA covered entity or business associate, you may want to “register for an introductory webinar [to held on September 10 at noon ET and September 11 at 3 pm] on the free Security Risk Assessment Tool (SRA Tool) hosted by Altarum with the U.S. Department of Health and Human Services Office for Civil Rights (OCR) and the Assistant Secretary for Technology Policy (ASTP). The webinar will also feature changes in SRA Tool version 3.5, available in September 2024.”

• Security Week shares a discussion between CSOs Jaya Baloo from Rapid7 and Jonathan Trull from Qualys about the route, role, and requirements in becoming and being a successful CISO.

From the cybersecurity policy front,

• Cybersecurity Dive reports,
  • “The Cybersecurity and Infrastructure Security Agency introduced an online portal Thursday [August 29] for organizations to voluntarily report malicious cyberattacks, vulnerabilities and data breaches. 
  • “The CISA services portal is a secure platform that provides enhanced functionality and collaboration features, including the ability to save and update incident reports, share submitted reports with colleagues or clients and search for reports. Users can also have informal discussions with CISA through the portal.
  • “An organization experiencing a cyberattack or incident should report it — for its own benefit, and to help the broader community,” Jeff Greene, executive assistant director for cybersecurity at CISA, said in a statement. “CISA and our government partners have unique resources and tools to aid with response and recovery, but we can’t help if we don’t know about an incident.”

• Per FedScoop,
  • “Federal agencies are counting down the days until September 30 to meet a combination of zero-trust cybersecurity requirements. The requirements are part of a multi-year strategy by the Office of Management and Budget (OMB) to apply various cybersecurity techniques to safeguard federal agency users, networks, devices and data.
  • “One of the more vexing requirements, according to a new report, includes provisions to inventory and monitor the increasingly complex IT landscape involving not just traditional IT but also an ever-expanding array of operating technologies (OT) and the Internet of Things (IoT). The convergence of data and applications linked to IT, OT and IoT devices has introduced a new era of security risks that OMB has tasked agencies to address.
  • “The widespread adoption of OT devices not only expands the number and diversity of assets agencies must manage but also the range of vulnerabilities they need to address,” explains a new report commissioned for FedScoop and underwritten by Asc3nd Technologies Group. “More to the point: Linking OT data and devices to IT systems creates new pathways for cyberattacks that adversaries are exploiting with increasing frequency.”
  • “To address those and related risks, OMB directive M-24-04 requires agencies, among other things, to put tools and measures in place that provide a comprehensive understanding of all devices connected to their networks. They must also be prepared to provide detailed asset reports to the Cybersecurity and Infrastructure Agency (CISA) within 72 hours.”

• The Wall Street Journal adds,
  • As cyberattacks plague companies across all industries and cause headaches for consumers, regulators are demanding that victims report hacks in short time periods—and the rules are rarely consistent, creating a compliance nightmare.
  • In addition to widely publicized rules such as those brought into force by the U.S. Securities and Exchange Commission in December 2023, many companies must also comply with other federal demands, rules from state regulators and industry-specific requirements. * * *
  • “Health insurer Blue Cross Blue Shield Association, for instance, said in its response [to CISA proposed Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) rule] that healthcare companies may need to report incidents under the Health Insurance Portability and Accountability Act, the Federal Trade Commission’s rules on data privacy, the SEC’s rules and CIRCIA, once that rule is final.  
  • “Four separate standards with similar but slightly different compliance expectations would impose an unreasonable burden with marginal benefit towards improving cybersecurity as compared to having a single, harmonized standard,” said Kris Haltmeyer, the association’s vice president of policy analysis.”

From the cyber vulnerabilities and breaches front,

• Dark Reading points out,
  • “Multiple exploit campaigns linked to a Russian-backed threat actor (variously known as APT29, Cozy Bear, and Midnight Blizzard) were discovered delivering n-day mobile exploits that commercial spyware vendors have used before.
  • “According to Google’s Threat Analysis Group (TAG), the exploit campaigns were delivered “from a watering hole attack on Mongolian government websites,” and each one is identical to exploits previously used by commercial surveillance vendors (CSVs) Intellexa and NSO Group. That suggests, as the researchers at Google TAG note, that the authors and/or providers are the same. * * *
  • “The researchers go on to add that though there are still outstanding questions as to how the exploits were acquired, this does highlight how exploits developed first by the commercial surveillance industry become even more of a threat as threat actors come across them.” 

• Cyberscoop adds,
  • “Online scam cycles have gotten significantly shorter and more effective over the past four years, as cybercriminals increasingly favor smaller, simpler, faster and more targeted campaigns that can yield higher revenues over the long term.
  • “The findings, from a mid-year cybercrime report released Thursday by Chainalysis, show that scammers are refreshing their online and blockchain-based infrastructure faster than ever before.
  • “For instance, a huge chunk of all scam revenues being tracked by Chainalysis on the blockchain (43%) were sent to wallets that only became active over the past year — something the company said suggests a surge of newly created scamming campaigns.
  • “That’s significantly larger than any other observed year — the previous high was 29.9% in 2022 — and it has coincided with what Chainalysis described as a concerted effort by criminals to dramatically shrink the time they spend on one spam campaign before moving onto another.”

• CISA added three known exploited vulnerabilities to its catalog this week.
  • August 26, 2024 — CVE-2024-7971 Google Chromium V8 Type Confusion Vulnerability
  • August 27, 2024 — CVE-2024-38856. Apache OFBiz Incorrect Authorization Vulnerability
  • August 28, 2024 — CVE-2024-7965. Google Chromium V8 Inappropriate Implementation Vulnerability

From the CrowdStrike outage front,

• Cybersecurity Dive informs us,
  • “The financial impact from last month’s ill-fated CrowdStrike Falcon sensor update that caused a global IT network outage will continue through the first half of 2025, company executives said Wednesday during an earnings call.
  • “Executives warned investors of temporary delays in its sales pipeline generation, longer sales cycles due to increased scrutiny from new and existing customers and muted upsell potential.
  • “CrowdStrike expects an impact of about $60 million in net new annual recurring revenue and subscription revenue due to what it dubbed its “customer commitment packages,” discounts it’s offering some customers through the second half of this year, CFO Burt Podbere said during the Wednesday earnings call for the company’s fiscal 2025 second quarter, which ended July 31. “When we get to the back half of next year, we’ll start to see an acceleration in the business.”

From the ransomware front,

• The American Hospital Association News reports,
  • “The FBI, Cybersecurity and Infrastructure Agency and the Department of Defense Cyber Crime Center Aug. 29 issued a joint advisory to warn of Iranian-based cyber actors leveraging unauthorized network access to U.S. organizations, including health care organizations, to facilitate, execute and profit from future ransomware attacks by apparently Russian-affiliated ransomware gangs. The Iranian group, which is associated with the Government of Iran, has conducted a high volume of cyberattack attempts on U.S. organizations since 2017 and as recently as August 2024. Based on an FBI assessment, the cyber actors obtain network access for espionage reasons then collaborate with ransomware groups, including the notorious Russian-linked ransomware groups RansomHub and APLHV aka BlackCat, to execute ransomware attacks against the espionage target. BlackCat was responsible for the 2024 Change Healthcare ransomware attack, the largest and most consequential cyberattack in U.S. history. The advisory does not indicate if the Iranian actors had any role in the Change Healthcare attack but does state that the Iranian group’s ransomware activities are not likely sanctioned by the Government of Iran.
  • “The joint advisory provides tactics, techniques, procedures, and indicators of compromise obtained from FBI investigations and third-party reporting. The federal agencies urge organizations to apply the recommendations in the mitigations section of the advisory to reduce the likelihood of compromise from these Iranian-based cyber actors and other ransomware attacks.
  • “This alert demonstrates the close ‘international cooperation’ between hackers to exploit cyber espionage campaigns for criminal profit,” said John Riggi, AHA national advisor for cybersecurity and risk. “This alert also demonstrates the nation-state level sophistication and expertise of the ransomware groups that target U.S. health care. No health care organization, regardless of their cybersecurity preparedness, can be expected to fully defend against a group of nation-state-trained hackers collaborating with sophisticated ransomware gangs. Clearly, the initial access leading to a subsequent ransomware attack, sanctioned or not, is state-sponsored. We strongly encourage the U.S. government to treat these attacks as national security threats, by policy and action, and impose significant risk and consequences on our cyber adversaries. Offense is the best defense.”
  • “Although there is no specific threat information at this time, the field is reminded to remain especially vigilant over the holiday weekend, as we have historically seen increased targeting of health care around the holidays.”

• Bleeping Computer adds,
  • “The RansomHub ransomware gang is behind the recent cyberattack on oil and gas services giant Halliburton, which disrupted the company’s IT systems and business operations.
  • “The attack caused widespread disruption, and Bleeping Computer was told that customers couldn’t generate invoices or purchase orders because the required systems were down.
  • “Halliburton disclosed the attack last Friday in an SEC filing, stating they suffered a cyberattack on August 21, 2024, by an unauthorized party.

• Cybersecurity Dive reports,
  • “Volt Typhoon, a prolific state-linked threat actor, is exploiting a zero-day vulnerability in Versa Director servers in a campaign targeting internet service providers, managed service providers and other technology firms, researchers from Black Lotus Labs warned in a blog post Tuesday.
  • “The vulnerability, listed as CVE-2024-39717, allows users to upload files that are potentially malicious and gives them advanced privileges. 
  • “Black Lotus Labs researchers identified a custom webshell, which they call VersaMem, that is designed to intercept and harvest credentials and allow an attacker to gain access to a downstream computer network as an authenticated user. 

From the cybersecurity defenses front,

• Per a NIST press release,
  • “[On August 29], the U.S. Artificial Intelligence Safety Institute at the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) announced agreements that enable formal collaboration on AI safety research, testing and evaluation with both Anthropic and OpenAI.
  • “Each company’s Memorandum of Understanding establishes the framework for the U.S. AI Safety Institute to receive access to major new models from each company prior to and following their public release. The agreements will enable collaborative research on how to evaluate capabilities and safety risks, as well as methods to mitigate those risks. 
  • “Safety is essential to fueling breakthrough technological innovation. With these agreements in place, we look forward to beginning our technical collaborations with Anthropic and OpenAI to advance the science of AI safety,” said Elizabeth Kelly, director of the U.S. AI Safety Institute. “These agreements are just the start, but they are an important milestone as we work to help responsibly steward the future of AI.”
  • “Additionally, the U.S. AI Safety Institute plans to provide feedback to Anthropic and OpenAI on potential safety improvements to their models, in close collaboration with its partners at the U.K. AI Safety Institute.” 

• Per Dark Reading, “Ransomware attacks and email-based fraud account for 80% to 90% of all claims processed by cyber insurers, but a handful of cybersecurity technologies can help prevent big damages.” Check it out.
  
  

From the CrowdStrike outage front,

• TechTarget offers lessons learned from the CrowdStrike outage.

• Cybersecurity Dive includes an opinion piece from Deepak Kumar, the founder and CEO of Adaptiva.
  • “Patching remains a top priority for every organization, but slow, manual, and reactive patching presents far more risk than benefit. Automated patching without the capability to pause, cancel, or roll back can be reckless and lead to disruptions or worse. 
  • “Automated patching, with the necessary controls, is undoubtedly the best path forward, offering the speed needed to thwart bad actors and the control required to prevent an errant update from causing widespread issues.”

From the cybersecurity policy front,

• Cyberscoop informs us,
  • “Federal contractors would be required to implement vulnerability disclosure policies that align with National Institute of Standards and Technology guidelines under a bipartisan Senate bill introduced last week.
  • “The Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024 from Sens. Mark Warner, D-Va., and James Lankford, R-Okla., is a companion to legislation from Rep. Nancy Mace, R-S.C., which was advanced by the House Oversight Committee in May.
  • “The bill from Warner and Lankford on vulnerability disclosure policies (VDPs) aims to create a structure for contractors to receive reports of vulnerabilities in their products and then act against them before an attack occurs.
  • “VDPs are a crucial tool used to proactively identify and address software vulnerabilities,” Warner said in a statement. “This legislation will ensure that federal contractors, along with federal agencies, are adhering to national guidelines that will better protect our critical infrastructure, and sensitive data from potential attacks.”

• Cybersecurity Dive reports from the Black Hat cybersecurity conference held at Las Vegas in the first week of August,
  • Despite a stream of devastating cyberattacks or mistakes that halt or disrupt large swaths of the economy, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, says the war against malicious activity is not lost.
  • It is possible to elevate organizations’ ability to repel or mitigate attacks and place a greater emphasis on vendors’ responsibilities, Easterly said Wednesday during a media briefing at Black Hat. “We got ourselves into this, we have to get ourselves out,” she said.
  • Easterly’s optimism isn’t the result of blind trust. “We have made enormous progress, even just over the past several years,” she said.” * * *
  • “We have to recognize that the cybersecurity industry exists because technology vendors for decades have been allowed to create defective, flawed, insecure software that prioritizes speed to market features over security,” Easterly said. 
  • “There is more we can do but that’s where the war will be won,” Easterly said. “If we put aside the threat actors and we put aside the victims and we talk about the vendors.”
• and
  • It’s time to stop thinking of threat groups as supervillains, experts say
  • “These villains do not have superpowers. We should not treat them like they do,” * * *
  • “The vast majority of organizations don’t have the time or resources to keep up with the chaos of tracking cybercriminal groups, Andy Piazza, senior director of threat intel at Palo Alto Networks Unit 42, said in an interview at Black Hat.
  • “You as a defender shouldn’t care about that,” Piazza said. Defenders can better serve their organizations by developing capabilities to detect and respond to malicious tactics, techniques and procedures, Piazza said.
  • “It’s hard to ignore the drama when groups are given names like Scattered Spider, Midnight Blizzard and Fancy Bear, but mythologizing the criminals responsible for cyberattacks can diminish defenders’ ability to detect and thwart malicious activity.”
    
• FedScoop lets us know,
  • “The National Institute of Standards and Technology has officially released three new encryption standards that are designed to fortify cryptographic protections against future cyberattacks by quantum computers.
  • “The finalized standards come roughly eight years after NIST began efforts to prepare for a not-so-far-off future where quantum computing capabilities can crack current methods of encryption, jeopardizing crucial and sensitive information held by organizations and governments worldwide. Those quantum technologies could appear within a decade, according to a RAND Corp. article cited by NIST in the Tuesday announcement.
  • “Quantum computing technology could become a force for solving many of society’s most intractable problems, and the new standards represent NIST’s commitment to ensuring it will not simultaneously disrupt our security,” Laurie E. Locascio, director of the Department of Commerce’s NIST and undersecretary of commerce for standards and technology, said in a statement. “These finalized standards are the capstone of NIST’s efforts to safeguard our confidential electronic information.”
  • “The new standards provide computer code and instructions for implementing algorithms for general encryption and digital signatures — algorithms that serve as authentication for an array of electronic messages, from emails to credit card transactions.”

• Federal News Network adds,
  • “CISA Director Jen Easterly said in a keynote at The White House Office of Management and Budget will soon direct agencies to map out plans for adopting post-quantum encryption to protect their most sensitive systems and data.
  • “Federal Chief Information Office Clare Martorana said the new guidance will help agencies begin to adopt new cryptographic standards from the National Institute of Standards and Technology.
  • “We will be releasing guidance directing agencies to develop a prioritized migration plan to ensure that the most sensitive systems come first,” Martorana said during an event hosted by the White House today. “We can’t do it alone. It’s critical that we continue to foster robust collaboration and knowledge sharing between public and private sectors, which is why conversations like the one we’re having today are so incredibly critical.”

From the cybersecurity vulnerabilities and breaches front,

• The Cybersecurity and Infrastructure Security Administration (CISA) added seven known exploited vulnerabilities (KEV) to its catalog this week. NIST initially identifies the KEVs, which explains the Senate bill discussed above, and then CISA publicizes those KEVs in its catalog
  • August 13, 2024,
    • CVE-2024-38189 Microsoft Project Remote Code Execution Vulnerability
    • CVE-2024-38178 Microsoft Windows Scripting Engine Memory Corruption Vulnerability
    • CVE-2024-38213 Microsoft Windows SmartScreen Security Feature Bypass Vulnerability
    • CVE-2024-38193 Microsoft Windows Ancillary Function Driver for WinSock Privilege Escalation Vulnerability
    • CVE-2024-38106 Microsoft Windows Kernel Privilege Escalation Vulnerability
    • CVE-2024-38107 Microsoft Windows Power Dependency Coordinator Privilege Escalation Vulnerability
  • Security Week discusses these Microsoft KEVs.
  • August 15, 2024,
    • CVE-2024-28986 SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
  • Cybersecurity Dive adds,
    • SolarWinds is urging customers to patch a critical vulnerability in its Web Help Desk application, in a Tuesday advisory, which was last updated Friday.
    • The company disclosed a java deserialization remote code execution vulnerability that, if successfully exploited, could allow an attacker to run commands on a host machine. The vulnerability, listed as CVE-2024-28986, has a CVSS score of 9.8.
    • The Cybersecurity and Infrastructure Security Agency on Thursday added the CVE to its Known Exploited Vulnerabilities catalog. 

• Cybersecurity Dive notes,
  • “A vulnerability in the common log file system of Microsoft Windows can lead to the blue screen of death, impacting all versions of Windows 10 and Windows 11, researchers from Fortra said Monday.  
  • “The vulnerability, listed as CVE-2024- 6768, is caused by improper validation of specified quantities of input data, according to a report by Fortra. The vulnerability can result in an unrecoverable inconsistency and trigger a function called KeBugCheckEx, leading to the blue screen. 
  • “A malicious hacker can exploit the flaw to trigger repeated crashes, disrupting system operations and the potential loss of data, according to Fortra.”

• TechTarget explains why “recent cyberattacks against OneBlood and McLaren Health Care shed light on the operational challenges that targeted organizations face.”

From the ransomware front,

• A Dark Reading commentator explains that to avoid losing the ransomware battle, companies that are “institutionalizing and sustaining fundamental cybersecurity practices” also must “commit to ongoing vigilance, active management, and a comprehensive understanding of evolving threats.”
  • “The challenge of institutionalizing and sustaining fundamental cybersecurity practices is multifaceted. It requires a commitment to ongoing vigilance, active management, and a comprehensive understanding of evolving threats. However, by addressing these challenges head-on and ensuring that cybersecurity practices are implemented, measured, and maintained with rigor, organizations can better protect themselves against the ever-present threat of ransomware attacks. Focusing on the basics first — such as implementing foundational controls like 2FA, fostering maintenance skills to integrate IT and security efforts, and adopting performance management practices — can lead to significant improvements in cybersecurity, providing robust protection with less investment.”

• Cybersecurity Dive points out,
  • “Cyber risk company Resilience said in a report unveiled Tuesday that ransomware has remained a top threat since January 2023, with 64% of related claims in its portfolio resulting in a loss during that period.
  • “Increased merger-and-acquisition activity and reliance on ubiquitous software vendors created new opportunities for threat actors to unleash widespread ransomware campaigns by exploiting a single point of failure, the report said.
  • “Now more than ever, we need to rethink how the C-suite approaches cyber risk,” Resilience CEO Vishaal Hariprasad said in a press release. “Businesses are interconnected like never before, and their resilience now depends on that of their partners and others in the industry.”

• Per Bleeping Computers,
  • “RansomHub ransomware operators are now deploying new malware to disable Endpoint Detection and Response (EDR) security software in Bring Your Own Vulnerable Driver (BYOVD) attacks.
  • “Named EDRKillShifter by Sophos security researchers who discovered it during a May 2024 ransomware investigation, the malware deploys a legitimate, vulnerable driver on targeted devices to escalate privileges, disable security solutions, and take control of the system.
  • “This technique is very popular among various threat actors, ranging from financially motivated ransomware gangs to state-backed hacking groups.”
• and
  • “Background check service National Public Data confirms that hackers breached its systems after threat actors leaked a stolen database with millions of social security numbers and other sensitive personal information. 
  • “The company states that the breached data may include names, email addresses, phone numbers, social security numbers (SSNs), and postal addresses.”

From the cybersecurity defenses front,

• The American Hospital Association’s National Advisor for Cybersecurity and Risk, John Riggi, explains how healthcare entities should prepare for third party cyber risk.

• The Wall Street Journal shares remarks from a June 2024 WSJ conference on what can be learned from the Change Healthcare cyber-attack. “Two security experts explain why the hack affected so many institutions and people—and what could be done to protect the healthcare system.”

• For several months, the FEHBlog has not been able to access the HHS 405(d) program website. Magically this week, he regained access. Here is a link to the program’s July 2024 post which concerns the urgent need for data security in healthcare AI.

From the CrowdStrike outage front,

• Dark Reading reports,
  • The CrowdStrike update that hobbled businesses, disrupted consumer travel plans, and took French and British broadcasters offline has predictably led to a host of lawsuits filed by investors and customers of both CrowdStrike and other affected companies.
  • Yet the incident could lead to another destination: software liability.
  • The overall consensus among legal experts is that CrowdStrike is likely protected by its terms and conditions from reimbursing customers for more than they paid for the product, limiting its software liability in what the company now refers to as “the Channel File 291 Incident.” However, the fact that affected businesses and consumers have little recourse to recover damages will likely lend momentum to legislation and state regulations to hold firms responsible for such chaos, says Chinmayi Sharma, associate professor of law at Fordham University.

• Cybersecurity Dive lets us know,
  • “A mismatched software update in CrowdStrike’s Falcon sensor led to the crash that caused a global IT outage of millions of Microsoft Windows systems on July 19, the company said Tuesday. 
  • “CrowdStrike, in a root cause analysis report, said the Falcon sensor expected 20 input fields in a rapid response content update, but the software update actually provided 21 input fields. The mismatch resulted in an out-of-bounds memory read, leading to the system crash. 
  • “We are using lessons learned from this incident to better serve our customers,” CrowdStrike CEO George Kurtz said in a statement Tuesday. “To this end, we have already taken decisive steps to prevent this situation from repeating, and to help ensure that we – and you – become even more resilient.”
• and
  • “CrowdStrike is in talks to acquire Action1, a Houston-based patch management and vulnerability specialist. The agreement being discussed would value the company at nearly $1 billion, according to a memo sent to Action1 employees. 
  • “Action1 Co-Founder and CEO Alex Vovk sent a memo to employees Wednesday confirming the discussions, after speculation around the talks gained within the company. A spokesperson for Action1 confirmed the authenticity of the memo to Cybersecurity Dive Friday. 
  • “This proves that Action1 is in a rapidly growing market and explains why Action1 is experiencing hypergrowth and is on track to soon reach $100M AAR,” Vovk wrote in the memo.” 

From the cybersecurity policy front,

• Per Cybersecurity Dive,
  • “For Cybersecurity and Infrastructure Security Agency Director Jen Easterly the doomed CrowdStrike software update that took global IT systems and networks offline last month holds a “big lesson” for critical infrastructure.
  • “The CrowdStrike incident was such a terrible incident,” Easterly said Wednesday during a media briefing at Black Hat, but “it was a useful exercise, like a dress rehearsal for what China may want to do to us.”
  • “The outage was not the result of a malicious act, but rather a basic field input error that caused an out-of-bounds memory read. Yet, to Easterly, the widespread chaos it caused offers a clear example of what could occur if China-affiliated attackers make good on its efforts to cause systemic disruption to U.S. critical infrastructure.
  • “When Easterly learned of the outage, around 2 a.m. on July 19: “What was going through my mind was ‘oh, this is exactly what China wants to do.’”

• Per Cyberscoop,
  • “Jen Easterly, the head of the Cybersecurity and Infrastructure Security Agency, told attendees at the Black Hat security conference on Thursday that delivering major improvements in computer security will require a sea change in how companies approach building software. 
  • “Amid an epidemic of breaches, Easterly laid the blame squarely at the feet of the technology industry. “We don’t have a cybersecurity problem. We have a software quality problem,” she said. 
  • “We have a multi-billion dollar cybersecurity industry because for decades, technology vendors have been allowed to create defective, insecure, flawed software,” Easterly said in her remarks.
  • “To address that issue, Easterly and CISA have launched a secure by design pledge, the signatories of which commit to a series of principles to improve the security of how products are developed and deployed. Easterly said 200 companies have now signed that pledge since its launch in March.”   

• To that end, this week, CISA and the FBI posted their “Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem.” Here’s a link to the federal government’s Internet Complaint Center supplement guidance on this effort.

• Cyberscoop also tells us,
  • “A year after asking the hacker community how they can better help protect the open source software that is the foundation of the digital economy, the White House is looking to better secure the ecosystem through a new office dedicated to study such components in critical infrastructure.
  • “The Office of the National Cyber Director released new details Friday on several projects aimed at securing open source software. The report comes a year after the office asked attendees at DEF CON in 2023 to contribute to a request for information around how to better focus on securing open source software.
  • “The new office runs out of the Department of Homeland Security and will examine the prevalence of open source software present in critical infrastructure and how to secure it, said Nasreen Djouini, senior policy advisor at the Office of the National Cyber Director. The program will have the support of the Department of Energy’s national labs, including at Los Alamos and Lawrence Livermore.”

From the cybersecurity vulnerabilities and breaches front,

• Again, per Cyberscoop,
  • “An Israeli cybersecurity firm has identified a zero-day vulnerability affecting major web browsers that could allow attackers to bypass normal browser security measures and potentially breach local networks.
  • “The flaw, discovered by Oligo Security, was found in how browsers handle network requests. 
  • “In summary, devices read IP addresses to connect users to websites, with 0.0.0.0 serving as a placeholder until a real address is assigned. Oligo researchers found that a would-be attack can exploit how browsers like Apple’s Safari, Google’s Chrome and Mozilla’s Firefox handle queries to 0.0.0.0, redirecting them to other addresses such as ‘localhost,’ which is typically private. 
  • “This exploit allows attackers to access private data by sending requests to 0.0.0.0. Attackers could then perform all types of nefarious actions, gaining unauthorized access and executing remote code on locally running programs, which could impact development platforms, operating systems and internal networks.
  • Oligo has dubbed the vulnerability “0.0.0.0 day,” and wrote in a blog post that it considers it to be “far-reaching, affecting individuals and organizations alike.”

• Here are the known exploited vulnerabilities that CISA added to its catalog this week,
  • August 5, 2024: CVE-2018-0824 Microsoft COM for Windows Deserialization of Untrusted Data Vulnerability
  • August 7, 2024, CVE-2024-36971 Android Kernel Remote Code Execution Vulnerability, and CVE-2024-32113 Apache OFBiz Path Traversal Vulnerability

• Security Week points out,
  • The US cybersecurity agency CISA on Thursday informed organizations about threat actors targeting improperly configured Cisco devices.
  • The agency has observed malicious hackers acquiring system configuration files by abusing available protocols or software, such as the legacy Cisco Smart Install (SMI) feature. 
  • This feature has been abused for years to take control of Cisco switches and this is not the first warning issued by the US government. 

From the ransomware front,

• Per a CISA press release,
  •  “CISA—in partnership with the Federal Bureau of Investigation (FBI)—released an update to joint Cybersecurity Advisory #StopRansomware: Royal Ransomware, #StopRansomware: BlackSuit (Royal) Ransomware. The updated advisory provides network defenders with recent and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with BlackSuit and legacy Royal activity. FBI investigations identified these TTPs and IOCs as recently as July 2024.
  • “BlackSuit ransomware attacks have spread across numerous critical infrastructure sectors including, but not limited to, commercial facilities, healthcare and public health, government facilities, and critical manufacturing.
  • “CISA encourages network defenders to review the updated advisory and apply the recommended mitigations. See #StopRansomware for additional guidance on ransomware protection, detection, and response. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.”

• Per Bleeping Computer,
  • ‘​On Tuesday (August 6], IT and phone systems at McLaren Health Care hospitals were disrupted following an attack linked to the INC Ransom ransomware operation.
  • “McLaren is a non-profit healthcare system with annual revenues of over $6.5 billion, which operates a network of 13 hospitals across Michigan supported by a team of 640 physicians. It also has over 28,000 employees and works with 113,000 network providers throughout Michigan, Indiana, and Ohio.
  • “While McLaren Health Care continues to investigate a disruption to our information technology system, we want to ensure our teams are as prepared as possible to care for patients when they arrive,” a statement on the health system’s website reads.”

From the cybersecurity defenses front,

• TechTarget identifies
  • Five key capabilities for effective cyber-risk management,
• and explains how
  • DSPM technologies have help organizations take a proactive approach to monitoring data stores continuously, and in the case of a breach, assess the magnitude quickly and accurately.

• Dark Reading writes about how
  • “Enterprises are implementing Microsoft’s Copilot AI-based chatbots at a rapid pace, hoping to transform how employees gather data and organize their time and work. But at the same time, Copilot is also an ideal tool for threat actors.
  • “Security researcher Michael Bargury, a former senior security architect in Microsoft’s Azure Security CTO office and now co-founder and chief technology officer of Zenity, says attackers can use Copilot to search for data, exfiltrate it without producing logs, and socially engineer victims to phishing sites even if they don’t open emails or click on links.
  • The article explains how to avoid such attacks.

From the CrowdStrike front,

• Dark Reading explains why the CrowdStrike outage should be a wakeup call for cybersecurity experts. “The incident serves as a stark reminder of the fragility of our digital infrastructure. By adopting a diversified, resilient approach to cybersecurity, we can mitigate the risks and build a more secure digital future.”

• Cybersecurity Dive reports,
  • “After CrowdStrike outage, what will become of automatic IT updates? Blind enterprise trust in software updates is the latest symptom of a race toward IT automation.” FEHBlog observation: Good question.
• and
  • Federal officials said the global IT outage stemming from a faulty CrowdStrike software update is raising prior concerns about the security of the software supply chain. 
  • The U.S. Government Accountability Office released a report Tuesday [July 30] noting the July 19 outage, which led to the disruption of 8.5 million Microsoft Windows systems. The CrowdStrike incident resurrected concerns raised during the state-linked supply chain attack against SolarWinds in 2020, according to the GAO. 
  • The CrowdStrike incident highlights specific warnings about memory safety issues in software development, the White House said on Thursday. The remarks build on a February report that raised questions about the link between memory safety issues and software vulnerabilities. 
• and
  • “The global IT outage stemming from a faulty CrowdStrike software update will lead to cyber insurance losses primarily driven by business interruption claims, Moody’s Ratings said in a report released Monday. 
  • “Businesses are expected to make claims under “systems failure” provisions, coverage that is becoming standard for cyber insurance policies, because the incident was not considered a malicious attack. Moody’s said insured organizations will link claims to direct business losses as well as contingent losses of third-party vendors. 
  • “The outage is likely to spur larger reviews of underwriting, with a focus on systems failure, according to Moody’s. The outage has already raised concerns about the risk of single points of failure, as lone organizations with a vast footprint can bring down operations across so many critical industries.”

From the cybersecurity policy front,

• Cyberscoop lets us know,
  • “Cybersecurity legislation aimed at unscrambling regulations, strengthening health system protections and bolstering the federal workforce sailed through a key Senate committee Wednesday [July 31], moving the trio of bipartisan bills to future consideration before the full chamber.
  • “The Senate Homeland Security and Governmental Affairs Committee voted first on the Streamlining Federal Cybersecurity Regulations Act, a bill co-sponsored by committee Chair Gary Peters, D-Mich., and Sen. James Lankford, R-Okla., that seeks to streamline the country’s patchwork of federal cyber rules. 
  • “The bill would harmonize federal cyber requirements for the private sector, which has long been critical about conflicting rules imposed by agencies. A committee made up of the national cyber director, the chief of the Office of Management and Budget’s Office of Information and Regulatory Affairs, the heads of each federal regulatory agency and other government leaders as determined by the chair would be charged with identifying cyber regulations deemed “overly burdensome, inconsistent, or contradictory” and recommending updates accordingly.
  • “Also moving forward Wednesday was the Healthcare Cybersecurity Act from Sens. Jacky Rosen, D-Nev., Todd Young, R-Ind., and Angus King, I-Maine. The legislation, which came in the aftermath of the February ransomware attack on the payment processor Change Healthcare, calls on the Cybersecurity and Infrastructure Security Agency to collaborate with the Department of Health and Human Services on cyber defenses, providing resources to non-federal entities connected to threat indicators.” * * *
  • “The final cyber bill headed to the full Senate is the Federal Cyber Workforce Training Act, which tasks the national cyber director with coming up with a plan to create a centralized resource and training center for federal cybersecurity workforce development.” 

• Fedscoop tells us,
  • “Lisa Einstein, the Cybersecurity and Infrastructure Security Agency’s senior adviser for artificial intelligence, has been tapped to serve as the agency’s first chief AI officer.
  • “A Stanford and Princeton graduate who joined CISA in 2022 as executive director of its Cybersecurity Advisory Committee, Einstein will assume the CAIO role at a time when the agency is attempting to leverage the technology to advance cyber defenses and more effectively support critical infrastructure owners and operators.
  • “I care deeply about CISA’s mission — if we succeed, the critical systems that Americans rely on every day will become safer, more reliable, and more capable. AI tools could accelerate our progress,” Einstein said in a statement. “But we will only reap their benefits and avoid harms from their misapplication or abuse if we all work together to prioritize safety, security, and trustworthiness in the development and deployment of AI tools.” 
• and
  • “The White House issued final FedRAMP modernization guidance Friday [July 26, 2024] as a response to cloud market changes and agency needs for more diverse mission delivery.
  • “The final guidance, previewed by FedScoop before its official release, aims to reform the cloud security authorization program by increasing focus on several strategic goals, such as enabling FedRAMP to conduct “rigorous reviews” and requiring cloud service providers (CSPs) to quickly mitigate any security architecture weaknesses to protect federal agencies from the most “salient threats.” The Office of Management and Budget began accepting public comments on a draft version of the guidance last fall.
  • “The memo places particular emphasis on a program to establish an automated process for intaking, using and reusing security assessments and reviews to reduce the burden on participants and speed up the implementation process for cloud solutions.” 

• The National Institute of Standards and Technology published on July 30, 2024,
  • “NIST Special Publication (SP) 800-231, Bugs Framework (BF): Formalizing Cybersecurity Weaknesses and Vulnerabilities, is now available. It presents an overview of the Bugs Framework (BF) systematic approach and methodologies for the classification of bugs and faults per orthogonal by operation software and hardware execution phases, formal specification of weaknesses and vulnerabilities, definition of secure coding principles, generation of comprehensively labeled weakness and vulnerability datasets and vulnerability classifications, and development of BF-based algorithms and systems.” * * *
  • Visit the Bugs Framework site at https://usnistgov.github.io/BF/.
• and announced on August 1, 2024,
  • “The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) Information Technology Laboratory (ITL) are excited to announce the return of the “Safeguarding Health Information: Building Assurance through HIPAA Security” conference for October 2024. After a 5-year absence, the conference is now returning to Washington, D.C. at the HHS Headquarters.
  • “The conference will explore the current healthcare cybersecurity landscape and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. This event will highlight the present state of healthcare cybersecurity, and practical strategies, tips, and techniques for implementing the HIPAA Security Rule. * * *
  • “Virtual registration for the event is now open and costs $50 per person. 
  • “Please visit the event web page for more details and to register for virtual attendance to the conference.

From the cybersecurity vulnerabilities and breaches front,

• Cybersecurity Dive points out,
  • “Data breaches are painfully expensive and the cost for impacted businesses has grown every year since 2020. The global average cost of a data breach is nearly $4.9 million this year, up nearly 10% from almost $4.5 million in 2023, IBM said Tuesday in its annual Cost of a Data Breach report.
  • “U.S. organizations led the world with the highest average data breach cost of almost $9.4 million, a dubious distinction it has earned for the 14th straight year. Businesses in the Middle East, the Benelux countries, Germany and Italy rounded out the top five.
  • “Healthcare was far and away the costliest industry for data breaches — as it’s been since 2011 — with an average breach cost of almost $9.8 million, the report found. That’s a decrease from last year’s $10.9 million for the sector.”  

• Security Weeks notes,
  • “HealthEquity is notifying 4.3 million individuals that their personal and health information was compromised in a data breach at a third-party vendor.
  • “The incident, the company said in a regulatory filing with the Maine Attorney General’s Office, was identified on March 25 and required an “extensive technical investigation”.
  • “Through this work, we discovered some unauthorized access to and potential disclosure of protected health information and/or personally identifiable information stored in an unstructured data repository outside our core systems,” HealthEquity said.
  • “According to the company, the data was exposed after attackers compromised a vendor’s user accounts that had access to the online repository, gaining access to the information stored there.”

• Per Cybersecurity Dive,
  • “Microsoft said a DDoS attack led to an eight-hour outage Tuesday [July 30] involving its Azure portal, as well as some Microsoft 365 and Microsoft Purview services. 
  • “Microsoft said an unexpected spike in usage led to intermittent errors, spikes and timeouts in Azure Front Door and Azure Content Delivery Network. An initial investigation showed an error in the company’s security response may have compounded the impact of the outage. 
  • “Microsoft said it will have a preliminary review of the incident in 72 hours and a final review within two weeks, to see what went wrong and how to better respond.”

• CISA added the following known exploited vulnerabilities to its catalog this week.
  • “July 29, 2024
    • CVE-2024-4879 ServiceNow Improper Input Validation Vulnerability
    • CVE-2024-5217 ServiceNow Incomplete List of Disallowed Inputs Vulnerability
    • CVE-2023-45249 Acronis Cyber Infrastructure (ACI) Insecure Default Password Vulnerability
  • “July 30, 2024
    • CVE-2024-37085 VMware ESXi Authentication Bypass Vulnerability”

From the ransomware front,

• Cybersecurity Dive relates,
  • “Nearly one-third of companies that suffered a ransomware attack paid a ransom four or more times in the past 12 months to regain access to their systems, according to the 2024 Ransomware Risk Report released Tuesday by Semperis, a cybersecurity software company.
  • “This decision to pay multiple times involved 32% of attacked companies in France, Germany, the U.K. and U.S. across multiple industries, according to the survey of 900 IT and security executives.  
  • “Nearly half of the German companies queried paid four or more ransom payments, compared to one-fifth of companies in the U.S.
  • “More than a third of companies that paid the extortion demand either did not receive the decryption keys from attackers or were given corrupted keys, according to the report.”

• Per TechTarget,
  • “Blood donation nonprofit OneBlood is actively responding to a ransomware attack that is affecting its ability to operate and provide blood to hospitals at its typical volume. According to a notice posted on OneBlood’s website on July 31, 2024, the company is operating at a “significantly reduced capacity, which impacts inventory availability.”
  • “OneBlood provides blood to more than 250 hospitals in Alabama, Florida, North Carolina, South Carolina and Georgia.
  • “OneBlood is continuing to collect, test and distribute blood to hospitals at a reduced capacity. Due to these limitations, OneBlood urged eligible donors to donate blood immediately, with an urgent request for O positive, O negative and platelet donations.”

• Dark Reading notes,
  • “A Fortune 50 company paid $75 million to its cyberattackers earlier this year, greatly exceeding any other confirmed ransom payment in history. The beneficiary of the payout is an outfit called Dark Angels. And Dark Angels isn’t just effective — in some ways, the gang turns so much of what we thought we knew about ransomware on its head.
  • “Sure, there have been other big amounts forked over in the past: In 2021, Illinois-based CNA Financial was reported to have paid a then unprecedented $40 million ransom in order to restore its systems after a ransomware attack (the company never confirmed that figure). Later that year, the meat manufacturer JBS admitted to paying $11 million to end a disruption affecting its factories. Caesars Palace last year paid $15 million to make its ransomware disruption problems go away.
  • “But those figures pale in comparison against the $75 million in equivalent Bitcoin paid by the aforementioned large organization, which Zscaler chose to keep anonymous in its 2024 annual ransomware report, where the payout was first recorded. The dollar amount has also been corroborated by Chainalysis.”
• and considers whether making ransom payments illegal would result in fewer attacks?
  • “Frustration is understandable as ransomware attacks continue around the globe, but simply denying victim organizations the option of paying the ransom is neither realistic nor practical. There will always be exceptions to the law, and unanticipated repercussions could make the cure worse than the disease. Instead, an effective response will require organizations to take greater responsibility for cybersecurity and government agencies to engage in good old-fashioned police work. This strategy may not be as straightforward as a ban on ransom payments, but the war against ransomware is winnable through a comprehensive, nuanced approach.

• Security Week alerted us on July 29, 2024,
  • “Less than a week after VMware shipped patches for a critical vulnerability in ESXi hypervisors, Microsoft’s threat intel team says the flaw is being exploited by ransomware groups to gain full administrative access on domain-joined systems. 
  • “The flaw, tagged as CVE-2024-37085 with a CVSS severity score of 6.8, has already been abused by multiple known ransomware groups to deploy data-extortion malware on enterprise networks, according to a new warning from Redmond’s threat hunting teams.
  • “Strangely, Broadcom-owned VMware did not mention in-the-wild exploitation when it released patches and workarounds last week alongside warnings that it could be used by hackers to gain unauthorized access and control over ESXi hosts.”

From the cybersecurity defenses front,

• An ISACA expert discusses “Navigating the Modern CISO Landscape: Practical Strategies for Cybersecurity Success.”

• Dark Reading explains how to implement identity continuity with the NIST Cybersecurity Framework. “Having a robust identity continuity plan is not just beneficial but essential for avoiding financially costly and potentially brand-damaging outages.”

• McKinsey & Co. delves into “Generative AI in healthcare: Adoption trends and what’s next.”