Cybersecurity Saturday
From the cybersecurity policy front –
- The Wall Street Journal reports,
- “[On July 9, 2024,] Australia, the U.S. and six other allies warned that a Chinese state-sponsored hacking group poses a threat to their networks, in an unusual, coordinated move by Western governments to call out a global hacking operation they say is directed by Beijing’s intelligence services.
- “Tuesday’s advisory was a rare instance of Washington’s major allies in the Pacific and elsewhere joining to sound the alarm on China’s cyber activity. Australia led and published the advisory. It was joined by the U.S., U.K., Canada and New Zealand, which along with Australia are part of an intelligence-sharing group of countries known as the Five Eyes. Germany, Japan and South Korea also signed on.” * * *
- “The technical advisory detailed a group known in cybersecurity circles as Advanced Persistent Threat 40, or APT40, which conducts cybersecurity operations for China’s Ministry of State Security and has been based in the southern island province of Hainan. The advisory detailed how the group targeted two networks in 2022—though it didn’t identify the organizations—and said the threat is continuing.”
- Federal News Network informs us,
- “A top Department of Homeland Security official says DHS is working to harmonize new cyber incident reporting rules, as industry and even some lawmakers criticize the draft rule’s scope and potential duplicative requirements.
- “The comment period for the Cybersecurity and Infrastructure Security Agency’s draft rule closed July 3. The proposal would implement the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022. CISA expects to finalize the rule next spring. The rules will require organizations across the 16 critical infrastructure sectors to report cyber incidents to CISA within 72 hours.
- “Iranga Kahangama, DHS assistant secretary for cyber, infrastructure, risk, and resilience, said officials are just starting to adjudicate all the feedback it received. But Kahangama acknowledged widespread comments from industry about the “burden” of duplicative cyber incident rules.
- “We are going to be viewing and administering CIRCIA with an eye towards harmonization,” Kahangama said during a July 10 event in Washington hosted by the Homeland Security Defense Forum. “We’re also establishing conversations between the department and all the other agencies that have cyber reporting requirements to identify ways that we can harmonize reporting.”
- “He pointed to interagency agreements that “allow for reciprocal sharing of information such that … a report to one will count as a report to another and vice versa through CISA.”
- “We want to make sure we’re maximizing the ability to do that,” Kahangama said. “That’s quite complicated, because each agency has different requirements. And so, you need to make sure that they’re substantially similar enough and that those are fleshed out. But those are really wonky but interesting conversations that my office is actively having right now as we develop CIRCIA.”
- The FEHBlog finds it interesting that recent cyberbreach news articles rely on Securities and Exchange Commission 8-K reports from public companies.
- Cyberscoop summarizes a variety of criticisms levelled against the CIRCIA proposed rule in the public comments.
- Cyberscoop adds,
- “New legislation from a bipartisan pair of senators would create an interagency committee tasked with streamlining the country’s patchwork system of cybersecurity regulations if signed into law.
- “The Streamlining Federal Cybersecurity Regulations Act [S. 4630] from Sens. Gary Peters, D-Mich., and James Lankford, R-Okla., calls on the White House’s national cyber director to create a committee that would harmonize the myriad cyber requirements imposed on companies by federal regulatory agencies, according to bill text shared with CyberScoop.
- “The introduction of the bill comes a month after a Senate hearing in which Nicholas Leiserson, the assistant national cyber director for cyber policy and programs, warned lawmakers of increasing “fragmentation” of cybersecurity regulations. “It is a problem that requires leadership from ONCD and Congress informed by the private sector,” he said.”
- Cybersecurity Dive tells us,
- “The Cybersecurity and Infrastructure Security Agency and FBI advised software vendors to eliminate operating system command injection vulnerabilities from products before they ship. The agencies issued the advisory Wednesday [July 10, 2024] as part of their secure-by-design alert series.
- “Threat groups have exploited several OS command injection vulnerabilities in widely used network devices this year, including CVE-2024-20399 in Cisco products, CVE-2024-21887 in Ivanti remote access VPNs and CVE-2024-3400 in Palo Alto Networks firewalls.
- “OS command injection vulnerabilities arise when manufacturers fail to properly validate and sanitize user input when constructing commands to execute on the underlying OS,” CISA and the FBI said in the advisory.”
- Per the HeathIT.gov website,
- “ONC’s HTI-2 proposed rule [released July 10] implements provisions of the 21st Century Cures Act and reflects ONC’s focused efforts to advance interoperability and improve information sharing among patients, providers, payers, and public health authorities.
- “Key proposals include:
- “Two sets of new certification criteria, designed to enable health IT for public health as well as health IT for payers to be certified under the ONC Health IT Certification Program. Both sets of certification criteria focus heavily on standards-based application programming interfaces to improve end-to-end interoperability between data exchange partners (health care providers to public health and to payers, respectively).
- “Technology and standards updates that build on the HTI-1 final rule, ranging from the capability to exchange clinical images (e.g., X-rays) to the addition of multi-factor authentication support.
- “Requiring the adoption of United States Core Data for Interoperability (USCDI) version 4 by January 1, 2028.
- “Adjustments to certain “exceptions” to the information blocking regulations to cover additional practices that have recently been identified by the regulated community, including a new “Protecting Care Access” exception, which would cover practices an actor takes in certain circumstances to reduce its risk of legal exposure stemming from sharing information.
- “Establishing certain Trusted Exchange Framework and Common AgreementTM (TEFCATM) governance rules, which include requirements that implement section 4003 of the 21st Century Cures Act.”
- The public comment deadline will end in early September, depending on the date of the proposed rule’s publication in the Federal Register.
From the cybersecurity vulnerabilities and breaches front,
- Cybersecurity Dive lets us know,
- “A cyberattack targeting AT&T’s Snowflake environment compromised data on nearly all of the telecom provider’s wireless customers, the company said in a Friday filing with the Securities and Exchange Commission. Nearly 110 million customers are impacted, according to AT&T’s annual report for the period of compromised data.
- “Data stolen during the intrusion includes records of AT&T customers’ calls and text messages spanning a six-month period ending Oct. 31, 2022, and records from Jan. 2, 2023, the company said in the SEC filing.
- “The attack did not expose the content of calls or text messages, customer names or personally identifiable information, according to AT&T. Yet, the stolen records include the phone numbers AT&T wireless customers interacted with, counts of those interactions and aggregate call duration for a day or month.”
- Dark Reading adds,
- “Nearly all” of AT&T’s wireless customers are affected, the company admitted, as well as customers of mobile virtual network operators (MVNOs) using AT&T’s network. According to public resources, those MVNOs likely include popular wireless service providers like Boost Mobile, Cricket Wireless, H2O, and Straight Talk Wireless.” * * *
- “Earlier this year, data belonging to more than 70 million AT&T customers leaked to the Dark Web. The trove included all the hallmark personally identifying information (PII) types, like Social Security numbers, mailing addresses, and dates of birth.
- “This time, none of the stolen data has as yet been observed on the public web, and customers’ most sensitive PII has remained untouched. [FEHBlog note the theft occurred in April — the public notice was delayed with Justice Department approval.]
- Still, AT&T warned, “There are often ways, using publicly available online tools, to find the name associated with a specific telephone number.”
- Cyberscoop notes that Snowflake “announced on Thursday that administrators can now enforce mandatory multi-factor authentication for Snowflake users.”
- On a related note, Help Net Security discloses,
- “On July 1, Twilio – the company that develops the Authy MFA mobile app – shared with the public that attackers have leveraged one of its unauthenticated API endpoints to compile a list of phone numbers and other data belonging to Authy users.
- “Company systems were not breached, Twilio said, and Authy accounts have not been compromised, but the company warned that “threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks.”
- “The list, which apparently holds data of 33 million Authy users, has been offered for sale by ShinyHunters, a threat actor that specializes in breaching companies and stealing their customers data, then holding it for ransom and/or selling it to the highest bidder on forums and markets frequented by cybercriminals.”
- Cybersecurity Dive calls attention to a recent survey,
- “Almost 60% of organizations can’t track what happens to their information once it goes out in an email or through another communication channel, a survey by data security company Kiteworks finds.
- “That’s a risk management problem because data breaches are correlated with how information leaves an organization.
- “The more communication tools an organization uses — email, file sharing, managed file transfer, secure file transfer protocol, web forms, among others — the higher the risk of information ending up where it wasn’t intended, the survey finds.
- “Respondents with over seven communication tools experienced 10-plus data breaches — 3.55x higher than the aggregate,” the survey report says. “
- On July 9, 2024 —
- “CISA added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
- “CVE-2024-23692 Rejetto HTTP File Server Improper Neutralization of Special Elements Used in a Template Engine Vulnerability
- “CVE-2024-38080 Microsoft Windows Hyper-V Privilege Escalation Vulnerability”
- “CVE-2024-38112 Microsoft Windows MSHTML Platform Spoofing Vulnerability”
- Health IT Security pointed out recent breaches involving healthcare entities.
- HHS’s Health Sector Cybersecurity Coordination Center (HC3) posted its bulletin on June 2024 vulnerabilities of interest to the health sector.
- “CISA added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
- Health IT Security alerts us,
- “Change Healthcare published a substitute data breach notice on its website [earlier this week] to inform affected individuals of the breach that resulted from the February 2024 cyberattack against the company. Change has publicly stated that the cyberattack involved the data of approximately one-third of Americans.
- “Change Healthcare said that it would begin mailing written letters to affected individuals on June 20, once it completed its data review. Additional customers may be identified as impacted as the review continues.
- “The company provided a brief timeline of events in its substitute notice, which was published on its website. Although the cyberattack began on February 21, it was not until March 13 that Change was able to obtain a dataset of exfiltrated files that was safe to investigate. * * *
- “Any individual who believes that their information has been impacted by the data breach can enroll in two years of complimentary credit monitoring and identity theft protection services. Ahead of the breach notice, state attorneys general encouraged consumers to take advantage of these free resources.”
From the ransomware front,
- Cyberscoop reports,
- “The ransomware group linked to a June cyberattack against auto industry software provider CDK Global received a payment of more than $25 million two days after the attack that hobbled software used by roughly 15,000 car dealerships in the U.S. became public, researchers told CyberScoop.
- “A cryptocurrency wallet likely controlled by BlackSuit — the ransomware group believed to be responsible for the attack — received approximately 387 bitcoins on June 21, worth roughly $25 million, researchers with blockchain intelligence firm TRM Labs told CyberScoop.
- “The evidence uncovered by TRM Labs is firmest evidence yet to indicate that CDK Global paid a ransom in order to resolve the attack on its systems, though TRM’s findings do not conclusively prove that the payment came from CDK.”
- SC Media and Bleeping Computer discuss RansomHub attacks on the Florida Department of Health and the Rite Aid pharmacy chain.
- Dark Reading reports,
- “Akira ransomware actors are now capable of squirreling away data from victims in just over two hours, marking a significant shift in the average time it takes for a cybercriminal to move from initial access to information exfiltration.
- “That’s the word from the BlackBerry Threat Research and Intelligence Team, which today released a breakdown of a June Akira ransomware attack on a Latin American airline. According to BlackBerry’s anatomy of the attack, the threat actor, using Secure Shell (SSH) protocol, gained initial access via an unpatched Veeam backup server, and immediately set about heisting information before deploying the Akira ransomware the next day.
- “The likely culprit is Storm-1567 (aka Punk Spider and Gold Sahara), a prolific user of the Akira ransomware-as-a-service (RaaS) platform and the group that maintains the Akira leak site, according to the report. The gang is known for using double-extortion tactics and has attacked more than 250 organizations across numerous industry verticals globally since emerging from the shadows in March 2023. It mainly sets its sites on Windows systems, but has developed Linux/VMware ESXi variants as well, and has consistently shown a high level of technical prowess.”
- The Register (UK) tells us,
- “As ransomware crews increasingly shift beyond just encrypting victims’ files and demanding a payment to unlock them, instead swiping sensitive info straight away, some of the more mature crime organizations are developing custom malware for their data theft.
- “In a report published on Wednesday by Cisco Talos, the threat intelligence unit reviewed the top 14 ransomware groups and analyzed their tactics, techniques and procedures (TTPs). Talos selected the 14 based on volume and impact of attacks and “atypical threat actor behavior,” using data from the criminals’ leak sites, internal tracking, and other open-source reporting.
- “The 14, listed here by number of victims on their respective shaming sites, are the ones you’d likely expect: LockBit, ALPHV, Play, 8base, BlackBasta, BianLian, CLOP, Cactus, Medusa, Royal/Blacksuit, Rhysida, Hunters International, Akira, and Trigona.
- “Over the past year, we have witnessed major shifts in the ransomware space with the emergence of multiple new ransomware groups, each exhibiting unique goals, operational structures and victimology,” the report’s authors note.”
From the cybersecurity defenses front,
- Cybersecurity Dive discusses “What does your CEO need to know about cybersecurity? CEOs don’t necessarily have to become experts in the technical aspects of cybersecurity to be prepared in case of an attack or — hopefully — stop one before it starts.”
- Per a July 11, 2024, CISA press release,
- “CISA released CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth in coordination with the assessed organization. This Cybersecurity Advisory (CSA) details key findings and lessons learned from a 2023 assessment, along with the red team’s tactics, techniques, and procedures (TTPs) and associated network defense activity.
- “The CSA also provides recommendations to assist executives, leaders, and network defenders in all organizations with refining their cybersecurity, detection, response, and hunt capabilities.
- “CISA encourages all organizations review the advisory and apply the recommendations and mitigations within, including applying defense-in-depth principles, using robust network segmentation, and establishing baselines of network traffic, application execution, and account authentication.”