Cybersecurity Saturday

From the cybersecurity retrospection and predictions front as we approach New Year’s Day,

  • CSO lists the “top 7 zero-day exploitation trends of 2024,” and “IT leaders’ top 9 takeaways from 2024.”
  • Dark Reading points out “Emerging Threats & Vulnerabilities to Prepare for in 2025. From zero-day exploits to 5G network vulnerabilities, these are the threats that are expected to persist over the next 12 months.”
  • Federal News Network offers a “2024 review: ‘Typhoons’ bookend [the Change Healthcare breach in a] busy year in cyber. From Volt Typhoon to Salt Typhoon, major cyber incidents in 2024 shined a spotlight on how agencies are managing cyber threats to critical infrastructure.”
  • Healthcare Dive recounts “seven of the biggest healthcare cyberattack and breach stories of 2024. Cyberattacks targeting the healthcare industry continued to rise this year. Here are some of the largest incidents, from Change Healthcare to Ascension.”

From the cybersecurity policy front,

  • Yesterday the Health and Human Services Department’s Office for Civil Rights announced its proposed amendments to the HIPAA Security Rule, which is intended to protect electronic personal health information. The public comment deadline is March 7, 2025, sixty days from January 6, 2025, the date the proposed rule will be published in the Federal Register.
  • Here is a link to the OCR’s fact sheet for the proposed rule. The HIPAA Security Rule dates back to 2003, and its hallmark was flexibility in implementation. To that end, the HIPAA Security Rule set forth required standards and addressable standards. Because a lot has changed since 2003, I expected standard changes, but I did not expect OCR to do away with the required / addressable standard distinction in favor of exceptions. Like many other regulations issued by the current administration, the proposed amendments are loaded with new paperwork and oversight requirements. Hopefully the next administration will pull back the proposed rule so that the changes focus on requiring tools that are known to work, e.g., multifactor authentication, encryption, adequate backups.
  • Cybersecurity Dive lets us know,
    • “Lax security controls played a significant role in allowing a China-government sponsored threat group to gain broad and full access to U.S. telecom networks, a senior White House official said Friday.
    • “From what we’re seeing regarding the level of cybersecurity implemented across the telecom sectors, those networks are not as defensible as they need to be to defend against a well-resourced, capable, offensive cyber actor like China,” Anne Neuberger, deputy national security advisor for cyber and emerging technology, said during a Friday media briefing.
    • “Neuberger’s remarks came as the White House confirmed a ninth telecom company was among those compromised by Salt Typhoon’s widespread intrusion of U.S. telecom networks. The unnamed company recently determined it was impacted after reviewing threat hunting and hardening guidance provided by the U.S. government, Neuberger said.
    • “Earlier this month, U.S. officials said at least 8 U.S. telecom providers or infrastructure companies were compromised in a campaign that went undetected for months and has been underway for up to two years.”
  • Per Federal News Network,
    • “The DoD’s big cybersecurity program advanced earlier this month. It’s a big rule to carry out if it becomes effective. For what the rule means and what comes next in the Cybersecurity Maturity Model Certification Program, Deltek cybersecurity researcher Michael Greenman joined the Federal Drive with Tom Temin for details.”
    • The article offers a transcript of this interview.

From the cybersecurity breaches, ransomware, and vulnerabilities front,

  • The Cybersecurity and Infrastructure Security Agency (CISA) added one known exploited vulnerability to its catalog this week.
  • Here is a link to a Security Affairs explanation of the vulnerability.
  • Bleeping Computer pointed out on December 24,
    • The Clop ransomware gang started to extort victims of its Cleo data theft attacks and announced on its dark web portal that 66 companies have 48 hours to respond to the demands.
    • The cybercriminals announced that they are contacting those companies directly to provide links to a secure chat channel for conducting ransom payment negotiations. They also provided email addresses where victims can reach out themselves.
    • In the notification on their leak site, Clop lists 66 partial names of companies that did not engage the hackers for negotiations. If these companies continue to ignore, Clop threatens to disclose their full name in 48 hours.
    • The hackers note that the list represents only victims that have been contacted but did not respond to the message, suggesting that the list of affected companies may be larger.
    • “The Cleo data theft attack represents another major success for Clop, who leveraged a zero-day vulnerability in Cleo LexiCom, VLTransfer, and Harmony products to steal data from the networks of breached companies.” * * *
    • “The zero-day flaw exploited this time is now tracked as CVE-2024-50623 and it allows a remote attacker to perform unrestricted file uploads and downloads, leading to remote code execution.
    • “A fix is available for Cleo Harmony, VLTrader, and LexiCom version 5.8.0.21 and the vendor warned in a private advisory that hackers were exploiting it to open reverse shells on compromised networks.”
  • and
    • “The North Korean hacker group ‘TraderTraitor’ stole $308 million worth of cryptocurrency in the attack on the Japanese exchange DMM Bitcoin in May.
    • “In a short post, the FBI attributed the attack to the state-affiliated threat actor TraderTraitor, also tracked as Jade Sleet, UNC4899, and Slow Pisces.
    • “The crypto heist occurred in May 2024 and forced the platform to restrict account registration, cryptocurrency withdrawals, and trading until the completion of the investigations.”

From the cybersecurity defenses front,

  • Nextgov/FCW alerts us that “Government and private sector organizations have begun to recognize that physical and virtual assets must be protected from cyber threats in the same way as IT.”
  • Dark Reading discusses “Defining & Defying Cybersecurity Staff Burnout. Sometimes it feels like burnout is an inevitable part of working in cybersecurity. But a little bit of knowledge can help you and your staff stay healthy.”
  • Here is a link to Dark Reading’s CISO Corner, which was updated this week.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • The Wall Street Journal reports,
    • “Congress might pull in opposite directions on cybersecurity in its new two-year term, while President-elect Donald Trump’s position on key cyber topics remains a wild card.
    • “The agenda is packed: Corporate executives want regulatory harmonization, policymakers realize that key critical infrastructure sectors like healthcare need more support and oversight, and artificial intelligence continues to intrigue lawmakers.
    • “Despite partisan tensions over everything from taxes to immigration, cybersecurity is likely to remain an issue that brings Democrats and Republicans together on national security grounds. Still, Republicans are expected to go after regulation they see as burdensome, in particular the Securities and Exchange Commission’s incident-reporting rule.
    • “It’s important now more than ever that policymakers ensure advancing common-sense and bipartisan cybersecurity policy is a top priority for the 119th Congress,” said John Miller, senior vice president of policy, trust, data and technology at the Information Technology Industry Council, a trade group.”
  • NextGov/FCW discusses the Defense Department related cybersecurity and other provisions found in the Fiscal Year 2025 National Defense Authorization Act which Congress passed this week.
  • Security Affairs lets us know,
    • “According to the WSJ, the U.S. government is considering banning TP-Link routers starting in 2025.
    • “TP-Link holds 65% of the U.S. market and is the top choice on Amazon, powering internet communications for the Defense Department.
    • “In August, two U.S. lawmakers urged the Biden administration to investigate TP-Link over concerns its devices could be used in cyberattacks.
    • “The Commerce, Defense and Justice departments have opened separate probes into the company, with authorities targeting a ban on the sale of TP-Link routers in the U.S. as early as next year, the report said,” reported Reuters. “An office of the Commerce Department has even subpoenaed the company while the Defense Department launched its investigation into Chinese-manufactured routers earlier this year, the newspaper reported, citing people familiar with the matter.” * * *
    • “[A] spokesperson for TP-Link’s U.S. subsidiary told the WSJ that the company welcomes any opportunities to engage with the U.S. government to demonstrate that its security practices align with industry standards and to show its ongoing commitment to the U.S. market, consumers, and addressing national security risks.”
  • The Office of Management and Budget’s Office of Information and Regulatory Affairs concluded its review of the HHS’s Office for Civil Rights proposed amendments to the HIPAA Security Rule on December 18.
  • The next step is publication of the proposed rule in the Federal Register.
  • Last Monday, the Cybersecurity and Infrastructure Security Agency released its “2024 Year in Review Highlights CISA’s Achievements in Reducing Risk and Building Resilience in Cybersecurity and Critical Infrastructure Security.”
  • Cyberscoop adds,
    • “Federal civilian agencies have a new list of cyber-related requirements to address after the Cybersecurity and Infrastructure Security Agency on Tuesday issued guidance regarding the implementation of secure practices for cloud services.
    • “CISA’s Binding Operational Directive (BOD) 25-01 instructs agencies to identify all of its cloud instances and implement assessment tools, while also making sure that their cloud environments are aligned with the cyber agency’s Secure Cloud Business Applications (SCuBA) configuration baselines.
    • “CISA Director Jen Easterly said in a statement that the actions laid out in the directive are “an important step” toward reducing risk across the federal civilian enterprise, though threats loom in “every sector.”
    • “Malicious threat actors are increasingly targeting cloud environments and evolving their tactics to gain initial cloud access,” Easterly said. “We urge all organizations to adopt this guidance. When it comes to reducing cyber risk and ensuring resilience, we all have a role to play.”
  • and
    • “The Cybersecurity and Infrastructure Security Agency unveiled a detailed set of guidelines Wednesday to safeguard the mobile communications of high-value government targets in the wake of the ongoing Salt Typhoon telecom breach.
    • “The guide aims to help both political and federal leadership harden their communications and avoid any data interception by the Chinese-linked espionage group. As of earlier this month, government agencies were still grappling with the attack’s full scope, federal officials told reporters. Among the targets were officials from both presidential campaigns, including the phone of President-elect Donald Trump.
    • “The advisory details several key practices intended to mitigate risks associated with cyber threats and raise awareness on techniques that can thwart any type of malicious actor.
    • “I want to be clear that there’s no single solution that will eliminate all risks, but implementing these best practices will significantly enhance the protection of your communication,” said Jeff Greene, CISA’s executive assistant director for cybersecurity. “We urge everyone, but in particular those highly targeted individuals, to review our guidance and apply those that suit their needs.”
    • “Even with the guidance’s focus on high-value targets, the advice is good for anyone that wants to take actions to secure their mobile devices. One of the primary recommendations includes the exclusive use of end-to-end encrypted messaging applications for secure communication. CISA suggests adopting apps like Signal, which provide robust encryption for both Android and iPhone platforms, preventing unauthorized interception of messages.”
  • The American Hospital Association News tells us,
    • The Cybersecurity and Infrastructure Security Agency is seeking comments on its draft National Cyber Incident Response Plan Update. The plan describes how the federal government, private sector, and state, local, tribal and territorial government entities will coordinate to manage, respond to and mitigate the consequences of high-profile cyberattacks. The update addresses changes in the cyberthreat and operations landscape by incorporating feedback and lessons learned from stakeholders in previous incidents. Comments are being accepted in the Federal Register until Jan. 15.
  • Per a Justice Department press release,
    • “A superseding criminal complaint filed in the District of New Jersey was unsealed today charging a dual Russian and Israeli national for being a developer of the LockBit ransomware group.
    • “In August, Rostislav Panev, 51, a dual Russian and Israeli national, was arrested in Israel pursuant to a U.S. provisional arrest request with a view towards extradition to the United States. Panev is currently in custody in Israel pending extradition on the charges in the superseding complaint.
    • “The Justice Department’s work going after the world’s most dangerous ransomware schemes includes not only dismantling networks, but also finding and bringing to justice the individuals responsible for building and running them,” said Attorney General Merrick B. Garland. “Three of the individuals who we allege are responsible for LockBit’s cyberattacks against thousands of victims are now in custody, and we will continue to work alongside our partners to hold accountable all those who lead and enable ransomware attacks.”

From the cyber vulnerabilities and breaches front,

  • SC Media relates,
    • “A Chinese-backed malware operation is building a botnet out of smart cameras and video boxes.
    • “The FBI said [on December 16] that a group identified as HiatusRAT has been seeding internet-of-things (IoT) devices with malware that allows for remote access and control. Targets include smart cameras and DVR boxes.
    • “In addition to gathering video footage or traffic data from the compromised hardware, attackers can use the edge-facing devices as a foothold to gain access into other hardware on the network and perform further attacks and data exfiltration.
    • “In this case, the FBI believes that the attackers are trying to compromise U.S. government agencies and the private contractors that work with them. It is believed that the threat actors are working on behalf of the Chinese government to infiltrate networks and gather data that would benefit Beijing.”
  • The American Hospital Association adds,
    • “This recent campaign appears to have targeted vulnerable Chinese-branded webcams and DVRs for specific, published vulnerabilities and default passwords set by the vendor,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “These devices are often used in security video monitoring systems. Several of these vulnerabilities impacting older, end-of-life devices have not been patched by the manufacturer and the FBI recommends replacing them with updated devices. The critical takeaway from this bulletin is that patch management programs must cover not only traditional computer systems, but also Internet of Things devices on your network.” 
  • On December 17, HHS’s Health Sector Cybersecurity Coordination Center issued an analyst note about credential harvesting.
  • Bleeping Computer lets us know,
    • “A new Microsoft 365 phishing-as-a-service platform called “FlowerStorm” is growing in popularity, filling the void left behind by the sudden shutdown of the Rockstar2FA cybercrime service.
    • “First documented by Trustwave in late November 2024, Rockstar2FA operated as a PhaaS platform facilitating large-scale adversary-in-the-middle (AiTM) attacks targeting Microsoft 365 credentials.
    • “The service offered advanced evasion mechanisms, a user-friendly panel, and numerous phishing options, selling cybercriminals access for $200/two weeks.
    • According to Sophos researchers Sean Gallagher and Mark Parsons, Rockstar2FA suffered from a partial infrastructure collapse on November 11, 2024, making many of the service’s pages unreachable.
    • Sophos says this does not appear to be the result of law enforcement action against the cybercrime platform but rather a technical failure.
    • A few weeks later, FlowerStorm, which first appeared online in June 2024, started quickly gaining traction.
  • CISA added eight known exploited vulnerabilities to its catalog this week.
  • Cybersecurity Dive adds,
    • “Attackers are actively exploiting a critical vulnerability in Apache Struts 2 just days after it was originally disclosed and patched, researchers warn.  
    • “The vulnerability, listed as CVE-2024-53677, involves a flaw in file upload logic, according to a bulletin from Apache. The vulnerability has a CVSS score of 9.5 out of 10, indicating the risk is considered critical.  
    • “An attacker can manipulate file upload parameters to enable path traversal. Apache urged users to upgrade to Struts 6.4.0 or greater and use the Action File Upload Interceptor. Security researchers warn the vulnerability can allow an attacker to conduct malicious actions.”
  • and
    • “Researchers have now traced exploitation of a critical vulnerability in Cleo file transfer software back to October, Mandiant Consulting CTO Charles Carmakal said in a LinkedIn post Wednesday. Mandiant’s discovery puts active exploitation at least a month earlier than previously observed by other researchers.
    • “Mandiant identifies the cluster actively exploiting the two vulnerabilities, CVE-2024-50623 and CVE-2024-55956, as UNC5936. Researchers say the cluster has overlaps with FIN11, also known as Clop, which claimed responsibility for the attacks earlier this month. 
    • “There is currently no evidence of mass data theft, which was observed in prior campaigns by the threat group, Carmakal said. However, malicious backdoors including Beacon and Goldtomb have been deployed on exploited systems.”
  • and
    • “An attacker gained access to a limited number of BeyondTrust customers’ instances of Remote Support SaaS, an access-management tool, the company said in a Dec. 8 blog post, which was updated Wednesday. The attacker compromised a Remote Support SaaS API key and reset passwords of multiple accounts.
    • “The cybersecurity vendor initially detected anomalous activity on one customer instance of Remote Support SaaS on Dec. 2, according to the updated blog. Three days later, the company determined multiple customers were impacted, suspended those instances and revoked the compromised API key.
    • “Our initial investigation has found that no BeyondTrust products outside of Remote Support SaaS are impacted,” the company said in the blog post.”

From the ransomware front,

  • Cybersecurity Dive points out,
    • “Data from nearly 5.6 million people was exposed due to a ransomware attack on nonprofit health system Ascension this spring, according to a report to federal regulators.
    • “The attack compromised personal information from some current and former Ascension patients, senior living residents and employees, the system said on Thursday [December 19]. Personal details, medical information, payment information, insurance details and government ID numbers, including Social Security numbers, could have been exposed.
    • “The breach is the third largest reported to the HHS’ Office for Civil Rights’ healthcare data breach portal this year, trailing only incidents at Change Healthcare and Kaiser Foundation Health Plan.” * * *
    • “In June, Ascension reported that cybercriminals gained access to its systems after a worker accidentally downloaded a malicious file, and that personally identifiable and protected health information may have been exposed.
    • “Now, the health system has completed its review of what data may have been compromised. Ascension is mailing letters to affected people, which should be delivered over the next two to three weeks, the health system said in an update Thursday [December 19].
    • “Though patient data was involved, Ascension said it found no evidence that data was stolen from EHR and other clinical systems, where full patient records are stored.” 
  • Statescoop lets us know,
    • Hackers are threatening as early as this week to release the personal information of potentially hundreds of thousands of Rhode Islanders connected with RIBridge, the state’s health and social services system that suffered a cyberattack on Dec. 5, Gov. Dan McKee and state officials told media over the weekend.
    • Brian Tardiff, Rhode Island’s chief digital officer, said that the cybercriminals behind the attack threatened to release the data they claim to have obtained in the Dec. 5 cyberattack unless they receive a ransom payment. Tardiff did not specify the ransom deadline, amount of money demanded or if the hackers identified themselves.
    • “Any individual who has received or applied for state health coverage or health and human services programs or benefits could be impacted by this breach,” according to an update posted to the state’s website Friday after the cyberattack was detected.
    • The state’s benefits programs that may be impacted by the breach include Medicaid, Supplemental Nutrition Assistance Program, Temporary Assistance for Needy Families, Child Care Assistance Program, health coverage purchased through HealthSource RI, Rhode Island Works, Long-Term Services and Supports, General Public Assistance and Program At HOME Cost Share.
  • Per TechTarget,
    • “Despite being taken down and humiliated by the National Crime Agency (NCA) coordinated Operation Cronos in February 2024, an unknown individual(s) associated with, or claiming to represent, the LockBit ransomware gang has broken cover to announce the impending release of a new locker malware, LockBit 4.0.
    • “In screengrabs taken from the dark web that have been widely circulated on social media in the past day, the supposed cybercriminal invited interested parties to “sign up and start your pen tester billionaire journey in 5 minutes with us”, promising them access to supercars and women. At the time of writing, none of the links in the post direct anywhere, while a countdown timer points to a ‘launch’ date of 3 February 2025.
    • “Robert Fitzsimons, lead threat intelligence engineer at Searchlight Cyber, said it was hard to say at this stage what LockBit 4.0 entailed – whether the gang was launching a new leak site, its old one having been seized, or whether it has made changes to its ransomware.
    • “It is worth noting that LockBit has already been through many iterations, its current branding is LockBit 3.0. It’s therefore not surprising that LockBit is updating once again and – given the brand damage inflicted by the law enforcement action Operation Cronos earlier this year – there is clearly a motivation for LockBit to shake things up and re-establish its credentials, keeping in mind that the LockBit 3.0 site was hijacked and defaced by law enforcement,” said Fitzsimons.”

From the cybersecurity defenses front,

  • Dark Reading discusses
    • “Managing Threats When Most of the Security Team Is Out of the Office. During holidays and slow weeks, teams thin out and attackers move in. Here are strategies to bridge gaps, stay vigilant, and keep systems secure during those lulls.”
  • and
    • “To Defeat Cybercriminals, Understand How They Think. Getting inside the mind of a threat actor can help security pros understand how they operate and what they’re looking for — in essence, what makes a soft target.”
  • Here is a link to Dark Reading’s CISO Corner.
  • The Cyberscoop article on CISA’s mobile communications protection guide adds
    • “The guidelines advocate for the use of Fast Identity Online (FIDO) phishing-resistant authentication as a superior alternative to traditional multifactor authentication (MFA) methods. FIDO authentication, especially through hardware-based security keys such as Yubico or Google Titan, is recommended for enhancing the security of high-targeted accounts.
    • “The guidance also emphasizes moving away from Short Message Service (SMS) messages as a form of MFA, advising that SMS-based authentication is not encrypted and can be easily intercepted by those with access to telecommunications infrastructure.
    • “Additional recommendations include the use of a password manager, regular software updates for both operating systems and applications to patch vulnerabilities and setting telecommunications account PINs to prevent SIM-swapping attacks — a common technique used by hackers to hijack phone numbers and intercept sensitive communications.
    • “Specific guidelines tailored for Apple iPhone and Android users were also included. iPhone users are advised to enable “Lockdown Mode” to restrict app access and deploy Apple iCloud Private Relay for secure internet browsing. Meanwhile, Android users are encouraged to choose devices with strong security records and long-term update commitments, and to ensure the use of encrypted Rich Communication Services (RCS) for messaging.”

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cyberscoop reports,
    • “The $3 billion that Congress folded into the annual defense policy bill to remove Chinese-made telecommunications technology from U.S. networks would be a huge start to defending against breaches like the Salt Typhoon espionage campaign, senators and hearing witnesses said Wednesday.
    • “Federal Communications Commission Chairwoman Jessica Rosenworcel recently told Hill leaders that the $1.9 billion Congress had devoted to the “rip and replace” program to get rid of Huawei and ZTE equipment left the agency with a $3.08 billion hole to reimburse 126 carriers for eliminating use of that tech, “putting our national security and the connectivity of rural consumers who depend on these networks at risk.”
    • “The fiscal 2025 National Defense Authorization Act (NDAA), which passed the House by a 281-140 vote Wednesday, contains language authorizing funds to fill that gap. Sen. Ben Ray Luján, the New Mexico Democrat who chairs the Commerce Subcommittee on Communications, Media and Broadband, said at Wednesday’s hearing of his panel that Congress should approve that funding even though there’s much still unknown about the attacks from the Chinese government hackers known as Salt Typhoon.
    • “What we do know is that more must be done to prevent attacks like this in the future,” he said. “One obvious thing we can do today is get equipment manufactured by companies that collaborate with our foreign adversaries out of our American networks. … I’m hopeful that there’s strong bipartisan agreement to fully fund this program through this year’s National Defense Authorization Act and address one of the major known vulnerabilities facing our networks every day once and for all.”
  • Federal News Network discusses the Defense Department cybersecurity provisions found in the Fiscal Year 2025 NDAA, which is expected to clear the Senate next week.
  • Per a December 10, 2024, press release,
    • “[T]he U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Inmediata Health Group, LLC (Inmediata), a health care clearinghouse, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, following OCR’s receipt of a complaint that HIPAA protected health information was accessible to search engines like Google, on the internet. * * *
    • “In 2018, OCR received a complaint concerning PHI left unsecured on the internet. Following the initiation of OCR’s investigation, Inmediata provided breach notification to HHS, and affected individuals. OCR’s investigation determined that from May 2016 through January 2019, the PHI of 1,565,338 individuals was made publicly available online. The PHI disclosed included patient names, dates of birth, home addresses, Social Security numbers, claims information, diagnosis/conditions and other treatment information.” * * *
    • “Under the terms of the settlement, Inmediata paid OCR $250,000. OCR determined that a corrective action plan was not necessary in this resolution as Inmediata had previously agreed to a settlement with 33 states that includes corrective actions that address OCR’s findings in this matter.” * * *
    • “The resolution agreement may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/inmediata-health-group-ra-cap/index.html”
  • Cyberscoop tells us,
    • “A federal court has indicted 14 more North Korean IT workers as part of an ongoing U.S. government campaign to crack down on Pyongyang’s use of tech professionals to swindle American companies and nonprofits.
    • “The Justice Department said the 14 indicted workers generated at least $88 million throughout a conspiracy that stretched over approximately six years, ending in March 2023. North Korea-controlled companies in China and Russia — Yanbian Silverstar and Volasys Silverstar, respectively — used the so-called “IT Warriors” to obtain false U.S. identities, pose as employees doing remote IT work in the United States and transfer funds from their employers to eventually end up in the hands of the North Korean government, according to the indictment. 
    • “When the defendants gained access to a U.S. employer’s sensitive business information, the defendants in some instances extorted payments from the employer by threatening to release, and in some cases releasing, that sensitive information online,” per the indictment, which the DOJ publicized Thursday [December 12].
    • “The U.S. District Court of the Eastern Division of Missouri handed down the indictment. In addition to the indictment, the State Department announced rewards of up to $5 million for individuals and companies involved in the scheme.”
  • and
    • The Justice Department announced Thursday [December 12] that it had participated in a coordinated effort to seize and dismantle Rydox, an online marketplace for stolen personal information and cybercrime tools. The operation led to the arrest of three individuals alleged to be the site’s administrators.
    • Rydox has been linked to over 7,600 illicit sales and generated substantial profits since its inception in 2016. Authorities reported the site’s revenue exceeded $230,000, primarily sourced from selling sensitive data such as credit card information, login credentials, and other PII stolen from thousands of U.S. residents. The site has offered for sale at least 321,372 cybercrime products to over 18,000 users.
    • The operation was carried out by the FBI’s Pittsburgh Office, Albania’s Special Anti-Corruption Body (SPAK) and its National Bureau of Investigation (BKH), the Kosovo Special Prosecution Office, the Kosovo Police, and the Royal Malaysian Police.
    • Kosovo nationals Ardit Kutleshi, 26, and Jetmir Kutleshi, 28, were apprehended in Kosovo. They will be extradited to the Western District of Pennsylvania to face multiple charges, including identity theft and money laundering. A third man, Shpend Sokoli, also from Kosovo, was detained in Albania. Sokoli will be prosecuted in Albania.

From the cyber vulnerabilities and breaches front,

  • HHS’s Health Sector Cybersecurity Coordination Center released on December 9 its bulletin about November vulnerabilities of interest to the health sector.
  • Bleeping Computer informs us,
    • “Citrix Netscaler is the latest target in widespread password spray attacks targeting edge networking devices and cloud platforms this year to breach corporate networks.
    • “In March, Cisco reported that threat actors were conducting password spray attacks on the Cisco VPN devices. In some cases, these attacks caused a denial-of-service state, allowing the company to find a DDoS vulnerability they fixed in October.
    • “In October, Microsoft warned that the Quad7 botnet was abusing compromised TP-Link, Asus, Ruckus, Axentra, and Zyxel networking devices to perform password spray attacks on cloud services. * * *
    • “Today [December 13], Citrix released a security bulletin warning of the uptick in password spray attacks on Netscaler devices and provided mitigations on how to reduce their impact.”
  • The Cybersecurity and Infrastructure Security Agency added two known exploited vulnerabilities to its catalog this week.
  • Bleeping Computer adds,
    • “CISA confirmed today [December 13] that a critical security vulnerability in Cleo Harmony, VLTrader, and LexiCom file transfer software is being exploited in ransomware attacks.
    • “This flaw (tracked as CVE-2024-50623 and impacting all versions before version 5.8.0.21) enables unauthenticated attackers to gain remote code execution on vulnerable servers exposed online.
    • “Cleo released security updates to fix it in October and warned all customers to “immediately upgrade instances” to address additional potential attack vectors.
    • “The company has not disclosed that CVE-2024-50623 was targeted in the wild; however, on Friday, CISA added the security bug to its catalog of known exploited vulnerabilities, tagging it as being used in ransomware campaigns.” * * *
    • “While the cybersecurity agency didn’t provide any other information regarding the ransomware campaign targeting Cleo servers left vulnerable to CVE-2024-50623 exploits, these attacks are uncannily similar to previous Clop data theft attacks that exploited zero-days in MOVEit Transfer, GoAnywhere MFT, and Accellion FTA in recent years.
    • “Some also believe the flaw was exploited by the Termite ransomware operation. However, it is believed that this link was only made because Blue Yonder had an exposed Cleo software server, and they were breached in a cyberattack claimed by the ransomware gang.”

From the ransomware front,

  • Oh, the humanity! The Wall Street Journal reports,
    • “Doughnut maker Krispy Kreme said a cyberattack detected in late November is still disrupting its online ordering. The attack, which happened shortly before a big annual holiday promotion, comes as other hacks have snarled supply chains in the retail industry.
    • “The company said it is working with outside experts to restore online capabilities and it expects the attack to have a short-term material impact on its business. Krispy Kreme’s physical locations remain open.”
  • In that regard, InfoSecurity Magazine points out,
    • “Ransomware claims reached an all-time high in November 2024, with Corvus Insurance reporting 632 victims claimed on ransomware groups’ data leak sites (DLS).
    • “More than double the monthly average of 307 victims, the November count exceeds the previous peak of 527 victims recorded in May 2024.
    • “According to a December 11 report by Corvus, these record numbers can be attributed to heightened activity by several ransomware groups, especially RansomHub and Akira.”
  • Forbes reports,
    • “Although little is known, in truth, about a cybercriminal actor employing what has become known as the Cloak ransomware threat, the group has risen rapidly to gain status as a significant player in the ransomware landscape since first emerging in 2022.
    • “Threat researchers at Halcyon have now analyzed the Cloak ransomware threat and uncovered a new and worrying variant that not only displays “sophisticated extraction and privilege escalation mechanisms” but also terminates processes related to both security and data backup tools. This new Cloak variant, Halcyon warned, can spread by way of dangerous drive-by downloads disguised as legitimate updates like Microsoft Windows installers.”

From the cybersecurity defenses front,

  • HP shares ransomware prevention tips.
  • An ISACA commentator examines approaches to mitigating human cybersecurity risks.
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Fedscoop reports,
    • “Legislation to improve federal agency oversight and management of software purchases passed the House on Wednesday [December 4], keeping top IT and software trade groups’ hopes alive that the bill will get through the Senate and become law before this congressional term is up.
    • “The Strengthening Agency Management and Oversight of Software Assets Act (H.R.1695) was introduced by Rep. Matt Cartwright, D-Pa., last year and co-sponsored by a bipartisan group of 20 House lawmakers. 
    • “Calling the rooting out of waste, fraud and abuse a “signal mission” of the House Oversight Committee, Cartwright said the bill would ensure that federal agencies are required to conduct a “comprehensive assessment of their current software assets and restructure their operations to reduce unnecessary costs.”
    • “Our federal government spends billions of taxpayer dollars every year on software licenses alone. Most of these software license purchases are purposeful, but some are redundant, duplicative, simply unnecessary,” he said. “This commonsense bill will reduce waste, strengthen cybersecurity and modernize government operations.”
  • Cyberscoop adds,
    • “Private-sector tech leaders told House lawmakers Thursday [December 5] that the Cybersecurity and Infrastructure Security Agency’s [CISA] secure-by-design push may benefit from more of an incentive structure, but poorly trained developers remain “a real problem” for the nearly two-year-old initiative.
    • “The four witnesses testifying before the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection all characterized CISA’s voluntary secure-by-design pledge as a net positive that has resulted in significant industry-wide progress. The question posed by subcommittee Chair Andrew Garbarino, R-N.Y., and ranking member Eric Swalwell, D-Calif., was how the initiative could level up and better enhance cybersecurity across more U.S. sectors.
    • “Shane Fry, chief technology officer at RunSafe Security, acknowledged that CISA’s secure-by-design program — which now counts over 250 companies as signees — “is making a lot of waves.” But there’s a missing piece, Fry said, in limiting the program to IT systems and not addressing operational technology device manufacturers.
    • “Let’s work with Congress and find a good way, or CISA to find a good way, to incentivize these companies to actually secure their systems,” Fry said. “Because I think limiting it to just IT systems is a little bit short-sighted.”
  • Cybersecurity Dive lets us know,
    • Federal Communications Commission Chair Jessica Rosenworcel on Thursday [December 5] proposed stronger rules requiring telecom operators to secure their networks from intrusions, in response to the wave of China-linked attacks on U.S. carriers’ infrastructure.
    • The measure has two parts. Rosenworcel proposed a declaratory ruling to clarify telecom operators are legally obligated to secure their networks under Section 105 of the Communications Assistance for Law Enforcement Act. The second lever, a notice of proposed rulemaking, includes an annual certification requirement for telecom providers to maintain cybersecurity risk management plans.
    • “While the commission’s counterparts in the intelligence community are determining the scope and impact of the Salt Typhoon attack, we need to put in place a modern framework to help companies secure their networks and better prevent and respond to cyberattacks in the future,” Rosenworcel said in a statement Thursday.
  • Dark Reading tells us,
    • “Chasing down members of Scattered Spider, the cybercrime group known for their social engineering takedowns of massive organizations, has been a top law enforcement priority over the past several months. Now, the Federal Bureau of Investigation has made a new arrest in the case, a 19-year-old hacker living in Fort Worth, Texas — and he’s talking.
    • “Remington Goy Ogletree is accused of a phishing operation that ran from October 2023 to last May, when, according to the complaint, he was able to gain credentials and unauthorized access to two telecommunications companies and one US-based national bank. He then stole data, including API keys and cryptocurrency, and sold off access to other threat actors on the Dark Web, according to the indictment.
    • “He is also accused of hijacking one of the telecommunications platforms to send about 8.5 million phishing texts in an attempt to steal cryptocurrency. Ogletree likewise allegedly used a hacked telecom network to send phishing messages to employees of an unidentified financial institution with the intent to steal their credentials. The FBI complaint added that Ogletree hacked into a second telecommunications organization to send an additional 140,000 fraudulent phishing text messages.”

From the cybersecurity vulnerabilities and breaches front,

  • STAT News reports,
    • “As many as 172 million individuals — more than half the population of the United States — may have been impacted by large health data breaches reported to the Department of Health and Human Services in 2024, according to a STAT analysis of records from HHS’ Office for Civil Rights. It’s a new record for the scale of large health care breaches, breaking one set just last year.
    • “The vast majority of those health data breaches — 532 of the 656 reported as of December 4 — have resulted from hacks and ransomware attacks, continuing a years-long trend. Since 2018, HHS has reported, it has seen a 264% increase in large ransomware breaches, and seven health systems have been fined up to $950,000 for failing to protect patients’ protected health information from ransomware attacks.” * * *
    • “It’s unlikely that 172 million Americans had their health data exposed in breaches reported this year. There are overlaps in the individuals included in each breach. And after an attack, covered entities have to report that individual data was compromised unless they can actively prove that it wasn’t. “In ransomware, it’s hard to prove that the data was not exfiltrated,” said Jigar Kadakia, chief information security and privacy officer for Atlanta-based Emory Healthcare. “That’s where the escalation has been probably in the last three years.” 
  • The Wall Street Journal adds,
    • “Data breaches at healthcare organizations have become common in recent years. But what do hackers want with your health information, anyway?
    • “Usually, hackers break into providers’ networks looking for a ransom, doing things like locking the provider out of its own computer systems or threatening to release its data online. But they are also looking for patient data.
    • “Healthcare records have personal information that hackers are always eager to grab, like addresses and credit-card numbers. But the records also hold an array of private information about patients, ranging from insurance-policy numbers to medical conditions to medications—data that lets crooks scam insurance companies and Medicare and Medicaid, leaving patients exposed to steep financial and medical risk.
    • “They give hackers a full picture to commit insurance fraud, identity theft or other malicious activity in the future,” says John Riggi, the national adviser for cybersecurity and risk at the American Hospital Association, a trade organization that represents 90% of the hospitals in the U.S.
    • “What’s more, the theft of health records can have a longer-lasting impact on victims than regular financial fraud or identity theft, because the information in those records is harder to detect and more challenging to correct when misused.”
  • Per the Wall Street Journal,
    • “Chinese government hackers have compromised telecommunications infrastructure across the globe as part of a massive espionage campaign that has affected dozens of countries, a top U.S. security official said Wednesday.
    • “Speaking during a press briefing Wednesday, Anne Neuberger, President Biden’s deputy national security adviser for cyber and emerging technology, said the so-called Salt Typhoon campaign is ongoing and that at least eight telecommunications firms in the U.S. had been breached.
    • “The Chinese compromised private companies, exploiting vulnerabilities in their systems as part of a global Chinese campaign that’s affected dozens of countries around the world,” Neuberger said.”
  • Cybersecurity Dive adds,
    • “Multiple government authorities and security researchers are warning about a directory traversal vulnerability in Zyxel Networks firewalls that threat actors are actively exploiting to deploy Helldown ransomware.
    • “The vulnerability, listed as CVE-2024-11667, with a CVSS score of 7.5, is located in the web management interface of Zyxel ZLD firewall firmware versions 5.00 through 5.38, and could allow an attacker to download or upload files through a crafted URL. The Cybersecurity and Infrastructure Security Agency on Tuesday added the CVE to its known exploited vulnerabilities catalog.
    • “Zyxel, in a blog post, confirmed it is aware of recent attempts to exploit the vulnerability, following disclosures from security researchers at Sekoia. The company is urging users to immediately update their firmware and change their admin passwords.”

From the ransomware front,

  • CBS News reported on December 4,
    • PIH Health [located in southern California] was targeted in a ransomware attack, forcing officials to completely shut their network offline and leaving millions in the dark when it comes to healthcare. 
    • Families are being told that they can either wait it out for systems to turn back online, or to go to another hospital for treatment because of the issue, which happened over the weekend. 
    • Officials say that they were targeted on Sunday by a “criminal act” that “compromised their network.” In turn, network services were turned off at their hospitals in Downey, Whittier and downtown LA. 
    • While urgent care centers and emergency room remained open, patients and physicians were left without access to health records, laboratory systems, pharmacy orders and radiation access. On top of that, internet access and phone lines were completely turned off. 
  • Cybersecurity News informs us,
    • “Black Basta ransomware operators have improved their tactics, leveraging Microsoft Teams to deploy Zbot, DarkGate, and Custom Malware.
    • “The ongoing social engineering campaign comprises a threat actor flooding a user’s inbox with junk and contacting the user to offer assistance. 
    • “Researchers observed that threat actors used Microsoft Teams as their primary medium for initial communication with the target.
    • “Suppose the user responds to the lure by answering the call or sending a message. In that case, the threat actor will try to persuade them to install or run a remote management (RMM) program, such as QuickAssist, AnyDesk, TeamViewer, Level, or ScreenConnect, among others.
    • “After establishing a remote connection, the threat actor proceeds to download payloads from their infrastructure to obtain the credentials of the affected users and continue to persistently target their assets.
    • “The overall goal following initial access appears to be the same: to quickly enumerate the environment and dump the user’s credentials. Operators will still attempt to steal any available VPN configuration files, when possible,” Rapid7 said in a report shared with Cyber Security News.”

From the cybersecurity defenses front,

  • Techradar tells us,
    • “US authorities are urging Americans to use encrypted messaging apps to secure their sensitive data against foreign attackers.
    • “The security call comes in the wake of an “unprecedented cyberattack” on the country’s telecoms companies, NBC News reported. The attack is considered among the largest intelligence compromises in US history and isn’t yet fully fixed.
    • “The China-linked Salt Typhoon group was first spotted targeting US telecoms with a new backdoor malware a few months ago. It has reportedly hacked the likes of AT&T, Verizon, and Lumen Technologies to spy on their customers’ activities.”
  • Cybersecurity Dive adds, “T-Mobile undeterred as telecom sector reels from attack campaign. Cybersecurity Dive spoke with CSO Jeff Simon about how the carrier says it thwarted a threat group resembling Salt Typhoon despite its past security failures.”
  • The Wall Street Journal asks, “Do Your Passwords Meet the Proposed New Federal Guidelines? New standards want to make passwords secure—but also more user-friendly.”
    • “The key to password security, the standards institute emphasizes, is length rather than special characters. The guidelines recommend passwords be at least eight characters long while suggesting organizations push for a minimum of 15 characters. The shorter minimum is acceptable when combined with multifactor authentication, Regenscheid says, which most federal websites now require when accessing personal information. That means having two different ways to confirm identity, not just the password itself.
    • “The institute also suggested a maximum length of at least 64 characters, a number Regenscheid calls “fairly arbitrary” but sufficient for security needs. Systems need some upper limit to prevent malicious users from trying to overwhelm servers with extremely long passwords, he says, and do things like download sensitive data from databases. 
    • “The emphasis on length over complexity reflects decades of research showing longer passwords are significantly harder to crack. “A truly randomly chosen 24-character password is not going to be broken,” says Stuart Schechter, an associate at Harvard’s School of Engineering and Applied Sciences. “That’s long enough that it’s not likely to be broken in the lifespan of the universe.”
    • “When it comes to creating long, strong passwords, research shows that both random strings of characters and random sequences of words can work well. “People’s brains work differently, and our tech should be designed to help you achieve your desired level of security with the option that works best for you,” Schechter says. His research found most people can memorize either type effectively.
    • “But it is a time-consuming process, and it isn’t clear how many passwords people can remember, Schechter says, so he uses the password manager built into his browser, an option available in browsers like Safari and Chrome. While some security experts push for stand-alone password managers that must be purchased separately, Schechter argues that built-in browser options are a good solution for most people’s needs and are very secure.”
  • Per a CISA press release,
    • “The Cybersecurity and Infrastructure Security Agency (CISA) published the updated version of the Trusted Internet Connections (TIC) 3.0 Security Capabilities Catalog (SCC) version 3.2. The SCC was recently updated based on the new National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) Version 2.0 mapping updates. 
    • “The TIC 3.0 SCC provides a list of deployable security controls, security capabilities, and best practices. The catalog is intended to guide secure implementations and help agencies satisfy program requirements within discrete networking environments. 
    • “Further, the SCC helps agencies to apply risk management principles and best practices to protect federal information in various computing scenarios. The trust considerations presented in the TIC 3.0 Reference Architecture can be further applied to an agency’s implementation of a given use case to determine the level of rigor required for each security capability. In some cases, the security capabilities may not adequately address residual risks necessary to protect information and systems; agencies are obligated to identify and apply compensating controls or alternatives that provide commensurate protections. Additional collaboration with vendors is necessary to ensure security requirements are adequately fulfilled, configured, and maintained.”
  • Per Cybersecurity Dive,
    • “Protecting the cloud: combating credential abuse and misconfigurations. To defend against two of today’s biggest cloud security threats, organizations must adapt and develop proactive strategies, Google Cloud’s Brian Roddy writes [in an opinion piece].”
  • and
    • “For IT pros, the CrowdStrike crisis was a ‘call to arms’. The global outage triggered investments in people, processes and technologies to beef up enterprise resilience, Adaptavist research found.”
  • Here is a link to Dark Reading’s CISO Corner.
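The length-first password rules summarized in the Wall Street Journal item above (8 characters with multifactor authentication, 15 without, an upper limit of at least 64, no special-character requirement) as an added Python example; this is not code from the article, from NIST, or from any product. The blocklist, the sample passwords and the guess-rate figure are constructed for illustration, and the blocklist and Unicode-normalization steps follow NIST SP 800-63B rather than the article itself.

```python
"""Length-first password policy check in the style of NIST SP 800-63B.

Added example (not from the WSJ article or NIST). Rules implemented, as the
article summarizes them:
  * at least 8 characters when multifactor authentication is in place,
  * at least 15 characters otherwise,
  * an upper limit of at least 64 characters, kept only to protect the verifier
    from pathological input, never to forbid long passphrases,
  * no special-character or mixed-case requirements.
SP 800-63B additionally has verifiers reject passwords found on a list of
commonly used or compromised values; BLOCKLIST below is a tiny constructed
stand-in for such a list, not a real breach corpus.
"""
import math
import unicodedata
from dataclasses import dataclass
from typing import Sequence

MIN_LENGTH_WITH_MFA = 8
MIN_LENGTH_WITHOUT_MFA = 15
MAX_LENGTH = 64  # SP 800-63B: verifiers SHOULD accept at least 64 characters

# Constructed stand-in for a breached/common-password blocklist (lowercase).
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1"}


@dataclass
class PolicyResult:
    accepted: bool
    reason: str


def check_password(candidate: str, *, mfa_enabled: bool,
                   context_words: Sequence[str] = ()) -> PolicyResult:
    """Apply the length-first policy; returns why a password was rejected."""
    # Normalize so composed and decomposed Unicode spellings count the same way
    # (SP 800-63B recommends NFKC or NFKD normalization before comparison).
    pw = unicodedata.normalize("NFKC", candidate)
    # Count code points, not bytes: any printable Unicode character is allowed,
    # and a non-ASCII character is one character, not two or three.
    length = len(pw)
    minimum = MIN_LENGTH_WITH_MFA if mfa_enabled else MIN_LENGTH_WITHOUT_MFA
    if length < minimum:
        return PolicyResult(False, f"too short: {length} < {minimum} characters")
    if length > MAX_LENGTH:
        # A cap protects the server from oversized input; it is not a security
        # control, so it must be generous rather than tight.
        return PolicyResult(False, f"too long: {length} > {MAX_LENGTH} characters")
    lowered = pw.lower()
    if lowered in BLOCKLIST:
        return PolicyResult(False, "appears on the blocklist of common/breached passwords")
    # Reject obviously guessable context, e.g. the user's own login name.
    for word in context_words:
        if word and word.lower() in lowered:
            return PolicyResult(False, f"contains context-specific word {word!r}")
    # Deliberately no check for digits, symbols or mixed case: length, not
    # composition, is what the guidelines ask for.
    return PolicyResult(True, "ok")


def random_secret_bits(length: int, alphabet_size: int) -> float:
    """Entropy, in bits, of `length` symbols drawn uniformly from an alphabet.

    Works for both styles the article mentions: a random character string
    (alphabet = characters) and a random word sequence (alphabet = word list).
    """
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every value of a `bits`-bit secret at a given rate.

    The guess rate is an illustrative assumption; real rates depend on the
    hashing scheme the verifier uses.
    """
    seconds = 2.0 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample passwords.
    print(check_password("Tr0ub4dor&3", mfa_enabled=False))              # short
    print(check_password("Tr0ub4dor&3", mfa_enabled=True))               # ok
    print(check_password("correct horse battery staple", mfa_enabled=False))  # ok
    print(check_password("Password", mfa_enabled=True))                  # blocklisted
    # 24 random printable-ASCII characters (94-symbol alphabet) versus six words
    # from a 7776-word list (a common diceware list size), at an assumed 1e12
    # guesses per second.
    for label, bits in (("24 random chars", random_secret_bits(24, 94)),
                        ("6 random words", random_secret_bits(6, 7776))):
        print(f"{label}: {bits:.1f} bits, "
              f"{years_to_exhaust(bits, 1e12):.3g} years to exhaust")
```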

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cyberscoop tells us,
    • “Cybersecurity is set to get a decidedly South Dakotan bent in 2025.
    • “Three Republican South Dakota politicians are in line to take on more prominent roles to influence cyber policy next year: Gov. Kristi Noem is president-elect Donald Trump’s pick to lead the Homeland Security Department, Sen. Mike Rounds is poised to seize the gavel of a key cybersecurity subcommittee and John Thune will become Senate majority leader.
    • Cyberscoop interviews “José-Marie Griffiths, [the] president of Dakota State University, a school that has put a big focus on cybersecurity and tech, [who] has worked with all three of them closely on cyber issues — testifying before their committees, consulting them on legislation, being appointed to national commissions by them and more.”
  • HHS Office of Inspector General criticized the HHS Office for Civil Rights, which enforces the HIPAA Privacy and Security Rules, for inadequately conducting routine Security Rule audits of HIPAA covered entities and business associates. According to an OIG news release,
    • “We made a series of recommendations to OCR to enhance its HIPAA audit program, including that it expand the scope of its HIPAA audits to assess compliance with physical and technical safeguards from the HIPAA Security Rule, document and implement standards and guidance for ensuring that deficiencies identified during the HIPAA audits are corrected in a timely manner, and define metrics for monitoring the effectiveness of OCR’s HIPAA audits at improving audited covered entities and business associates’ protections over ePHI and periodically review whether these metrics should be refined. The full recommendations are in the report.
    • “OCR did not concur with one recommendation but concurred with our three other recommendations and detailed steps it has taken and plans to take in response.”
  • Per an HHS press release, the Office of Civil Rights announced
    • “a settlement with Holy Redeemer Family Medicine (Holy Redeemer), a Pennsylvania hospital, concerning an alleged violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule due to an impermissible disclosure of a female patient’s protected health information, including information related to reproductive health care.”
    • The Hospital had mistakenly sent the woman’s entire medical record to the patient’s prospective employer instead of sending a specific test result as requested.
    • OCR evidently spends more time on enforcement than on routine audits.
  • The Wall Street Journal considers the pros and cons of creating a cybersecurity branch of the U.S. armed forces.
    • “The idea of creating a military branch dedicated to cybersecurity has been floated before. Last year, an independent study of the idea was initially included in—but then dropped from—Congress’s annual National Defense Authorization Act, legislation that specifies the annual budget and expenditures of the Defense Department. This year’s version of the bill currently includes the study, but that could change before it comes to a vote. 
    • “Rep. Morgan Luttrell (R., Texas) says a study would provide significant data to understand what more, if anything, needs to be done to increase the country’s cybersecurity. “That’s fair” as a way to address conflicting views about a Cyber Force, says Luttrell, who is a member of the House Armed Services Committee and is one of the representatives who proposed including a study in this year’s spending bill. “It gives us the ability to negotiate and debate,” he says.”
  • Bleeping Computer reports,
    • “Russian law enforcement has arrested and indicted notorious ransomware affiliate Mikhail Pavlovich Matveev (also known as Wazawaka, Uhodiransomwar, m1x, and Boriselcin) for developing malware and his involvement in several hacking groups.
    • “While the prosecutor’s office has yet to release any details on the individual’s identity (described as a “programmer” in court documents), the individual is Matveev, according to an anonymous source of the Russian state-owned news agency RIA Novosti.
    • “At present, the investigator has collected sufficient evidence, the criminal case with the indictment signed by the prosecutor has been sent to the Central District Court of the city of Kaliningrad for consideration on the merits,” the Russian Ministry of Internal Affairs said in a statement.” * * *
    • “Last year, in May 2023, the U.S. Justice Department also filed charges against Matveev for his involvement in the Hive and LockBit ransomware operations that targeted victims across the United States.”

From the cyber vulnerabilities and breaches front,

  • The Cybersecurity and Infrastructure Security Agency added one known exploited vulnerability to its catalog this week.
  • Hacker News adds,
    • “The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a now-patched critical security flaw impacting Array Networks AG and vxAG secure access gateways to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild.
    • “The vulnerability, tracked as CVE-2023-28461 (CVSS score: 9.8), concerns a case of missing authentication that could be exploited to achieve arbitrary code execution remotely. Fixes (version 9.4.0.484) for the security shortcoming were released by the network hardware vendor in March 2023.” * * *
    • “The inclusion to KEV catalog comes shortly after cybersecurity company Trend Micro revealed that a China-linked cyber espionage group dubbed Earth Kasha (aka MirrorFace) has been exploiting security flaws in public-facing enterprise products, such as Array AG (CVE-2023-28461), Proself (CVE-2023-45727), and Fortinet FortiOS/FortiProxy (CVE-2023-27997), for initial access.”
  • Cybersecurity Dive warns,
    • “The FBI and Cybersecurity and Infrastructure Security Agency on Tuesday [November 26] warned businesses to protect themselves against cybercriminals trying to fraudulently divert payments during the holiday season.
    • “Threat activity involving fraudulent third parties usually accelerates during the holiday season, the agencies said. Businesses need to be aware of emails from alleged vendors or retailers claiming to change their account numbers. 
    • “Officials urged businesses and individuals that are targeted to promptly report the incidents to IC3, which has an asset recovery unit that can help intercept fraudulent payment activity and return those payments back to the victim.”
  • Cyberscoop informs us,
    • “Those with firsthand knowledge of Salt Typhoon’s hack of several U.S. telecommunications companies have called the group’s actions some of the most sophisticated cyber-espionage efforts they have ever seen. A prominent security vendor may have unearthed some malware that shows why. 
    • “Trend Micro released a report Monday that gives details on the tactics, techniques and procedures used by Salt Typhoon, which the company referred to as one of “the most aggressive Chinese advanced persistent threat (APT) groups” currently in operation. 
    • “While the company explicitly states that it does not have any evidence the malware detailed in the report was used in the telecom hacks, Trend Micro researchers write that several pieces of malware used by the group have been used to infiltrate other telecommunications companies and government entities around the world. Tracked as “Earth Estries,” Trend Micro says this group, which is also known as FamousSparrow, GhostEmperor, and UNC2286, has used the malware in the U.S., Asia-Pacific, Middle East, and South Africa.”

From the ransomware front,

  • Cybersecurity Dive relates,
    • “Just ahead of the holiday season, U.S. companies and critical infrastructure providers are once again bracing for the potential risk of cyberattack, as threat groups look to exploit distracted IT security teams for maximum leverage.
    • “The vast majority of organizations — nearly 9 in 10 — hit by ransomware over the past 12 months were targeted at night or over a weekend period, when IT security staffing was low, a November report from Semperis shows. 
    • “Nearly two-thirds of organizations said they were targeted by ransomware after a major corporate event when employees could be distracted, such as a restructuring or major layoff announcement, an initial public offering or a corporate merger. 
    • “The report, conducted in partnership with Censuswide, is based on a survey of more than 900 IT security professionals in the U.S., U.K., France and Germany.”
  • The Wall Street Journal reported on November 25,
    • “A ransomware attack against a major supply chain technology provider left retailers including Starbucks and U.K. grocery chain Sainsbury’s triggering backup plans to manage operations including scheduling and handling inventories.
    • “Blue Yonder, one of the world’s largest supply chain software providers, said Monday it was working to restore services after the attack last week disrupted systems it hosts for customers.
    • “Blue Yonder said it didn’t have a timeline for when services would be restored. The company said the attack didn’t affect systems that run on public cloud-based platforms.
    • “Starbucks said Monday the ransomware attack affected company-owned stores in its network of around 11,000 sites in North America. It disrupted the coffee chain’s ability to pay baristas and manage their schedules, leaving cafe managers to manually calculate employees’ pay. * * *
    • “The incident is the latest cyberattack to disrupt grocery supply chains this month as companies prepare for the busy holiday shopping season.
    • “Dutch supermarket conglomerate Ahold Delhaize, which owns Stop & Shop, Food Lion, Hannaford and other grocery chains, on Nov. 8 reported a “cybersecurity issue” within its U.S. network. The incident caused nearly two weeks of product shortages at Stop & Shop stores across the Northeast U.S.”
    • P.S. The FEHBlog could not find any articles closing the loop on the Blue Yonder attack.
  • SC Media added yesterday,
    • “Both Texas’ City of Coppell and the Minneapolis Park and Recreation Board admitted having been compromised by the RansomHub ransomware operation, which also claimed to target two U.S. schools, according to The Record, a news site by cybersecurity firm Recorded Future.”

From the cybersecurity defenses front,

  • CISA gives advice on “Shop[ping] Safely Online This Holiday Season with Tips from Secure Our World.”
  • Federal News Network reports,
    • The Cybersecurity and Infrastructure Security Agency is rolling out a new education platform that the agency says will offer a more modern cyber training environment for CISA staff, the broader federal workforce, veterans and other users.
    • The new platform, CISA Learning, debuted this month. It serves up cybersecurity classes ranging from cloud security and ethical hacking to risk management and malware analysis.
    • The new platform is replacing both CISA’s internal education platform and the Federal Virtual Training Environment, known as FedVTE, which had been used by users from across the federal government and other external organizations.
  • Dark Reading reports,
    • “A data-focused approach to tackling phishing and business fraud promises significant reductions in the amount of phishing and phone-based fraud that companies — and their customers — face but worries remain over whether fraudsters will adapt.
    • “The Financial Services Information Sharing and Analysis Center (FS-ISAC) unveiled its Phishing Prevention Framework on Nov. 19, a program consisting of best practices in data collection, defense, and customer communications that has already reduced the volume of phishing incidents — as measured by abuse complaints — in a pilot program with three banks. The framework cut the incidence of abuse complaints for those financial services firms in half and promises significant benefits for any business targeted by cybercriminals, if they implement certain best practices — such as security education and intelligence collection — included in the framework.
    • “While FS-ISAC has released the framework for the financial services sector — where phishing is a pernicious problem — the techniques are broadly applicable, says Linda Betz, executive vice president of global community engagement at the organization.”
  • SC Media offers “Five steps to better cyber risk assessments via autonomous pentesting.”
  • Dark Reading adds,
    • “Businesses are not the only organizations looking for skilled cybersecurity professionals; cybercriminals are also advertising for individuals capable of creating dark AI models and penetration-testing products — that is, ransomware — to reduce the chance of defenders finding ways to circumvent the scheme.
    • “In advertisements on Telegram chats and forums — such as the Russian Anonymous Marketplace, or RAMP — ransomware affiliate groups and initial access providers are seeking cybersecurity professionals to help find and close holes in their malware and other attack tools, security firm Cato Networks stated in its “Q3 SASE Threat Report.” In the past, the firm’s threat researchers have noted advertisements seeking developers capable of creating a malicious version of ChatGPT.
    • “The search for more technical talent highlights the recent success of law enforcement and private companies in taking down botnets and helping defenders recover their data, says Etay Maor, chief security strategist at Cato Networks.”
  • Finally, here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cyberscoop reports,
    • “Protecting Americans’ health data and strengthening cybersecurity protections throughout the health care sector is the focus of a bill introduced Friday from a bipartisan quartet of Senate lawmakers.
    • “The Health Care Cybersecurity and Resiliency Act of 2024 (S.5390) is the culmination of a yearlong effort from Sens. Bill Cassidy, R-La., Maggie Hassan, D-N.H., John Cornyn, R-Texas, and Mark Warner, D-Va., who formed a working group in November 2023 to examine cyber issues in health care.
    • “Under the umbrella of the Senate Health, Education, Labor and Pensions Committee, the senators aimed to address a staggering stat from the Health and Human Services Department, which found that 89 million Americans’ health information was breached last year, more than twice as many as in 2022.  
    • “In an increasingly digital world, it is essential that Americans’ health care data is protected,” Cornyn said in a statement. “This commonsense legislation would modernize our health care institutions’ cybersecurity practices, increase agency coordination, and provide tools for rural providers to prevent and respond to cyberattacks.” 
  • and
    • “A bill that would require federal contractors to implement vulnerability disclosure policies that comply with National Institute of Standards and Technology guidelines cleared a key Senate panel Wednesday, setting the bipartisan legislation up for a vote before the full chamber.
    • “The Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024 (S. 5028) from Sens. Mark Warner, D-Va., and James Lankford, R-Okla., sailed through the Senate Homeland Security and Governmental Affairs Committee, after a companion bill from Rep. Nancy Mace, R-S.C., passed the House Oversight Committee in May.
    • “The bill from Warner and Lankford would formalize a structure for contractors to receive vulnerability reports about their products and take action against them ahead of an attack. In announcing the legislation in August, Warner said that vulnerability disclosure policies, or VDPs, “are a crucial tool used to proactively identify and address software vulnerabilities,” and that this bill would “better protect our critical infrastructure and sensitive data from potential attacks.”
    • “Federal law mandates that civilian federal agencies have VDPs, but no standard currently exists for federal contractors. The legislation would require contractors to accept, assess and manage any vulnerability reports that they receive.”
  • and
    • “A Russian man who allegedly served as an administrator of the Phobos ransomware that’s extorted millions of dollars from more than a thousand victims is in U.S. custody, the Justice Department said Monday.
    • “South Korea extradited Evgenii Ptitsyn, 42, to the United States for a court appearance Nov. 4, according to a news release about an unsealed 13-count indictment.
    • “The Phobos ransomware has extorted over $16 million from more than 1,000 victims worldwide, including schools, hospitals, government agencies and large corporations, DOJ said. The department chalked up the arrest to international team-ups.”

From the cybersecurity vulnerabilities and breaches front,

  • Per a Cybersecurity and Infrastructure Security Agency press release,
    • “The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Homeland Security Systems Engineering and Development Institute (HSSEDI), operated by MITRE, has released the 2024 CWE Top 25 Most Dangerous Software Weaknesses. This annual list identifies the most critical software weaknesses that adversaries frequently exploit to compromise systems, steal sensitive data, or disrupt essential services.
    • “Organizations are strongly encouraged to review this list and use it to inform their software security strategies. Prioritizing these weaknesses in development and procurement processes helps prevent vulnerabilities at the core of the software lifecycle.”
  • CISA added eight known exploited vulnerabilities to its catalog this week.
  • Cybersecurity Dive adds,
    • “Palo Alto Networks customers are confronting another actively exploited zero-day, a critical authentication bypass vulnerability in the security vendor’s PAN-OS operating system, which runs some of the company’s firewalls, the company said Monday in an updated security advisory.
    • “Palo Alto Networks has identified threat activity targeting a limited number of device management web interfaces,” the security vendor’s threat intelligence firm Unit 42 said in a Monday threat brief. “Observed post-exploitation activity includes interactive command execution and dropping malware, such as webshells, on the firewall.”
    • “The vulnerability, CVE-2024-0012, has a CVSS score of 9.3 and allows an unauthenticated attacker with network access to the management web interface to gain administrator privileges or tamper with the configuration. Active exploitation of the CVE can also allow attackers to exploit other authenticated privilege escalation vulnerabilities, such as CVE-2024-9474, which has a CVSS score of 6.9.” 
  • Security Week adds,
    • “Apple has rushed out major macOS and iOS security updates to cover a pair of vulnerabilities already being exploited in the wild.
    • “The vulnerabilities, credited to Google’s TAG (Threat Analysis Group), are being actively exploited on Intel-based macOS systems, Apple confirmed in an advisory released on Tuesday.
    • “As is customary, Apple’s security response team did not provide any details on the reported attacks or indicators of compromise (IOCs) to help defenders hunt for signs of infections.
    • “Raw details on the patched vulnerabilities:
      • CVE-2024-44308 — JavaScriptCore — Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.
      • CVE-2024-44309 — WebKit — Processing maliciously crafted web content may lead to a cross-site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.
    • “The company urged users across the Apple ecosystem to apply the urgent iOS 18.1.1, macOS Sequoia 15.1.1 and the older iOS 17.7.2.”
  • Cybersecurity Dive lets us know,
    • “Password-spray attacks yielded prolific results for attackers across multiple sectors in North America and Europe during Q2 and Q3, the Trellix Advanced Research Center said in a Wednesday research report.
    • “The attack surface for password-spray attacks is vast, Trellix found. Attackers commonly target cloud-based systems, including Microsoft 365, Okta, Google Workspace, VPNs, Windows Remote Desktop, AWS, Google Cloud Platform and Microsoft Azure.
    • “Attackers most frequently targeted password-spray attacks at education, energy and transportation organizations during the six-month period, the report found.”
  • HHS Health Sector Cybersecurity Coordination Center offers an alert discussing a widespread phishing campaign abusing DocuSign software by impersonating well-known brands. The alert offers tips for avoiding this scam.
  • Dark Reading lets us know,
    • “Microsoft seized 240 domains belonging to ONNX, a phishing-as-a-service platform that enabled its customers to target companies and individuals since 2017.
    • “ONNX was the top adversary-in-the-middle (AitM) phishing service, according to Microsoft’s “Digital Defense Report 2024,” with a high volume of phishing messages during the first six months of this year. Millions of phishing emails targeted Microsoft 365 accounts each month, and Microsoft has apparently had enough.”
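The Trellix item above describes password spraying by its attack surface; what a defender watches for is the pattern that distinguishes a spray (one source, many accounts, one or two guesses each) from ordinary brute force (one source, one account, many guesses). The following is an added example, not code from Trellix or any vendor named on this page. The log lines are constructed for the example and their key=value layout is an assumption, not any real product’s format; the IP addresses are documentation ranges.

```python
"""Password-spray detection over constructed authentication log lines."""
import re
from collections import defaultdict

# Constructed sample log (not real data). The key=value layout is an
# assumption made for this example, not a vendor's actual log format.
SAMPLE_LOG = """\
2024-11-20T08:00:01Z auth result=FAIL user=alice src=203.0.113.7 app=m365
2024-11-20T08:00:02Z auth result=FAIL user=bob src=203.0.113.7 app=m365
2024-11-20T08:00:03Z auth result=FAIL user=carol src=203.0.113.7 app=m365
2024-11-20T08:00:04Z auth result=FAIL user=dave src=203.0.113.7 app=m365
2024-11-20T08:00:05Z auth result=FAIL user=erin src=203.0.113.7 app=m365
2024-11-20T08:00:06Z auth result=SUCCESS user=frank src=203.0.113.7 app=m365
2024-11-20T08:01:00Z auth result=FAIL user=alice src=198.51.100.9 app=vpn
2024-11-20T08:01:01Z auth result=FAIL user=alice src=198.51.100.9 app=vpn
2024-11-20T08:01:02Z auth result=FAIL user=alice src=198.51.100.9 app=vpn
2024-11-20T08:01:03Z auth result=FAIL user=alice src=198.51.100.9 app=vpn
2024-11-20T08:01:04Z auth result=FAIL user=alice src=198.51.100.9 app=vpn
2024-11-20T08:01:05Z auth result=FAIL user=alice src=198.51.100.9 app=vpn
2024-11-20T08:02:00Z auth result=FAIL user=grace src=192.0.2.5 app=m365
2024-11-20T08:02:05Z auth result=SUCCESS user=grace src=192.0.2.5 app=m365
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>SUCCESS|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) app=(?P<app>\S+)$"
)


def parse_auth_log(text):
    """Return one dict per well-formed line; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def detect_spray(events, min_accounts=5, max_per_account=2):
    """Flag sources that touch many distinct accounts with few tries each.

    A spray is low-and-slow per account: the attacker tries one or two
    common passwords against every account, so per-account counts stay
    under typical lockout thresholds while the distinct-account count
    climbs. Brute force against one account (198.51.100.9 above) and a
    user mistyping once (192.0.2.5) do not match this shape.
    """
    attempts = defaultdict(lambda: defaultdict(int))  # src -> user -> tries
    successes = defaultdict(set)                     # src -> users logged in
    for ev in events:
        attempts[ev["src"]][ev["user"]] += 1
        if ev["result"] == "SUCCESS":
            successes[ev["src"]].add(ev["user"])

    findings = {}
    for src, per_user in attempts.items():
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
            findings[src] = {
                "accounts": sorted(per_user),
                # Accounts the spraying source actually got into: these are
                # the ones to reset and review first.
                "compromised": sorted(successes[src]),
            }
    return findings


if __name__ == "__main__":
    for src, info in detect_spray(parse_auth_log(SAMPLE_LOG)).items():
        print(src, "sprayed", len(info["accounts"]), "accounts;",
              "successful logins:", info["compromised"] or "none")
```

The thresholds are deliberately parameters: `max_per_account` should sit below the directory’s lockout threshold, and `min_accounts` should be tuned against the organisation’s normal shared-egress traffic (a NAT gateway fronting many legitimate users will show many accounts from one source, but with successes rather than a wall of failures).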

From the ransomware front,

  • The American Hospital Association News reports,
    • A joint advisory released Nov. 20 by the Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency and international partners warns of cybercriminal activity by the BianLian ransomware group. The agencies said actions by BianLian actors have impacted multiple sectors across the U.S. since 2022. They operate by gaining access to victims’ systems through valid remote desktop protocol credentials and use open-source tools and command-line scripting for finding and stealing credentials. The actors then extort money from victims by threatening to release the stolen data.
    • “The BianLian group has been listed as one of the most active groups over the last several years, and they have been known to attack the health care sector,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “The group often uses RDP for access, which serves as a reminder to ensure that hospitals strictly limit the use of RDP and similar services to help mitigate this threat and the many others which use RDP as part of their initial access to penetrate networks. They do not appear to be encrypting networks and disrupting hospital operations. In the event that anyone’s personally identifiable information is stolen and think they may be a victim of identity theft, an excellent resource to help assist them is identitytheft.gov.” 
  • Hacker News informs us,
    • “Cybersecurity researchers have shed light on a Linux variant of a relatively new ransomware strain called Helldown, suggesting that the threat actors are broadening their attack focus.
    • “Helldown deploys Windows ransomware derived from the LockBit 3.0 code,” Sekoia said in a report shared with The Hacker News. “Given the recent development of ransomware targeting ESX, it appears that the group could be evolving its current operations to target virtualized infrastructures via VMware.”
    • “Helldown was first publicly documented by Halcyon in mid-August 2024, describing it as an “aggressive ransomware group” that infiltrates target networks by exploiting security vulnerabilities. Some of the prominent sectors targeted by the cybercrime group include IT services, telecommunications, manufacturing, and healthcare.
    • “Like other ransomware crews, Helldown is known for leveraging data leak sites to pressure victims into paying ransoms by threatening to publish stolen data, a tactic known as double extortion. It’s estimated to have attacked at least 31 companies within a span of three months.”
  • Per Dark Reading,
    • “The Akira ransomware group has updated its data-leak website on Nov. 13-14, listing more than 30 of its latest victims — the highest single-day total since the gang first began its malicious operations in March of last year.
    • “The group spares no one, targeting a variety of industries globally, and operates using a ransomware-as-a-service (RaaS) model, stealing sensitive data before encrypting it.
    • “Twenty-five of the latest victims are from the United States, two are from Canada, and the remaining originate from Uruguay, Denmark, Germany, the UK, Sweden, the Czech Republic, and Nigeria.
    • “The researchers at Cyberint found that the business services sector was most frequently targeted by the group, with 10 of its most recent victims belonging to that industry. Other affected sectors include manufacturing, construction, retail, technology, education, and critical infrastructure.” 
  • Security Intelligence tells us,
    • “Any good news is welcomed when evaluating cybercrime trends year-over-year. Over the last two years, IBM’s Threat Index Reports have provided some minor reprieve in this area by showing a gradual decline in the prevalence of ransomware attacks — now accounting for only 17% of all cybersecurity incidents compared to 21% in 2021.
    • “Unfortunately, it’s too early to know if this trendline will continue. A recent report released by Searchlight Cyber shows that there has been a 56% increase in active ransomware groups in the first half of 2024, providing convincing evidence that the fight against ransomware is far from over.”

From the cybersecurity defenses front,

  • Per Cybersecurity Dive,
    • “Artificial intelligence could ease pernicious labor challenges facing the healthcare sector, but health systems will need to boost their cybersecurity spending to manage increased risks, according to a report by Moody’s Ratings. 
    • “The emerging technology could help recruit and retain staff through tools that help nurses pick more flexible schedules or assist clinicians documenting clinical care, according to the credit ratings agency. 
    • “But new technology also brings more vulnerabilities for hackers to exploit — already a challenge for the healthcare industry, which is dependent on IT systems that house sensitive and valuable patient data.”
  • and
    • “Microsoft unveiled the Windows Resiliency Initiative Tuesday, which follows the July global IT outage linked to a faulty CrowdStrike software update, according to a blog post from David Weston, VP of enterprise and OS security at Microsoft. The effort is intended to advance the company’s prior efforts to overhaul its security culture.
    • “We are committed to ensuring that Windows remains the most reliable and resilient open platform for our customers,” Weston said in the blog. 
    • “Microsoft will allow IT administrators to make changes to Windows Update on PCs, even if the machines are unable to boot up. Administrators will not require physical access to the machines to make the necessary changes. 
    • “The service will be available to the Windows Insider Program community starting in early 2025.”
  • Cyberscoop reports,
    • “Professional liability insurance is designed to protect executives against claims of negligence or inadequate work arising from their services. Companies often use these policies to safeguard a business’s financial assets from the potentially high costs of lawsuits and settlements in the event someone alleges executives have failed to uphold their duties. The policies often cover CEOs, CFOs, and other board members, but often fail to include CISOs. 
    • “New Jersey-based insurer Crum & Forster is looking to change that. The company recently unveiled a policy specifically designed to shield CISOs from personal liability. 
    • “Nick Economidis, vice president of eRisk at Crum & Forster, told CyberScoop that the company saw an opportunity since CISOs may not be recognized as corporate officers under a directors and officers liability policy, which normally covers executive liability. 
    • “CISOs are in a no-win situation,” Economidis said. “If everything goes right, that’s what people expect. If something goes wrong, they’re the person that everybody looks at and they’re left holding the bag. Then, there are potentially significant financial ramifications for them because they’re often not covered by traditional [professional liability] insurance policies.”
  • Here is a link to Dark Reading’s CISO Corner.
  • An ISACA commentator explains how to grow cyber defenses from seed to system using a plant pathology approach.
  • Dark Reading offers a commentary on the importance of learning from cybersecurity mistakes.
    • “Despite massive investments in cybersecurity, breaches are still on the rise, and attackers seem to evolve faster than defenses can keep up. The IBM “Cost of a Data Breach Report 2024” estimates the average global breach cost has reached a staggering $4.88 million. But the true damage goes beyond the financial — it’s about how quickly your organization can recover and grow stronger. Focusing only on prevention is outdated. It’s time to shift the mindset: Every breach is an opportunity to innovate.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cybersecurity Dive reports,
    • “The U.S. must take collective action to address “unacceptable” cybersecurity risks to the country, National Cyber Director Harry Coker Jr. said in a speech at Columbia University’s Conference on Cyber Regulation and Harmonization in New York City. Coker called for federal authorities to work together with critical infrastructure providers, private sector companies and other stakeholders. 
    • “Cybersecurity threats like the China state-linked Volt Typhoon present unacceptable risks to the U.S., Coker said, and more investments are required to build long term cyber resilience. As part of that strategy, companies need to ensure that cybersecurity is as much of a focus as quarterly profits. 
    • “At the same time, Coker called for the government to streamline its regulations and harmonize compliance demands for the benefit of the private sector and critical infrastructure providers. This could allow CISOs and other security leaders to spend more time mitigating their own organizational cyber risk, he said.”
  • NextGov/FCW tells us,
    • Jen Easterly, the Cybersecurity and Infrastructure Security Agency’s stalwart champion and a figurehead among cybersecurity and intelligence community practitioners, will leave her post Jan. 20 next year when President-elect Donald Trump is inaugurated back into the White House, people familiar with her plans said.
    • The plans were communicated via internal emails and an all-hands staff meeting, said the people, who asked not to be identified to share news of her departure. Deputy Director Nitin Natarajan also plans to depart at that time, one of the people said. * * *
    • “A CISA spokesperson told Nextgov/FCW that all appointees under the current administration vacate their positions when a new administration takes office and affirmed the agency’s commitment to a seamless transition.” * * *
    • “Ohio Secretary of State Frank LaRose is being considered to lead the agency after Easterly leaves, Politico reported last week, citing four people who have spoken to those in his orbit.”
  • and
    • “With 66 days until Inauguration Day, Federal Chief Information Officer Clare Martorana says her top priority in the last days of the Biden administration is cybersecurity. 
    • “Continuing to make sure that cybersecurity is not an afterthought,” she told Nextgov/FCW on the sidelines of an ACT-IAC event Friday, adding that she wants cyber to be part of the IT community, rather than segmented away from each other.
    • “In government, it just continues to perplex me that we don’t necessarily co-join in our product development and the ongoing maintenance of our digital properties as a single, cohesive team,” she said. 
    • “Second up is facilitating an effective transition for the incoming Trump administration.
    • “Making sure that the next team that comes in knows exactly what we’ve accomplished, knows exactly the areas that we feel need additional attention and that are going to be what the catalysts are for the next four years of technology, customer experience, digital experience evolution” is a “really, really important part of my job right now,” said Martorana. 
    • “I want to make sure that the next federal CIO has the best chance of hitting the ground running and being as effective as they can be,” she added.” 
  • The Government Accountability Office released a report highlighting that
    • “As the lead federal agency for the healthcare and public health critical infrastructure sector, the Department of Health and Human Services (HHS) has faced challenges in carrying out its cybersecurity responsibilities. Implementing our related prior recommendations can help HHS in its leadership role.”
  • The National Institute for Standards and Technology announced,
    • “The initial public draft (ipd) of NIST Special Publication (SP) 800-172r3 (Revision 3), Enhanced Security Requirements for Protecting Controlled Unclassified Information (CUI), is available for comment.
    • “SP 800-172r3 provides recommended security requirements to protect the confidentiality, integrity, and availability of CUI when it is resident in a nonfederal system and organization and is associated with a high value asset or critical program. The enhanced security requirements give organizations the capability to achieve a multidimensional, defense-in-depth protection strategy against advanced persistent threats (APTs) and help to ensure the resiliency of systems and organizations. The enhanced security requirements in SP 800-172r3 supplement the security requirements in SP 800-171 and are intended for use by federal agencies in contractual vehicles or other agreements between those agencies and nonfederal organizations. There is no expectation that all of the enhanced security requirements are needed universally; enhanced security requirements are selected by federal agencies based on specific mission needs and risks.
    • The public comment period is open through January 10, 2025. NIST strongly encourages you to use the comment template available on the publication details page and submit comments to 800-171comments@list.nist.gov. Comments received in response to this request will be posted on the Protecting CUI project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed.
  • FEHB claims data is classified as CUI. Significant changes are called out on this NIST website.

From the cybersecurity vulnerabilities and breaches front,

  • From a November 12, 2024, CISA press release
    • “Today, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and international partners released joint Cybersecurity Advisory, 2023 Top Routinely Exploited Vulnerabilities.” * * *
    • “The authoring agencies urge all organizations to review and implement the recommended mitigations detailed in this advisory. The advisory provides vendors, designers, and developers a guide for implementing secure by design and default principles and tactics to reduce the prevalence of vulnerabilities in their software and end-user organizations mitigations. Following this guidance will help reduce the risk of compromise by malicious cyber actors.”
  • Also on November 12, HHS’s Health Sector Cybersecurity Coordination Center released an Analyst Note on the Godzilla Webshell.
  • CISA added seven known exploited vulnerabilities to its catalog this week.
  • Per Cybersecurity Dive,
    • “Attackers are actively exploiting a pair of previously disclosed vulnerabilities in Palo Alto Networks Expedition, federal cyber authorities said Thursday. 
    • “The Cybersecurity and Infrastructure Security Agency added CVE-2024-9463, an OS command injection vulnerability with a CVSS score of 9.9, and CVE-2024-9465, an SQL injection vulnerability with a CVSS score of 9.2, to its known exploited vulnerabilities catalog on Thursday. The alert comes one week after the agency confirmed another vulnerability in the same product, CVE-2024-5910, was under active exploitation.
    • “Palo Alto Networks disclosed and released a patch for the vulnerabilities along with three additional CVEs in the migration tool on Oct. 9.”
  • Per Dark Reading,
    • “Microsoft pulled its November 2024 Exchange security updates that it released earlier this month for Patch Tuesday due to them breaking email delivery.
    • “This decision came after there were reports from admins saying that email had stopped flowing altogether.
    • “The issue affects Microsoft Exchange customers who use transport rules, or mail flow rules, as well as data loss protection rules. The mail flow rules filter and redirect emails in transit, while the data loss protection rules ensure that sensitive information isn’t being shared via email to an outside organization.”
  • and
    • “ChatGPT exposes significant data pertaining to its instructions, history, and the files it runs on, placing public GPTs at risk of sensitive data exposure, and raising questions about OpenAI’s security on the whole.
    • “The world’s leading AI chatbot is more malleable and multifunctional than most people realize. With some specific prompt engineering, users can execute commands almost like one would in a shell, upload and manage files as they would in an operating system and access the inner workings of the large language model (LLM) it runs on: the data, instructions, and configurations that influence its outputs.
    • “OpenAI argues that this is all by design, but Marco Figueroa, a generative AI (GenAI) bug-bounty programs manager at Mozilla who has uncovered prompt-injection concerns before in ChatGPT, disagrees.
    • “They’re not documented features,” he says. “I think this is a pure design flaw. It’s a matter of time until something happens, and some zero-day is found,” by virtue of the data leakage.”
  • Per AI Business,
    • “When most people think of AI-generated deepfakes, they probably think of videos of politicians or celebrities being manipulated to make it appear as though they said or did something they didn’t. These can be humorous or malicious. When deepfakes are in the news, for instance, it is usually in connection to a political misinformation campaign.
    • “What many people don’t realize, however, is that the malicious use of deepfakes extends well beyond the political realm. Scammers are increasingly adept at using real-time deepfakes to impersonate individuals with certain permissions or clearances, thus granting them access to private documents, sensitive personal data and customer information.” * * *
    • “Governments and businesses are taking deepfakes more and more seriously. Protecting against this kind of manipulation requires a combination of technological solutions and personnel-based ones. First and foremost, a regular red-teaming process must be in place. Stress-testing deepfake detection systems with the latest deepfake technology is the only way to make sure a given detection system is working properly.
    • “The second essential aspect of defending against deepfakes is educating employees to be skeptical of videos and video conferences with requests that seem too drastic, urgent, or otherwise out of the ordinary. A culture of moderate skepticism is part of security awareness and preparedness alongside solid security protocols. Often the first line of defense is common sense and person-to-person verification. This can save companies millions and their cybersecurity teams hundreds of hours.
    • “Alongside technological solutions, the best defense against malicious AI is common sense. Businesses that take this two-pronged approach will have a better shot at protecting themselves than businesses that don’t. Considering the speed at which deepfakes are evolving, this is nothing short of critical.”

From the ransomware front,

  • On November 13, the Register reported,
    • “American Associated Pharmacies (AAP) is the latest US healthcare organization to have had its data stolen and encrypted by cyber-crooks, it is feared.
    • “The criminals over at the Embargo ransomware operation claimed responsibility for the hit job, allegedly stealing 1.469 TB of AAP’s data, scrambling its files, and demanding payment to restore the information.
    • “AAP, which oversees a few thousand independent pharmacies in the country, hasn’t officially confirmed an attack, nor has it responded to The Register’s request for input on the claims. At the time of writing, its website warns all user passwords were recently force-reset. It did not explain why the resets were forced nor mention a cyberattack.
    • “All user passwords associated with both APIRx.com and RxAAP.com have been reset, so existing credentials will no longer be valid to access the sites,” a website notice reads. “Please click ‘forgot password’ on the log in screen and follow the prompts accordingly to reset your password.”
  • Bleeping Computer informs us,
    • “North Korean threat actors target Apple macOS systems using trojanized Notepad apps and minesweeper games created with Flutter, which are signed and notarized by a legitimate Apple developer ID.
    • “This means that the malicious apps, even if temporarily, passed Apple’s security checks, so macOS systems treat them as verified and allow them to execute without restrictions.
    • “The app names are centered around cryptocurrency themes, which aligns with North Korean hackers’ interests in financial theft.
    • “According to Jamf Threat Labs, which discovered the activity, the campaign appears more like an experiment on bypassing macOS security than a fully-fledged and highly targeted operation.”
  • Infosecurity Magazine discusses how ransomware groups use cloud services for data exfiltration.
    • “Alex Delamotte, a threat researcher at SentinelLabs, the cybersecurity provider’s research branch, published The State of Cloud Ransomware in 2024 on November 14.
    • “Cloud services provide an advantage over endpoint and web server-based services by having a smaller attack surface.
    • “However, the ubiquitous use of cloud services makes them attractive to attackers, who have developed new approaches to compromise them.
    • “Despite being designed to securely store, manage, and retrieve large volumes of unstructured data at scale, cloud-based storage services, such as the Amazon Web Services (AWS) Simple Storage Service (S3) or Microsoft Azure Blob Storage, have become prime targets.
    • “S3 buckets are one of the most referenced targets of malicious activity.
    • P.S. S3 buckets are the storage containers that hold objects in Amazon’s Simple Storage Service (S3), a public cloud service. A bucket can be likened to a file folder, although S3 is object storage rather than a file system.

From the cybersecurity defenses front,

  • Per Cybersecurity Dive,
    • “Microsoft will disclose vulnerabilities under the Common Security Advisory Framework, a move designed to help customers respond and remediate CVEs in a more efficient manner, the company said this week.  
    • “CSAF is a format that is machine readable, which helps organizations digest the CVEs faster and in larger volumes. Customers will still be able to get CVE updates through the Microsoft security update guide or through an API based on the Common Vulnerability Reporting Framework. The CVRF serves as the standard for disclosing vulnerability information. 
    • “The CSAF rollout represents the third in a series of changes to make vulnerability disclosure more transparent at Microsoft. The company in June announced Cloud Service CVEs and in April said it would publish root cause analysis using the Common Weakness Enumeration standard.”
  • HHS’s 405(d) program released an Operational Continuity Cyber Incident Checklist.
  • Here is a link to Dark Reading’s CISO Corner.
  • Bleeping Computer lets us know,
    • “Bitdefender has released a decryptor for the ‘ShrinkLocker’ ransomware strain, which uses Windows’ built-in BitLocker drive encryption tool to lock victims’ files.
    • “Discovered in May 2024 by researchers at cybersecurity company Kaspersky, ShrinkLocker lacks the sophistication of other ransomware families but integrates features that can maximize the damage of an attack.
    • “According to Bitdefender’s analysis, the malware appears to have been repurposed from benign ten-year-old code, using VBScript, and leverages generally outdated techniques.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cybersecurity Dive offers “four tech issues to watch in Trump’s second term.”
  • The Wall Street Journal reports,
    • “A federal agency has issued a directive to employees to reduce the use of their phones for work matters because of China’s recent hack of U.S. telecommunications infrastructure, according to people familiar with the matter.
    • “In an email to staff sent Thursday, the chief information officer at the Consumer Financial Protection Bureau warned that internal and external work-related meetings and conversations that involve nonpublic data should only be held on platforms such as Microsoft Teams and Cisco WebEx and not on work-issued or personal phones.
    • “Do NOT conduct CFPB work using mobile voice calls or text messages,” the email said, while referencing a recent government statement acknowledging the telecommunications infrastructure attack. “While there is no evidence that CFPB has been targeted by this unauthorized access, I ask for your compliance with these directives so we reduce the risk that we will be compromised,” said the email, which was sent to all CFPB employees and contractors.
    • “The alert is the latest demonstration of concerns within the federal government about the scale and scope of the hack, which investigators are still endeavoring to fully understand and have attributed to a group dubbed Salt Typhoon.” 
  • The Office of National Coordination for Health IT released version 3.5 of its HIPAA Security Risk Assessment tool for small and medium healthcare entities.

From the cybersecurity vulnerabilities front,

  • The Cybersecurity and Infrastructure Security Agency (CISA) added six known exploited vulnerabilities to its catalog this week.
  • Bleeping Computer adds,
    • “Today, CISA warned that attackers are exploiting a critical missing authentication vulnerability in Palo Alto Networks Expedition, a migration tool that can help convert firewall configuration from Checkpoint, Cisco, and other vendors to PAN-OS.
    • “This security flaw, tracked as CVE-2024-5910, was patched in July, and threat actors can remotely exploit it to reset application admin credentials on Internet-exposed Expedition servers.
    • “Palo Alto Expedition contains a missing authentication vulnerability that allows an attacker with network access to take over an Expedition admin account and potentially access configuration secrets, credentials, and other data,” CISA says.
    • “While the cybersecurity agency has yet to provide more details on these attacks, Horizon3.ai vulnerability researcher Zach Hanley released a proof-of-concept exploit in October that can help chain this admin reset flaw with a CVE-2024-9464 command injection vulnerability (patched last month) to gain “unauthenticated” arbitrary command execution on vulnerable Expedition servers.”
  • Also from Bleeping Computer,
    • “A malicious Python package named ‘fabrice’ has been present in the Python Package Index (PyPI) since 2021, stealing Amazon Web Services credentials from unsuspecting developers.
      According to application security company Socket, the package has been downloaded more than 37,000 times and executes platform-specific scripts for Windows and Linux.
    • “The large number of downloads is accounted for by fabrice typosquatting the legitimate SSH remote server management package “fabric,” a very popular library with more than 200 million downloads.
    • “An expert explained to Bleeping Computer that fabrice remained undetected for so long because advanced scanning tools were deployed after its initial submission on PyPI, and very few solutions conducted retroactive scans.”
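As an added defensive example (not code from the article or from Socket), here is a small Python checker that flags dependency names within one edit of a constructed list of well-known packages; the allowlist and the sample requirements file are illustrative, and fabrice is one edit away from fabric.

```python
"""Flag dependency names that look like typosquats of popular packages.

Added example, not from the article. The popular-package allowlist and the
requirements lines below are constructed for illustration only.
"""
from __future__ import annotations

import re

# Constructed allowlist of well-known package names (illustrative subset).
POPULAR_PACKAGES = {
    "fabric", "requests", "numpy", "boto3", "urllib3", "cryptography",
}


def normalize(name: str) -> str:
    """PEP 503 style normalization: case-fold and collapse runs of -_. to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) using a rolling DP row."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_requirement(line: str) -> str | None:
    """Return the bare project name from a requirements.txt line, or None."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return m.group(1) if m else None


def lookalikes(name: str, max_distance: int = 1) -> list[str]:
    """Popular names within max_distance edits of `name`, excluding exact matches."""
    n = normalize(name)
    hits = []
    for pop in POPULAR_PACKAGES:
        p = normalize(pop)
        if p != n and levenshtein(n, p) <= max_distance:
            hits.append(pop)
    return sorted(hits)


def audit_requirements(text: str) -> dict[str, list[str]]:
    """Map each suspicious requirement name to the popular packages it resembles."""
    findings: dict[str, list[str]] = {}
    for line in text.splitlines():
        name = parse_requirement(line)
        if name is None:
            continue
        hits = lookalikes(name)
        if hits:
            findings[name] = hits
    return findings


# Constructed sample requirements file: 'fabrice' is one edit away from 'fabric'.
SAMPLE_REQUIREMENTS = """\
# constructed sample
fabrice==1.0.0
requests>=2.31
numpy
"""

if __name__ == "__main__":
    for pkg, hits in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{pkg}: resembles {', '.join(hits)}")
```

Exact matches are deliberately excluded, so the legitimate packages in the sample pass while the lookalike is reported.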

From the ransomware front,

  • Per Bleeping Computer,
    • “After being used in Akira and Fog ransomware attacks, a critical Veeam Backup & Replication (VBR) security flaw was also recently exploited to deploy Frag ransomware.
    • “Code White security researcher Florian Hauser found that the vulnerability (tracked as CVE-2024-40711) is caused by a deserialization of untrusted data weakness that unauthenticated threat actors can exploit to gain remote code execution (RCE) on Veeam VBR servers.
    • “watchTowr Labs, which published a technical analysis on CVE-2024-40711 on September 9, delayed releasing a proof-of-concept exploit until September 15 to give admins enough time to apply security updates issued by Veeam on September 4.”
    • “Code White also delayed sharing more details when it disclosed the flaw because it “might instantly be abused by ransomware gangs.”
  • and
    • “A new phishing campaign dubbed ‘CRON#TRAP’ infects Windows with a Linux virtual machine that contains a built-in backdoor to give stealthy access to corporate networks.
    • “Using virtual machines to conduct attacks is nothing new, with ransomware gangs and cryptominers using them to stealthily perform malicious activity. However, threat actors commonly install these manually after they breach a network.
    • “A new campaign spotted by Securonix researchers is instead using phishing emails to perform unattended installs of Linux virtual machines to breach and gain persistence on corporate networks.
  • and
    • “UK’s National Cyber Security Centre (NCSC) has published an analysis of a Linux malware named “Pigmy Goat” created to backdoor Sophos XG firewall devices as part of recently disclosed attacks by Chinese threat actors.
    • “Last week, Sophos published a series of reports dubbed “Pacific Rim” that detailed five-year attacks by Chinese threat actors on edge networking devices.
    • “One of the custom malware used in these attacks is a rootkit that closely impersonated Sophos product file naming conventions.
    • “The malware, which is designed for compromising network devices, features advanced persistence, evasion, and remote access mechanisms and has a rather complex code structure and execution paths.
    • “Although the NCSC report does not attribute the observed activity to known threat actors, it underlines similar techniques, tactics, and procedures (TTPs) to the “Castletap” malware, which Mandiant has associated with a Chinese nation-state actor.”

From the cybersecurity defenses front,

  • Cybersecurity Dive tells us,
    • “Google Cloud is mandating multifactor authentication for all users, the company said in a Monday blog post. It will roll out MFA in phases through the end of 2025.
    • “The hyperscaler said it will start encouraging users to enroll in MFA this month. More than 70% of Google accounts owned by people who regularly use its products already use MFA, the company said. 
    • “In early 2025, Google Cloud said it will require MFA for all users who sign into their account with a password. By the end of next year, the MFA requirement will extend to all users who federate authentication into Google Cloud via identity providers.” 
  • A Dark Reading commentator discusses “[t]he Power of Process in Creating a Successful Security Posture. Establishing realistic, practitioner-driven processes prevents employee burnout, standardizes experiences, and closes many of the gaps exposed by repeated one-offs.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cyberscoop tells us,
    • “The White House is close to finalizing a second executive order on cybersecurity that covers a wide range of subjects for federal agencies to address, including artificial intelligence, secure software, cloud security, identity credentialing and post-quantum cryptography, according to sources familiar with work on the document.
    • “The executive order, a follow-up to the sweeping cybersecurity executive order President Joe Biden signed in his first year in office, had been working its way through the interagency process, during which agencies give feedback on the draft, sources said.
    • “According to one source familiar with the order, the interagency process has wrapped up and a draft is “95%” of the way toward its final incarnation. The target is to get something signed in early December, subject to the president’s review and approval. But another source recently told CyberScoop that the executive order is viewed as “pretty aspirational to get it done.”
  • and
    • “A coalition of influential infrastructure trade groups and associations want to change key definitions around an incoming cyber reporting mandate, citing long-standing “concerns” around the Cybersecurity and Infrastructure Security Agency’s engagement process and existing regulatory requirements.
    • “In a letter to CISA Director Jen Easterly this week, 21 organizations from the communications, energy, aviation, IT, and transportation sectors, among others, asked the cyber agency to start an “ex parte” process that would apply the critical infrastructure cyber reporting mandate “in a manner consistent with congressional intent.”
    • “Simply put, the public record to date is insufficient, and a single round of comments in response to CISA’s [Notice of Proposed Rulemaking] will not allow the agency to effectively capture and leverage stakeholder feedback,” the letter states. “Absent increased industry engagement, CISA’s proposed regulation may inadvertently impose requirements that hinder rather than help our sectors maintain security and operational efficiency.”
  • Per Fedscoop,
    • “A week before a deadline for federal agencies to submit to the White House their updated zero-trust implementation plans, a coalition of government IT leaders released a guide intended to strengthen data security practices.
    • “The 42-page Federal Zero Trust Data Security Guide, spearheaded by the Federal Chief Data Officers and Federal Chief Information Security Officers councils, zeroes in on “securing the data itself, rather than the perimeter protecting it,” part of what a Thursday press release termed “a foundational pillar of effective” zero-trust implementation.
    • “By Nov. 7, federal agencies must provide their updated plans for zero-trust implementation to the Office of the National Cyber Director and the Office of Management and Budget.
    • “This guide represents insights from agency practitioners who are in the trenches working to implement zero trust and secure their organization’s data,” Kirsten Dalboe, the Federal Energy Regulatory Commission’s CDO and chair of the CDO Council, said in a statement. “We’re building a cooperative relationship between data and cyber to tackle this government-wide challenge and ultimately ensure the public’s data is secured.” 
  • Per October 31, 2024, HHS press releases,
    • “Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with Plastic Surgery Associates of South Dakota in Sioux Falls, for several potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, following its investigation into a ransomware attack breach by OCR. Ransomware and hacking are the primary cyber-threats in health care.” * * *
    • “OCR initiated an investigation following the receipt of a breach report filed by Plastic Surgery Associates of South Dakota in July 2017, which reported that it discovered that nine workstations and two servers were infected with ransomware, affecting the protected health information of 10,229 individuals. The credentials the hacker(s) used to access Plastic Surgery Associates of South Dakota’s network were obtained through a brute force attack (hacking method that uses trial and error to guess passwords, login information, encryption keys, etc.) to their remote desktop protocol. After discovering the breach, Plastic Surgery Associates of South Dakota was unable to restore the affected servers from backup.
    • “OCR’s investigation revealed multiple potential violations of the HIPAA Security Rule, including failures to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems; implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level; implement procedures to regularly review records of information system activity; and implement policies and procedures to address security incidents.” * * *
    • “Under the terms of the settlement, Plastic Surgery Associates of South Dakota paid $500,000 to OCR and agreed to implement a corrective action plan that requires them to take steps to resolve potential violations of the HIPAA Security Rule and protect the security of electronic protected health information.” * * *
    • “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/psa-ra-cap/index.html .”
  • and
    • “Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Bryan County Ambulance Authority (BCAA), a provider of emergency medical services in Oklahoma for a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement resolves an investigation concerning a ransomware attack on BCAA’s information systems.” * * *
    • “In May 2022, OCR received a breach report concerning a ransomware incident that encrypted files on BCAA’s network. BCAA determined that the encrypted files affected the protected health information of 14,273 patients. OCR’s investigation determined that BCAA had failed to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in BCAA’s systems.
    • “Under the terms of the resolution agreement, BCAA agreed to pay $90,000 and to implement a corrective action plan that will be monitored by OCR for three years. Under the corrective action plan, BCAA will take a number of steps to ensure compliance with the HIPAA Security Rule and protect the security of ePHI * * * . * * *
    • “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/bcaa-ra-cap/index.html .”

From the cybersecurity vulnerabilities and breaches front,

  • Infosecurity Magazine lets us know,
    • “Cybersecurity firm Sophos has detailed evolving tactics by Chinese advanced persistent threat (APT) groups following five years of collecting telemetry on campaigns targeting its customers.
    • “Working with other cybersecurity vendors, governments and law enforcement agencies, the researchers were able to attribute specific clusters of observed activity from December 2018 to November 2023 to the groups Volt Typhoon, APT31 and APT41/Winnti.
    • “A notable shift from widespread, indiscriminate attacks towards narrow targeting of high value organizations was observed over the period.
    • “Sophos assessed with high confidence that exploits developed by the threat actors were shared with multiple Chinese state-sponsored frontline groups, which have differing objectives, capabilities, and post-exploitation tooling.
    • “The analysis was conducted in response to calls from the UK’s National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) for technology developers to provide transparency around the scale of exploitation of edge network devices by state-sponsored adversaries.
    • “In the interests of our collective resilience, we encourage other vendors to follow our lead,” Sophos wrote in a blog dated October 31, 2024.”
  • Cybersecurity Dive alerts us on October 31,
    • “Fortinet alerted customers to four new indicators of compromise for a widely exploited zero-day vulnerability in its network and security management tool FortiManager in an updated security advisory on Wednesday.
    • “The cybersecurity vendor said the situation is evolving and the updates don’t reflect any major changes. “Since we worked with the hosting provider to take down the actor infrastructure, some IP IoCs have changed,” a Fortinet spokesperson said Wednesday in an email.
    • “Fortinet initially disclosed active exploitation of CVE-2024-47575, a missing authentication for critical function vulnerability which has a CVSS score of 9.8, last week. Mandiant said at least 50 organizations across various industries were impacted by a spree of attacks it described as a “mass exploitation” event.”
  • Cybersecurity Dive adds,
    • “Enterprise modernization initiatives are too often threatened by aging infrastructure and systems that have run out of technical support, according to a recent Kyndryl report. The IT services firm surveyed 3,200 C-suite executives and collected anonymized customer data from its Kyndryl Bridge platform.
    • “While 9 in 10 executives said their company’s technology is best-in-class, nearly two-thirds acknowledged that outdated systems present a major concern. Data indicating 44% of mission-critical enterprise IT infrastructure is approaching or at end-of-life confirmed the apparent paradox.
    • “If a company lacks comprehensive IT asset and configuration management, locating tech debt is a challenge, according to Michael Bradshaw, Kyndryl’s SVP and global practice leader for applications, data and AI. “It’s almost like an archaeological dig,” he said. “You don’t know where the problems are unless you stub your toe on something that’s reached end-of-support.”
  • CISA did not add known exploited vulnerabilities to its catalog this week.

From the ransomware front,

  • The American Hospital Association reports,
    • “The Cybersecurity and Infrastructure Security Agency Oct. 31 issued an alert on a large-scale spear-phishing campaign targeting organizations in several sectors. The agency received multiple reports on the matter. According to the agency, the foreign threat actor, often posing as a trusted entity, sends spear-phishing emails with malicious remote desktop protocol files to targeted organizations to connect to and access files stored on the target’s network. If the threat actor gains access, it could perform additional activities, such as deploying malicious code to achieve persistent access to the target’s network. CISA, other federal agencies and partners are coordinating and assessing the impact of the campaign and urged organizations to take proactive measures to protect their data and systems. 
    • “The malicious use of RDP to conduct cyberattacks, including highly disruptive ransomware attacks, continues to be a significant attack vector used by foreign cybercriminals, ransomware gangs and spies,” said John Riggi, AHA national advisor for cybersecurity and risk. “To help mitigate this type of cyberattack risk, it is strongly recommended health care organizations restrict outbound RDP connections, block RDP connections in communication platforms, prevent execution of RDP files and use phishing-resistant multi-factor authentication for all remote access. Please review the alert for additional recommendations.” 
  • Info Security reports,
    • “A North Korean-backed hacking group has engaged in a ransomware campaign for the first time, according to Palo Alto Networks.
    • “Jumpy Pisces, a hacking group tied to the Reconnaissance General Bureau of the Korean People’s Army, has been involved in a recent ransomware incident, according to a new report by Palo Alto’s threat intelligence team, Unit 42, published on October 30.
    • “This marks a shift in the nation-state group’s tactics and the first time they have been involved with financially motivated cyber threat actors.”

From the cyber defenses front,

  • Cybersecurity Dive relates,
    • “UnitedHealth Group appointed Tim McKnight to CISO, marking a change in the company’s security leadership eight months after a ransomware attack on subsidiary Change Healthcare led to sustained nationwide disruptions. McKnight shared the news on LinkedIn this week.
    • “McKnight replaces Steven Martin, who became CISO in May 2023, nine months before the ransomware attack. As part of the change, Martin shifted to a new role at UnitedHealth as chief restoration officer. Martin previously served as CIO and CTO at Change Healthcare and Optum, another subsidiary of UnitedHealth Group.
    • “Earlier this month, UnitedHealth Group confirmed the cyberattack, which involved compromised credentials to a remote access Citrix portal, compromised data on at least 100 million people, the largest healthcare data breach ever reported to federal regulators. The attack also hinged on a consequential mistake the healthcare giant made in failing to protect a critical system: it did not turn on multifactor authentication.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Federal News Network tells us,
    • “The White House’s lead regulatory office is reviewing a proposed rule that would upgrade the cybersecurity protections required under the Health Insurance Portability and Accountability Act (HIPAA).
    • “The White House Office of Information and Regulatory Affairs (OIRA) received the proposed rule on Oct. 18.
    • The changes to the HIPAA security rule will “improve cybersecurity in the health care sector by strengthening requirements for HIPAA regulated entities to safeguard electronic protected health information to prevent, detect, contain, mitigate, and recover from cybersecurity threats,” according to a rule abstract published by OIRA.
    • “OIRA is in charge of reviewing major agency rulemakings before they are published. Once the HIPAA updates clear White House review, the Department of Health and Human Services would be able to release the Notice of Proposed Rulemaking for public comment.”
  • Here’s the entry in reginfo.gov:
    • AGENCY: HHS-OCR. RIN: 0945-AA22. Status: Pending Review.
      TITLE: Proposed Modifications to the HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information
      STAGE: Proposed Rule. SECTION 3(f)(1) SIGNIFICANT: Yes. RECEIVED DATE: 10/18/2024
      LEGAL DEADLINE: None
  • Fedscoop tells us,
    • “The Biden administration published its anticipated national security memo on artificial intelligence Thursday, establishing a roadmap that aims to ensure U.S. competitiveness with adversaries on the technology, while still upholding democratic values in its deployment. 
    • “Specifically, the memo details more responsibilities for the Department of Commerce’s AI Safety Institute, directs agencies to evaluate models for risks and identify areas in which the AI supply chain could be disrupted, outlines actions to streamline acquisition of AI used for national security, and defines new governance practices for federal agencies through a new framework.
    • “In remarks on the memo delivered Thursday at National Defense University, National Security Advisor Jake Sullivan highlighted the potential AI has for the country’s national security advantage but spoke in dire terms about taking action.
    • “The stakes are high,” Sullivan said. “If we don’t act more intentionally to seize our advantages, if we don’t deploy AI more quickly and more comprehensively to strengthen our national security, we risk squandering our hard-earned lead.”
  • Per a NIST announcement,
    • “NIST has released an initial public draft (ipd) revision of Special Publication (SP) 800-131A, Transitioning the Use of Cryptographic Algorithms and Key Lengths.
    • “NIST provides cryptographic key management guidance for defining and implementing appropriate key-management procedures, using algorithms that adequately protect sensitive information, and planning for possible changes in the use of cryptography because of algorithm breaks or the availability of more powerful computing techniques. This publication provides guidance on transitioning to the use of stronger cryptographic keys and more robust algorithms.
    • “This revision proposes a) the retirement of ECB as a confidentiality mode of operation and the use of DSA for digital signature generation and b) a schedule for the retirement of SHA-1 and the 224-bit hash functions. This draft also discusses the transition from a security strength of 112 bits to a 128-bit security strength and to quantum-resistant algorithms for digital signatures and key establishment.
    • The public comment period is open through December 4, 2024. See the publication details for a copy of the draft and instructions for submitting comments.”
  • The Wall Street Journal reports,
    • “Four tech companies settled federal cases over allegations they misled investors about the extent to which they were compromised in the 2020 SolarWinds hack. 
    • “Avaya Holdings, Check Point Software Technologies, Mimecast and Unisys didn’t admit wrongdoing in separate deals with the U.S. Securities and Exchange Commission, which found their financial disclosures played down what the companies knew about how their systems were affected by breached SolarWinds software. 
    • “Unisys agreed to pay a penalty of $4 million, and the other three companies will pay about $1 million each.
    • “In a breach disclosed in 2020, which the U.S. later attributed to Russia, hackers slipped malicious code into software from Austin, Texas-based SolarWinds. Thousands of customers inadvertently downloaded the malware. Moscow has denied involvement.”

From the cybersecurity vulnerabilities and breaches front,

  • Cyberscoop lets us know,
    • “The Change Healthcare data breach in February affected 100 million Americans, the company told the Health and Human Services Department this week, making it the biggest breach of health care data ever reported to U.S. regulators.
    • “The development is the latest ripple in what was already an unprecedented attack, one in which the company paid a $22 million ransom, resulted in estimated losses of more than $1 billion and attracted the attention of policymakers who have sought new rules for the industry.
    • “Change Healthcare notified HHS about the updated number, with the company previously stating only that “a substantial proportion of people in America” were affected. HHS posted about the new figure in its own update Thursday. HHS’s Office of Civil Rights is conducting an investigation of the breach.
    • “The previous record for victims of a breach in the sector was the Anthem breach of 2015, which impacted nearly 79 million Americans and resulted in the company paying a $16 million settlement to HHS.”
  • Cybersecurity Dive adds,
    • “Attackers are actively exploiting a critical zero-day vulnerability in Fortinet’s network and security management tool FortiManager, according to security researchers and federal authorities. The earliest exploitation was on June 27, and at least 50 organizations across various industries have been impacted to date, Mandiant said in a Wednesday blog post.
    • “Fortinet disclosed active exploitation of CVE-2024-47575, which has a CVSS score of 9.8, in a security advisory Wednesday. Hours later, the Cybersecurity and Infrastructure Security Agency added the CVE to its known exploited vulnerabilities catalog. Fortinet did not say how many customers are impacted or when it became aware of CVE-2024-47575 and active exploitation.
    • “The exploitation observed thus far appears to be automated in nature and is identical across multiple victims,” Mandiant Consulting CTO Charles Carmakal said in a Wednesday post on LinkedIn. “However, with most mass exploitation campaigns, we often observe targeted follow-on activity at some victims.”
  • Dark Reading informs us,
    • “Russia’s premiere advanced persistent threat group has been phishing thousands of targets in militaries, public authorities, and enterprises.
    • “APT29 (aka Midnight Blizzard, Nobelium, Cozy Bear) is arguably the world’s most notorious threat actor. An arm of the Russian Federation’s Foreign Intelligence Service (SVR), it’s best known for the historic breaches of SolarWinds and the Democratic National Committee (DNC). Lately, it has breached Microsoft’s codebase and political targets across Europe, Africa, and beyond.
    • “APT29 embodies the ‘persistent’ part of ‘advanced persistent threat,'” says Satnam Narang, senior staff research engineer at Tenable. “It has persistently targeted organizations in the United States and Europe for years, utilizing various techniques, including spear-phishing and exploitation of vulnerabilities to gain initial access and elevate privileges. Its modus operandi is the collection of foreign intelligence, as well as maintaining persistence in compromised organizations in order to conduct future operations.”
  • Per Bleeping Computer,
    • “Cisco fixed a denial-of-service flaw in its Cisco ASA and Firepower Threat Defense (FTD) software, which was discovered during large-scale brute force attacks against Cisco VPN devices in April.
    • “The flaw is tracked as CVE-2024-20481 and impacts all versions of Cisco ASA and Cisco FTD up until the latest versions of the software.
    • “A vulnerability in the Remote Access VPN (RAVPN) service of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) of the RAVPN service,” reads the CVE-2024-20481 security advisory.”

From the ransomware front,

  • Dark Reading points out,
    • “Nearly 400 US healthcare organizations have been infected with ransomware this fiscal year, compromising private information, disrupting facilities, and putting lives at risk, according to a study released this week.
    • “The average payment that these organizations have reported paying has gone up to roughly $4.4 million and is costing facilities up to $900,000 in downtime, putting healthcare among ransomware’s most lucrative target sectors.
    • “The disruption that healthcare operations face when hit with ransomware attacks doesn’t just affect hospitals either. It also impacts clinics and doctors in adjacent areas, which absorb displaced patients in these emergencies.” * * *
    • According to the study, ransomware has become such a pronounced issue for the healthcare sector because of its track record of complying with the bad actors and making ransom payments. But since these organizations are dealing with literal life and death issues, they are usually willing to pay millions of dollars to avoid any disruption of care and the data that support it.
  • Cyberscoop relates,
    • “Ransomware developers are used to their malware being detected. Once defenses against it have been built, they revise and update their code to circumvent those defenses. Then developers deploy an updated version in renewed attacks, often with increased sophistication, to evade detection and achieve their malicious objectives.
    • “That cycle has started anew with the Qilin ransomware-as-a-service operation, according to a new report from the cybersecurity firm Halcyon about the group’s updated and upgraded variant. 
    • “Researchers at the firm warned Thursday that “Qilin.B” is a “more advanced” ransomware variant that boosted encryption and evasion techniques to the big game hunters’ arsenal.
    • “Qilin.B’s combination of enhanced encryption mechanisms, effective defense evasion tactics, and persistent disruption of backup systems marks it as a particularly dangerous ransomware variant,” the report noted.”
  • Per Cybersecurity Dive,
    • “Ransomware attacks hit at least 30 organizations using SonicWall firewalls running firmware affected by a critical vulnerability the vendor disclosed and patched two months ago, security researchers at Arctic Wolf Labs said Thursday.
    • “SonicWall disclosed and patched the improper access control vulnerability, CVE-2024-40766, which has a CVSS score of 9.3, on Aug. 22. Arctic Wolf Labs said it began observing Akira and Fog ransomware variant intrusions involving the affected SSL VPN feature of SonicWall firewalls in early August.
    • “We have observed a significant increase in activity consistent with attempted intrusions since August, with spikes in activity typically occurring during non-business hours,” Bret Fitzgerald, senior director of global public relations at SonicWall, said Thursday via email.”
  • Bleeping Computer alerts us,
    • “The BlackBasta ransomware operation has moved its social engineering attacks to Microsoft Teams, posing as corporate help desks contacting employees to assist them with an ongoing spam attack.
    • “Black Basta is a ransomware operation active since April 2022 and responsible for hundreds of attacks against corporations worldwide.
    • “After the Conti cybercrime syndicate shut down in June 2022 following a series of embarrassing data breaches, the operation split into multiple groups, with one of these factions believed to be Black Basta.”

From the cybersecurity defenses front,

  • Cybersecurity Dive reports,
    • “Microsoft Chair and CEO Satya Nadella asked for the board to reduce part of his annual compensation package to account for his role in how the company prepared for malicious cyberattacks that led to an overhaul of its internal security culture. 
    • “Nadella received more than $79 million in total compensation in fiscal 2024, which included a base salary of $2.5 million, about $71.2 million in stock awards and $5.2 million in non-equity incentive plan compensation, according to a filing with the Securities and Exchange Commission. The total included almost $170,000 classified as other compensation. 
    • “However, Nadella “asked the board to consider departing from the established performance metrics and reduce his cash incentive to reflect his personal accountability for the focus and speed required for the changes that today’s cybersecurity threat landscape showed were necessary,” according to a letter included in the filing from the compensation committee at Microsoft.” 
  • Per Bleeping Computer,
    • Apple created a Virtual Research Environment to allow public access to testing the security of its Private Cloud Compute system, and released the source code for some “key components” to help researchers analyze the privacy and safety features on the architecture.
    • The company also seeks to improve the system’s security and has expanded its security bounty program to include rewards of up to $1 million for vulnerabilities that could compromise “the fundamental security and privacy guarantees of PCC.”
    • Private Cloud Compute (PCC) is a cloud intelligence system for complex AI processing of data from user devices in a way that does not compromise privacy.
  • Cybersecurity Dive shares Gartner’s four ways AI could impact employees, workflows.
  • Here is a link to Dark Reading’s CISO Corner.
  • An ISACA commentator discusses “How the Emerging Technology Landscape is Impacting Cybersecurity Audits.”
  • “In a conversation with The Regulatory Review, Penn Medicine Chief Privacy Officer Lauren Steinfeld discusses how health care systems work to comply with regulations on data privacy.”
  • Tripwire shares “Advanced Tips for Leveraging the NIST Cybersecurity Framework for Compliance.”