Cybersecurity Saturday

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cybersecurity Dive reported on December 13,
    • “The Senate confirmed Harry Coker Jr. as national cyber director Tuesday, ending a 10-month absence of a permanent leader in the role.
    • “The Navy veteran and executive director of the National Security Agency from 2017 to 2019, will lead the Office of the National Cyber Director and its team of about 100 employees after the Senate confirmed his nomination by a 59-40 vote.
    • “Coker joins the White House at a critical time, with the onus now on him to implement the national cybersecurity strategy that aims to shift the responsibility for security to technology manufacturers and vendors instead of customers.”
  • Bank Info Security explains,
    • “In a Friday advisory, CISA said it had performed the assessment in January at the request of a “large organization deploying on-premise software” that the agency did not identify.
    • “The risk and vulnerability assessment is a two-week penetration test of an entire organization. The first week is spent on external testing, and the second week focuses on assessing the internal network. The CISA team identified default credentials for multiple web interfaces and used default printer credentials while penetration testing. Other internal assessment testing found several other weaknesses.
    • “Based on its findings, the agency recommends healthcare and public health sector organizations ensure measures such as enhancing their internal environments to mitigate follow-on activity after initial access, using phishing-resistant multifactor authentication for all administrative access, and segregating networks. It also recommends verifying the implementation of those hardening measures, including changing, removing or deactivating all default credentials.
    • “CISA said its recommendations can apply to all critical infrastructure organizations as well as to software manufacturers.
    • “The agency said that as part of its assessment, its team had conducted web application, phishing, penetration, database and wireless assessments.”

From the cybersecurity vulnerability and breaches front,

  • Cybersecurity Dive reports,
    • “U.S. authorities warn that threat actors linked to the Russian Foreign Intelligence Service (SVR) are exploiting a critical vulnerability in JetBrains TeamCity software as part of a worldwide effort that could lead to extensive supply chain attacks.
    • “The FBI, National Security Agency, Cybersecurity and Infrastructure Security Agency, along with U.K. and Polish authorities, said Nobelium/Midnight Blizzard — a threat group linked to the 2020 Sunburst attacks against SolarWinds — has been targeting hundreds of unpatched TeamCity servers across the globe, which are widely used for software development. 
    • “The hackers have not yet launched supply chain attacks, but have used their initial access to escalate privileges, move laterally within systems and install malicious backdoors in preparation for larger attacks, authorities said.”
  • and
    • “CitrixBleed isn’t going away: Security experts struggle to control critical vulnerability. While officials echo urgent mitigation steps to contain the zero-day vulnerability, high-profile organizations continue to bear the impact.”
  • CISA added a known exploited vulnerability to its catalog on December 11.

From the ransomware front, Bleeping Computer’s Week in Ransomware is back this week.

From the cybersecurity defenses front,

  • CISA offers insights from its intensive risk assessment project discussed above under cybersecurity policy.
    • Here are the headlines:
      • “ACTIONS TO TAKE TODAY TO HARDEN YOUR INTERNAL ENVIRONMENT TO MITIGATE FOLLOW-ON ACTIVITY AFTER INITIAL ACCESS.
      • “Use phishing-resistant multi-factor authentication (MFA) for all administrative access.
      • “Verify the implementation of appropriate hardening measures, and change, remove, or deactivate all default credentials.
      • “Implement network segregation controls.”
  • ISACA offers five things for various professionals to put on their 2024 to-do lists. Here are the five things for cybersecurity and privacy professionals. Check them out.
  • Security Boulevard discusses the next great line of defense, security as a code (SaC).
    • “Security as Code (SaC) is the practice of building and integrating security into tools and workflows by identifying places where security checks, tests, and gates may be included.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • Healthcare Dive reports,
    • “The HHS released [on December 6] a working paper this week that outlines its strategy to support cybersecurity in healthcare, including proposing hospital cybersecurity requirements through Medicare and Medicaid and beginning to update the HIPAA rule.
    • “The paper details steps to improve resilience among healthcare organizations, like establishing voluntary cybersecurity goals for the sector, working with Congress to receive new authority and funding, and adding goals into existing regulations and programs.
    • “The strategy comes as healthcare organizations face growing threats of cyberattacks that jeopardize patient safety and privacy. The HHS’ Office for Civil Rights found a 93% increase in large breaches reported from 2018 to 2022, and a 278% increase in large breaches involving ransomware.  * * *
    • “Money and voluntary goals alone won’t drive enough change, the department said. The HHS’ third step focuses on proposing to add healthcare-specific cybersecurity goals into existing regulations, which will inform future standards.
    • “The CMS will propose new cybersecurity requirements for hospitals through Medicare and Medicaid and the HHS’ OCR will begin to update the HIPAA Security Rule in the spring to include new standards. [Reginfo.gov tells us the proposed rule is expected to be released in September 2024.]
    • “The American Hospital Association CEO Rick Pollack said the trade and lobbying group welcomes more federal expertise and funding to protect the sector from cyberattacks, but it can’t support mandatory requirements.
    • “Many recent cyberattacks against hospitals have originated from third-party technology and other vendors. No organization, including federal agencies, is or can be immune from cyberattacks,” Pollack said in a statement. “Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cyber crime and would be counterproductive to our shared goal of preventing cyberattacks.”
  • Cyberscoop tells us,
    • “Addressing computer security vulnerabilities by quickly finding and patching flaws is a fundamentally broken model in need of being overhauled, Eric Goldstein, a top cybersecurity official at the Cybersecurity and Infrastructure Security Agency, said Friday.
    • “To say that our solution to cybersecurity is at least in part, patch faster, fix faster, that is a failed model,” Goldstein said at an event held by the nonprofit International Information System Security Certification Consortium. “It is a model that does not account for the capability and the acceleration of the adversaries who we’re up against.”
    • “Goldstein, the executive assistant director for cybersecurity at CISA, argued that delivering broad gains in computer security requires a “philosophical shift” that puts a smaller burden on school districts, water utilities, and small businesses to maintain secure systems, and asks more of the large companies to provide secure software and hardware.
    • “If you’re a school district, a water utility, a small business, you’re fundamentally not going to repeatedly succeed over time against the malicious actors that we are trying to manage every day,” Goldstein said.”
  • The Department of Health and Human Services Office of Civil Rights announced,
    • “a settlement with Lafourche Medical Group, a Louisiana medical group specializing in emergency medicine, occupational medicine, and laboratory testing. The settlement resolves an investigation following a phishing attack that affected the electronic protected health information of approximately 34,862 individuals. Phishing is a type of cybersecurity attack used to trick individuals into disclosing sensitive information via electronic communication, such as email, by impersonating a trustworthy source. This marks the first settlement OCR has resolved involving a phishing attack under the Health Insurance Portability and Accountability Act (HIPAA) Rules. HIPAA is the federal law that protects the privacy and security of health information. 
    • “Phishing is the most common way that hackers gain access to health care systems to steal sensitive data and health information,” said OCR Director Melanie Fontes Rainer. “It is imperative that the health care industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks. We all have a role to play in keeping our health care system safe and taking preventive steps against phishing attacks. * * *
    • “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/lafourche-medical-group/index.html
  • The Federal Bureau of Investigation announced,
    • “The Securities and Exchange Commission’s new requirements for companies to disclose material cybersecurity incidents take effect on December 18, 2023. The FBI, in coordination with the Department of Justice, is providing guidance on how victims can request disclosure delays for national security or public safety reasons.
    • “You can click on the buttons at the bottom of this page to read guidance on requesting a delay and providing necessary information to the FBI, to view the SEC Rule, and to read the FBI’s Policy Notice about how victim requests are processed.  
    • “The FBI recommends all publicly traded companies establish a relationship with the cyber squad at their local FBI field office. The FBI also strongly encourages companies to contact the FBI soon after a cyber incident is discovered. This early outreach allows the FBI to familiarize itself with the facts and circumstances of an incident before the company makes a materiality determination. If the victim of a cyber intrusion engages with the FBI, that doesn’t trigger materiality. However, it could assist with the FBI’s review if the company determines that a cyber incident is material and seeks a disclosure delay. 
    • Please note that delay requests won’t be processed unless they are made immediately upon a company’s determination of materiality.”
  • The National Institute of Standards and Technology released an updated
    • The NIST Cybersecurity and Privacy Reference Tool (CPRT) [which] provides a way to browse, view mappings, and download reference data from select NIST cybersecurity and privacy standards, guidelines, and Frameworks– all in standardized data formats (you can currently pick from XLSX or JSON). These tabular datasets will make it easier for users of NIST guidance to identify, locate, compare, and customize content without needing to review hundreds of pages of narrative within publications.

From the cybersecurity vulnerabilities and breaches front,

  • The HHS health sector Cybersecurity Coordination Center (HC3) issued its November report on vulnerabilities of interest to the health sector.
    • “In November 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for November are from Microsoft, Google/Android, Apple, Mozilla, Cisco, SAP, VMWare, Adobe, Fortinet, Atlassian, Becton, Dickinson (BD) and Company, and ownCloud. A vulnerability is given the classification of a zero-day when it is actively exploited with no fix available, or if it is publicly disclosed. HC3 recommends patching all vulnerabilities, with special consideration to the risk management posture of the organization.”
  • The Cybersecurity and Infrastructure Security Agency added two known exploited vulnerabilities to its catalog on December 4, four more on December 5 and another two on December 7.
  • HC3 posted a white paper on ownCloud vulnerability.
    • “The ownCloud platform allows organizations to store, synchronize, and share files and other content, as well as collaborate and consolidate work processes. This platform is known to be deployed across the U.S. health sector, among other industries. The nature of this platform provides cyber-attackers with a target that can potentially provide access to sensitive health information, as well as a staging point for further attacks. Three vulnerabilities were recently identified in certain versions of ownCloud, the most egregious of which is known to be under active attack. HC3 recommends healthcare organizations running ownCloud identify vulnerable instances and prioritize implementation of the mitigation steps in this document.”
  • HC3 also posted a PowerPoint about Open Source Software risks in the health sector.
  • Federal News Network informs us,
    • “The Cybersecurity and Infrastructure Security Agency is reminding agencies and the public to patch known cyber vulnerabilities after a federal agency was hacked earlier this year by threat actors leveraging a bug in outdated software.
    • “In a cyber advisory issued this week, CISA said unidentified threat actors exploited a vulnerability in older versions of Adobe ColdFusion software to gain access to the network of a federal civilian executive branch agency. The specific agency was not identifie
    • “Analysis of the agency’s network logs confirmed the compromise of “at least two public-facing servers” within the agency’s environment between June and July of this year.
    • “Both servers were running outdated versions of software which are vulnerable to various [Common Vulnerabilities and Exposures],” CISA said in the advisory.”
  • Per Cybersecurity Dive,
    • “Cyberattacks and data breaches are exposing personal data at an ever-growing rate, according to an Apple-commissioned study conducted by Stuart Madnick, professor of IT at Massachusetts Institute of Technology, published Thursday.
    • “More than 2.6 billion personal records were compromised in 2021 and 2022, and the number of records breached jumped 36% in 2022 to 1.5 billion, the report said.
    • “Data breaches at U.S. organizations are at an all-time high, up 20% in the first nine months of 2023 compared to all of last year, the study found.”
  • and
    • “Two years after the historic disclosure of a critical zero-day vulnerability in the Apache Log4j library sent organizations racing to contain the damage, nearly 2 in 5 applications are still using vulnerable versions, according to a report released Thursday from Veracode
    • “The report found nearly one-third of applications are running Log4j2 1.2.x, which reached end-of-life status in August 2015 and no longer receives patch updates. Another 2.8% of applications are still using versions vulnerable to the actual Log4Shell vulnerability.
    • “Veracode found 3.8% of applications are using Log4j2 2.17.0, which was patched against Log4Shell, but contains CVE-2021-44832, another high severity, remote code execution vulnerability.”
  • The Wall Street Journal reports,
    • “The recent breach of  23andMe user accounts shows a simple yet powerful truth about data security: Don’t reuse passwords, people.
    • “The DNA test-kit company on Monday reported a hacker accessed 14,000 accounts because of password reuse, exposing information belonging to approximately 6.9 million people. The 23andMe computer network wasn’t breached and wasn’t the source of these compromised credentials, a company spokesman said in a statement. The company first disclosed the incident in October and has been investigating since then.
    • “The passwords used to break into these accounts had most likely been stolen from other websites. Because they were reused, they also worked on 23andMe, security experts say. The type of attack is known as credential stuffing, and it puts 23andMe in the company of other major businesses who have fallen victim to the cybercrime trend, including NetflixNintendoZoom and PayPal
    • “It isn’t uncommon to see credential stuffing used to compromise thousands of accounts, but with 23andMe, the data in question is unusual, said Ryan McGeehan, owner of R10N Security, a cybersecurity consulting firm. 
    • “The issue here is that 23andMe is a social site that also has healthcare information,” he said. “And both of these increase the risk of exposure of the data, and the value of the data itself.” 

From the ransomware front,

  • The Hacker News explains ransomware as a service. (Note: The Week in Ransomware was not published this week.)

From the cybersecurity defenses front,

  • Security Boulevard offers 2024 predictions for cybersecurity.
  • An ISACA experts explains how to create a health security culture.
  • Medriva discusses the cybersecurity steps that the Cleveland Clinic has taken.

Cybersecurity Saturday

From the cybersecurity policy front,

  • FedScoop tells us,
    • “A new bipartisan House bill aims to bolster the U.S. cybersecurity workforce by creating two training programs within the federal government, building on companion legislation introduced in the Senate earlier this year.
    • “The Federal Cybersecurity Workforce Expansion Act, co-sponsored by Reps. Chrissy Houlahan, D-Pa., and Mike Gallagher, R-Wis., would establish a cybersecurity registered apprenticeship program in the Cybersecurity and Infrastructure Security Agency and a Department of Veterans Affairs pilot program that would provide cybersecurity training to veterans.
  • The Cybersecurity and Infrastructure Security Agency (“CISA”) announced,
    • “In the fast-paced world of cybersecurity, staying ahead of threats is essential. And while security is without a doubt a priority for businesses of all sizes, it is easy to feel overwhelmed by all the information available. At CISA, we have been diligently developing a solution aimed at simplifying the way our partners and potential collaborators understand their cyber risk and prioritize their investments, ensuring they can quickly navigate this complexity with ease. Our focus has been on making the process of working with us more intuitive and user-friendly so that every organization can spend more time meeting business goals and less time sifting through cybersecurity resources. We believe this approach will be especially helpful for smaller to medium sized stakeholders with fewer resources, who need help prioritizing actions to help them to reduce the likelihood and impact of damaging intrusions.
    • “In early 2024, we look forward to launching a new way for organizations to understand their cyber risk and receive targeted, straightforward guidance built around our Cybersecurity Performance Goals. This new tool is called ReadySetCyber. While we’re not quite ready to unveil all the details just yet, we are excited to share a glimpse of what’s on the horizon.”
    • That glimpse is available here.
  • The Wall Street Journal reports,
    • “A cyberattack that disrupts everyday life in the U.S. will likely cost more than the insurance industry can afford to cover, requiring government intervention, insurers and brokers said.
    • “The idea of a federal backstop to help insurers cope in the event of a catastrophic cyberattack has been examined by the government in recent years, but has gained momentum with tandem efforts at the Treasury Department, the Office of the National Cyber Director and the Cybersecurity and Infrastructure Security Agency over the past year. Government officials and the insurance industry plan to meet in April to work out exactly what such a program would look like.
    • “Federal support in the event of a catastrophic attack would undoubtedly be necessary, said John Keogh, president and chief operating officer of insurer Chubb.
    • “While the industry could absorb a major natural disaster, the effects of a cyberattack on a similar scale would quickly overwhelm its capacity to cover losses.”

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive points out last Monday,
    • A cyberattack targeting Fidelity National Financial led to disruptions across its services, including title insurance and mortgage transactions, after it was forced to block access to certain systems, the company said last week in a filing with the Securities and Exchange Commission
    • An investigation showed an unauthorized third party gained access to some of its systems and stole certain credentials, the company said.
    • The threat group known as AlphV/BlackCat claimed responsibility for the attack, according to security researcher Dominic Alvieri.
  • CISA added two more known exploited vulnerabilities to its catalog on November 30, 2023, and removed one on December 1, 2023.

From the ransomware front, here’s a link to the latest Bleeping Computer’s Week in Ransomware.

From the cybersecurity defenses front,

  • Technopedia identifies the top nine cybersecurity trends for 2024.
  • Cybersecurity Dive informs us,
    • “Technology like generative AI can address some key security challenges confronting organizations, but professionals that overemphasize those capabilities miss the fundamental need to put people and their unique talents first.
    • “Security is a people issue,” Amazon CSO Stephen Schmidt said Monday during a presentation at AWS re: Invent in Las Vegas. “Computers don’t attack each other. People are behind every single adversarial action that happens out there.”
    • “For Schmidt, winning in security is akin to playing chess — focusing on the board, how the pieces move and interact — while practicing psychology. Security professionals need to understand the human elements at play, including their own tendencies and opponents’ motivations.
    • “You’re not playing just one chess match,” Schmidt said. “You are playing dozens or hundreds of games at the same time, because you have a variety of adversaries with different motivations who are going after you.”
    • “This cybersecurity scrum can feel overwhelming, but many defenders view generative AI as an ally that can automate repetitive tasks. Cybersecurity vendors across the landscape have released security tools infused with the technology, and more are in the pipeline.”
  • Tech Republic adds that Open AI first released ChatGPT on November 30, 2022. The site explains how the technology has evolved.

Cybersecurity Saturday

From the cybersecurity vulnerabilities and breaches front,

  • HHS’s Health Sector Cybersecurity Coordination Center posted a Sector Alert about a “Critical Vulnerability in Fortinet FortiSIEM Platform” on November 22, 2023.
    • “Fortinet has identified a vulnerability in its FortiSIEM platform, which is utilized by the Healthcare and Public Health (HPH) sector. This vulnerability enables a threat actor to execute commands on the target system, allowing for a potentially wide-scale and impactful cyberattack. HC3 recommends that all healthcare organizations operating FortiSIEM prioritize the upgrade of these platforms in a timely manner.”
  • The Cybersecurity and Infrastructure Security Agency added one more known exploited vulnerability to its catalog on November 21, 2023.
  • Dark Reading points out,
    • “A widely popular social engineering campaign previously only targeting Windows systems has expanded and is now using fake browser updates to distribute Atomic Stealer, a dangerous information stealer, to macOS systems.
    • “Experts say this could be the first time they’ve observed a dominant social engineering scam previously aimed specifically at Windows make the shift to macOS.
    • “The malware, also referred to as AMOS, surfaced earlier this year on a dedicated Telegram channel. Criminals, who can rent the malware on a subscription basis for about $1,000 a month, have used a variety of means to distribute the malware since then. The most common tactic has been to distribute the malware via installers for popular apps or via purportedly cracked versions of Microsoft Office and other widely used applications.”
  • Health IT Security notes,
    • “The HHS Office for Civil Rights (OCR) completed a HIPAA investigation into New York-based Saint Joseph’s Medical Center following claims that the organization had impermissibly disclosed COVID-19 patients’ protected health information (PHI) to a news reporter. Saint Joseph’s Medical Center agreed to pay $80,000 to OCR and implement corrective actions.
    • “OCR launched the investigation following the publication of an article by the Associated Press about the academic medical center’s response to the COVID-19 pandemic. The article included photographs and information about three COVID-19 patients, including diagnoses, current medical statuses and prognoses, vital signs, and treatment plans.
    • “Further investigation determined that Saint Joseph’s had provided the information to the Associated Press without first obtaining written consent from the three patients.”
  • The HHS Inspector General warns us “about a fraud scheme involving monthly billing for remote patient monitoring.”

From the ransomware front,

  • Cybersecurity Dive reports on November 22, 2023,
    • “Criminal threat groups and nation-state actors are exploiting a critical vulnerability in Citrix Netscaler ADC and Netscaler Gateway to launch attacks, the Cybersecurity and Infrastructure Security Agency and FBI warned on Tuesday.
    • “Affiliates of LockBit 3.0 exploited the vulnerability — dubbed CitrixBleed by researchers — to gain access into Boeing’s parts and distribution unit and exfiltrate data, as part of a suspected ransomware attack, according to federal authorities.
    • “CISA, through its ransomware vulnerability warning program, has notified almost 300 organizations they were running vulnerable instances of the devices and needed to take mitigation measures before they were attacked, Eric Goldstein, executive assistant director of cybersecurity at CISA, said during a conference call with reporters.” 
  • Here is a link to the CISA analysis of CitrixBleed.
  • Cyberscoop provides its perspective on this and related schemes.
    • “Jon DiMaggio, the chief security strategist with Analyst1 who has written extensively on the internal workings of LockBit, said that while there are only a few groups with the “skill and talent and creative ability to do some of these more advanced attacks,” these crews, particularly those associated with the AlphV attacks, are becoming much better at social engineering.
    • “Many major companies still have problems with the cybersecurity basics, DiMaggio said, let alone building help desks that are tough to manipulate. “It’s tough, but they have to change,” DiMaggio said. “Trying to focus on helping people and helping your clients can’t always be number one anymore.” 
    • “That might slow response times, he noted, but that’s “a lot better than having to lose ungodly amounts of money, having your reputation destroyed and everything else.”

From the cybersecurity defenses front,

  • CISA discusses how the agency has re-envisioned its Cybersecurity Insurance and Data Analysis Working Group to help reduce cybersecurity risk.
    • “When we re-launch the CIDAWG in December, the working group will partner with Stanford’s Empirical Security Research Group, a research lab in Stanford’s Computer Science Department, with the intent to correlate data with cybersecurity controls to understand their effectiveness. CISA will ask working group members to collaborate with Stanford to improve analysis of the aggregated, anonymized loss data and link it with controls effectiveness. This analysis will be a resource both for insurers to inform their risk analysis and for CISA to better understand whether efforts like the Cyber Performance Goals (CPGs) and the Secure by Design initiative are translating to reduced cyber risk exposure for organizations that adopt them.”
  • The Wall Street Journal explains why storytelling can improve cybersecurity training.
    • “I recently wrote about the “phishing tests” that many companies use to train (well, scare) employees into being more cyber-vigilant. They send around a phony phishing email, and measure how many people click on it. But my research shows that these tests can actually be harmful. They create fear, stress and distrust among employees, and in the end they don’t improve phishing resistance much.
    • “When I wrote that article, a number of readers wrote in asking a simple question: If phishing tests don’t work, what does?
    • “I believe a better way to train people is to have their peers tell them stories about their experience with scams. Humans have an innate ability to learn from stories about other people—even if they are just casual stories that fall into the middle of a conversation. My research on the topic has found just how effective stories can be when applied to cybercrime: Hearing about somebody else getting snagged by phishing, or narrowly avoiding it, makes people more likely to take security seriously and avoid the mistakes they have heard about.”
  • The Hackers News recommends six steps to accelerate cybersecurity incident response.
  • ISACA offers a report on optimizing risk transfer for systematic resilience.

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cyberscoop reports,
    • “Former National Security Agency Executive Director Harry Coker is one step closer to being the next national cyber director after the Senate Homeland and Governmental Affairs Committee advanced his nomination Wednesday.
    • “Coker, also a former CIA officer, told the panel during the initial nomination hearing that he would plan on continuing the work of his potential predecessors.
    • “Coker’s nomination comes after the White House was criticized by experts and policy wonks for not nominating Kemba Walden, the current acting national cyber director, to the permanent role. The Washington Post reported that Walden’s personal debts were the White House’s rationale for declining to nominate her.
    • “Walden’s last day as the acting cyber chief is Friday, according to an ONCD spokesperson.”
  • On November 14, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released
    • “its first Roadmap for Artificial Intelligence (AI), adding to the significant DHS and broader whole-of-government effort to ensure the secure development and implementation of artificial intelligence capabilities. DHS plays a critical role in ensuring AI safety and security nationwide.”its first Roadmap for Artificial Intelligence (AI), adding to the significant DHS and broader whole-of-government effort to ensure the secure development and implementation of artificial intelligence capabilities. DHS plays a critical role in ensuring AI safety and security nationwide.
    • “Last month, President Biden issued an Executive Order that directed DHS to promote the adoption of AI safety standards globally, protect U.S. networks and critical infrastructure, reduce the risks that AI can be used to create weapons of mass destruction, combat AI-related intellectual property theft, and help the United States attract and retain skilled talent, among other missions. As part of that effort, CISA’s roadmap outlines five strategic lines of effort for CISA that will drive concrete initiatives and outline CISA’s responsible approach to AI in cybersecurity.”
  • Federal News Network observes,
    • “When federal government agencies were breached by Chinese hackers due to a Microsoft Azure vulnerability, the Cybersecurity and Infrastructure Security Agency released an advisory calling for the use of more enhanced monitoring tools to build resilience against increasingly sophisticated attacks. This latest advisory was further amplified by the National Cybersecurity Strategy, which reinforced the need to make the government’s critical infrastructure more resilient by modernizing federal networks.  
    • “Despite these measures, a recent study shows that only 26% of the public sector (compared to 40% of the private sector) have a formal approach to building resilience. Moreover, federal agencies whose mission-set centers on critical infrastructure, such as the Departments of Energy or Transportation, still face challenges to maintain legacy toolsin contrast to the public sector as a whole.   
    • “This is because federal agencies need more support to implement modern monitoring tools that help improve their threat detection and response. Without the proper technology in place to match the challenges of today’s threat landscape, it is difficult to remain resilient when faced with an attack. But how might an organization begin to achieve the resilience required for today’s cyber threats?  
    • “It starts with federal agencies prioritizing observability strategies. Despite its growing popularity, observability is a fresh concept – one that can be difficult to define and see as a path to resilience without first understanding its foundation. The roots of observability can simply be traced down to a collection of logs, metrics and traces by which monitoring systems can more proactively mitigate potential threats.”

From the cybersecurity vulnerability and breaches front,

  • The HIPAA Journal offers its October 2023 Healthcare Data Breach Report.
    • “For the second consecutive month, the number of reported data breaches of 500 or more healthcare records has fallen, with October seeing the joint-lowest number of reported data breaches this year. After the 29.4% fall in reported data breaches from August to September, there was a further 16.7% reduction, with 40 data breaches reported by HIPAA-regulated entities in October – the opposite trend to what was observed in 2022, when data breaches increased from 49 in August 2022 to 71 breaches in October 2022. October’s total of 40 breaches is well below the 12-month average of 54 breaches per month (median:52 breaches).”
  • Federal News Network reports,
    • “The Office of Personnel Management faces a tight deadline to set up a new health insurance marketplace for Postal Service employees and retirees to enroll in new plans, starting next year.
    • “Now OPM is addressing watchdog concerns about whether the IT infrastructure supporting this new USPS marketplace is following federal cybersecurity requirements.
    • “OPM’s Office of Inspector General, in a flash audit released Friday, raised concerns about the cybersecurity steps OPM took before launching the IT systems that will run the Postal Service Health Benefits (PSHB) Program. * * *
    • “The IG report focuses on the steps OPM took to launch Carrier Connect, a system OPM uses to communicate and share data with health care providers. [FEHBLog note — FFF presumably refers to sharing data with FEHB plans.]
    • “According to the report, OPM officials acknowledged the agency started the assessment and authorization process too late in the security development lifecycle — in the summer of 2023 — and knew they would have to launch Carrier Connect under a provisional authority to operate (ATO).
    • IT security was not integrated at the beginning, and as a result, many of the required elements of an authorization to operate (ATO) package were not completed before the system was authorized to operate and placed into production,” the IG report states.”
  • HHS’s health sector Cybersecurity Coordination Center (HC3) posted a PowerPoint presentation about Emotet malware, which HC3 describes as “the enduring and persistent threat to the health sector.”
  • This week, CISA added six known exploited vulnerabilities to its catalog on November 13, then another three on November 14, and then finally another three on November 16.
  • Get a load of this Dark Reading article.
    • “The ransomware group ALPHV (aka “BlackCat”) has filed a formal complaint with the US Securities and Exchange Commission (SEC), alleging that a recent victim failed to comply with new disclosure regulations. * * *
    • “Putting aside the sheer audacity of the move, ALPHV may be out of luck with the SEC for two reasons.
    • “For one thing, in a statement provided to BleepingComputer on Wednesday, MeridianLink stated that it wasn’t yet sure if any consumer personal information was compromised, adding that “based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption.” Exactly what data ALPHV stole and published may affect whether the breach is “material,” per SEC language.
    • “Second, as noted in its original press release, the new SEC disclosure rule only takes effect on Dec. 18. (Smaller companies will have even more leeway, with an extra 180 days before they have to get on board).
    • “Future victims of similar attacks will have fewer breaks to count on.
    • “Using the threat of filing a ‘failure to report’ complaint against its own victim to the SEC is a compelling tactic that could weaponize a government regulation for a cybercriminal group’s benefit,” Tiquet warns. “Disciplinary action from the SEC is not to be taken lightly and fines can be very steep.”

From the ransomware front

  • Cybersecurity Dive reports,
    • “The group of threat actors claiming responsibility for major attacks against MGM ResortsCaesars Entertainment and Clorox is composed of experts in social engineering, and federal cyber authorities are prodding more victims to come forward.
    • “Scattered Spider, which deploys AlphV ransomware in some of its attacks, uses multiple techniques and tools to gain remote access or bypass multifactor authentication, federal cyber authorities warned in a Thursday advisory.
    • “The FBI and Cybersecurity and Infrastructure Security Agency shared technical details and data gleaned from investigations as recently as this month to help organizations thwart and mitigate attacks. Yet, officials say more information is needed, as a lack of reporting hinders law enforcement’s ability to take action.
    • “Scattered Spider’s high level of activity underscores the importance of prevention and the need for more victim organizations to report cyberattacks to CISA or the FBI, agency officials said.”
  • The American Hospital Association News adds,
    • “Scattered Spider’s sophisticated technical cyberattacks begin with sophisticated psychological attacks,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “Scattered Spider employs social engineering techniques to deceive end users into providing their credentials, authentication codes or downloading ‘help desk’ tools on their computers that allow the adversary to gain and maintain persistent access to computer networks. Staff should be advised of help desk verification protocols and that help desk personnel should not be asking staff to divulge their credentials or multi-factor authentication codes. Conversely, the help desk should enhance its verification protocols and challenge questions to ensure they do not improperly reset staff credentials and to help staff distinguish valid help desk interaction from social engineering attempts.
  • On November 15, 2023, CISA issued a #StopRansomware Advisory regarding Rhysida Ransomware.
  • On November 13, 2023, CISA posted an update to its Royal Ransomware Advisory.
    • “The updated advisory provides network defenders with additional information on tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Royal ransomware variants. FBI investigations identified these TTPs and IOCs as recently as June 2023.”
  • Bleeping Computer’s The Week in Ransomware is back this week.

From the cybersecurity defenses front,

  • On November 17, CISA postedthe Mitigation Guide: Healthcare and Public Health (HPH) Sector as a supplemental companion to the HPH Cyber Risk Summary, published July 19, 2023. This guide provides defensive mitigation strategy recommendations and best practices to combat pervasive cyber threats affecting this critical infrastructure sector. It also identifies known vulnerabilities for organizations to assess their networks and minimize risks before intrusions occur.”
  • Forta tells us about Amazon Web Services’ Six Pillars of Cybersecurity.
  • Dark Reading explains how to build a resilient incident response team.

Cybersecurity Saturday

Happy Veterans Day! Thanks to all those who served our country.

From the cybersecurity policy front,

  • Health IT Security reports,
    • “US Senators Mark Warner (D-VA), Bill Cassidy (R-LA), John Cornyn (R-TX), and Maggie Hassan (D-NH) launched a bipartisan Senate healthcare cybersecurity working group. The group will focus on proposing legislative solutions within the Senate Health, Education, Labor, and Pensions (HELP) Committee to strengthen healthcare cybersecurity.
    • “We are seeing a disturbing rise in cyberattacks on our health care system. These attacks not only put patients’ sensitive health data at risk but can delay life-saving care,” Cassidy stated. “Just like a strong military and police force defends us against physical attacks, we must ensure health institutions can safeguard against increasing cyber threats and protect Americans’ crucial health data.”
  • Cyberscoop Informs us,
    • “[On November 2, 2023,] [f]ormer National Security Agency Executive Director Harry Coker told members of the Senate Homeland Security and Governmental Affairs Committee that if he’s confirmed as the next national cyber director, he’d largely continue along the same path as his predecessors.
    • “Coker, who also spent 17 years at the Central Intelligence Agency and had made few public appearances before Thursday’s hearing, expressed appreciation for previous Office of the National Cyber Director work, including the National Cybersecurity Strategy, the subsequent implementation plan and the National Cyber Workforce and Education Strategy.
    • “If confirmed, I would frankly continue the good work that ONCD has done with its partners,” Coker said. He noted in his opening statement he’s “seen the need for stronger partnerships and collaboration between the public and private sectors” and that collaboration would be “the north star” under his leadership.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) announced that
    • “Director Jen Easterly and the Republic of Korea’s Deputy Director of the National Intelligence Service (NIS) Baek Jong-wook signed a Memorandum of Understanding (MoU) outlining areas for collaboration under the bilateral Cyber Framework signed by President Biden and Republic of Korea President Yoon in April.   
    • “The Framework affirms cooperation with Korea in key CISA mission areas, to include sharing technical and operational cyber threat information and best practices in cyber crisis management.  In June, senior leaders from both countries determined that CISA and NIS would co-lead a Framework Action Group on critical infrastructure. This Action Group will also bring together Korea’s Ministry of Science and ICT and other USG departments and agencies. ” 
  • The National Institute of Standards and Technology (NIST) informed us on November 9, 2023,
    • “The final public draft of NIST Special Publication (SP) 800-171r3 (Revision 3), Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, is now available for public review and comment.  * * *
    • “Concurrently, the initial public draft (ipd) of NIST SP 800-171Ar3 (Revision 3), Assessing Security Requirements for Controlled Unclassified Informationis also available.
    • “The public comment period for both drafts is open through January 12, 2024. We strongly encourage you to use the comment template available on each publication details page, and submit your comments to 800-171comments@list.nist.gov.”
  • NextGov offers an overview of the NIST’s final draft publications.
  • On November 9, 2023, CISA, the National Security Agency and their partners released.
    • Securing the Software Supply Chain: Recommended Practices for Software Bill of Materials Consumption. Developed through the Enduring Security Framework (ESF), this guidance provides software developers and suppliers with industry best practices and principles, including managing open source software and software bills of materials (SBOM), to maintain and provide awareness about the security of software.
    • Organizations can use this guide to assess and measure their security practices relative to the software lifecycle; the suggested practices may be applied across the acquisition, deployment, and operational phases of a software supply chain.
    • CISA encourages cybersecurity defenders to review this guidance and to speak to their software vendors about implementing its recommendations.

From the cybersecurity breaches and vulnerabilities front,

  • The Wall Street Journal reports,
    • “Business software maker SolarWinds is denying charges that it lacked adequate cybersecurity controls in the build up to a significant hack of its products in 2020, and accused the U.S. Securities and Exchange Commission of misrepresenting facts in its complaint.
    • “On Oct. 30, the SEC announced that it had filed charges against SolarWindsalleging the firm defrauded investors by repeatedly misleading them about its cyber vulnerabilities and the ability of attackers to penetrate its systems. 
    • “The SEC’s lawsuit is fundamentally flawed—both legally and factually—and we plan to defend vigorously against the charges,” SolarWinds said. The SEC declined to comment.”
  • Cybersecurity Dive points out,
    • Mortgage servicing provider Mr. Cooper Group shut down multiple systems after it determined a threat actor accessed certain technology systems on Oct. 31, according to a Thursday [November 2, 2023] filing with the Securities and Exchange Commission.
    • The company initiated precautionary containment measures in response to the cyberattack, a move that’s temporarily halting recurring payments and leading customers to make one-time loan payments online, via phone, email or third parties. The status of customers’ loans were last updated Oct. 31.
    • Mr. Cooper is the third-largest mortgage servicer in the U.S. with more than 4.3 million customers, according to the company.
  • TechCrunch adds,
    • Mr. Cooper, the mortgage and loan giant with more than four million customers, has confirmed customer data was compromised during a recent cyberattack.
    • In an updated notice on its website published Thursday [November 9, 2023], Mr. Cooper said that it was “still investigating what data may have been exposed,” though it remains unclear what kind of cyberattack hit Mr. Cooper’s system
  • CISA added another known exploited vulnerability to its catalog on November 7 and one more on November 8, 2023.
  • BusinessTech discusses the vulnerability management lifecycle.

From the ransomware front,

  • Because Bleeping Computer did not publish the Week in Ransomware yesterday, here is a notable attack featured in Cybersecurity Dive:
    • “A U.S. subsidiary of China’s largest bank was hit by a ransomware attack Wednesday that resulted in disruption to certain financial services systems, the bank announced Thursday [November 9, 2023].
    • “The hack disrupted the trading of U.S. Treasuries, forcing the Industrial and Commercial Bank of China Financial Services to send required settlement details to certain parties by a messenger carrying a USB stick, according to Bloomberg.
    • “The New York City-based firm said it reported the incident to law enforcement and successfully cleared U.S. Treasury trades executed Wednesday and repo financing trades done Thursday.
  • Dark Reading adds,
    • “The disruptive ransomware attack on the world’s largest bank this week, the PRC’s Industrial and Commercial Bank of China (ICBC), may be tied to a critical vulnerability that Citrix disclosed in its NetScaler technology last month. The situation highlights why organizations need to immediately patch against the threat if they haven’t done so already.
    • “The so-called “CitrixBleed” vulnerability (CVE-2023-4966) affects multiple on-premises versions of Citrix NetScaler ADC and NetScaler Gateway application delivery platforms.
    • “* * * The exploit activity has prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue fresh guidance and resources this week on addressing the CitrixBleed threat. CISA warned of “active, targeted exploitation” of the bug in urging organizations to “update unmitigated appliances to the updated versions” that Citrix released last month.”
  • HHS’s health sector cybersecurity coordination center issued an analyst note on Blacksuit ransomware:
    • “A relatively new ransomware group and strain known as BlackSuit, with significant similarities to the Royal ransomware family, will likely be a credible threat to the Healthcare and Public Health (HPH) sector. Discovered in early May 2023, BlackSuit’s striking parallels with Royal, the direct successor of the former notorious Russian-linked Conti operation, potentially places the group with one of the most active ransomware groups in operation today. Both Royal and the now-defunct Conti are known to have aggressively targeted the HPH sector, and if their purported ties to BlackSuit prove to be verified, then the sector will likely continue to be attacked profoundly. What follows [in the note] is an overview of the potential new group, possible connections to other threat actors, an analysis of its ransomware attacks, its target industries and victim countries, impact to the HPH sector, MITRE ATT&CK techniques, indicators of compromise, and recommended defense and mitigations against the group.”
  • The HIPAA Journal notes,
    • “A new report from Sophos on healthcare cybersecurity trends indicates data encryption occurred in 75% of ransomware attacks on healthcare organizations. Only 24% of surveyed healthcare organizations were able to detect an attack in progress and disrupt it before files were encrypted. Sophos says this is the highest rate of encryption and the lowest rate of disruption the company has seen in the past 3 years. Last year, healthcare organizations disrupted 34% of attacks before files were encrypted.
    • “To me, the percentage of organizations that successfully stop an attack before encryption is a strong indicator of security maturity. For the healthcare sector, however, this number is quite low—only 24%. What’s more, this number is declining, which suggests the sector is actively losing ground against cyber attackers and is increasingly unable to detect and stop an attack in progress,” said Chester Wisniewski, director, field CTO, Sophos.”

From the cybersecurity defenses front,

  • An ISACA expert discusses how “Cyber Advisors, Security Services Providers Can Use Zero-Sum Game Theory Framework to Benefit Clients.”
  • Dark Reading explains “How to Outsmart Malware Attacks That Can Fool Antivirus Protection. One of the main challenges for Android users is protecting themselves from malicious applications that can damage devices or perform other harmful actions.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • The FAR Council extended the public comment deadline for its October 3, 2023, proposed cybersecurity rules from December 4, 2023, to February 2, 2024. The FEHBlog noticed that the proposed rules (cited in the link) would be added to FAR Part 39 captioned “Acquisition of Information Technology.” In contrast, the FAR cybersecurity rules already found in the FEHB contract are found in FAR Part 4, captioned “Administrative and Information Matters.” For this reason, the FEHBlog has formed the opinion that these rules would not apply to FEHB plan contracts. In any event, the OPM FEHB contracts already include requirements for reporting data breaches and cyber incidents (Section 1.37).
  • Health IT Security tells us,
    • “HITRUST issued a response to the White House’s request for information (RFI) on the harmonization of cybersecurity regulations, suggesting that regulation alone is not a fix to the ongoing cyber challenges that critical infrastructure entities face.
    • “Rather, HITRUST recommended a shift away from further regulations in favor of a renewed focus on accountability and reciprocity within existing standards. Additionally, HITRUST emphasized the importance of reliable cybersecurity assessments and assurances.”
  • and
    • “The HHS Office for Civil Rights (OCR) released an educational video to help covered entities understand how the HIPAA Security Rule can help them defend against cyberattacks. The video was produced in recognition of National Cybersecurity Month.
    • “Hosted by Nick Heesters, senior advisor for cybersecurity at OCR, the 43-minute video explores cyberattack trends gleaned from OCR breach reports and discusses how Security Rule compliance can help covered entities combat these threats.”
  • Cyberscoop informs us,
    • “The White House announced a long-awaited executive order on Monday that attempts to mitigate the security risks of artificial intelligence while harnessing the potential benefits of the technology. 
    • “Coming nearly a year after the release of ChatGPT — the viral chatbot that captured public attention and kicked off the current wave of AI frenzy — Monday’s executive order aims to walk a fine line between over-regulating a new and potentially groundbreaking technology and addressing its risks.
    • “The order directs leading AI labs to notify the U.S. government of training runs that produce models with potential national security risks, instructs the National Institutes of Standards and Technology to develop frameworks for how to adversarially test AI models, and establishes an initiative to harness AI to automatically find and fix software vulnerabilities, among other measures. 
    • “Addressing questions of privacy, fairness and existential risks associated with AI models, Monday’s order is a sweeping attempt to lay the groundwork for a regulatory regime at a time when policymakers around the world are scrambling to write rules for AI. A White House fact sheet describes the order as containing “the most sweeping actions ever taken to protect Americans from the potential risks of AI systems.”

From the cyber vulnerabilities and breaches front,

  • Per Cybersecurity Dive,
    • “The Securities and Exchange Commission charged SolarWinds and its CISO Timothy Brown with fraud and internal control failures for allegedly misleading investors about its cybersecurity practices leading up to the Sunburst attack discovered in December 2020. 
    • “The SEC on Monday [October 29] alleged the company overstated its cybersecurity practices and failed to disclose known risks from October 2018, when the company went public, up to at least the Sunburst attack. 
    • “Public statements from the company contradicted internal assessments, including a 2018 assessment by a company engineer, shared with Brown and others, showing the company’s remote access setup was “not very secure,” the SEC complaint said.
    • “SEC officials allege SolarWinds and Brown ignored repeated red flag warning signs that put the company’s cybersecurity at risk. 
  • Security Week offers industry reaction to the lawsuit.
    • “It remains to be seen how the lawsuit against the SolarWinds CISO will unfold and what implications it will have for the cybersecurity industry as a whole. Regardless of the outcome, it serves as a stark reminder that the role of CISOs is continually evolving, and they must navigate a complex landscape of legal and regulatory challenges.”
  • HHS’s Heath Sector Cybersecurity Coordination Center (HC3) issued its October vulnerability bulletin.
    • “In October 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for October are from Microsoft, Google/Android, Apple, Mozilla, Cisco, SAP, VMWare, Adobe, Fortinet, Atlassian, SolarWinds, NextGen Healthcare, and F5. A vulnerability is given the classification as a zero-day when it is actively exploited with no fix available or if it is publicly disclosed. HC3 recommends patching all vulnerabilities, with special consideration to the risk management posture of the organization.”
  • Cyberscoop points out
    • “The exploitation of zero-day vulnerabilities is on the rise globally and directly impacting federal agencies, part of what a senior Cybersecurity and Infrastructure Security Agency official called a “very eventful past six months” in the cyber threat landscape.
    • “Michael Duffy, the associate director for capacity building within CISA’s cybersecurity division, said that in the past month or so, the agency has seen “a really high increase in zero-day activity, exploits that we’re seeing across the globe, really affecting the federal government networks throughout the federal government.”
    • “Duffy’s comments, made during a cybersecurity governance panel this week at ACT-IAC’s Imagine Nation ELC conference in Hershey, Pa., come following a notable decline in so-called in-the-wild zero days last year. According to a July report from Google’s Threat Analysis Group, 41 zero days were detected and disclosed in 2022, down from 69 in 2021.
    • “Despite the decline, the number of zero-day exploits observed in the wild remained the second-highest number since TAG started tracking such exploits in 2014. U.S. government officials recently have described a tendency toward growing sophistication in the state-backed hacking campaigns, one hallmark of which is the use of the previously unknown vulnerabilities known as zero days.”  
  • The Cybersecurity and Infrastructure added two known exploited vulnerabilities to its catalog on Tuesday, October 31, and another on Thursday, November 2.

From the ransomware front,

  • Health IT Security reports,
    • “The International Counter Ransomware Initiative (CRI) held its third summit in Washington, DC, with representatives from 50 countries joining together to build upon counter-ransomware projects and announce new focus areas. Among the commitments announced, at least 40 of the member countries agreed not to pay ransoms to cybercriminals, Reuters first reported.
    • “As long as there is money flowing to ransomware criminals, this is a problem that will continue to grow,” said Anne Neuberger, US deputy national security adviser for cyber and emerging technology in the Biden Administration. [see The Week in Ransomware’s observation below.]
    • “The Federal Bureau of Investigation (FBI) has long encouraged ransomware victims to avoid paying the ransom when faced with a ransomware attack. Paying the ransom can embolden cybercriminals to continue targeting other victims and does not guarantee the safe return of data. * * *
    • “In addition to the pledge, CRI members continued to expand upon the commitments they made at last year’s summit. Key deliverables at the 2023 summit were centered around “developing capabilities to disrupt attackers and the infrastructure they use to conduct their attacks, improving cybersecurity through sharing information, and fighting back against ransomware actors,” the White House noted in a press release.”
  • and
    • “The HHS Office for Civil Rights (OCR) announced a $100,000 settlement to resolve a data breach investigation with Doctors’ Management Services, a Massachusetts-based medical management company and healthcare business associate that suffered a ransomware attack in 2018. The settlement marks the first-ever ransomware agreement that OCR has reached.
    • “In April 2019, Doctors’ Management Services filed a breach report with HHS, acknowledging that 206,695 individuals were impacted by a cyberattack carried out by GandCrab ransomware actors. Although the report was filed in 2019, the initial intrusion occurred in 2017. Doctors’ Management Services only detected the breach in December 2018, when ransomware was used to encrypt its files.”
  • HC3 released an analyst note about 8Base ransomware.
    • A recent attack on a U.S.-based medical facility in October 2023 highlights the potential threat of the ransomware gang, 8Base, to the Healthcare and Public Health (HPH) sector. Active since March 2022, 8Base became highly active in the summer of 2023, focusing their indiscriminate targeting on multiple sectors, primarily across the United States.
    • This surge in operational activity included the group’s engagement in double extortion tactics as an affiliate of Ransomware-as-a-Service (RaaS) groups against mostly small- to medium-sized companies.
    • While similarities exist between 8Base and other ransomware gangs, the group’s identity, methods, and motivations remain largely unknown. What follows is an overview of the group, possible connections to other threat actors, an analysis of their ransomware attacks, their target industries and victim countries, impacts to the HPH sector, MITRE ATT&CK techniques, indicators of compromise, and recommended defenses and mitigations against the group.
  • Of course, here’s a link to Bleeping Computer’s The Week in Ransomware.

From the cybersecurity defenses front,

  • Per Cybersecurity Dive,
    • “Microsoft is overhauling its cybersecurity strategy, called the Secure Future Initiative, to incorporate key security features into its core set of technology platforms and cloud services. 
    • “The plan follows a massive government and industry backlash to Microsoft after the state-linked email theft from the U.S. State Department. Microsoft came under fierce criticism from key members of Congress and federal officials who were concerned that the company was forcing federal agencies to rely on software products that lacked the necessary security features to protect against sophisticated attackers. 
    • “The pushback related to the State Department case was that Microsoft was upcharging customers for additional, important security features. 
    • “Microsoft plans to enable secure default settings out of the box, so customers will not have to engage with multiple configurations to make sure a product is protected against hackers. 
    • For example, Microsoft will implement Azure baseline controls, which include 99 controls across nine security domains by default. 
  • An ISACA expert explains how to craft a corporate generative AI policy.
  • The Wall Street Journal reports,
    • “Economic uncertainty continues to chip away at corporate cybersecurity. 
    • “Layoffs, budget cuts and general skimping are putting more pressure on cybersecurity teams, which, in some cases, are pausing hiring and technology investment.
    • “Because of the economic pressure, there are more questions being asked about backfills or head counts,” said Diego Souza, chief information security officer at engine and generator manufacturer Cummins.
    • “Of 14,865 cyber professionals asked, 47% said there had been some form of cutbacks in cybersecurity—layoffs, budget cuts, hiring or promotion freezes—in the past 12 months, according to a survey by trade group ISC2 in collaboration with Forrester Research. Of that group, 22% said there had been layoffs on their teams, while 53% saw delays in buying or implementing technology, according to the study published Tuesday [October 31].

Cybersecurity Saturday

From the cybersecurity policy front,

  • The Cybersecurity and Infrastructure Security Agency and the Department of Health and Human Services held
    • “a roundtable discussion on the cybersecurity challenges that the U.S. healthcare and public health (HPH) sector system faces, and how government and industry can work together to close the gaps in resources and cyber capabilities. Ahead of the roundtable, CISA and HHS released a cybersecurity tool kit that includes resources tailored for the healthcare and public health sector. * * *
    • This toolkit is easy to navigate online at www.CISA.gov/healthcare and consolidates resources like:  
      • “CISA’s Cyber Hygiene Services, which use vulnerability scanning to help secure against known vulnerabilities, reduces the risk of cyberattacks and encourages the adoption of best practices.   
      • “HHS’s Health Industry Cybersecurity Practices, which was developed with industry, outlines effective cybersecurity practices healthcare organizations of all sizes can adopt to become more cyber resilient.  
      • “HHS and the HSCC’s HPH Sector Cybersecurity Framework Implementation Guide which helps organizations assess and improve their level of cyber resiliency and provide suggestions on how to link cybersecurity with their overall information security and privacy risk management activities.” 
  • Cybersecurity Dive informs us,
    • “The Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued a request for comment on how to create a more harmonized system of software identification as part of a larger effort to make the software supply chain more secure. 
    • “Since President Joe Biden issued an executive order on improving cybersecurity in 2021, CISA and other federal agencies have been working to prioritize software security by improving vulnerability management and the use of software bill of materials (SBOMs). 
    • “The request for comment is designed to establish some uniform parameters to track critical information required to improve software security. Information on known vulnerabilities, what mitigations or security patches are available, and which software is approved for use are all part of the effort, according to a white paper released by CISA.” 
  • The Wall Street Journal tells us,
    • “President Biden is expected to sign an executive order next week addressing rapid advances in artificial intelligence, laying the groundwork for Washington’s embrace of AI as a tool in the national security arsenal while also pressuring companies to develop the technology safely.
    • “The order, which hasn’t been finalized and was described by people briefed on its expected contents, is aimed at establishing guideposts for federal agencies’ own use of AI, while also leveraging the government’s purchasing power to steer companies to what it considers best practices. 
    • “The White House began inviting people this week to an event on “safe, secure and trustworthy AI,” according to people familiar with the matter. A spokeswoman for the White House declined to comment.”

From the cybersecurity vulnerabilities and defenses front,

  • Health Exec reports,
    • “A new report reveals there have been 480 healthcare data breaches in 2023 so far, with over 25% of Americans impacted. The estimated number of patients affected is 87 million this year so far, over double the 37 million in 2022. 
    • “The report comes from Atlas VPN, which utilized publicly available data from the U.S. Department of Health and Human Services (HHS), which keeps a running list of healthcare security incidents. Federal law requires data breaches that potentially leak more than 500 patient records to be reported to the HHS.  * * *
    • “The full report can be found here.”
  • HHS’s Health Sector Cybersecurity Coordination Center issued three warnings this week. Here are the executive summaries:
    • AI-Augments Phishing — “Phishing has historically been a very successful means for cyberattackers of any motivation to compromise an organization and launch a full-fledged cyberattack to achieve their goals. Phishing attacks are frequently utilized, and this is especially true with regard to the health sector. The two most common cyberattacks targeting the health sector are ransomware and data breaches. (And usually both together!)
    • “These attacks often begin with a successful phishing attack. The advent of artificial intelligence has only made phishing attempts more effective, especially since those tools are freely available to the public.
    • In this paper, we provide a brief overview of basic artificial intelligence concepts, phishing attacks, and the application of artificial intelligence to phishing. We conclude with efforts that should be made to reduce the likeliness of all phishing attacks, including those that have been augmented by the use of artificial intelligence.”
  • and
    • QR Code Based Phishing – Phishing – the use of phony e-mails to deliver malicious code – has historically been a successful means for cyber attackers to compromise victim organizations and launch full-fledged, multi-staged cyberattacks. Phishing attacks are frequently utilized as the first stage of an attack – the infection vector – and this is especially true for the health sector. A cyberattack that begins with phishing often ends with ransomware and/or a major healthcare data breach.
    • Quick response (QR) codes were designed to quickly read and transmit legitimate data but have become increasingly abused as part of phishing attacks, called “quishing”.
    • In this paper, we provide a brief overview of QR codes, phishing attacks, and the application of both of these to cyberattacks on the health sector. We conclude this analysis with recommended defense and mitigation actions to reduce the likeliness and effectiveness of phishing attacks, including those augmented by the use of QR codes.
  • and
    • SolarWinds has published security fixes for their Access Rights Manager (ARM). This update addressed eight vulnerabilities, with three of them being rated as critical (CVE-2023-35182, CVE-2023-35185, CVE-2023-35187) and can lead to remote code execution on the “SYSTEM” of a Windows computer. This could enable an attacker to operate with the highest level of privileges available on the machine. In early 2020, the SolarWinds Orion system was targeted by an attacker(s), which led to the supply chain compromise of up to 18,000 of its customers.
    • Due to the previous malicious targeting and wide use of SolarWinds, HC3 strongly encourages users to monitor and upgrade their systems to prevent serious damage from occurring to the Healthcare and Public Health (HPH) sector.

From the ransomware front,

  • Cybersecurity Dive reports,
    • “The threat group behind some of the most high profile, identity-based cyberattacks this year is also “one of the most dangerous financial criminal groups” currently in operation, Microsoft researchers said in a Wednesday report.
    • “The group, which Microsoft identifies as Octo Tempest and other researchers identify as Oktapus, Scattered Spider and UNC3944, uses multiple forms of social engineering to gain access to organizations’ infrastructure, steal corporate data and extort victims for ransom payments, according to Microsoft Threat Intelligence.
    • “The collection of young, native English-speaking threat actors, which was initially observed in 2022 and affiliated with the ransomware-as-a-service operation ALPHV or BlackCat in mid-2023, has claimed responsibility for major attacks against MGM ResortsCaesars Entertainment and Clorox in the past few months. * * *
    • “The threat actors engage in aggressive communications with victims, such as leaving threatening notes within a text file on a system, contacting executives via text messages and emails, and infiltrating communication channels being used by victims to respond to incidents,” Mandiant, a Google Cloud unit, said last month in a report on UNC3944.
    • “We’ve seen very young individuals break into some of the biggest organizations by leveraging these techniques that are so hard to defend against,” Mandiant Consulting CTO Charles Carmakal said during an April briefing.
    • “They are incredibly disruptive and aggressive,” Carmakal told Cybersecurity Dive via email last month following the MGM Resorts attack.”

From the cybersecurity defenses front,

  • CISA announced,
    • “A new release of Logging Made Easy, a Windows-based, free and open log management solution designed to help organizations more effectively use available security data to detect and address cyber threats.
    • In April 2023, CISA assumed Logging Made Easy from the United Kingdom’s National Cyber Security Centre (UK-NCSC). Following a period of transition and enhancement, it is now available with step-by-step installation instructions for both legacy and new users.
    • “Logging is critical for proactive monitoring of threats and retroactive investigation and remediation in the event of an incident. Logging Made Easy is a tested and reliable solution that can help organizations with limited resources needing a centralized logging capability,” said Chad Poland, Product Manager for Cyber Shared Services. “CISA is excited to offer this shared service capability to U.S. and international organizations that can help them mitigate risk and identify vulnerabilities.” * * *
    • For more information, visit CISA’s new Logging Made Easy webpage.
  • ISACA announced its “AI Survey Results: What Do Infosec Professionals REALLY Need to Know?”
  • “The HSCC Cybersecurity Working Group has reprinted its Health Industry Cybersecurity – Securing Telehealth and Telemedicine (HIC-STAT) document.” 

Cybersecurity Saturday

From the cybersecurity policy front,

  • The National Institutes of Standards and Technology (NIST) announced,
    • “NIST is issuing one new proposed control and two control enhancements with corresponding assessment procedures for an expedited 2-week public comment period for October 17–31, 2023. All interested users are invited to provide real-time input to SP 800-53 controls, participate in public comment periods, and plan for future changes to the catalog at the website for Public Comments on SP 800-53 Controls. Review and submit comments on the proposed new control and enhancements by selecting the “Candidates” button. 
    • “NIST will also issue a patch release — SP 800-53 Release 5.1.1 — in early November 2023 via the Cybersecurity and Privacy Reference Tool to help organizations better manage cybersecurity and privacy risks to identity and access management systems. The changes included will not be issued as a new PDF publication at this time, and organizations will have the option to defer implementing the changes included in Patch Release 5.1.1 until SP 800-53, Release 6.0.0 is issued. 
    • “For more information, see the News Item and FAQ about SP 800-53 Comment Period Release 5.1.1.”
  • Yesterday, “the Cybersecurity and Infrastructure Security Agency (CISA) announced next steps for ongoing engagement with industry and government to update the National Cyber Incident Response Plan (NCIRP). As directed by the President’s 2023 National Cybersecurity Strategy, CISA, in close coordination with the Office of the National Cyber Director, is embarking on a process to gather input from public and private sector partners– including the federal interagency, Sector Risk Management Agencies (SRMAs), regulators, and critical infrastructure organizations, to identify key changes for incorporation into the updated NCIRP.”
    • Here is a link to the related CISA fact sheet. “CISA encourages all organizations to read the fact sheet and visit CISA’s NCIRP webpage to learn about this long-term effort and stay updated on the development of the NCIRP 2024.”
  • The American Hospital Association News adds that federal agencies this week issued “updated guidance to help software manufacturers demonstrate their commitment to secure by design principles and customers ask for products that are secure by design.”

From the cybervulnerabilities and breaches front,

  • Dark Reading tells us,
    • “Eight newly discovered vulnerabilities in the SolarWinds Access Rights Manager Tool (ARM) — including three deemed to be of critical severity — could open the door for attackers to gain the highest levels of privilege in any unpatched systems.
    • “As a broad IT management platform, SolarWinds occupies a uniquely sensitive place in corporate networks, as the world learned the hard way three years ago. Its power to oversee and affect critical components in a corporate network is nowhere better epitomized than in its ARM tool, which administrators use to provision, manage, and audit user access rights to data, files, and systems.
    • “So, admins should take note that on Thursday [October 19], Trend Micro’s Zero Day Initiative (ZDI) revealed a series of “High” and “Critical”-rated vulnerabilities in ARM. As Dustin Childs, head of threat awareness at the ZDI, explains, “The most severe of these bugs would allow a remote unauthenticated attacker to execute arbitrary code at system level. They could completely take over an affected system. While we did not look at exploitability, the potential of these vulnerabilities is about as bad as it gets.”
  • American Hospital News informs us,
    • The CISA, FBI and Multi-State Information Sharing and Analysis Center this week alerted organizations to a critical vulnerability affecting certain versions of the Atlassian Confluence Data Center and Server that enables malicious actors to obtain access to victim systems and continue active exploitation post-patch. The agencies strongly encourage network administrators to immediately apply the recommended upgrades and recommended responses to indicators of compromise.”
  • CISA added one more known exploited vulnerability to its catalog on October 16 and two more on October 19.
  • HHS’s Health Sector Cybersecurity Coordination Center issued on October 18 an Analyst Note titled “Summary of Findings on Potential ServiceNow Vulnerability.”
    • “On October 14, 2023, a cybersecurity researcher claimed that there is a potential data exposure issue within ServiceNow’s built-in capability that could allow unauthenticated users to extract data from records.
    • “ServiceNow is a cloud computing platform to help companies manage digital workflows for enterprise operations, including the Healthcare and Public Health (HPH) sector. Types of data likely exposed include names, e-mail addresses, and internal documents from potentially thousands of companies.
    • “One cybersecurity company stated that around 70% of total instances seem to be affected in ServiceNow’s capability. The vulnerability has yet to be exploited by threat actors, but the likelihood that it will be is probable.”
  • Bleeping Computer reports,
    • “Security researchers found that IT administrators are using tens of thousands of weak passwords to protect access to portals, leaving the door open to cyberattacks on enterprise networks.
    • “Out of more than 1.8 million administrator credentials analyzed, over 40,000 entries were “admin,” showing that the default password is widely accepted by IT administrators.”

From the ransomware front,

  • On October 19,
    • “CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released an updated version of the joint #StopRansomware Guide. The update includes new prevention tips such as hardening SMB protocols, revised response steps, and added threat hunting insights.
    • “Developed through the U.S. Joint Ransomware Task Force (JRTF), #StopRansomware Guide is designed to be a one-stop resource to help organizations minimize the risks posed by ransomware incidents through best practices to detect, prevent, respond, and recover, including step-by-step approaches to address potential attacks.
    • “CISA and its partners encourage organizations to implement the recommendations in the guide to reduce the likelihood and impact of ransomware incidents. For more information, visit CISA’s Stop Ransomware page.”

From the cybersecurity defenses front,

  • The FEHBlog noticed that Security Week published a series of articles on this topic in October.
    • Lost and Stolen Devices: A Gateway to Data Breaches and Leaks; By implementing strong security practices, organizations can significantly reduce the risks associated with lost and stolen computers and safeguard their sensitive information.
    • Applying AI to API Security; While there is quite a bit of buzz and hype around AI, it is a technology that can add tremendous value to security programs.
    • Addressing the People Problem in Cybersecurity; Addressing the people problem with effective approaches and tools for users and security practitioners will enable us to work smarter, and force attackers into a position where they must work harder.
  • HHS’s Office for Civil Rights, which enforces the HIPAA Privacy and Security Rule, released its October 2023 Cybersecurity Newsletter, which concerns how sanctions policies can support HIPAA compliance.
  • NIST “interviewed NIST’s Michael Ogata (Computer Scientist) and Paul Watrobski (IT Security Specialist) about the importance of updating software.”
  • On October 18, CISA “National Security Agency (NSA), Federal Bureau of Investigation (FBI) and Multi-State Information Sharing and Analysis Center (MS-ISAC) today published “Phishing Guidance, Stopping the Attack Cycle at Phase One” to help organizations reduce likelihood and impact of successful phishing attacks. It provides detailed insight into malicious actor techniques, as well as technical mitigations and best practices to help prevent successful phishing attempts.”  
  • Dark Reading discusses “Change From Within: 3 Cybersecurity Transformation Traps for CISOs to Avoid.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • Per Cybersecurity Dive,
    • Federal authorities are trying to strengthen the security of open-source software used by critical infrastructure providers in a bid to improve risk management, particularly across operational technology and industrial control system vendors. 
    • Critical infrastructure providers have faced heightened risks of malicious attack in recent years, both from nation-state threat actors and criminal ransomware groups, the Cybersecurity and Infrastructure Security Agency and other federal agencies said Tuesday in an open-source security guide.   
  • Forbes tells us about the top ten cybersecurity trends In 2024 that everyone must be ready for now.

From the cybersecurity vulnerabilities and breaches front,

  • Cyberscoop reports,
    • “Distributed denial of service attacks just keep getting bigger. On Tuesday, a coalition of tech giants revealed the biggest one yet, a DDoS campaign from August that compressed a month’s worth of Wikipedia traffic into a two-minute deluge and exploited a flaw in the fundamental technology powering the internet to do it. 
    • “At its peak, the DDoS campaign described by Google, Cloudflare and Amazon AWS reached more than 398 million requests per second (RPS) — more than eight times larger than the biggest DDoS attack previously observed by Google, which clocked in at 46 million RPS, according to the firm. The new attack uses a novel method that exploits a zero-day vulnerability dubbed “HTTP/2 Rapid Reset,” which takes advantage of the protocol that manages how computers request data from websites.
    • “For a sense of scale, this two-minute attack generated more requests than the total number of article views reported by Wikipedia during the entire month of September 2023,” Google said Tuesday.
    • “The DDoS attacks using the vulnerability have been ongoing since August and have targeted major infrastructure providers like Google Cloud, Cloudflare and Amazon Web Services.”
  • The Cybersecurity and Infrastructure Security Agency added five known exploited vulnerabilities to its catalog on Tuesday, October 10, 2023.

From the ransomware front,

  • Per Cybersecurity Dive,
    • “Threat actors can break into an organization’s infrastructure to initiate ransomware attacks in many ways, but vulnerability exploits remain an effective and productive tool for financially-motivated cybercriminals, data from the Cybersecurity and Infrastructure Security Agency shared Thursday illustrates.
    • “Nearly 1 in 5 exploited common vulnerabilities and exposures (CVE) are also known to be used in ransomware attacks, according to CISA’s Known Exploited Vulnerabilities Catalog.
    • “The database of 1,019 exploited CVEs, some dating back to 2002, was updated Thursday to include those with known ransomware exploits. At least 184 CVEs have known use in ransomware attacks, according to CISA.
    • “Of those, more than 2 in 5 of the vulnerabilities exploited by threat actors to conduct ransomware are linked to Microsoft products, which are ubiquitous in the enterprise.”
  • Here’s a link to the referenced CISA report, which was released on October 12, 2023.
  • CISA “released [on October 11, 2023] a joint Cybersecurity Advisory (CSA), #StopRansomware: AvosLocker Ransomware (Update) to disseminate known indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), and detection methods associated with the AvosLocker variant identified through FBI investigations as recently as May 2023.”
  • HHS’s Healthsector Cybersecurity Coordination Center (HC3) issued an Analyst Note on NoEscape Ransomware on October 12.
    • “A relatively new threat actor and ransomware to the cybercriminal community, NoEscape ransomware emerged in May 2023, but is believed to be a rebrand of Avaddon, a now-defunct ransomware group shut down in 2021. Unlike many of its contemporaries, however, the unknown developers of this ransomware claim that in lieu of using source code or leaks from other established ransomware families, they have constructed their malware and its associated infrastructure entirely from scratch. Using unique features and aggressive multi-extortion tactics, in just under a year, it has targeted multiple industries, including the Healthcare and Public Health (HPH) sector. Their recent activities highlight the prominence and influence they have as a Ransomware-as-a-Service (RaaS) group. What follows is an overview of the group, possible connections to the Avaddon threat group, an analysis of NoEscape’s ransomware attacks, its target industries and victim countries, sample MITRE ATT&CK techniques, and recommended defense and mitigations against the ransomware.”
  • Bleeping Computer’s The Week in Ransomware” returned this week.
    • Researchers and government agencies released some interesting news this week:
      • “A new Q3 2023 Ransomware Trends Summary shows that ransomware continues to explode, with Q3 being the most successful quarter ever recorded.
      • “The FBI shared technical details, defense tips, and IOCs for the AvosLocker ransomware, which has not been active lately.
      • “Ransomware attacks have now started to target unpatched WS_FTP servers. However, these attacks are more encryption-focused rather than for data theft.”

From the cybersecurity defenses front.

  • HC3 offers a PowerPoint on cybersecurity incident response plans.
  • Forbes points out the top 10 cybersecurity trends to prepare you for next year and explains why 18 factors and metrics can prove the value of cybersecurity initiatives.
  • Health IT Security reports on three best practices for maturing healthcare third party risk management.
  • An ISACA expert delves into “Quantum-Resistant Cryptography.”
    • “Crypto-agility was introduced in this year’s Gartner Hype Cycle, an annual analysis released for data security and emerging technologies. Gartner added both crypto-agility and post-quantum cryptography for the first time this year. The presence of data-in-use technologies in the Hype Cycle reflects the focus on data-in-transit security.
    • “It is imperative that organizations watch this space closely and upgrade encryption algorithms used in real time, because sovereign data strategies and digital communications governance are crucial areas to develop. In fact, CISA (Cybersecurity and Infrastructure Security Agency) was already urging organizations to prepare for the dawn of this new age in August.”