Cybersecurity Saturday

From the cybersecurity policy front,

  • The Federal Employees Health Benefits Program has two sets of regulations — OPM’s rules found at 5 CFR Part 890 and, because federal procurement contracts create FEHB plans, the Federal Acquisition Regulation (FAR) at 48 CFR Chap. 1 and OPM’s implementing FEHB Acquisition Regulation (FEHBAR) found at 48 CFR Chap. 16. It’s worth noting that the FAR was first issued forty years ago.
  • The Holland and Knight law firm discusses two proposed FAR cybersecurity rules published on October 3, 2023. The first one (FAR Case No. 2021-17), captioned “Cyber Threat and Incident Reporting and Information Sharing,” will apply to the FEHB Program as it generally imposes obligations on federal contractors. The other rule (FAR Case No. 2021-19), captioned “Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems,” will not apply to the FEHB because carrier systems are not federal information systems. The public comment deadline for the two proposed rules is December 4, 2023.
  • The National Security Agency announced on October 5, 2023,
    • “The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing a joint Cybersecurity Advisory (CSA) highlighting the top ten most common cybersecurity misconfigurations found in large organizations’ networks. The CSA details tactics, techniques, and procedures (TTPs) that cyber actors could use to compromise these networks, as well as mitigations to defend against this threat. * * *
    • “As indicated in the CSA, these most common misconfigurations illustrate a trend of systemic weaknesses in several large organizations and the importance of software manufacturers embracing secure-by-design principles to reduce the risk of compromise.
    • “Some of the misconfigurations mentioned in the CSA include default configurations of software and applications, weak or misconfigured multifactor authentication (MFA) methods, and unrestricted code execution.
    • “NSA and CISA encourage network defenders and software manufacturers to implement the recommendations found within the Mitigations section of this advisory to reduce the risk of compromise. The agencies also recommend network owners and operators examine their networks for similar misconfigurations even when running other software not specifically mentioned in the advisory.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) announced on October 4, 2023,
    • “CISA and the National Security Agency (NSA) published Identity and Access Management: Developer and Vendor Challenges, authored by the Enduring Security Framework (ESF), a CISA- and NSA-led working panel that includes a public-private cross-sector partnership. ESF aims to address risks that threaten critical infrastructure and national security systems.
    • “This publication, which follows ESF’s Identity and Access Management Recommended Best Practices Guide for Administrators, assesses and addresses challenges developers and technology manufacturers face in identity and access management (IAM). The guidance specifically addresses technology gaps that limit the adoption and secure employment of multifactor authentication (MFA) and single sign-on (SSO) technologies within organizations.
    • “Although the publication primarily addresses challenges facing large organizations, it also provides recommendations applicable to smaller organizations. CISA encourages cybersecurity defenders to review this guidance and to speak to their software vendors about implementing its recommendations.”
  • The Health Sector Cybersecurity Coordination Center (HC3) released on October 4, 2023, a sector alert about securing remote access and management software.
    • “Cybersecurity and law enforcement agencies such as CISA, MS-ISAC, CIS, and the FBI have been reporting on increased misuse of remote access software to target organizations and critical infrastructure sectors.
    • “For implications to the Healthcare and Public Health (HPH) sector, remote access solutions keep healthcare professionals connected while also providing increased flexibility and convenience. But the same solutions used to operate, maintain, and secure healthcare systems and networks can also be turned against their own infrastructure. Mitigating the risk associated with them is not as simple as deploying a patch or reconfiguring an application.”
  • The Health Sector Council released an updated Health Industry Cybersecurity Supply Chain Risk Management Guide – Version 2023 (HIC-SCRiM-v2)
    • The HIC-SCRiM is a toolkit for small to mid-sized healthcare institutions to better ensure the security of the products and services they procure through an enterprise supply chain cybersecurity risk management program.

From the cybersecurity breaches and vulnerabilities front,

  • HC3 announced on October 6, 2023,
    • “Cisco recently released an update that fixes a critical vulnerability in their Emergency Responder communications platform, a system that is utilized in the health sector. The exploitation of this vulnerability allows for a cyberattacker to completely compromise a vulnerable system and then utilize it for further cyberattacks across an enterprise network. HC3 recommends healthcare organizations identify vulnerable systems in their infrastructure and prioritize the implementation of this update.”
  • HC3 posted its report on September vulnerabilities of interest to the health sector on October 5, 2023.
    • In September 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for September are from Microsoft, Google/Android, Cisco, Apple, Mozilla, SAP, Fortinet, VMWare, Progress Software, and Adobe.
    • A vulnerability is given the classification as a zero-day when it is actively exploited with no fix available or if it is publicly disclosed.
    • HC3 recommends patching all vulnerabilities with special consideration to the risk management posture of the organization.
  • CISA added one known exploited vulnerability to its catalog on October 2, another one on October 3, two more on October 4 (and deleted five catalog entries) and three more on October 5, 2023.
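The weekly KEV tallies above are easy to reproduce from CISA’s published catalog feed, which is a JSON document with one record per CVE. The following is an added example (not code from the page, CISA, or any vendor) that groups additions by day, lists entries whose BOD 22-01 remediation due date has passed, and pulls out the ones flagged for ransomware use. The field names follow the published KEV feed; the four records are constructed for illustration and are not real catalog entries.

```python
"""Track additions to CISA's Known Exploited Vulnerabilities (KEV) catalog by date."""
import json
from collections import defaultdict
from datetime import date

# Constructed sample in the shape of the KEV JSON feed. The field names are the
# ones the published feed uses; the four records below are illustrative only and
# are not real catalog entries.
SAMPLE_KEV = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2023.10.05",
    "dateReleased": "2023-10-05T00:00:00.0000Z",
    "count": 4,
    "vulnerabilities": [
        {"cveID": "CVE-2023-0001", "vendorProject": "ExampleCo", "product": "Gateway",
         "vulnerabilityName": "ExampleCo Gateway Authentication Bypass",
         "dateAdded": "2023-10-02", "shortDescription": "Illustrative entry.",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "dueDate": "2023-10-23", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-2023-0002", "vendorProject": "ExampleCo", "product": "Portal",
         "vulnerabilityName": "ExampleCo Portal Path Traversal",
         "dateAdded": "2023-10-03", "shortDescription": "Illustrative entry.",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "dueDate": "2023-10-24", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-2023-0003", "vendorProject": "OtherCorp", "product": "VPN",
         "vulnerabilityName": "OtherCorp VPN Remote Code Execution",
         "dateAdded": "2023-10-04", "shortDescription": "Illustrative entry.",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "dueDate": "2023-10-25", "knownRansomwareCampaignUse": "Known", "notes": ""},
        {"cveID": "CVE-2023-0004", "vendorProject": "OtherCorp", "product": "Agent",
         "vulnerabilityName": "OtherCorp Agent Privilege Escalation",
         "dateAdded": "2023-10-04", "shortDescription": "Illustrative entry.",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "dueDate": "2023-10-25", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})


def load_catalog(raw):
    """Parse the feed JSON and return the list of vulnerability records."""
    return json.loads(raw)["vulnerabilities"]


def additions_between(entries, start, end):
    """Map each dateAdded within [start, end] (ISO date strings, inclusive) to its sorted CVE IDs."""
    lo, hi = date.fromisoformat(start), date.fromisoformat(end)
    by_day = defaultdict(list)
    for v in entries:
        if lo <= date.fromisoformat(v["dateAdded"]) <= hi:
            by_day[v["dateAdded"]].append(v["cveID"])
    return {day: sorted(ids) for day, ids in sorted(by_day.items())}


def overdue(entries, as_of):
    """CVE IDs whose BOD 22-01 remediation dueDate is strictly before the given ISO date."""
    today = date.fromisoformat(as_of)
    return sorted(v["cveID"] for v in entries if date.fromisoformat(v["dueDate"]) < today)


def ransomware_linked(entries):
    """CVE IDs the catalog marks as known to be used in ransomware campaigns."""
    return sorted(v["cveID"] for v in entries if v.get("knownRansomwareCampaignUse") == "Known")


if __name__ == "__main__":
    catalog = load_catalog(SAMPLE_KEV)
    for day, ids in additions_between(catalog, "2023-10-02", "2023-10-05").items():
        print(day, len(ids), ", ".join(ids))
    print("overdue as of 2023-10-24:", overdue(catalog, "2023-10-24"))
    print("ransomware-linked:", ransomware_linked(catalog))
```

To run this against live data, replace `SAMPLE_KEV` with the body of the feed linked from CISA’s KEV catalog page; the parsing and grouping do not change. Note that `dueDate` binds federal civilian agencies under BOD 22-01, so a non-federal organization such as an FEHB carrier should treat it as a benchmark rather than a mandate.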

From the cybersecurity defenses front,

  • Cybersecurity Dive discusses what to consider when choosing cybersecurity providers.
  • Dark Reading proposes “five steps [by which] organizations can develop stronger security practices and make the inevitable breaches inconsequential.”
  • An ISACA expert explains how to comply with multiple security standards and frameworks.
  • Another ISACA expert discusses common privacy dark patterns and ways to improve digital trust.

Cybersecurity Saturday

From the cybersecurity policy front,

  • The Cybersecurity and Infrastructure Security Agency announced
    • “[T]he kickoff of the 20th Cybersecurity Awareness Month. Throughout October, CISA and the National Cybersecurity Alliance (NCA) will focus on ways to “Secure Our World” by educating the public on how to stay safe online. “Secure Our World” will also be the enduring theme throughout the year as we work to drive behavioral change around core cybersecurity habits by providing everyone with the knowledge and tools they need.
    • “As cyber threats become more sophisticated, individuals and families, small and medium businesses, and large companies all have an important role to play in keeping our digital world safe and secure,” said CISA Director Jen Easterly. “This Cybersecurity Awareness Month we are asking everyone to do their part to ‘Secure Our World’ by adopting key behaviors that promote online safety and security.” * * *
    • “CISA encourages everyone to explore the resources on our Cybersecurity Awareness Month website, which includes a toolkit, tip sheets, and animated videos.”
  • Cyberscoop also reports on CISA’s campaign.
  • The National Institutes of Standards and Technology tells us
    • “The Human-Centered Cybersecurity program (formerly Usable Cybersecurity) is part of the Visualization and Usability Group at NIST. It was created in 2008, but we’ve known for quite some time that we needed to rename our program to better represent the broader scope of work we provide for the cybersecurity practitioner and IT professional communities. We made the decision to update the name to Human-Centered Cybersecurity to better reflect our new (but long-time practiced) mission statement, “championing the human in cybersecurity.” With our new name, we hope to highlight that usability still (and always) will be a very important focus for us, but it is just one component within the broader arena of work in which we specialize.   
    • “Our multi-disciplinary team conducts research at the intersection of cybersecurity, human factors, cognitive science, and psychology. We seek to better understand and improve people’s interactions with cybersecurity systems, products, and services. 
    • “To learn more about our latest projects, watch our latest videos, meet the team, or to view our publications, visit our revamped website https://csrc.nist.gov/projects/human-centered-cybersecurity.” 

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive reports,
    • “Progress Software quietly alerted customers to eight vulnerabilities in WS_FTP Server, another file-transfer service from the company behind MOVEit.
    • “The company shared the news the day after its fiscal third-quarter earnings call.
    • “Two of the eight vulnerabilities are critical, with CVSS scores of 10 and 9.9 out of 10, CVE-2023-40044 and CVE-2023-42657, respectively. All versions of the file-transfer service, which allows customers to remotely manage their service from any internet connection, are impacted, the company said Wednesday. Thousands of IT teams use WS_FTP Server, according to a product page.
    • “There’s no indication any of the vulnerabilities in WS_FTP Server have been exploited, a Progress Software spokesperson told Cybersecurity Dive.”
  • Yesterday, the Health Sector Cybersecurity Coordination Center (HC3) issued a related Sector Alert.
    • “Progress Software, the maker of the MOVEit file transfer software, which was widely exploited by the CL0P ransomware-as-a-service (RaaS) group, has released a new advisory regarding multiple vulnerabilities in the WS_FTP Server, a file transfer product. Two of the vulnerabilities were rated as critical and are being tracked as CVE-2023-40044, which can allow an attacker to execute remote commands, and as CVE-2023-42657, which is a directory traversal vulnerability. Due to the recent and malicious targeting of Progress Software’s products to compromise Healthcare and Public Health (HPH) sector entities, HC3 strongly encourages patching and upgrading these devices to prevent serious damage to the HPH sector.”
  • Dark Reading also discusses this development.
  • Also on Friday, HC3 issued an Analyst Note on LokiBot malware.
    • “Active since 2015 and among the most prevalent and persistent strains of malware families since 2018, LokiBot has matured to target multi-sector industries. Despite its apolitical targeting of critical infrastructure, the malware’s adverse effect on the Healthcare and Public Health (HPH) sector shows its reach.
    • “In March 2020, a multi-threat actor spearphishing campaign to spread LokiBot malware with a false World Health Organization trademark image solidified its threat to the HPH sector. In addition to other malware analyses, HC3 reported this specific cyberattack in a 2020 HC3 Sector Note on LokiBot. The malware has been widely used for years, and it takes a lot of effort to monitor because of behavior changes. However, some best practices exist for protecting against LokiBot and managing its impact.
    • “What follows [in the analyst note] is an update to the previous HC3 analysis of LokiBot, a timeline of multi-sector targeted applications, detection strategies, sample MITRE ATT&CK techniques, indicators of compromise, and recommended defenses and mitigations against the malware.”
  • According to a post on Wednesday,
    • “[T]he U.S. National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Cybersecurity and Infrastructure Security Agency (CISA), along with the Japan National Police Agency (NPA) and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) released joint Cybersecurity Advisory (CSA) People’s Republic of China-Linked Cyber Actors Hide in Router Firmware. The CSA details activity by cyber actors, known as BlackTech, linked to the People’s Republic of China (PRC). The advisory provides BlackTech tactics, techniques, and procedures (TTPs) and urges multinational corporations to review all subsidiary connections, verify access, and consider implementing zero trust models to limit the extent of a potential BlackTech compromise.
    • “BlackTech has demonstrated capabilities in modifying router firmware without detection and exploiting routers’ domain-trust relationships to pivot from international subsidiaries to headquarters in Japan and the United States, which are the primary targets.
    • “CISA strongly recommends organizations review the advisory and implement the detection and mitigation techniques described to protect devices and networks. For additional guidance, see People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices and visit CISA’s China Cyber Threat Overview and Advisories page.”
  • Cyberscoop lets us know,
    • North Korean cyberespionage operation targeted employees of an aerospace company in Spain using a previously unreported backdoor and a creative phishing campaign featuring a phony Silicon Valley recruiter, demonstrating a “significant advancement in malicious capabilities,” researchers with the cybersecurity firm ESET said Friday.
    • Hackers linked with North Korea’s Lazarus Group — an umbrella term for a collection of North Korean cyber units — posed as a recruiter for Meta and contacted employees of the unnamed company via LinkedIn and sent two coding challenges supposedly part of the hiring process but which were in fact laced with malware, Peter Kálnai, an ESET researcher, wrote in a report published Friday.
    • The operation, carried out some time last year, is just the latest example of North Korean-linked cyber operations using phony job opportunities to target various professionals, including journalists, security researchers and software developers, among others. 
  • Over the past week, CISA added three known exploited vulnerabilities to its catalog on Monday and another on Thursday.
  • Per Health IT Security,
    • Advanced email attacks remain a top threat to organizations around the world, including those in the healthcare sector, Abnormal Security observed in its latest blog post. Abnormal saw a 167 percent increase in advanced email attacks in 2023, which included business email compromise (BEC), malware, credential phishing, and extortion.

From the ransomware front,

  • BitDefender reported on Thursday,
    • “Johnson Controls, a multinational conglomerate that secures industrial control systems, security equipment, fire safety and air conditioning systems, has been hit by a massive cyber attack.
    • “The company, which employs over 100,000 people around the world, suffered a ransomware attack over the weekend which left data encrypted and caused it to shut down sections of its IT infrastructure.
    • “The Dark Angels ransomware group has claimed responsibility for the attack and claims to have exfiltrated over 25 TB of data from the organization. The threat? If a whopping $51 million ransom is not paid, Dark Angels say that the stolen data will be published on the “Dunghill Leaks” site.”

From the cybersecurity defenses front,

  • An ISACA expert discusses lessons learned from Microsoft’s “massive” data exposure incident.
  • CIO explores the changing face of cybersecurity threats this year.
  • The Wall Street Journal looks into why employees ignore workplace cybersecurity rules.
    • “People are able to justify their bad behavior with rationalizations. Companies need to tackle the lies we tell ourselves head on.”
  • The GAO issued
    • “A Cybersecurity Program Audit Guide (CPAG) to be used in conducting cybersecurity performance audits. The intent of the guide is to arm cyber analysts and auditors with a set of methodologies, techniques, and audit procedures to evaluate components of agency cybersecurity programs and systems. GAO welcomes federal and other governmental organizations to use this guide to assess their cybersecurity programs.”
  • The Wall Street Journal reports,
    • “It’s telling that, in a year that was pretty economically challenging, security didn’t plummet in terms of spending,” said Nick Kakolowski, director of research at IANS Research, a cybersecurity advisory group.
    • “Cyber budgets grew this year for the most part, but modestly, IANS found in a study with recruiting company Artico Search. After double-digit increases in 2020 and 2021, the average growth in cybersecurity budgets for 2023 was 6%, according to the survey of 550 security executives. As a portion of overall technology budgets, cyber accounted for 11.6%, the study found. Around 37% of respondents to the survey said their cyber budgets were flat or reduced, the survey found.”
Cybersecurity Saturday

From Washington, DC —

  • Health IT Security reports,
    • “The Department of Homeland Security (DHS) issued recommendations to Congress about how the federal government could improve critical infrastructure cyber incident reporting in a new report. Notable recommendations include streamlining the reporting process by establishing a single reporting web portal, as well as creating a model incident report form that federal agencies can adopt.
    • “The report, aptly titled “Harmonization of Cyber Incident Reporting to the Federal Government,” was a deliverable required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), signed into law in March of last year. CIRCIA enabled the creation of the Cyber Incident Reporting Council (CIRC), which took the lead on the report and represents leaders from 33 federal agencies.
    • “The report acknowledged ongoing challenges that stem from duplicative federal cyber incident reporting requirements. Currently, there are 52 cyber incident reporting requirements either in effect or proposed across the federal government.”
  • FEHBlog note – At least 53 cyber incident reporting requirements exist as the DHS report overlooks OPM’s requirements for FEHB plan carriers.
  • What’s more,
    • SUMMARY: The Office of the National Cyber Director (ONCD) invites public comments on opportunities for and obstacles to harmonizing cybersecurity regulations, per Strategic Objective 1.1 of the National Cybersecurity Strategy. ONCD seeks input from stakeholders to understand existing challenges with regulatory overlap, and explore a framework for reciprocity (the recognition or acceptance by one regulatory agency of another agency’s assessment, determination, finding, or conclusion with respect to the extent of a regulated entity’s compliance with certain cybersecurity requirements) in regulator acceptance of other regulators’ recognition of compliance with baseline requirements.
    • DATES: The original comment deadline for this RFI was 5 p.m. EDT September 15, 2023. ONCD has extended the deadline for comments to be received to 5 p.m. EDT October 31, 2023.
    • ADDRESSES: Interested parties may submit comments through www.regulations.gov
    • Cyberscoop discusses this initiative here.
  • Per Cybersecurity Dive,
    • “FBI Director Christopher Wray urged private sector organizations to help the agency by coming forward with information regarding malicious cyber activity. 
    • “Wray told attendees at Mandiant’s annual mWISE 2023 conference Monday that many of the agency’s successful cyber operations in recent years were accomplished with the assistance of private sector partners. He emphasized organizations would be treated properly as victims of malicious actors and not punished for their cooperation.
    • “We know the private sector hasn’t always been excited about working with federal law enforcement, but when you contact us about an intrusion, we won’t be showing up in raid jackets,” Wray told conference attendees. “Instead, we’ll treat you like the victims you are – just like we treat all victims of crimes.”
  • and
    • The U.S. has made significant progress towards developing a more resilient cybersecurity infrastructure after implementing about 70% of the Cyberspace Solarium Commission’s recommendations, according to a report from CSC 2.0.
    • CSC co-chairs Sen. Angus King, I-Maine, and Rep. Mike Gallagher, R-Wisc., praised the launch and implementation of the National Cybersecurity Strategy during a presentation Tuesday in Washington D.C., but said more work needed to be done on deterrence. 
    • Key gaps remain in the nation’s cybersecurity posture, including the need to create more resilient federal networks and strengthen key critical infrastructure sectors, such as healthcare, agriculture and water.

From the cybersecurity business front,

  • Cybersecurity Dive reports
    • “Cisco reached a deal valued at $28 billion in cash, or $157 per share, to buy software observability firm Splunk, the companies announced Thursday. The deal, which marks Cisco’s largest-ever acquisition, is built around the “complementary capabilities” across AI, security and observability between Cisco and Splunk. 
    • “Cisco expects the deal to become cash flow positive and gross margin accretive within the first fiscal year after the deal closes, which is expected in Q3 2024. The agreement, which has been unanimously approved by the board of directors at Cisco and Splunk, remains subject to regulatory approval.
    • “Splunk President and CEO Gary Steele will join the executive leadership team at Cisco, reporting directly to Chair and CEO Chuck Robbins.”

From the cybersecurity breaches and vulnerabilities front,

  • HHS’s Healthcare Sector Cybersecurity Coordination Center (HC3) released its August 2023 cybersecurity vulnerability bulletin.
    • “In August 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for August are from Microsoft, Google/Android, Cisco, Apple, Mozilla, Fortinet, VMWare, and Adobe. A vulnerability is given the classification as a zero-day if it is actively exploited with no fix available or is publicly disclosed. HC3 recommends patching all vulnerabilities, with special consideration given to the risk management posture of the organization.”
  • HC3 also pointed out last week,
    • “Cisco Talos has published an open-source report regarding the North Korean state-sponsored actor, the Lazarus Group, reported to be targeting internet backbone infrastructure and healthcare entities in Europe and the United States. The attackers have been exploiting a vulnerability in ManageEngine products, which is tracked as CVE-2022-47966. This vulnerability was added to CISA’s Known Exploited Vulnerabilities Catalog in January 2023. Through this exploit, the attackers are deploying the remote access trojan (RAT) known as “QuiteRAT.” Security researchers previously identified this malware in February 2023, and it is reportedly the successor to the group’s previously used malware “MagicRAT,” which contains many of the same capabilities. Further analysis of this campaign has also shown that the group is using a new malware tool called “CollectionRAT,” which appears to operate like most RATs by allowing the attacker to run arbitrary commands among other capabilities. Both CISA and the FBI have previously warned that these types of vulnerabilities are common attack methods for malicious actors and can pose a significant risk to healthcare and public health organizations. HC3 strongly encourages organizations to update these systems.”
  • HC3 posted a PowerPoint on Chinese and North Korean cybercrime. In sum,
    • “Chinese and North Korean “cybercriminal groups” act as unique threats to the U.S. health sector.
    • “China and North Korea are significant cyber powers–China in absolute terms and North Korea in relative terms.
    • “Domestic politics in both organizations has created a unique cybercriminal ecosystem, where the only significant cybercriminals threatening the U.S. health sector are state-sponsored.
    • “Most significant criminal gangs (i.e., are financially motivated) have all the sophistication of many other cybercriminal gangs but also have the resources (technological, financial and diplomatic) of a state behind them.”
      • “They are state-backed criminals, and they target a number of industries, including the U.S. health sector.”
  • This week, CISA added eight known exploited vulnerabilities to its catalog on September 18, another on September 19, and one more on September 21.
  • SecurityWeek calls attention to
    • “Apple’s announcement on Thursday [September 20] that its latest operating system updates patch three new zero-day vulnerabilities. Based on the previous work of the organizations credited for reporting the flaws, they have likely been exploited by a spyware vendor.”

From the ransomware front,

  • On September 20,
    • “The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released joint Cybersecurity Advisory (CSA) #StopRansomware: Snatch Ransomware, which provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with the Snatch ransomware variant. FBI investigations identified these IOCs and TTPs as recently as June 1, 2023.
    • “Snatch threat actors operate a ransomware-as-a-service (RaaS) model and change their tactics according to current cybercriminal trends and successes of other ransomware operations.”
  • From Dark Reading,
    • “Akira ransomware has continued to evolve since emerging as a threat in March, expanding its reach from initially targeting Windows systems to include Linux servers and employing a growing array of tactics, techniques, and procedures (TTPs).
    • An in-depth report on Akira from LogPoint breaks down the “highly sophisticated” ransomware, which encrypts victim files, deletes shadow copies, and demands ransom payment for data recovery. 
    • “The infection chain actively targets Cisco ASA VPNs lacking multifactor authentication to exploit the CVE-2023-20269 vulnerability as an entry point.
    • “As of early September, the group had successfully hit 110 victims, focusing on targets in the US and the UK.”

From the cyberdefenses front,

  • Cybersecurity Dive explains why,
    • “Security has an underlying defect: passwords and authentication. Cyberattacks are fueled by the shortcomings of business authentication controls. Bad things happen when access falls apart and credentials land in the wrong hands.”
  • An ISACA expert discusses how to mitigate emerging technology risks.

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cyberscoop tells us,
    • “An advisory committee to the Cybersecurity and Infrastructure Security Agency [CISA] delivered a long list of recommendations on Wednesday that encourage the agency to take measures to increase the cybersecurity expertise on corporate boards of directors, develop a national cybersecurity alert mechanism and better protect high-risk communities from surveillance. 
    • “These policy measures were just a few of more than 100 recommendations made to CISA Director Jen Easterly, who called the findings “transformative.”
    • “The recommendations of CISA’s Cybersecurity Advisory Committee will need to be made into policy by Easterly, but in the past, she has mostly embraced the recommendations of the committee, which is made up of former top-ranking officials, executives and lawmakers, such as former National Cyber Director Chris Inglis, former Rep. Jim Langevin and Southern Company CEO Tom Fanning, who chairs the panel.” 
  • Per Health IT Security,
    • “Healthcare stakeholders have an opportunity to provide feedback to the Senate on improving health data privacy in the US, thanks to a request from US Senator Bill Cassidy (R-LA), a ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee.  
    • “Cassidy issued a request for information (RFI) from stakeholders to gain insights into improving health data privacy and modernizing HIPAA. The deadline to submit feedback to Cassidy’s team is September 28.”
  • Cybersecurity Dive points out,
    • “The White House is looking to add oversight capabilities to strengthen cybersecurity for critical infrastructure. The administration has been working with various cabinet agencies to bolster cybersecurity in water, rail, aviation, energy and other sectors. 
    • “However, Anne Neuberger, deputy national security advisor for cyber and emerging technology, speaking during the Billington Cybersecurity Summit in Washington D.C., raised the possibility of a letter grade rating that would hold key providers accountable for maintaining a certain level of cyber resilience. 
    • “As good as public-private partnerships are, the administration sees additional enforcement ability as necessary.” 
  • The Wall Street Journal offers its September 2023 cybersecurity regulatory update.
    • “In this quarter’s edition: updates on recently passed regulations from the U.S. Securities and Exchange Commission and the New York Department of Financial Services, new regulatory measures introduced by the California Privacy Protection Agency, the new cybersecurity strategy in New York state, and expert commentary on the draft regulations recently published by CPPA.”

From the cybersecurity breaches and vulnerabilities front,

  • Per Cybersecurity Dive,
    • “The dark web marketplaces dedicated to the trade of credentials and vulnerabilities boast some big names in enterprise compromises, Flashpoint research released Tuesday [September 12] shows.
    • “Three reported purchases of vulnerability exploits on the dark web during the first half of the year included high profile, actively exploited CVEs, according to the threat intelligence firm.
    • “The remote code execution vulnerability in Barracuda’s email security gateway appliances, CVE-2023-2868, was purchased for $15,000 during Q2. Barracuda disclosed and attempted to patch the actively exploited zero-day vulnerability in May, but the patches failed, and exploits are still underway.
    • “Flashpoint said its threat intelligence analysts observed a post expressing interest in the exploit on June 16, and another user offered help in response two days later.”
  • Dark Reading informs us,
    • “A global cyber-espionage campaign conducted by the Iranian nation-state actor known as Peach Sandstorm (aka Holmium) has successfully plucked targets in the satellite, defense, and pharmaceutical sectors, Microsoft is warning. 
    • “The cyber offensive has been active since February, according to a blog post from Microsoft Threat Intelligence, which concluded that the campaign used masses of password spray attacks between February and July to authenticate to thousands of environments and exfiltrate data, all in support of Iranian state interests.
    • “The password spray method of attack is a type of brute-force method used by hackers to gain unauthorized access to user accounts and systems. Password spraying involves attempting to access multiple accounts using common passwords, reducing the risk of account lockouts.”
  • Tripwire reports
    • “Apple has released emergency security updates for the flaws found in macOS, iOS, iPadOS, and watchOS used in the BLASTPASS exploit chain. As Bleeping Computer reports, Citizen Lab has warned Apple customers to apply the updates immediately and consider turning on Lockdown Mode if they suspect they’re particularly vulnerable to being targeted by sophisticated hackers. CISA has added the flaws to its catalog of known exploited vulnerabilities, saying that they pose “significant risks to the federal enterprise” and ordered all federal agencies to patch against them by October 2, 2023.”
  • Security Week notes
    • “Deepfake is a term used to describe synthetic media — typically fake images and videos. Deepfakes have been around for a long time, but advancements in artificial intelligence (AI) and machine learning (ML) have made it easier and less costly to create highly realistic deepfakes. 
    • “Deepfakes can be useful for propaganda and misinformation operations. For example, deepfakes of both Russia’s president, Vladimir Putin, and his Ukrainian counterpart, Volodymyr Zelensky, have emerged since the start of the war.
    • “However, in their new report, the FBI, NSA and CISA warn that deepfakes can also pose a significant threat to organizations, including government, national security, defense, and critical infrastructure organizations.” 
  • HelpNetSecurity warns
    • “Your security solutions might stave off a LockBit infection, but you might still end up with encrypted files: according to Symantec’s threat researchers, some affiliates are using the 3AM ransomware as a fallback option in case LockBit gets flagged and blocked.”

From the ransomware front,

  • The Healthcare Sector Cybersecurity Coordination Center provides us with a sector alert on Akira Ransomware.
    • “Akira is a Ransomware-as-a-Service (RaaS) group that started operations in March 2023. Since its discovery, the group has claimed over 60 victims, which have typically ranged in the small- to medium-size business scale. Akira has garnered attention for a couple of reasons, such as their retro 1980s-themed website and the considerable demands for ransom payments ranging from $200,000 to $4 million. Akira has been observed obtaining initial malware delivery through several methods, such as leveraging compromised credentials and exploiting weaknesses in virtual private networks (VPN), typically where multi-factor authentication (MFA) is not being used. Like many ransomware groups, they employed the double-extortion technique against their victims by exfiltrating data prior to encryption. It is also believed that the group may contain some affiliation with Conti due to observed overlap in their code and cryptocurrency wallets. The group has targeted multiple sectors, including finance, real estate, manufacturing, and healthcare.”
  • Here is a link to the latest Bleeping Computer Week in Ransomware, which features an attack on Las Vegas.

From the cybersecurity defenses front,

  • Health IT Security calls our attention to
    • The Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) announce[ing] the release of version 3.4 of the Security Risk Assessment (SRA) Tool, further enhancing the user experience and helping covered entities navigate risk assessment requirements under the HIPAA Security Rule.
    • “OCR and ONC developed the SRA Tool to help small- and medium-sized healthcare providers identify and assess risks and vulnerabilities to electronic protected health information (ePHI). The tool is a software application that organizations can download at no cost.”
  • Check out the 405(d) Post, which offers “Five Key Insights from The Healthcare Cybersecurity Benchmarking Study.”
  • An ISACA expert explores risk assessment in a rapidly changing threat landscape.
  • CSO offers “Ten principles to ensure strong cybersecurity in agile development.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • We learn from Cybersecurity Dive that
    • Final work is underway for the Cyber Incident Reporting for Critical Infrastructure Act, which Cybersecurity and Infrastructure Security Agency Director Jen Easterly expects to be done by the end of this year or early 2024 at the latest, she said Wednesday at the Billington Cybersecurity Summit. The act, signed in March 2022, requires critical infrastructure providers to report major cyber incidents and ransomware payments to the agency.
    • “But until we have that in place, we need to make sure we are communicating around threats, realizing that a threat to one is a threat to many,” Easterly said. 
    • Easterly said the agency has made significant progress in building a collaborative model for sharing intelligence and gaining visibility into threats facing the nation, but said more work still needs to be done.
  • Per Fedscoop,
    • “New policy guidance is coming soon to help agencies comply with the Federal Risk and Authorization Management Program (FedRAMP) as the cloud landscape evolves, according to the federal government’s No. 2 IT official.
    • “Drew Myklegard, deputy federal CIO, said Thursday at FedScoop’s FedTalks that the forthcoming guidance comes as the federal cloud marketplace has evolved to be more dominated by software-as-a-service (SaaS) and platform-as-a-service (PaaS) offerings. 
    • “The landscape has changed. SaaS — and now it’s heavy, heavy SaaS — and a lot of PaaS providers really need access to the government and their mission. So now we’re pivoting and it takes a couple of years to do that, but we’re pivoting towards that market,” Myklegard said.
    • “He continued: “We’ve seen an exponential growth every couple of years of these SaaS providers and the tools. But what we haven’t seen is similar exponential growth in their adoption, at least like ATO-ed [authority to operate], secured and monitored by the CIOs out there of those types of products.”

From the cybersecurity breaches and vulnerabilities front,

  • The Wall Street Journal reports,
    • “A record year for cyberattacks on U.S. hospitals is putting patients in danger, as hospitals struggle to cope with disabled equipment and frozen data, an official from the American Hospital Association warned Thursday.
    • “Hackers, especially ransomware groups, are routinely taking down medical applications and internet connections, and freezing up patient and operations data, John Riggi, national adviser for cybersecurity and risk at the AHA, said, speaking at a meeting of the Healthcare Information and Management Systems Society. 
    • “Email and phones go down. Backup computers generally don’t work or have only about three days of data on them,” Riggi said. “We have seen this consistently,” he told the audience of healthcare technology and cyber leaders.”
  • The American Hospital Association adds,
    • “The U.S. Treasury Department, in coordination with the United Kingdom, Sept. 7 sanctioned 11 individuals who are part of the Russia-based Trickbot cybercrime group, whose targets have included hospitals and other critical infrastructure organizations. The Department of Justice also unsealed indictments against nine individuals in connection with Trickbot malware and Conti ransomware, including seven of the sanctioned individuals. According to the agencies, the Trickbot group in 2020 launched a wave of ransomware disruptions against U.S. hospitals and health care facilities, in one case deploying ransomware that disrupted computer networks and telephones at three Minnesota facilities and caused them to divert ambulances.”  
  • Last week, the Cybersecurity and Infrastructure Security Agency added one known exploited vulnerability to its catalog.
  • Cybersecurity Dive points out
    • “A consumer signing key that caused security headaches for Microsoft earlier this year was exposed in an April 2021 crash dump, the company said Wednesday. A China-based threat group behind attacks later used the key to compromise more than two dozen customers, including U.S. State Department emails earlier this year. 
    • “Microsoft disclosed the crash dump, which redacts sensitive information, as part of an internal investigation into how the consumer signing key was left exposed. The threat group, which Microsoft calls Storm-0558, compromised the corporate account of a Microsoft engineer following the crash dump,
    • “The threat group stole sensitive emails from the State Department and reportedly U.S. Commerce Secretary Gina Raimondo.”
  • Per Krebs on Security, “Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach.”

From the ransomware front,

  • Security Week reports,
    • “Cisco this week raised the alarm on a zero-day in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software that has been exploited in Akira ransomware attacks since August.
    • “Tracked as CVE-2023-20269 (CVSS score of 5.0, medium severity), the issue exists in the remote access VPN feature of Cisco ASA and FTD and can be exploited remotely, without authentication, in brute force attacks. 
    • “This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features,” Cisco explains in an advisory.”

From the cybersecurity defenses front,

  • Cybersecurity Dive identifies the top five behaviors of successful CISOs thanks to Gartner Research.
  • Dark Reading discusses three strategies for defending against “resurgent info stealers.”
  • An ISACA expert explores using near-miss incidents as risk indicators.

Cybersecurity Saturday

From the cybersecurity vulnerabilities and breaches front,

  • Cyberscoop reports
    • “An international law enforcement operation disrupted the Qakbot botnet and associated malware that has been connected with countless cyberattacks and nearly $60 million in losses from victims around the world, the U.S. Department of Justice announced Tuesday. 
    • “The operation that included the FBI, DOJ and authorities in France, Germany, the Netherlands, Romania, Latvia and the United Kingdom — is “one of the largest U.S.-led disruptions of a botnet infrastructure” used by criminals to facilitate ransomware, financial fraud and other cyber-enabled criminal activity, the FBI said in a statement.
    • “There were no arrests in connection with the operation but the investigation remains ongoing, a senior FBI official told reporters Tuesday.
    • “Qakbot, also known as Qbot or Pinkslipbot, is malware first detected in 2008 that has been associated with hundreds of millions of dollars in losses to individuals and businesses in the U.S. and around the world, according to the FBI. The malware has been an initial entry mechanism for a variety of ransomware groups over the years. Groups such as Conti, ProLock, Egregor, REvil, MegaCortex and Black Basta have been known to use it. Between October 2021 and April 2023, the FBI said, Qakbot administrators have received fees corresponding to approximately $58 million in ransoms paid by victims.”
  • Cybersecurity Dive adds
    • “The FBI was able to redirect botnet traffic toward servers it controlled and disrupt the operation. More than 200,000 computers in the U.S. alone were found to be infected. Authorities also seized $8.6 million in illicit cryptocurrency as part of the takedown. * * *
    • “The FBI and Dutch National Police have set up website links where stolen credentials can be accessed to find out if they were used.” 
  • Here are links to the related CISA announcement and Security Week’s report on industry reaction to this news.
  • Krebs on Security informs us,
    • “Domain names ending in “.US” — the top-level domain for the United States — are among the most prevalent in phishing scams, new research shows. This is noteworthy because .US is overseen by the U.S. government, which is frequently the target of phishing domains ending in .US. Also, .US domains are only supposed to be available to U.S. citizens and to those who can demonstrate that they have a physical presence in the United States.
    • “.US is the “country code top-level domain” or ccTLD of the United States. Most countries have their own ccTLDs: .MX for Mexico, for example, or .CA for Canada. But few other major countries in the world have anywhere near as many phishing domains each year as .US.
    • “That’s according to The Interisle Consulting Group, which gathers phishing data from multiple industry sources and publishes an annual report on the latest trends. Interisle’s newest study examined six million phishing reports between May 1, 2022, and April 30, 2023, and found 30,000 .US phishing domains.
    • “.US is overseen by the National Telecommunications and Information Administration(NTIA), an executive branch agency of the U.S. Department of Commerce. However, NTIA currently contracts out the management of the .US domain to GoDaddy, by far the world’s largest domain registrar.”
  • Go figure.
  • Cybersecurity Dive told us last Monday
    • “The blast radius from the mass exploit of a zero-day vulnerability in the MOVEit file transfer service reached another milestone in its destructive spread: more than 1,000 organizations are impacted, according to Emsisoft and KonBriefing Research.
    • “The number of organizations hit by the wide-scale attack increased nearly 40% last week, underscoring the scope of impact and challenge organizations are encountering as they work to determine potential exposure.
    • “The pool of victims from Clop’s attack spree, which was discovered Memorial Day weekend, continues to grow as downstream victims, which lead to more downstream victims, are identified via public disclosures and the threat actor’s website.”
  • Health IT Security adds
    • “This week, Singing River Health System in Mississippi is actively facing system downtime as it investigates a cyberattack on its network. What’s more, Prospect Medical Holdings, which operates 16 hospitals and more than 165 clinics across Southern California, Rhode Island, Pennsylvania, and Connecticut, is still experiencing a systemwide outage that began on August 9.
    • “As these incidents continue to develop, other entities have continued to report confirmed data breaches to HHS, as exemplified in this week’s data breach roundup. Third-party data breaches continue to dominate breach notifications, causing breaches across the country.”
    • The article goes on to highlight recent breach announcements. 

From the cybersecurity defenses front,

  • Per Cybersecurity Dive,
    • “Organizations are facing more obstacles obtaining or renewing cyber insurance coverage, according to a survey of 300 organizations conducted by Censuswide, on behalf of Delinea. Organizations also face strict requirements to get a claim covered.
    • “The majority of organizations, 4 in 5, said their insurance rates went up when they submitted a new application or applied for policy renewals, with two-thirds reporting premium hikes of between 50% and 100%.
    • “It is also taking organizations longer to obtain new coverage. The process for 20 of those surveyed, roughly 7%, took six months or longer.”
  • The Healthcare and Public Sector Critical Infrastructure Security and Resilience Partnership released an updated version of its Health Industry Cybersecurity Tactical Crisis Response Guide.
  • An ISACA expert discusses “Contending with Artificially Intelligent Ransomware.”
  • HHS’s 405(d) group released a cyber-hygiene poster oriented toward healthcare providers. Nevertheless, it can be adapted for health plan use.
  • Forbes identifies ten “captivating” cybersecurity conferences being held in Fall 2023.

Cybersecurity Saturday

From the cybersecurity policy front,

  • Federal News Network informs us
    • “Vulnerability disclosure policies have proliferated throughout federal agencies in recent years, and if a new House bill ends up becoming law, federal contractors would have to adopt policies for accepting vulnerability information from security researchers as well.
    • “Rep. Nancy Mace (R-S.C.) today announced the Federal Cybersecurity Vulnerability Reduction Act of 2023. Mace is chairwoman of the House Oversight and Accountability Committee’s cybersecurity, information technology and government innovation subcommittee.
    • “The bill would require the White House Office of Management and Budget to lead updates to the Federal Acquisition Regulation that ensure federal contractors implement a vulnerability disclosure policy. * * *
    • “Mace’s bill would have contractors specifically follow the VDP guidelines established by the National Institute of Standards and Technology.
    • “In May, NIST published “Recommendations for Federal Vulnerability Disclosure Guidelines.” The document lays out a federal vulnerability disclosure framework, including information about how agencies should set up a system for receiving information about potential security vulnerabilities, as well as methods for communicating ways to resolve those vulnerabilities to other agencies and the public.”

From the cybersecurity vulnerabilities and breaches front,

  • HHS’s Health Sector Cybersecurity Coordination Center released its July 2023 report on vulnerabilities of interest to the health sector.
    • “In July 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for July are from Microsoft, Google/Android, Apple, Mozilla, SAP, Cisco, Fortinet, VMWare, MOVEit, Oracle, and Adobe. A vulnerability is given the classification as a zero-day if it is actively exploited with no fix available or if it is publicly disclosed. HC3 recommends patching all vulnerabilities with special consideration to the risk management posture of the organization.”
  • The Cybersecurity and Infrastructure Security Agency added a new known exploited vulnerability to its catalog on August 21, two more on August 22, and another two on August 24.
  • Per Health IT Security,
    • “Healthcare data breaches remain a troubling and frequent occurrence despite an observed dip in the number of breaches reported to HHS in the first six months of 2023, Critical Insight noted in its H1 2023 Healthcare Data Cyber Breach Report.
    • “While the number of breaches dropped 15 percent in the first six months of the year compared to the latter half of 2022, the number of records compromised jumped by 31 percent. As previously reported, nearly 40 million records were implicated in healthcare data breaches reported to HHS from January to June.”

In HIPAA Privacy Rule news,

  • Health IT Security says,
    • “The HHS Office for Civil Rights (OCR) reached a settlement with UnitedHealthcare Insurance Company (UHIC) to resolve potential HIPAA right of access violations. UHIC, a health insurer that provides coverage to millions across the US, agreed to pay $80,000 to OCR to resolve the investigation.
    • “The investigation marks the 45th case settled under OCR’s HIPAA Right of Access Initiative, which was created in 2019 to underscore OCR’s commitment to ensuring that patients have timely access to their medical records.
    • “The UHIC case arose in March 2021, when OCR received a complaint alleging that UHIC had not responded to an individual’s request for a copy of their medical record. The individual requested their records in January 2021, finally receiving them in July 2021, after OCR had initiated its investigation into the matter.”

From the ransomware front,

  • Cybersecurity Dive reports
    • “The median dwell time for ransomware attacks fell in the first half of 2023, down to 5 days from the 2022 average of 9 days, according to Sophos research released Wednesday.
    • “The majority of ransomware attacks are taking place during the work week, yet outside standard business hours, Sophos found. The bulk of 80 cases its incident response team worked on during the first half of 2023 took place between 11 p.m. and 8 a.m. in the target’s time zone. Attackers also strongly favored a “late hour at the end of the week” to launch an attack.
    • “Monitoring and reactions have to be 24/7 these days,” said Chester Wisniewski, field CTO of applied research at Sophos. “The criminals are striking when we’re not sitting at the keyboard waiting for them.”
  • and
    • “The Rhysida ransomware group claimed responsibility for a ransomware attack against Prospect Medical Holdings that forced multiple hospital closures earlier this month and continues to impact operations.
    • “The threat actor said it stole more than 500,000 Social Security numbers, passport data of clients and employees, patient medical files, and financial and legal documents, according to a Thursday post on the dark web. 
    • “Emsisoft Threat Analyst Brett Callow shared a screenshot of the post on X, the platform formerly known as Twitter, Thursday [August 24].”
  • Bleeping Computer’s The Week in Ransomware is on summer vacation this week.

From the cybersecurity defenses front,

  • Per CISA,
    • “[On August 21,] the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and National Institute of Standards and Technology (NIST) released a joint factsheet, Quantum-Readiness: Migration to Post-Quantum Cryptography (PQC), to inform organizations—especially those that support Critical Infrastructure—of the impacts of quantum capabilities, and to encourage the early planning for migration to post-quantum cryptographic standards by developing a Quantum-Readiness Roadmap.
    • “CISA, NSA, and NIST urge organizations to review the joint factsheet and to begin preparing now by creating quantum-readiness roadmaps, conducting inventories, applying risk assessments and analysis, and engaging vendors. For more information and resources about CISA’s PQC work, visit the Post-Quantum Cryptography Initiative.”
  • Per Health IT Security,
    • “The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) issued an updated version of its “Health Industry Cybersecurity Information Sharing Best Practices” guide (HIC-ISBP) to help healthcare organizations craft and maintain a cybersecurity threat information sharing program.
    • “Originally published in March 2020 in partnership with the Health Information Sharing and Analysis Center (Health-ISAC), the document serves to address barriers to information sharing and guide organizations toward overcoming regulatory obstacles that may make information sharing a challenge.
    • “The document is a companion to another recently updated publication known as the “Matrix of Information Sharing Organizations,” which provides healthcare organizations with a list of reputable information-sharing entities.”
  • Dark Reading identifies five best practices for implementing Risk-First Cybersecurity.
    • “Organizations face an uphill battle to safeguard hybrid cloud assets and sensitive data from evolving cyber threats in an increasingly interconnected and digitized world. While the security-first approach is essential, it has limitations in addressing the dynamic nature of these threats. The risks resulting from these threats are multifaceted and sophisticated, encompassing cybersecurity, compliance, privacy, business continuity, and financial implications. Therefore, a shift toward a risk-first approach is necessary.”
  • ISACA shares an executive view of key cybersecurity trends in 2023.
    • “2023 has further proven that the state of cybersecurity is constantly evolving. New technologies are emerging and increasingly being adopted for purposes of enhancing threat detection, analyzing large volumes of data for anomalies and automating security processes. Meanwhile, cyber threats are becoming increasingly sophisticated. In 2022, 76% of organizations were targeted by a ransomware attack, of which 64% were infected. To more effectively defend against such attacks, it is important for cyber professionals to understand current trends and challenges that exist in the field of cybersecurity.”
  • The Wall Street Journal offers its quarterly cyber insurance update.
    • In this quarter’s update, we look at new Securities and Exchange Commission cyber rules that may increase insurance risks for corporate directors, how new technologies such as artificial intelligence are helping assess a company’s cyber risk profile, and whether having a cyber insurance policy increases the likelihood of being a victim of a ransomware attack.

Cybersecurity Saturday

From the cybersecurity policy front,

  • Ars Technica reports
    • The Advanced Research Projects Agency for Health (Arpa-H), a research support agency within the United States Department of Health and Human Services, said today that it is launching an initiative to find and help fund the development of cybersecurity technologies that can specifically improve defenses for digital infrastructure in US health care. Dubbed the Digital Health Security project, also known as Digiheals, the effort will allow researchers and technologists to submit proposals beginning today through September 7 for cybersecurity tools geared specifically to healthcare systems, hospitals and clinics, and health-related devices.
  • FedScoop tells us,
    • Federal agencies got a reminder from the White House yesterday [August 16] of the need to firm up their cybersecurity in compliance with a Biden executive order.
    • The National Security Advisor Jake Sullivan sent a memo to departments and agencies Wednesday morning “to ensure their cyber infrastructure is compliant with” a May 2021 cybersecurity executive order on improving U.S. agencies’ cyber defense, a National Security Council spokesperson said in an emailed statement. 
  • Per NextGov,
    • “The White House is working to develop a 10-year modernization plan for federal civilian agencies as part of a broader effort to transition away from outdated information technology systems while bolstering the nation’s cyber posture, a top official said Tuesday.
    • “Federal Chief Information Security Officer Chris DeRusha told Nextgov/FCW that replacing costly legacy IT systems with resilient and secure technologies has become a top priority for the administration following the release of the National Cybersecurity Strategy earlier this year. 
    • “We need a 10-year modernization plan for legacy IT,” DeRusha said at Nextgov/FCW’s Identity Security Workshop. “Legacy IT modernization is the number one biggest rock that needs to get moved for us to be able to secure our systems.”
  • NIST released a summary of public comments received on draft Special Publication 800-171 Revision 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. FEHB claims data falls within the scope of this SP.
    • “NIST is adjudicating the comments and preparing the final public draft (fpd) of SP 800-171r3. Concurrently, the team is developing the initial public draft of SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, which will provide assessment procedures for the SP 800-171r3 security requirements. NIST anticipates releasing SP 800-171r3 fpd and SP 800-171A ipd for public comment in Q1 of FY 2024 (October – December 2023) and looks forward to ongoing engagement with users during the comment period.” 
  • Per Cybersecurity Dive,
    • Cyber authorities are working to mitigate threats to remote monitoring and management tools with assistance from the government and private sector.
    • The defense plan from the Joint Cyber Defense Collaborative “addresses issues facing top-down exploitation of RMM software,” which present a growing risk to small- and medium-sized businesses, the Cybersecurity and Infrastructure Security Agency [CISA] said.

From the cybersecurity vulnerabilities and breaches front,

  • The Health Sector Cybersecurity Coordination Center released a threat analysis of China-based threat actors.
    • “This white paper outlines Chinese cyber threat actors who are known to target the U.S. public health and private health sector entities in cyberspace. The groups outlined within this document represent some of the most capable and deliberate threats to the U.S. healthcare sector, and should be treated with priority when designing and maintaining an appropriate risk posture for a health sector entity.”
  • CISA added one more known exploited vulnerability to its catalog on August 16, 2023.
  • Dark Reading reports
    • “Hackers are on a spree of hijacking LinkedIn accounts, in some cases monetizing the attacks by demanding a small ransom from users to regain access and threatening permanent deletion.
    • “Though LinkedIn, a subsidiary of Microsoft, has not yet commented publicly about the campaign, it has affected people worldwide over the last few weeks. Conversations on social media and Google searches indicate a “significant surge in the past 90 days” of account hacks on the professional-oriented social media platform, according to a recent report published by Cyberint.”
  • Bloomberg Technology examines a larger email hack of Microsoft.
    • “No one likes losing their keys. But after a single Microsoft Corp. key fell into the hands of Chinese hackers, it’s going to take more than changing the locks to restore its reputation. 
    • “The consumer signing key was used to forge authentication tokens — which are meant to verify a user’s identity — and access emails, including the accounts of Commerce Secretary Gina Raimondo and State Department officials, shortly before Secretary of State Antony Blinken traveled to China to meet President Xi Jinping in June.
    • “The world’s largest software maker is now facing increasing criticism from computer security experts and government officials alike over the hack, among the more embarrassing breaches of US government networks since the so-called SolarWinds attack was disclosed in 2020. Russian state-sponsored hackers also abused Microsoft’s software as part of that attack.
    • “Senator Ron Wyden, in a blistering letter last month about the lapse, called for multiple investigations. Shortly after, a US cybersecurity advisory panel opened a probe into the risks of cloud computing, and it is also looking at Microsoft’s role in the email hack.”
  • Health IT Security brings us up to date on the hack that keeps on giving – the MOVEit Transfer hack.
    • Entities across the country are still feeling the effects of the MOVEit Transfer hack as more organizations report breaches stemming from the vulnerability.
    • Earlier this week, the Colorado Department of Health Care Policy & Financing (HCPF), which operates Colorado’s Medicaid program, notified more than 4 million individuals of a breach that originated at IBM, which had used the MOVEit software on behalf of HCPF. IBM also notified the Missouri Department of Social Services of the same incident.
    • MOVEit disclosed the vulnerability on May 31 and issued a patch on the same day. 

From the cybersecurity defenses front,

  • Cybersecurity Dive
    • explains why “Security basics aren’t so basic — they’re hard; Lax security controls cause heavy damages, and security experts warn how unmet basics turn up, time and again, when things go wrong,”
    • identifies “AWS customers’ most common security mistake; All too often organizations are not doing least-privilege work with identity systems, AWS’ Mark Ryland told Cybersecurity Dive,” and
    • discusses how to take advantage of sometimes disjointed threat intelligence.
  • The Wall Street Journal reports
    • “Hackers exploit the trust relationships between organizations and their third-party suppliers and vendors, resulting in potentially damaging targeted and untargeted attacks.
    • “Understanding the organizations in a supply chain and critical dependencies is essential to reducing the risk, though some threats are nearly impossible to mitigate.
    • “Multiple internal stakeholders working together with technology solutions and consultancy expertise can significantly reduce the risk of, or impact from, supply chain attacks[, e.g., the MOVEit Transfer hack].”
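The AWS least-privilege point above is easy to state and hard to audit by hand. The following is an added example (not code from Cybersecurity Dive, AWS or Mark Ryland) that scans an IAM policy document for Allow statements using wildcard actions or a wildcard resource, the most common way "just make it work" grants creep in. Both policy documents are constructed here for illustration; the bucket name and prefix are placeholders.

```python
"""Spot over-broad grants in AWS IAM policy documents.

Added example for the least-privilege point above; it is not code from
Cybersecurity Dive, AWS or Mark Ryland. Both policy documents below are
constructed for illustration (bucket name and prefix are placeholders).
"""
import json
from typing import Any

# Constructed sample: a log-shipping role granted far more than it needs.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "sts:AssumeRole"], "Resource": "*"},
    ],
})

# Constructed sample: the same role scoped to the one prefix it writes to,
# plus an explicit Deny that is broad on purpose (it narrows access).
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": "arn:aws:s3:::example-log-bucket/app-logs/*",
        },
        {
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value: Any) -> list:
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_broad_grants(policy_json: str) -> list[dict]:
    """Return one finding per Allow statement that uses wildcards.

    Flags Action "*" or "service:*" and Resource "*". Deny statements are
    skipped because a broad Deny reduces rather than widens access.
    Statements using NotAction/NotResource are not handled here.
    """
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wildcard_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        wildcard_resources = [r for r in resources if r == "*"]
        if wildcard_actions or wildcard_resources:
            findings.append({
                "statement": index,
                "wildcard_actions": wildcard_actions,
                "wildcard_resources": wildcard_resources,
            })
    return findings


def is_least_privilege(policy_json: str) -> bool:
    """True when no Allow statement in the policy relies on a wildcard."""
    return not find_broad_grants(policy_json)


if __name__ == "__main__":
    for name, doc in [("broad", OVERLY_BROAD_POLICY), ("scoped", LEAST_PRIVILEGE_POLICY)]:
        print(name, find_broad_grants(doc))
```

Run against the broad policy it reports both statements: the first for `s3:*` on `*`, the second because `iam:PassRole` and `sts:AssumeRole` on `*` let a role hand out or assume any other role in the account. The scoped policy produces no findings; its Deny is deliberately broad and is left alone. A real review would also look at `NotAction`, `Condition` keys and resource-based policies, which this checker does not cover.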

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cybersecurity Dive informs us,
    • “The National Institute of Standards and Technology released a long-anticipated draft version of the Cybersecurity Framework 2.0 Tuesday,  the first major update of the agency’s risk guidance since 2014. 
    • “After originally focusing risk guidance on critical infrastructure, the updated framework includes a wider array of organizations, including small- and medium-sized businesses, local schools and other entities. 
    • “The revised framework also addresses the role of corporate governance and the growing risks to digital networks via third-party relationships. * * *
    • “NIST will release a CSF 2.0 reference tool in a few weeks to help users browse, search and export data in a format that is machine-readable. It will also hold a workshop in the fall for additional public comments. 
    • “The deadline for public comments is Nov. 4, and NIST plans to publish a final version of CSF 2.0 in early 2024.”
  • Health IT Security adds,
    • As previously reported, the NIST CSF can be an asset to healthcare organizations looking to bolster their cybersecurity programs. Alongside other voluntary frameworks and HIPAA compliance actions, healthcare organizations can leverage the NIST framework to enhance privacy and security protections.
  • Politico updates us on the Federal Trade Commission’s proposed health data breach rule.
    • “In May, the Federal Trade Commission proposed a sweeping expansion of health data privacy rules, and now, the period for the public to weigh in has ended.
    • “While many comments were supportive, others were concerned that the FTC was overstepping its authority, opening itself up to litigation, and urged more clarity.” * * *
    • “The proposal would clarify that health app developers would be subject to regulations requiring them to notify customers if their identifiable data is accessed by hackers or business partners or shared for marketing without patient approval. The rule would include those offering health services and supplies — broadly defined to include fitness, sleep, diet and mental health products and services, among a laundry list of categories.”
  • The Wall Street Journal summarizes the Securities and Exchange Commission’s final cyber rule:
    • The U.S. Securities and Exchange Commission has approved new regulations requiring public companies to disclose cybersecurity breaches within four business days of becoming aware of a material impact resulting from the incident.
    • The regulations dropped the requirement for companies to disclose the names of cybersecurity experts on company boards and the nature of their expertise.
    • Companies are now required to report information regarding their cybersecurity risk management, strategy and governance annually.
    • Despite the SEC not requiring cyber expertise, experts believe having cyber oversight on the board is still beneficial and a priority.

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive informs us,
    • “The mass exploit of a zero-day vulnerability in MOVEit has compromised more than 600 organizations and 40 million individuals to date, but the numbers mask a more disastrous outcome that’s still unfolding.
    • “The victim pool represents some of the most entrenched institutions in highly sensitive — and regulated — sectors, including healthcare, education, finance, insurance, government, pension funds and manufacturing.
    • “The subsequent reach and potential exposure caused by the Clop ransomware group’s spree of attacks against these organizations is vast, and the number of downstream victims is not yet fully realized. * * *
    • “The widespread attack against MOVEit and its customers was “highly creative, well-planned, organized by multiple groups and executed well since they were able to poach records at scale,” independent analyst Michael Diamond said via email.
    • “Without a doubt, they hit one of the juicy parts of the orchard from an information perspective that they’ll continue to monetize and use for attacks in the future,” Diamond said. “My impression is that this is only going to get worse over time.”
    • “Diamond isn’t alone in forecasting the worst is yet to come.”
  • The Cybersecurity and Infrastructure Security Agency added one known exploited vulnerability to its catalog on August 7 and another one on August 9.
  • The Wall Street Journal reports that “AI Is Generating Security Risks Faster Than Companies Can Keep Up: Rapid growth of generative AI-based software is challenging business technology leaders to keep potential cybersecurity issues in check.”
  • The Healthcare Sector Cybersecurity Coordination Center released a threat analysis on multifactor authentication (good) and smishing (bad).

From the ransomware front,

  • Cybersecurity Dive pointed out on August 7, 2023,
    • “A ransomware attack against Prospect Medical Holdings disrupted healthcare services across multiple states last week, prompting multiple hospital closures as response and recovery efforts are underway.
    • “Prospect Medical Holdings recently experienced a data security incident that has disrupted our operations,” the healthcare provider said Friday in a statement. The California-based company operates 16 hospitals and more than 165 clinics and outpatient facilities in California, Connecticut, Pennsylvania and Rhode Island.”

From the cybersecurity defenses front,

  • FedScoop reports
    • “The White House on Wednesday [August 9] announced a competition for cybersecurity researchers that is intended to spur the use of artificial intelligence to identify and fix software vulnerabilities.
    • “Teams that compete in the “AI Cyber Challenge,” which the Defense Advanced Research Projects Agency will lead, can win prizes worth up to $18.5 million. The agency has also allocated an additional $7 million in prize money for small businesses that participate.
    • “As part of the competition, researchers will use AI technology to fix software vulnerabilities, with a particular focus on open-source software. Leading AI companies Anthropic, Google, Microsoft and OpenAI will make their technology available for the challenge, according to the Biden administration.
    • “The White House’s announcement comes amid continued concern over rising cyber supply-chain risk across the federal government and the private sector. Last September, the Office of Management and Budget stipulated that all software providers would have to self-attest to the security of their products before deploying them on federal agency systems.”

Cybersecurity Saturday

From the cybersecurity policy front —

  • Cybersecurity Scoop reports,
    • “The Cybersecurity and Infrastructure Security Agency [CISA] released its strategic plan for fiscal year 2024 through 2026 on Friday, following a plethora of strategies and implementation plans released over the past several months by the White House aimed at improving the nation’s overall cybersecurity preparedness. 
    • “Within CISA, this Plan will serve as a keystone for implementation, resource, and operational planning, as further executed through our Annual Operating Plans. Externally, it will help stakeholders understand and participate in our long-term cybersecurity planning and prioritization,” the document reads.
    • “CISA’s strategic plan will focus on three goals: address immediate threats, harden the terrain and drive security at scale. Additionally, the strategy has nine objectives, three for each goal, outlining the agency’s scope for the next three years.
    • “The release comes shortly after the Office of the National Cyber Director released a National Cyber Workforce and Education Strategy, as well as the National Cybersecurity Strategy in March and subsequent Implementation Plan in July.”
  • Cybersecurity Scoop also reports,
    • “The Biden administration’s strategy for building the U.S. cybersecurity workforce calls for government, industry and civil society groups to collaborate in increasing the number of cybersecurity workers and also urges an overhaul of the U.S. immigration system. 
    • “To address a dire shortage of cybersecurity workers, Monday’s strategy document takes a broad approach in overhauling the cybersecurity workforce. “The national cyber director’s office can only really task federal departments and agencies because, realistically, we need all of society. We need them to feel supported and heard and seen as we approach these ecosystem models,” Acting National Cyber Director Kemba Walden told CyberScoop.”

From the cybersecurity breaches and vulnerabilities front —

  • Health IT Security brings us up to date on MOVEit breaches affecting healthcare organizations.
  • Health IT Security adds, “The healthcare sector continued to face a high volume of cyberattacks in the past few months as infostealing malware rose in popularity, BlackBerry stated in its latest Global Threat Intelligence Report.”
  • Cybersecurity Dive reports
    • “Half of the 12 most-commonly exploited vulnerabilities in 2022 were discovered the previous year, cyber authorities from the Five Eyes said in a joint advisory released Thursday. One of the top 12 vulnerabilities was discovered in 2018.
    • “Flaws in Microsoft products accounted for 1 in 3 of the most-routinely exploited vulnerabilities, including three Exchange Server CVEs from 2021. Two-thirds of the most-exploited vulnerabilities were found in products from three vendors: Atlassian, Microsoft and VMware.
    • “Other vendors that made the list include Apache’s Log4j, F5 Networks, Fortinet and Zoho.
    • * * * “Delayed or inconsistent vulnerability patching remains an underlying problem. This, combined with the unmet need for vendors, designers and developers to adhere to secure-by-design and secure-by-default principles, is aggravating the risk of compromise by malicious cyber actors.
    • “The Five Eyes intelligence alliance, which includes authorities from the U.S., Australia, Canada, New Zealand and the U.K., reiterated the need for vendors to follow secure design practices throughout the software development lifecycle.”
  • Security Week tells us
    • The US government’s cybersecurity agency CISA is calling attention to under-researched attack surfaces in UEFI [Unified Extensible Firmware Interface], warning that the dominant firmware standard presents a juicy target for malicious hackers.
    • “UEFI is a critical attack surface. Attackers have a clear value proposition for targeting UEFI software,” the agency said in a call-to-action penned by CISA technical advisor Jonathan Spring and vulnerability management director Sandra Radesky. 
  • CISA’s Director Jen Easterly blogs about the importance of securing the Border Gateway Protocol, which she describes as being the most important part of the internet you have never heard of.
  • On July 31, CISA added another known exploited vulnerability to its catalog.

From the ransomware front —

  • HHS’s Health Sector Cybersecurity Coordination Center released a sector alert on August 4, 2023.
    • “Rhysida is a new ransomware-as-a-service (RaaS) group that has emerged since May 2023. The group drops an eponymous ransomware via phishing attacks and Cobalt Strike to breach targets’ networks and deploy their payloads. The group threatens to publicly distribute the exfiltrated data if the ransom is not paid. Rhysida is still in early stages of development, as indicated by the lack of advanced features and the program name Rhysida-0.1. The ransomware also leaves PDF notes on the affected folders, instructing the victims to contact the group via their portal and pay in Bitcoin. Its victims are distributed throughout several countries across Western Europe, North and South America, and Australia. They primarily attack education, government, manufacturing, and technology and managed service provider sectors; however, there have been recent attacks against the Healthcare and Public Health (HPH) sector.”
  • Bleeping Computer informs us that “Clop ransomware now uses torrents to leak data and evade takedowns” and it offers its Week in Ransomware.
    • “Ransomware gangs continue to prioritize targeting VMware ESXi servers, with almost every active ransomware gang creating custom Linux encryptors for this purpose.
    • “This week, BleepingComputer analyzed the Linux encryptor for Abyss Locker and illustrated how it was specifically designed to encrypt ESXi virtual machines.”

From the cybersecurity defenses front —

  • Per Forbes
    • “Traditional passwords have proven to be an increasingly problematic authentication strategy in the evolving face of cybersecurity. Biometrics, such as fingerprints, facial recognition and iris scanning, are ushering in a new era of safe authentication.
    • “Biometrics provide distinct advantages over passwords in terms of security, convenience and user experience. But why exactly are biometrics more secure, and how can businesses successfully implement this technology into their existing strategies?
    • The Forbes article explains how.
  • HelpNet offers advice on building cybersecurity defenses.
  • Security Intelligence explains how artificial intelligence can reduce data breach life cycles and costs.