From the cybersecurity breaches and vulnerabilities front —

• Cybersecurity Dive tells us,
  • “Distributed denial of service attacks surged during the second quarter as criminal and state-linked hacking organizations unleashed a number of sophisticated attacks against critical infrastructure providers and other organizations across the globe, Cloudflare said in a report released Tuesday.  
  • “Experts linked pro-Russia hacktivist groups, including Killnet and Anonymous Sudan, to recent major DDoS attacks against Microsoft and threats against financial centers in the U.S. and Europe. 
  • “Cloudflare research shows a sharp increase in deliberately engineered and targeted DNS attacks.”

• Health IT Security adds,
  • “Healthcare organizations face an uptick in cyber threats as malicious actors turn to tools like ransomware, artificial intelligence (AI), and Internet of Things (IoT) attacks. These threats are becoming increasingly significant in the dynamic cyber threat landscape, a Trustwave SpiderLabs report revealed.
  • “The report “Cybersecurity in the Healthcare Industry: Actionable Intelligence for an Active Threat Landscape” provides insights and practical strategies to address the specific threats faced by healthcare organizations.”

• Security Week informed us on July 21, 2023,
  • “Researchers at cloud security startup Wiz have an urgent warning for organizations running Microsoft’s M365 platform: That stolen Microsoft Azure AD enterprise signing key gave Chinese hackers access to data beyond Exchange Online and Outlook.com.
  • “Our researchers concluded that the compromised MSA key could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams, and OneDrive,” Wiz researcher Shir Tamari said in a document posted online.
  • “Tamari said the hackers may have also accessed Microsoft customer applications that support the “login with Microsoft” functionality and multi-tenant applications in certain conditions.”

• Also per Security Week on July 18, 2023, “At least two new Adobe ColdFusion vulnerabilities have been exploited in the wild, including one that the software giant has not completely patched.”

• The Cybersecurity and Infrastructure Security Agency added one more known exploited vulnerability to its catalog on July 19, 2023, and two more on July 20, 2023.

From the ransomware front —

• Cyberscoop interviews an FBI official about how the agency fights ransomware.

• The FEHBlog welcomes back Bleeping Computer’s Week in Ransomware after two weeks away. This week’s article covers news from July 8 forward.

From the cybersecurity defenses front —

• CISA explains how to take the first steps toward better cybersecurity.

• What’s more, CISA “has developed and published a factsheet, Free Tools for Cloud Environments, to help businesses transition into a cloud environment and identify proper tools and techniques necessary for the protection of critical assets and data security. Free Tools for Cloud Environments provides network defenders and incident response/analysts open-source tools, methods, and guidance for identifying, mitigating, and detecting cyber threats, known vulnerabilities, and anomalies while operating a cloud or hybrid environment.” 

• HHS’s Health Sector Cybersecurity Coordination Center (HC3) on July 18, 2023, informed us about patches available for Critical and High Netscaler ADC (Citrix ADC) and Netscaler Gateway (Citrix Gateway) vulnerabilities.

• HC3 also issued an analyst note on July 21, 2023, about Remote Identity Management.
  • “Identity theft is not limited to stolen medical records, social security numbers, and financial data. Threat actors can also target institutions by capitalizing on gaps in user access protocols, hiring processes, and mitigation capabilities to conceal some aspect of their identity and attention. Identity verification, fraud detection and user authentication are imperative when implementing a robust Identity and Access Management (IAM) program.”

• Security Week looks into improving security awareness training for employees.

• ISACA explains how to build cybersecurity resilience throughout an organization.

From the cybersecurity policy front, the Wall Street Journal offers its quarterly cyber regulations update for June 2023.

From the cybersecurity vulnerabilities and breaches front —

• On June 16, HHS’s health sector Cybersecurity Coordination Center (HC3) announced
  • “On May 31, 2023, a Progress Software (formerly IPSwitch) published a notification disclosing that a critical vulnerability exists in their MOVEit Transfer software, which could result in unauthorized access and privilege escalation. The vulnerability is a SQL injection flaw that allows for escalated privileges and potential unauthorized access. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content. As of June 15, 2023, the vulnerability has been serialized with two separate CVEs: CVE-2023-35708 and CVE 2023-35036. The updates can be found on the Progress Security Center webpage.”

• HC3 also released its May 2023 Cybersecurity Vulnerabilities Bulletin.

• The Cybersecurity and Infrastructure Security Agency (CISA) added one more known exploited vulnerability to its catalog.

• On June 15, CISA, the Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released an update for joint Cybersecurity Advisory (CSA) Threat Actors Exploit Progress Telerik Vulnerability in U.S. Government IIS Server. 

• Health IT Security reports
  • “Johns Hopkins University and Johns Hopkins Health are actively investigating a cyberattack and data breach that occurred on May 31. Johns Hopkins said that the attack involved a “widely used software tool” and impacted “thousands of other large organizations across the world.”
  • “While the notice does not explicitly mention MOVEit, the timeline of the attack lines up with the discovery of a critical vulnerability in Progress Software’s MOVEit Transfer software, a widely used software tool.
  • “As previously reported, Clop ransomware has taken a special interest in this vulnerability and began exploiting the previously unknown SQL injection vulnerability on May 27.”

• The Associated Press adds
  • “The Department of Energy and several other federal agencies were compromised in a Russian cyber-extortion gang’s global hack of a file-transfer program popular with corporations and governments [MOVEit], but the impact was not expected to be great, Homeland Security officials said Thursday.
  • “But for others among what could be hundreds of victims from industry to higher education — including patrons of at least two state motor vehicle agencies — the hack was beginning to show some serious impacts. 
  • “Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, told reporters that unlike the meticulous, stealthy SolarWinds hacking campaign attributed to state-backed Russian intelligence agents that was months in the making, this campaign was short, relatively superficial and caught quickly. 
  • “Based on discussions we have had with industry partners … these intrusions are not being leveraged to gain broader access, to gain persistence into targeted systems, or to steal specific high value information— in sum, as we understand it, this attack is largely an opportunistic one,” Easterly said.”

From the cybersecurity threat actors front —

• HC3 issued a threat actor profile on FIN11
  • “FIN11 is a cybercriminal group that has been active since at least 2016, originating from the Commonwealth of Independent States (CIS). While the group has historically been associated with widespread phishing campaigns, the group has shifted towards other initial access vectors. FIN11 often runs high-volume operations mainly targeting companies in various industries in North America and Europe for data theft and ransomware deployment, primarily leveraging CL0P (aka CLOP). The group has targeted pharmaceutical companies and other health care targets during the COVID-19 pandemic and continues to target the health sector. The group is behind multiple high-profile, widespread intrusion campaigns leveraging zero-day vulnerabilities. It is likely that FIN11 has access to the networks of far more organizations than they are able to successfully monetize, and choose if exploitation is worth the effort based on the location of the victim, their geographical location, and their security posture. This Threat Actor Profile provides information associated with FIN11, including recent campaigns, associated malware, CVEs exploited, and TTPs.”

• HHS’s Administration for Strategic Preparedness and Response released a TimisoaraHackerTeam analysis.

• On June 13, “CISA, the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and international partners released Understanding Ransomware Threat Actors: LockBit, a joint Cybersecurity Advisory (CSA) to help organizations understand and defend against threat actors using LockBit, the most globally used and prolific Ransomware-as-a-Service (RaaS) in 2022 and 2023. This guide is a comprehensive resource detailing the observed common vulnerabilities and exposures (CVEs) exploited, as well as the tools, and tactics, techniques, and procedures (TTPs) used by LockBit affiliates. Additionally, it includes recommended mitigations to help reduce the likelihood and impact of future ransomware incidents.”

• On June 15 Cybersecurity Dive reported
  • “A suspected threat actor affiliated with China is exploiting a subset of compromised Barracuda Email Security Gateway SG devices to launch a widespread espionage campaign in support of the People’s Republic of China, according to a report released Thursday by Mandiant. 
  • “The threat actor, tracked as UNC4841, has been sending emails with malicious attachments since October 2022, in order to exploit the zero-day vulnerability disclosed in May. The hackers used a variety of custom malware to maintain a presence in targeted systems, and most of the exploitation taking place in the Americas. 
  • “This is the broadest cyber espionage campaign known to be conducted by a China-nexus threat actor since the mass exploitation of Microsoft Exchange in 2021,” Charles Carmakal, CTO of Mandiant Consulting, Google Cloud said in a statement. “In the Barracuda instance, the threat actor compromised email security appliances of hundreds of organizations.”

From the ransomware front, we have the latest Week in Ransomware from the Bleeping Computer.

From the cybersecurity defenses front

• Cybersecurity Dive tells us “LastPass CEO reflects on lessons learned, regrets and moving forward from a cyberattack; Karim Toubba is ready to talk nearly a year after LastPass suffered a cyberattack that became one of the biggest security blunders of 2022.”

• On June 13,
  • “The Cybersecurity and Infrastructure Security Agency (CISA) today issued Binding Operational Directive (BOD) 23-02, Mitigating the Risk from Internet-Exposed Management Interfaces, which requires federal civilian agencies to remove specific networked management interfaces from the public-facing internet or implement Zero Trust Architecture capabilities that enforce access control to the interface within 14 days of discovery.
  • “Recent threat campaigns underscore the grave risk to the federal enterprise posed by improperly configured network devices. As part of CISA and the broad U.S. government’s effort to move the federal civilian enterprise to a more defensible posture, this Directive will further reduce the attack surface of the federal government networks.”

• On June 14,
  •  CISA, together with the National Security Agency (NSA), released a Cybersecurity Information Sheet (CSI), highlighting threats to Baseboard Management Controller (BMC) implementations and detailing actions organizations can use to harden them. 
  • “BMCs are trusted components designed into a computer’s hardware that operate separately from the operating system (OS) and firmware to allow for remote management and control, even when the system is shut down. Hardened credentials, firmware updates, and network segmentation options are often overlooked, leading to a vulnerable BMC. A vulnerable BMC broadens the attack vector by providing malicious actors the opportunity to employ tactics such as establishing a beachhead with pre-boot execution potential.  
  • “CISA and NSA encourage all organizations managing servers to apply the recommended actions in this CSI.”

• On June 15,
  • “Barracuda Networks has released an update to their advisory addressing a vulnerability—CVE-2023-2868—in their Email Security Gateway Appliance (ESG). According to Barracuda, customers should replace impacted appliances immediately. 
  • “CISA urges organizations to review the Barracuda advisory and for all impacted customers to follow the mitigation steps as well as hunt for the listed indicators of compromise (IOCs) to uncover any malicious activity. For more information, see Mandiant’s advisory on Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor.”

• Also on June 15,
  • “Progress Software has released a security advisory for a privilege escalation vulnerability (CVE-2023-35708) in MOVEit Transfer—a Managed File Transfer Software. A cyber threat actor could exploit this vulnerability to take control of an affected system.
  • “CISA urges users and organizations to review the MOVEit Transfer advisory, follow the mitigation steps, and apply the necessary updates when available.”

From the cybersecurity policy front —

• A CSO analysis reports, “Federal cyber incidents reveal challenges of implementing US National Cybersecurity Strategy. As federal government cybersecurity incidents continue to mount, the Biden administration’s National Cybersecurity Strategy should help, although experts say implementing it won’t be easy.”
  • “More than any previous administration, the Biden administration has taken a serious step forward to secure federal government infrastructure (and, by extension, the private sector through government contractor requirements) with its expansive National Cybersecurity Strategy, released in March.
  • “The strategy outlines five broad “pillars” of cybersecurity efforts that civilian agencies must meet, including approaches to defending critical infrastructure, disrupting and dismantling threat actors, shaping market forces to drive security and resilience, investing in a resilient future, and enhancing public-private operational collaboration to disrupt adversaries.
  • “But the details of how agencies should start tackling the challenges won’t be fully understood until the administration releases the strategy’s implementation guidance, which officials say could occur over the next month or so.
  • “No matter how the guidance shakes out, government agencies’ challenges in implementing the strategy will undoubtedly be significant. First off is the sheer size and complexity of the federal government.”

• The Wall Street Journal similarly explains that while “The Biden administration’s proposal to hold software makers accountable offers a starting point, it leaves a lot of questions open.

From the cybersecurity vulnerabilities and breaches front —

• Health IT Security tells us,
  • “Just like in years past, threat actors are leveraging ransomware, social engineering, denial of service, and basic web application attacks to disrupt operations and compromise data with great success. Verizon’s newly released 2023 Data Breach Investigations Report (DBIR) provided significant evidence of these trends through its analysis of more than 16,300 security incidents that occurred between November 1, 2021, and October 31, 2022.
  • “Of the 16,312 security incidents analyzed, 5,199 of them were confirmed data breaches. What’s more, 74 percent of all breaches involved a human element, such as social engineering, use of stolen credentials, or privilege misuse. * * *
  • “Verizon defines a “breach” as an incident that results in confirmed data disclosures to an unauthorized party, while an “incident” is a security event that compromises the integrity, availability, or confidentiality of information.
  • “Top attack patterns in healthcare included system intrusions, basic web application attacks, and miscellaneous errors, which collectively accounted for 68 percent of all healthcare breaches.
  • “The [h]ealthcare vertical is highly targeted by ransomware gangs, which results in both the loss of use of their systems—potentially with life-threatening consequences—as well as data breaches,” the report stated.”

• Cybersecurity Dive reports (June 9)
  • “Barracuda’s email security gateway appliances, which were compromised by a zero-day vulnerability disclosed last month, need to be scrapped and replaced immediately, the company said Tuesday in an action notice.
  • “The vulnerability, CVE-2023-2868, has been actively exploited for at least eight months. Despite a series of patches issued to all appliances last month, Barracuda said, regardless of patch version level, its “remediation recommendation at this time is full replacement of the impacted ESG.”
  • “Barracuda’s decision to effectively retire all compromised ESG appliances is akin to an admission the company could not fully remove threat actor access and recover the devices for customers, according to experts.”
• and (also June 9)
  • “Microsoft is investigating claims by an alleged hacktivist group that it launched a series of DDoS attacks that disrupted the company’s OneDrive and other Microsoft 365 services. 
  • “The company suffered a series of outages this week that impacted a range of services, including Microsoft Teams, SharePoint Online and OneDrive for Business. The OneDrive disruption was still impacting customers as of Thursday. 
  • “The group, known as Anonymous Sudan, has claimed credit for the alleged DDoS attacks and made additional threats against the company. Microsoft officials acknowledged the public claims and are working to fully restore services. 
  • “We are aware of these claims and are investigating,” a Microsoft spokesperson said via email. “We are taking the necessary steps to protect customers and ensure the stability of our services.”

• HHS’s Health Sector Cybersecurity Coordination Center offers a PowerPoint presentation titled “Types of Cyber Threat Actors That Threaten Healthcare.”

• The Cybersecurity and Infrastructure Security Agency (CISA) added two known exploited vulnerabilities to its catalog on June 5 and one more on June 7.

• Cybersecurity Dive adds
  • “Senior level corporate executives are increasingly being targeted by sophisticated cyberattacks that target their corporate and home office environments and even extend to family members, according to a study released Monday from BlackCloak and Ponemon Institute. 
  • “About 42% of organizations surveyed had a senior executive or an executive’s family member attacked over the past two years. The study is based on a survey of more than 550 IT security leaders. 
  • “These attacks often lead to the theft of sensitive company data, including financial information, intellectual property or other information. In one-third of these cases, hackers are reaching these executives through insecure home-office networks used during remote work.”

From the ransomware front –

• Cybersecurity Dive informs us,
  • “Most of Dallas’ network and IT infrastructure has been restored following a ransomware attack in early May that took most of the city’s services offline and disrupted operations, the city said Monday.
  • “Our staff has worked tirelessly to restore and rebuild systems and return all systems to full functionality as quickly and securely as possible,” the city said Monday in a statement. “At this time, we are more than 90% restored, with most public-facing services restored.”
  • “Dallas previously cautioned full functionality would take weeks, and some services are still non-operational. The city’s municipal court reopened on May 30, but trials and jury duty remain canceled until further notice and library staff are still tracking item availability manually.

• CISA and the FBI released an “Advisory on CL0P Ransomware Gang Exploiting MOVEit Vulnerability” on June 7.
  • Cyberscoop provides background on the advisory.
  • Bleeping Computer’s The Week in Ransomware” focuses on this case.

• Security Week reports
  • “Cybersecurity firm Obsidian has observed a successful ransomware attack against Sharepoint Online (Microsoft 365) via a Microsoft Global SaaS admin account rather than the more usual route of a compromised endpoint.
  • “The attack was analyzed post-compromise when the victim employed the Obsidian product and research team to determine the finer points of the attack. In its blog account of the incident, Obsidian did not disclose the victim but believes the attacker was the group known as 0mega.”
• and
  • “Japanese pharmaceutical giant Eisai [a developer of the new Alzheimer’s Disease drug Leqembi] this week announced that it has fallen victim to a ransomware attack that forced it to take certain systems offline.
  • “Headquartered in Tokyo, the company has manufacturing facilities in Asia, Europe, and North America and has subsidiaries on both American continents, in Asia-Pacific, Africa, and Europe. Last year, the company reported more than $5 billion in revenue.
  • “The ransomware attack, the company says in an incident notification on its website, was identified on June 3 and resulted in the encryption of multiple servers.
  • “Eisai says it immediately implemented its incident response plan, which involved taking systems offline to contain the attack, and launched an investigation.”

From the cybersecurity defenses front —

• On June 6, “CISA, Federal Bureau of Investigation (FBI), the National Security Agency (NSA), Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Israel National Cyber Directorate (INCD) released the Guide to Securing Remote Access Software. This new joint guide is the result of a collaborative effort to provide an overview of legitimate uses of remote access software, as well as common exploitations and associated tactics, techniques, and procedures (TTPs), and how to detect and defend against malicious actors abusing this software.”  
  • Health IT Security and Security Boulevard offer reports on the new guidance.

• ISACA discusses the increasing importance of information technology audits to Boards of Directors.

• Security Boulevard offers ten “go-to” tips for achieving/maintaining HIPAA Security Rule compliance.

• Help Net Security suggests twenty cybersecurity projects on GitHub you should check out.

From the cybersecurity policy front —

• The Wall Street Journal reports,
  • “Companies shouldn’t wait for new rules around cybersecurity, privacy and emerging technologies to be finalized before preparing for them, lawyers say, particularly as senior executives with the right experience can be hard to come by.
  • “Proposed cybersecurity rules from the Securities and Exchange Commission would require public companies to disclose which board members have security knowledge or experience, along with details about the board’s approach to cyber oversight. The SEC published draft rules in March 2022 and is expected to finalize them in the coming months.” 

• Nextgov tells us,
  • A federal council tasked with harmonizing future cyber incident reporting requirements is set to release proposed recommendations on how to develop an incident-reporting framework across key agencies and regulatory bodies, according to the chair of the council.
  • Department of Homeland Security Under Secretary for Policy Robert Silvers said the Cyber Incident Reporting Council is expecting to submit its report to Congress “in the next month or two” during a panel discussion Thursday at the Center for Strategic and International Studies, a nonprofit think tank.
  • The council was established under the Cyber Incident Reporting for Critical Infrastructure Act last year with the goal of minimizing industry burden while ensuring timely awareness of cyber incidents impacting critical infrastructure sectors across all required federal components. 
  • The Cybersecurity and Infrastructure Security Agency is currently developing regulations as required under the law for critical infrastructure owners and operators to report cyber incidents within 72 hours and has led a series of listening sessions with sector-specific industries to aid its rule-making process. 
  • “CISA is considering the inputs received through these consultations as we develop the proposed regulations and look for ways to harmonize CIRCIA’s requirements with other existing cyber incident reporting regulatory requirements,” CISA’s Executive Director Brandon Wales wrote in a March blog post reflecting on his agency’s implementation of the bill a year after it was signed into law. 
  • CISA also issued a request for information from key stakeholders on the proposed regulations and said it was specifically interested in “definitions for and interpretations of the terminology to be used in the proposed regulations, as well as the form, manner, content and procedures for submission of reports required under CIRCIA.”

From the cybersecurity reports front —

• The OPM Inspector General released its latest semi-annual report to Congress. That report includes a section on cybersecurity audits of FEHB plans.

• The National Institutes of Standards and Technology issued its Fiscal Year 2022 Cybersecurity and Privacy Annual Report.

From the cybersecurity vulnerabilities front —

• Cybersecurity Dive reports
  • “A zero-day vulnerability first disclosed by Barracuda last week was actively exploited up to seven months ago, the security vendor said in an updated incident report Tuesday [May 30].
  • “The sizable time gap between the first known active exploitation of CVE-2023-2868 in October and Barracuda’s disclosure increases the potential for widespread compromise for customers using the security vendor’s email security gateway appliances.
  • “Malware was identified on a subset of appliances allowing for persistent backdoor access,” the company said. Data exfiltration was also identified on a subset of impacted appliances.
  • “Barracuda did not respond to questions about how many customers use its ESG appliances nor how many customers are potentially compromised and had data stolen.”

• On June 2, 2023, HHS’s health sector Cybersecurity Coordination Center issued a sector alert titled “Healthcare Sector Potentially at Risk from Critical Vulnerability in MOVEit Transfer Software.”
  • “On May 31, 2023, Progress Software (formerly IPSwitch) published a notification disclosing that a critical vulnerability exists in their MOVEit Transfer software, which could result in unauthorized access and privilege escalation. The vulnerability is a SQL injection flaw that allows for escalated privileges and potential unauthorized access. As of May 31, 2023, the vulnerability does not have a CVE. File transfer solutions are frequently targeted by multiple threat actors, including ransomware groups. Progress Software has yet to report any attempts of extortion due to exposure to the vulnerability, nor is there any attribution to any specific threat actors. However, the exploitation is very similar to the January 2023 mass exploitation of a GoAnywhere MFT zero-day and the December 2020 zero-day exploitation of Accellion FTA servers. Both of these products are managed on file transfer platforms that were heavily exploited by the Clop ransomware gang to steal data and extort organizations.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) released a corollary alert.
    • “Progress Software has released a security advisory for a SQL injection vulnerability (CVE-2023-34362) in MOVEit Transfer—a Managed File Transfer Software. A cyber threat actor could exploit this vulnerability to take over an affected system.
    • “CISA urges users and organizations to review the MOVEit Transfer Advisory, follow the mitigation steps, apply the necessary updates, and hunt for any malicious activity.”

• CISA announced on May 31, 2023, adding one more known exploited vulnerability to its catalog and another on June 2, 2023.

From the ransomware front, we have Bleeping Computer’s The Week in Ransomware.

• “There have been rumors for weeks that Royal ransomware was rebranding to a new ransomware operation called BlackSuit. This week, Trend Micro analyzed encryptors from both operations and said they share very strong similarities.
• “While this is not a strong enough link, the attack on Dallas may have put the Royal ransomware operation in the crosshairs, scaring them into a rebrand.
• “Finally, IBM released a report about BlackCat/ALPHV’s new ‘Sphynx’ encryptor and other tools used by the operation that is a worthwhile read.”

From the cybersecurity defenses front —

• The Wall Street Journal reports
  • “Retail giant Walmart said artificial intelligence is helping it to make sense of the data its security systems generate and to spot patterns that its analysts might miss. Generative AI systems like ChatGPT might enhance that ability further.
  • “Rob Duhart, Walmart’s deputy chief information security officer, said the sheer amount of information the company handles means that some form of automation is essential.
  • “There’s scale, and then there’s Walmart scale,” he said, speaking at the WSJ Pro Cybersecurity Forum held virtually Wednesday.
  • “With around 10,500 stores globally and 2.3 million employees, the company scans around 11 billion lines of code each year, Duhart said. Its cybersecurity tools generate around 6 trillion data points annually, and it blocks 8.5 billion malicious bots a month.
  • “Walmart has developed a number of AI tools in-house, given that off-the-shelf products typically can’t handle the vast body of data it needs to analyze, Duhart said. It’s also a problem for human analysts, who can’t comb through the information they need quickly enough.”

• Health IT Security adds
  • “With recent economic trends pointing toward a recession, companies are bracing for the downturn and slashing resources in anticipation of financial turmoil.  
  • “Yet, cybersecurity budgets remain resilient. A recent survey revealed that most IT security decision-makers, including those in healthcare, have ramped up their 2023 cybersecurity spending to strengthen programs. 
  • “Nuspire’s Second Annual CISO Research Report on Challenges and Buying Trends surveyed 200 CISOs across various sectors. The results showed that 58 percent had increased their budgets in 2023, with 42 percent planning to pour more even funding into cybersecurity within the following year. 
  • “This uptick in budget allocation speaks volumes as leaders recognize the importance of a strong landscape. 
  • “As we’ve seen in previous years, the current economic conditions have shown how resilient cybersecurity budgets are in the face of business cost reductions,” said Lewie Dunsworth, CEO of Nuspire.”

From the cybersecurity policy front —

• DefenseScoop reports
  • The Department of Defense sent its new classified cyber strategy to Congress this week, the Pentagon said Friday.
  • The highly anticipated strategy is the first since 2018 and follows the release of the National Cybersecurity Strategy in March.
  • The DOD also publicly released an unclassified “fact sheet” on Friday, and said an unclassified “summary” will be provided in the “coming months.” 
  • Of note, the fact sheet explains that the updated strategy is based upon real-world operations. Prior to 2018, the Pentagon had only conducted a limited number of cyber ops due to a variety of factors such as stringent authorities and a high-risk calculous.
  • The 2018 National Defense Authorization Act combined with changes to executive policy streamlined authorities and made it easier for the DOD to approve and conduct operations.\

• Politico adds
  • “President Joe Biden has nominated U.S. Air Force Lt. Gen. Timothy Haugh, the no. 2 at U.S. Cyber Command, to serve as the new head of both Cyber Command and the National Security Agency, according to an Air Force notice.
  • “The notice, obtained by POLITICO, was sent out on Monday and is titled “General Officer Nomination.” It announces that the president has nominated Haugh to the Senate for promotion to four-star general and assignment in the dual-hatted role. * * *
  • “If confirmed, Haugh will replace Gen. Paul Nakasone, who has led both NSA and Cyber Command since 2018. Nakasone is planning to step down sometime this year.”

• Cyberscoop also tells us
  • “Microsoft rolled out a blueprint for regulating artificial intelligence on Thursday that calls for building on existing structures to govern AI.
  • “Microsoft’s proposal is the latest in a string of ideas from industry on how to regulate a technology that has captured public attention, attracted billions of dollars in investments and prompted several of its principal architects to argue that AI is in desperate need of regulation before it has broad, harmful effects on society. 
  • “In remarks before a Washington, D.C. audience on Thursday, Microsoft President Brad Smith proposed a five-point plan for governing AI: implementing and building upon existing frameworks, requiring effective brakes on AI deployments, developing a broader legal and regulatory framework, promoting transparency and pursuing new public-private partnerships.”

From the cybersecurity breaches and vulnerabilities front —

• Cybersecurity Dives informs us
  • “PillPack, an online pharmacy owned by Amazon, has reported a data breach affecting more than 19,000 customers.
  • “The cyberattack exposed users’ email addresses, prescription information and their providers’ contact details. Social Security numbers and credit card information weren’t involved. PillPack said more than 3,600 affected accounts included prescription data.
  • “The online pharmacy said it discovered the breach on April 3, and it determined an unauthorized person used users’ email addresses and passwords to sign into their accounts between April 2 and April 6.”

• Dark Reading relates
  • “China-sponsored threat actors have managed to establish persistent access within telecom networks and other critical infrastructure targets in the US, with the observed purpose of espionage — and, potentially, the ability down the line to disrupt communications in the event of military conflict in the South China Sea and broader Pacific.
  • “That’s according to a breaking investigation from Microsoft, which dubs the advanced persistent threat (APT) “Volt Typhoon.” It’s a known state-sponsored group that has been observed carrying out cyber espionage activity in the past, by researchers at Microsoft, Mandiant, and elsewhere.”

• Cyberscoop adds
  • “A rare form of malicious software designed to infiltrate and disrupt critical systems that run industrial facilities such as power plants has been uncovered and linked to a Russian telecom firm, according to a report released Thursday from the cybersecurity firm Mandiant. 
  • “The discovery of the malware dubbed “CosmicEnergy” is somewhat unusual since it was uploaded to VirusTotal — a service that Google owns that scans URLs and files for malware — in December 2021 by a user with a Russian IP address and was found through threat hunting and not following an attack on a critical infrastructure system. 
  • “Whatever the motivation for developing it and uploading the code to VirusTotal, CosmicEnegy joins an highly specialized group of malware such as Stuxnet, Industroyer and Trisis that are purpose built for industrial systems. Furthermore, the discovery adds another layer of concern for critical infrastructure operators and organizations that are increasingly targeted by criminal and nation-backed hackers.
  • “Researchers at Mandiant, which is part of Google Cloud, noted that its highly unusual for this type of code to be discovered or even disclosed to the public. Yet, it’s not clear if the malware was intended for use in a cyberattack or it could have been developed for internal red-teaming exercises before the code was released into the wild.”

• Health IT Security reports
  • “The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Australian Cyber Security Centre (ACSC) released a joint cybersecurity advisory (CSA) regarding BianLian ransomware group.
  • “The group has been observed targeting a variety of United States critical infrastructure sectors since June 2022, as well as Australian critical infrastructure sectors. BianLian typically gains access via valid Remote Desktop Protocol (RDP) credentials and uses open-source tools for credential harvesting. In 2023, BianLian has threatened negative financial, legal, and business impacts if victims refuse to pay the ransom.
  • “BianLian group actors then extort money by threatening to release data if payment is not made,” the advisory stated. “BianLian group originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion.”

• CISA warned of hurricane/typhoon-related scams and identified three and then one more known vulnerabilities to its catalog.

From the ransomware front —

• Cybersecurity Dive informs us, “A trio of [recent] ransomware attacks targeting the Dallas metro area have the hallmarks of a targeted campaign. They also underscore a very real problem: society is becoming desensitized to disruption.”

• Here’s a link to the latest issue of Bleeping Computer’s The Week in Ransomware.

From the cybersecurity defenses front —

• Cybersecurity Dive reports
  • “The Cybersecurity and Infrastructure Security Agency for the first time since 2020 released an updated version of #StopRansomware, in partnership with the FBI, National Security Agency and the Multi-State Information Sharing and Analysis Center. 
  • “The updated guide, developed through the Joint Ransomware Task Force, reflects lessons learned over the last few years, adding the FBI and NSA as co-authors for the first time. It offers recommendations to prevent initial intrusion as well as steps to protect data using cloud backups. * * *
  • “It includes a comprehensive list of best practices to defend against attacks, including: 
    • “Maintain offline, encrypted backups of critical data and regularly test those backups in a simulation of disaster recovery. This should include “golden images” of critical systems, including preconfigured operating systems and associated applications. 
    • “Develop, maintain and practice a basic cyber incident response plan for ransomware and data breaches. This should include a communications plan, including disclosure notifications to government authorities. 
  • “The guide also includes a comprehensive set of measures to prevent and mitigate ransomware and data extortion, including: 
    • “Conduct regular scanning to identify and address vulnerabilities, particularly on internet facing devices. 
    • “Regularly patch and update software and operating systems to the latest versions. 
    • “Make sure all on premises, cloud services, mobile and bring your own devices are properly configured and security features are enabled. 
    • “Implement phishing-resistant multifactor authentication.
    • “Enforce lockout policies after a certain number of failed login attempts.
  • “The guide suggests creating illustrated guides that provide detailed information about data flows inside an organization. This will help incident responders understand which systems to focus on during an attack.” 

• The Wall Street Journal informs us
  • “Cyber insurance prices in the United States rose 11% year over year on average in the first quarter of 2023 according to insurance broker Marsh. This was a noticeably smaller increase than the 28% rise in Q4 2022 and was the fifth straight quarter that prices rose by less than the previous quarter. Additionally, rate increases moderated during 2022, with an average increase of 17% in December 2022, which was down significantly from a December 2021 high average increase of 133%. 
  • “Marsh said increased competition, improved cybersecurity controls, and a reduction in ransomware attacks in 2022 were factors that affected the continued moderation in pricing, while noting there has been an upturn in ransomware incidents and claims since Q4 2022.”

• Tom’s Guide updates us on best VPN logging practices.

• The Harvard Business Review offers ideas on creating effective cybersecurity training programs.