From the cybersecurity policy front,

• Cybersecurity Dive reports,
  • “The U.S. must take collective action to address “unacceptable” cybersecurity risks to the country, National Cyber Director Harry Coker Jr. said in a speech at Columbia University’s Conference on Cyber Regulation and Harmonization in New York City. Coker called for federal authorities to work together with critical infrastructure providers, private sector companies and other stakeholders. 
  • “Cybersecurity threats like the China state-linked Volt Typhoon present unacceptable risks to the U.S., Coker said, and more investments are required to build long term cyber resilience. As part of that strategy, companies need to ensure that cybersecurity is as much of a focus as quarterly profits. 
  • “At the same time, Coker called for the government to streamline its regulations and harmonize compliance demands for the benefit of the private sector and critical infrastructure providers. This could allow CISOs and other security leaders to spend more time mitigating their own organizational cyber risk, he said.”

• NextGov/FCW tells us,
  • Jen Easterly, the Cybersecurity and Infrastructure Security Agency’s stalwart champion and a figurehead among cybersecurity and intelligence community practitioners, will leave her post Jan. 20 next year when President-elect Donald Trump is inaugurated back into the White House, people familiar with her plans said.
  • The plans were communicated via internal emails and an all-hands staff meeting, said the people, who asked not to be identified to share news of her departure. Deputy Director Nitin Natarajan also plans to depart at that time, one of the people said. * * *
  • “A CISA spokesperson told Nextgov/FCW that all appointees under the current administration vacate their positions when a new administration takes office and affirmed the agency’s commitment to a seamless transition.” * * *
  • “Ohio Secretary of State Frank LaRose is being considered to lead the agency after Easterly leaves, Politico reported last week, citing four people who have spoken to those in his orbit.”
• and
  • “With 66 days until Inauguration Day, Federal Chief Information Officer Clare Martorana says her top priority in the last days of the Biden administration is cybersecurity. 
  • “Continuing to make sure that cybersecurity is not an afterthought,” she told Nextgov/FCW on the sidelines of an ACT-IAC event Friday, adding that she wants cyber to be part of the IT community, rather than segmented away from each other.
  • “In government, it just continues to perplex me that we don’t necessarily co-join in our product development and the ongoing maintenance of our digital properties as a single, cohesive team,” she said. 
  • “Second up is facilitating an effective transition for the incoming Trump administration 
  • “Making sure that the next team that comes in knows exactly what we’ve accomplished, knows exactly the areas that we feel need additional attention and that are going to be what the catalysts are for the next four years of technology, customer experience, digital experience evolution” is a “really, really important part of my job right now,” said Martorana. 
  • “I want to make sure that the next federal CIO has the best chance of hitting the ground running and being as effective as they can be,” she added.” 

• The Government Accountability Office released a report highlighting that
  • “As the lead federal agency for the healthcare and public health critical infrastructure sector, the Department of Health and Human Services (HHS) has faced challenges in carrying out its cybersecurity responsibilities. Implementing our related prior recommendations can help HHS in its leadership role.”

• The National Institute for Standards and Technology announced,
  • “The initial public draft (ipd) of NIST Special Publication (SP) 800-172r3 (Revision 3), Enhanced Security Requirements for Protecting Controlled Unclassified Information (CUI), is available for comment.
  • “SP 800-172r3 provides recommended security requirements to protect the confidentiality, integrity, and availability of CUI when it is resident in a nonfederal system and organization and is associated with a high value asset or critical program. The enhanced security requirements give organizations the capability to achieve a multidimensional, defense-in-depth protection strategy against advanced persistent threats (APTs) and help to ensure the resiliency of systems and organizations. The enhanced security requirements in SP 800-172r3 supplement the security requirements in SP 800-171 and are intended for use by federal agencies in contractual vehicles or other agreements between those agencies and nonfederal organizations. There is no expectation that all of the enhanced security requirements are needed universally; enhanced security requirements are selected by federal agencies based on specific mission needs and risks.
  • “The public comment period is open through January 10, 2025. NIST strongly encourages you to use the comment template available on the publication details page and submit comments to 800-171comments@list.nist.gov. Comments received in response to this request will be posted on the Protecting CUI project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed.
• FEHB claims data is classified as CUI. Significant changes are called out on this NIST website.

From the cybersecurity vulnerabilities and breaches front,

• From a November 12, 2024, CISA press release
  • “Today, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and international partners released joint Cybersecurity Advisory, 2023 Top Routinely Exploited Vulnerabilities.” * * *
  • “The authoring agencies urge all organizations to review and implement the recommended mitigations detailed in this advisory. The advisory provides vendors, designers, and developers a guide for implementing secure by design and default principles and tactics to reduce the prevalence of vulnerabilities in their software and end-user organizations mitigations. Following this guidance will help reduce the risk of compromise by malicious cyber actors.”
    
• Also on November 12, HHS’s Health Sector Cybersecurity Coordination Center released an Analyst Note on the Godzilla Webshell.

• CISA added seven known exploited vulnerabilities to its catalog this week.
  • November 12, 2024
    • CVE-2021-26086 Atlassian Jira Server and Data Center Path Traversal Vulnerability
    • CVE-2014-2120 Cisco Adaptive Security Appliance (ASA) Cross-Site Scripting (XSS) Vulnerability
    • CVE-2021-41277 Metabase GeoJSON API Local File Inclusion Vulnerability
    • CVE-2024-43451 Microsoft Windows NTLMv2 Hash Disclosure Spoofing Vulnerability
    • CVE-2024-49039 Microsoft Windows Task Scheduler Privilege Escalation Vulnerability
  • November 14, 2024
    • CVE-2024-9463 Palo Alto Networks Expedition OS Command Injection Vulnerability
    • CVE-2024-9465 Palo Alto Networks Expedition SQL Injection Vulnerability

• Per Cybersecurity Dive,
  • “Attackers are actively exploiting a pair of previously disclosed vulnerabilities in Palo Alto Networks Expedition, federal cyber authorities said Thursday. 
  • “The Cybersecurity and Infrastructure Security Agency added CVE-2024-9463, an OS command injection vulnerability with a CVSS score of 9.9, and CVE-2024-9465, an SQL injection vulnerability with a CVSS score of 9.2, to its known exploited vulnerabilities catalog on Thursday. The alert comes one week after the agency confirmed another vulnerability in the same product, CVE-2024-5910, was under active exploitation. 
  • “Palo Alto Networks disclosed and released a patch for the vulnerabilities along with three additional CVEs in the migration tool on Oct. 9.”

• Per Dark Reading,
  • “Microsoft pulled its November 2024 Exchange security updates that it released earlier this month for Patch Tuesday due to them breaking email delivery.
  • “This decision came after there were reports from admins saying that email had stopped flowing altogether.
  • “The issue affects Microsoft Exchange customers who use transport rules, or mail flow rules, as well as data loss protection rules. The mail flow rules filter and redirect emails in transit, while the data loss protection rules ensure that sensitive information isn’t being shared via email to an outside organization.”
• and
  • “ChatGPT exposes significant data pertaining to its instructions, history, and the files it runs on, placing public GPTs at risk of sensitive data exposure, and raising questions about OpenAI’s security on the whole.
  • “The world’s leading AI chatbot is more malleable and multifunctional than most people realize. With some specific prompt engineering, users can execute commands almost like one would in a shell, upload and manage files as they would in an operating system and access the inner workings of the large language model (LLM) it runs on: the data, instructions, and configurations that influence its outputs.
  • “OpenAI argues that this is all by design, but Marco Figueroa, a generative AI (GenAI) bug-bounty programs manager at Mozilla who has uncovered prompt-injection concerns before in ChatGPT, disagrees.
  • “They’re not documented features,” he says. “I think this is a pure design flaw. It’s a matter of time until something happens, and some zero-day is found,” by virtue of the data leakage.”

• Per AI Business,
  • “When most people think of AI-generated deepfakes, they probably think of videos of politicians or celebrities being manipulated to make it appear as though they said or did something they didn’t. These can be humorous or malicious. When deepfakes are in the news, for instance, it is usually in connection to a political misinformation campaign.
  • “What many people don’t realize, however, is that the malicious use of deepfakes extends well beyond the political realm. Scammers are increasingly adept at using real-time deepfakes to impersonate individuals with certain permissions or clearances, thus granting them access to private documents, sensitive personal data and customer information.” * * *
  • “Governments and businesses are taking deepfakes more and more seriously. Protecting against this kind of manipulation requires a combination of technological solutions and personnel-based ones. First and foremost, a regular red-teaming process must be in place. Stress-testing deepfake detection systems with the latest deepfake technology is the only way to make sure a given detection system is working properly.
  • “The second essential aspect of defending against deepfakes is educating employees to be skeptical of videos and video conferences with requests that seem too drastic, urgent, or otherwise out of the ordinary. A culture of moderate skepticism is part of security awareness and preparedness alongside solid security protocols. Often the first line of defense is common sense and person-to-person verification. This can save companies millions and their cybersecurity teams hundreds of hours.
  • “Alongside technological solutions, the best defense against malicious AI is common sense. Businesses that take this two-pronged approach will have a better shot at protecting themselves than businesses that don’t. Considering the speed at which deepfakes are evolving, this is nothing short of critical.”

From the ransomware front,

• On November 13, the Register reported,
  • “American Associated Pharmacies (AAP) is the latest US healthcare organization to have had its data stolen and encrypted by cyber-crooks, it is feared.
  • “The criminals over at the Embargo ransomware operation claimed responsibility for the hit job, allegedly stealing 1.469 TB of AAP’s data, scrambling its files, and demanding payment to restore the information.
  • “AAP, which oversees a few thousand independent pharmacies in the country, hasn’t officially confirmed an attack, nor has it responded to The Register‘s request for input on the claims. At the time of writing, its website warns all user passwords were recently force-reset. It did not explain why the resets were forced nor mention a cyberattack.
  • “All user passwords associated with both APIRx.com and RxAAP.com have been reset, so existing credentials will no longer be valid to access the sites,” a website notice reads. “Please click ‘forgot password’ on the log in screen and follow the prompts accordingly to reset your password.”

• Bleeping Computer informs us,
  • “North Korean threat actors target Apple macOS systems using trojanized Notepad apps and minesweeper games created with Flutter, which are signed and notarized by a legitimate Apple developer ID.
  • “This means that the malicious apps, even if temporarily, passed Apple’s security checks, so macOS systems treat them as verified and allow them to execute without restrictions.
  • “The app names are centered around cryptocurrency themes, which aligns with North Korean hackers’ interests in financial theft.
  • “According to Jamf Threat Labs, which discovered the activity, the campaign appears more like an experiment on bypassing macOS security than a fully-fledged and highly targeted operation.”
    
• Infosecurity Magazine discusses how ransomware groups use cloud services for data exfiltration.
  • “Alex Delamotte, a threat researcher at SentinelLabs, the cybersecurity provider’s research branch, published The State of Cloud Ransomware in 2024 on November 14.
  • “Cloud services provide an advantage over endpoint and web server-based services by having a smaller attack surface.
  • “However, the ubiquitous use of cloud services makes them attractive to attackers, who have developed new approaches to compromise them.
  • “Despite being designed to securely store, manage, and retrieve large volumes of unstructured data at scale, cloud-based storage services, such as the Amazon Web Services (AWS) Simple Storage Service (S3) or Microsoft Azure Blob Storage, have become prime targets.
  • “S3 buckets are one of the most referenced targets of malicious activity.
  • P.S. S3 Buckets are public cloud storage containers for objects stored in simple storage service (S3). S3 buckets can be likened to file folders and object storage.

From the cybersecurity defenses front,

• Per Cybersecurity Dive,
  • “Microsoft will disclose vulnerabilities under the Common Security Advisory Framework, a move designed to help customers respond and remediate CVEs in a more efficient manner, the company said this week.  
  • “CSAF is a format that is machine readable, which helps organizations digest the CVEs faster and in larger volumes. Customers will still be able to get CVE updates through the Microsoft security update guide or through an API based on the Common Vulnerability Reporting Framework. The CVRF serves as the standard for disclosing vulnerability information. 
  • “The CSAF rollout represents the third in a series of changes to make vulnerability disclosure more transparent at Microsoft. The company in June announced Cloud Service CVEs and in April said it would publish root cause analysis using the Common Weakness Enumeration standard.”

• HHS’s 405(d) program released an Operational Continuity Cyber Incident Checklist.

• Here is a link to Dark Reading’s CISO Corner.

• Bleeping Computer lets us know,
  • “Bitdefender has released a decryptor for the ‘ShrinkLocker’ ransomware strain, which uses Windows’ built-in BitLocker drive encryption tool to lock victim’s files.
  • “Discovered in May 2024 by researchers at cybersecurity company Kaspersky, ShrinkLocker lacks the sophistication of other ransomware families but integrates features that can maximize the damage of an attack.
  • “According to Bitdefender’s analysis, the malware appears to have been repurposed from benign ten-year-old code, using VBScript, and leverages generally outdated techniques.”
    
    
    
    
    
    

From the cybersecurity policy and law enforcement front,

• Federal News Network tells us,
  • “The White House’s lead regulatory office is reviewing a proposed rule that would upgrade the cybersecurity protections required under the Health Insurance Portability and Accountability Act (HIPAA).
  • “The White House Office of Information and Regulatory Affairs (OIRA) received the proposed rule on Oct. 18.
  • The changes to the HIPAA security rule will “improve cybersecurity in the health care sector by strengthening requirements for HIPAA regulated entities to safeguard electronic protected health information to prevent, detect, contain, mitigate, and recover from cybersecurity threats,” according to a rule abstract published by OIRA.
  • “OIRA is charge of reviewing major agency rulemakings before they are published. Once the HIPAA updates clear White House review, the Department of Health and Human Services would be able to release the Notice of Proposed Rulemaking for public comment.”

• Here’s the entry in reginfo.gov
  • AGENCY: HHS-OCR. RIN: 0945-AA22. Status: Pending Review. Request EO Meeting
    TITLE: Proposed Modifications to the HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information
    STAGE: Proposed Rule. SECTION 3(f)(1) SIGNIFICANT: Yes. RECEIVED DATE: 10/18/2024
    LEGAL DEADLINE: None  
    
• Fedscoop tells us,
  • “The Biden administration published its anticipated national security memo on artificial intelligence Thursday, establishing a roadmap that aims to ensure U.S. competitiveness with adversaries on the technology, while still upholding democratic values in its deployment. 
  • “Specifically, the memo details more responsibilities for the Department of Commerce’s AI Safety Institute, directs agencies to evaluate models for risks and identify areas in which the AI supply chain could be disrupted, outlines actions to streamline acquisition of AI used for national security, and defines new governance practices for federal agencies through a new framework.
  • “In remarks on the memo delivered Thursday at National Defense University, National Security Advisor Jake Sullivan highlighted the potential AI has for the country’s national security advantage but spoke in dire terms about taking action.
  • “The stakes are high,” Sullivan said. “If we don’t act more intentionally to seize our advantages, if we don’t deploy AI more quickly and more comprehensively to strengthen our national security, we risk squandering our hard-earned lead.”

• Per a NIST announcement,
  • “NIST has released an initial public draft (ipd) revision of Special Publication (SP) 800-131A, Transitioning the Use of Cryptographic Algorithms and Key Lengths.
  • “NIST provides cryptographic key management guidance for defining and implementing appropriate key-management procedures, using algorithms that adequately protect sensitive information, and planning for possible changes in the use of cryptography because of algorithm breaks or the availability of more powerful computing techniques. This publication provides guidance on transitioning to the use of stronger cryptographic keys and more robust algorithms.
  • “This revision proposes a) the retirement of ECB as a confidentiality mode of operation and the use of DSA for digital signature generation and b) a schedule for the retirement of SHA-1 and the 224-bit hash functions. This draft also discusses the transition from a security strength of 112 bits to a 128-bit security strength and to quantum-resistant algorithms for digital signatures and key establishment.
  • “The public comment period is open through December 4, 2024. See the publication details for a copy of the draft and instructions for submitting comments.”

• The Wall Street Journal reports,
  • “Four tech companies settled federal cases over allegations they misled investors about the extent to which they were compromised in the 2020 SolarWinds hack. 
  • “Avaya Holdings, Check Point Software Technologies, Mimecast and Unisys didn’t admit wrongdoing in separate deals with the U.S. Securities and Exchange Commission, which found their financial disclosures played down what the companies knew about how their systems were affected by breached SolarWinds software. 
  • “Unisys agreed to pay a penalty of $4 million, and the other three companies will pay about $1 million each.
  • “In a breach disclosed in 2020, which the U.S. later attributed to Russia, hackers slipped malicious code into software from Austin, Texas-based SolarWinds. Thousands of customers inadvertently downloaded the malware. Moscow has denied involvement.”

From the cybersecurity vulnerabilities and breaches front,

• Cyberscoop lets us know,
  • “The Change Healthcare data breach in February affected 100 million Americans, the company told the Health and Human Services Department this week, making it the biggest breach of health care data ever reported to U.S. regulators.
  • “The development is the latest ripple in what was already an unprecedented attack, one in which the company paid a $22 million ransom, resulted in estimated losses of more than $1 billion and attracted the attention of policymakers who have sought new rules for the industry.
  • “Change Healthcare notified HHS about the updated number, with the company previously stating only that “a substantial proportion of people in America” were affected. HHS posted about the new figure it in its own update Thursday. HHS’s Office of Civil Rights is conducting an investigation of the breach.
  • “The previous record for victims of a breach in the sector was the Anthem breach of 2015, which impacted nearly 79 million Americans and resulted in the company paying a $16 million settlement to HHS.”

• The Cybersecurity and Infrastructure Security Agency added five known exploited vulnerabilities to its catalog this week.
• October 21, 2024
  • CVE-2024-9537. ScienceLogic SL1 Unspecified Vulnerability
• October 22, 2024
  • CVE-2024-38094 Microsoft SharePoint Deserialization Vulnerability
• October 23, 2024
  • CVE-2024-47575 Fortinet FortiManager Missing Authentication Vulnerability
• October 24, 2024
  • CVE-2024-20481 Cisco ASA and FTD Denial-of-Service Vulnerability
  • CVE-2024-37383 RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability

• Cybersecurity Dive adds,
  • “Attackers are actively exploiting a critical zero-day vulnerability in Fortinet’s network and security management tool FortiManager, according to security researchers and federal authorities. The earliest exploitation was on June 27, and at least 50 organizations across various industries have been impacted to date, Mandiant said in a Wednesday blog post.
  • “Fortinet disclosed active exploitation of CVE-2024-47575, which has a CVSS score of 9.8, in a security advisory Wednesday. Hours later, the Cybersecurity and Infrastructure Security Agency added the CVE to its known exploited vulnerabilities catalog. Fortinet did not say how many customers are impacted or when it became aware of CVE-2024-47575 and active exploitation.
  • “The exploitation observed thus far appears to be automated in nature and is identical across multiple victims,” Mandiant Consulting CTO Charles Carmakal said in a Wednesday post on LinkedIn. “However, with most mass exploitation campaigns, we often observe targeted follow-on activity at some victims.”

• Dark Reading informs us,
  • “Russia’s premiere advanced persistent threat group has been phishing thousands of targets in militaries, public authorities, and enterprises.
  • “APT29 (aka Midnight Blizzard, Nobelium, Cozy Bear) is arguably the world’s most notorious threat actor. An arm of the Russian Federation’s Foreign Intelligence Service (SVR), it’s best known for the historic breaches of SolarWinds and the Democratic National Committee (DNC). Lately, it has breached Microsoft’s codebase and political targets across Europe, Africa, and beyond. Russia’s premiere advanced persistent threat group has been phishing thousands of targets in militaries, public authorities, and enterprises.
  • “APT29 embodies the ‘persistent’ part of ‘advanced persistent threat,'” says Satnam Narang, senior staff research engineer at Tenable. “It has persistently targeted organizations in the United States and Europe for years, utilizing various techniques, including spear-phishing and exploitation of vulnerabilities to gain initial access and elevate privileges. Its modus operandi is the collection of foreign intelligence, as well as maintaining persistence in compromised organizations in order to conduct future operations.”

• Per Bleeping Computer,
  • “Cisco fixed a denial-of-service flaw in its Cisco ASA and Firepower Threat Defense (FTD) software, which was discovered during large-scale brute force attacks against Cisco VPN devices in April.
  • ‘The flaw is tracked as CVE-2024-20481 and impacts all versions of Cisco ASA and Cisco FTD up until the latest versions of the software.
  • “A vulnerability in the Remote Access VPN (RAVPN) service of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) of the RAVPN service,” reads the CVE-2024-20481 security advisory.”

From the ransomware front,

• Dark Reading points out,
  • “Nearly 400 US healthcare organizations have been infected with ransomwarethis fiscal year, compromising private information, disrupting facilities, and putting lives at risk, according to a study released this week.
  • “The average payment that these organizations have reported paying has gone up to roughly $4.4 million and is costing facilities up to $900,000 in downtime, putting healthcare among ransomware’s most lucrative target sectors.
  • “The disruption that healthcare operations face when hit with ransomware attacks doesn’t just affect hospitals either. It also impacts clinics and doctors in adjacent areas, which absorb displaced patients in these emergencies.” * * *
  • According to the study, ransomware has become such a pronounced issue for the healthcare sector because of its track record of complying with the bad actors and making ransom payments. But since these organizations are dealing with literal life and death issues, they are usually willing to pay millions of dollars to avoid any disruption of care and the data that support it.
    
• Cyberscoop relates,
  • “Ransomware developers are used to their malware being detected. Once defenses against it have been built, they revise and update their code to circumvent those defenses. Then developers deploy an updated version in renewed attacks, often with increased sophistication, to evade detection and achieve their malicious objectives.
  • “That cycle has started anew with the Qilin ransomware-as-a-service operation, according to a new report from the cybersecurity firm Halcyon about the group’s updated and upgraded variant. 
  • “Researchers at the firm warned Thursday that “Qilin.B” is a “more advanced” ransomware variant that boosted encryption and evasion techniques to the big game hunters’ arsenal.
  • “Qilin.B’s combination of enhanced encryption mechanisms, effective defense evasion tactics, and persistent disruption of backup systems marks it as a particularly dangerous ransomware variant,” the report noted.”

• Per Cybersecurity Dive,
  • “Ransomware attacks hit at least 30 organizations using SonicWall firewalls running firmware affected by a critical vulnerability the vendor disclosed and patched two months ago, security researchers at Arctic Wolf Labs said Thursday.
  • “SonicWall disclosed and patched the improper access control vulnerability, CVE-2024-40766, which has a CVSS score of 9.3, on Aug. 22. Arctic Wolf Labs said it began observing Akira and Fog ransomware variant intrusions involving the affected SSL VPN feature of SonicWall firewalls in early August.
  • “We have observed a significant increase in activity consistent with attempted intrusions since August, with spikes in activity typically occurring during non-business hours,” Bret Fitzgerald, senior director of global public relations at SonicWall, said Thursday via email.”

• Bleeping Computer alerts us,
  • “The BlackBasta ransomware operation has moved its social engineering attacks to Microsoft Teams, posing as corporate help desks contacting employees to assist them with an ongoing spam attack.
    “Black Basta is a ransomware operation active since April 2022 and responsible for hundreds of attacks against corporations worldwide.
    “After the Conti cybercrime syndicate shut down in June 2022 following a series of embarrassing data breaches, the operation split into multiple groups, with one of these factions believed to be Black Basta.”

From the cybersecurity defenses front,

• Cybersecurity Dive reports,
  • “Microsoft Chair and CEO Satya Nadella asked for the board to reduce part of his annual compensation package to account for his role in how the company prepared for malicious cyberattacks that led to an overhaul of its internal security culture. 
  • “Nadella received more than $79 million in total compensation in fiscal 2024, which included a base salary of $2.5 million, about $71.2 million in stock awards and $5.2 million in non-equity incentive plan compensation, according to a filing with the Securities and Exchange Commission. The total included almost $170,000 classified as other compensation. 
  • “However, Nadella “asked the board to consider departing from the established performance metrics and reduce his cash incentive to reflect his personal accountability for the focus and speed required for the changes that today’s cybersecurity threat landscape showed were necessary,” according to a letter included in the filing from the compensation committee at Microsoft.” 

• Per Bleeping Computer,
  • Apple created a Virtual Research Environment to allow public access to testing the security of its Private Cloud Compute system, and released the source code for some “key components” to help researchers analyze the privacy and safety features on the architecture.
  • The company also seeks to improve the system’s security and has expanded its security bounty program to include rewards of up to $1 million for vulnerabilities that could compromise “the fundamental security and privacy guarantees of PCC.”
  • Private Cloud Compute (PCC) is a cloud intelligence system for complex AI processing of data from user devices in a way that does not compromise privacy.
    
• Cybersecurity Dive shares Gartner’s four ways AI could impact employees, workflows.

• Here is a link to Dark Reading’s CISO Corner.

• An ISACA commentator discusses “How the Emerging Technology Landscape is Impacting Cybersecurity Audits.”

• “In a conversation with The Regulatory Review, Penn Medicine Chief Privacy Officer Lauren Steinfeld discusses how health care systems work to comply with regulations on data privacy.”

• Tripwire shares “Advanced Tips for Leveraging the NIST Cybersecurity Framework for Compliance.”

From the cybersecurity policy and law enforcement front,

• Cyberscoop tells us,
  • “Members of Congress are pressing federal agencies and telecommunications companies for more information about a reported Chinese government-backed hacking campaign that breached the networks of at least three major U.S. telecoms.
  • “Earlier this month, the Wall Street Journal reported that a hacking group tied to Beijing successfully broke into the networks of Verizon, AT&T and Lumen Technologies. The hackers reportedly went undetected for months, possibly gaining access to systems and infrastructure used to process court-authorized wiretaps.
  • ‘On Thursday, Republican and Democratic leaders on the House Energy and Commerce Committee wrote to the three telecommunication firms asking for more information on their response, calling the incident “extremely alarming for both economic and national security reasons.” * * *
  • “The members requested a briefing with the telecoms to learn more about when they became aware of the compromise, findings from any internal investigations and subsequent engagement with law enforcement, their plans to notify affected customers and what if any corrective steps have been taken to harden cybersecurity in the wake of the incident.
  • “The House Homeland Security Committee has also requested a briefing on the hack from the Cybersecurity and Infrastructure Security Agency, according to a committee aide.”

• Federal News Network lets us know,
  • “The Defense Department released the final rule for the long-awaited Cybersecurity Maturity Model Certification program today [October 11], further paving the way for CMMC requirements to show up in contracts starting next year.
  • “The final CMMC program rule was released for public inspection today. It’s expected to officially publish in the Federal Register on Tuesday, Oct. 15.
  • “The rule establishes the mechanisms for the CMMC program. The goal of CMMC is to verify whether defense contractors are following cybersecurity requirements for protecting critical defense information. Many contractors will be required to receive a third-party audit under the program, a significant departure from the current regime of relying on self-attestation.”

• Per an October 3, 2024, HHS press release,
  • “Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $240,000 civil monetary penalty against Providence Medical Institute in Southern California, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, following a ransomware attack breach report investigation by OCR. Ransomware and hacking are the primary cyber-threats in health care. There has been a 264% increase in large breaches reported to OCR involving ransomware attacks since 2018.
  • “Failures to fully implement all of the HIPAA Security Rule requirements leaves HIPAA covered entities and business associates vulnerable to cyberattacks at the expense of the privacy and security of patients’ health information,” said OCR Director Melanie Fontes Rainer. “The health care sector needs to get serious about cybersecurity and complying with HIPAA. OCR will continue to stand up for patient privacy and work to ensure the security of health information of every person. On behalf of OCR, I urge all health care entities to always stay alert and take every precaution and steps to keep their systems safe from cyberattacks.” * * *
  • “The Notice of Final Determination may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/pmi-nfd/index.html“
    
• Fedscoop notes,
  • “The Department of Health and Human Services is working on a new strategic plan for the use of artificial intelligence across the entire breadth of its mission, the department’s top AI official said Tuesday.
  • “Micky Tripathi — HHS’s acting chief AI officer and its assistant secretary for technology policy — said at the NVIDIA AI Summit in Washington, D.C., that the AI strategic plan should arrive sometime in January and that it will span “the entire, you know, sort of breadth of what the department covers.”
  • “During a panel discussion, Tripathi detailed the complex web of mission sets spanning “the value chain of life sciences and health care” that HHS oversees that the new strategic plan will attempt to wrap its arms around. Those include medical research and discovery, preclinical work, measuring the safety and effectiveness of medical products, health care delivery, health technology standards setting, human services, public health and more, he said.”

From the cybersecurity vulnerabilities and breaches front,

• Beckers Health IT informs us,
  • “In the past 12 months, 92% of healthcare organizations reported experiencing at least one cyberattack, up from 88% in 2023, an Oct. 8 survey from Proofpoint and Ponemon Institute found.
  • “Of those cyberattacks, 69% reported disruptions to patient care as a direct consequence.”

• The American Hospital Association News reports,
  • “The FBI, along with the National Security Agency, Cyber National Mission Force and United Kingdom’s National Cyber Security Centre, today released a joint agency advisory on cyber operations by the Russian Federation’s Foreign Intelligence Service (SVR), also known as APT29, Midnight Blizzard, Cozy Bear, and the Dukes, targeting U.S. and global entities. The agencies recommend prioritizing rapid patch deployment and keeping software up to date to protect against cyberattacks.
  • “This alert highlights the SVR’s aggressive targeting of U.S. critical infrastructure for espionage and possible future offensive cyber operations,’ said John Riggi, AHA national advisor for cybersecurity and risk. “Although health care is not cited as being intentionally targeted by this SVR campaign, it is noted that any entity could become a target of opportunity if it has internet-facing vulnerabilities. The SVR takes advantage of opportunistic tactics to host malicious infrastructure, conduct follow-on operations from compromised accounts, or attempt to pivot to other networks on unprotected victim infrastructure. To mitigate this threat and other types of cyberattacks, such as ransomware attacks, it is imperative that health care entities prioritize patching internet-facing vulnerabilities, employ multi-factor authentication and follow the voluntary cybersecurity performance goals.”

• HHS’s Health Section Cybersecurity Coordination Center issued its September report on vulnerabilities of interest to the health sector.

• Cyberscoop points out,
  • “The number of malicious packages found in the open-source ecosystem has dramatically grown in the past year, according to a new report from Sonatype.
  • “The cybersecurity firm found that the number of malicious packages intentionally uploaded into open-source repositories has jumped by more than 150% compared to last year. Open-source software, a transparent development process where almost anyone can contribute to the code and components, is the bedrock of the digital age that can be found in most modern digital technologies.
  • “Sonatype, a firm that specializes in the open-source supply chain, looked at more than 7 million open-source projects and found that more than 500,000 contained a malicious package.
  • “Vulnerabilities in open-source packages and the developers who maintain them have become a hot topic following a spree of high-profile bugs and cyberattacks in recent years. Earlier this year, the maintainer of the data-compression tool XZ Utils was the focus of a yearslong campaign by hackers with the aim of inserting a vulnerability that would have been found in Linux servers throughout the world.”

• The Cybersecurity and Infrastructure Security Agency (CISA) alerted us on October 10,
  • CISA has observed cyber threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to enumerate other non-internet facing devices on the network. F5 BIG-IP is a suite of hardware and software solutions designed to manage and secure network traffic. A malicious cyber actor could leverage the information gathered from unencrypted persistence cookies to infer or identify additional network resources and potentially exploit vulnerabilities found in other devices present on the network.
  • CISA urges organizations to encrypt persistent cookies employed in F5 BIG-IP devices and review the following article for details on how to configure the BIG-IP LTM system to encrypt HTTP cookies. Additionally, F5 has developed an iHealth heuristic to detect and alert customers when cookie persistence profiles do not have encryption enabled. BIG-IP iHealth is a diagnostic tool that “evaluates the logs, command output, and configuration of a BIG-IP system against a database of known issues, common mistakes, and published F5 best practices” to help users verify the optimal operation of their BIG-IP systems.

• CISA added six more known exploited vulnerabilities to its catalog this week.
  • October 8, 2024
    • CVE-2024-43047 Qualcomm Multiple Chipsets Use-After-Free Vulnerability
    • CVE-2024-43572 Microsoft Windows Management Console Remote Code Execution Vulnerability
    • CVE-2024-43573 Microsoft Windows MSHTML Platform Spoofing Vulnerability
  • October 9, 2024
    • CVE-2024-23113 Fortinet Multiple Products Format String Vulnerability
    • CVE-2024-9379 Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability
    • CVE-2024-9380 Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability

• Cybersecurity Dive adds,
  • “Ivanti released updates for three actively exploited zero-day vulnerabilities in Ivanti Cloud Service Appliance, which hackers are chaining together with a previously disclosed path traversal vulnerability, the company said in a Tuesday blog post. 
  • “Successful exploitation of the flaws can allow an attacker to gain administrative privileges to bypass restrictions, obtain remote code execution or run arbitrary SQL statements. The vulnerabilities are listed as CVE-2024-9379, CVE-2024-9380, CVE-2024-9381. 
  • “Ivanti previously disclosed and issued a patch that would address the prior critical vulnerability, listed as CVE-2024-8963, on Sept. 10. The company said it discovered the path traversal vulnerability when it was investigating exploitation of an OS command injection vulnerability, listed as CVE-2024-8190.”

From the ransomware front,

• Tech Radar reports,
  • “The number of active ransomware groups over the last 12 months is on the rise as criminals look for more ways to target businesses, new research has claimed.
  • “The 2024 State of Threat Report from Secureworks has revealed a rise in the number of active ransomware groups over the last 12 months – identifying a 30% rise in the number of active groups.
  • “The figures represents a diversification of the landscape rather than a particularly drastic increase in criminals. Since the notorious Lockbit disruption, in which the most prolific group was briefly shut down, the ransomware ecosystem has evolved, with 31 new groups being established.” * * *
  • “One of the key findings from the report is that unpatched vulnerabilities remain the top Initial Access Vector (IAV) in ransomware attacks, making up almost 50% of all IAVs. This outlines more than ever the importance of staying on top of cybersecurity and software updates.”

• Per Security Affairs,
  • “Sophos researchers warn that ransomware operators are exploiting the critical vulnerability CVE-2024-40711 in Veeam Backup & Replication to create rogue accounts and deploy malware.
  • “In early September 2024, Veeam released security updates to address multiple vulnerabilities impacting its products, the company fixed 18 high and critical severity flaws in Veeam Backup & Replication, Service Provider Console, and One.
  • “The most severe flaw included in the September 2024 security bulletin is a critical, remote code execution (RCE) vulnerability tracked as CVE-2024-40711 (CVSS v3.1 score: 9.8) impacting Veeam Backup & Replication (VBR).”

• Palo Alto Networks Unit 24 tells us,
  • “In July 2024, researchers from Palo Alto Networks discovered a successor to INC ransomware named Lynx. Since its emergence, the group behind this ransomware has actively targeted organizations in various sectors such as retail, real estate, architecture, and financial and environmental services in the U.S. and UK.
  • “Lynx ransomware shares a significant portion of its source code with INC ransomware. INC ransomware initially surfaced in August 2023 and had variants compatible with both Windows and Linux. While we haven’t confirmed any Linux samples yet for Lynx ransomware, we have noted Windows samples. This ransomware operates using a ransomware-as-a-service (RaaS) model.”

From the cybersecurity defenses front,

• American Hospital Association cybersecurity expert John Riggi offers his perspective on this year’s cybersecurity challenges in the healthcare sector.

• “Moffitt Cancer Center was one of many health systems impacted by the Change Healthcare ransomware attack earlier this year. The organization’s VP of RCM operations [Lynn Ansley] explains [in Health Leaders] how she navigated the disaster.”

• Here is a link to Dark Reading’s CISO Corner.

• HHS’s 405(d) program shares an endpoints security poster with the public.

From the cybersecurity policy front,

• Healthcare Dive informs us,
  • “Lawmakers introduced a bill Thursday [September 26] that would set cybersecurity standards for healthcare organizations as the industry faces a wave of cyberattacks and data breaches. 
  • “The legislation, sponsored by Sens. Ron Wyden, D-Ore., and Mark Warner, D-Va., would direct the HHS to develop minimum cybersecurity standards for providers, health plans, claims clearinghouses and business associates. Enhanced cyber standards would apply to organizations that are deemed important to national security.” * * *
  • “The bill requires the HHS to adopt minimum and enhanced cybersecurity measures that would apply to HIPAA-covered entities and their business associates.
  • “Healthcare organizations would be required to conduct cybersecurity assessments and stress tests. The HHS would audit the data security of at least 20 companies per year to ensure compliance. 
  • “The legislation also seeks to increase civil penalties for organizations that fail to comply with security standards — including a proposed minimum fine of $250,000 for violations in willful neglect that go uncorrected. 
  • “The HHS would also be authorized to charge user fees to covered entities and business associates. Those fees would allow the agency to take on the increased oversight work, a challenge the HHS hasn’t been appropriately funded to manage, the senators wrote in a summary of the legislation.”
• Wow. It strikes the FEHBlog that at least parts of this bill, in not the whole tamale, could be enacted in the lame duck session of Congress at the end of this year. The bill has a variety of effective dates.

• Why? Beckers Health IT adds,
  • “The financial fallout from recent data breaches in the healthcare industry continues to raise alarms as organizations grapple with the costs of cyberattacks and ensuing lawsuits.
  • “Two incidents — the ransomware attack on St. Louis-based Ascension and a class-action lawsuit faced by Allentown, Pa.-based Lehigh Valley Health Network — highlight the impact of these breaches on health systems’ operations and bottom lines.”

• Cybersecurity Dive points out,
  • “The U.S. has made significant progress improving its cybersecurity posture, implementing about 80% of the recommendations the Cyberspace Solarium Commission detailed in 2020, according to a report released Thursday [September 26]. But more work is still required to shore up additional efforts related to critical infrastructure and economic security. 
  • “Among the key remaining priorities is a push to identify the “minimum security burdens” of critical infrastructure entities that have a “disproportionate impact on U.S. national security,” the report said. The commission called on the next administration to detail intelligence and information-sharing benefits, alongside security burdens, to these “systemically important entities.”
  • “The U.S. needs to develop an economic continuity plan that would operate as an incident response and resilience plan in case of a catastrophic cyber event or other crisis, the commission said. Federal authorities also need to codify a joint collective plan for sharing threat information between government, private industry and international intelligence partners.”

• Per a NIST press release,
  • “Today [September 24], U.S. Secretary of Commerce Gina Raimondo announced that the Department of Commerce’s National Institute of Standards and Technology (NIST) has awarded $6 million to Carnegie Mellon University (CMU) to establish a joint center to support cooperative research and experimentation for the test and evaluation of modern AI capabilities and tools. The center will be housed on the Carnegie Mellon campus, in Pittsburgh.
  • “Artificial intelligence is the defining technology of our generation, and at the Commerce Department we are committed to working with America’s world-class higher education institutions, like Carnegie Mellon University, to advance safe, secure and trustworthy development of AI,” Raimondo said. “I am excited to announce this NIST award of $6 million for Carnegie Mellon to boost research of AI systems and support a new generation of scientists and engineers that will help advance American innovation globally.”

From the CrowdStrike front

• Cybersecurity Dive offers five takeaways from a CrowdStrike official’s apologetic testimony before Congress last Thursday.

From the cyber breaches and vulnerabilities front,

• Cybersecurity Dive lets us know,
  • “Security researchers are warning about critical vulnerabilities in the Common Unix Printing System used on Linux, which could allow a hacker to gain control over remote command execution when the flaws are chained together and a print job is separately launched by the user.
  • “The vulnerabilities, listed as CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177, can allow an attacker to replace IPP urls on a printer with a malicious version, giving them the ability to command capabilities on a system. 
  • “The vulnerabilities were initially assigned a score of 9.9, with the expectation of coordinated disclosure and later public notification by Oct. 6. However, the original research leaked on Thursday, and security researchers have since dialed back some of their initial fears, which compared the potential impact to Log4j and Heartbleed.”

• This week, the Cybersecurity and Infrastructure Security Administration added one known exploited vulnerability to its catalog on September 24, 2024,
  • CVE-2024-7593. Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability

• Cybersecurity Dive cautions,
  • “A state-linked botnet linked to the Flax Typhoon threat group is actively targeting 66 security vulnerabilities for exploitation, researchers from VulnCheck said Monday. Last week the Five Eyes intelligence partners named the botnet in a global threat advisory. 
  • “However, researchers from VulnCheck warn that only 27 of the CVEs are listed in the Cybersecurity and Infrastructure Security Agency’s closely monitored catalog of known exploited vulnerabilities.  
  • “Researchers say the discrepancy between the actively targeted CVEs and the official CISA catalog highlights a longstanding backlog in identifying security threats that critical infrastructure providers, private companies and government agencies are up against.” * * *
  • “NIST brought in an outside firm to help reduce the analysis backlog. A NIST spokesperson said the agency has made progress towards reducing the backlog, and an update on that progress is pending.” 

From the ransomware front,

• Modern Healthcare tells us,
  • The number of healthcare providers affected by ransomware attacks is steadily growing. 
  • More than two-thirds of healthcare providers reported a ransomware attack in the past year compared with 60% in 2023, according to a survey released Thursday from cybersecurity company Sophos. In 2021, only 34% of providers said they were affected by an attack.

• Bleeping Computer warns,
  • “Microsoft warns that ransomware threat actor Storm-0501 has recently switched tactics and now targets hybrid cloud environments, expanding its strategy to compromise all victim assets.
  • “The threat actor first emerged in 2021 as a ransomware affiliate for the Sabbath ransomware operation. Later they started to deploy file-encrypting malware from Hive, BlackCat, LockBit, and Hunters International gangs. Recently, they have been observed to deploy the Embargo ransomware.
  • “Storm-0501’s recent attacks targeted hospitals, government, manufacturing, and transportation organizations, and law enforcement agencies in the United States.”

• PC World explains how to turn on Microsoft Windows’ built in ransomware protection.

From the cybersecurity defenses front,

• SC Media calls attention to “five ways to beef up network security and reduce data theft.”
  • “Rethink access control
  • “Raise the firewall game
  • “Take incident response seriously
  • “Tap into network visibility
  • “Segment the network
• “These five approaches to network data security have been around for quite some time, yet they continue to mature and stay relevant because of new AI features that align with emerging challenges. Ultimately, the security team needs to choose and deploy the right combination of these tools that correlate with industry-specific risks facing the organization.”
  
• A Dark Reading commentator explains why “Managing Cyber-Risk Is No Different Than Managing Any Business Risk. A sound cyber-risk management strategy analyzes all the business impacts that may stem from an attack and estimates the related costs of mitigation versus the costs of not taking action.”

• Per a CISA press release,
  • “Today [September 26], the Australian Signals Directorate Australian Cyber Security Centre (ASD ACSC), the Cybersecurity and Infrastructure Security Agency (CISA), and other U.S. and international partners released the joint guide Detecting and Mitigating Active Directory Compromises. This guide informs organizations of recommended strategies to mitigate common techniques used by malicious actors to compromise Active Directory.
  • “Active Directory is the most widely used authentication and authorization solution in enterprise information technology (IT) networks globally. Malicious actors routinely target Active Directory as part of efforts to compromise enterprise IT networks by escalating privileges and targeting the highest confidential user objects.  
  • “Responding to and recovering from malicious activity involving Active Directory can be consuming, costly, and disruptive. CISA encourages organizations review the guidance and implement the recommended mitigations to improve Active Directory security.”

From the cybersecurity policy and law enforcement front,

• Federal News Network tells us
  • “A record number of federal agencies and their chief information officers are getting top marks on how they manage IT and cybersecurity.
  • “A total of 13 agencies [including the U.S. Office of Personnel Management] received an overall A letter grades on a semiannual Federal IT Acquisition Reform Act (FITARA) scorecard.
  • “Another 10 agencies got a B grade for their overall IT and cybersecurity management. Only one agency, the Energy Department, received a C grade. No agencies received a D or an F.
  • “Agencies generally saw lower scores in the previous FITARA scorecard released in February.”

• KFF Health News gives low marks to the federal agencies responsible for protecting healthcare organizations against cyberattacks.

• Per a CISA press release,
  • “The Cybersecurity and Infrastructure Security Agency (CISA) published the Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) Plan today. As the operational lead for federal cybersecurity, CISA uses this plan to guide coordinated support and services to agencies, drive progress on a targeted set of priorities, and align collective operational defense capabilities. The end result is reducing the risk to more than 100 FCEB agencies.
  • “Each FCEB agency has a unique mission, and thus have independent networks and system architectures to advance their critical work. This independence means that agencies have different cyber risk tolerance and strategies. However, a collective approach to cybersecurity reduces risk across the interagency generally and at each agency specifically, and the FOCAL Plan outlines this will occur. CISA developed this plan in collaboration with FCEB agencies to provide standard, essential components of enterprise operational cybersecurity and align collective operational defense capabilities across the federal enterprise.” * * *
  • “The FOCAL Plan was developed for FCEB agencies, but public and private sector organizations should find it useful as a roadmap to establish their own plan to bolster coordination of their enterprise security capabilities. 
  • “The Plan is not intended to provide a comprehensive or exhaustive list that an agency or CISA must accomplish. Rather, it is designed to focus resources on actions that substantively advance operational cybersecurity improvements and alignment goals.”

• Per a NIST press release,
  • “NIST is establishing a program for the cybersecurity and privacy of AI and the use of AI for cybersecurity and privacy.
  • “The program will build on existing NIST expertise, research and publications such as:
    • “The Secure Software Development Practices for Generative AI and Dual-Use Foundation Models: An SSDF Community Profile (NIST SP 218A); 
    • “Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations (NIST AI 100-2);
    • “Enabling privacy in the age of AI: Draft Guidelines for Evaluating Differential Privacy Guarantees (NIST SP 800-226); 
    • “Recent introduction of Security of AI as a Competency Area as part of the NICE Workforce Framework for Cybersecurity (NICE Framework);
    • “Tools such as Dioptra – a test platform that aims to facilitate evaluations of machine learning algorithms, including cybersecurity, under a diverse set of conditions.
    • “A PETs Testbed which provides the capability to investigate privacy-enhancing technologies (PETs) and their respective suitability for specific use cases, including protecting machine learning models from privacy attacks.

• Dark Reading reports,
  • “The Justice Department today [September 19] announced a court-authorized operation to disrupt a botnet affecting 200,000 devices in the United States and abroad.
  • “According to unsealed documents, the botnet, known as Raptor Train, is operated by People’s Republic of China (PRC) state-sponsored hackers working for a company based in Beijing. Known publicly as Integrity Technology Group, it is also known as the advanced persistent threat (APT) group Flax Typhoon in the private sector.
  • A variety of connected and Internet of things (IoT) devices have been affected by the botnet malware, including small-office/home-office (SOHO) routers, Internet protocol cameras, digital video recorders, and network-attached storage (NAS) devices.”

From the cyber vulnerabilities and breaches front,

• Cybersecurity Dive lets us know,
  • “Ivanti warned Thursday of a critical path traversal vulnerability in Cloud Service Appliance, which is currently facing exploitation attempts by hackers. The vulnerability, listed as CVE-2024-8963, has a CVSS score of 9.4 and allows an unauthenticated hacker to gain access to restricted functionality.
  • “Ivanti previously issued a patch for CSA on Sept. 10., but the company said the path traversal vulnerability was discovered while investigating exploitation linked to an OS command injection vulnerability, listed as CVE-2024-8190. 
  • “The company warned that when the two vulnerabilities are used in conjunction with each other, a hacker can bypass admin authentication and execute arbitrary commands.” 

• Dark Reading tells us “Security Firm’s North Korean Hacker Hire was not an Isolated Incident; What happened to KnowBe4 also has happened to many other organizations, and it’s still a risk for companies of all sizes due to a sophisticated network of government-sponsored fake employees.” Check out the article.

• CISA added twelve known exploited vulnerabilities to its catalog this week.
  • “September 16, 2024
    • CVE-2024-43461 Microsoft Windows MSHTML Platform Spoofing Vulnerability
    • CVE-2024-6670 Progress WhatsUp Gold SQL Injection Vulnerability”
  • “September 17, 2024
    • CVE-2014-0497 Adobe Flash Player Integer Underflow Vulnerability
    • CVE-2013-0643 Adobe Flash Player Incorrect Default Permissions Vulnerability
    • CVE-2013-0648 Adobe Flash Player Code Execution Vulnerability
    • CVE-2014-0502 Adobe Flash Player Double Free Vulnerability”
  • “September 18, 2024
    • CVE-2024-27348 Apache HugeGraph-Server Improper Access Control Vulnerability
    • CVE-2020-0618 Microsoft SQL Server Reporting Services Remote Code Execution” Vulnerability
    • CVE-2019-1069 Microsoft Windows Task Scheduler Privilege Escalation Vulnerability
    • CVE-2022-21445 Oracle JDeveloper Remote Code Execution Vulnerability
    • CVE-2020-14644 Oracle WebLogic Server Remote Code Execution Vulnerability”
  • “September 19, 2024
    • CVE-2024-8963 Ivanti Cloud Services Appliance (CSA) Path Traversal Vulnerability”

From the ransomware front,

• Dark Reading informs us,
  • “Inc ransomware is on the rise, with one well-known threat actor recently using it to target American healthcare organizations.
  • “Vice Society, which Microsoft tracks as Vanilla Tempest, has been active since July 2022. In that time, the Russian-speaking group has made use of various families of ransomware to aid its double extortion attacks, including BlackCat, Hello Kitty, Quantum Locker, Rhysida, Zeppelin — including its own variant — and its own, eponymous program.
  • “In a series of posts on X, Microsoft Threat Intelligence Center (MSTIC) flagged the group’s latest weapon: Inc ransomware.”

• Per Cybersecurity Dive,
  • “A special legislative committee in Suffolk County, New York, found officials ignored repeated warnings and failed to prepare ahead of a September 2022 ransomware attack that disrupted essential government services for months, in a report released last week.
  • “Officials blamed the ransomware attack on a failure of leadership, including the lack of an incident response plan and a failure to respond to FBI warnings of potential infiltration. 
  • “Suffolk County operated using a variety of IT teams and had no CISO, resulting in a lack of coordination on how to prepare for potential cyber threats. The attack has so far cost the county more than $25 million in remediation costs and other expenses.”

• Cyberscoop reports on a debate of experts at the 2024 mWISE conference about what more could be done to stop ransomware attacks in the wake of police action and tens of millions in ransom payments over the past year. 

From the cyber defenses front,

• Cyberscoop points out,
  • “UnitedHealth Group is still in the recovery process months after a ransomware attack on its Change Healthcare subsidiary, with its chief information security officer saying the company has essentially “started over” with regard to its computer systems. 
  • “When I say start over, I really, truly mean start over,” Steven Martin said Thursday at the Mandiant Worldwide Information Security Exchange (mWISE). “The only thing that we kept from the old environment into the new environment was the cables. New routers, new switches, new compute infrastructure, deployed everything from a safe environment, truly started over. I felt like that was the only way that we could really ensure that we ended up with something that we could stand behind for the health care space, because it’s what it deserved.” 

• Cybersecurity Dive adds,
  • “CEOs and company boards often ask Kevin Mandia, founder and former CEO of Mandiant, how to determine the strength of their CISOs. Above all else, Mandia advises executives to assess their CISO’s disposition.
  • “Do you have a CISO with a security mindset?” “If they don’t have that, you’re probably not going to have a great security program,” Mandia said Wednesday during his opening keynote at the Mandiant Worldwide Information Security Exchange conference in Denver.” * * *
  • “Over the past couple decades Mandia’s crafted a series of five questions designed to help executives and board members test their confidence in a CISO’s ability to excel in their job.
  • “The questions on Mandia’s CISO confidence test include:
    • How would you break into us? What is our weak spot?
    • What is our worst-case scenario?
    • What would you do if the worst-case scenario occurred?
    • How resilient are we? How long would it take to recover our systems and applications?
    • What do you need?
  • “Mandia, who now serves in a strategic security advisor role at Google Cloud, said CEOs should focus on their CISO’s response to these questions as a measure of their demeanor.
  • “I tell CEOs, you don’t even care what the answer is to these questions as long as your CISO actually has one, because at least that means you have the mindset,” Mandia said.”

• Health Tech offers five steps to follow after a breach.

• Per Bleeping Computer,
  • “Microsoft announced today that Hotpatching is now available in public preview for Windows Server 2025, allowing installation of security updates without restarting.
  • “Hotpatching deploys Windows security updates without requiring a reboot by patching the in-memory code of running processes without restarting them after each installation.
  • “Among the benefits of Windows Hotpatching, Redmond highlights faster installs and reduced resource usage, lower workload impact because of fewer reboots over time, and improved security protection because it reduces the time exposed to security risks.
  • “Instead of 12 mandatory reboots a year on ‘Patch Tuesday,’ you’ll now only have quarterly scheduled reboots (with the rare possibility of reboots being required in a nominal Hotpatch month),” said Windows Server Director of Product Hari Pulapaka on Friday [September 20].”