Cybersecurity Saturday
From the cybersecurity policy front,
- Cybersecurity Dive lets us know,
- “Microsoft President Brad Smith promised to move forward with significant culture changes at the tech giant as the company accepted full responsibility for its security failures, he said in testimony Thursday [June 13] before the House Committee on Homeland Security.
- “Smith, who also serves as vice chair, testified before lawmakers Thursday in response to a blistering report from the U.S. Cyber Safety Review Board that analyzed Microsoft’s security culture following the summer 2023 hack of Microsoft Exchange Online by a state-linked threat group.
- “Smith was asked repeatedly during the hearing about whether Microsoft is changing its culture to encourage workers to speak up about security concerns.
- “We want a culture that encourages every employee to look for problems, find problems, report problems, help fix problems and then learn from the problems,” Smith said during questioning.”
- Cyberscoop tells us,
- “A congressional watchdog is sending a reminder to the White House that it has a long laundry list of cybersecurity regulations to address as the 2024 election draws near.
- “The Government Accountability Office is breaking biennial tradition with the latest update to its “high-risk list,” a term the watchdog uses to denote areas that are “vulnerable to waste, fraud, abuse, or mismanagement, or in need of transformation.”
- “Cybersecurity has been on the GAO’s high-risk list since 1997, Sarah Kaczmarek, acting managing director for GAO’s Office of Public Affairs, said during a call with reporters this week. * * *
- “The more than 80-page report goes over four main areas: establishing a comprehensive cybersecurity strategy with effective oversight, securing federal systems and information, protecting critical infrastructure and protecting privacy and sensitive data.
- “The White House has yet to implement 567 out of 1,610 cybersecurity-related recommendations the government watchdog has issued since 2010, according to the report.
- “A lot of them are really, really critical to securing the cybersecurity of our nation,” said Marisol Cruz Cain, director of information technology and cybersecurity at the GAO.”
- Federal News Network adds,
- “The number of cybersecurity incidents in 2023 grew by almost 10%. Agencies reported more than 32,000 cyber incidents to the Cybersecurity and Infrastructure Security Agency in fiscal 2023. The latest Federal Information Security Modernization Act (FISMA) report to Congress from the Office of Management and Budget showed an increase from more than 29,000 cyber incidents from the year before. Of those 32,000 incidents, 38% — or more than 12,000 — were due to improper usage, which means someone violated an agency’s acceptable use policy. The second biggest attack vector, once again, was email phishing, which saw more than a 50% increase in 2023 as compared to 2022. The good news, OMB said, is 99% of all incidents in 2023 were considered “unsubstantiated or inconsequential event[s].”(Most cyber events in 2023 were ‘unsubstantiated or inconsequential,’ OMB says – White House)”
- Per a Cybersecurity and Infrastructure Security Agency (CISA) press release,
- “Yesterday [June 13], the Cybersecurity and Infrastructure Security Agency (CISA) conducted the federal government’s inaugural tabletop exercise with the private sector focused on effective and coordinated responses to artificial intelligence (AI) security incidents. This exercise brought together more than 50 AI experts from government agencies and industry partners at the Microsoft Corp. facility in Reston, Virginia.
- “The four-hour exercise was led by the Joint Cyber Defense Collaborative (JCDC), a public-private partnership model established by CISA to undertake joint planning efforts and drive operational collaboration. This exercise simulated a cybersecurity incident involving an AI-enabled system and participants worked through operational collaboration and information sharing protocols for incident response across the represented organizations. CISA Director Jen Easterly and FBI Cyber Division Deputy Assistant Director Brett Leatherman delivered opening and closing remarks, respectively, emphasizing the need for advancing robust operational structures to address existing and potential security threats, while prioritizing secure-by-design AI development and deployment.
- “This tabletop exercise is supporting the development of an AI Security Incident Collaboration Playbook spearheaded by JCDC.AI, a dedicated planning effort within JCDC focused on building an operational community of AI providers, AI security vendors, and other critical infrastructure owners/operators to address risks, threats, vulnerabilities, and mitigations concerning AI-enabled systems in national critical infrastructure. The playbook, slated for publication by year-end, will facilitate AI security incident response coordination efforts among government, industry, and global partners.”
From the cybersecurity vulnerabilities and breaches front,
- Modern Healthcare informs us,
- “Ascension said Friday it has restored access across all markets to the core system for electronic health records and patient portals after a cyberattack.
- “Patients should see a smoother process for scheduling appointments and filling prescriptions, plus improved wait times, Ascension said in a news release. Some information may be temporarily inaccessible as the system updates medical records collected in the last month, according to the health system. * * *
- “Ascension did not provide further details on what additional systems still need to be restored and the expected timeline for restoration. Ascension set a June 14 deadline for restoring electronic medical records.”
- Cybersecurity Dive adds,
- “Personally identifiable and protected health information may have been exposed during a cyberattack at Ascension last month, the Catholic health system said Wednesday.
- “Hackers were able to take files from seven servers used by Ascension for routine tasks. The provider said it has about 25,000 servers across its network.
- “The attackers gained access to Ascension systems after a worker accidentally downloaded a malicious file, according to the health system.”
- HHS’s Health Sector Cybersecurity Coordination Center released its May 2024 report on vulnerabilities of interest to the health sector.
- CISA added the following known exploited vulnerabilities to its catalog last week
- June 12, 2024
- CVE-2024-4610 ARM Mali GPU Kernel Driver Use-After-Free Vulnerability
- CVE-2024-4577 PHP-CGI OS Command Injection Vulnerability
- June 13, 2024
- CVE-2024-32896 Android Pixel Privilege Escalation Vulnerability
- CVE-2024-26169 Microsoft Windows Error Reporting Service Improper Privilege Management Vulnerability
- CVE-2024-4358 Progress Telerik Report Server Authentication Bypass by Spoofing Vulnerability
- June 12, 2024
- Bleeping Computer adds,
- “The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity Windows vulnerability abused in ransomware attacks as a zero-day to its catalog of actively exploited security bugs [on June 13].
- “Tracked as CVE-2024-26169, this security flaw is caused by an improper privilege management weakness in the Windows Error Reporting service. Successful exploitation lets local attackers gain SYSTEM permissions in low-complexity attacks that don’t require user interaction.
- “Microsoft addressed the vulnerability on March 12, 2024, during its monthly Patch Tuesday updates. However, the company has yet to update its security advisory to tag the vulnerability as exploited in attacks.”
- CISA further warns the public,
- “Impersonation scams are on the rise and often use the names and titles of government employees. The Cybersecurity and Infrastructure Security Agency (CISA) is aware of recent impersonation scammers claiming to represent the agency. As a reminder, CISA staff will never contact you with a request to wire money, cash, cryptocurrency, or use gift cards and will never instruct you to keep the discussion secret.
- “If you suspect you are a target of an impersonation scammer claiming to be a CISA employee:
- Do not pay the caller.
- Take note of the phone number calling you.
- Hang up immediately.
- Validate the contact by calling CISA at (844) SAY-CISA (844-729-2472) or report it to law enforcement.
- Per Cybersecurity Dive,
- “More than 100 Snowflake customers are caught in a widespread identity-based attack spree targeting the cloud-based data warehouse vendor’s customers, Mandiant said Monday in a threat intelligence report. The attacks were not caused by a breach of Snowflake’s systems, Mandiant said.
- “Since at least April 2024, UNC5537 has leveraged stolen credentials to access over 100 Snowflake customer tenants,” Mandiant Consulting CTO Charles Carmakal said Monday in a prepared statement. “The threat actor systematically compromised customer tenants, downloaded data, extorted victims and advertised victim data for sale on cybercriminal forums.”
- “Snowflake first disclosed the attacks on May 30 and said it first became aware of the malicious activity on May 23. Snowflake was not immediately available to comment on Mandiant’s research. Mandiant and CrowdStrike are assisting Snowflake with an ongoing investigation.”
- and
- “Researchers on Friday [June 14] warned a critical vulnerability in the PHP programming language is under increased exploitation activity, as the TellYouThePass ransomware group is targeting vulnerable sites, according to a blog post from Censys.
- “The vulnerability, listed as CVE-2024-4577, has been under attack from the threat group since at least June 7, with about 1,000 infected hosts observed as of Thursday — they are mainly located in China. The number of observed infections is down from about 1,800 as of June 10.
- “The Cybersecurity and Infrastructure Security Agency added CVE-2024-4577 to its known exploited vulnerabilities catalog on Wednesday. [June 12]”
From the cybersecurity defenses front,
- Health IT Security reports,
- “Microsoft and Google have pledged to help rural hospitals prevent cyberattacks by offering free or discounted cybersecurity resources. The commitment from the tech giants is part of a White House-led initiative to bolster cybersecurity in the healthcare sector.”
- “According to an announcement from the White House, Microsoft will extend its nonprofit program to provide grants to independent critical access hospitals and rural emergency hospitals. For these types of hospitals, the company will also offer a 75% discount on security products optimized for smaller organizations. Larger rural hospitals already using eligible Microsoft solutions will receive the company’s “most advanced security suite at no additional cost for one year.”
- “The White House also said Microsoft will offer free cybersecurity assessments by technology security providers and free training for frontline and IT staff at eligible rural hospitals. The company also pledged to extend security updates for Windows 10 to participating hospitals for one year at no cost.”
- Here’s a link to Dark Reading’s CISO corner.
- Here ares links to an ISACA Blog article titled “Managing AI’s Transformative Impact on Business Strategy & Governance: Strategies for CISOs,” and a Tech Target article titled “How to craft a responsible generative AI strategy.”