From the cybersecurity policy front,

• FedScoop tells us,
  • “A new bipartisan House bill aims to bolster the U.S. cybersecurity workforce by creating two training programs within the federal government, building on companion legislation introduced in the Senate earlier this year.
  • “The Federal Cybersecurity Workforce Expansion Act, co-sponsored by Reps. Chrissy Houlahan, D-Pa., and Mike Gallagher, R-Wis., would establish a cybersecurity registered apprenticeship program in the Cybersecurity and Infrastructure Security Agency and a Department of Veterans Affairs pilot program that would provide cybersecurity training to veterans.

• The Cybersecurity and Infrastructure Security Agency (“CISA”) announced,
  • “In the fast-paced world of cybersecurity, staying ahead of threats is essential. And while security is without a doubt a priority for businesses of all sizes, it is easy to feel overwhelmed by all the information available. At CISA, we have been diligently developing a solution aimed at simplifying the way our partners and potential collaborators understand their cyber risk and prioritize their investments, ensuring they can quickly navigate this complexity with ease. Our focus has been on making the process of working with us more intuitive and user-friendly so that every organization can spend more time meeting business goals and less time sifting through cybersecurity resources. We believe this approach will be especially helpful for smaller to medium sized stakeholders with fewer resources, who need help prioritizing actions to help them to reduce the likelihood and impact of damaging intrusions.
  • “In early 2024, we look forward to launching a new way for organizations to understand their cyber risk and receive targeted, straightforward guidance built around our Cybersecurity Performance Goals. This new tool is called ReadySetCyber. While we’re not quite ready to unveil all the details just yet, we are excited to share a glimpse of what’s on the horizon.”
  • That glimpse is available here.

• The Wall Street Journal reports,
  • “A cyberattack that disrupts everyday life in the U.S. will likely cost more than the insurance industry can afford to cover, requiring government intervention, insurers and brokers said.
  • “The idea of a federal backstop to help insurers cope in the event of a catastrophic cyberattack has been examined by the government in recent years, but has gained momentum with tandem efforts at the Treasury Department, the Office of the National Cyber Director and the Cybersecurity and Infrastructure Security Agency over the past year. Government officials and the insurance industry plan to meet in April to work out exactly what such a program would look like.
  • “Federal support in the event of a catastrophic attack would undoubtedly be necessary, said John Keogh, president and chief operating officer of insurer Chubb.
  • “While the industry could absorb a major natural disaster, the effects of a cyberattack on a similar scale would quickly overwhelm its capacity to cover losses.”

From the cybersecurity vulnerabilities and breaches front,

• Cybersecurity Dive points out last Monday,
  • A cyberattack targeting Fidelity National Financial led to disruptions across its services, including title insurance and mortgage transactions, after it was forced to block access to certain systems, the company said last week in a filing with the Securities and Exchange Commission. 
  • An investigation showed an unauthorized third party gained access to some of its systems and stole certain credentials, the company said.
  • The threat group known as AlphV/BlackCat claimed responsibility for the attack, according to security researcher Dominic Alvieri.

• CISA added two more known exploited vulnerabilities to its catalog on November 30, 2023, and removed one on December 1, 2023.

From the ransomware front, here’s a link to the latest Bleeping Computer’s Week in Ransomware.

From the cybersecurity defenses front,

• Technopedia identifies the top nine cybersecurity trends for 2024.

• Cybersecurity Dive informs us,
  • “Technology like generative AI can address some key security challenges confronting organizations, but professionals that overemphasize those capabilities miss the fundamental need to put people and their unique talents first.
  • “Security is a people issue,” Amazon CSO Stephen Schmidt said Monday during a presentation at AWS re: Invent in Las Vegas. “Computers don’t attack each other. People are behind every single adversarial action that happens out there.”
  • “For Schmidt, winning in security is akin to playing chess — focusing on the board, how the pieces move and interact — while practicing psychology. Security professionals need to understand the human elements at play, including their own tendencies and opponents’ motivations.
  • “You’re not playing just one chess match,” Schmidt said. “You are playing dozens or hundreds of games at the same time, because you have a variety of adversaries with different motivations who are going after you.”
  • “This cybersecurity scrum can feel overwhelming, but many defenders view generative AI as an ally that can automate repetitive tasks. Cybersecurity vendors across the landscape have released security tools infused with the technology, and more are in the pipeline.”

• Tech Republic adds that Open AI first released ChatGPT on November 30, 2022. The site explains how the technology has evolved.

From the cybersecurity policy front,

• Cyberscoop reports,
  • “Former National Security Agency Executive Director Harry Coker is one step closer to being the next national cyber director after the Senate Homeland and Governmental Affairs Committee advanced his nomination Wednesday.
  • “Coker, also a former CIA officer, told the panel during the initial nomination hearing that he would plan on continuing the work of his potential predecessors.
  • “Coker’s nomination comes after the White House was criticized by experts and policy wonks for not nominating Kemba Walden, the current acting national cyber director, to the permanent role. The Washington Post reported that Walden’s personal debts were the White House’s rationale for declining to nominate her.
  • “Walden’s last day as the acting cyber chief is Friday, according to an ONCD spokesperson.”

• On November 14, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released
  • “its first Roadmap for Artificial Intelligence (AI), adding to the significant DHS and broader whole-of-government effort to ensure the secure development and implementation of artificial intelligence capabilities. DHS plays a critical role in ensuring AI safety and security nationwide.”its first Roadmap for Artificial Intelligence (AI), adding to the significant DHS and broader whole-of-government effort to ensure the secure development and implementation of artificial intelligence capabilities. DHS plays a critical role in ensuring AI safety and security nationwide.
  • “Last month, President Biden issued an Executive Order that directed DHS to promote the adoption of AI safety standards globally, protect U.S. networks and critical infrastructure, reduce the risks that AI can be used to create weapons of mass destruction, combat AI-related intellectual property theft, and help the United States attract and retain skilled talent, among other missions. As part of that effort, CISA’s roadmap outlines five strategic lines of effort for CISA that will drive concrete initiatives and outline CISA’s responsible approach to AI in cybersecurity.”

• Federal News Network observes,
  • “When federal government agencies were breached by Chinese hackers due to a Microsoft Azure vulnerability, the Cybersecurity and Infrastructure Security Agency released an advisory calling for the use of more enhanced monitoring tools to build resilience against increasingly sophisticated attacks. This latest advisory was further amplified by the National Cybersecurity Strategy, which reinforced the need to make the government’s critical infrastructure more resilient by modernizing federal networks.  
  • “Despite these measures, a recent study shows that only 26% of the public sector (compared to 40% of the private sector) have a formal approach to building resilience. Moreover, federal agencies whose mission-set centers on critical infrastructure, such as the Departments of Energy or Transportation, still face challenges to maintain legacy toolsin contrast to the public sector as a whole.   
  • “This is because federal agencies need more support to implement modern monitoring tools that help improve their threat detection and response. Without the proper technology in place to match the challenges of today’s threat landscape, it is difficult to remain resilient when faced with an attack. But how might an organization begin to achieve the resilience required for today’s cyber threats?  
  • “It starts with federal agencies prioritizing observability strategies. Despite its growing popularity, observability is a fresh concept – one that can be difficult to define and see as a path to resilience without first understanding its foundation. The roots of observability can simply be traced down to a collection of logs, metrics and traces by which monitoring systems can more proactively mitigate potential threats.”

From the cybersecurity vulnerability and breaches front,

• The HIPAA Journal offers its October 2023 Healthcare Data Breach Report.
  • “For the second consecutive month, the number of reported data breaches of 500 or more healthcare records has fallen, with October seeing the joint-lowest number of reported data breaches this year. After the 29.4% fall in reported data breaches from August to September, there was a further 16.7% reduction, with 40 data breaches reported by HIPAA-regulated entities in October – the opposite trend to what was observed in 2022, when data breaches increased from 49 in August 2022 to 71 breaches in October 2022. October’s total of 40 breaches is well below the 12-month average of 54 breaches per month (median:52 breaches).”

• Federal News Network reports,
  • “The Office of Personnel Management faces a tight deadline to set up a new health insurance marketplace for Postal Service employees and retirees to enroll in new plans, starting next year.
  • “Now OPM is addressing watchdog concerns about whether the IT infrastructure supporting this new USPS marketplace is following federal cybersecurity requirements.
  • “OPM’s Office of Inspector General, in a flash audit released Friday, raised concerns about the cybersecurity steps OPM took before launching the IT systems that will run the Postal Service Health Benefits (PSHB) Program. * * *
  • “The IG report focuses on the steps OPM took to launch Carrier Connect, a system OPM uses to communicate and share data with health care providers. [FEHBLog note — FFF presumably refers to sharing data with FEHB plans.]
  • “According to the report, OPM officials acknowledged the agency started the assessment and authorization process too late in the security development lifecycle — in the summer of 2023 — and knew they would have to launch Carrier Connect under a provisional authority to operate (ATO).
  • “IT security was not integrated at the beginning, and as a result, many of the required elements of an authorization to operate (ATO) package were not completed before the system was authorized to operate and placed into production,” the IG report states.”

• HHS’s health sector Cybersecurity Coordination Center (HC3) posted a PowerPoint presentation about Emotet malware, which HC3 describes as “the enduring and persistent threat to the health sector.”

• This week, CISA added six known exploited vulnerabilities to its catalog on November 13, then another three on November 14, and then finally another three on November 16.

• Get a load of this Dark Reading article.
  • “The ransomware group ALPHV (aka “BlackCat”) has filed a formal complaint with the US Securities and Exchange Commission (SEC), alleging that a recent victim failed to comply with new disclosure regulations. * * *
  • “Putting aside the sheer audacity of the move, ALPHV may be out of luck with the SEC for two reasons.
  • “For one thing, in a statement provided to BleepingComputer on Wednesday, MeridianLink stated that it wasn’t yet sure if any consumer personal information was compromised, adding that “based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption.” Exactly what data ALPHV stole and published may affect whether the breach is “material,” per SEC language.
  • “Second, as noted in its original press release, the new SEC disclosure rule only takes effect on Dec. 18. (Smaller companies will have even more leeway, with an extra 180 days before they have to get on board).
  • “Future victims of similar attacks will have fewer breaks to count on.
  • “Using the threat of filing a ‘failure to report’ complaint against its own victim to the SEC is a compelling tactic that could weaponize a government regulation for a cybercriminal group’s benefit,” Tiquet warns. “Disciplinary action from the SEC is not to be taken lightly and fines can be very steep.”

From the ransomware front

• Cybersecurity Dive reports,
  • “The group of threat actors claiming responsibility for major attacks against MGM Resorts, Caesars Entertainment and Clorox is composed of experts in social engineering, and federal cyber authorities are prodding more victims to come forward.
  • “Scattered Spider, which deploys AlphV ransomware in some of its attacks, uses multiple techniques and tools to gain remote access or bypass multifactor authentication, federal cyber authorities warned in a Thursday advisory.
  • “The FBI and Cybersecurity and Infrastructure Security Agency shared technical details and data gleaned from investigations as recently as this month to help organizations thwart and mitigate attacks. Yet, officials say more information is needed, as a lack of reporting hinders law enforcement’s ability to take action.
  • “Scattered Spider’s high level of activity underscores the importance of prevention and the need for more victim organizations to report cyberattacks to CISA or the FBI, agency officials said.”

• The American Hospital Association News adds,
  • “Scattered Spider’s sophisticated technical cyberattacks begin with sophisticated psychological attacks,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “Scattered Spider employs social engineering techniques to deceive end users into providing their credentials, authentication codes or downloading ‘help desk’ tools on their computers that allow the adversary to gain and maintain persistent access to computer networks. Staff should be advised of help desk verification protocols and that help desk personnel should not be asking staff to divulge their credentials or multi-factor authentication codes. Conversely, the help desk should enhance its verification protocols and challenge questions to ensure they do not improperly reset staff credentials and to help staff distinguish valid help desk interaction from social engineering attempts.

• On November 15, 2023, CISA issued a #StopRansomware Advisory regarding Rhysida Ransomware.

• On November 13, 2023, CISA posted an update to its Royal Ransomware Advisory.
  • “The updated advisory provides network defenders with additional information on tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Royal ransomware variants. FBI investigations identified these TTPs and IOCs as recently as June 2023.”

• Bleeping Computer’s The Week in Ransomware is back this week.

From the cybersecurity defenses front,

• On November 17, CISA posted “the Mitigation Guide: Healthcare and Public Health (HPH) Sector as a supplemental companion to the HPH Cyber Risk Summary, published July 19, 2023. This guide provides defensive mitigation strategy recommendations and best practices to combat pervasive cyber threats affecting this critical infrastructure sector. It also identifies known vulnerabilities for organizations to assess their networks and minimize risks before intrusions occur.”

• Forta tells us about Amazon Web Services’ Six Pillars of Cybersecurity.

• Dark Reading explains how to build a resilient incident response team.

From the cybersecurity policy front,

• The FAR Council extended the public comment deadline for its October 3, 2023, proposed cybersecurity rules from December 4, 2023, to February 2, 2024. The FEHBlog noticed that the proposed rules (cited in the link) would be added to FAR Part 39 captioned “Acquisition of Information Technology.” In contrast, the FAR cybersecurity rules already found in the FEHB contract are found in FAR Part 4, captioned “Administrative and Information Matters.” For this reason, the FEHBlog has formed the opinion that these rules would not apply to FEHB plan contracts. In any event, the OPM FEHB contracts already include requirements for reporting data breaches and cyber incidents (Section 1.37).

• Health IT Security tells us,
  • “HITRUST issued a response to the White House’s request for information (RFI) on the harmonization of cybersecurity regulations, suggesting that regulation alone is not a fix to the ongoing cyber challenges that critical infrastructure entities face.
  • “Rather, HITRUST recommended a shift away from further regulations in favor of a renewed focus on accountability and reciprocity within existing standards. Additionally, HITRUST emphasized the importance of reliable cybersecurity assessments and assurances.”
• and
  • “The HHS Office for Civil Rights (OCR) released an educational video to help covered entities understand how the HIPAA Security Rule can help them defend against cyberattacks. The video was produced in recognition of National Cybersecurity Month.
  • “Hosted by Nick Heesters, senior advisor for cybersecurity at OCR, the 43-minute video explores cyberattack trends gleaned from OCR breach reports and discusses how Security Rule compliance can help covered entities combat these threats.”

• Cyberscoop informs us,
  • “The White House announced a long-awaited executive order on Monday that attempts to mitigate the security risks of artificial intelligence while harnessing the potential benefits of the technology. 
  • “Coming nearly a year after the release of ChatGPT — the viral chatbot that captured public attention and kicked off the current wave of AI frenzy — Monday’s executive order aims to walk a fine line between over-regulating a new and potentially groundbreaking technology and addressing its risks.
  • “The order directs leading AI labs to notify the U.S. government of training runs that produce models with potential national security risks, instructs the National Institutes of Standards and Technology to develop frameworks for how to adversarially test AI models, and establishes an initiative to harness AI to automatically find and fix software vulnerabilities, among other measures. 
  • “Addressing questions of privacy, fairness and existential risks associated with AI models, Monday’s order is a sweeping attempt to lay the groundwork for a regulatory regime at a time when policymakers around the world are scrambling to write rules for AI. A White House fact sheet describes the order as containing “the most sweeping actions ever taken to protect Americans from the potential risks of AI systems.”

From the cyber vulnerabilities and breaches front,

• Per Cybersecurity Dive,
  • “The Securities and Exchange Commission charged SolarWinds and its CISO Timothy Brown with fraud and internal control failures for allegedly misleading investors about its cybersecurity practices leading up to the Sunburst attack discovered in December 2020. 
  • “The SEC on Monday [October 29] alleged the company overstated its cybersecurity practices and failed to disclose known risks from October 2018, when the company went public, up to at least the Sunburst attack. 
  • “Public statements from the company contradicted internal assessments, including a 2018 assessment by a company engineer, shared with Brown and others, showing the company’s remote access setup was “not very secure,” the SEC complaint said.
  • “SEC officials allege SolarWinds and Brown ignored repeated red flag warning signs that put the company’s cybersecurity at risk. 

• Security Week offers industry reaction to the lawsuit.
  • “It remains to be seen how the lawsuit against the SolarWinds CISO will unfold and what implications it will have for the cybersecurity industry as a whole. Regardless of the outcome, it serves as a stark reminder that the role of CISOs is continually evolving, and they must navigate a complex landscape of legal and regulatory challenges.”

• HHS’s Heath Sector Cybersecurity Coordination Center (HC3) issued its October vulnerability bulletin.
  • “In October 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for October are from Microsoft, Google/Android, Apple, Mozilla, Cisco, SAP, VMWare, Adobe, Fortinet, Atlassian, SolarWinds, NextGen Healthcare, and F5. A vulnerability is given the classification as a zero-day when it is actively exploited with no fix available or if it is publicly disclosed. HC3 recommends patching all vulnerabilities, with special consideration to the risk management posture of the organization.”

• Cyberscoop points out
  • “The exploitation of zero-day vulnerabilities is on the rise globally and directly impacting federal agencies, part of what a senior Cybersecurity and Infrastructure Security Agency official called a “very eventful past six months” in the cyber threat landscape.
  • “Michael Duffy, the associate director for capacity building within CISA’s cybersecurity division, said that in the past month or so, the agency has seen “a really high increase in zero-day activity, exploits that we’re seeing across the globe, really affecting the federal government networks throughout the federal government.”
  • “Duffy’s comments, made during a cybersecurity governance panel this week at ACT-IAC’s Imagine Nation ELC conference in Hershey, Pa., come following a notable decline in so-called in-the-wild zero days last year. According to a July report from Google’s Threat Analysis Group, 41 zero days were detected and disclosed in 2022, down from 69 in 2021.
  • “Despite the decline, the number of zero-day exploits observed in the wild remained the second-highest number since TAG started tracking such exploits in 2014. U.S. government officials recently have described a tendency toward growing sophistication in the state-backed hacking campaigns, one hallmark of which is the use of the previously unknown vulnerabilities known as zero days.”  

• The Cybersecurity and Infrastructure added two known exploited vulnerabilities to its catalog on Tuesday, October 31, and another on Thursday, November 2.

From the ransomware front,

• Health IT Security reports,
  • “The International Counter Ransomware Initiative (CRI) held its third summit in Washington, DC, with representatives from 50 countries joining together to build upon counter-ransomware projects and announce new focus areas. Among the commitments announced, at least 40 of the member countries agreed not to pay ransoms to cybercriminals, Reuters first reported.
  • “As long as there is money flowing to ransomware criminals, this is a problem that will continue to grow,” said Anne Neuberger, US deputy national security adviser for cyber and emerging technology in the Biden Administration. [see The Week in Ransomware’s observation below.]
  • “The Federal Bureau of Investigation (FBI) has long encouraged ransomware victims to avoid paying the ransom when faced with a ransomware attack. Paying the ransom can embolden cybercriminals to continue targeting other victims and does not guarantee the safe return of data. * * *
  • “In addition to the pledge, CRI members continued to expand upon the commitments they made at last year’s summit. Key deliverables at the 2023 summit were centered around “developing capabilities to disrupt attackers and the infrastructure they use to conduct their attacks, improving cybersecurity through sharing information, and fighting back against ransomware actors,” the White House noted in a press release.”
• and
  • “The HHS Office for Civil Rights (OCR) announced a $100,000 settlement to resolve a data breach investigation with Doctors’ Management Services, a Massachusetts-based medical management company and healthcare business associate that suffered a ransomware attack in 2018. The settlement marks the first-ever ransomware agreement that OCR has reached.
  • “In April 2019, Doctors’ Management Services filed a breach report with HHS, acknowledging that 206,695 individuals were impacted by a cyberattack carried out by GandCrab ransomware actors. Although the report was filed in 2019, the initial intrusion occurred in 2017. Doctors’ Management Services only detected the breach in December 2018, when ransomware was used to encrypt its files.”

• HC3 released an analyst note about 8Base ransomware.
  • A recent attack on a U.S.-based medical facility in October 2023 highlights the potential threat of the ransomware gang, 8Base, to the Healthcare and Public Health (HPH) sector. Active since March 2022, 8Base became highly active in the summer of 2023, focusing their indiscriminate targeting on multiple sectors, primarily across the United States.
  • This surge in operational activity included the group’s engagement in double extortion tactics as an affiliate of Ransomware-as-a-Service (RaaS) groups against mostly small- to medium-sized companies.
  • While similarities exist between 8Base and other ransomware gangs, the group’s identity, methods, and motivations remain largely unknown. What follows is an overview of the group, possible connections to other threat actors, an analysis of their ransomware attacks, their target industries and victim countries, impacts to the HPH sector, MITRE ATT&CK techniques, indicators of compromise, and recommended defenses and mitigations against the group.

• Of course, here’s a link to Bleeping Computer’s The Week in Ransomware.
  • “Due to the increasing number of attacks, an alliance of 40 countries will sign a pledge during the third annual International Counter-Ransomware Initiative summit in Washington, D.C., to stop paying the ransom demanded.
  • “However, this may be an empty pledge, as federal governments typically do not pay ransomware demands, and it does not prevent local governments from giving into extortion demands. * * *
  • “[N]ew research was released this week about ransomware, including:
    • A report on GhostSec, who is now using a ransomware encryptor in attacks.
    • Threat actors are exploiting Apache ActiveMQ flaws to deploy HelloKitty ransomware.
    • Sophos walked us through a step-by-step MoneyMessage attack.
    • A new BiBi-Linux wiper was spotted used in attacks on Israeli orgs.
    • Finally, we released a report on the new Hunters International ransomware gang, which is believed to be a rebrand of Hive.

From the cybersecurity defenses front,

• Per Cybersecurity Dive,
  • “Microsoft is overhauling its cybersecurity strategy, called the Secure Future Initiative, to incorporate key security features into its core set of technology platforms and cloud services. 
  • “The plan follows a massive government and industry backlash to Microsoft after the state-linked email theft from the U.S. State Department. Microsoft came under fierce criticism from key members of Congress and federal officials who were concerned that the company was forcing federal agencies to rely on software products that lacked the necessary security features to protect against sophisticated attackers. 
  • “The pushback related to the State Department case was that Microsoft was upcharging customers for additional, important security features. 
  • “Microsoft plans to enable secure default settings out of the box, so customers will not have to engage with multiple configurations to make sure a product is protected against hackers. 
  • For example, Microsoft will implement Azure baseline controls, which include 99 controls across nine security domains by default. 

• Dark Reading offers articles about tailored ransomware readiness assessments and the need for the IT team to collaborate with the security team.

• An ISACA expert explains how to craft a corporate generative AI policy.

• The Wall Street Journal reports,
  • “Economic uncertainty continues to chip away at corporate cybersecurity. 
  • “Layoffs, budget cuts and general skimping are putting more pressure on cybersecurity teams, which, in some cases, are pausing hiring and technology investment.
  • “Because of the economic pressure, there are more questions being asked about backfills or head counts,” said Diego Souza, chief information security officer at engine and generator manufacturer Cummins.
  • “Of 14,865 cyber professionals asked, 47% said there had been some form of cutbacks in cybersecurity—layoffs, budget cuts, hiring or promotion freezes—in the past 12 months, according to a survey by trade group ISC2 in collaboration with Forrester Research. Of that group, 22% said there had been layoffs on their teams, while 53% saw delays in buying or implementing technology, according to the study published Tuesday [October 31].

From the cybersecurity policy front,

• The Cybersecurity and Infrastructure Security Agency and the Department of Health and Human Services held
  • “a roundtable discussion on the cybersecurity challenges that the U.S. healthcare and public health (HPH) sector system faces, and how government and industry can work together to close the gaps in resources and cyber capabilities. Ahead of the roundtable, CISA and HHS released a cybersecurity tool kit that includes resources tailored for the healthcare and public health sector. * * *
  • This toolkit is easy to navigate online at www.CISA.gov/healthcare and consolidates resources like:  
    • “CISA’s Cyber Hygiene Services, which use vulnerability scanning to help secure against known vulnerabilities, reduces the risk of cyberattacks and encourages the adoption of best practices.   
    • “HHS’s Health Industry Cybersecurity Practices, which was developed with industry, outlines effective cybersecurity practices healthcare organizations of all sizes can adopt to become more cyber resilient.  
    • “HHS and the HSCC’s HPH Sector Cybersecurity Framework Implementation Guide which helps organizations assess and improve their level of cyber resiliency and provide suggestions on how to link cybersecurity with their overall information security and privacy risk management activities.” 

• Cybersecurity Dive informs us,
  • “The Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued a request for comment on how to create a more harmonized system of software identification as part of a larger effort to make the software supply chain more secure. 
  • “Since President Joe Biden issued an executive order on improving cybersecurity in 2021, CISA and other federal agencies have been working to prioritize software security by improving vulnerability management and the use of software bill of materials (SBOMs). 
  • “The request for comment is designed to establish some uniform parameters to track critical information required to improve software security. Information on known vulnerabilities, what mitigations or security patches are available, and which software is approved for use are all part of the effort, according to a white paper released by CISA.” 

• The Wall Street Journal tells us,
  • “President Biden is expected to sign an executive order next week addressing rapid advances in artificial intelligence, laying the groundwork for Washington’s embrace of AI as a tool in the national security arsenal while also pressuring companies to develop the technology safely.
  • “The order, which hasn’t been finalized and was described by people briefed on its expected contents, is aimed at establishing guideposts for federal agencies’ own use of AI, while also leveraging the government’s purchasing power to steer companies to what it considers best practices. 
  • “The White House began inviting people this week to an event on “safe, secure and trustworthy AI,” according to people familiar with the matter. A spokeswoman for the White House declined to comment.”

From the cybersecurity vulnerabilities and defenses front,

• Health Exec reports,
  • “A new report reveals there have been 480 healthcare data breaches in 2023 so far, with over 25% of Americans impacted. The estimated number of patients affected is 87 million this year so far, over double the 37 million in 2022. 
  • “The report comes from Atlas VPN, which utilized publicly available data from the U.S. Department of Health and Human Services (HHS), which keeps a running list of healthcare security incidents. Federal law requires data breaches that potentially leak more than 500 patient records to be reported to the HHS.  * * *
  • “The full report can be found here.”

• HHS’s Health Sector Cybersecurity Coordination Center issued three warnings this week. Here are the executive summaries:
  • AI-Augments Phishing — “Phishing has historically been a very successful means for cyberattackers of any motivation to compromise an organization and launch a full-fledged cyberattack to achieve their goals. Phishing attacks are frequently utilized, and this is especially true with regard to the health sector. The two most common cyberattacks targeting the health sector are ransomware and data breaches. (And usually both together!)
  • “These attacks often begin with a successful phishing attack. The advent of artificial intelligence has only made phishing attempts more effective, especially since those tools are freely available to the public.
  • In this paper, we provide a brief overview of basic artificial intelligence concepts, phishing attacks, and the application of artificial intelligence to phishing. We conclude with efforts that should be made to reduce the likeliness of all phishing attacks, including those that have been augmented by the use of artificial intelligence.”
• and
  • QR Code Based Phishing – Phishing – the use of phony e-mails to deliver malicious code – has historically been a successful means for cyber attackers to compromise victim organizations and launch full-fledged, multi-staged cyberattacks. Phishing attacks are frequently utilized as the first stage of an attack – the infection vector – and this is especially true for the health sector. A cyberattack that begins with phishing often ends with ransomware and/or a major healthcare data breach.
  • Quick response (QR) codes were designed to quickly read and transmit legitimate data but have become increasingly abused as part of phishing attacks, called “quishing”.
  • In this paper, we provide a brief overview of QR codes, phishing attacks, and the application of both of these to cyberattacks on the health sector. We conclude this analysis with recommended defense and mitigation actions to reduce the likeliness and effectiveness of phishing attacks, including those augmented by the use of QR codes.
• and
  • SolarWinds has published security fixes for their Access Rights Manager (ARM). This update addressed eight vulnerabilities, with three of them being rated as critical (CVE-2023-35182, CVE-2023-35185, CVE-2023-35187) and can lead to remote code execution on the “SYSTEM” of a Windows computer. This could enable an attacker to operate with the highest level of privileges available on the machine. In early 2020, the SolarWinds Orion system was targeted by an attacker(s), which led to the supply chain compromise of up to 18,000 of its customers.
  • Due to the previous malicious targeting and wide use of SolarWinds, HC3 strongly encourages users to monitor and upgrade their systems to prevent serious damage from occurring to the Healthcare and Public Health (HPH) sector.

• CISA added one more known exploited vulnerability to its catalog on October 23 and another on October 26.

From the ransomware front,

• Cybersecurity Dive reports,
  • “The threat group behind some of the most high profile, identity-based cyberattacks this year is also “one of the most dangerous financial criminal groups” currently in operation, Microsoft researchers said in a Wednesday report.
  • “The group, which Microsoft identifies as Octo Tempest and other researchers identify as Oktapus, Scattered Spider and UNC3944, uses multiple forms of social engineering to gain access to organizations’ infrastructure, steal corporate data and extort victims for ransom payments, according to Microsoft Threat Intelligence.
  • “The collection of young, native English-speaking threat actors, which was initially observed in 2022 and affiliated with the ransomware-as-a-service operation ALPHV or BlackCat in mid-2023, has claimed responsibility for major attacks against MGM Resorts, Caesars Entertainment and Clorox in the past few months. * * *
  • “The threat actors engage in aggressive communications with victims, such as leaving threatening notes within a text file on a system, contacting executives via text messages and emails, and infiltrating communication channels being used by victims to respond to incidents,” Mandiant, a Google Cloud unit, said last month in a report on UNC3944.
  • “We’ve seen very young individuals break into some of the biggest organizations by leveraging these techniques that are so hard to defend against,” Mandiant Consulting CTO Charles Carmakal said during an April briefing.
  • “They are incredibly disruptive and aggressive,” Carmakal told Cybersecurity Dive via email last month following the MGM Resorts attack.”

• Here’s the link to the latest Bleeping Computer’s The Week in Ransomware.
  • “Ransomware attacks are increasing significantly, with reports indicating that last month was a record month for ransomware attacks in 2023.
  • “According to NCC Group data, ransomware groups launched 514 attacks in September, surpassing March 2023 activity, which included 459 attacks that were heavily skewed by Clop’s Fortra GoAnywhere data theft attacks.”

From the cybersecurity defenses front,

• CISA announced,
  • “A new release of Logging Made Easy, a Windows-based, free and open log management solution designed to help organizations more effectively use available security data to detect and address cyber threats.
  • “In April 2023, CISA assumed Logging Made Easy from the United Kingdom’s National Cyber Security Centre (UK-NCSC). Following a period of transition and enhancement, it is now available with step-by-step installation instructions for both legacy and new users.
  • “Logging is critical for proactive monitoring of threats and retroactive investigation and remediation in the event of an incident. Logging Made Easy is a tested and reliable solution that can help organizations with limited resources needing a centralized logging capability,” said Chad Poland, Product Manager for Cyber Shared Services. “CISA is excited to offer this shared service capability to U.S. and international organizations that can help them mitigate risk and identify vulnerabilities.” * * *
  • For more information, visit CISA’s new Logging Made Easy webpage.

• ISACA announced its “AI Survey Results: What Do Infosec Professionals REALLY Need to Know?”

• “The HSCC Cybersecurity Working Group has reprinted its Health Industry Cybersecurity – Securing Telehealth and Telemedicine (HIC-STAT) document.”