Beware of Card Skimming This Holiday Shopping Season

The number of reported card skimming incidents increased 20 percent during the first half of 2023 compared to the same period in 2022. More specifically, New Jersey is one of several states with the most significant increases in skimming incidents, with at least a 50 percent year-over-year increase in incidents occurring during the first half of 2023. Based on this trend, the upcoming holiday shopping season means increased card skimming opportunities for threat actors to capture and steal customer data and financial information through various digital and physical realms, such as stores, restaurants, gas stations, and ATMs. Threat actors continue to seek out better methods to conceal their attacks and evade various security measures. This stolen data has severe consequences for consumers and businesses, including loss in revenue, legal damages, compliance issues, cross-site contamination, identity theft, fraud, and subsequent malicious activity.
Magecart attacks are a type of web-based data skimming operation used to capture customer payment card data from the checkout pages of online stores. These attacks are accomplished by gaining access to the targeted website (either directly or through a supply chain attack), injecting malicious JavaScript code into the checkout page to skim the desired data, and sending the information to a threat actor-controlled server. Once payment card data is stolen, threat actors can use it to make fraudulent purchases or sell it on dark web or other marketplaces. These attacks continue to be prevalent, with a new campaign observed abusing 404 error pages and targeting many large organizations in the retail and food industries. Manipulating the website’s default 404 error page to hide malicious code is one of the more advanced obfuscation techniques seen to date and creates challenges for detection and mitigation. Similar to the recent uptick in Magecart attacks, the Kritec campaign is ramping up its activity in time for the holiday shopping season, based on the number of newly registered domain names attributed to the threat actor. In this skimming campaign, threat actors create convincing customized templates in local languages that make detection difficult.
Card skimming is not limited to online transactions. Threat actors can discreetly install small card-reading devices in point-of-sale (POS) terminals to steal card information. These devices can be installed at stores, restaurants, and gas stations. This past year, Walmart has been a frequent target of card skimming, at 16 different US locations. Also, skimming devices were found on two gas pumps at a Delaware BP gas station. Threat actors are also targeting ATMs, and the terminal types and locations of card compromises are shifting: non-bank ATMs at convenience stores and gas stations are becoming more prevalent targets than bank ATMs. In September 2023, skimming devices were discovered at an ATM inside a Wawa convenience store in Cinnaminson, NJ, and may have been installed for two months prior to their discovery.
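One defensive check for the Magecart technique described above, as an added example and not code from the original bulletin: a Python script that records the inline-script digests and permitted script hosts of a known-good checkout page and flags later deviations (a new external script host or an inline script that is not in the baseline). The hostnames and page contents are constructed; running the same audit against the site's 404 page covers the case where the skimmer is hidden there.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the checkout page may load scripts from (assumed allowlist).
ALLOWED_SCRIPT_HOSTS = {"shop.example.test", "cdn.example.test"}
class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from an HTML page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self.inline.append("")
    def handle_endtag(self, tag):
        if tag == "script": self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data
def sri_hash(body):
    """SRI-style sha256 digest of an inline script body (whitespace-trimmed)."""
    digest = hashlib.sha256(body.strip().encode()).digest()
    return "sha256-" + base64.b64encode(digest).decode()
def inline_baseline(html):
    """Record the digests of a known-good page's inline scripts."""
    p = ScriptCollector(); p.feed(html)
    return {sri_hash(b) for b in p.inline}
def audit_page(html, baseline, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Flag scripts from unlisted hosts (a relative src counts as unlisted) and inline scripts not in the baseline."""
    p = ScriptCollector(); p.feed(html)
    findings = [("unlisted-external-script", s) for s in p.external
                if (urlparse(s).hostname or "") not in allowed_hosts]
    findings += [("unknown-inline-script", sri_hash(b)) for b in p.inline
                 if sri_hash(b) not in baseline]
    return findings

# Constructed sample pages: the known-good checkout page and a tampered copy.
GOOD = ('<html><script src="https://cdn.example.test/checkout.js"></script>'
        '<script>initCheckout();</script></html>')
TAMPERED = GOOD.replace("</html>",
    '<script src="https://static.unlisted.test/loader.js"></script>'
    '<script>/* unexpected addition */ hookForm();</script></html>')
```

Calling audit_page(TAMPERED, inline_baseline(GOOD)) returns the two findings, while the known-good page returns none; feed the fetched 404 page to the same function with its own baseline.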

Risk-Based Approach to Vulnerability Prioritization

The Health Information Sharing and Analysis Center (Health-ISAC) has released a white paper on vulnerability management prioritization to provide insight into the different ways security teams can assess their organization’s level of risk against vulnerabilities while facing the challenge of addressing ongoing disclosures.
Network security teams are often encumbered by the ongoing release of vulnerabilities that are either publicly disclosed or identified as zero-days by vendors and security researchers. Each vulnerability’s severity and exploitability are associated with a Common Vulnerability Scoring System (CVSS) score and, often, with a Common Vulnerabilities and Exposures (CVE) number. This volume of information has proven cumbersome and, at times, can pose a conundrum for organizations concerning their vulnerability management capabilities.
The concept of prioritization in vulnerability management is significant as it helps to support effective mitigation and remediation strategies across different organizational capability levels. Prioritization and an organization’s capability level are closely aligned, as prioritization can help security teams communicate effectively with stakeholders, identify asset value, and develop remediation policies conducive to the continuity of business-critical systems. Prioritization is a process that spans all capability levels and allows security teams to properly allocate resources to address vulnerabilities whose severity exceeds the organization’s risk appetite.
The paper takes into consideration different factors that influence decisions in vulnerability management prioritization and provides comprehensive guidance on the application of well-known concepts used to maintain the confidentiality, integrity, and availability of enterprise systems.

StopRansomware: Royal Ransomware Update

This updated Joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are re-releasing this Joint Cybersecurity Advisory to add new TTPs, IOCs, and information related to Royal Ransomware activity.
Since September 2022, Royal has targeted over 350 known victims worldwide, and ransom demands have exceeded 275 million USD. Royal conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid. Phishing emails are among the most successful vectors for initial access by Royal threat actors. There are indications that Royal may be preparing for a re-branding effort and/or a spinoff variant. BlackSuit ransomware shares a number of identified coding characteristics with Royal. A previous Joint Cybersecurity Advisory for Royal ransomware was published on March 2, 2023. This joint advisory provides updated IOCs identified through FBI investigations.
FBI and CISA encourage organizations to implement the recommendations in the mitigations section of this Joint Cybersecurity Advisory to reduce the likelihood and impact of ransomware incidents.

Business Continuity in a Box

The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) and the Cybersecurity and Infrastructure Security Agency (CISA) have released Business Continuity in a Box. Business Continuity in a Box, developed by ACSC with contributions from CISA, assists organizations with swiftly and securely standing up critical business functions during or following a cyber incident.
Comprised of two core components—Continuity of Communications and Continuity of Applications—Business Continuity in a Box is designed for situations where the availability or integrity of an organization’s data and/or systems has been compromised. The core components focus on keeping communications flowing during an incident and establishing interim business-critical applications.
Business Continuity in a Box aligns with CISA’s goals for Critical Infrastructure Security and Resilience Month which aims to provide businesses of all sizes with free or low-cost resources and tools that aid in strengthening our national cybersecurity posture.

Microsoft Azure Virtual Training Day: AI Fundamentals

Explore core AI concepts at Azure Virtual Training Day: AI Fundamentals from Microsoft Learn. Join us for this free training event to learn how organizations use AI technology to solve real-world challenges and see how to build intelligent applications using Azure AI services. This training is suitable for anyone interested in AI solutions—including those in technical or business roles. You will have the opportunity to:
- Understand foundational AI concepts and real-world use cases.
- Get started using AI services on Azure and machine learning in Azure Machine Learning Studio.
- Identify common AI workloads and ways to use AI responsibly.
Join us at an upcoming event:
December 8, 2023 | 12:00 PM – 3:30 PM | (GMT-05:00) Eastern Time (US & Canada)


Delivery Language: English
Closed Captioning Language(s): English

NIST Extends Deadline for Input on Implementation of National Standards Strategy for Critical and Emerging Technology

The National Institute of Standards and Technology (NIST) is extending the period for submitting comments to support the development of an implementation plan for the United States Government National Standards Strategy for Critical and Emerging Technology (USG NSSCET) until Dec. 22, 2023.

Submit comments now via the Federal Register notice. 

“It is critical to our economy and national security that we have high quality standards for the critical and emerging technologies that will transform the way we live and work,” said Under Secretary of Commerce for Standards and Technology and NIST Director Laurie E. Locascio. “We are asking experts and stakeholders to share their best ideas for implementing a national strategy that will strengthen U.S. leadership and competitiveness in each of these sectors.”


Ransomware Actors Continue to Gain Access through Third Parties and Legitimate System Tools

This FBI Private Industry Notification (PIN) is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.
The FBI is releasing this PIN to highlight ransomware initial access trends and encourage organizations to implement the recommendations in the mitigations section to reduce the likelihood and impact of ransomware incidents.
As of July 2023, the FBI had noted several trends emerging or continuing across the ransomware environment and is releasing this notification for industry awareness. New trends include ransomware actors exploiting vulnerabilities in vendor-controlled remote access to casino servers, and companies being victimized through the abuse of legitimate system management tools to elevate network permissions.
This FBI PIN provides an overview of the threat and mitigation recommendations.

Comments Requested on Draft Updates to NICE Framework Task Statements

NICE is continuing to refine and clarify the Workforce Framework for Cybersecurity (NICE Framework) as a fundamental reference resource that is agile, flexible, modular, and interoperable. As such, we are pleased to announce that refactored Task statements are ready for your review and feedback! Proposed updates to the NICE Framework Task statements follow the principles set forth in the Task, Knowledge, Skill (TKS) Statements Authoring Guide for Workforce Frameworks. Updates include improvements for:
- Consistency: Statements follow a common structure that begins with the activity to be executed and focus on the work to be done (not the knowledge or skills needed to do that work).
- Clarity: Statements are clearly stated.
- Redundancy: Statements are unique and do not duplicate or unnecessarily overlap with others.
- Compound statements: Statements do not include more than one task.
Once the Task statement comments are received and adjudicated, NICE intends to release a full, updated set of TKS statements for use with the NICE Framework, including a mapping of the 2017 statements to this updated data set.
WE WANT TO HEAR FROM YOU!
Comments on the proposed updates to Task statements should be submitted by email to NICEFramework@nist.gov by 11:59 pm ET on January 29, 2024. Take action:
- Read the Task Statement Summary of Updates.
- Review the Refactored Task Statements (clicking the link downloads an XLSX file).
- Submit comments to NICEFramework@nist.gov by January 29th.
- Join the NICE Framework Users Group to join community discussions.
Visit the NICE Framework Resource Center for additional information.

BlackSuit Ransomware

The US Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) released this Analyst Note to provide awareness of BlackSuit ransomware.
A relatively new ransomware group and strain known as BlackSuit, with significant similarities to the Royal ransomware family, will likely be a credible threat to the Healthcare and Public Health (HPH) sector. Discovered in early May, BlackSuit’s striking parallels with Royal, the direct successor of the former notorious Russian-linked Conti operation, potentially place the group among the most active ransomware groups in operation today. Both Royal and the now-defunct Conti are known to have aggressively targeted the HPH sector, and if their purported ties to BlackSuit are verified, the sector will likely continue to be attacked heavily.
This HC3 Analyst Note provides an overview of the group, its possible connections to other threat actors, an analysis of its ransomware attacks, its target industries and victim countries, impacts to the HPH sector, MITRE ATT&CK techniques, indicators of compromise, and recommended defenses and mitigations, and is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.

NIST issues SP 800-53 Release 5.1.1 in Cybersecurity and Privacy Reference Tool

NIST has issued SP 800-53 Release 5.1.1 and SP 800-53A Release 5.1.1 in the Cybersecurity and Privacy Reference Tool (CPRT). This inaugural patch release includes minor grammatical edits and clarifications that do not impact the implementation or outcome of the controls, as well as one new control and three supporting control enhancements to address recent vulnerabilities related to identity and access management systems, and corresponding assessment procedures. A two-week, expedited public comment period on the new control and supporting control enhancements was held in October 2023 using the SP 800-53 Public Comment site. This release is available via the CPRT in JSON, spreadsheet, and in OSCAL formats.

This patch release marks the first time NIST has issued controls and assessment procedures in this way. NIST will use this approach to ensure that the catalog of security and privacy controls, assessment procedures, and control baselines stays up to date to address the evolving threat landscape while allowing for user feedback, review, and transparency in the development process.

Organizations that already use and implement SP 800-53r5 (Revision 5) have the option to defer implementing the changes in the patch release until SP 800-53 Release 6.0.0 is issued. Refer to the SP 800-53 Release 5.1.1 FAQ for more information.

Additional questions and comments can be directed to 800-53comments@list.nist.gov.

NIST Cybersecurity and Privacy Program
Questions/Comments about this notice: 800-53comments@list.nist.gov
CSRC Website questions: csrc-inquiry@nist.gov