8Base Ransomware

The US Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) released this Analyst Note to provide awareness of 8Base ransomware.
A recent attack on a US-based medical facility in October highlights the potential threat of the ransomware gang, 8Base, to the Healthcare and Public Health (HPH) sector. Active since March 2022, 8Base became highly active in the summer of 2023, focusing their indiscriminate targeting on multiple sectors primarily across the United States. This surge in operational activity included the group’s engagement in double extortion tactics as an affiliate of Ransomware-as-a-Service (RaaS) groups against mostly small to medium-sized companies. While similarities exist between 8Base and other ransomware gangs, the group’s identity, methods, and motivations remain largely unknown.
This HC3 Analyst Note provides an overview of the group, possible connections to other threat actors, an analysis of their ransomware attacks, their target industries and victim countries, impacts to the HPH sector, MITRE ATT&CK techniques, indicators of compromise, and recommended defenses and mitigations. It is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cyber criminals.

NIST Seeks Collaborators for Consortium Supporting Artificial Intelligence Safety

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) is calling for participants in a new consortium supporting development of innovative methods for evaluating artificial intelligence (AI) systems to improve the rapidly growing technology’s safety and trustworthiness. This consortium is a core element of the new NIST-led U.S. AI Safety Institute announced yesterday at the U.K.’s AI Safety Summit 2023, in which U.S. Secretary of Commerce Gina Raimondo participated.

The institute and its consortium are part of NIST’s response to the recently released Executive Order on Safe, Secure, and Trustworthy Development and Use of AI. The EO tasks NIST with a number of responsibilities, including development of a companion resource to the AI Risk Management Framework (AI RMF) focused on generative AI, guidance on authenticating content created by humans and watermarking AI-generated content, a new initiative to create guidance and benchmarks for evaluating and auditing AI capabilities, and creation of test environments for AI systems. NIST will rely heavily on engagement with industry and relevant stakeholders in carrying out these assignments. The new institute and consortium are central to those efforts.

Two Days Left to Register for the NIST Personal Identity Verification Webinar!

Two Days Left to Register for our NIST Webinar! Learn about Revisions to Two of our Identity Special Publications

Event Date: November 8, 2023

Time: 1:00 PM-2:30 PM ET

Description:

The National Institute of Standards and Technology (NIST) will be hosting a webinar to introduce two recently published Public Draft Special Publications (SPs): the 3-part Drafts of SP 800-73 Revision 5, Interfaces for Personal Identity Verification (PIV), and Draft SP 800-78 Revision 5, Cryptographic Algorithms and Key Sizes for Personal Identity Verification. These publications are complements to FIPS 201-3, which defines the requirements and characteristics of government-wide interoperable identity credentials used by federal employees and contractors.

The webinar will discuss the necessary changes made to the PIV card, its credentials, and cryptographic capability to align with FIPS 201-3. 

Full Agenda:

1:00 PM-1:05 PM – Introduction and Welcome

1:05 PM-1:15 PM – Introduction to the PIV Standard

1:15 PM-1:45 PM – Changes to Draft SP 800-73 Revision 5

1:45 PM-2:15 PM – Changes to Draft SP 800-78 Revision 5

2:15 PM-2:30 PM – Key Dates/Next Steps/Closing

Visit the event page to register and learn more about the webinar. If you have any questions, please reach out to our team at [email protected].


Guidance on Issuing VEX Information

The Cybersecurity and Infrastructure Security Agency (CISA) has published When to Issue Vulnerability Exploitability eXchange (VEX) Information, a guide to help strengthen software security and supply chain risk management. This guide explains the circumstances and events that could lead an entity to issue VEX information and describes the entities that create or consume VEX information.
Whether, and when, to issue VEX information is a business decision for most suppliers and possibly a more individual decision for independent open source developers. This document identifies factors that influence the decision.
VEX allows a software supplier or other parties to assert the exploitability status of specific vulnerabilities in a particular product or set of products. Issuing VEX information allows developers, suppliers, and others to state, in a format that is both human-readable and machine-readable, whether or not their software is affected by a specific vulnerability.
Widespread adoption of VEX is one of three critical steps CISA outlined for transforming and advancing the vulnerability management ecosystem. VEX also helps support secure-by-design practices and rewards organizations with proactive product security teams by streamlining responses to newly discovered risks.
For more information on this and other VEX resources, visit Software Bill of Materials (SBOM).
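As an added illustration of the consumer side of VEX (example code, not from the CISA guide), the following parses a constructed OpenVEX-style document, rejects statements a consumer cannot act on, and answers the question a vulnerability scanner needs answered: for this product and this CVE, did the supplier say anything, and does it still need action? The OpenVEX vocabulary, the placeholder CVE ids, purl and URLs are all assumptions.

```python
import json

# Status and not_affected justification vocabularies from the OpenVEX spec
# (assumption: the CISA guide itself does not prescribe a single VEX format).
STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
JUSTIFICATIONS = {"component_not_present", "vulnerable_code_not_present",
                  "vulnerable_code_not_in_execute_path", "inline_mitigations_already_exist",
                  "vulnerable_code_cannot_be_controlled_by_adversary"}
# Constructed VEX document: placeholder CVE ids, purl and URLs, not real data.
VEX_JSON = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/2023-0001",
    "author": "Example Supplier PSIRT",
    "timestamp": "2023-11-01T12:00:00Z",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-EXAMPLE-0001"},
         "products": [{"@id": "pkg:generic/example-app@2.4.1"}],
         "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-EXAMPLE-0002"},
         "products": [{"@id": "pkg:generic/example-app@2.4.1"}],
         "status": "affected", "action_statement": "Upgrade to 2.4.2."},
    ],
})

def validate(doc):
    """List statements a consumer cannot act on: unknown status, or unjustified not_affected."""
    errors = []
    for i, st in enumerate(doc.get("statements", [])):
        status = st.get("status")
        if status not in STATUSES:
            errors.append(f"statement {i}: unknown status {status!r}")
        elif status == "not_affected" and st.get("justification") not in JUSTIFICATIONS:
            errors.append(f"statement {i}: not_affected without a valid justification")
    return errors

def load_vex(text):
    """Parse a VEX document, refusing one whose statements fail validation."""
    doc = json.loads(text)
    if errors := validate(doc):
        raise ValueError("; ".join(errors))
    return doc

def triage(doc, product_id, cve):
    """Return (status, needs_action) for one product/vulnerability pair. Without a
    matching statement the supplier has said nothing, so the finding stays open."""
    for st in doc["statements"]:
        if st["vulnerability"]["name"] == cve and any(
                p["@id"] == product_id for p in st.get("products", [])):
            return st["status"], st["status"] in {"affected", "under_investigation"}
    return "no_statement", True
```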

Announcing Microsoft Applied Skills

Announcing Microsoft Applied Skills, a new verifiable credential that validates that you have the targeted skills needed to implement critical projects aligned to business goals and objectives. It offers you a new way to showcase your expertise in specific, real-world scenarios and verify technical skills that you—and your organization—need in real-time. We are thrilled to share this exciting news about Applied Skills credentials, and we look forward to sharing more news soon. Read the blog.

Mass Exploitation of Citrix NetScaler Vulnerability

A critical information disclosure vulnerability, known as “Citrix Bleed” and affecting Citrix NetScaler ADC/Gateway devices, is being actively exploited by threat actors. The vulnerability, tracked as CVE-2023-4966, is remotely exploitable and can allow threat actors to obtain valid session tokens from the memory of internet-facing NetScaler devices. The compromised tokens can be used to hijack active sessions, bypassing authentication, even multi-factor authentication (MFA), to gain unauthorized access.
Citrix initially addressed the vulnerability in a security advisory on October 10, and on October 17, researchers determined that threat actors had exploited the vulnerability since at least August 2023. A Python script to automate the attack chain has been distributed by a ransomware threat group, and attacks have become more widespread over the past several days.
Organizations are strongly advised to update impacted devices and ensure accounts and devices have not been compromised.
Initial indicators of compromise may include the downloading of executable files from a command-and-control server, running commands consistent with elevating privileges and network enumeration, and preparing files for exfiltration.
Organizations whose Citrix devices were compromised are advised to remove impacted devices from the network, terminate all active sessions, and remove any backdoors or web shells to ensure all threat actor access to the device has been disabled; simply updating the system is insufficient. Mandiant provides guidance on addressing Citrix NetScaler ADC and NetScaler Gateway vulnerabilities.
Affected Citrix devices include:
NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
NetScaler ADC 13.1-FIPS before 13.1-37.164
NetScaler ADC 12.1-FIPS before 12.1-55.300
NetScaler ADC 12.1-NDcPP before 12.1-55.300
Greynoise maintains a running list of malicious IP addresses involved in the recent exploitation of Citrix NetScaler devices, which could be useful for network defenders and forensic analysts.
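As an added check (example code, not part of the bulletin or Citrix's tooling), the Python below encodes the affected-version list above and classifies a device's reported version. The `NS13.1: Build 49.13.nc` form it accepts alongside `13.1-49.13` is the output format I assume for `show ns version`; a branch/variant combination the list does not name is reported as not_listed rather than guessed at, and the FIPS/NDcPP editions are kept separate because their fixed builds differ from the standard build on the same branch.

```python
import re

# Fixed builds taken from the bulletin's affected-version list, keyed by
# (branch, variant). A device on a listed branch/variant below the fixed build
# is in the affected range. Branch 12.1 without FIPS/NDcPP is not in the list,
# so it is reported as "not_listed" for manual verification, not assumed safe.
FIXED_BUILDS = {
    ("14.1", ""): "14.1-8.50",
    ("13.1", ""): "13.1-49.15",
    ("13.0", ""): "13.0-92.19",
    ("13.1", "FIPS"): "13.1-37.164",
    ("12.1", "FIPS"): "12.1-55.300",
    ("12.1", "NDcPP"): "12.1-55.300",
}

# Matches "13.1-49.13" and the assumed "NS13.1: Build 49.13.nc" CLI form.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\D+?(\d+)\.(\d+)")

def parse_version(text):
    """Return (branch, (build_major, build_minor)); raise if no version is present."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no NetScaler version found in {text!r}")
    major, minor, build_major, build_minor = (int(g) for g in m.groups())
    return f"{major}.{minor}", (build_major, build_minor)

def assess(version_text, variant=""):
    """Classify a device as 'vulnerable', 'fixed' or 'not_listed' for CVE-2023-4966.
    variant is '' for standard builds, 'FIPS' or 'NDcPP' for those editions."""
    branch, build = parse_version(version_text)
    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is None:
        return "not_listed"
    _, fixed_build = parse_version(fixed)
    # Tuple comparison orders builds numerically, so 8.50 sorts after 8.9.
    return "vulnerable" if build < fixed_build else "fixed"
```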

Department of Commerce to Undertake Key Responsibilities in Historic Artificial Intelligence Executive Order

Today, President Joseph R. Biden signed an Executive Order (EO) to build U.S. capacity to evaluate and mitigate the risks of Artificial Intelligence (AI) systems to ensure safety, security, and trust, while promoting an innovative, competitive AI ecosystem that supports workers and protects consumers. The U.S. Department of Commerce will play a key role in implementing the EO, combining sophisticated standards and evaluation capabilities with a robust combination of reporting requirements and voluntary measures. Specifically, the National Institute of Standards and Technology (NIST), the Bureau of Industry and Security (BIS), the National Telecommunications and Information Administration (NTIA), and the U.S. Patent and Trademark Office (USPTO) will be responsible for carrying out a significant portion of the EO’s objectives.

Learn more about NIST’s responsibilities.

NCCoE Releases Drafts for NIST SP 1800-36, Trusted IoT Onboarding (Vols. B, C, and E)

The NIST National Cybersecurity Center of Excellence (NCCoE) has released the second preliminary drafts of volumes B, C, and E for NIST Special Publication (SP) 1800-36, Trusted Internet of Things (IoT) Device Network-Layer Onboarding and Lifecycle Management. The public comment period for the drafts is open through December 15, 2023.

About the Project

Provisioning network credentials to IoT devices in an untrusted manner leaves networks vulnerable to having unauthorized IoT devices connect to them. It also leaves IoT devices vulnerable to being taken over by unauthorized networks. Instead, trusted, scalable, and automatic mechanisms are needed to safely manage IoT devices throughout their lifecycles, beginning with secure ways to provision devices with their network credentials—a process known as trusted network-layer onboarding. Trusted network-layer onboarding, in combination with additional device security capabilities such as device attestation, application-layer onboarding, secure lifecycle management, and device intent enforcement, could improve the security of networks and IoT devices.

This practice guide aims to demonstrate how organizations can protect both their IoT devices and their networks. The updated drafts of volumes B, C, and E describe advancements to the IoT onboarding functional implementations. To achieve this, the NCCoE is collaborating with product and service providers to produce example implementations of trusted network-layer onboarding and of capabilities that improve device and network security throughout the IoT-device lifecycle.

Submit Your Comments

The public comment period for draft vols. B, C, and E is open until 11:59 p.m. EST on Friday, December 15, 2023. The second preliminary drafts of vols. A and D released last month are also available for comment until 11:59 p.m. EST on Friday, November 10, 2023.

Visit the NCCoE IoT Onboarding project page for the draft publications and comment form.

Microsoft Azure Virtual Training Day: Digitally Transform with Modern Analytics

Create more business impact using proactive and predictive analytics at Azure Virtual Training Day: Digitally Transform with Modern Analytics from Microsoft Learn. Join us for this free training event to learn how to build an analytics solution using Azure Synapse Analytics. Maximize your organization’s intelligent decision-making capabilities and learn to build an end-to-end solution by preparing data for storage, processing, and analysis. You will have the opportunity to:
Create a data warehouse in the cloud.
Accelerate your big data engineering with Spark in Azure Synapse Analytics.
Build automated data integration with Azure Synapse Pipelines.
Learn to perform operation analytics with Azure Synapse Link.
Join us at an upcoming two-part event:
November 27, 2023 | 12:00 PM – 3:30 PM | (GMT-05:00) Eastern Time (US & Canada)
November 28, 2023 | 12:00 PM – 2:00 PM | (GMT-05:00) Eastern Time (US & Canada)

Delivery Language: English
Closed Captioning Language(s): English

Okta Breach

Last week, Okta, an identity and access management (IAM) service provider, identified adversarial activity that leveraged a stolen credential to access its support case management system. The threat actor was able to view sensitive HTTP Archive (HAR) files uploaded by a limited number of Okta customers as part of recent support cases. HAR files store the information exchanged between a web client and web server and can contain sensitive data such as authentication tokens, API keys, and session cookies. Okta’s support team typically requests that customers share these files when submitting a support ticket so that the Okta technician can replicate and troubleshoot the browser activity. Okta stated that all impacted customers were notified, which included BeyondTrust, Cloudflare, and 1Password. These organizations successfully terminated or blocked the malicious activity using a defense-in-depth approach.
Multi-factor authentication (MFA) continues to be targeted by threat actors. Last month, Okta revealed social engineering campaigns targeting US-based Okta customer organizations’ IT service desk personnel in attempts to reset MFA for high-privilege users. The threat actor leveraged the compromised Okta Super Admin accounts to abuse legitimate identity features and impersonate users within the compromised organization. Impacted organizations include MGM and Caesar’s Palace, ultimately affecting millions of patrons worldwide due to the subsequent ransomware attacks.
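The HAR exposure described above is avoidable on the customer side: strip credential-bearing fields before a capture leaves the organization. The sanitizer below is an added example (not Okta's tooling or guidance) that redacts authorization and cookie headers, all cookie values, token-like query parameters in both the parsed list and the raw URL, and request/response bodies from a HAR 1.2 document; the header set, the parameter-name pattern and the sample capture are constructed assumptions.

```python
import json
import re

# Header names whose values carry credentials (matched case-insensitively) and a
# pattern for query/body parameter names that usually carry tokens (assumed lists).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_PARAM_RE = re.compile(r"token|session|passw|secret|api[_-]?key|\bcode\b", re.I)
REDACTED = "[REDACTED]"

# Constructed HAR 1.2 excerpt with made-up values, not a real capture.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "POST", "url": "https://sso.example.invalid/token?code=AUTHCODE&state=xyz",
                "headers": [{"name": "Authorization", "value": "Bearer eyJ.constructed"},
                            {"name": "Accept", "value": "application/json"}],
                "cookies": [{"name": "sid", "value": "s3ss10n"}],
                "queryString": [{"name": "code", "value": "AUTHCODE"}, {"name": "state", "value": "xyz"}],
                "postData": {"mimeType": "application/x-www-form-urlencoded", "text": "client_secret=shh"}},
    "response": {"status": 200,
                 "headers": [{"name": "Set-Cookie", "value": "sid=n3w; HttpOnly"}],
                 "cookies": [{"name": "sid", "value": "n3w"}],
                 "content": {"mimeType": "application/json", "text": '{"access_token": "secret"}'}},
}]}}

def _scrub_pairs(pairs):
    """Redact the value of every header/query pair whose name is sensitive."""
    for p in pairs:
        name = p.get("name", "")
        if name.lower() in SENSITIVE_HEADERS or SENSITIVE_PARAM_RE.search(name):
            p["value"] = REDACTED

def sanitize_har(har):
    """Return a deep copy of a HAR document with credential-bearing fields redacted on
    both request and response sides. Bodies are redacted wholesale because token
    endpoints return credentials in JSON bodies; loosen only where the supplier needs them."""
    har = json.loads(json.dumps(har))  # deep copy so the caller's object is untouched
    for entry in har["log"]["entries"]:
        for side in ("request", "response"):
            msg = entry.get(side, {})
            _scrub_pairs(msg.get("headers", []))
            _scrub_pairs(msg.get("queryString", []))
            for cookie in msg.get("cookies", []):  # every cookie value is a session secret
                cookie["value"] = REDACTED
            if "text" in msg.get("postData", {}):
                msg["postData"]["text"] = REDACTED
            if "text" in msg.get("content", {}):
                msg["content"]["text"] = REDACTED
        # Tokens also travel in the URL itself, outside the parsed queryString list.
        entry["request"]["url"] = re.sub(r"([?&][^=&]*(?:token|session|code|secret)[^=&]*=)[^&#]*",
                                         r"\1" + REDACTED, entry["request"].get("url", ""), flags=re.I)
    return har
```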