Russia-Based Threat Actor Group, Star Blizzard

The Cybersecurity and Infrastructure Security Agency (CISA)—in coordination with the United Kingdom’s National Cyber Security Centre (UK-NCSC), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NCSC-NZ), and the US National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Cyber Command Cyber National Mission Force (CNMF)—released a Joint Cybersecurity Advisory to raise awareness of the specific tactics, techniques, and delivery methods used by this Russia-based threat actor group to target individuals and organizations. Known Star Blizzard techniques include:
  • Impersonating known contacts’ email accounts
  • Creating fake social media profiles
  • Using webmail addresses from providers such as Outlook, Gmail, and others
  • Creating malicious domains that resemble legitimate organizations
CISA encourages network defenders and critical infrastructure organizations to review the advisory to improve their cybersecurity posture and protect against similar exploitation based on threat actor activity. CISA also urges software manufacturers to incorporate secure-by-design and security-by-default principles into their software development practices, limiting the impact of threat actor activity.
For more guidance to protect against the most common and impactful threats, visit CISA’s Cross-Sector Cybersecurity Performance Goals. For more information on secure by design, see CISA’s Secure by Design webpage.
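The last technique in that list, lookalike domains, is one a mail gateway can screen for. The script below is an added example of that check; it is not code from the advisory or from any CISA or NCSC tool. It normalizes the sender domain of each mail-log line and flags senders that resemble the organization's own domain through visual character substitutions, a small edit distance, or embedding of the brand label in a different domain. The organization's domain (`example-ngo.org`), the log-line format, the lookalike senders, the substitution table and the edit-distance threshold of 2 are all constructed or assumed for illustration.

```python
"""Flag sender domains that resemble an organization's legitimate domain.

Added example for lookalike-domain detection; not code from the advisory
or from any CISA/NCSC tool. All domains and log lines are constructed.
"""
import re
from typing import List, Optional, Tuple

# Constructed: the organization's own domains.
LEGIT_DOMAINS = ["example-ngo.org"]

# Assumed substitution table: single characters that visually mimic letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
# Assumed multi-character look-alikes ("rn" reads as "m", "vv" as "w").
MULTI_CHAR = [("rn", "m"), ("vv", "w")]
# Assumed threshold: this many edits or fewer counts as a typosquat.
MAX_EDITS = 2


def normalize(domain: str) -> str:
    """Lower-case the domain and undo common visual substitutions."""
    d = domain.lower().rstrip(".").translate(HOMOGLYPHS)
    for src, dst in MULTI_CHAR:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_label(domain: str) -> str:
    """Naive registrable label: the label left of the last one ("example-ngo")."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(candidate: str, legit: str) -> Optional[str]:
    """Return why candidate resembles legit, or None if it is unrelated or genuine."""
    cand = candidate.lower().rstrip(".")
    if cand == legit or cand.endswith("." + legit):
        return None  # the real domain or one of its own subdomains
    if normalize(cand) == normalize(legit):
        return "homoglyph"
    if levenshtein(cand, legit) <= MAX_EDITS:
        return "typosquat"
    if brand_label(legit) in cand:
        return "brand-embedded"
    return None


# Constructed mail-gateway log lines (the format is assumed, not a real product's).
LOG_LINES = [
    "2023-12-04T09:01:00Z from=alice@mail.example-ngo.org to=bob@example-ngo.org",
    "2023-12-04T09:02:00Z from=it-support@examp1e-ngo.org to=bob@example-ngo.org",
    "2023-12-04T09:03:00Z from=director@exarnple-ngo.org to=bob@example-ngo.org",
    "2023-12-04T09:04:00Z from=newsletter@outlook.com to=bob@example-ngo.org",
    "2023-12-04T09:05:00Z from=hr@example-ngo-portal.com to=bob@example-ngo.org",
]
FROM_RE = re.compile(r"from=[^@\s]+@([A-Za-z0-9.-]+)")


def scan(lines, legit_domains=LEGIT_DOMAINS) -> List[Tuple[str, str, str]]:
    """Return (sender_domain, legit_domain, reason) for every suspicious sender."""
    findings = []
    for line in lines:
        m = FROM_RE.search(line)
        if not m:
            continue
        sender = m.group(1)
        for legit in legit_domains:
            reason = classify(sender, legit)
            if reason:
                findings.append((sender, legit, reason))
    return findings


if __name__ == "__main__":
    for sender, legit, reason in scan(LOG_LINES):
        print(f"{reason:15} {sender} resembles {legit}")
```

Webmail senders such as `outlook.com` pass this check untouched, which matches the advisory's point that those accounts look legitimate by construction; for them the defence is verifying the request out of band rather than filtering on the domain. The `brand_label` helper assumes a two-label domain, so organizations under country-code second-level domains would need a public-suffix list instead.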

Beware of Gift Card Scams

It is commonplace for consumers to purchase gift cards as a present, especially for special occasions or the holidays. Threat actors seek to exploit this common task in gift card scams. For example, threat actors initiate fraudulent requests by spoofing a known or trusted person—such as a person in leadership or a position of authority within an organization, a friend, or a loved one—to make the request appear more legitimate. They also create a sense of urgency with a fake story or emergency to convince the recipient to act quickly without verifying. These fraudulent requests may be sent through email, SMS text messages, and social media platforms.

Automation Support for Control Assessments: Project Update and Vision

NIST has released Cybersecurity White Paper (CSWP) 30, Automation Support for Control Assessments – Project Update and Vision, which describes planned updates to the NIST Interagency Report (IR) 8011 series. These updates to IR 8011’s methodology, language, and guidance will align with revisions to SP 800-53, SP 800-53A, and SP 800-53B and will be applied to existing (IR 8011 Volumes 1–4) and upcoming volumes. CSWP 30 also shares the vision for the IR 8011 project, as well as a development and maintenance roadmap.

Existing IR 8011 volumes can be downloaded at the NIST Risk Management Framework (RMF) project site (select the project’s Publications page link). Individuals and organizations who may be interested in participating in a planned IR 8011 Community of Interest — especially those who are involved with the development of Governance, Risk, and Compliance (GRC) solutions — are welcome to inform the IR 8011 team at [email protected]. Questions about IR 8011 can be sent to the same address.

CISA Releases Joint Guide for Software Manufacturers: The Case for Memory Safe Roadmaps

Today, as part of the Secure by Design campaign, CISA published The Case for Memory Safe Roadmaps: Why Both C-Suite Executives and Technical Experts Need to Take Memory Safe Coding Seriously in collaboration with the following partners:

  • United States National Security Agency
  • United States Federal Bureau of Investigation
  • Australian Signals Directorate’s Australian Cyber Security Centre
  • Canadian Centre for Cyber Security
  • United Kingdom National Cyber Security Centre
  • New Zealand National Cyber Security Centre
  • Computer Emergency Response Team New Zealand

Malicious cyber actors routinely exploit memory safety vulnerabilities, which are common coding errors and the most prevalent type of disclosed software vulnerability. Preventing and responding to these vulnerabilities costs both software manufacturers and their customer organizations significant time and resources.

The Case for Memory Safe Roadmaps details how software manufacturers can transition to memory safe programming languages (MSLs) to eliminate memory safety vulnerabilities. The guidance provides manufacturers steps for creating and publishing memory safe roadmaps that will show their customers how they are owning security outcomes, embracing radical transparency, and taking a top-down approach to developing secure products—key Secure by Design tenets.

CISA and our partners urge C-suite and technical experts at software manufacturers to read this guidance and implement memory safe roadmaps to eliminate memory safety vulnerabilities from their products.

For more information and resources, visit CISA.gov/SecureByDesign.

Microsoft Security Virtual Training Day: Defend Against Threats and Secure Cloud Environments

Grow your skills at Security Virtual Training Day: Defend Against Threats and Secure Cloud Environments from Microsoft Learn. At this free event, you’ll learn to perform advanced hunting, detections, and investigations, and remediate security alerts with Microsoft Defender and Microsoft Sentinel. Using automated extended detection and response (XDR) in Microsoft Defender and unified cloud-native security information and event management (SIEM) through Microsoft Sentinel, you’ll learn to confidently perform investigations and remediations to help defend against threats. You will have the opportunity to:

  • Learn how to investigate, respond to, and hunt for threats using Microsoft Sentinel, Microsoft Defender for Cloud, and Microsoft 365 Defender.
  • Use Microsoft Defender for Cloud to perform cloud security posture management and to help protect cloud workloads.
  • Understand ways to help protect people and data against cyberthreats with Microsoft technologies.

Join us at an upcoming two-part event:
December 11, 2023 | 12:00 PM – 2:45 PM | (GMT-05:00) Eastern Time (US & Canada)
December 12, 2023 | 12:00 PM – 2:00 PM | (GMT-05:00) Eastern Time (US & Canada)

Delivery Language: English
Closed Captioning Language(s): English
 

Healthcare and Public Health Sector

The NJCCIC assesses with high confidence that the cyber threat and overall risk to the healthcare and public health sector is high and increasing.

Many critical infrastructure sectors have been increasingly targeted by disruptive cyberattacks as bad actors find new ways to use and monetize data. One such sector affected by the rise in cyberattacks is the Healthcare and Public Health (HPH) Sector. The attack surface of the HPH Sector is large and includes medical devices, software, and patient records, including Protected Health Information (PHI).

Due to legacy systems and irregular software updates, medical devices remain a viable attack vector for cybercriminal operations. Historically, healthcare institutions have been perceived as having weak cybersecurity controls, making them desirable targets for threat actors. Unpatched and end-of-life (EOL) operational technology systems and Internet of Things devices, such as office automation equipment, printers, VoIP phones, and networking devices, may be used as initial access points into vulnerable networks or for lateral movement and pivoting. Exploitation of vulnerable medical devices, such as intravenous pumps and ventilators, can adversely impact healthcare facilities’ operational functions, patient safety, data confidentiality, and data integrity. Because this attack vector remains a potential access point that has yet to be exploited, this writing will focus on the theft and exploitation of PHI. However, it is important to address vulnerabilities found within medical devices to avoid potentially catastrophic outcomes for patients relying upon these life-enabling devices.

The HPH Sector suffered at least 337 breaches in the first half of 2022 alone, impacting roughly 19 million records. The majority of these breaches originated from third-party vendors, indicating that threat actors are shifting their tactics and finding success by targeting vendors rather than large healthcare systems directly. Third-party vendors include the commercial “off the shelf” systems that healthcare systems may use for operations such as electronic patient care reports or asset management, to name a few. Cybercriminals targeting healthcare organizations focus on brand damage, loss of production, and delay of basic care to motivate organizations to pay their ransom. Cybercriminal gangs are also aware of the strict regulatory environment regarding patients’ PHI and will threaten the disclosure of such information to encourage healthcare organizations to pay their ransom without delay.

The shift from paper health records to electronic health records has brought several benefits to the HPH sector. One of the most important is quicker access to up-to-date patient medical information on which treatment regimens can be based. However, this transition has also made these records more vulnerable to attack, and they have proven extremely lucrative targets due to the sensitivity of their content. If sensitive patient information is not protected, healthcare providers face costly legal, ethical, and moral dilemmas.

When the healthcare industry is targeted, data compromise (including ransomware) can disrupt patient records, surgical services, medical devices, and appointment systems, all with the potential to disrupt emergency or life-saving care, potentially resulting in worsening of patient conditions and even loss of life. COVID-19 has created many exploitation opportunities for threat actors due to the value of vaccine research and data, the rapid deployment of remote systems to support remote workforces, and an amplified opportunity to target individuals via phishing campaigns to gain access to systems.

The FBI indicated that it received multiple reports of threat actors increasingly targeting healthcare payment processors to redirect victim payments. Threat actors were observed compromising user login credentials of healthcare payment processors and diverting payments to accounts controlled by the cybercriminals. Current reporting indicates that threat actors will continue targeting healthcare payment processors through a variety of techniques, such as phishing campaigns and social engineering, to spoof support centers and obtain user access.

Recent Incidents

In late November 2023, two New Jersey hospitals – Pascack Valley Medical Center and Mountainside Medical Center – were impacted by a ransomware attack that caused incoming emergency room patients to be diverted to other hospitals and staff to follow established downtime protocols. Some elective and non-emergency procedures and surgeries were rescheduled. The ransomware attack originated on the Ardent Health Services network, to which the impacted New Jersey hospitals and dozens of others around the United States are connected, so several further facilities may be impacted. Additionally, Vanderbilt University Medical Center disclosed that it identified and contained a cybersecurity incident on November 23 that resulted in a compromised database.

Advocate Aurora Health is one of the largest healthcare providers in the Midwest. Its improper use of a common website tracking tool led to the exposure of 3 million patients’ PHI in July 2022. Meta Pixel uses JavaScript to track visitors on websites, supplying information on how they interact with the site. However, in the case of Advocate Aurora Health, the use of Meta Pixel on patient portals, where patients enter sensitive information, caused PHI to be disclosed. This was exacerbated if users were logged into Facebook or Google at the same time they accessed the patient portal.
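The exposure above came from a third-party script running on authenticated pages, which is something a routine content audit can surface. The script below is an added example of such an audit; it is not code from Advocate Aurora Health, from Meta, or from the NJCCIC. It parses the HTML of pages served under designated sensitive paths and lists every script, image or iframe loaded from a host outside the organization's own domains, then builds the matching `script-src` Content-Security-Policy directive that would stop such scripts from loading at all. The hospital domain, the tracker host, the sensitive path prefixes and the sample page are all constructed for illustration.

```python
"""Audit sensitive pages for third-party scripts, images and iframes.

Added example (not Advocate Aurora Health's, Meta's or the NJCCIC's code).
All hostnames, paths and the sample page below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: hosts the organization itself controls.
FIRST_PARTY_HOSTS = {"hospital-example.org"}

# Constructed: URL prefixes under which authenticated patient data is shown.
SENSITIVE_PATH_PREFIXES = ("/portal/", "/appointments/", "/results/")


class ResourceCollector(HTMLParser):
    """Collect (tag, url) pairs for every externally loadable resource."""

    WATCHED = {"script": "src", "img": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = self.WATCHED.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append((tag, value))


def is_first_party(host, first_party_hosts):
    """True for the organization's domains and their subdomains only."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in first_party_hosts)


def third_party_resources(html, first_party_hosts=FIRST_PARTY_HOSTS):
    """Return [(tag, host)] for resources fetched from hosts we do not control."""
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.refs:
        # hostname is None for relative URLs such as /static/app.js (first party);
        # protocol-relative URLs (//cdn.example/x.js) still yield a hostname.
        host = urlparse(url).hostname
        if host is None:
            continue
        if not is_first_party(host, first_party_hosts):
            findings.append((tag, host.lower()))
    return findings


def audit_page(path, html, first_party_hosts=FIRST_PARTY_HOSTS):
    """Only pages under a sensitive prefix are audited; other pages return []."""
    if not path.startswith(SENSITIVE_PATH_PREFIXES):
        return []
    return third_party_resources(html, first_party_hosts)


def csp_script_src(first_party_hosts=FIRST_PARTY_HOSTS):
    """Build a script-src directive that blocks scripts from any other host."""
    sources = " ".join(f"https://*.{h} https://{h}" for h in sorted(first_party_hosts))
    return f"script-src 'self' {sources}"


# Constructed sample: a patient-portal page that loads a tracking pixel
# (script plus its <noscript> image fallback) next to the organization's own code.
SAMPLE_PAGE = """<!doctype html>
<html><head>
  <script src="/static/app.js"></script>
  <script src="https://cdn.hospital-example.org/ui.js"></script>
  <script src="https://tracker.analytics-example.net/pixel.js"></script>
</head><body>
  <form action="/portal/appointments/book">...</form>
  <noscript><img src="https://tracker.analytics-example.net/tr?ev=PageView"></noscript>
</body></html>"""

if __name__ == "__main__":
    for tag, host in audit_page("/portal/appointments/", SAMPLE_PAGE):
        print(f"third-party {tag} loaded from {host}")
    print(csp_script_src())
```

The image fallback matters: a pixel that is blocked as a script can still report the page URL (which may itself carry appointment or condition details) through a plain image request, so an `img-src` directive and a review of what appears in URLs belong in the same audit. Running the audit on rendered pages from a staging crawl, rather than on templates, also catches scripts injected by tag managers at runtime.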

In May 2022, a Massachusetts-based medical imaging service provider managed by Shields Health Care Group reported that a cybercriminal had gained unauthorized access to some of its IT systems in March 2022. Over 2 million patients reportedly had their PHI stolen, including names, addresses, Social Security numbers, insurance information, and medical history information. The full cost of this breach is unknown because Shields Health Care Group supplies management and imaging services for approximately 50 healthcare providers, making the scope of the attack massive.

Trinity Health experienced a ransomware attack in 2020, when Blackbaud, a vendor of cloud-based customer relationship management software, came under attack. The attack on one of Blackbaud’s self-hosted cloud servers affected hundreds of customer organizations around the world, including more than two dozen healthcare organizations. This led to the compromise of more than 10 million records. Blackbaud stopped the cybercriminals before they fully encrypted files in the hacked databases, but not before they exfiltrated sensitive data. The company paid an undisclosed sum to the hackers to destroy the stolen data. In total, 3.32 million people were affected. Trinity Health’s donor database was among the files the attackers managed to steal, which included electronic protected health information (ePHI) such as dates of birth, physical and email addresses, Social Security numbers, treatment information, and financial payment data. Blackbaud said it fixed the vulnerability that attackers exploited.

Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Threat Intelligence
Apple is aware of a report that CVE-2023-42916 and CVE-2023-42917 may have been actively exploited against versions of iOS released before iOS 16.7.1.
Systems Affected
  • Versions prior to macOS Sonoma 14.1.2
  • Versions prior to iOS 17.1.2 and iPadOS 17.1.2
  • Versions prior to Safari 17.1.2
Risk
Government:
  • Large and medium government entities: High
  • Small government entities: Medium
Businesses:
  • Large and medium business entities: High
  • Small business entities: Medium
Home Users: Low
Technical Summary
Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for arbitrary code execution. Details of the vulnerabilities are as follows:
Recommendations
  • Apply the stable channel update provided by Apple to vulnerable systems immediately after appropriate testing.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
  • Block execution of code on a system through application control and/or script blocking.
  • Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.
References
Apple:
https://support.apple.com/en-us/HT201222
https://support.apple.com/en-us/HT214033
https://support.apple.com/en-us/HT214031
https://support.apple.com/en-us/HT214032
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42916
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42917

Explore NIST’s Cybersecurity and Privacy Reference Tool!

Access Reference Data from NIST’s Various Standards, Guidelines & Frameworks—All in One Place 

CPRT Redesign

The NIST Cybersecurity and Privacy Reference Tool (CPRT) provides a way to browse, view mappings for, and download reference data from select NIST cybersecurity and privacy standards, guidelines, and frameworks, all in standardized data formats (currently XLSX or JSON). These tabular datasets make it easier for users of NIST guidance to identify, locate, compare, and customize content without needing to review hundreds of pages of narrative within publications.

CPRT was developed a few years ago to liberate, manage, and map NIST cybersecurity and privacy data. Today’s launch is the first step in improving the user experience: CPRT now includes more NIST resources than it did when we first unveiled it, and more will continue to be added, so it will keep evolving over time.

NIST will continue to collaborate with the public to ensure access to our community-developed resources is manageable, streamlined and usable—and CPRT is a big step in this direction. We look forward to the further evolution of this tool and welcome your comments, questions, and feedback via [email protected]

Threat Actors Exploit Adobe ColdFusion Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has released a Cybersecurity Advisory in response to confirmed exploitation of CVE-2023-26360 by unidentified threat actors at a Federal Civilian Executive Branch agency. This vulnerability presents an improper access control issue impacting specific versions of Adobe ColdFusion, some of which are no longer supported. 
 
In June 2023, through the exploitation of CVE-2023-26360, threat actors were able to establish an initial foothold on two federal agency systems in two separate instances. In both incidents, Microsoft Defender for Endpoint alerted the agencies of the potential exploitation of an Adobe ColdFusion vulnerability on public-facing web servers in the agency’s pre-production environment. Both servers were running outdated versions of software, which are vulnerable to various CVEs.  
 
Adobe ColdFusion is a commercial application server used for rapid web-application development, such as supporting proprietary markup languages for building web applications and integrating external components like databases and other third-party libraries.   
 
The advisory provides network defenders with details on the vulnerability; tactics, techniques, and procedures (TTPs); indicators of compromise (IOCs); and methods to detect and protect against similar exploitation. Organizations should prioritize remediating known exploited vulnerabilities, employ proper network segmentation, and enable multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
 
Organizations are encouraged to implement the recommended mitigations in the advisory to improve their cybersecurity posture against this particular threat actor activity. CISA also recommends software manufacturers incorporate secure-by-design principles and tactics into their software development practices to limit the impact of threat actor techniques and strengthen the security posture for their customers. 

Comment on Proposed Updates to the NICE Framework

NICE is continuing to refine and clarify the Workforce Framework for Cybersecurity (NICE Framework) as a fundamental reference resource that is agile, flexible, modular, and interoperable.

Proposed Insider Threat Analysis Work Role

NICE is proposing one new Work Role for addition to the NICE Framework: Insider Threat Analysis. Codifying the Insider Threat Analysis Work Role in the NICE Framework supports learning and career pathways that help ensure that organizations are well equipped to address insider threats. This proposed role includes a name, description, and Task statements, and identifies the category to which it best fits. Comments on the proposed new Work Role are due by December 22, 2023.

Refactored Task Statements

Proposed updates to the NICE Framework Task statements follow the principles set forth in the Task, Knowledge, Skill (TKS) Statements Authoring Guide for Workforce Frameworks. Updates include improvements for:

  • Consistency: Statements follow a common structure that begins with the activity to be executed and focus on the work to be done (not the knowledge or skills needed to do that work)
  • Clarity: Statements are clearly stated
  • Redundancy: Statements are unique and do not duplicate or unnecessarily overlap with others
  • Compound statements: Statements do not include more than one task

Comments on the proposed updates to Task statements are due by January 29, 2024.