NoEscape Ransomware

The US Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) released this Analyst Note to provide awareness of NoEscape ransomware.
A relatively new threat actor and ransomware to the cybercriminal community, NoEscape ransomware emerged in May 2023, but is believed to be a rebrand of Avaddon, a now defunct ransomware group shut down in 2021. Unlike many of its contemporaries, however, the unknown developers of this ransomware claim that in lieu of using source code or leaks from other established ransomware families, they have constructed their malware and its associated infrastructure entirely from scratch. Using unique features and aggressive multi-extortion tactics, in just under a year, it has targeted multiple industries, including the Healthcare and Public Health (HPH) sector. Their recent activities highlight the prominence and influence they have as a Ransomware-as-a-Service (RaaS) group.
This HC3 Analyst Note provides an overview of the group, possible connections to the Avaddon threat group, an analysis of NoEscape's ransomware attacks, its target industries and victim countries, sample MITRE ATT&CK techniques, and recommended defenses and mitigations against the ransomware. It is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cyber criminals.

Cybersecurity Framework Profile for Electric Vehicle Extreme Fast Charging Infrastructure

Now Available — Final NIST IR 8473, Cybersecurity Framework Profile for Electric Vehicle Extreme Fast Charging Infrastructure

The NIST NCCoE has published the final version of NIST Internal Report (NIST IR) 8473, Cybersecurity Framework Profile for Electric Vehicle Extreme Fast Charging Infrastructure.

Overview

This Profile is designed to be part of an enterprise risk management program to aid organizations in managing threats to systems, networks, and assets within the Electric Vehicle Extreme Fast Charging Infrastructure (EV/XFC) ecosystem (it is not intended to serve as a solution or compliance checklist).

The Profile is an application of the NIST Cybersecurity Framework Categories and Subcategories in the context of the EV/XFC cybersecurity ecosystem as provided by the Department of Energy’s (DOE) Office of Cybersecurity, Energy Security, and Emergency Response and Office of Energy Efficiency and Renewable Energy and Electric Power Research Institute. It is a non-regulatory, voluntary profile intended to supplement, not replace, an existing risk management program or the current cybersecurity standards, regulations, and industry guidelines that are in current use by the EV/XFC industry.

The Profile also provides ecosystem relevant parties with a means to assess and communicate their cybersecurity posture in a manner consistent with the Framework. It also offers users an industry level risk-based approach for managing cybersecurity activities and facilitates cross-collaboration between industry parties, vendors, and end users.

Use of the Profile will help organizations:

  • Identify key assets and interfaces in each of the ecosystem domains.
  • Address cybersecurity risk in the management and use of EV/XFC services.
  • Identify the threats, vulnerabilities, and associated risks to EV/XFC services, equipment, and data.
  • Apply protection mechanisms to reduce risk to manageable levels.
  • Detect disruptions and manipulation of EV/XFC services.
  • Respond to and recover from EV/XFC service anomalies in a timely, effective, and resilient manner.

What changed from the draft to final Profile?

We received over 220 comments. Based on the input received, a few major changes from the draft to final Profile include:

  • Added additional informative references for applicable subcategories, including NIST Special Publication (SP) 800-207, Zero Trust Architecture; ISO/SAE 21434; and ISO 24089.
  • Added acknowledgements for individual contributors from the COI and public comment period.
  • Updated content in the subcategories to better articulate relevancy to specific domains within the EV/XFC ecosystem.
  • Updated front matter language to represent the rapid global growth of electric vehicles.

Questions? Email the team at [email protected].


HTTP/2 Rapid Reset Vulnerability

Researchers and vendors have disclosed a denial-of-service (DoS) vulnerability in the HTTP/2 protocol. The vulnerability (CVE-2023-44487), known as Rapid Reset, has been exploited in the wild from August 2023 through October 2023.
The Cybersecurity and Infrastructure Security Agency (CISA) recommends organizations that provide HTTP/2 services apply patches when available and consider configuration changes and other mitigations discussed in the references below. For more information on Rapid Reset, see:
  • Cloudflare: HTTP/2 Rapid Reset: deconstructing the record-breaking attack
  • Google: How it works: The novel HTTP/2 'Rapid Reset' DDoS attack
  • AWS: CVE-2023-44487 – HTTP/2 Rapid Reset Attack
  • NGINX: HTTP/2 Rapid Reset Attack Impacting NGINX Products
Organizations can take proactive steps to reduce the effects of DoS attacks. See the following guidance for more information:
  • CISA: Understanding and Responding to Distributed Denial-of-Service Attacks
  • CISA: Additional DDoS Guidance for Federal Agencies

Log Management Planning Guide: Draft SP 800-92r1 Available for Comment

NIST has released the initial public draft of Special Publication (SP) 800-92r1 (Revision 1), Cybersecurity Log Management Planning Guide, for public comment. Log management is the process for generating, transmitting, storing, accessing, and disposing of log data. It facilitates log usage and analysis for many purposes, including identifying and investigating cybersecurity incidents, finding operational issues, and ensuring that records are stored for the required period of time.

This document defines a playbook to help any organization plan improvements to its cybersecurity log management practices in support of regulatory requirements and recommended practices. While the playbook is not comprehensive, the listed plays are noteworthy and generally beneficial for cybersecurity log management planning by organizations.

The public comment period for this draft is open through November 29, 2023. Submit your comments to [email protected].

NOTE: A call for patent claims is included on page iii of this document. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.

StopRansomware: AvosLocker Ransomware (Update)

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this Joint Cybersecurity Advisory to disseminate known TTPs, IOCs, and detection methods associated with the AvosLocker variant identified through FBI investigations as recently as May 2023.
AvosLocker operates under a ransomware-as-a-service (RaaS) model. AvosLocker affiliates have compromised organizations across multiple critical infrastructure sectors in the United States, affecting Windows, Linux, and VMware ESXi environments. AvosLocker affiliates compromise organizations’ networks by using legitimate software and open-source remote system administration tools. AvosLocker affiliates then use exfiltration-based data extortion tactics with threats of leaking and/or publishing stolen data.
This advisory updates the March 17, 2022, AvosLocker ransomware Joint Cybersecurity Advisory released by FBI and the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN). This update includes TTPs and IOCs not included in the previous advisory and a YARA rule FBI developed after analyzing a tool associated with an AvosLocker compromise.

NIST Unveils Newly Named Human-Centered Cybersecurity Program

The Human-Centered Cybersecurity program (formerly Usable Cybersecurity) is part of the Visualization and Usability Group at NIST. It was created in 2008, but we've known for quite some time that we needed to rename our program to better represent the broader scope of work we provide for the cybersecurity practitioner and IT professional communities. We made the decision to update the name to Human-Centered Cybersecurity to better reflect our new (but long-time practiced) mission statement, "championing the human in cybersecurity." With our new name, we hope to highlight that usability still (and always) will be a very important focus for us, but it is just one component within the broader arena of work in which we specialize.

Our multi-disciplinary team conducts research at the intersection of cybersecurity, human factors, cognitive science, and psychology…


What is the Digital Trust Practice Model? Join us for a webinar on 16 Oct.

Join the FREE Digital Trust virtual event on 16 October

The rapid growth and challenges in the digital ecosystem mean that organizations need to earn the trust of their customers, but how can organizations demonstrate they are doing everything right in a highly connected marketplace?

Join us for the free virtual Digital Trust event which takes place on Zoom on Monday 16 October 2023 from 14:00 BST (09:00 EDT / 15:00 CEST).

For further details and to register for this free event, see the registration link.

The Digital Trust Ecosystem Framework is a set of principles created by ISACA as a global standard to help individuals and organizations strengthen digital trust within their organization. The framework will help organizations focus on their individual goals as they build a structure that supports trust, agility and resilience.

This event is relevant to anyone who has a responsibility to safeguard customer data such as security, risk, legal, compliance, communications, IT, marketing and operations. You will get the opportunity to gain perspectives from industry professionals and an opportunity to ask our world leading experts questions.

Join us if you are interested in:

  • Understanding the impact of Digital Trust on corporate risk
  • Coming away able to recall and understand the definition of Digital Trust
  • Learning the recommended organizational strategies which earn the trust of your customers
  • Meeting, networking and collaborating with peers in similar roles and with similar challenges

Registering will ensure you receive links to the event recording.


Vulnerability in Apple Products

A vulnerability has been discovered in Apple products which could allow for privilege escalation. Successful exploitation of this vulnerability could allow for privilege escalation in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Threat Intelligence
Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6.

Systems Affected
Versions of iOS before iOS 16.6

Risk
Government:
  • Large and medium government entities: High
  • Small government entities: Medium
Businesses:
  • Large and medium business entities: High
  • Small business entities: Medium
Home Users: Low

Technical Summary
A vulnerability has been discovered in Apple products which could allow for privilege escalation.

Recommendations
  • Apply the stable channel update provided by Apple to vulnerable systems immediately after appropriate testing.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.

References
Apple:
https://support.apple.com/en-us/HT213961
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42824

Fact Sheet for Organizations Using Open-Source Software

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), and US Department of the Treasury are releasing this Joint Fact Sheet for senior leadership and operations personnel at operational technology (OT) vendors and critical infrastructure facilities. This fact sheet will assist with better management of risk from open source software (OSS) use in OT products and increase resilience using available resources. While several resources and recommendations within this fact sheet are best suited for execution by the vendor or the critical infrastructure owner, collaboration across parties will result in less friction for operator workflows and promote a safer, more reliable system and provision of National Critical Functions. This fact sheet aims to:
  • Promote the understanding of OSS and its implementation in OT and industrial control systems (ICS) environments.
  • Highlight best practices and considerations for the secure use of OSS in OT.
Critical infrastructure organizations using OSS in OT and ICS face heightened cybersecurity and safety concerns due to the potential far-reaching impacts of incidents and associated life safety implications. Applying generally applicable cyber hygiene practices, such as routinely updating software, can be challenging for organizations using OSS in OT and ICS applications.
All organizations are encouraged to review the Joint Fact Sheet and visit CISA’s new webpage, Securing Open Source Software in Operational Technology for more information.

Level up security organization-wide with the Be Cybersmart Kit

Build effective security practices at every level of your organization

Cybersecurity Awareness Month is here, and this is the perfect time to update security practices and educate employees about safeguarding your organization's data and resources. The Be Cybersmart Kit includes a series of easy-to-understand infographics to share with your entire organization. Download the kit to:

  • Learn how to defend your organization from common external and internal threats in Aware and Secure: Best practices to safeguard your business.
  • Simplify training with a curated set of infographics designed for employees at all levels of your organization.
  • Help teams improve their data and device security practices.
  • Provide tips for identifying and avoiding tech support scams and phishing.