Healthcare Cybersecurity

Even Well-Defended Companies are Vulnerable to Lapsus$ Attacks

The Cyber Safety Review Board (CSRB) has published an analysis of cyberattacks by the Lapsus$ threat group and has made recommendations for the public and private sectors on how to improve cybersecurity defenses against attacks by Lapsus$ and similar threat actors.

The CSRB was established by President Biden’s Executive Order on Improving the Nation’s Cybersecurity and has been tasked with reviewing major cyber events and making recommendations on improvements that can be made by public and private sector organizations to better defend against attacks. The CSRB consists of 15 cybersecurity leaders from the federal government and private sector and is chaired by Robert Silvers, Under Secretary for Policy at the U.S. Department of Homeland Security.

Lapsus$ is a cyber threat actor primarily focused on data theft and extortion that has been attacking large companies and government agencies around the world since 2021. The group breaches defenses to gain access to internal networks, steals sensitive data such as source code, and demands payment, although it rarely follows up on its threats. The group is also known to post political messages in online forums and swiftly moves on to other targets after a successful compromise.

Lapsus$ is thought to be a loosely organized threat group that includes several juveniles. Many of the group’s attacks appear to have been conducted for public notoriety rather than financial gain. The group has successfully breached some of the most well-resourced and well-defended companies and government agencies around the world with apparent ease, using relatively simple techniques without particularly complex or advanced tooling.

The group identifies weak points in systems and exploits them, and often compromises third-party vendors and telecommunications providers before pivoting to the intended target. It is particularly adept at social engineering, tricking individuals into providing network access, for instance by hijacking employees' phone numbers and phishing them via text messages and voice calls. The group is also adept at bypassing multi-factor authentication, for example by receiving SMS one-time codes on a hijacked number.

When investigating Lapsus$, the CSRB found commonalities between several different threat groups. Because the techniques used by Lapsus$ are also used by other groups, cyber intelligence and attribution are fragmented. Similar techniques are used by the ransomware affiliate group Yanluowang; the financially motivated group Oktapus (Roasted Oktapus); the data extortion group Karakurt; the financially motivated Lapsus$ splinter group Nwgen Team; and two groups tracked as #NotLapsus1 and #NotLapsus2. The Board found evidence of ties between members of these groups and Lapsus$.

“We uncovered deficiencies in how companies ensure the security of their vendors; how cell phone carriers protect their customers from SIM swapping; and how organizations authenticate users on their system,” said CSRB Chair, Robert Silvers. “The Board put forward specific recommendations to address these issues and more, in line with the Board’s mandate to conduct comprehensive after-action reviews of the most significant cyber incidents.”

Since many of the attacks involve credential theft, one of the most effective defenses is moving to passwordless technologies and, in the meantime, ensuring that phishing-resistant multi-factor authentication (MFA) is implemented. The CSRB found that the MFA implementations broadly used by companies and individuals, such as one-time codes sent by SMS or voice call, are not sufficient to protect against Lapsus$ attacks because a SIM swap or a phishing page can capture and relay the code. The Lapsus$ attacks also highlight the importance of zero-trust architectures, which assume a breach has already happened and attackers are inside the network, and therefore verify authentication and authorization for every request.
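As an added illustration of the distinction the CSRB is drawing (this is example code, not material from the CSRB report), the following Python simulates a real-time phishing relay against a one-time-password second factor and against an origin-bound (WebAuthn-style) factor. The two origins, the user secrets, and the use of an HMAC with a per-device secret as a stand-in for an authenticator's asymmetric signature are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Assumed relying-party origin and an attacker's look-alike origin (constructed).
LEGIT_ORIGIN = "https://sso.example-corp.com"
PHISH_ORIGIN = "https://sso.example-c0rp.com"


def otp_code(seed: bytes, counter: int) -> str:
    """HOTP-style six-digit code. The code carries no information about where
    the user is typing it, so anyone who learns it can replay it in time."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def rp_verify_otp(seed: bytes, counter: int, submitted: str) -> bool:
    return hmac.compare_digest(otp_code(seed, counter), submitted)


def sign_assertion(device_key: bytes, challenge: bytes, browser_origin: str) -> bytes:
    """Origin-bound assertion. A FIDO2 authenticator signs the server challenge
    together with client data that includes the origin the browser is really
    on. An HMAC with a per-device secret stands in for that signature here
    (assumption for the example); the binding to the origin is the point."""
    client_data = challenge.hex().encode() + b"|" + browser_origin.encode()
    return hmac.new(device_key, client_data, hashlib.sha256).digest()


def rp_verify_assertion(device_key: bytes, challenge: bytes,
                        claimed_origin: str, signature: bytes) -> bool:
    """The relying party insists on its own origin and recomputes the
    signature over that origin; a mismatch in either fails the login."""
    if claimed_origin != LEGIT_ORIGIN:
        return False
    expected = sign_assertion(device_key, challenge, claimed_origin)
    return hmac.compare_digest(expected, signature)


def otp_relay_attack(seed: bytes, counter: int) -> bool:
    """Adversary-in-the-middle: the victim types the OTP into the phishing
    page and the attacker forwards it to the real site inside the validity
    window. Returns True when the relayed login is accepted."""
    code_typed_into_phish_page = otp_code(seed, counter)
    return rp_verify_otp(seed, counter, code_typed_into_phish_page)


def webauthn_relay_attack(device_key: bytes) -> tuple[bool, bool]:
    """Same relay against the origin-bound factor. The attacker fetches a real
    challenge and has the victim's browser sign it while on PHISH_ORIGIN.
    Forwarding the assertion unchanged fails the origin check; rewriting the
    origin to LEGIT_ORIGIN fails the signature check. Returns both outcomes."""
    challenge = secrets.token_bytes(32)
    sig = sign_assertion(device_key, challenge, PHISH_ORIGIN)
    forwarded_as_is = rp_verify_assertion(device_key, challenge, PHISH_ORIGIN, sig)
    origin_rewritten = rp_verify_assertion(device_key, challenge, LEGIT_ORIGIN, sig)
    return forwarded_as_is, origin_rewritten


def legitimate_webauthn_login(device_key: bytes) -> bool:
    """Control case: the real user on the real origin is accepted."""
    challenge = secrets.token_bytes(32)
    sig = sign_assertion(device_key, challenge, LEGIT_ORIGIN)
    return rp_verify_assertion(device_key, challenge, LEGIT_ORIGIN, sig)


if __name__ == "__main__":
    seed, device_key = secrets.token_bytes(20), secrets.token_bytes(32)
    print("OTP relay accepted:           ", otp_relay_attack(seed, 42))
    print("WebAuthn relay (as-is, rewritten):", webauthn_relay_attack(device_key))
    print("WebAuthn legitimate login:    ", legitimate_webauthn_login(device_key))
```

The OTP relay succeeds because nothing in the code ties it to the site the user believed they were on; the origin-bound assertion fails in both relay variants because the origin is inside the signed data, which is what "phishing-resistant" means in practice.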

The group hijacks customers' mobile phone numbers through SIM swapping, so telecommunications providers need better processes and systems to stop attackers taking over their subscribers' service. Many of the attacks are conducted via vendors, so organizations should design their security programs to cover both their own information technology environments and any vendors that host critical data or have direct access to their networks. The CSRB also recommends giving law enforcement the means to disrupt all types of threat actors and, since the group is known to include teenagers, ensuring that young people are given opportunities to use their technical skills for positive purposes.

“Lapsus$ and related threat actors are using basic techniques to gain an entry point into companies. Their primary attack vectors — SIM swap attacks and phishing employees — can be easily addressed, especially for companies like Microsoft and Okta that are so well resourced,” Rosa Smothers, former CIA cyber threat analyst and current KnowBe4 executive told the HIPAA Journal. “Hardware authentication requires in-person direct engagement preventing remote, phone-based attacks. And training employees to spot and report social engineering attempts like phishing should be the basis of any company’s security awareness training program.”

The CSRB provides 10 actionable recommendations in the report on how to improve defenses against these attacks. The CSRB report on attacks by Lapsus$ and related threat groups is available on the CISA website.

The post Even Well-Defended Companies are Vulnerable to Lapsus$ Attacks appeared first on HIPAA Journal.

NIST Releases Draft Version of Cybersecurity Framework 2.0 for Public Comment

The National Institute of Standards and Technology (NIST) has published a draft of version 2.0 of its popular Cybersecurity Framework (CSF). This is the first major update to the NIST CSF since its release in 2014.

The NIST CSF helps organizations understand and reduce cybersecurity risks, improve their security posture, and monitor progress, and has been downloaded more than 2 million times. It was initially released to help critical infrastructure entities improve their security posture and manage risk; however, the framework has been adopted by a much broader range of entities, including small- and medium-sized organizations that lack internal cybersecurity resources. The framework is built around five core functions: identify, protect, detect, respond, and recover, and provides high-level guidance for managing cybersecurity risk. It uses a common language and a systematic methodology for managing risk, aids communication between technical and non-technical staff, and can easily be tailored to the needs of individual organizations.

In February 2022, NIST issued a request for information (RFI) on how the framework should be updated, in particular to improve supply chain risk management. More than 130 responses were received, and that feedback has been considered in the update. The framework has also been updated to reflect changes in the cybersecurity landscape since its release almost a decade ago, and has been revised to make it easier to put into practice for organizations of all types and sizes.

The update expands the scope of the framework from protecting critical infrastructure such as hospitals to organizations of all types and sizes. NIST has added a sixth function, govern, to help organizations make and execute the internal decisions that support their cybersecurity strategy, and the update emphasizes that cybersecurity is a major source of enterprise risk alongside legal and financial risks. The updated version also includes guidance on implementing the CSF, such as creating profiles tailored to specific situations, and implementation examples have been included for each subcategory of each function, specifically to help smaller organizations use the framework effectively.

“With this update, we are trying to reflect current usage of the Cybersecurity Framework, and to anticipate future usage as well,” said NIST’s Cherilyn Pascoe, the framework’s lead developer. “The CSF was developed for critical infrastructure like the banking and energy industries, but it has proved useful everywhere from schools and small businesses to local and foreign governments. We want to make sure that it is a tool that’s useful to all sectors, not just those designated as critical.”

The draft version of the NIST CSF 2.0 has been released for public comment and comments will be accepted until November 4, 2023. NIST says it has a workshop planned for the fall – the details of which have yet to be announced – which will provide a further opportunity for the public to give feedback on the updated version. No further drafts will be released by NIST, and the final version is expected to be released in early 2024.

Ransomware Gangs Increasingly Exploiting 0Day and 1Day Vulnerabilities

Ransomware gangs use a variety of methods to gain initial access to victims' networks. While phishing remains one of the most common initial access vectors, researchers at the cybersecurity firm Akamai have identified a trend toward the use of zero-day and one-day vulnerabilities (flaws exploited before a patch exists, or shortly after one is released) for initial access. Several threat groups are conducting their own research to find exploitable vulnerabilities or are purchasing exploits from gray-market sources.

Ransomware attacks have increased significantly over the past year, with a 143% increase between Q1 2022 and Q1 2023, and there is a growing trend of data theft and extortion without the use of ransomware to encrypt files. File encryption causes massive disruption to business operations, but it is noisy and resource intensive. Simply accessing victims' networks, stealing data, and threatening to publish or sell it is often enough to prompt the victim to pay. Such attacks require fewer resources, are far faster, and are less likely to be detected and blocked by security teams. While data theft was once secondary to file encryption in ransomware attacks, the reverse now appears to be true, with data theft proving more effective leverage for extortion than file encryption.

The Clop ransomware group is one of several threat actors to opt for data theft and extortion without file encryption, and is also one of the gangs focusing on vulnerability exploitation. In February 2023, the group mass exploited a zero-day vulnerability in Fortra's GoAnywhere file transfer solution and attacked dozens of companies. A few months later, it mass exploited a zero-day vulnerability in Progress Software's MOVEit Transfer file transfer solution to attack hundreds of companies. When claiming responsibility for the attack, a spokesperson for the group said that data encryption was an option but the decision was taken not to encrypt files. KonBriefing is tracking the MOVEit Transfer attacks and says at least 611 organizations were attacked and the records of between 35.8 million and 40.7 million individuals were stolen by Clop.

The Akamai researchers analyzed the data leak sites of 90 ransomware groups, where the groups publish the names of their victims and release stolen data when ransoms are not paid. The groups often provide details about whether data was encrypted, the amount of data stolen, and how the attack was conducted. The researchers found that, in addition to Clop, several other ransomware groups were favoring zero-day and one-day exploits of vulnerabilities in software and operating systems and, like Clop, were conducting research in-house or were seeking and paying for exploits from third parties. Other ransomware operations that have exploited recently disclosed vulnerabilities include LockBit and ALPHV (BlackCat), which weaponized flaws before many organizations had applied the available patches; examples include the PaperCut vulnerabilities CVE-2023-27350 and CVE-2023-27351 and the VMware ESXi hypervisor vulnerability CVE-2021-21974.

The main sectors targeted by ransomware gangs in the period studied were manufacturing, healthcare, and financial services. The researchers also identified a much higher share of attacks on small- and medium-sized firms than on larger organizations: 65% of the attacks analyzed were on small- and medium-sized businesses, compared to 12% on larger organizations. The researchers also found a high probability of a victim experiencing a second attack within three months of the first.

Healthcare Data Breach Risk Doubles in 2-Year Window Around M&As

The risk of a data breach at hospitals doubles in the year before and after mergers and acquisitions (M&As), according to a recent study by University of Texas at Dallas PhD candidate, Nan Clement.

Clement analyzed data breach reports submitted to the HHS' Office for Civil Rights (OCR) from 2010 to 2022 and compared them with M&A records over the same period. The baseline probability of a data breach was 3% for hospitals that merged during the analyzed period, but the risk doubled to 6% for merger targets, buyers, and sellers in the two-year window spanning the year before and the year after the deal closed. Clement also found that incidents involving hacking and insider misconduct increased when a hospital merger or acquisition was announced, and that Google Trends data showed an increase in searches for the target hospital's name following the announcement, which correlated with hacking activity.

Hacking and ransomware attacks occur more frequently during the two-year window around M&As. At such a sensitive time, cybercriminals may judge that ransom demands are more likely to be paid, and the integration of two hospitals' information systems can introduce incompatibilities, vulnerabilities, and employee mistakes that are easily exploited. The Federal Bureau of Investigation has previously warned companies that hackers, and especially ransomware groups, time attacks around significant financial events such as M&As because it gives them more leverage.

According to IBM Security's recently published Cost of a Data Breach Report, healthcare data breaches now cost almost $11 million per incident, more than breaches in any other sector, and OCR breach portal data shows a massive increase in hacking incidents in the past few years. "Given the significant cost of data breaches, it is crucial for hospital managers, cybersecurity experts, and health, defense, and finance authorities to work together to enhance cybersecurity measures in hospitals," suggests Clement in the paper. Clement found that mergers involving publicly traded hospitals often see a decrease in data breaches during the merger. "Hospital managers should consider adopting the risk management processes commonly employed by professional investors and publicly traded hospitals. This integration of risk management practices can lead to improved overall organizational capital for protecting the hospitals."

The findings from the peer-reviewed paper, M&A Effect on Data Breaches in Hospitals: 2010-2022, were presented at the 22nd Workshop on the Economics of Information Security in Geneva last month.

HC3 Sounds Alarm About Rhysida Ransomware Group

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a security alert about a new ransomware group – Rhysida – which is conducting high-impact attacks across multiple industry sectors. Attacks have been conducted in North and South America, Western Europe, and Australia, with the United States, Italy, Spain, and the United Kingdom having suffered the most attacks. The primary targets appear to be in the education, government, manufacturing, and technology sectors, although the group has conducted some attacks on the healthcare and public health (HPH) sector.

Rhysida is a ransomware-as-a-service operation that recruits affiliates to conduct attacks using its ransomware variant in exchange for a percentage of any ransom payments they generate. The group was first identified in May 2023, and its ransomware variant appears to still be in the early stages of development as it lacks the advanced features seen in the ransomware variants used by more established threat groups.

Rhysida ransomware is deployed after initial access to victims' networks has been gained through phishing and the exploitation of software vulnerabilities. The Cobalt Strike attack framework is deployed on compromised systems and used to deliver the ransomware payload. Files are encrypted with ChaCha20, and the ChaCha20 keys are protected with a 4096-bit RSA key, so files cannot be recovered without the attackers' private key. A PDF ransom note is dropped on the encrypted drives, demanding payment in Bitcoin for the decryption keys and to prevent the publication of stolen data; the ransom amount is not stated in the note, and victims must contact the group over Tor to negotiate. Rhysida was behind a recent attack on the Chilean Army and has listed eight attacks on its data leak site to date, publishing stolen data from five of them.

Security researchers have yet to confirm a connection between the Rhysida ransomware-as-a-service operation and other ransomware or cybercriminal groups, although some believe there may be a link with the Vice Society group, which also primarily targets the education sector. HC3 has shared indicators of compromise (IoCs) in the alert to help network defenders detect attacks, along with several proactive steps healthcare organizations can take to harden their defenses and prevent attacks.

Healthcare and Financial Services Remain Top Targets for Cyber Threat Actors

Healthcare and financial services were the two most attacked industries, according to BlackBerry's latest Global Threat Intelligence Report. The data for the report was collected from March to May 2023 from BlackBerry's cybersecurity solutions, which blocked more than 1.5 million attacks, a rate of around 11.5 attacks per minute, and detected 1.7 novel malware samples per minute, a 13% increase from the previous reporting period.

During the reporting period, BlackBerry detected 13,433 unique malware binaries and blocked 109,922 attacks across the wider healthcare sector. Ransomware and information-stealing malware were highly prevalent; the RedLine information stealer and the Amadey bot were regularly blocked threats. Amadey has information-stealing capabilities and is often used for reconnaissance before downloading additional malicious payloads. The Emotet, IcedID, and SmokeLoader malware families were also extensively used in attacks on the sector; all three can steal information and download additional malware payloads.

The healthcare industry remains an attractive target for financially motivated threat groups because of the volume of sensitive data healthcare organizations store, the ease of monetizing that data, and the sector's reliance on access to data and computer systems to provide critical services.

It is not only financially motivated cybercriminal groups that are attacking the healthcare industry. State-sponsored threat actors are breaching healthcare defenses and stealing confidential medical data, and cyber threat groups have targeted the sector in retaliation for the U.S. providing support for Ukraine. The RomCom group, for example, targeted U.S. medical groups providing humanitarian aid to Ukrainian refugees.

Two advanced persistent threat (APT) groups were highly active during the reporting period: APT28 (aka Sofacy/Fancy Bear) and Lazarus Group (aka Labyrinth Chollima, Hidden Cobra, Guardians of Peace, Zinc, and Nickel Academy). APT28 is a highly skilled cyber espionage group thought to operate on behalf of the Russian government and Lazarus Group is thought to be a North Korean state-sponsored threat actor.

Attacks on government and public sector services were up 40% on the previous reporting period, with 55,000 attacks on public sector organizations blocked during the 90-day reporting period. Ransomware groups such as LockBit, Royal, BlackCat/ALPHV, and Clop were highly active and accounted for a large percentage of the attacks on city, state, and government systems and public sector organizations. These attacks included the LockBit ransomware attack on the City of Oakland, CA, the Royal ransomware attack on the City of Dallas, TX, the BlackByte ransomware attack on Augusta, GA, and the Clop group's mass exploitation of a zero-day vulnerability in the MOVEit Transfer file transfer solution.

Some of the most common tools used by threat actors include AdFind for harvesting information from Active Directory (AD), Mimikatz for credential theft, Cobalt Strike as an attack framework, and Extreme RAT for remote access, malware delivery, and espionage. The most common malware families detected and blocked across all industry sectors were droppers/downloaders such as Emotet, PrivateLoader, and SmokeLoader; information stealers such as RedLine, Raccoon Stealer, Vidar, and IcedID; and remote access Trojans such as Agent Tesla. BlackBerry's telemetry shows a 13% increase in unique malware samples, indicating that threat actors are diversifying their tooling when compiling their malware. The underlying malware is largely the same, but each rebuild produces a different file hash, which is enough to evade the simple hash feeds and filters that more traditional security operations centers rely on.
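To make that last point concrete, here is an added Python example (not code from the BlackBerry report) showing why an exact-hash feed misses a recompiled variant while a content-based rule and a feature hash still match. The two "samples" are constructed byte strings standing in for two builds of the same stealer, and the rule is an assumption modelled on a YARA-style "N of them" condition.

```python
import hashlib
import re


def build_sample(timestamp: str) -> bytes:
    """Constructed stand-in for one build of an information stealer. The payload
    logic (API names, browser database name, C2 path) is identical across
    builds; only the compiler-embedded build timestamp differs."""
    return (
        b"MZ\x90\x00PE\x00\x00"
        + b"BUILD=" + timestamp.encode() + b"\x00"
        + b"CryptUnprotectData\x00GetClipboardData\x00InternetOpenUrlA\x00"
        + b"\\Login Data\x00/gate.php\x00"
    )


SAMPLE_A = build_sample("2023-03-01T10:00:00")
SAMPLE_B = build_sample("2023-04-15T22:30:00")  # "recompiled" six weeks later


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def blocked_by_hash_feed(data: bytes, feed: set[str]) -> bool:
    """Exact-match feed: any single-byte difference yields an unknown hash."""
    return sha256_hex(data) in feed


# YARA-style rule (assumed): hit if at least `threshold` of the strings appear.
STEALER_RULE = {
    "strings": [b"CryptUnprotectData", b"GetClipboardData", b"\\Login Data", b"/gate.php"],
    "threshold": 2,
}


def matches_string_rule(data: bytes, rule: dict) -> bool:
    hits = sum(1 for s in rule["strings"] if s in data)
    return hits >= rule["threshold"]


# Crude extractor for API-looking identifiers: a capital followed by 5+ letters.
API_NAME = re.compile(rb"[A-Z][A-Za-z]{5,}")


def feature_hash(data: bytes) -> str:
    """Hash over the sorted set of API-looking strings rather than raw bytes,
    in the spirit of import hashing: build metadata does not change it."""
    names = sorted(set(API_NAME.findall(data)))
    return hashlib.sha256(b"|".join(names)).hexdigest()


def classify(data: bytes, hash_feed: set[str], rule: dict) -> dict:
    """Run all three checks on one sample and return the results."""
    return {
        "sha256": sha256_hex(data),
        "hash_feed_hit": blocked_by_hash_feed(data, hash_feed),
        "rule_hit": matches_string_rule(data, rule),
        "feature_hash": feature_hash(data),
    }


if __name__ == "__main__":
    feed = {sha256_hex(SAMPLE_A)}  # the feed only ever saw build A
    for name, sample in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(name, classify(sample, feed, STEALER_RULE))
```

Build A is caught by every check; build B slips past the hash feed but is still flagged by the string rule and shares build A's feature hash, which is the kind of behaviour- or content-based detection the report is recommending over hash matching alone.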

BlackBerry predicts that the number of attacks on the healthcare industry will continue to increase and recommends prioritizing detection of the tactics most frequently used in these attacks: discovery and defense evasion. Learning the tactics, techniques, and procedures used by threat groups can help network defenders significantly reduce the impact of attacks, and will aid their threat hunting, incident response, and recovery efforts.

Cybersecurity Agencies Share 2022’s Most Commonly Exploited Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and their Five Eyes intelligence partners have issued a joint security advisory detailing the most commonly exploited vulnerabilities of 2022. Cyber threat actors target Internet-facing systems with unpatched vulnerabilities to gain initial access to organizations' internal networks, from which they steal sensitive data and conduct other post-exploitation activities. The advisory lists the top 12 Common Vulnerabilities and Exposures (CVEs) exploited by malicious actors in 2022, along with a further 30 CVEs that were also routinely exploited. This year the list includes the associated Common Weakness Enumerations (CWEs), which identify the root cause that allowed each vulnerability to be exploited.

While sophisticated threat groups actively seek out zero-day vulnerabilities or develop exploits for recently disclosed CVEs, in 2022 malicious actors exploited older vulnerabilities far more often than newly disclosed ones. Many vulnerabilities on the list had proof-of-concept (PoC) exploits in the public domain, which put exploitation within reach of a much broader range of threat actors. Top of the list is a five-year-old path traversal vulnerability in Fortinet's SSL VPNs (FortiOS/FortiProxy), CVE-2018-13379, which was also among the most frequently exploited vulnerabilities in 2020 and 2021. Despite being the 15th most commonly exploited vulnerability in 2021 and a patch having been available since May 2019, many organizations failed to patch and remained vulnerable. The vulnerability has been exploited by advanced persistent threat (APT) actors and cybercriminal groups such as ransomware gangs.

It was a similar story with the group of Microsoft Exchange Server vulnerabilities dubbed ProxyShell (CVE-2021-34473, CVE-2021-31207, and CVE-2021-34523), which together allow a security feature bypass, elevation of privilege, and remote code execution. The vulnerabilities were identified and patched the previous year, and despite extensive media coverage and security warnings, many organizations failed to apply the patches. An authentication bypass flaw in Zoho ManageEngine ADSelfService Plus that allowed remote code execution, and a code execution flaw in Atlassian's Confluence Server and Data Center, were likewise disclosed and patched the previous year.

Threat actors develop exploits for known vulnerabilities and can typically use them successfully for a couple of years in low-cost, high-impact attacks because many organizations fail to patch promptly or implement the recommended mitigations. The cybersecurity agencies urge all organizations to use the list as a guide to prioritize patching; failing to apply patches promptly, especially for known exploited vulnerabilities, makes it easier for attackers to gain access to networks.

In addition to implementing a centralized patch management system, patching promptly, and conducting regular vulnerability scans, the cybersecurity agencies encourage vendors, designers, developers, and end-user organizations to take other steps to reduce the risk of compromise by malicious cyber actors, such as implementing secure-by-design principles, prioritizing secure-by-default configurations, and ensuring disclosed CVEs include the correct CWE stating the root cause of the vulnerability.

Most Commonly Exploited CVEs in 2022

CVE | Vendor | Product | Vulnerability | CWE
CVE-2018-13379 | Fortinet | FortiOS and FortiProxy | SSL VPN credential exposure | CWE-22 Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
CVE-2021-34473 (ProxyShell) | Microsoft | Exchange Server | RCE | CWE-918 Server-Side Request Forgery
CVE-2021-31207 (ProxyShell) | Microsoft | Exchange Server | Security Feature Bypass | CWE-22 Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
CVE-2021-34523 (ProxyShell) | Microsoft | Exchange Server | Elevation of Privilege | CWE-287 Improper Authentication
CVE-2021-40539 | Zoho | ADSelfService Plus | RCE / Authentication Bypass | CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection)
CVE-2021-26084 | Atlassian | Confluence Server and Data Center | Arbitrary Code Execution | CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (Expression Language Injection)
CVE-2021-44228 (Log4Shell) | Apache | Log4j2 | RCE | CWE-20 Improper Input Validation; CWE-400 Uncontrolled Resource Consumption; CWE-502 Deserialization of Untrusted Data
CVE-2022-22954 | VMware | Workspace ONE | RCE | CWE-94 Improper Control of Generation of Code (Code Injection)
CVE-2022-22960 | VMware | Workspace ONE | Improper Privilege Management | CWE-269 Improper Privilege Management
CVE-2022-1388 | F5 Networks | BIG-IP | Missing Authentication | CWE-306 Missing Authentication for Critical Function
CVE-2022-30190 | Microsoft | Multiple Products | RCE | None listed
CVE-2022-26134 | Atlassian | Confluence Server and Data Center | RCE | CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection)
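As an added example of using such a list to prioritize patching (this is not part of the advisory), the Python below cross-references a constructed asset inventory against a small excerpt written in the shape of CISA's Known Exploited Vulnerabilities (KEV) catalog JSON. The catalog rows, dates, due dates, and the inventory are all constructed for the example; the real catalog is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and uses the same field names.

```python
import json
from datetime import date

# Constructed excerpt in the shape of the KEV catalog JSON. The CVEs are from
# the advisory's list above; dates, due dates and names here are illustrative.
KEV_JSON = """
{
  "vulnerabilities": [
    {"cveID": "CVE-2018-13379", "vendorProject": "Fortinet", "product": "FortiOS and FortiProxy",
     "vulnerabilityName": "Fortinet FortiOS SSL VPN Path Traversal", "dateAdded": "2021-11-03",
     "dueDate": "2022-05-03", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2021-34473", "vendorProject": "Microsoft", "product": "Exchange Server",
     "vulnerabilityName": "Microsoft Exchange Server Remote Code Execution", "dateAdded": "2021-11-03",
     "dueDate": "2022-05-03", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2022-22954", "vendorProject": "VMware", "product": "Workspace ONE Access and Identity Manager",
     "vulnerabilityName": "VMware Workspace ONE Access Server-Side Template Injection", "dateAdded": "2022-04-14",
     "dueDate": "2022-05-05", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2022-1388", "vendorProject": "F5", "product": "BIG-IP",
     "vulnerabilityName": "F5 BIG-IP Missing Authentication", "dateAdded": "2022-05-10",
     "dueDate": "2022-05-31", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed asset inventory: what is deployed and whether it faces the Internet.
INVENTORY = [
    {"host": "vpn-edge-01", "vendor": "Fortinet",  "product": "FortiOS",         "internet_facing": True},
    {"host": "mail-01",     "vendor": "Microsoft", "product": "Exchange Server", "internet_facing": True},
    {"host": "lb-internal", "vendor": "F5",        "product": "BIG-IP",          "internet_facing": False},
    {"host": "wiki-01",     "vendor": "Atlassian", "product": "Confluence",      "internet_facing": True},
]


def load_kev(text: str) -> list[dict]:
    return json.loads(text)["vulnerabilities"]


def product_matches(asset: dict, entry: dict) -> bool:
    """Loose name match: the vendor must match, and the asset's product name
    must appear in the catalog's product field (catalog names are often composite)."""
    vendor_ok = asset["vendor"].lower() == entry["vendorProject"].lower()
    return vendor_ok and asset["product"].lower() in entry["product"].lower()


def prioritize(inventory: list[dict], kev: list[dict], today: date) -> list[dict]:
    """Return (host, CVE) findings sorted most urgent first: Internet-facing,
    then used in ransomware campaigns, then longest time in the catalog."""
    findings = []
    for asset in inventory:
        for entry in kev:
            if not product_matches(asset, entry):
                continue
            added = date.fromisoformat(entry["dateAdded"])
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "internet_facing": asset["internet_facing"],
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                "days_in_catalog": (today - added).days,
                "overdue": date.fromisoformat(entry["dueDate"]) < today,
            })
    findings.sort(key=lambda f: (not f["internet_facing"], not f["ransomware"], -f["days_in_catalog"]))
    return findings


if __name__ == "__main__":
    for finding in prioritize(INVENTORY, load_kev(KEV_JSON), date(2023, 8, 7)):
        print(finding)
```

The ordering deliberately puts exposure (Internet-facing) ahead of the catalog's own ransomware flag and age, since that is the order in which an attacker will find the systems; an inventory that does not record exposure cannot support this and is the first gap to close.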

Ivanti Discloses Another Maximum Severity Endpoint Manager Mobile Vulnerability

Ivanti has disclosed another maximum-severity vulnerability in its Endpoint Manager Mobile (EPMM) solution (formerly MobileIron Core). The vulnerability, tracked as CVE-2023-35082, has the maximum CVSS v3.1 severity score of 10.0 and affects MobileIron Core 11.2 and older versions. It is described as a remote unauthenticated API access issue: an unauthenticated remote attacker can reach restricted resources, potentially allowing the theft of users' personally identifiable information and limited changes to be made to the server. Ivanti said it does not believe the flaw has been exploited in the wild.

Because MobileIron Core 11.2 reached end of support on March 15, 2022, no patch will be released for this flaw; the only remediation is to upgrade to the latest version of Ivanti EPMM. Ivanti confirmed that the vulnerability does not affect MobileIron Core 11.3 and above, any version of Ivanti Endpoint Manager, or Ivanti Neurons for MDM.

The vulnerability was identified by Stephen Fewer, a Rapid7 security researcher, and is related to the recently disclosed maximum-severity zero-day vulnerability CVE-2023-35078, which was exploited in attacks on the Norwegian government and other entities. CVE-2023-35078 is an authentication bypass that can be chained with a second vulnerability, CVE-2023-35081, to gain administrative privileges on compromised systems. Ivanti released a patch for CVE-2023-35078 on July 23, 2023, and a patch for CVE-2023-35081 on July 28, 2023.

On August 1, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that advanced persistent threat actors have been chaining the CVE-2023-35078 and CVE-2023-35081 vulnerabilities to gain privileged access to EPMM systems and have been deploying web shells on compromised systems. The flaws have been exploited from at least April 2023 through to July 2023 in a cyber espionage campaign that saw the networks of several Norwegian government entities compromised. CISA and the Norwegian National Cyber Security Centre (NCSC-NO) expressed concern that the vulnerabilities could be exploited in widespread attacks on government and private sector networks. Indicators of compromise (IOCs) and the threat actor’s tactics, techniques, and procedures (TTPs) have been shared by CISA, and users of vulnerable EPMM versions have been advised to update to the latest version as soon as possible.
