Five Eyes Agencies Urge Critical Infrastructure to Take Volt Typhoon Threat Seriously

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and other U.S. and international partners have issued a joint fact sheet warning critical infrastructure entities to take the threat of attacks by Chinese state-sponsored actors seriously. The warning follows on from a February 2024 cybersecurity alert about an advanced persistent threat group known as Volt Typhoon, which was discovered to have embedded itself in the networks of many critical infrastructure entities, including transportation, energy, communications, and water and wastewater systems. The intrusions are believed to be strategic, with the threat actors maintaining persistent access to potentially disrupt or destroy critical services in the event of increased geopolitical tension or military conflicts.

Volt Typhoon uses living-off-the-land techniques rather than malware to maintain access to compromised networks and conduct its activities, which helps it evade detection. The extent of the compromises has yet to be determined, but it could be extensive. Many critical infrastructure entities have had systems compromised, and efforts are ongoing to ensure the threat actors are removed from those systems.

The fact sheet provides leaders of critical infrastructure entities with guidance to help them prioritize the protection of critical infrastructure and functions. The issuing agencies urge leaders to recognize cyber risk as a core business risk, which is essential for good governance and national security. Leaders should empower cybersecurity teams to make informed resourcing decisions to better detect and defend against Volt Typhoon intrusions and malicious cyber activities, such as implementing cybersecurity performance goals. Cybersecurity teams should also be empowered to effectively apply detection and hardening best practices, the staff should receive continuous cybersecurity training and skill development, and organizations should develop and test comprehensive information security plans and drive a cybersecurity culture in their organization.

Leaders have also been advised to secure their supply chains by establishing strong vendor risk management processes, exercising due diligence, selecting vendors that adhere to secure-by-design principles, ensuring vendors have patching plans, and limiting usage of any product that breaks the principle of least privilege.

The post Five Eyes Agencies Urge Critical Infrastructure to Take Volt Typhoon Threat Seriously appeared first on HIPAA Journal.

HPH Sector Warned About Email Bombing Attacks

Healthcare organizations have been warned about the threat of email bombing attacks, which are a type of denial-of-service (DoS) attack that targets email systems. As with other types of DoS attacks, the aim is to render systems unavailable. These attacks, also known as mail bomb or letter bomb attacks, usually involve a botnet – a network of malware-infected computers under the control of an attacker.

Once a target is selected, an email server is flooded with hundreds or thousands of email messages that overload the email system. These attacks are an inconvenience for the victim; however, they can also hide other malicious activities. For example, security warnings may be buried among all the emails, making it easier for those warnings to be missed. Those warning emails may be about account sign-in attempts, updates to account information such as changes to contact information, information about financial transactions, or online order confirmations. These attacks can also be used as a smokescreen to draw the attention of security teams while other systems are attacked. When email servers are targeted in email bombing attacks, network performance is often degraded, which can potentially lead to direct business downtime.

There are various types of email bombing attacks, one of the most common of which is registration bombing. These attacks use automated bots to crawl the web to find newsletter sign-up forms on legitimate websites. The targeted user is then signed up to hundreds or thousands of newsletters all at once, resulting in a steady flow of unwanted emails. An alternative form of this attack involves link listing, where email addresses are added to multiple subscription services that do not require verification. These attacks can result in emails being received for months or even years after the initial attack. In addition, victims’ email addresses are often added to various spam, phishing, and malware distribution lists.

Attachment attacks involve sending multiple emails with large attachments, which are designed to slow down mail delivery and overload server storage space, rendering email servers unresponsive. A zip bomb attack, also known as a decompression bomb or zip of death attack, involves a large, compressed archive being sent to an email address, which consumes available server resources when decompressed, thus impacting server performance. Email bombing attacks may be conducted by a single actor or a group of actors, and threat actors offer these types of services on the dark web. One well-known seller of these services charges $15 for every 5,000 messages, with costs reducing based on the volume of messages required, e.g. $30 for 20,000 messages.
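A mail gateway can screen for the decompression-bomb case described above without ever inflating the archive, because a zip's central directory already declares each member's compressed and uncompressed sizes. The following is an added example (not HC3 guidance or code from the original post); the thresholds are assumed policy values, and the sample archives are constructed in memory.

```python
"""Screen a zip attachment for decompression-bomb characteristics by reading
only its central directory, never extracting member data."""
import io
import zipfile

# Assumed policy thresholds (constructed for this example, not from HC3).
MAX_RATIO = 100                      # declared output / compressed input
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # declared total output, 50 MiB
MAX_MEMBERS = 1000                   # guards against many-tiny-file bombs


def screen_zip_attachment(data: bytes) -> dict:
    """Return a verdict dict for an attachment body. Cheap even for bombs,
    because zipfile only parses directory metadata here."""
    try:
        members = zipfile.ZipFile(io.BytesIO(data)).infolist()
    except zipfile.BadZipFile:
        return {"accept": False, "reason": "not a valid zip archive", "ratio": 0.0}
    if len(members) > MAX_MEMBERS:
        return {"accept": False, "reason": f"too many members ({len(members)})", "ratio": 0.0}
    total_out = sum(m.file_size for m in members)
    total_in = sum(m.compress_size for m in members) or 1  # avoid div by zero
    ratio = total_out / total_in
    if total_out > MAX_TOTAL_BYTES:
        return {"accept": False, "reason": f"declared output {total_out} B exceeds limit", "ratio": ratio}
    if ratio > MAX_RATIO:
        return {"accept": False, "reason": f"ratio {ratio:.0f}:1 exceeds {MAX_RATIO}:1", "ratio": ratio}
    return {"accept": True, "reason": "within limits", "ratio": ratio}


def make_zip(members: dict) -> bytes:
    """Build an in-memory deflate zip (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: an ordinary text report, and a bomb-like member whose
# 10 MiB of zeros deflate to a few KiB (ratio on the order of 1000:1).
BENIGN = make_zip({"report.txt": b"patient visit summary, no anomalies\n" * 20})
BOMBLIKE = make_zip({"bomb.bin": b"\x00" * (10 * 1024 * 1024)})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("bomb-like", BOMBLIKE)):
        print(label, screen_zip_attachment(blob))
```

The same declared-size check applies to nested archives: a member that is itself a zip should be screened recursively before any extraction.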

In a recent HC3 Sector Alert, the HHS Health Sector Cybersecurity Coordination Center (HC3) provided an example of a damaging attack in 2016 where an unknown group of assailants subjected thousands of .gov email inboxes to an email bombing attack that used subscription requests for legitimate companies. The attack rendered the email system unavailable for several days. “Organizations and individuals are encouraged to implement protections, security policies, and address user behavior in order to prevent future attacks,” said HC3. “Given the potential implications of such an attack on the HPH sector, especially concerning unresponsive email addresses, downgraded network performance, and potential downtime of servers, this type of attack remains relevant to all users.”

HC3 offered advice on how to defend against these attacks and mitigations for organizations that experience an email bombing attack. To defend against attacks, both user-behavior and technical measures are suggested, such as covering these types of attacks in security awareness training and advising employees not to sign up for non-work-related services with their work email addresses. Online exposure can also be limited by using contact forms that do not expose email addresses. Employees should be told how they can recognize an attack in progress and, if one occurs, told never to engage, as doing so can easily result in escalation. In the event of an attack, employees should immediately contact their IT or cybersecurity team.

Businesses can protect against these attacks using reCAPTCHA, which checks whether a human is using the platform. reCAPTCHA prevents bots from hijacking sign-up processes that could facilitate email bombing attacks. In the event of an attack, email administrators should contact their email provider, who may be able to offer assistance in deleting the spam/junk emails from the email system.
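Recognizing a registration-bomb burst, and surfacing the account-security notices an attacker may be trying to bury in it, can be automated on inbox metadata. This is an added example, not code from HC3 or the original post: the burst window, threshold and keyword list are assumed policy values, and the mailbox sample is constructed inline.

```python
"""Detect a sudden burst of messages to one recipient and pull out the
security notifications hidden among the subscription confirmations."""
from datetime import datetime, timedelta

# Assumed policy values (constructed for this example).
BURST_WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 50          # messages within the window to call it a burst
SENSITIVE = ("password", "sign-in", "login", "contact information",
             "order confirmation", "payment")   # subjects worth triaging
RECIPIENT = "j.doe@example-hospital.org"         # constructed address


def find_burst(messages, recipient):
    """Sliding-window count over (timestamp, recipient, sender, subject) tuples.
    Returns every message inside the first window that crosses the threshold,
    or None when the recipient's traffic never does."""
    items = sorted((t, s, subj) for t, r, s, subj in messages if r == recipient)
    lo = 0
    for hi in range(len(items)):
        while items[hi][0] - items[lo][0] > BURST_WINDOW:
            lo += 1
        if hi - lo + 1 >= BURST_THRESHOLD:
            start = items[lo][0]
            return [m for m in items if start <= m[0] <= start + BURST_WINDOW]
    return None


def triage(messages, recipient):
    """Report whether a burst occurred and which buried subjects need eyes."""
    burst = find_burst(messages, recipient)
    if burst is None:
        return {"burst": False, "count": 0, "flagged": []}
    flagged = [(s, subj) for _, s, subj in burst
               if any(k in subj.lower() for k in SENSITIVE)]
    return {"burst": True, "count": len(burst), "flagged": flagged}


def build_sample():
    """Constructed mailbox: 120 sign-up confirmations in two minutes, two
    genuine notices inside the flood, and one unrelated earlier message."""
    base = datetime(2024, 3, 20, 9, 0, 0)
    msgs = [(base + timedelta(seconds=i), RECIPIENT, f"news@site{i}.example",
             f"Confirm your subscription #{i}") for i in range(120)]
    msgs.append((base + timedelta(seconds=40), RECIPIENT, "no-reply@bank.example",
                 "Your contact information was updated"))
    msgs.append((base + timedelta(seconds=75), RECIPIENT, "alerts@portal.example",
                 "New sign-in from an unrecognized device"))
    msgs.append((base - timedelta(hours=3), RECIPIENT, "colleague@example-hospital.org",
                 "Meeting notes"))
    return msgs


if __name__ == "__main__":
    print(triage(build_sample(), RECIPIENT))
```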


R1 RCM Data Breach Impacts 16,000 Patients

Data breaches have recently been reported by R1 RCM, St. Mary’s Healthcare System for Children, Philips Respironics, and California Correctional Health Care Services.

R1 RCM

R1 RCM Inc., a provider of revenue cycle management services to hospitals, has recently reported a breach of the protected health information of 16,121 individuals. According to a breach notice sent to the Massachusetts Attorney General, R1 learned on November 23, 2023, that protected health information associated with Dignity Health’s St. Rose Dominican Hospital de Lima was in the possession of an unauthorized third party. The hospital’s network was not compromised in the incident.

A review was conducted to determine the data types that had been obtained, and on January 11, R1 determined that the information contained names, contact information, dates of birth, Social Security numbers, location of services, clinical and/or diagnosis information, and patient account and/or medical record numbers. R1 has notified the affected individuals directly and has offered them 2 years of complimentary credit monitoring and identity theft protection services.

St. Mary’s Healthcare System for Children, Inc.

St. Mary’s Healthcare System for Children, Inc. in Bayside, NY, identified unauthorized activity within its computer network on or around November 9, 2023, and the forensic investigation confirmed that files were removed from its network the same day. A review of those files confirmed they contained the personal information of 5,650 individuals, including names and Social Security numbers. Individual notifications were mailed to the affected individuals on March 20, 2024, and 12 months of complimentary credit monitoring services have been offered. In a comment to The HIPAA Journal, a representative of St. Mary’s Healthcare System for Children stated that “Only 254 individuals were patients whose PHI may have been viewed, the remainder were employees, former employees and other individuals whose personal information (SSNs, not PHI) may have been viewed”.

Philips Respironics

Philips Respironics has recently reported a breach to the HHS’ Office for Civil Rights that involved the protected health information of 1,125 individuals. While the breach has only recently been reported to OCR, it occurred on May 31, 2023, and involved the exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer software. Philips Respironics discovered the breach on June 5, 2023.

Two clients of Philips Respironics have recently confirmed that they have been affected: Forward Healthcare LLC and Rotech Healthcare. Forward Healthcare said it was notified by Philips Respironics on December 20, 2023, that there had been unauthorized access to the Care Orchestrator and Encore Anywhere software solutions via the MOVEit vulnerability, and personal and health information was potentially compromised. 3,999 Forward Healthcare patients were affected. Rotech Healthcare said it was notified about the incident on December 26, 2024, and was provided with a list of the affected patients. The compromised information included names, contact information, dates of birth, medical information related to the therapy delivered, and health insurance information. It is currently unclear how many Rotech patients have been affected.

California Correctional Health Care Services

California Correctional Health Care Services (CCHCS) has recently identified an impermissible disclosure of personal information. On or around February 26, 2024, a member of staff accidentally emailed an attachment to an unauthorized recipient. The attachment contained protected health information such as last names, CDCR numbers, medical information, risk/priority levels, order types/names, reasons for appointments, and dates of appointments.

CCHCS said the recipient of the email did not open or view the attached file and CCHCS received confirmation that the attachment has been deleted and was not shared with any other individual. The employee in question has been provided with additional privacy awareness and information security awareness training. It is currently unclear how many individuals have been affected.
