Merlin Labs Memo -- Week of March 20-24


CISA Program Warns Critical Infrastructure Organizations Vulnerable to Ransomware Attacks

The US Cybersecurity and Infrastructure Security Agency (CISA) has launched a pilot program to warn critical infrastructure organizations if their systems contain vulnerabilities that may be exploited in ransomware attacks.

The new Ransomware Vulnerability Warning Pilot (RVWP), which kicked off on January 30, is meant to help those organizations that might be unaware that a vulnerability targeted by ransomware groups is lurking in their networks.

When such a security defect is identified, CISA’s regional cybersecurity personnel notify the impacted entity via phone or email, so that the issue can be resolved before it’s exploited.

According to CISA, the RVWP uses ‘existing authorities and technology’ to proactively discover information systems affected by flaws known to be exploited in ransomware attacks.

“CISA accomplishes this work by leveraging its existing services, data sources, technologies, and authorities, including CISA’s Cyber Hygiene Vulnerability Scanning service and the Administrative Subpoena Authority granted to CISA under Section 2209 of the Homeland Security Act of 2002,” the agency says. – Via: SecurityWeek

Our Take: The thing I like best about this program is its proactive nature, and that this is the latest in a series of steps taken by CISA to improve the cybersecurity posture of the FCEB agencies and critical infrastructure organizations, who are increasingly the target of ransomware attacks. Over the past 18 months, CISA has invested a great deal of effort into creating and maintaining the list of Known Exploited Vulnerabilities (KEV). CISA issued BOD 22-01 in November 2021, named “Reducing the Significant Risk of Known Exploited Vulnerabilities,” which instructs federal civilian agencies to review and update their internal vulnerability management procedures in accordance with the directive within 60 days. CISA issued BOD 23-01 in October 2022 to improve asset visibility and vulnerability detection on Federal networks. Each of these efforts focuses on a different but equally important aspect of cybersecurity.

This latest program builds on existing technologies to proactively discover information systems affected by flaws known to be exploited in ransomware attacks, and then notify vulnerable entities. While the security firm VulnCheck (VulnCheck - Outpace Adversaries) pointed out in a recent news item, "Dozens of Exploited Vulnerabilities Missing From CISA 'Must Patch' List" (SecurityWeek), that some exploited flaws are missing from the catalog, the article also notes that in 2022 alone CISA added 550 vulnerabilities to the KEV, and that “The CISA KEV Catalog is undoubtedly helpful and a driving force in our industry….”

These CISA-sponsored programs are part of the larger, much-anticipated National Cybersecurity Strategy released earlier this month. While the strategy has multiple focus points, it also singles out ransomware attacks, and pledges to address that threat “through a comprehensive Federal approach and in lockstep with our international partners.” Given the funding commitment from the Federal government, these programs will only improve with time. – Joe DiMarcantonio, PMP

Additional Reading:


Healthcare Data Breach Impacts 4.2 Million Individuals

Florida-based Independent Living Systems, an organization providing support services to managed care organizations, experienced a breach last summer that impacted over 4.2 million people. The breach was described as one involving “inaccessible computers” which may or may not be synonymous with ransomware. The incident was originally reported in September 2022 to HHS’ HIPAA Breach Reporting Tool website as a hacked server incident impacting 501 people. Interestingly, a 60-day requirement for reporting HIPAA breaches impacting more than 500 individuals means organizations may report breaches prior to understanding the full size and impact. As it turns out, after a full investigation, the size of this breach grew from 501 to 4.2 million impacted users – which had it been fully understood at the time of the first report would have been 2022’s largest single health data breach. Instead, the full impact of the breach including notification to affected individuals just happened this month. According to the article, “potentially compromised information includes name, address, birthdate, government identifiers, financial account information, treatment for mental or physical ailments and diagnosis codes.” – Via: Healthcare Info Security

Our Take: While this article is short on details of the nature of the breach itself, we know that hackers exploited the network’s servers and in some manner gained access to the PHI and PII of an astonishing 4.2 million people. Unfortunately, it’s a reminder that we are all impacted by the cybersecurity posture and protections, or lack thereof, of systems that we use. It’s no longer possible to navigate daily living without our information being processed by and stored in IT systems. We are at the mercy of those IT teams and cybersecurity administrators to protect our data. Next generation firewalls, antivirus software and other malware detection tools, strong FIPS-validated encryption for data at rest and in transit along with anti-phishing technologies and multi-factor authentication are just a few elements that should be implemented and appropriately configured around every system that processes PHI and PII, not to mention adopting a least-privilege, zero-trust approach to system access. 4.2 million people whose private healthcare and personally identifiable information were exposed deserve something different. Let’s commit to doing better. – Sarah Hensley, MS-SLP

Additional Reading:


New Identity Guidance from CISA, NSA

According to the 2022 Verizon Data Breach Investigations Report, 80% of web application attacks use compromised credentials. Phishing attacks are a constant source of pain in terms of compromising user credentials, which help attackers penetrate faster and deeper. To respond to this issue, CISA and the NSA have issued new guidelines for identity and access management (IAM).

Our Take: The guidelines themselves do not carry surprises: SSO, MFA, asset inventory, identity inventory, SAML, IAM auditing and monitoring; these are all things we’ve heard of before. Heard, yes, but have we listened? With global tensions remaining at higher levels than in previous decades, we have to look at Identity as perhaps the most critical pillar of cybersecurity defense, given its current vulnerability.

The good news is that the CISA/NSA report (linked below) contains actionable recommendations for security teams to implement. It’s full of best practices and justification for the “why?” behind the security. We need to move away from admin accounts created for ease of implementation and embrace proper Identity hygiene. – Dean Webb

Additional Reading:


In-Depth Review Shows Fortinet Gateway has been Actively Exploited

“Government entities and large organizations have been targeted by an unknown threat actor by exploiting a security flaw in Fortinet FortiOS software to result in data loss and OS and file corruption.

"The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," Fortinet researchers Guillaume Lovet and Alex Kong said in an advisory last week.

The zero-day flaw in question is CVE-2022-41328 (CVSS score: 6.5), a medium-severity path traversal bug in FortiOS that could lead to arbitrary code execution.

“Mid-2022, Mandiant, in collaboration with Fortinet, investigated the exploitation and deployment of malware across multiple Fortinet solutions including FortiGate (firewall), FortiManager (centralized management solution), and FortiAnalyzer (log management, analytics, and reporting platform).”

The activity discussed in this blog post is further evidence that advanced cyber espionage threat actors are taking advantage of any technology available to persist and traverse a target environment, especially those technologies that do not support EDR solutions.


– Via: The HackerNews

Our Take: The level of sophistication presented in this attack framework is remarkable. It shows a careful level of planning, targeting and execution. The combination of using FortiGate and VMware exploits is remarkable and showcases the need to monitor for any changes in the behavior of the network traffic.

As a zero-day, good hygiene would not have prevented the initial attacks; however, monitoring with an NMS or 3rd-party configuration manager for changed firmware and configuration controls might have detected or at least warned of an unexpected change in the FortiGate.

Going forward, upgrading to the latest version is vital for any organization.

  • Upgrade to FortiOS version 7.2.4 or above
  • Upgrade to FortiOS version 7.0.10 or above
  • Upgrade to FortiOS version 6.4.12 or above

Considering the number of high-impact VMware CVEs that have been revealed over the last 6 months, any ESX cluster must be considered a vulnerable asset and secured with 3rd-party AppControl, Privileged Account Management, and network management solutions where possible. – Jeremy Newberry
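The two recommendations above for FortiGate owners, an upgrade to the fixed release on each branch and a configuration manager that flags unexpected firmware or configuration changes, can be expressed as a small audit. The following is an added example written for this memo; it is not code from Fortinet, from the memo's authors or from any NMS vendor. It encodes only the three fixed versions the memo lists (7.2.4, 7.0.10, 6.4.12), and the device inventory, version strings and config dumps it runs over are constructed for illustration.

```python
"""FortiOS patch-level and configuration-drift audit (added example).

Assumptions, all constructed for this example: device names, version strings
and the config dumps below are invented; the fixed-version table comes from the
memo's upgrade guidance (7.2.4, 7.0.10, 6.4.12 for CVE-2022-41328).
"""
from __future__ import annotations

import difflib
import hashlib

# Minimum fixed release per FortiOS branch, as listed in the memo.
FIXED_BY_BRANCH = {
    (7, 2): (7, 2, 4),
    (7, 0): (7, 0, 10),
    (6, 4): (6, 4, 12),
}

# Constructed baseline config (what the configuration manager stored last time).
BASELINE_CONFIG = """
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
end
"""

# Constructed current snapshot: the trusted host was widened and an admin added.
CURRENT_CONFIG = """
config system admin
    edit "admin"
        set trusthost1 0.0.0.0 0.0.0.0
    next
    edit "support"
        set accprofile "super_admin"
    next
end
"""

# Constructed inventory: device name -> reported FortiOS version.
DEVICES = {"fgt-edge-1": "7.0.9", "fgt-edge-2": "7.2.4"}
BASELINES = {"fgt-edge-1": BASELINE_CONFIG, "fgt-edge-2": BASELINE_CONFIG}
SNAPSHOTS = {"fgt-edge-1": CURRENT_CONFIG, "fgt-edge-2": BASELINE_CONFIG}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '7.0.9' or 'v7.0.9' into (7, 0, 9); reject anything else."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def version_status(text: str) -> str:
    """'fixed' at or above the branch's patched release, 'vulnerable' below it,
    'no-fix-listed' for a branch the memo's guidance does not cover."""
    version = parse_version(text)
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return "no-fix-listed"
    return "fixed" if version >= fixed else "vulnerable"


def config_fingerprint(config_text: str) -> str:
    """SHA-256 over a whitespace-normalised config dump; the baseline value."""
    lines = [line.rstrip() for line in config_text.strip().splitlines()]
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()


def config_drift(baseline: str, current: str) -> list[str]:
    """Added (+) and removed (-) config lines relative to the baseline."""
    diff = difflib.unified_diff(
        baseline.strip().splitlines(), current.strip().splitlines(),
        fromfile="baseline", tofile="current", lineterm="", n=0)
    return [l for l in diff
            if l.startswith(("+", "-")) and not l.startswith(("+++ ", "--- "))]


def audit(devices: dict[str, str], baselines: dict[str, str],
          snapshots: dict[str, str]) -> list[str]:
    """One patch-status finding per device, plus a drift finding whenever the
    current config fingerprint no longer matches the stored baseline."""
    findings = []
    for name, version in devices.items():
        findings.append(f"{name}: FortiOS {version} -> {version_status(version)}")
        if config_fingerprint(snapshots[name]) != config_fingerprint(baselines[name]):
            changed = config_drift(baselines[name], snapshots[name])
            findings.append(f"{name}: config drift, {len(changed)} changed line(s)")
    return findings


if __name__ == "__main__":
    for finding in audit(DEVICES, BASELINES, SNAPSHOTS):
        print(finding)
    for line in config_drift(BASELINE_CONFIG, CURRENT_CONFIG):
        print("   ", line)
```

The version check is deliberately branch-aware: 7.0.9 is below 7.0.10 and therefore reported as vulnerable even though 7.0.x is numerically "older" than 7.2.x, and a branch not in the memo's list (6.2.x, for instance) is reported as having no listed fix rather than silently passing. The drift check does what the memo asks of an NMS: it stores only a fingerprint of the last-known-good configuration and raises a finding, with the changed lines, the moment a snapshot no longer matches.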

Additional Reading:


Readers of our Newsletter: What’s working, what’s not, and what’s on your mind? Leave a comment below or email [email protected]. Thank you!
