Cyber Risk Update 12 APR 2024

This is a selection of this week's events.  For more news and advisories, check out our discord server.  CIKR Cyber Sentinels discord server. This server is focused on cybersecurity collaboration with critical infrastructure stakeholders. (TLP Clear Only) Invite: https://discord.gg/PGz3NDKb5V  

Join (ISC)2 East Bay Chapter; membership is free! https://isc2-eastbay-chapter.org/membership/

Events

20 APR 2024, 9 am to noon, Applying Key Governance, Risk Management and Compliance (GRC) Flow of Work Principles Workshop https://womenscyberjutsu.org/events/EventDetails.aspx?id=1836869&group=

Resources

• The Secure Cloud Business Applications (SCuBA) project provides guidance and capabilities to secure agencies’ cloud business application environments and protect federal information that is created, accessed, shared and stored in those environments. (SLTT & CIKR partners can use this tool as well.) Microsoft 365 & Google Workspace Secure Configuration Baselines are included with the tool. These security configuration baselines for Microsoft 365 (M365) and Google Workspace (GWS) provide easily adoptable recommendations that complement each agency’s unique requirements and risk tolerance levels as well as include automation features to assist federal agencies in rapidly assessing their M365 and GWS services. https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project

• CISA launches malware analysis tool to help gather intelligence for network defenders (04/11) https://insidecybersecurity.com/daily-news/cisa-launches-malware-analysis-tool-help-gather-intelligence-network-defenders

• NSA Updates Zero-Trust Advice to Reduce Attack Surfaces https://www.darkreading.com/cybersecurity-operations/nsa-updates-zero-trust-advice-to-reduce-attack-surfaces

Chinese Communist Party

• China tests US voter fault lines and ramps AI content to boost its geopolitical interests https://blogs.microsoft.com/on-the-issues/2024/04/04/china-ai-influence-elections-mtac-cybersecurity/

• People's Republic of China Cyber Threat https://www.cisa.gov/topics/cyber-threats-and-advisories/nation-state-cyber-actors/china 

• People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a

• PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a

• Identifying and Mitigating Living Off the Land Techniques https://www.cisa.gov/resources-tools/resources/identifying-and-mitigating-living-land-techniques 

• MAR-10448362-1.v1 Volt Typhoon https://www.cisa.gov/news-events/analysis-reports/ar24-038a 

• PRC State-Sponsored Cyber Activity: Actions for Critical Infrastructure Leaders https://www.cisa.gov/resources-tools/resources/prc-state-sponsored-cyber-activity-actions-critical-infrastructure-leaders 

• Some Volt Typhoon victims ‘won’t know they’re impacted,’ Mandiant CEO says https://www.nextgov.com/cybersecurity/2024/04/some-volt-typhoon-victims-wont-know-theyre-impacted-mandiant-ceo-says/395659/

CIRCIA

In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Enactment of CIRCIA marked an important milestone in improving America’s cybersecurity by, among other things, requiring the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA. These reports will allow CISA to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims. https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/cyber-incident-reporting-critical-infrastructure-act-2022-circia 

Vulnerabilities

Zero-Day Alert: Critical Palo Alto Networks PAN-OS Flaw Under Active Attack https://thehackernews.com/2024/04/zero-day-alert-critical-palo-alto.html

Cyber Incidents

• U.S. Federal Agencies Ordered to Hunt for Signs of Microsoft Breach and Mitigate Risks (You Should Too) https://thehackernews.com/2024/04/us-federal-agencies-ordered-to-hunt-for.html

• ED 24-02: Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System https://www.cisa.gov/news-events/directives/ed-24-02-mitigating-significant-risk-nation-state-compromise-microsoft-corporate-email-system

• Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/

• Update on Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard https://msrc.microsoft.com/blog/2024/03/update-on-microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/

• Roku warns 576,000 accounts hacked in new credential stuffing attacks https://www.bleepingcomputer.com/news/security/roku-warns-576-000-accounts-hacked-in-new-credential-stuffing-attacks/

• CISA issues warning over 'Midnight Blizzard' Microsoft attack (04/12) https://www.thestack.technology/cisa-issues-warning-over-midnight-blizzard-microsoft-attack

• The Hill: CISA confirms Russia-linked hackers tapped into correspondence between federal agencies, Microsoft (04/11) https://thehill.com/policy/technology/4589382-cisa-confirms-russian-linked-hacker-correspondence-between-federal-agencies-microsoft

• Massive Sign1 Campaign Infects 39,000+ WordPress Sites with Scam Redirects https://thehackernews.com/2024/03/massive-sign1-campaign-infects-39000.html

• US Offers $10M Bounty for Information on ‘Blackcat’ Hackers Who Hit UnitedHealth https://www.insurancejournal.com/news/national/2024/03/28/766990.htm

• Change Healthcare Attack 'Devastating' to Doc Practices https://www.healthcareinfosecurity.com/change-healthcare-attack-devastating-to-doc-practices-a-24842

• Apple Warns Users in 150 Countries of Mercenary Spyware Attacks https://www.darkreading.com/vulnerabilities-threats/apple-warns-users-targeted-by-mercenary-spyware

• Sisense customers told to reset credentials amid supply chain attack fears https://www.scmagazine.com/news/sisense-customers-told-to-reset-credentials-amid-supply-chain-attack-fears

Third-Party Risk

• Krebs on Security: Why CISA is Warning CISOs About a Breach at Sisense (04/11) https://krebsonsecurity.com/2024/04/why-cisa-is-warning-cisos-about-a-breach-at-sisense

TTP & Malware

• LastPass: Hackers targeted employee in failed deepfake CEO call https://www.bleepingcomputer.com/news/security/lastpass-hackers-targeted-employee-in-failed-deepfake-ceo-call/

Governance Risk and Compliance

• IMF evaluates financial sector cyberrisk for first time https://www.wsj.com/articles/imf-warns-of-cyber-risks-to-financial-sector-a37296c3

Privacy

• The federal HR agency finalized a rule Friday that would help prevent potential identity theft by restricting the inclusion of Social Security numbers in mailed documents and establishing criteria for protecting the information. https://www.govexec.com/management/2024/04/opm-rule-removes-social-security-numbers-mailed-documents/395700/

World Affairs

• U.S. Moves Warships to Defend Israel in Case of Iranian Attack https://www.wsj.com/world/middle-east/iranian-attack-expected-on-israel-in-next-two-days-42b0537c

Legislation and Funding

• Mayorkas pushes for full funding to implement upcoming CISA mandatory incident reporting structure effectively (04/11) https://insidecybersecurity.com/daily-news/mayorkas-pushes-full-funding-implement-upcoming-cisa-mandatory-incident-reporting

• Gov Info Security: FBI Calls for Increased Funding to Counter Cyber Threats (04/11) https://www.govinfosecurity.com/fbi-calls-for-increased-funding-to-counter-cyber-threats-a-24845