Cyber Risk Update 7 APR 2023
Cyber risk update for the week of April 7th, 2023.
Bonus
Reporting to Council: Why Local Governments Should Use the NIST Cybersecurity Framework https://www.learnsecurity.org/single-post/reporting-to-council-why-local-governments-should-use-the-nist-cybersecurity-framework
Why Cybersecurity Needs to be Separated from IT in Local Governments https://www.learnsecurity.org/single-post/why-cybersecurity-needs-to-be-separated-from-it-in-local-governments
Data Breaches
63,341 Customers Impacted in Blue Shield of California Data Breach https://www.securitymagazine.com/articles/99139-63-341-customers-impacted-in-blue-shield-of-california-data-breach
The police union filed a claim against the City of Oakland related to a February ransomware attack that exposed the personal information of current and former employees, including police. The union has demanded up to $25,000 for each affected officer. https://www.sfchronicle.com/eastbay/article/oakland-police-union-files-claim-city-data-release-17876120.php
Data Breach at Ticketing Platform Affects Dozens of Universities https://edscoop.com/audienceview-ticketing-data-breach-universities/
‘I’ve never seen anything like this:’ One of China’s most popular apps has the ability to spy on its users, say experts https://www.cnn.com/2023/04/02/tech/china-pinduoduo-malware-cybersecurity-analysis-intl-hnk/index.html
Trends
Legal Liability after data breach: DISH Slapped with Multiple Lawsuits After Ransomware Cyber Attack https://www.bleepingcomputer.com/news/security/dish-slapped-with-multiple-lawsuits-after-ransomware-cyber-attack/
Phishing Emails Up a Whopping 569% in 2022 https://www.darkreading.com/attacks-breaches/phishing-emails-up-whopping-569-percent-2022
Unit 42 Ransomware and Extortion Report Highlights: Multi-Extortion Tactics Continue to Rise https://unit42.paloaltonetworks.com/multi-extortion-rise-ransomware-report/
New Rorschach Ransomware Is The Fastest Encryptor Seen So Far https://www.bleepingcomputer.com/news/security/new-rorschach-ransomware-is-the-fastest-encryptor-seen-so-far/
Healthcare CISOs Undervalue Dark Web Intelligence https://www.hipaajournal.com/healthcare-cisos-undervalue-dark-web-intelligence/
Researcher Tricks ChatGPT Into Building Undetectable Steganography Malware https://www.darkreading.com/attacks-breaches/researcher-tricks-chatgpt-undetectable-steganography-malware
94% of Organizations Experienced a Cyberattack in 2022 https://www.hipaajournal.com/94-of-organizations-experienced-a-cyberattack-in-2022/
Tools and Resources
Skyhawk adds ChatGPT functions to enhance cloud threat detection, incident discovery https://www.csoonline.com/article/3691654/skyhawk-adds-chatgpt-functions-to-enhance-cloud-threat-detection-incident-discovery.html
Microsoft Incident Response offers an end-to-end portfolio of proactive and reactive incident response services. Microsoft Incident Response Retainer provides pre-paid blocks of hours for highly specialized incident response and recovery services before, during, and after a cybersecurity crisis. https://www.microsoft.com/en-us/security/blog/2023/03/27/microsoft-incident-response-retainer-is-generally-available/
Threat Actors
Dark Power published the names of its first victims on a dark web data leak site, threatening to publish the data if a ransom is not paid. The Dark Power payload was written in Nim, a cross-platform programming language with several speed-related advantages. https://www.bleepingcomputer.com/news/security/new-dark-power-ransomware-claims-10-victims-in-its-first-month/
A new dark web marketplace called STYX launched earlier this year and appears to be on its way to becoming a thriving hub for buying and selling illegal services or stolen data. https://www.bleepingcomputer.com/news/security/new-dark-web-market-styx-focuses-on-financial-fraud-services/
Nation States
Bitter APT is a cyberespionage hacking group recently seen targeting the Chinese nuclear energy industry. The group uses phishing emails to infect devices with malware downloaders. https://www.bleepingcomputer.com/news/security/bitter-espionage-hackers-target-chinese-nuclear-energy-orgs/
Mélofée is a previously undetected malware family targeting Linux servers that researchers linked to China-linked APT groups, in particular the Winnti group. https://securityaffairs.com/144210/apt/melofee-malware-linked-to-china.html
Threat actors aligned with Russia and Belarus are targeting elected US officials supporting Ukraine and officials of European nations, attempting to compromise their email accounts. The campaign uses malicious JavaScript customized for individual webmail portals belonging to various NATO-aligned organizations. https://arstechnica.com/information-technology/2023/03/pro-russian-hackers-target-elected-us-officials-supporting-ukraine/
Federal Government
A new executive order prohibits U.S. government agencies from using commercial spyware that presents a national security risk to the United States. https://cyberscoop.com/white-house-spyware-executive-order/
The Military Cyber Professional Association is urging lawmakers to establish a U.S. Cyber Force in the 2023 annual defense policy bill. Cyber Force would follow the 2019 arrival of Space Force and increase to six the number of branches of the U.S. military. https://therecord.media/us-cyber-force-creation-proposed-mcpa
The U.S. Food and Drug Administration (FDA) announced on March 29, 2023, that it will begin to “refuse to accept” medical devices and related systems over cybersecurity reasons beginning October 1, 2023. Developers must now design and maintain procedures able to show “that the device and related systems are cybersecure.” https://www.scmagazine.com/news/device-security/fda-will-refuse-new-medical-devices-for-cybersecurity-reasons-on-oct-1
Best Practices
Identity and Access Management Recommended Best Practices for Administrators (National Security Agency/Central Security Service) https://media.defense.gov/2023/Mar/21/2003183448/-1/-1/0/ESF%20IDENTITY%20AND%20ACCESS%20MANAGEMENT%20RECOMMENDED%20BEST%20PRACTICES%20FOR%20ADMINISTRATORS%20PP-23-0248_508C.PDF
PSA
Business Email Compromise Tactics Used to Facilitate the Acquisition of Commodities and Defrauding Vendors https://www.ic3.gov/Media/Y2023/PSA230324
TikTok
After South Dakota Gov. Kristi Noem banned TikTok from government-issued devices for state employees last November, more than half of U.S. states did the same in the following weeks. Is Montana next? https://www.wsj.com/articles/tiktoks-next-big-ban-showdown-is-in-montana-c8f07984
Florida's Board of Governors, which oversees the state university system, banned the use of TikTok and other apps owned by Chinese and Russian companies on campus WiFi networks and university-issued devices. https://www.usatoday.com/story/news/education/2023/04/06/florida-bans-tiktok-at-universities/11614982002/
Legislation
AB 1637: This bill, no later than January 1, 2025, would require a local agency, as defined, that maintains an internet website for use by the public to ensure that the internet website utilizes a “.gov” top-level domain or a “.ca.gov” second-level domain, and would require a local agency that maintains an internet website that is noncompliant with that requirement to redirect that internet website to a domain name that does utilize a “.gov” or “.ca.gov” domain. https://legiscan.com/CA/text/AB1637/id/2750549#:~:text=This%20bill%2C%20no%20later%20than%20January%201%2C%202025%2C,that%20does%20utilize%20a%20%E2%80%9C.gov%E2%80%9D%20or%20%E2%80%9C.ca.gov%E2%80%9D%20domain
Events
Identity Management Day 2023 Virtual Conference, Tue, Apr 11, 2023 at 6:00 AM - 1:30 PM (PDT), https://www.accelevents.com/e/imd2023virtualconference
Identity Management Day 2023. It’s important to be Identity Smart! https://www.learnsecurity.org/single-post/identity-management-day-2023
For Executives
What is cybersecurity? https://www.mckinsey.com/featured-insights/mckinsey-explainers/what-is-cybersecurity
Career Trends
The average CISO tenure is 3.5 years.
44% of CISOs are considering changing jobs in the next 12 months.
20% of CISOs did change jobs in the past year.
CISOs who changed employers received a 37% avg. total compensation increase.
16% of CISOs who changed jobs relocated for the new position.
Broad Pay Ranges Can Hamper Cybersecurity Hiring. State and local laws were intended in part to provide transparency, but comparing compensation listings is often impossible, recruiters say. https://www.wsj.com/articles/broad-pay-ranges-can-hamper-cybersecurity-hiring-2f4fb3c2
Microsoft
If you have the State's G5 M365 license or have an O365 license, you should know that some logs can be sent to Sentinel for free. Here is an explanation of Microsoft Sentinel pricing and monitoring: https://cybermohr.ghost.io/2022/08/01/microsoft-sentinel-pricing-and-monitoring/
Going Passwordless with HID, Microsoft and FIDO2 https://blog.hidglobal.com/2021/03/going-passwordless-hid-microsoft-and-fido2