Cyber Briefing ~ 07/11/2024

Bipartisan Senate Bill Takes Aim at 'Overly Burdensome' Cybersecurity Regs

The Streamlining Federal Cybersecurity Regulations Act, introduced by Senators Gary Peters and James Lankford, aims to establish an interagency committee to streamline and harmonize the country's cybersecurity regulations. The committee would identify burdensome and inconsistent requirements, recommend updates, and establish minimum standards and reciprocity among agencies. The bill also includes a pilot program and requires an annual report on the committee's work.


US, International Authorities Seize Russian AI Bot Farm

The US Department of Justice has seized internet domains and social media accounts linked to a Russian government bot farm that utilized AI to generate content for political interference. The operation targeted audiences in several countries, including the United States, and aimed to spread disinformation favorable to the Russian government. The seized domains and accounts were allegedly created by a top editor at Russian state-owned news outlet RT, using covert AI-enhanced software called Meliorator. The action is part of ongoing efforts to combat Russian disinformation and interference in upcoming elections.


Hacktivists Leak Two Gigabytes of Heritage Foundation Data

SiegedSec, a politically motivated cybercrime group, has released approximately two gigabytes of data from the Heritage Foundation in response to their Project 2025 initiative. The leaked data includes blogs and materials from the conservative think tank.


Energy, Other Critical Infrastructure Providers Press for Limits on Cyber Incident Reporting Rules

Critical infrastructure providers, including those in the energy sector, are urging the Cybersecurity and Infrastructure Security Agency (CISA) to place guardrails around new incident reporting requirements. They want the reporting mandate to be limited to the most consequential security threats and to allow sufficient time for accurate assessments. TechNet, the American Gas Association, and the American Hospital Association are among the groups expressing concerns and requesting specific changes to the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). The final rule is set to go into effect next year.


Australia Warns Chinese State Security Hackers Are Exploiting End-of-Life Home Routers

The Australian Signals Directorate (ASD) has warned that a China state-sponsored hacking group, APT40, is exploiting small office/home office (SOHO) devices, including end-of-life home routers, as launch points for its attacks. The hackers, believed to be working for China's Ministry of State Security (MSS), have been targeting Australian government and private sector networks. The group is known for rapidly adopting exploits for newly disclosed vulnerabilities and conducting reconnaissance to identify vulnerable devices.


Project 2025 Suffers Online Hack

A group of activists known as SiegedSec, described as "gay furry hackers," has hacked into the servers of right-wing think tank The Heritage Foundation. They released usernames, passwords, and user logs of the foundation's users in protest against Project 2025, a controversial policy document that aims to transform the federal government with a right-wing agenda. The hackers claim that Project 2025 threatens the rights of LGBTQ+ communities and abortion healthcare. This is the second time SiegedSec has targeted The Heritage Foundation this year, and they have also claimed to have hacked NATO and Israel-related targets.


Cybersecurity Policymaking Post-Chevron

The Supreme Court's decision to overturn the Chevron doctrine will increase judicial scrutiny over regulatory decisions, affecting cybersecurity rules and enforcement actions. This may lead to more legal challenges against cybersecurity regulations and narrower, less effective rules. Congress will be more responsible for writing clear laws, and the deregulatory effect on cybersecurity is expected to continue. The ruling also has implications for the FTC and CFPB, making regulating and enforcing rules more challenging. Businesses should adapt their compliance efforts to address the uneven application of cybersecurity laws and stay informed of litigation and regulatory changes.


Chevron’s Downfall Highlights Need for Clear Artificial Intelligence Laws

The Supreme Court's decision to overturn Chevron deference complicates AI regulation efforts, requiring clear legislation from Congress to avoid legal challenges and ensure effective regulation. The ruling allows companies to challenge AI-related regulations, potentially leading to fragmented federal rules. State laws and regulations may continue to outpace federal efforts, highlighting the need for a new AI-focused agency and technical expertise in Congress. The Biden administration's executive order on AI may remain mostly unaffected, but challenges may arise in areas such as using the Defense Production Act. The ruling increases the role of courts in making decisions regarding AI regulation.


Software Supply Chain Still Dangerous Despite New Protections

Experts warn that despite recent efforts to improve software supply chain security, several challenges remain, including the sheer magnitude and complexity of the supply chain, lack of definitional clarity, accountability for open-source software, scarcity of data, and overreliance on software bills of materials (SBOMs). Collaboration between CISOs and CTOs is crucial, as is the need to define software more precisely and develop common frameworks. Open-source software presents a significant challenge, and SBOMs are not a magical solution. Experts nevertheless remain optimistic about the future of software security, while acknowledging that broad industry change will take time.


Evolve Bank Says Data Breach Impacts 7.6 Million Americans

Evolve Bank & Trust is notifying 7.6 million Americans of a data breach caused by a LockBit ransomware attack. An employee clicked on a malicious link, granting unauthorized access to Evolve's database and file shares. While customer funds remained safe, several fintech customers were affected. Evolve offers credit monitoring and identity protection services for US residents and dark web monitoring services for international residents. The types of data exposed in the breach are unknown at this time.


Ticket Heist Network of 700 Domains Sells Fake Olympic Games Tickets

A large-scale fraud campaign known as Ticket Heist is targeting Russian-speaking users seeking tickets for the Summer Olympics in Paris. The operation uses over 700 domains to sell fake tickets and takes advantage of major sports and music events. The prices of the fake tickets are inflated compared to legitimate ones, possibly to trick victims or take advantage of ticket shortages. Ticket Heist aims to steal money from victims rather than collect credit card information. The operation is ongoing and has not been widely reported.


MOVEit Legal Liabilities, Expenses Pile Up for Progress Software

Progress Software, the company behind the file-transfer service MOVEit, is facing increasing legal liabilities and expenses due to last year's zero-day attacks on its customers. The company is involved in at least 144 class-action lawsuits and has received letters from 38 customers seeking indemnification. Expenses related to the MOVEit vulnerability have grown from $1 million to $3 million in the most recent quarter. Progress is also dealing with government and regulatory investigations, including a formal investigation by the SEC. The company expects additional expenses associated with the vulnerability in future quarters.


Evolve Bank & Trust Reveals 7M Impacted in LockBit Breach

Evolve Bank & Trust has confirmed that 7,640,112 individuals were affected in a data breach that occurred in May. While customer funds were not accessed, customer information was compromised. The breach was discovered after unauthorized activity was detected in the company's systems, prompting an investigation. The threat actors, identified as LockBit, could access and download customer information from Evolve's database and file share. The compromised data includes names, Social Security numbers, dates of birth, and other personal information. Wise and Affirm, two financial companies, have also confirmed being affected by the breach. Evolve urges affected individuals to remain vigilant and offers credit monitoring and identity theft protection services.


UK Hospital Hack Leaves Kidney Patients at Higher Risk of Heart Failure

Thousands of patients in the UK, including kidney patients like Amit Sanchadev, have been affected by a recent hack on Synnovis, a pathology provider conducting lab tests in partnership with major UK hospital groups. The hack has disrupted blood testing services, delaying appointments and operations and leaving patients without critical test results. The consequences have been severe, with potential risks of heart failure and other complications. The UK's National Health Service is investigating the hack, but the recent election has overshadowed the ongoing fallout. The public response has been led by NHS England, which is working with cybersecurity and law enforcement agencies to address the situation.


SEC Suggests Longer Timeline for AI Rule as It Moves Ahead With ESG, Cybersecurity

The SEC's updated regulatory agenda indicates it may gather more feedback before finalizing a proposed rule governing financial advisors' use of AI. But it plans to finalize key rules on advisor outsourcing, cybersecurity, and ESG investing disclosures in October. The agenda comes after a Supreme Court decision questioned agencies' authority to create rules without Congress.


American Hospital Assn. Seeks Reporting Process Changes to Address Burden on Stakeholders Under CISA Proposed Rule

The American Hospital Association (AHA) has provided suggestions to simplify reporting requirements and alleviate stakeholders' burdens under the proposed rule by the Cybersecurity and Infrastructure Security Agency (CISA) for incident reporting. AHA emphasizes the importance of incident reporting but raises concerns about redundancy, privacy risks, harsh penalties, and the ambiguous definition of "substantial cyber incident." They recommend clearer criteria, simplified reporting, and harmonization of cyber regulations. AHA urges CISA to collaborate with federal and state agencies to establish a uniform reporting process.


CISA Incident Reporting Rule Prompts Discussion on Artificial Intelligence Impacts

Firms in the cybersecurity industry highlighted the benefits of artificial intelligence (AI) in response to a proposed rule by the Cybersecurity and Infrastructure Security Agency (CISA) for mandatory cyber incident reporting. While some expressed concerns about the broad coverage of the rule and the potential for AI to increase cyber threats, others emphasized the importance of AI in reducing compliance paperwork burdens and enhancing cybersecurity. Commenters also called for clarification on protections for "good-faith researchers" and raised issues regarding the security of reported data and cyber attackers' potential misuse of AI.


Senate Armed Services Raises Concerns Over Pentagon’s CMMC Program in Report for Fiscal 2025 Defense Policy Bill

The Senate Armed Services Committee expresses concerns over implementing the Pentagon's Cybersecurity Maturity Model Certification program (CMMC) and the upcoming launch of version 2.0. The committee highlights issues such as lack of clarity, challenges for small businesses, and the need for standardization and adaptation to emerging threats. They also call for a study to assess the implementation and request a briefing on DOD's plan for CMMC compliance.


CISA Outlines Work to Create Framework for Assessing Trust in Open Source Software

The Cybersecurity and Infrastructure Security Agency (CISA) is developing a framework to assess the trustworthiness of open-source software components. The framework aims to enhance cybersecurity risk management in the federal government and in critical infrastructure, both of which rely heavily on open-source software. CISA's framework will focus on four dimensions: the project, the product, protection activities, and policies. The agency is also supporting the development of a tool called "Hipcheck" to automate the measurement process.


CISA, Australian Cyber Agency Issue Advisory on China-Based Threat Group Quickly Exploiting Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Signals Directorate's Australian Cyber Security Centre (ACSC) have released a cybersecurity advisory detailing mitigations against a China-affiliated threat group known as APT40. The group, also known as Kryptonite Panda, rapidly exploits vulnerabilities in widely used public-facing software. The advisory provides rules network defenders can use to detect anomalous activity and highlights mitigations such as patch management, network segmentation, and multifactor authentication.


To Prep for Third-Party Compromises, IT Pros Recommend Resilience Planning

IT professionals emphasize that organizations need a disaster recovery plan to mitigate outages caused by cyberattacks on third-party service providers. Recent supply-chain attacks have highlighted the importance of being prepared for extended downtime. A cyber-resilience plan that includes tabletop exercises and determining alternative strategies can help organizations navigate and recover from such incidents.


Ex-UK Cyber Chief Warns NHS Remains Vulnerable After Major Attack

Former UK National Cyber Security Centre head Ciaran Martin warned that the NHS is still vulnerable to cyberattacks after a major ransomware incident disrupted healthcare across London hospitals. The Russian hacker group Qilin demanded a £40 million ransom from the NHS, then published stolen data when refused. Martin said outdated IT infrastructure, lack of understanding of vulnerabilities, and poor security practices put the NHS at risk. Doctors anonymously expressed concerns over outdated equipment and fragmented systems, while experts emphasized that basic measures like strong passwords could prevent many breaches. NHS England said it is improving cybersecurity, but Martin concluded that the recent attack shows that more urgent action is required.


Snowflake Allows Admins to Enforce MFA as Breach Investigations Conclude

Snowflake has established a new security policy to allow administrators to require multifactor authentication (MFA) for all users or specific roles. This change comes after attacks targeting more than 100 customer environments. While MFA will be enabled by default for newly created Snowflake accounts, existing customer administrators can still opt out. Snowflake is taking additional steps to encourage the adoption of MFA, such as prompting users to enable it upon login and providing a Trust Center to help enforce MFA and monitor security policies.
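Because existing Snowflake accounts are not moved to mandatory MFA automatically, an administrator has to apply the enforcement explicitly and then verify that it took effect. The following is an added example, not code from the original briefing or from Snowflake; it uses Snowflake's authentication-policy and ACCOUNT_USAGE syntax as documented at the time of writing, and the policy name, the admin role and the 7-day audit window are assumptions chosen for illustration.

```sql
-- Added example: enforcing MFA on an existing Snowflake account.
-- Run as a role with the privileges to create and set authentication
-- policies (ACCOUNTADMIN is assumed here for illustration).
USE ROLE ACCOUNTADMIN;

-- Weak state (the default for pre-existing accounts): with no
-- authentication policy set, MFA_ENROLLMENT is effectively OPTIONAL,
-- so password-only logins from any client continue to succeed.
-- Equivalent explicit form, shown only to contrast with the fix:
-- CREATE AUTHENTICATION POLICY mfa_optional_policy
--   MFA_ENROLLMENT = OPTIONAL;

-- Corrected state: require every user to enrol in MFA.
-- Policy name is an assumption; choose your own.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa_policy
  MFA_ENROLLMENT = REQUIRED
  -- restrict which client types may authenticate at all;
  -- users signing in through the web UI are prompted to enrol.
  CLIENT_TYPES = ('SNOWFLAKE_UI', 'DRIVERS', 'SNOWSQL')
  COMMENT = 'Account-wide MFA enforcement after the 2024 customer breaches';

-- Apply account-wide. (ALTER USER <name> SET AUTHENTICATION POLICY ...
-- scopes it to one user instead, which is useful for a phased rollout.)
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_policy;

-- Verification 1: which users still have no MFA enrolment?
-- Service accounts should appear here only if they use key-pair auth.
SELECT name, disabled, has_password, ext_authn_duo
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  ext_authn_duo = FALSE
ORDER BY name;

-- Verification 2: successful logins in the last 7 days (assumed window)
-- that completed with only a single authentication factor. After the
-- policy is in place this should trend to zero for password logins;
-- key-pair (RSA) logins legitimately show no second factor.
SELECT user_name,
       first_authentication_factor,
       second_authentication_factor,
       reported_client_type,
       client_ip,
       COUNT(*) AS logins
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  event_timestamp >= DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP BY 1, 2, 3, 4, 5
ORDER BY logins DESC;
```

Note that ACCOUNT_USAGE views lag live activity by up to a few hours, so the second query confirms enforcement after the fact rather than in real time; for an immediate check, `SHOW USERS` exposes the same MFA enrolment flag per user.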


As CISOs Grapple with the C-Suite, Job Satisfaction Takes a Hit

Research finds that CISO job satisfaction is affected by limited access to company management, leading to increased dissatisfaction and potential burnout. The lack of satisfaction among CISOs can have significant implications for corporate security, including decreased effectiveness, retention challenges, cultural impact, and increased vulnerability. Breaking down barriers between CISOs and leadership, giving them a seat at the table, and proactive cybersecurity investment is crucial for improving job satisfaction and organizational security.


CISA Director Says Banning Ransomware Payments Is Off the Table

Jen Easterly, Director of CISA, stated that banning ransomware payments in the U.S. is unlikely due to practical reasons. The Ransomware Task Force also discourages a ban, as it could worsen the situation for victims and hinder the response to ransomware threats. Instead, efforts focus on improving incident reporting, law enforcement, intelligence sharing, and secure-by-design practices.


Subscribe to our LinkedIn Cyber Briefing.

Subscribe to the daily Cyber Briefing email.

Subscribe to our Cyber Focus podcast.

Copyright © 2024 Auburn University's McCrary Institute. All Rights Reserved.

Follow the McCrary Institute on LinkedIn, Twitter, Threads, Instagram, Facebook, and YouTube.

