Please enjoy our newest podcast, the Weekly Security Sprint, on Spotify for Podcasters, Spotify, Apple, Google, as well as other locations accessible via the Spotify for Podcasters link or almost anywhere you listen to your favorite podcasts.
In this week’s Security Sprint, Dave and Andy talked about the topics below. For more of these and other security updates, subscribe to our free daily report, delivered directly to your inbox, the Gate 15 SUN.
Main Topics.
Jen’s Cyberthreat Mash-Up
- Citrix!
- CISA Releases Cybersecurity Advisory on Threat Actors Exploiting Citrix CVE-2023-3519. The Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Advisory (CSA), Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells, to warn organizations about threat actors exploiting CVE-2023-3519, an unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway. In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization’s NetScaler ADC appliance. The webshell enabled the actors to perform discovery on the victim’s Active Directory (AD) and to collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller, but network-segmentation controls for the appliance blocked that movement. This CSA details tactics, techniques, and procedures (TTPs) shared with CISA by the victim. If activity is detected, CISA strongly urges all critical infrastructure organizations to follow the recommendations found within this advisory, such as prioritizing patching of known exploited vulnerabilities like Citrix CVE-2023-3519.
- New critical Citrix ADC and Gateway flaw exploited as zero-day
- Citrix Releases Security Updates for NetScaler ADC and Gateway. Citrix has released security updates to address high and critical vulnerabilities (CVE-2023-3519, CVE-2023-3466, and CVE-2023-3467) affecting NetScaler ADC and NetScaler Gateway. An attacker can exploit these vulnerabilities to take control of an affected system. According to Citrix, CVE-2023-3519 is being exploited on unmitigated appliances. CISA encourages users and administrators to review the Citrix security bulletin and apply the necessary updates.
- ACSC: Citrix Products NetScaler ADC and NetScaler Gateway Zero Day Vulnerability
- 2023-050: Citrix NetScaler Critical Vulnerability. PDF.
- MOVEit!
- EMSISOFT – Unpacking the MOVEit Breach: Statistics and Analysis.
- The tail of the MOVEit hack may be longer than we realize. “Brett Callow, a ransomware researcher at Emsisoft, has been tracking the ground-level impact of the hack, keeping tabs on every entity published on Cl0p’s site and other disclosures. Thus far, he has identified at least 369 organizations that have confirmed they were impacted by the breach or flagged as a victim by Cl0p. He told SC Media that of those 369, at least 93 have been compromised through a third-, fourth-, or fifth-party supplier.” In other ransomware updates:
- Clop now leaks data stolen in MOVEit attacks on clearweb sites. A clearweb website is hosted directly on the Internet rather than on anonymous networks like Tor, which require special software to access. This new method makes it easier to access the data and will likely cause it to be indexed by search engines, further expanding the spread of the leaked information.
- Clop gang to earn over $75 million from MOVEit extortion attacks
- Microsoft expanding cloud logging to give customers deeper security visibility. “In response to the increasing frequency and evolution of nation-state cyberthreats, Microsoft is taking additional steps to protect our customers and increase the secure-by-default baseline of our cloud platforms. These steps are the result of close coordination with commercial and government customers, and with the Cybersecurity and Infrastructure Security Agency (CISA) about the types of security log data Microsoft provides to cloud customers for insight and analysis.”
New blog posts from CISA!
- CISA: Take the First Steps Towards Better Cybersecurity With these Four Goals.
- Change default passwords
- Implement phishing-resistant multifactor authentication (MFA)
- Separate user and privileged accounts
- Incident response plans
- CISA: Evolving CDM to Transform Government Cybersecurity Operations and Enable CISA’s Approach to Interactive Cyber Defense
Jen manifests her Cybersecurity Evangelist to talk scams!
- Called a bogus airline customer support number? Google is hustling to fix that
- Plane sailing for ticket scammers: How to keep your flight plans safe
- Increase in Tech Support Scams Targeting Older Adults and Directing Victims to Send Cash through Shipping Companies
- Scams Targeting the Elderly: FBI IC3 Increase in Tech Support Scams Targeting Older Adults and Directing Victims to Send Cash through Shipping Companies
Health Preparedness! FACT SHEET: White House Launches Office of Pandemic Preparedness and Response Policy and more on severe weather, climate and health: Mosquitos Are Moving to Higher Elevations—and So Is Malaria.
- Tornado damage to Pfizer plant will probably create long-term shortages of some drugs hospitals need
- WSJ: The World Bakes Under Extreme Heat
- Boiling in Phoenix: City set to break U.S. record for consecutive days over 110 degrees
- Texas power use hits record high as heatwave lingers
- Heatwave brings health warnings as extreme weather grips globe
- The heat index reached 152 degrees in the Middle East — nearly at the limit for human survival
- Tokyo Heat Smashes 150-Year Trend as Extreme Weather Bakes Globe
- Smoke from Canadian wildfires places 60 million US residents under air quality alerts
- Ongoing rounds of rain to keep flash flood risk elevated in northeastern US
Quick Hits.
- SAVE THE DATE! H2OSecCon Powered by WaterISAC. October 19-20, 2023, virtual. H2OSecCon is coming back for a second year and will be held virtually from October 19-20. This two-day virtual conference will focus on IT and OT cybersecurity, physical security, and resilience for the water and wastewater sector. Spanning two days, H2OSecCon will feature panel discussions, presentations, and tabletop exercises with thought leaders and subject matter experts within the industry. Call for presentations now open! Registration and sponsorship opportunities opening shortly.
- United States tops 400 mass shootings in 2023
- IBM Report: Half of Breached Organizations Unwilling to Increase Security Spend Despite Soaring Breach Costs. Report overview. PDF in DB.
- The global average cost of a data breach in 2023 was USD 4.45 million, a 15% increase over 3 years.
- Ransomware victims in the study that involved law enforcement saved $470,000 in average costs of a breach compared to those that chose not to involve law enforcement.
- Nearly half (47%) of studied ransomware victims reportedly paid the ransom.
- Costs of Healthcare Breaches Continue to Soar – The average costs of a studied breach in healthcare reached nearly $11 million in 2023 – a 53% price increase since 2020.
- Critical Infrastructure Breach Costs Break $5 Million – Critical infrastructure organizations studied experienced a 4.5% jump in the average costs of a breach compared to last year – increasing from $4.82 million to $5.04 million – $590K higher than the global average.
- 51% of organizations are planning to increase security investments as a result of a breach, including incident response (IR) planning and testing, employee training, and threat detection and response tools.
- The average savings for organizations that use security AI and automation extensively is USD 1.76 million compared to organizations that don’t.
- What’s new in the 2023 Cost of a Data Breach report
- Biden-Harris Administration Announces Cybersecurity Labeling Program for Smart Devices to Protect American Consumers
- THE CYBERSECURITY 202 – Cybersecurity labels for smart devices are on their way. “The Biden administration is rolling out a voluntary program today to label internet of things devices — like smart refrigerators and baby monitors — if they meet cybersecurity benchmarks, similar to the Energy Star labeling program for energy-efficient products.”
- FACT SHEET: Biden-Harris Administration Secures Voluntary Commitments from Leading Artificial Intelligence Companies to Manage the Risks Posed by AI. ‘As part of this commitment, President Biden is convening seven leading AI companies at the White House today – Amazon, Anthropic, Google, Inflection, Meta, Microsoft, and OpenAI – to announce that the Biden-Harris Administration has secured voluntary commitments from these companies to help move toward safe, secure, and transparent development of AI technology.’
- New CISA Products Released.
- CISA Develops Factsheet for Free Tools for Cloud Environments. CISA has developed and published a factsheet, Free Tools for Cloud Environments, to help businesses transitioning into a cloud environment identify proper tools and techniques necessary for the protection of critical assets and data security.
- NSA, CISA Release Guidance on Security Considerations for 5G Network Slicing. This guidance—created by the Enduring Security Framework (ESF), a public-private cross-sector working group led by the NSA and CISA—presents recommendations to address some identified threats to 5G standalone network slicing, and provides industry recognized practices for the design, deployment, operation, and maintenance of a hardened 5G standalone network slice(s).
- New Zealand shooter kills two ahead of Women’s Soccer World Cup
- More ransomware!
- Coveware Q2 Ransomware Report: Ransom Monetization Rates Fall to Record Low Despite Jump In Average Ransom Payments. In the second quarter of 2023, the percentage of ransomware attacks that resulted in the victim paying fell to a record low of 34%. The trend represents the compounding effects, noted previously, of companies continuing to invest in security, continuity assets, and incident response training. Despite these encouraging statistics, ransomware threat actors and the entire cyber extortion economy continue to evolve their attack and extortion tactics.
- Quarterly GRIT Ransomware Report – Q2 2023. Complete Q2 GRIT Ransomware Report here. “At the end of Q2 2023 there was a 38% increase in the volume of public ransomware victims compared to Q1 2023, but more shockingly there was a 100% increase compared to Q2 of last year. LockBit remains the most prolific ransomware threat group despite a 10% decline in volume in Q2 relative to Q1, and a new file-sharing application vulnerability brought another surge of victims claimed by Clop ransomware group.”
- DOJ merges cyber, cryptocurrency units to go after ransomware attacks
- The FBI’s Cynthia Kaiser on how the bureau fights ransomware. The deputy assistant director with the FBI Cyber Division says the bureau is making real strides against cybercrime but still needs the public’s assistance.
- The Week in Ransomware – July 21st 2023 – Avaddon Back as NoEscape
- Ransomware Roundup – Cl0p
- QILIN Ransomware Report
- Cybersecurity Firm Sophos Impersonated by New SophosEncrypt Ransomware
- Kanti: A NIM-Based Ransomware Unleashed in the Wild
- DEV-0970/Storm-0970: The Threat Actors Behind Big Head and Poop69 Ransomware
- Risky Biz News – TOMRA cyberattack: TOMRA, one of the world’s largest recyclers, has been hit by an “extensive cyberattack” that has impacted some of the company’s IT systems. TOMRA says the attack took place early on Sunday, July 16, and they immediately took steps to isolate the affected systems. This sure sounds like ransomware, even if the company has not confirmed it.
- Related reports shared yesterday: FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware
- Linux Ransomware Poses Significant Threat to Critical Infrastructure
- Between Two Nerds: Shaping ransomware group behaviour (podcast)
Read more about Gate 15’s full podcast menu at our Podcast page. You can subscribe and enjoy all the Gate 15 Podcasts on Spotify for Podcasters, Apple, Spotify, Google, as well as other locations accessible from the Spotify for Podcasters link. Week-to-week, you can hear and learn more about our all-hazards threats, risks, mitigation and other issues impacting homeland security risk management from our team as well as our regular and special guests. The full podcast menu includes:
- The Security Sprint is our weekly rundown of the week’s notable all-hazards security news, risks and threats and some of the key focus areas for organizations to consider behind the headlines. Gate 15 team members discuss physical security, cybersecurity, natural hazards, health threats and other issues across our environment.
- The Risk Roundtable is a recurring monthly discussion among our team and occasional guests as we explore the all-hazards threats and risks impacting the United States and internationally.
- The Cybersecurity Evangelist, with Jennifer Lyn Walker, is a cybersecurity-focused discussion with Jen and invited guests.
- Nerd Out! Security Panel Discussion, moderated by Dave Pounder, focuses on physical security topics including terrorism, extremism, hostile events, and other pertinent topics.
- The Gate 15 Interview is a monthly interview between Gate 15’s founder and Managing Director, Andy Jabbour and guests from throughout the homeland security risk management community addressing a wide range of all-hazards topics and issues.
We hope you’ll subscribe, listen and share your ideas and other feedback! Reach out to us on Twitter, LinkedIn or via email at: [email protected].