Information Security News 11-20-2023

PJ&A Says Cyberattack Exposed Data of Nearly 9 Million Patients

Article Link: https://www.bleepingcomputer.com/news/security/pj-and-a-says-cyberattack-exposed-data-of-nearly-9-million-patients/

• Recently the medical transcription company Perry Johnson & Associates (PJ&A) began notifying impacted individuals of a cyberattack that occurred between March 27 and May 2, 2023.
• According to the notifications sent to victims, a significant amount of information was accessed including full names, date of birth, Social Security numbers, medical record and hospital account numbers, insurance information, and more depending on what type of information victims had provided to their healthcare services.
• In addition to other hospitals, Cook County Health, the largest healthcare provider in the Chicago area, and Northwell Health, New York’s largest healthcare provider, were among those with exposed patient data. Additionally, as a result Cook County Health has since announced that they are terminating its relationship with PJ&A.

Google Workspace Weaknesses Allow Plaintext Password Theft

Article Link: https://www.theregister.com/2023/11/15/google_workspace_weaknesses_allow_plaintext/

• Researchers at Bitdefender recently released a report that discussed how the local compromise of a Windows device could allow attackers to bypass MFA for the Google Cloud Platform and eventually steal passwords in plaintext format.
• Specifically, the attack requires the attacker to leverage the organization’s Google Credential Provider for Windows (GCPW) to create a local Google Accounts and ID Administration (GAIA) account with elevated privileges. From there, attackers can steal or generate refresh tokens for the account and then leverage POST requests to gain access to any service within the issued token’s scope, including Google Drive, Gmail, and RSA keys used for passwords.
• Bitdefender informed Google, who stated that they wouldn’t address the perceived issue as it falls out of the scope of what Google considers a “Google-specific bug” as it requires local access to occur.
• Link to Bitdefender’s Report: https://www.bitdefender.com/blog/businessinsights/the-chain-reaction-new-methods-for-extending-local-breaches-in-google-workspace/

New York Proposes Cybersecurity Regulations for State’s Hospitals

Article Link: https://statescoop.com/new-york-cybersecurity-regulations-state-hospitals/

• The governor of New York has recently proposed a new set of cybersecurity regulations for the state’s hospitals. The New York Public Health and Health Planning Council is currently reviewing the rules.
• The rules would require hospitals to develop security programs, hire a CISO, and more.
•  If the rules are adopted, they would likely be published on December 6^th with a 60-day comment period. After that, then the rules would be finalized, and organizations would have a year to comply with the rules.

New Report Examines Pressing K-12 Cybersecurity Concerns

Article Link: https://www.govtech.com/security/new-report-examines-pressing-k-12-cybersecurity-concerns

• A new report from MS-ISAC looked at the top threats and the state of cybersecurity at K-12 schools.
• The top five concerns according to a survey of MS-ISAC members in K-12 schools include a lack of sufficient funding, increasing sophistication of threats, a lack of documented processes, a lack of a cybersecurity strategy, and an inadequate availability of cybersecurity professionals, in that order.
• As the report highlights, K-12 organizations have generally shown maturity in maintaining and repairing industrial control and information systems, maintaining strong identity management and access control processes, and conducting cybersecurity awareness and training. However, they tend to struggle in supply chain risk management, audit log collection, data classification, and defending against malware threats.
• Link to CIS MS-ISAC’s Report: https://www.cisecurity.org/insights/white-papers/k-12-report-cis-ms-isac-cybersecurity-assessment-of-the-2022-2023-school-year

Nuclear and Oil & Gas are Major Targets of Ransomware Groups in 2024

Article Link: https://securityaffairs.com/154113/malware/ransomware-gangs-targets-nuclear-and-oil-gas-2024.html

• According to research from the security company Resecurity, there has been a significant increase in ransomware attacks against the energy sector with trends suggesting a continued escalation of attack quantity and severity going into 2024.
• As the report notes, the energy sector was the fourth-most targeted sector within the last year with attacks likely to continue. Likewise, with ransomware attacks becoming more efficient due to partial data encryption and the usage of initial access brokers, the scope of attacks on the energy sector will likely continue to grow.
• Alongside Resecurity’s report, information was recently released on the largest cyberattack on record to ever hit Denmark in which 22 Danish companies in the energy sector were attacked in May 2023.
• Link to Resecurity’s Report: https://www.resecurity.com/blog/article/ransomware-attacks-against-the-energy-sector-on-the-rise-nuclear-and-oil-gas-are-major-targets-2024
• Link to Information on the Danish Attack: https://securityaffairs.com/154156/apt/denmark-critical-infrastructure-record-attacks.html

Telemetry Gaps Leave Networks Vulnerable as Attackers Move Faster

Article Link: https://www.helpnetsecurity.com/2023/11/16/missing-telemetry/

• Sophos recently released a report that reviewed 232 IR cases between January 1, 2022, and June 30, 2023, with 83% of impacted organizations having less than 1,000 employees. A key finding was that telemetry logs were missing in 42% of attacks studied and of those 42%, attackers disabled or wiped the logs in 82% of the cases.
• The report highlighted the importance of logs in responding to incidents. Of the incidents reviewed, 38% had a dwell time of less than or equal to 5 days, emphasizing the importance of a quick response.
• Link to Sophos’ Report: https://news.sophos.com/en-us/2023/11/14/active-adversary-for-security-practitioners/

CompTIA Advises Retailers to Check their Cybersecurity Preparedness Ahead of the Holiday Shopping Season

Article Link: https://www.darkreading.com/attacks-breaches/comptia-advises-retailers-to-check-their-cybersecurity-preparedness-ahead-of-the-holiday-shopping-season

• CompTIA and other organizations are highlighting the importance of retail organizations preparing for the possibility of malicious hackers launching attacks as the holiday season starts to ramp up.
• In the short-term, it is recommended to verify that the latest security patches and software updates are applied, system inventories are reconciled, and a plan is in place for responding to potential incidents. Long-term, organizations should also focus on awareness training for employees.

Steps CISOs Should Take Before, During & After a Cyberattack

Article Link: https://www.darkreading.com/attacks-breaches/steps-cisos-should-take-before-during-after-cyberattack

• While each cyberattack is unique and requires its own response processes, there are several considerations vital for CISOs in preparing for incidents.
• Much of the incident response legwork should occur prior to an incident occurring. Before a cyberattack, CISOs should forge strong relationships with leadership, build a comprehensive response framework with outlined roles and responsibilities, begin testing plans and playbooks in preparation for potential incidents, and educate stakeholders.
• The article discusses the steps that should be taken during and after incidents as well. Specifically, during an incident CISOs should prioritize effective and empathetic communication with those responding. Following an incident, it is vital that there is reflection of the incident without any blame.

Defense Firms Can Take Steps Now to Comply With Enhanced Cyber Standards, Industry Officials Say

Article Link: https://www.nextgov.com/cybersecurity/2023/11/defense-firms-can-take-steps-now-comply-enhanced-cyber-standards-industry-officials-say/391893/

• As the article notes, the DoD’s Cybersecurity Maturity Model Certification (CMMC) first went into effect in 2020 and the updated CMMC version 2.0 ruling is set to be released in the near future. While CMMC 2.0 has yet to be released, organizations can still work towards meeting the coming rules.
• The article highlights that CMMC 2.0 will likely be long and complex. Likewise, the requirements are said to likely be difficult for some smaller firms as the DoD aims to set the initial bar high.
• Although CMMC compliance will likely be challenging for many organizations, there are a variety of resources available for organizations to begin taking steps to meet the DoD’s requirements.