Archive for CISA

CISA Warns of Credential Risks From Oracle Cloud Leak

Posted in Commentary with tags on April 17, 2025 by itnerd

You might recall the recent Oracle Cloud breach. If not, the earlier coverage of it will serve as a refresher.

Related to that, CISA has warned of potential unauthorized access to legacy Oracle Cloud environments, stemming from exposed credentials that are either reused across separate, unaffiliated systems or embedded (that is, hardcoded into scripts, applications, infrastructure templates, or automation tools).

Details can be found here: https://www.cisa.gov/news-events/alerts/2025/04/16/cisa-releases-guidance-credential-risks-associated-potential-legacy-oracle-cloud-compromise  
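The practical first step that guidance points at is finding the embedded credentials before an attacker does. The scanner below is an added example written for this post, not code from CISA or Oracle: it runs a few credential patterns and an entropy check over a set of constructed sample files (a shell script, a Terraform template and a CI config, all with made-up values), skips obvious placeholders such as `${VAR}`, and then reports any secret literal that appears in more than one file, which is exactly the "reused across separate systems" case the alert describes. The key names, thresholds and sample contents are assumptions to tune for your own repositories.

```python
"""Find hardcoded credentials in scripts, templates and CI config, and flag secrets reused across files.

Added example for this post; the sample files below are constructed and contain no real credentials.
"""
import math
import re
from collections import Counter, defaultdict, namedtuple

Finding = namedtuple("Finding", "file line kind secret")

# Generic "<something>password/secret/token/api_key = value" assignments (key names are assumptions).
ASSIGN = re.compile(r"""(?i)\w*(password|passwd|pwd|secret|token|api[_-]?key)\w*\s*[:=]\s*["']?([^\s"']{8,})""")
# Fixed-format credentials that are recognisable on their own.
KNOWN = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
]
# References or stand-ins rather than secrets: ${VAR}, {{ templ }}, <placeholder>, %ENV%, changeme.
PLACEHOLDER = re.compile(r"(?i)^(\$|\{\{|<|%)|^(changeme|password|example|placeholder|xxx+)$")

# Constructed sample "files": a deploy script, a Terraform template and a CI config.
SAMPLE_FILES = {
    "deploy.sh": (
        "#!/bin/sh\n"
        "export DB_PASSWORD='Sup3r-S3cret-Pa55word!'\n"
        "sqlplus app/${DB_PASSWORD}@oracle-prod\n"
    ),
    "main.tf": (
        'provider "oci" {\n'
        "  tenancy_ocid = var.tenancy\n"
        '  api_key      = "Sup3r-S3cret-Pa55word!"\n'  # same literal as deploy.sh: reuse
        "}\n"
    ),
    "ci.yml": (
        "env:\n"
        "  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE\n"  # AWS's documented example key ID
        "  TOKEN: ${{ secrets.TOKEN }}\n"  # a reference, not a secret: must not be flagged
    ),
}


def shannon_entropy(value):
    """Bits per character; random tokens score high, words and paths score low."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(name, text):
    """Return Findings for every credential-looking literal in one file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in KNOWN:
            for m in pattern.finditer(line):
                findings.append(Finding(name, lineno, kind, m.group(0)))
        for m in ASSIGN.finditer(line):
            key, value = m.group(1).lower(), m.group(2)
            if PLACEHOLDER.search(value):
                continue
            # Long or high-entropy values are the tell; short dictionary words are left to a human.
            if len(value) >= 16 or shannon_entropy(value) >= 3.5:
                findings.append(Finding(name, lineno, "hardcoded_" + key, value))
    return findings


def scan_files(files):
    """files: mapping of file name -> text content."""
    return [f for name, text in files.items() for f in scan_text(name, text)]


def find_reuse(findings):
    """The same literal in more than one file is the 'credential reused across systems' case."""
    by_secret = defaultdict(set)
    for f in findings:
        by_secret[f.secret].add(f.file)
    return {s: sorted(files) for s, files in by_secret.items() if len(files) > 1}


def redact(secret):
    return secret[:4] + "*" * (len(secret) - 4)


if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for f in found:
        print(f"{f.file}:{f.line} {f.kind} {redact(f.secret)}")
    for secret, files in find_reuse(found).items():
        print(f"REUSED {redact(secret)} in {', '.join(files)}")
```

Run it over a real checkout by reading files into the mapping passed to `scan_files`. Anything it reports should be rotated, not merely deleted from the file, since the value is already in the repository history and, per the alert, may already be in an attacker's hands.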

Jim Routh, Chief Trust Officer at Saviynt, provided the following comments:

“Software engineers often embed authentication credentials or scripts for convenience when applications are being tested before production. However, engineers often neglect to remove the embedded credentials once the code is put into production. This creates a vulnerability that threat actors actively exploit, giving them access to the application where they may escalate privileges, obtaining access to more sensitive information. There are now tools available that identify credentials in software code, but these tools are not widely used. The root cause of this problem for enterprises is to improve processes for credential management using more advanced privileged access management capabilities and seeking alternatives to credentials through passwordless authentication options.”

You can expect more warnings like this in the near future as this Oracle breach really has the potential to be THE breach of the year.

CISA Puts Out Advisory On Medusa Ransomware

Posted in Commentary with tags on March 13, 2025 by itnerd

Yesterday, CISA released a joint advisory on Medusa ransomware that lays out the tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and detection methods associated with the group. As of February 2025, Medusa had impacted over 300 victims across critical infrastructure sectors, including medical, education, legal, insurance, technology, and manufacturing.

You can read the advisory here.

James Winebrenner, CEO at Elisity, had this to say:

“CISA’s recent advisory on Medusa ransomware really reflects how threat actors are getting smarter and adapting. What particularly concerns me is Medusa’s exploitation of legitimate remote management tools like AnyDesk, ConnectWise, and Splashtop, which are the tools many OT environments rely on for maintenance and support.

Medusa’s attack pattern through the lens of IEC 62443 is a classic example of why proper zone boundary protection (CR 5.2) and network segmentation (CR 5.1) are foundational to industrial control system security. The attackers first perform reconnaissance and then leverage legitimate tools for lateral movement before payload deployment, a pattern that traditional detection methods struggle to identify.

Organizations should implement three technical controls aligned with IEC 62443:

  1. Implement proper zones and conduits architecture as specified in IEC 62443-3-2, ensuring critical control systems are isolated and protected from IT networks where initial compromise typically occurs.
  2. Apply least privilege principles (CR 7.7) for all network communications. Define granular policies based on asset function and operational context rather than just network location to limit lateral movement.
  3. Deploy solutions that can detect anomalous behavior in legitimate tools and enforce zone boundary protection (CR 5.2), focusing on monitoring behavioral patterns rather than just the presence of these tools.

The triple extortion scheme mentioned in the advisory indicates that Medusa actors understand the unique pressures facing critical infrastructure operators. Organizations must treat ransomware as a business risk requiring defense-in-depth strategies across people, process, and technology controls.

With Medusa attacks up 42% according to Symantec, OT security teams should reassess their segmentation strategies and ensure alignment with IEC 62443 standards.”
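As an added example for this post (not code from CISA, Elisity or the advisory), here is the kind of behavioral check the third control above calls for. Rather than alerting on the mere presence of AnyDesk, ConnectWise or Splashtop, it reads process-creation telemetry and flags an RMM tool that is not approved for that host, that runs from outside Program Files, that was spawned by a script interpreter, or that joins a second RMM tool on the same host within a day. The process image names, the per-host approval list and the events themselves are constructed assumptions to fit to your own fleet and EDR schema.

```python
"""Behavioural detection of remote-management (RMM) tool abuse from process-creation events.

Added example for this post; events are constructed and not from any real incident.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Alert = namedtuple("Alert", "host rule detail")

# Image names for the RMM tools named in the advisory (assumed; tune to the tools you actually deploy).
RMM_TOOLS = {
    "anydesk.exe": "AnyDesk",
    "screenconnect.clientservice.exe": "ConnectWise",
    "screenconnect.windowsclient.exe": "ConnectWise",
    "srserver.exe": "Splashtop",
    "srservice.exe": "Splashtop",
}
# Which tool the OT support team is allowed to run on which host (constructed baseline).
APPROVED = {"hmi-01": {"Splashtop"}, "eng-ws-07": {"ConnectWise"}}
# A sanctioned install runs as a service; an attacker's script spawns the tool from an interpreter.
SCRIPT_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Constructed Sysmon/EDR-style process-creation events.
EVENTS = [
    {"ts": "2025-03-12T08:00:00", "host": "hmi-01", "user": "ot\\svc_support",
     "image": r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe",
     "parent": "services.exe"},  # approved tool, normal path, service parent: benign
    {"ts": "2025-03-12T09:15:00", "host": "hmi-01", "user": "ot\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe",
     "parent": "powershell.exe"},  # unapproved tool, temp path, spawned by PowerShell
    {"ts": "2025-03-12T09:40:00", "host": "hmi-01", "user": "ot\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.ClientService.exe",
     "parent": "cmd.exe"},  # a second unapproved tool on the same host within the hour
    {"ts": "2025-03-12T10:00:00", "host": "eng-ws-07", "user": "ot\\tech",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "parent": "services.exe"},  # approved: benign
    {"ts": "2025-03-12T10:05:00", "host": "eng-ws-07", "user": "ot\\tech",
     "image": r"C:\Windows\System32\notepad.exe", "parent": "explorer.exe"},  # not an RMM tool
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_rmm_abuse(events, approved=APPROVED, window=timedelta(hours=24)):
    """Return one Alert per suspicious property of each RMM launch, in time order."""
    alerts = []
    seen = defaultdict(list)  # host -> [(timestamp, tool)] of earlier RMM launches
    for e in sorted(events, key=lambda ev: ev["ts"]):
        tool = RMM_TOOLS.get(basename(e["image"]))
        if tool is None:
            continue
        when, host = datetime.fromisoformat(e["ts"]), e["host"]
        if tool not in approved.get(host, set()):
            alerts.append(Alert(host, "unapproved_rmm", f"{tool} run by {e['user']}"))
        if not e["image"].lower().startswith(TRUSTED_DIRS):
            alerts.append(Alert(host, "rmm_outside_program_files", e["image"]))
        if e["parent"].lower() in SCRIPT_PARENTS:
            alerts.append(Alert(host, "rmm_spawned_by_script", f"{tool} <- {e['parent']}"))
        recent = {t for prev, t in seen[host] if when - prev <= window} - {tool}
        if recent:
            alerts.append(Alert(host, "multiple_rmm_tools", f"{tool} joins {sorted(recent)}"))
        seen[host].append((when, tool))
    return alerts


def alerts_per_host(alerts):
    counts = defaultdict(int)
    for a in alerts:
        counts[a.host] += 1
    return dict(counts)


if __name__ == "__main__":
    for a in detect_rmm_abuse(EVENTS):
        print(f"{a.host}: {a.rule}: {a.detail}")
```

The approval list is the piece that makes this a zone-aware control rather than a generic rule: if the support team's sanctioned tool for a host is Splashtop, an AnyDesk binary appearing there from a user's Temp directory is the lateral-movement pattern the advisory describes, even though both are legitimate products.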

What this advisory highlights is that this is a today problem, and every organization needs to treat it as such; an advisory like this would not exist if this ransomware were not a clear and present danger.

CISA/FBI Warn of Ghost Ransomware Attacks in Over 70 Countries

Posted in Commentary with tags on February 20, 2025 by itnerd

CISA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released a joint cybersecurity advisory warning of widespread Ghost ransomware attacks that have compromised organizations in more than 70 countries by targeting outdated versions of software and firmware on their internet-facing services:

Beginning early 2021, Ghost actors began attacking victims whose internet facing services ran outdated versions of software and firmware. This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China. Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses.

Ghost actors rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, which has led to variable attribution of this group over time. Names associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Samples of ransomware files Ghost used during attacks are: Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.

Ghost actors use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) and gain access to internet facing servers. Ghost actors exploit well known vulnerabilities and target networks where available patches have not been applied.

The FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Ghost ransomware incidents.

Roger Grimes, data-driven defense evangelist at KnowBe4, commented:

“The joint release has a few new surprises. One is that the ransomware groups move from initial compromise to deployment of ransomware very quickly, often on the same day. This is quite different from traditional ransomware groups that may have days, weeks, or even months from the initial access gained to the deployment of the ransomware. Second, the frequent use of Cobalt Strike. I see the use of Cobalt Strike by ransomware groups fairly common. If you’re not looking for and detecting Cobalt Strike instances, you’re just asking for trouble. Last, unpatched software and firmware (and zero-days) are involved in at least a third of successful compromises. Every organization has a patching process, but most don’t get it perfect and if one-third of all successful compromises involved finding and exploiting vulnerable software and firmware, it really should be a primary focus for all organizations. You can’t just make it one of the many things you do out of hundreds of things you do. It has to be something you focus on and dedicate significant resources to (as you also need to do to mitigate social engineering). Because if you don’t, you’ll miss something and become the next ransomware victim.”

I would recommend that anyone who is responsible for securing their organization from cyberattacks take a look at the mitigation section of this advisory, as this is pretty serious.

CISA issues Medical Advisory on Qardio Heart Health app

Posted in Commentary with tags on February 14, 2025 by itnerd

CISA has just issued an ICS Medical Advisory on the Qardio Heart Health app for vulnerabilities that may expose private personal information to an attacker. Successful exploitation of these vulnerabilities could allow an attacker to obtain sensitive information, cause a denial-of-service condition, or have other implications. All of which are bad.

George McGregor, VP, Approov had this to say:

   “This recent vulnerability shows once more that mobile apps are the weakest link in the healthcare ecosystem and that it’s not just consumer access to PHI that is the issue.

   “Medical practitioner apps are increasingly used from personal devices, outside the security provided by campus networks. In addition, mobile apps have become a key means of access and control for every new medical device.

   “This is why the upcoming HIPAA Security Rule (https://www.regulations.gov/document/HHS-OCR-2024-0020-0001) must be updated to explicitly target known mobile app attack surfaces and eliminate the risks to US Healthcare posed by the proliferation of Healthcare apps.”

Given how much we all have become reliant on apps to manage our health in some way, this is not good news. But at least there is some good news coming in the form of the HIPAA rule that is inbound. Hopefully that will make something like this an edge case.

Trump Destroys America’s Cybersecurity Agenda

Posted in Commentary with tags on January 28, 2025 by itnerd

Over the past week, President Donald Trump repealed former President Joe Biden’s AI-focused executive order, issued in October 2023. The order had mandated that developers of advanced AI submit safety reports to the federal government. It also outlined plans for setting standards, revising procurement processes, and establishing the U.S. AI Safety Institute.

The new Trump administration also terminated all existing members of advisory committees that report to the Department of Homeland Security, which includes members of CISA’s Cyber Safety Review Board (CSRB), in alignment with DHS’s “commitment to eliminating the misuse of resources and ensuring that DHS activities prioritize our national security.”

The CSRB’s purpose has been to examine and assess cyber incidents and construct recommendations for improved security within the private and public sectors, providing advice to the Secretary of Homeland Security and the President. At the time of the dismissal, the board was apparently deep in its investigation of the Salt Typhoon hacking incident, the Chinese hacking campaign that penetrated telecommunications companies and spied on the calls and messages of US citizens.

Other advisory boards that have been dismantled include the Artificial Intelligence Safety and Security Board, Critical Infrastructure Partnership Advisory Council, National Security Telecommunications Advisory Committee, National Infrastructure Advisory Council, and the USSS Cyber Investigations Advisory Board.

Dismissed members are welcome to submit reapplications for their posts.

Willy Leichter, CMO, AppSOC:

  “As the Trump administration continues to throw wrenches into anything the Biden administration championed, there will inevitably be negative repercussions. This will delay or eliminate any proactive role for the US government in guiding AI technology. While you can argue that the private sector should drive this, the government has a legitimate role in issues around privacy and security. Gutting expertise and funding from federal agencies will inevitably put critical infrastructure, cyber security, and individual privacy at risk.”

Trump is putting the nation at risk. And this will come back to haunt the US sooner rather than later. There’s simply no other way to say it. You might want to remember that in four years’ time.

CISA shares guidance for Microsoft expanded logging capabilities

Posted in Commentary with tags on January 17, 2025 by itnerd

This week, CISA shared guidance for government agencies and enterprises on using expanded cloud logs in their Microsoft 365 tenants as part of their forensic and compliance investigations:

This playbook provides an overview of the newly introduced logs in Microsoft Purview Audit (Standard), which enable organizations to conduct forensic and compliance investigations by accessing critical events, such as mail items accessed, mail items sent, and user searches in SharePoint Online and Exchange Online. In addition, the playbook also discusses significant events in other M365 services such as Teams. Lastly, administration/enabling actions and ingestion of these logs to Microsoft Sentinel and Splunk Security Information and Event Management (SIEM) systems are covered in detail.

The desired outcome of this playbook is to empower enterprises seeking to operationalize these expanded cloud logs in their M365 tenant. It provides guidance on how to navigate to the logs within M365 and how to perform administration actions to enable the logs. A key outcome from the playbook is making the newly available logs an actionable part of enterprise cybersecurity operations. The analytical methodologies tied to using these logs to detect advanced threat actor behavior are covered in detail.

Botond Botyánszki, founder and CTO at NXLog, commented:

“Compromised business email accounts remain the most common type of security breaches, underscoring the need for accurate and timely log collection and processing. Audit logs of relevant events — such as email activity, mailbox access, and user searches in Exchange Online and SharePoint Online — are vital for investigating potential intrusions and continuous monitoring can help detect and prevent breaches before it’s too late.”

“The release of the “Microsoft Expanded Cloud Logs Implementation Playbook” is a significant step forward in enhancing organizational security posture. The playbook empowers organizations to detect and respond to potential intruders targeting M365 more effectively, aligning with modern cybersecurity needs.”

“The newly added logs available with Microsoft Purview Audit (Standard) include events such as email items accessed, email items sent, user searches in SharePoint and OneDrive, and Exchange Online activities. These audit logs provide critical visibility into key actions, such as monitoring email access for unauthorized data access, tracking outbound email activity to detect possible exfiltration, and identifying unusual searches for sensitive files. The guidance on integrating these logs with SIEM solutions like Microsoft Sentinel and Splunk ensures that security teams can seamlessly leverage their existing tools for proactive threat hunting and incident response. This initiative underscores the importance of robust log management practices in a cloud-first world, empowering organizations to defend against advanced intrusion tactics effectively.”
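To make the “monitoring email access for unauthorized data access” point concrete, the following is an added example written for this post, not code from the CISA playbook or from NXLog. It walks a handful of constructed records shaped like the MailItemsAccessed entries the playbook describes (the `MailAccessType`, `IsThrottled`, `ClientInfoString` and `Folders` fields follow Microsoft’s documented record format; every value is made up) and flags a full mailbox sync from an unexpected client, a throttled bind session, and item-level reads from an unknown external client. The corporate IP range and the list of “normal” client strings are assumptions.

```python
"""Triage MailItemsAccessed records from the Microsoft 365 unified audit log.

Added example for this post; the records below are constructed, not from a real tenant.
"""
import ipaddress
import json
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "severity rule user ip when")

# Assumptions: the office egress range, and ClientInfoString prefixes that ordinary mail clients produce.
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
KNOWN_CLIENTS = ("Client=OWA", "Client=Outlook", "Client=MicrosoftExchange")

# Constructed AuditData payloads, as they would arrive after ingestion into a SIEM.
SAMPLE_RECORDS = [json.dumps(r) for r in [
    {  # normal: the user reads two Inbox items in OWA from the office
        "CreationTime": "2025-01-15T08:02:11", "Operation": "MailItemsAccessed",
        "UserId": "alice@example.com", "ClientIPAddress": "203.0.113.25",
        "ClientInfoString": "Client=OWA;Action=ViaProxy",
        "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                                {"Name": "IsThrottled", "Value": "False"}],
        "Folders": [{"Path": "\\Inbox", "FolderItems": [{"InternetMessageId": "<m1@example.com>"},
                                                        {"InternetMessageId": "<m2@example.com>"}]}],
    },
    {  # suspicious: a whole-mailbox sync at 3am from an external address via a REST client
        "CreationTime": "2025-01-15T03:14:09", "Operation": "MailItemsAccessed",
        "UserId": "alice@example.com", "ClientIPAddress": "198.51.100.77",
        "ClientInfoString": "Client=REST;Client=RESTSystem;;",
        "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"},
                                {"Name": "IsThrottled", "Value": "False"}],
        "Folders": [{"Path": "\\Inbox", "FolderItems": []}, {"Path": "\\Sent Items", "FolderItems": []}],
    },
    {  # suspicious: bind access from the same client, and the mailbox has hit Microsoft's throttling limit
        "CreationTime": "2025-01-15T03:20:40", "Operation": "MailItemsAccessed",
        "UserId": "alice@example.com", "ClientIPAddress": "198.51.100.77",
        "ClientInfoString": "Client=REST;Client=RESTSystem;;",
        "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                                {"Name": "IsThrottled", "Value": "True"}],
        "Folders": [{"Path": "\\Inbox", "FolderItems": [{"InternetMessageId": "<m3@example.com>"}]}],
    },
    {  # a different operation type; out of scope for these rules
        "CreationTime": "2025-01-15T09:00:00", "Operation": "Send",
        "UserId": "alice@example.com", "ClientIPAddress": "203.0.113.25",
        "ClientInfoString": "Client=OWA;Action=ViaProxy",
    },
]]


def operation_properties(rec):
    return {p["Name"]: p["Value"] for p in rec.get("OperationProperties", [])}


def is_corporate(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CORPORATE_NETS)


def item_count(rec):
    return sum(len(f.get("FolderItems", [])) for f in rec.get("Folders", []))


def triage(raw_records):
    """Return (findings, items read per (user, ip)) for the MailItemsAccessed records in raw_records."""
    findings, items_by_actor = [], Counter()
    for raw in raw_records:
        rec = json.loads(raw)
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        props = operation_properties(rec)
        user, ip, when = rec["UserId"], rec.get("ClientIPAddress", ""), rec["CreationTime"]
        external = not is_corporate(ip)
        unknown_client = not rec.get("ClientInfoString", "").startswith(KNOWN_CLIENTS)
        access = props.get("MailAccessType")
        items_by_actor[(user, ip)] += item_count(rec)
        if access == "Sync" and (external or unknown_client):
            # Sync = the client downloaded the folder contents wholesale: exfiltration-shaped.
            findings.append(Finding("high", "mailbox_sync_from_unexpected_client", user, ip, when))
        if props.get("IsThrottled") == "True":
            # Microsoft stops logging binds for this mailbox once >1000 are generated in 24h;
            # the throttle flag itself is the bulk-access signal, and visibility is now lost.
            findings.append(Finding("high", "throttled_bulk_bind_access", user, ip, when))
        if access == "Bind" and external and unknown_client:
            findings.append(Finding("medium", "bind_from_unknown_external_client", user, ip, when))
    return findings, items_by_actor


if __name__ == "__main__":
    found, per_actor = triage(SAMPLE_RECORDS)
    for f in found:
        print(f"[{f.severity}] {f.rule} {f.user} from {f.ip} at {f.when}")
    for (user, ip), n in per_actor.items():
        print(f"{user} via {ip}: {n} items read")
```

In Sentinel or Splunk the same three rules map onto the parsed `AuditData` column; the throttling check is the one people miss, because once a mailbox is throttled the log goes quiet precisely when the most reading is happening.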

Every organization should read this playbook from the CISA as it offers excellent guidance which will help them to better defend against cyberthreats which are always evolving.

CISA sees a 201% increase in enrollment for its Cyber Hygiene (CyHy) service

Posted in Commentary with tags on January 13, 2025 by itnerd

In a report released Friday, CISA said it saw a 201% increase in Cyber Hygiene (CyHy) service enrollment from critical infrastructure organizations from Aug. 1, 2022, through Aug. 31, 2024.

Of the 7,791 critical infrastructure organizations that enrolled in the agency’s vulnerability scanning service during that period, the following sectors led the surge:

  • Communications – 300% 
  • Emergency services – 268%
  • Critical manufacturing – 243%
  • Water and wastewater systems – 242%

CISA cited a steady decrease in the number of exploitable services it monitors, from 12 per CyHy enrollee in August 2022 to roughly 8. The number of Known Exploited Vulnerabilities (KEV) tickets also declined, with critical-severity KEV tickets falling 50% and high-severity ones dropping by 25%.

Remediation times for SSL vulnerabilities fell as well, with tickets resolved in less than 50 days, down from about 200 days as of August 2022.

CISA’s report also highlighted the high exposure rate of operational technology protocols to the public internet, broken down by sector as follows:

  • 63% – Government services and facilities
  • 10% – IT
  • 10% – Energy
  • 5% – Healthcare

Lawrence Pingree, VP, Dispersive.io had this to say:

  “I think it’s admirable that CISA offers a free scanning service. It’s no surprise that enterprises leverage the free service to check for vulnerabilities, given you get a report regularly from the government for free (no cost). Seeking to find any vulnerabilities in your external attack surface is certainly one of the first priorities that enterprises should have. Keep in mind, it doesn’t necessarily represent the only way that attackers can breach an environment, and there’s no guarantee that a zero day isn’t used instead. Attackers just rotate to whatever they need to in order to accomplish their goals. So, if the external surface is too much of a challenge, they rotate to third parties, or malware+phishing, or even social engineering. The importance of my past research work in preemptive cyber defense (PCD) and automated moving target defense (AMTD) at Gartner was to point to the need to move to preemptive models instead of the whack-a-mole we play with vulnerabilities and patching.”

I am pretty impressed by this as it shows that organizations may actually be taking cybersecurity seriously. That is a good thing as we’ve seen what happens when cyber criminals are allowed to run wild.

Emily Phelps, Director at Cyware, follows with this:

  “CISA’s Cyber Hygiene service growth reflects the critical sectors’ increasing focus on cybersecurity, but the report also highlights persisting risks, like high exposure of operational technology protocols. Improved remediation times are encouraging, but organizations must go beyond addressing vulnerabilities to build resilience against evolving threats. Protecting critical infrastructure demands real-time threat detection, intel and defensive strategy sharing, coordinated responses, and robust strategies to secure essential services.”

CISA Issues Binding Operational Directive To Increase The Security Of Cloud Services

Posted in Commentary with tags on December 18, 2024 by itnerd

CISA has recently put out Binding Operational Directive 25-01, Implementing Secure Practices for Cloud Services:

Malicious threat actors have increasingly targeted cloud environments and evolved tactics to gain initial cloud access. In recent cybersecurity incidents, the improper configuration of security controls in cloud environments introduced substantial risk and resulted in actual compromises. To combat these threats, the Cybersecurity and Infrastructure Security Agency (CISA) initiated the Secure Cloud Business Applications (SCuBA) project. Through the SCuBA project, CISA developed Secure Configuration Baselines, providing consistent and manageable cloud security configurations and assessment tools, allowing agencies and CISA to improve security for Federal Civilian Executive Branch (FCEB) assets hosted in cloud environments. This Directive requires agencies to implement a set of SCuBA Secure Configuration Baselines for certain Software as a Service (SaaS) products widely used in the FCEB, deploy CISA developed automated configuration assessment tools to measure against the required baselines, integrate with CISA’s continuous monitoring infrastructure, and remediate deviations from the secure configuration baselines. These steps reduce risks highlighted by recent adversary activity and increase resiliency for FCEB agencies against cyber threats. 

Jim Routh, Chief Trust Officer, Saviynt had this comment:

“IT Hygiene is a way of describing an enterprise’s capabilities to identify IT assets, manage the configuration of those assets, apply vulnerability management to those assets and to update those assets when necessary. The new Directive from CISA is requiring federal agencies to improve their IT Hygiene for cloud hosted services supporting their needs. The configuration management requirements in cloud computing are different from IT assets hosted in proprietary data centers. Federal agencies with legacy infrastructure (non-cloud) must apply a different way to manage the configuration of cloud hosted IT assets that includes discovery, asset inventory management, configuration management and vulnerability management.”

Paul Zolfaghari, President, Saviynt, follows up with this:

“As we navigate an increasingly complex cyber landscape, the issuance of Binding Operational Directive 25-01 by the Cybersecurity and Infrastructure Security Agency (CISA) represents a pivotal advance in cloud security. This directive underscores our collective commitment to not only securing our nation’s digital infrastructure but also setting a benchmark for future cloud security measures. By mandating secure configuration baselines and integrating continuous monitoring, CISA is leading the charge in fortifying our federal networks against sophisticated cyber threats. This proactive approach is essential in ensuring the resilience and security of our cloud environments, and we are proud to support these vital initiatives.”

The CISA really has a great grasp as to what it needs to do to ensure that government does not become a target for threat actors. Private industry needs to copy what they are doing as they are really on the ball.

UPDATE: Chris Botelho, Sr. Solutions Engineer, LimaCharlie, adds this:

“The directive forces these agencies to modernize their security controls in order to better protect against malicious actors and software. Given the increase in activity of both nation-state actors and ransomware groups targeting third-parties that contract with the federal government rather than the federal government itself, it has become even more important to not only ensure federal systems are protected, but also the organizations that the federal government contracts with in order to protect data and prevent large-scale incidents. Malicious actors will always go for the weakest link in the chain, which currently are the SMBs that frequently don’t have the knowledge, time, expertise, or budget for implementing recommended security controls.

“Most of the controls being required by the directive are part of Microsoft’s own best practices and should already be in place. The controls and scanner are provided for free from CISA, so they can be implemented without any licensing costs. If an organization is using an enterprise M365 license, then they will likely have all the required controls available to them. However, organizations using F3 licenses or purchasing their M365 subscriptions through a third-party provider will likely need to upgrade their licenses or purchase additional licenses to gain access to the security controls required by the directive, such as Microsoft Purview. There will also be a time cost to implement the controls and update internal policies such as password management policies to reflect the new control requirements.

“Controls required by federal agencies frequently influence the controls implemented by private businesses both directly, through direct implementation of the controls based on the agency’s requirements, but also indirectly through regulatory bodies such as HITRUST and PCI-DSS that adopt the federal agency’s requirements as part of their own requirements. Additionally, by adopting federal controls, the effort required by leadership to create their own security controls is reduced while providing a tested and vetted method for ensuring the controls are implemented and can be easily tested through readily-available tools such as CISA’s SCuBA, without additional cost.

“The biggest challenge will be changing the user and management mindset for many of the historical security controls that no longer apply or work in today’s computing environments as well as the cost that would be involved if a business’s current license(s) don’t include the controls prescribed by the mandate. This could be something such as MFA, which may not be included in a business’s current service license and historically is seen by many as an unnecessary extra step, but significantly increases the authentication security of a business. Additionally, there may be regulations in place that a business has to follow that are in conflict with the CISA directive. For example, the new controls require that passwords are set to never expire. Historically, the industry standard was to change passwords every 60-90 days. However, research has shown that this actually decreases password security, but many organizations still do this because it has been the practice for decades and regulations such as PCI-DSS still require it.”

CISA releases International Plan to strengthen global collaboration on cyber threats related to critical infrastructure

Posted in Commentary with tags on October 31, 2024 by itnerd

Earlier this week, CISA released its 2025-2026 International Strategic Plan, aimed at enhancing global collaboration to address cyber threats to critical infrastructure.

The plan recognizes the intricate and geographically dispersed nature of cyber risks, emphasizing the importance of quickly sharing threat information and risk reduction guidance with international partners.

The plan sets out three goals for CISA to achieve over the 2025-2026 period:

  1. Bolster the Resilience of Foreign Infrastructure on which the US Depends – CISA will work with interagency and international partners to identify and understand which international systems and assets are critical, and to assess how they are vulnerable, in order to create strategies to manage shared risks.
  2. Strengthen Integrated Cyber Defense – CISA plans to collaborate with partners, international organizations, and NGOs to shape global cybersecurity practices and standards, promoting widespread cyber safety and security.
  3. Unify Agency Coordination of International Activities – The CISA Stakeholder Engagement Division will create a governance structure to advise on international issues and clearly outline the agency’s international priorities. This will involve enhancing systematic information sharing across CISA to ensure situational awareness of ongoing and future international activities.

CISA will also focus on enhancing the skills of its workforce to better influence the international landscape including developing training programs for employees overseas and providing guidance on international affairs for all traveling staff.

“In following this plan, CISA will improve coordination with our partners and strengthen international relationships to reduce risk to the globally interconnected and interdependent cyber and physical infrastructure that Americans rely on every day,” CISA Director Jen Easterly commented.

Emily Phelps, Director, Cyware:

“CISA’s 2025-2026 International Strategic Plan underscores the urgency of an interconnected approach to securing critical infrastructure across borders. As cyber threats grow increasingly complex and far-reaching, swift, collaborative information-sharing becomes essential to mitigate risks that could impact not just a single nation but the global landscape. CISA’s commitment to bolstering the resilience of international assets and systems vital to U.S. security reflects a forward-thinking acknowledgement of interdependencies in today’s cyber ecosystem. The focus on strengthening integrated cyber defenses and establishing clearer governance structures is a strategic leap towards a unified, cohesive response to these shared threats. This approach—fostering resilience, enhancing standards, and emphasizing interagency coordination—can set a precedent for global cybersecurity initiatives, reinforcing that collective defense is the linchpin in navigating future cyber challenges.”

A collective approach to defending critical infrastructure is the way to go. And once again I applaud the CISA in terms of leading the way. Hopefully other countries take this just as seriously as the CISA does.

CISA warns of Iranian initial access brokers targeting critical infrastructure 

Posted in Commentary with tags on October 17, 2024 by itnerd

Yesterday, CISA published a joint advisory stating that Iranian hackers are acting as initial access brokers: they break into critical infrastructure organizations to collect credentials and network data, which they then sell on cybercriminal forums to enable cyberattacks by other threat actors.

The government agencies warn that since October 2023, Iranian actors have used brute-force techniques such as password spraying, as well as MFA “push bombing” (also known as MFA fatigue), to compromise user accounts and obtain access to organizations.

Once threat actors obtain persistent access, they typically register their own devices with the organization’s MFA system, collect more credentials, escalate privileges, and learn about the breached systems and the network, allowing them to move laterally and identify other points of access and exploitation.

The agencies made numerous recommendations including but not limited to:

  • Reviewing authentication logs for failed logins
  • Looking for MFA registrations from unexpected locales or devices
  • Checking for suspicious privileged account use after resetting passwords 
  • Applying user account mitigations after password resets
  • Investigating unusual activity in typically dormant accounts
  • Scanning for unusual user agent strings

The alert is co-authored by the FBI, NSA, the Communications Security Establishment Canada, the Australian Federal Police, and the Australian Signals Directorate’s Australian Cyber Security Centre.
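The recommendations above are all log-review tasks, so here is how they look as detection logic. This is an added example written for this post, not anything from the advisory: it runs over a constructed set of sign-in, MFA-push and MFA-registration events that replay the described sequence (a password spray from one IP, a guessed password followed by repeated push prompts until the user approves one, then the actor enrolling their own MFA device) and raises one alert per technique, plus a check for user agent strings that no normal mail client produces. The event fields, thresholds and the “known” user-agent prefixes are assumptions to fit to your identity provider’s log schema.

```python
"""Hunt for password spraying, MFA push bombing and rogue MFA enrolment in sign-in logs.

Added example for this post; the events below are constructed and the IPs are documentation ranges.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Alert = namedtuple("Alert", "rule subject detail")


def ev(t, kind, user, ip, country, ua, result):
    return {"ts": t, "type": kind, "user": user, "ip": ip, "country": country, "ua": ua, "result": result}


ATTACKER_IP, ATTACKER_UA = "198.51.100.9", "python-requests/2.31"  # constructed
EVENTS = [
    # Two-day-old legitimate history for jsmith, which establishes the location baseline.
    ev("2024-10-13T09:00:00", "signin", "jsmith@example.com", "203.0.113.10", "US",
       "Mozilla/5.0 (Windows NT 10.0)", "success"),
    # Password spray: one IP, one failed attempt against each of six accounts.
    *[ev(f"2024-10-15T02:0{i}:00", "signin", f"user{i}@example.com", ATTACKER_IP, "NL", ATTACKER_UA, "failure")
      for i in range(6)],
    # A guessed password works for jsmith, then the push bombing begins.
    ev("2024-10-15T02:06:00", "signin", "jsmith@example.com", ATTACKER_IP, "NL", ATTACKER_UA, "success"),
    ev("2024-10-15T02:06:30", "mfa_push", "jsmith@example.com", ATTACKER_IP, "NL", ATTACKER_UA, "denied"),
    ev("2024-10-15T02:09:00", "mfa_push", "jsmith@example.com", ATTACKER_IP, "NL", ATTACKER_UA, "denied"),
    ev("2024-10-15T02:12:00", "mfa_push", "jsmith@example.com", ATTACKER_IP, "NL", ATTACKER_UA, "timeout"),
    ev("2024-10-15T02:15:00", "mfa_push", "jsmith@example.com", ATTACKER_IP, "NL", ATTACKER_UA, "denied"),
    ev("2024-10-15T02:20:00", "mfa_push", "jsmith@example.com", ATTACKER_IP, "NL", ATTACKER_UA, "approved"),
    # Persistence: the actor enrols their own device with the victim's MFA.
    ev("2024-10-15T02:25:00", "mfa_register", "jsmith@example.com", ATTACKER_IP, "NL", ATTACKER_UA, "success"),
]


def ts(e):
    return datetime.fromisoformat(e["ts"])


def detect_password_spray(events, min_users=5, window=timedelta(minutes=30)):
    """One source IP failing against many distinct accounts in a short window."""
    failures = defaultdict(list)
    for e in events:
        if e["type"] == "signin" and e["result"] == "failure":
            failures[e["ip"]].append(e)
    alerts = []
    for ip, fails in failures.items():
        fails.sort(key=ts)
        for i, first in enumerate(fails):  # slide the window over the failures from each start point
            users = {f["user"] for f in fails[i:] if ts(f) - ts(first) <= window}
            if len(users) >= min_users:
                alerts.append(Alert("password_spray", ip, f"{len(users)} accounts within {window}"))
                break
    return alerts


def detect_mfa_push_bombing(events, min_rejected=3, window=timedelta(minutes=30)):
    """Repeated denied or timed-out pushes for one user; worse if a later push was approved."""
    pushes = defaultdict(list)
    for e in events:
        if e["type"] == "mfa_push":
            pushes[e["user"]].append(e)
    alerts = []
    for user, ps in pushes.items():
        ps.sort(key=ts)
        rejected = [p for p in ps if p["result"] in ("denied", "timeout")]
        if len(rejected) < min_rejected or ts(rejected[-1]) - ts(rejected[0]) > window:
            continue
        approved_after = any(p["result"] == "approved" and ts(p) > ts(rejected[-1]) for p in ps)
        rule = "mfa_push_bombing_succeeded" if approved_after else "mfa_push_bombing"
        alerts.append(Alert(rule, user, f"{len(rejected)} rejected pushes from {rejected[0]['ip']}"))
    return alerts


def detect_new_mfa_device(events, history=timedelta(days=1)):
    """An MFA registration from a country absent from the user's established (day-old) sign-in history."""
    alerts = []
    for e in events:
        if e["type"] != "mfa_register":
            continue
        known = {s["country"] for s in events
                 if s["type"] == "signin" and s["result"] == "success"
                 and s["user"] == e["user"] and ts(e) - ts(s) >= history}
        if e["country"] not in known:
            alerts.append(Alert("mfa_registration_from_new_location", e["user"],
                                f"{e['country']} via {e['ip']}; known={sorted(known)}"))
    return alerts


def detect_unusual_user_agents(events, known_prefixes=("Mozilla/", "Outlook/", "Microsoft Office/")):
    """User agents that no ordinary mail or browser client presents (assumed prefix list)."""
    seen = defaultdict(set)
    for e in events:
        if not e["ua"].startswith(known_prefixes):
            seen[e["ua"]].add(e["ip"])
    return [Alert("unusual_user_agent", ua, f"from {sorted(ips)}") for ua, ips in seen.items()]


def run_all(events):
    return (detect_password_spray(events) + detect_mfa_push_bombing(events)
            + detect_new_mfa_device(events) + detect_unusual_user_agents(events))


if __name__ == "__main__":
    for a in run_all(EVENTS):
        print(f"[{a.rule}] {a.subject}: {a.detail}")
```

The registration rule is the one worth tuning most carefully: the advisory’s point is that a successful push-bombing is followed by the actor enrolling a device of their own, so a new MFA device appearing minutes after a burst of rejected prompts, from a location the account has never signed in from, should be treated as a compromise, not a help-desk ticket.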

Evan Dornbush, former NSA cybersecurity expert, has some perspective on this:

   “Google released a report noting 70% of exploited flaws disclosed in 2023 were zero-days. Mandiant released a report noting attackers have incredibly decreased the time it takes to convert a disclosed flaw into an easily-available exploit product. Microsoft released a report noting that 78% of nation state activity is against the private sector, often in the form of for-profit actions. And CISA in collaboration with the UK and Australia are noting that criminals and governments are working together, sharing tools and access.

“The essential insight here is the necessity to evolve from purely reactive posturing, and shift to take proactive measures as part of one’s applied cybersecurity strategy. The amount of money criminals can earn is getting too little attention. It is too costly to defend, and too cheap to attack, and until we can effect a paradigm shift, things will continue to escalate.”

This is another one of those documents that’s required reading if your job is to keep your organization from getting pwned. Something that is getting harder to do these days.

UPDATE: I have two more comments on this. Starting with Avishai Avivi, CISO, SafeBreach:

“The CISA alert of Iranian cyber actors’ brute force and credential access activity is a good reminder – especially during cybersecurity awareness month – that these malicious actors are working to abuse ‘Multifactor Authentication (MFA) Exhaustion.’ If, as a good cyber-aware person, you’ve enabled MFA on your social networking, WhatsApp or other messaging apps, and bank accounts, you may have grown used to getting and approving MFA requests. The malicious actors hope you won’t pay attention and approve any MFA push notification you may receive. So, as a reminder, when you are prompted to authorize a session, please take a quick second to verify that you are the one who made that request. Malicious actors are constantly testing credentials they’ve obtained through breaches. They hope that the combination of these credentials and MFA exhaustion will let them take over your account. While the CISA alert specifically mentions critical infrastructure as the target of these malicious actors, this diligence is important to prevent access to your work and personal accounts.”

Followed by James Winebrenner, Chief Executive Officer, Elisity:

“On October 16, 2024, FBI, CISA, NSA, and other global government agencies published an advisory about how Iranian cyber actors recently compromised critical infrastructure organizations using brute force attacks and MFA bombing, then performed network discovery and lateral movement. This is just one more example of a nation-state cyber attack that used lateral movement. Also in 2024, China’s Volt Typhoon group compromised IT networks of multiple critical infrastructure organizations in the U.S., using lateral movement to access operational technology assets for potential disruptive attacks. North Korean hackers targeted aerospace and defense organizations with a new ransomware variant called FakePenny, using lateral movement for intelligence gathering. A modern identity-based microsegmentation platform would detect and prevent such unauthorized lateral movement attempts, preventing attackers from accessing sensitive systems even if initial credentials are compromised. CISOs and security architects want to look for a platform that provides comprehensive asset discovery and visibility and enables identity-based policies that enforce least-privilege access across users, devices, and applications, significantly reducing the attack surface and stopping threat actors from moving laterally within the network.”

Finally, Ryan Patrick, VP of Adoption, HITRUST:

“In response to the recent joint advisory issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and their international counterparts, HITRUST acknowledges the escalating threat posed by Iranian cyber actors who are actively targeting critical infrastructure sectors, including healthcare and public health (HPH).

We recognize the critical importance of safeguarding sensitive data and systems in these highly targeted industries. The advisory highlights the need for organizations across healthcare, government, energy, and information technology to reinforce their defenses against advanced tactics, including brute force credential attacks. Cybercriminals are increasingly sophisticated in their efforts to exploit vulnerabilities and sell access to compromised networks, putting critical infrastructure at risk. A key aspect of preventing these attacks lies in integrating threat intelligence into cybersecurity strategies. HITRUST emphasizes that assessments and controls informed by up-to-date threat intelligence are crucial in identifying and mitigating emerging risks. By embedding intelligence-driven controls into their operational security, organizations can proactively defend against evolving tactics used by cybercriminals, including brute force attacks. This continuous monitoring and refinement process allows for stronger protection of sensitive data and critical infrastructure.

We encourage all organizations, especially those in the healthcare and public health sectors, to review the joint cybersecurity advisory and ensure that appropriate safeguards are in place, including the use of strong authentication methods, continuous monitoring, and proactive threat intelligence. HITRUST will continue to support these efforts by delivering the tools and resources necessary to meet the highest standards of information protection and compliance.”