Archive for CISA

CISA announces “FOCAL”

Posted in Commentary with tags on September 18, 2024 by itnerd

This week, CISA announced a new plan to align the “collective operational defense capabilities” of the more than 100 US federal civilian agencies (those outside the Department of Defense) in order to reduce their cyber risk.

CISA notes in the plan that there is currently “no cohesive or consistent baseline security posture” across agencies, which fails to consider the current threat environment and the complex digital ecosystem.

The plan, known as FOCAL, for Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment, sets out both “broad organizing concepts for federal cybersecurity” and tactical guidance agencies should implement in the coming year. It covers five areas of cybersecurity:

  1. Asset management
  2. Vulnerability management
  3. Defensible architecture
  4. Cyber supply chain risk management
  5. Incident detection and response

While CISA stresses that each FCEB agency has its own mission, supported by its own networks and systems, it also believes that, with standardization and consistency, a collective approach to cybersecurity will further reduce risk across federal cyber defenses as agencies interact with each other and share data.

Emily Phelps, Director, Cyware had this to say:

  “CISA’s FOCAL plan highlights the value of collective defense in securing the federal cyber landscape. This approach leverages the strengths and knowledge of each entity to build a more robust defense against evolving threats. The interconnected nature of today’s digital ecosystem means that vulnerabilities in one area can ripple across others, making a collective defense strategy essential for reducing risk. By fostering collaboration, information sharing, and standardization, agencies can more effectively defend against sophisticated cyber adversaries while reinforcing the overall security of the nation’s critical infrastructure.”

Stephen Gates, Principal Security SME, Horizon3.ai follows with this:

  “This initiative is not just necessary—it’s long overdue. Now is the time to embrace a proven strategy that aligns with the five key objectives outlined in the plan. Organizations must begin by assessing their own environments, using the same tactics, techniques, and procedures (TTPs) that adversaries use. This ensures they’re effectively managing high-risk assets, identifying and mitigating exploitable vulnerabilities, and fortifying their architectures. This approach should extend to their supply chain, ensuring partners meet the same standards, and that incident detection and response systems are proven to be fully operational.”

This is a good move by CISA, which has a history of coming up with good initiatives to improve cybersecurity inside and outside government. This is something that seriously needs to be copied by the private sector, as I think you will see that this is going to be highly effective in terms of deterring cyberattacks.

Federal Highway Administration Adopts CISA-Designed Cybersecurity Evaluation Tool 

Posted in Commentary with tags on September 12, 2024 by itnerd

In a Federal Register posting yesterday, the Federal Highway Administration (FHWA) said that it would adopt the CISA-designed Cyber Security Evaluation Tool, a voluntary program created to help organizations “in identifying, detecting, protecting against, responding to, and recovering from cyber incidents”.

The FHWA said it is adopting the tool because it is often called in to help federal and state agencies “whose primary missions revolve around securing critical transportation infrastructure” deal with cyber incidents, and the tool should streamline that process.

   “The FHWA provides subject matter expertise to those agencies in identifying potential physical and cybersecurity threats and appropriate mitigation efforts.

   “When presented with physical or cybersecurity questions, concerns or incidents from State, local, Tribal, and Territorial transportation authorities, or other stakeholders, FHWA routinely assists in connecting these entities to security-focused government agencies, including the Transportation Security Administration, the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation,” the posting states.

The announcement comes after the Transportation Department solicited public feedback on the tool in March. The goal was to avoid building a duplicative cyber tool and to take advantage of the work already done by CISA. 

Emily Phelps, Director, Cyware:

  “The Federal Highway Administration’s decision to adopt a streamlined cybersecurity evaluation tool is a prime example of how leveraging existing frameworks can prevent inefficiencies and unnecessary complexity. Rather than reinventing the wheel, organizations are empowered to strengthen their cybersecurity posture without overwhelming their tech stacks or stretching resources thin. This kind of inter-agency cooperation fosters resilience by aligning efforts, avoiding redundant solutions, and ensuring that critical infrastructure is protected from evolving threats in a cost-effective manner. Ultimately, the collective defense approach is key to sustainable, effective cybersecurity.”

This is a move that will reap benefits in the long term. Hopefully this is something that other sectors copy and implement, because more robust cybersecurity, delivered with a consistent approach, is always better.

CISA Issues Warning About Iranian Sponsored Threat Actor “Fox Kitten”

Posted in Commentary with tags on September 3, 2024 by itnerd

CISA has put out an advisory on the Iran-linked threat actors known as Fox Kitten, who are using their intrusions for both government espionage and commercial ransomware operations:

This advisory outlines activity by a specific group of Iranian cyber actors that has conducted a high volume of computer network intrusion attempts against U.S. organizations since 2017 and as recently as August. Compromised organizations include U.S.-based schools, municipal governments, financial institutions, and healthcare facilities. This group is known in the private sector by the names Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, and Lemon Sandstorm. The actors also refer to themselves by the moniker Br0k3r, and as of 2024, they have been operating under the moniker “xplfinder” in their channels. FBI analysis and investigation indicate the group’s activity is consistent with a cyber actor with Iranian state-sponsorship.

The FBI previously observed these actors attempt to monetize their access to victim organizations on cyber marketplaces. A significant percentage of the group’s US-focused cyber activity is in furtherance of obtaining and maintaining technical access to victim networks to enable future ransomware attacks. The actors offer full domain control privileges, as well as domain admin credentials, to numerous networks worldwide. More recently, the FBI identified these actors collaborating directly with ransomware affiliates to enable encryption operations in exchange for a percentage of the ransom payments.

Adam Maruyama, Field CTO of Garrison Technology had this to say:

“CISA’s recent advisory regarding the joint governmental espionage and commercial ransomware activities of Iran-linked cyber group Fox Kitten shows how groups with the capabilities to attack some of the world’s most hardened networks are turning those capabilities to the broader commercial space. Increasing pressure from Fox Kitten and similarly equipped actors against commercial companies, particularly in non-regulated sectors, raises the stakes significantly in their fight against ransomware and other network intrusions. 

“To put it simply, the architecture and technologies commercial companies use to detect and respond to low-to-moderate sophistication cyber attacks lack the ability to effectively prevent and deter highly sophisticated cyber criminals and nation-state actors.

“If the trend of blurred lines between nation-state and criminal actors continues, commercial entities will need to augment their defenses by using defense-grade, high-assurance technology that aims to prevent, rather than detect, malicious activity using techniques like hardware-enforced isolation/access and content disarm and reconstruction (CDR). Unlike most commercial cybersecurity solutions, which analyze content and determine whether it’s malicious or not, these technologies treat all content as potentially malicious and use innovative methods to recreate safe, inert versions before content enters an organization’s systems.”

This is a great example of “good enough” security not being nearly “good enough”, and of nation-state exploits being used against a broader target set. Thus organizations need to shift their thinking and defence strategies so that they are not the next victim of these groups.

Cybersecurity Agencies Issue Warning About APT40

Posted in Commentary with tags on July 10, 2024 by itnerd

This is something that you should likely pay attention to. Cybersecurity agencies from Australia, Canada, Germany, Japan, New Zealand, South Korea, the U.K., and the U.S. have released a joint advisory about the China-linked cyber espionage group APT40 and its ability to co-opt exploits for newly disclosed security flaws within hours or days of public release, which is of course very bad for all of us.

Rogier Fischer, CEO, Hadrian had this comment:

“We have known of its existence since 2009. For the past 15 years, this Chinese state-sponsored threat group has been targeting maritime, defense, aerospace, engineering, and research institutions across the United States, Europe, and Asia-Pacific,” observed Rogier Fischer, CEO of Dutch cybersecurity service Hadrian.

Although its modus operandi includes old-as-the-earth methods such as spear-phishing campaigns, exploitation of web vulnerabilities, deployment of custom malware, and credential harvesting, they stand apart by utilising advanced persistence mechanisms, robust command and control infrastructure, and obfuscation techniques to evade detection, he explained.

According to him, understanding APT40’s strategic targeting helps prioritise defenses around critical sectors and sensitive data.

“To protect against APT40, it is essential to implement advanced threat detection systems and maintain continuous network monitoring to identify and respond to suspicious activities,” he said. “Regularly update and patch software to close exploitable vulnerabilities. Segment networks to limit lateral movement and develop a robust incident response plan to quickly address and mitigate security incidents,” he added.

These sorts of warnings don’t come out every day. Thus they need to be heeded and action needs to be taken so that organizations don’t end up becoming the next victim of groups like APT40.

CISA warns chemical facilities of data exfiltration after CISA tool breach 

Posted in Commentary with tags on June 25, 2024 by itnerd

In notification letters dated June 20, 2024, CISA warned participants in the Chemical Facility Anti-Terrorism Standards (CFATS) program that sensitive data may have been exfiltrated after its Chemical Security Assessment Tool (CSAT) was breached by a malicious actor.

CFATS is a program that regulates high-risk chemical facilities to ensure security measures are in place to reduce the risk of certain hazardous chemicals being weaponized. Any facility that manufactures, uses, stores, or distributes certain levels of chemicals of interest is required to report to CISA via the CSAT.

CISA said that on January 26 it identified potentially malicious activity within the CSAT Ivanti Connect Secure appliance and immediately took the system offline. The investigation revealed that a bad actor had installed an advanced webshell on the Ivanti device capable of executing malicious commands or writing files to the underlying system.

Information accessed includes:

  • Top-Screen Surveys: facility topography, types of chemicals of interest at the facility, and characteristics of chemicals and storage
  • Security Vulnerability Assessments: the facility’s use of chemicals of interest and measures related to the facility’s policies, procedures, and resources
  • Site Security Plans and Alternative Security Programs
  • Personnel Surety Program: Name/aliases, place of birth, citizenship, redress and Global Entry number
  • CSAT User Accounts: name, title, business address, and business phone number

No exfiltration of data from CSAT beyond the Ivanti device was identified. CISA added that all data held in CSAT was encrypted and information from each application had additional security controls limiting the likelihood of lateral access.

Evan Dornbush, former NSA cybersecurity expert, said:

   “Intrusions like these remind us that turning on logging is often not enough, that robust measures including analysis of network traffic and other forms of defense in depth continue to be the best practices for a strong defensive posture against the adversary.”

While CISA’s investigation found no evidence of data exfiltration or lateral movement, this is still bad. Hopefully CISA gets a handle on this, as it isn’t a good look.

CISA conducts first-ever public-private AI security incident response exercise

Posted in Commentary with tags on June 19, 2024 by itnerd

Last week, CISA announced that it is putting together a comprehensive framework to unify government, industry and global partners in their response to significant security incidents involving AI, just after conducting the first-ever AI security incident tabletop exercise.
 
The four-hour event held at Microsoft’s Virginia offices brought together over 50 AI experts and was intended to support the development of the AI Security Incident Collaboration playbook that is expected to be released later this year.
 
Participants in the event included the FBI, the NSA, the Office of the Director of National Intelligence and the Defense and Justice departments as well as AI and software developers including, but not limited to:

  • OpenAI
  • Microsoft
  • IBM
  • Cisco
  • Amazon Web Services

 
The Joint Cyber Defense Collaborative, CISA’s flagship public-private partnership, organized the exercise and is developing the playbook through a planning effort called JCDC.AI. The collaborative is planning a second exercise later this year on AI integration in U.S. critical infrastructure.
 
FBI Cyber Division Assistant Director Bryan Vorndran said the exercise showed that both sectors are better prepared to handle cyberthreats when there is adequate coordination.

“We are stronger when we come together to share information and determine best practices in the evolving AI landscape.”

Dave Ratner, CEO, HYAS had this comment:

   “Determining and aligning on best practices in the evolving AI landscape is a great endeavor and a needed exercise. However, the criminals are clearly not participating and march to their own drum, which is why we need to stay vigilant with the development of cyber resiliency approaches against the ever-increasingly complex and AI-driven attacks.”

Exercises like this one are a good thing in my mind as it helps to flush out weaknesses for improvement and strengthens the things that organizations do well. Others should look at this and copy it as this is a good model to work from.

CISA Issues Urgent Warning Regarding Mirth Connect

Posted in Commentary with tags on May 22, 2024 by itnerd

CISA has added a critical security flaw impacting NextGen Healthcare’s Mirth Connect to its Known Exploited Vulnerabilities (KEV) catalog. This flaw, identified as CVE-2023-43208, has been actively exploited in the wild.

Mirth Connect is an open-source data integration platform extensively used in the healthcare industry to facilitate standardized data exchange between various systems. It handles over a billion transactions daily across thirty countries. 

The vulnerability allows unauthenticated remote code execution and stems from an incomplete patch for another significant flaw, CVE-2023-37679, which carries a CVSS score of 9.8. Details of CVE-2023-43208 were first disclosed by Horizon3.ai in late October 2023, with additional technical information and a proof-of-concept exploit released in January 2024. 

According to security researcher Naveen Sunkavally, CVE-2023-43208 is linked to the insecure use of the Java XStream library for unmarshalling XML payloads, making it easily exploitable.

CISA has not released details regarding the specific nature of the attacks exploiting this flaw or the entities responsible for weaponizing it. The timing of these exploitations also remains unclear. However, federal agencies are mandated to update to a patched version of the software, specifically Mirth Connect version 4.4.1 or later, by June 10, 2024.
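The insecure-unmarshalling root cause described above is the general case of letting XStream instantiate whatever type an untrusted XML document names. As an added illustration (not code from Mirth Connect, Horizon3.ai or the original post), the following Java snippet shows the XStream type-allowlist pattern a defender applies so that only the application’s own message types can be deserialized. The ChannelMessage class, the alias and the two XML strings are constructed for the example.

```java
// Added example: XStream hardening with an explicit type allowlist.
// Not Mirth Connect's code; the types and XML below are constructed.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamHardeningDemo {

    // Hypothetical message type the application legitimately expects.
    public static class ChannelMessage {
        public String channelId;
        public String payload;
    }

    // Weak setting: any class name the document mentions may be instantiated,
    // so the sender of the XML, not the application, decides which types are
    // created. Shown only as the "before" to contrast with the hardened form.
    static XStream permissive() {
        XStream xs = new XStream();
        xs.addPermission(AnyTypePermission.ANY);
        xs.alias("message", ChannelMessage.class);
        return xs;
    }

    // Hardened setting: deny every type, then re-admit only what is needed.
    // NoTypePermission.NONE clears XStream's default permissions first.
    static XStream hardened() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { String.class, ChannelMessage.class });
        xs.alias("message", ChannelMessage.class);
        return xs;
    }

    // Returns true when the allowlist refuses the document before any object
    // of an unexpected type is constructed.
    static boolean rejects(XStream xs, String xml) {
        try {
            xs.fromXML(xml);
            return false;
        } catch (ForbiddenClassException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed input the application is designed to accept.
        String expected =
            "<message><channelId>c1</channelId><payload>hello</payload></message>";
        // Constructed input naming a JDK type the application never intended
        // to deserialize; harmless here, it simply stands in for "not on the list".
        String unexpected = "<java.util.HashMap/>";

        XStream hardened = hardened();
        ChannelMessage m = (ChannelMessage) hardened.fromXML(expected);
        System.out.println("accepted: " + m.channelId + " / " + m.payload);
        System.out.println("hardened rejects unexpected type: " + rejects(hardened, unexpected));
        System.out.println("permissive rejects unexpected type: " + rejects(permissive(), unexpected));
    }
}
```

The design point is that the allowlist is checked by XStream’s security framework before reflection creates an instance, so an unexpected class name fails closed with ForbiddenClassException instead of being instantiated and inspected afterwards. Any type that has to be added to the list later should be reviewed the same way a new network-facing endpoint would be.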

The aforementioned Naveen Sunkavally, Chief Architect, Horizon3.ai had this to say: 

   “It’s not surprising that CVE-2023-43208 was added to the CISA KEV catalog. Back in April, Microsoft threat intelligence reported that CVE-2023-43208 was being exploited by China-based threat actor Storm-1175 for initial access. And there have been reports of exploitation prior to that.

   “We work with a lot of healthcare companies. While Mirth Connect may not be a familiar name, the data we have backs up the fact that it is a widely adopted technology. Our data is what led us to research Mirth Connect for vulnerabilities in the first place last summer. Our own pentesting product, NodeZero, routinely exploits CVE-2023-43208 in client environments, both for initial access and lateral movement.

   “The inclusion of CVE-2023-43208 in the CISA KEV catalog is a reminder that attackers are inherently opportunistic and will exploit anything that seems valuable – not just VPNs, Microsoft Exchange, and Confluence. We highly encourage companies to check for Mirth Connect in their environments and patch to the latest version.”

While patching all the things isn’t a guarantee that it will keep the bad guys from pwning you, it’s a great start, as vulnerabilities that have patches available are low-hanging fruit for threat actors.

CISA, FBI, DHS Release Guidance For Limited Resourced Civil Society Organizations

Posted in Commentary with tags on May 15, 2024 by itnerd

Yesterday, in partnership with the DHS, the FBI and numerous international agencies, CISA released a joint guidance document to help civil society organizations and individuals reduce the risk of cyber intrusions and to encourage software manufacturers to actively commit to implementing Secure by Design practices to help protect vulnerable and high-risk communities.

   “Civil society, comprised of organizations and individuals such as nonprofit, advocacy, cultural, faith-based, academic, think tanks, journalist, dissident, and diaspora organizations, and communities involved in defending human rights and advancing democracy, are considered high-risk communities. Often these organizations and their employees are targeted by state-sponsored threat actors who seek to undermine democratic values and interests,” CISA’s release read.

Civil society organizations and individuals are encouraged to implement the following best practices as defined by CISA’s Cross-Sector Cybersecurity Performance Goals:

  • Keep software and applications updated on devices and IT infrastructure
  • Use multifactor authentication and use strong passwords
  • Audit accounts and disable unused and unnecessary accounts
  • Disable user accounts and access to organizational resources for departing staff
  • Apply the Principle of Least Privilege
  • Exercise due diligence when selecting vendors, such as cloud services and MSPs
  • Manage architecture risks
  • Implement basic cybersecurity training
  • Develop and exercise incident response and recovery plans
  • Use encryption measures to protect all communications

Software manufacturers are strongly encouraged to embrace Secure by Design principles and mitigations that improve their customers’ security posture, including:

  • Vulnerability management: working to eliminate entire classes of vulnerability in their products
  • Enabling MFA by default in all products
  • Provide logging at no additional charge and alert customers of suspicious or anomalous behavior
  • Implement alerts so customers are aware of unsafe configurations, suspicious behavior, and malware
  • Include details of a Secure by Design program in corporate financial reports.

Dave Ratner, CEO, HYAS had this to say:

   “Security by design is a good practice to implement and goes hand-in-hand with the equivalent for enterprise network design — designing for cyber resiliency. Too often security is an afterthought; with both security by design for software engineering, and cyber resiliency design for networks and organizations, the overall design becomes foundationally secure, and that’s exactly what is needed going forward to combat the continued onslaught of new and innovative attacks and risks.”

What I like about this initiative is that it is targeting a group of people who likely don’t spend a lot of time and effort to make sure that they are secure. Yet they are low hanging fruit for threat actors. Hopefully this generates results and civil society organizations and individuals are better protected as a result.

CISA releases AI safety and security guidelines for critical infrastructure

Posted in Commentary with tags on May 1, 2024 by itnerd

Yesterday, CISA released MITIGATING AI RISK: Safety and Security Guidelines for Critical Infrastructure Owners and Operators, intended to address both the opportunities the technology offers critical infrastructure and the ways it could be weaponized or misused.

“AI can present transformative solutions for U.S. critical infrastructure, and it also carries the risk of making those systems vulnerable in new ways to critical failures, physical attacks, and cyber attacks. Our Department is taking steps to identify and mitigate those threats,” Homeland Security Secretary Alejandro Mayorkas said in a statement.

According to the guidelines, opportunities related to AI include operational awareness, customer service automation, physical security, and forecasting. At the same time, it also warns that AI risks to critical infrastructure could include attacks utilizing AI, attacks targeting AI systems, and “failures in AI design and implementation,” leading to potential malfunctions or unintended consequences.

CISA instructs owners and operators to govern, map, measure, and manage their use of the technology, incorporating NIST’s AI risk management framework, and emphasizes understanding dependencies on AI vendors and inventorying AI use cases. It also encourages critical infrastructure owners to create procedures for reporting risks and to continuously test the systems for vulnerabilities.

This release comes just days after the DHS announced the formation of a safety and security board focused on the same topic, including executives Sam Altman of OpenAI and Sundar Pichai from Alphabet.

Jason Keirstead, VP of Collective Threat Defense, Cyware had this to say:

   “I am pleased that CISA is highlighting the challenges AI presents for securing critical infrastructure. These guidelines underscore the need for robust AI system governance, urging infrastructure owners to adopt a structured framework for AI risk management. Simultaneously, CISA should work to highlight the opportunities that AI brings to assist in the defense of critical infrastructure, when leveraged effectively and with the goal of helping to break data silos in order to uncover hidden threats. If we want to avoid recreating the same siloed challenges that have impacted security operations tech and teams, we must encourage adopting consistent standardization and require defensive AI systems to interoperate with each other – this is key to both effectiveness and efficiency.”

This is a good move by CISA because it is putting something out there that mitigates risk. And there are potentially many risks with AI that we simply aren’t aware of. Thus it would be wise to read and heed this advice.

CISA Seeks Input on Cyber Incident Reporting For Critical Infrastructure Act (CIRCIA)

Posted in Commentary with tags on March 28, 2024 by itnerd

CISA has just released the text of its Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) proposed rule, a Proposed Rule from the Homeland Security Department that is not yet formally published and carries a date of 04/04/2024.

CIRCIA traces all the way back to Presidential Policy Directive 21 (PPD-21) of 2013, which includes:

“This directive establishes national policy on critical infrastructure security and resilience. This endeavor is a shared responsibility among the Federal, state, local, tribal, and territorial (SLTT) entities, and public and private owners and operators of critical infrastructure (herein referred to as “critical infrastructure owners and operators”). This directive also refines and clarifies the critical infrastructure-related functions, roles, and responsibilities across the Federal Government, as well as enhances overall coordination and collaboration.”

And today’s comments from CISA Director Jen Easterly, in the announcement: 

“CIRCIA is a game changer for the whole cybersecurity community, including everyone invested in protecting our nation’s critical infrastructure. It will allow us to better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats.”

Ted Miracco, CEO, Approov had this comment:

   “CIRCIA marks a significant advancement in the collective cybersecurity effort, however what constitutes a “significant cyber incident” still presents an ambiguity that could lead to underreporting which is undesirable. Also, the tight reporting windows, while crucial for rapid response, may put pressure on entities to report before fully understanding the scope of an incident. 

   “Successful implementation will hinge on clear guidance, support mechanisms for covered entities, and ongoing dialogue between the public and private sectors. Overall CIRCIA could well set a precedent for cybersecurity collaboration and incident response, not just within the United States but globally.”

Craig Harber, Security Evangelist, Open Systems, follows with this comment:

   “I believe the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), if implemented correctly, is a big deal, a significant step towards protecting the nation’s critical infrastructure. It is really a collective defense strategy that requires the owners and operators of critical infrastructure to share threat intelligence with CISA in real-time. CISA will use this information to assist all members of the critical infrastructure community. Frankly, this collective defense strategy allows for broader collaboration of a limited set of highly skilled resources across all industrial sectors to identify and defeat cyber threats.”

I’m all for having playbooks like these as it will start to ensure that incidents are handled in a consistent manner and everybody works together. Sure it’s not perfect, and it needs work, but let’s not let perfect be the enemy of good.