The attack led to the “most severe” disruption to connectivity in Ukraine since the Russian invasion began
Yearly Archives: 2022
A Detailed Look at the Conti Ransomware Gang
Based on two years of leaked messages, 60,000 in all:
The Conti ransomware gang runs like any number of businesses around the world. It has multiple departments, from HR and administrators to coders and researchers. It has policies on how its hackers should process their code, and shares best practices to keep the group’s members hidden from law enforcement.
USN-5313-2: OpenJDK 11 regression
USN-5313-1 fixed vulnerabilities and added features in OpenJDK.
Unfortunately, that update introduced a regression in OpenJDK 11 that
could impact interoperability with some popular HTTP/2 servers making
it unable to connect to said servers. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that OpenJDK incorrectly handled deserialization filters.
An attacker could possibly use this issue to insert, delete or obtain
sensitive information. (CVE-2022-21248)
It was discovered that OpenJDK incorrectly read uncompressed TIFF files.
An attacker could possibly use this issue to cause a denial of service via
a specially crafted TIFF file. (CVE-2022-21277)
Jonni Passki discovered that OpenJDK incorrectly verified access
restrictions when performing URI resolution. An attacker could possibly
use this issue to obtain sensitive information. (CVE-2022-21282)
It was discovered that OpenJDK incorrectly handled certain regular
expressions in the Pattern class implementation. An attacker could
possibly use this issue to cause a denial of service. (CVE-2022-21283)
It was discovered that OpenJDK incorrectly handled specially crafted Java
class files. An attacker could possibly use this issue to cause a denial
of service. (CVE-2022-21291)
Markus Loewe discovered that OpenJDK incorrectly validated attributes
during object deserialization. An attacker could possibly use this issue
to cause a denial of service. (CVE-2022-21293, CVE-2022-21294)
Dan Rabe discovered that OpenJDK incorrectly verified access permissions
in the JAXP component. An attacker could possibly use this to specially
craft an XML file to obtain sensitive information. (CVE-2022-21296)
It was discovered that OpenJDK incorrectly handled XML entities. An
attacker could use this to specially craft an XML file that, when parsed,
would possibly cause a denial of service. (CVE-2022-21299)
Zhiqiang Zang discovered that OpenJDK incorrectly handled array indexes.
An attacker could possibly use this issue to obtain sensitive information.
(CVE-2022-21305)
It was discovered that OpenJDK incorrectly read very long attributes
values in JAR file manifests. An attacker could possibly use this to
specially craft JAR file to cause a denial of service. (CVE-2022-21340)
It was discovered that OpenJDK incorrectly validated input from serialized
streams. An attacker cold possibly use this issue to bypass sandbox
restrictions. (CVE-2022-21341)
Fabian Meumertzheim discovered that OpenJDK incorrectly handled certain
specially crafted BMP or TIFF files. An attacker could possibly use this
to cause a denial of service. (CVE-2022-21360, CVE-2022-21366)
It was discovered that an integer overflow could be triggered in OpenJDK
BMPImageReader class implementation. An attacker could possibly use this
to specially craft a BMP file to cause a denial of service.
(CVE-2022-21365)
Sanctions Hitting Russian Cyber-Criminals Hard
Healthcare focus: Need for resilience
Data breaches are still on the rise in healthcare. 2021 accumulated 686 healthcare data breaches of 500 or more records in 2021, resulting in 45M exposed or stolen healthcare records. 2022 is off to a poor start with over 3.7M healthcare records compromised as of 3/2/2022.[1]
Healthcare organizations face a landscape that is increasingly riddled with complexities, threats, and a multitude of attack vectors. The pandemic take a toll on hospitals and ransomware attacks increased significantly. Nevertheless, healthcare organizations must continue to provide patient care through various avenues that necessitate emerging and advanced digital solutions, like edge computing. With that, comes cybersecurity risk. This can be challenging for even the most mature organizations, but there are many healthcare organizations that are still lagging behind and do not have the fundamentals of cybersecurity in place.
Cybersecurity frameworks for the healthcare industry
Frameworks are becoming increasingly more important to build that foundation, to measure improvements, and to drive results. Frameworks allow for a defensible and rational approach to managing your cybersecurity risks and complying with regulatory requirements. Many regulations purposely strike a balance between specificity and flexibility to allow organizations latitude in applying the requirements based upon their size, complexity, and risk assessment.
Established frameworks are adopted across industries, some are industry-specific, but all continue to evolve as cybersecurity risks evolve. Most recently we have seen the newly updated ISO 27002 standard published last month, the DoD has come out with CMMC 2.0 (NIST 800-171r2), and the National Institute of Standards and Technology (NIST) regularly publishes new and updated standards.
The need for a vertical-specific framework
Adoption of a particular framework can vary from industry to industry. One such framework is the HITRUST CSF that has been heavily adopted in the healthcare industry. The HITRUST CSF was established to provide prescription and consistency in the application of security and privacy controls for healthcare organizations. It provides for the protection of health data by creating a single framework that harmonizes various, related compliance requirements and industry standards. While HITRUST is no longer focused on only the healthcare industry, the adoption of the HITRUST CSF can help organizations in healthcare lay the foundation and continuously improve their cybersecurity posture and address existing and emerging threats.
The HITRUST CSF is valuable to healthcare organizations for the reasons mentioned above….it provides a defensible approach to compliance with HIPAA, it is prescriptive in control implementation, and is continually updated based upon the threats and risks the healthcare industry faces. The healthcare industry not only has to demonstrate cybersecurity risk management to regulators, but to business partners and clients as well. HITRUST offers certification for this purpose.
HITRUST has added two new assessments to provide organizations options. The assessment formerly known as the HITRUST CSF Validated Assessment could be daunting for some organizations to take on. Given this, HITRUST published in early 2022 what is called the Implemented, 1-Year (i1) Assessment. This assessment allows organizations to take a streamlined and a crawl, walk, run approach to assurance and certification.
The i1 Assessment is based upon a static set of 219 controls with substantial coverage for NIST SP 171 revision 2, The HIPAA Security Rule, and the AICPA Availability Trust Services Principle, evaluating the maturity of control implementation. This is an attractive assessment for organizations that need to demonstrate a moderate level of assurance and are willing to go through the assessment and certification process on an annual basis. It is also a good stepping stone to higher levels of assurance.
This does not replace the former HITRUST CSF Validated Assessment, which is now called the Risk-Based, 2 Year (r2) Assessment. The r2 Assessment’s requirements are risk-based, where the number of controls are dependent on scoping factors and will vary from organization to organization. The evaluation of the controls is very rigorous, analyzes policy, process, implemented, measured, and managed maturity, and demonstrates high assurance.
Also new in 2022 is the Basic, Current-state (“bC”) Assessment, which is a self-assessment focused on good security hygiene controls and is suitable for quick and low assurance requirements. There is coverage for NISTIR 7621: Small Business Information Security Fundamentals.
The bC, i1, and r2 provides various assurance options to meet organizational, partner, and client needs, and continues to reduce efforts in responding to third-party requests to demonstrate a sound, security posture.
A balance of risk and transforming the delivery of patient care necessitate adopting a framework that is sustainable and continually updated, especially as healthcare organizations invest in cybersecurity strategies like securing the edge.
[1] U.S Department of Health and Human Services Office of Civil Rights Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information
European Police Bust Multimillion-Dollar Investment Fraud Gang
5.5 years in a US prison for Estonian man linked to $53 million ransomware attacks
After being linked to ransomware attacks that cost companies over US $53 million, an Estonian man has been sentenced to prison for five and a half years.
Read more in my article on the Hot for Security blog.
US charges Russian agents over cyber attacks on oil refineries and nuclear power plants
Compromise of safety systems could have resulted in the release of toxic gas or an explosion – causing physical damage to facilities and the loss of life.
Read more in my article on the Hot for Security blog.
Security Incidents Reported to FCA Surge 52% in 2021
Making security a more welcoming field for women
Alethe Denis was on maternity leave when she decided to participate in DEF CON’s Social Engineering Capture the Flag competition in 2019. She took her three-month-old daughter and her husband to Las Vegas and planned the trip to the finest detail.
“Things could have gone wildly wrong,” Denis says. “It was extremely exhausting just to be there, let alone to compete.”
Bringing an infant to a security conference, where crowds are loud and rooms are filled with cigarette smoke, is not something she recommends. “I found myself standing in a bathroom stall nursing quite frequently, which is pretty gross, or changing her quick enough that nobody would walk by and potentially see and be alarmed or disgusted,” she says.