Find out why healthcare organizations must beware of the Black Basta ransomware group. Meanwhile, a Tenable study found that 95% of surveyed organizations suffered a cloud-related breach, and offers insights for boosting cloud security. Plus, a Cloud Security Alliance report delves into how AI systems can create risky gaps in your cloud environment. And much more!
Dive into six things that are top of mind for the week ending May 17.
Critical infrastructure organizations, especially those in the healthcare sector, should have the Black Basta ransomware-as-a-service (RaaS) group on their radar screens.
So said the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI in a joint alert detailing Black Basta’s tactics, techniques and procedures, as well as indicators of compromise, along with mitigation recommendations.
Black Basta, first identified in April 2022, has successfully attacked organizations in 12 of the 16 critical infrastructure sectors. To date, the group has hit more than 500 businesses and critical infrastructure organizations globally.
“Black Basta affiliates use common initial access techniques – such as phishing and exploiting known vulnerabilities – and then employ a double-extortion model, both encrypting systems and exfiltrating data,” reads the alert.
Meanwhile, Microsoft warned this week that the Black Basta gang is abusing Windows' Quick Assist tool to carry out voice phishing (vishing) social-engineering attacks.
Last week, CNN reported that Black Basta hit healthcare company Ascension, which operates 140 hospitals in 19 states and Washington, DC. Ascension acknowledged it suffered a ransomware attack but hasn’t named the attacker.
“Healthcare organizations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions,” the CISA-FBI alert reads.
Co-authored by the U.S. Department of Health and Human Services (HHS) and the Multi-State Information Sharing and Analysis Center, the alert, titled “#StopRansomware: Black Basta,” includes the following mitigation recommendations:
For more information about the Black Basta ransomware gang:
In a clear sign that proactive and robust cloud security is critical, 95% of organizations surveyed for Tenable’s "2024 Cloud Security Outlook" report suffered a cloud-related breach over an 18-month period.
Among those respondents, 92% reported exposure of sensitive data, and a majority acknowledged being harmed by the data exposure, according to the report, which polled 600 cloud security professionals in North America and Europe.
Tenable’s "2024 Cloud Security Outlook," published this week, delves into the issues plaguing the respondents, their priorities for addressing these challenges, and their tools for measuring success.
“We hope the report helps you understand how your peers are tackling cloud-environment complexity so you can set a strategic, effective path for securing yours,” Tenable Senior Product Marketing Manager Diane Benjuya wrote in a blog announcing the cloud security report.
Topics covered include:
To get more details:
When organizations deploy AI in a cloud environment, they must be careful not to inadvertently offer attackers ways to access applications, networks and data.
That’s the main warning the Cloud Security Alliance (CSA) makes in its new report “Confronting Shadow Access Risks: Considerations for Zero Trust and Artificial Intelligence Deployments,” which was authored by the group’s Identity and Access Management Working Group.
The publication explores the intersections of shadow access, AI, and zero trust, and “underscores the necessity of adapting traditional zero trust IAM approaches to the nuances of AI technology,” according to the CSA.
“A looming threat to IAM is shadow access. This insidious menace, often exacerbated by the rapid adoption of cloud services and automated development practices, introduces vulnerabilities through unintended resource access,” reads a CSA blog about the report.
Recommendations include:
To get more details:
For more information about cloud security and IAM, check out these Tenable resources:
On-demand webinars:
Blogs:
Critical infrastructure organizations will get an extra month to comment on a voluminous set of proposed rules that detail how they will have to report cyberattacks and ransomware payments to the U.S. government.
CISA extended the feedback window for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) rules after multiple requests from stakeholders in the energy and IT sectors, among others, according to a report in The Record.
CISA officials say that the Notice of Proposed Rulemaking (NPRM) is a critical component of CIRCIA. The NPRM will help CISA develop proposed regulations for reporting cyber incidents and ransom payments, which is crucial for CIRCIA's implementation.
CIRCIA, which became law in 2022, aims to enhance CISA's ability to use data from cybersecurity incidents and ransomware payments to detect patterns, identify gaps, and mobilize support for organizations that fall victim to a cyberattack.
Speaking to cybersecurity publication README about CIRCIA, Tenable CSO and Head of Research Robert Huber said that cybersecurity is a team sport, so effective reporting helps him and his peers to quickly identify, remediate and set up proactive defenses against cyber incidents.
“And the more quickly we're able to assimilate that information and share that information, the faster we can all respond, and I think that's a win,” Huber said.
CIRCIA requires that critical infrastructure organizations report “substantial” attacks within 72 hours to CISA, and ransom payments within 24 hours.
The comment period now runs until July 3, during which CISA anticipates receiving more detailed feedback on ways to enhance regulations, CISA Executive Director Brandon Wales noted at a roundtable during this year’s RSA Conference.
Wales said CISA is actively seeking high-quality feedback from critical infrastructure sectors to ensure the final rule is effective and fulfills the objectives of the program.
This announcement arrives shortly after legislators and industry representatives voiced concerns about overly stringent measures imposed on critical infrastructure entities by the proposed rule.
In a March statement, CISA Director Jen Easterly highlighted the NPRM’s importance in shaping future cybersecurity defenses.
"It will allow us to better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats,” she said.
For more information about CIRCIA:
Video: CISA Executive Director Brandon Wales discusses the importance of CIRCIA & cyber incident reporting (CISA)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is trying to help bring the National Vulnerability Database (NVD) up to date.
The NVD’s team, which is part of the National Institute of Standards and Technology (NIST), has fallen behind in its process of analyzing and enriching the information of the Common Vulnerabilities and Exposures (CVE) entries in the database.
As of May 9, the NVD team had received about 14,300 CVEs this year, but had analyzed only about 4,500. In a recent statement, NIST attributed the CVE-enrichment backlog to an increase in software vulnerabilities and to a “change in interagency support.”
In a recent LinkedIn post, CISA announced that it has launched a CVE-enrichment effort called Vulnrichment to add the following information to CVEs:
“Soon, we’ll also start sharing decision points from CISA’s Stakeholder-Specific Vulnerability Categorization (SSVC). We will use CVE JSON format so stakeholders can immediately start incorporating these updates into vulnerability management processes,” reads the CISA post on LinkedIn.
To get more details, you can visit Vulnrichment’s GitHub repository and write to CISA at [email protected].
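Because Vulnrichment publishes its SSVC decision points inside the CVE JSON record, stakeholders need a reader that pulls those values out before they can feed them into a vulnerability management workflow. The following Python script is an added example, not CISA's or Vulnrichment's own code. It assumes the CVE Record Format 5.x layout, in which enrichment lands in an `adp` container and SSVC decision points appear as a metric of type `ssvc` with an `options` list; the sample record, its placeholder CVE id, and the mapping from decision points to an action (`triage`) are constructed for illustration, and that mapping is a simplified stand-in for CISA's full SSVC decision tree rather than a reproduction of it.

```python
"""Reader for CISA SSVC decision points in CVE JSON 5.x records (added example)."""
import json
from typing import Optional

# Constructed sample in the CVE Record Format 5.x layout.  The CVE id is a
# placeholder, and every value here is made up for this example.
SAMPLE_RECORD = json.dumps({
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {"cveId": "CVE-0000-0000", "state": "PUBLISHED"},
    "containers": {
        "cna": {
            "descriptions": [{"lang": "en", "value": "Constructed example flaw."}],
        },
        "adp": [
            {
                "title": "Example ADP enrichment (constructed)",
                "metrics": [
                    {
                        "other": {
                            "type": "ssvc",
                            "content": {
                                "id": "CVE-0000-0000",
                                "role": "CISA Coordinator",
                                "version": "2.0.3",
                                "options": [
                                    {"Exploitation": "poc"},
                                    {"Automatable": "yes"},
                                    {"Technical Impact": "total"},
                                ],
                            },
                        }
                    }
                ],
            }
        ],
    },
})


def parse_record(text: str) -> dict:
    """Parse one CVE JSON record and sanity-check the top-level fields."""
    record = json.loads(text)
    if record.get("dataType") != "CVE_RECORD" or "containers" not in record:
        raise ValueError("not a CVE_RECORD document")
    return record


def ssvc_decision_points(record: dict) -> Optional[dict]:
    """Return SSVC decision points as {name: value} from the first ADP
    container carrying a metric of type 'ssvc', or None if the record has
    not been enriched yet."""
    for adp in record["containers"].get("adp", []):
        for metric in adp.get("metrics", []):
            other = metric.get("other", {})
            if other.get("type") != "ssvc":
                continue
            points = {}
            # options is a list of single-key dicts, e.g. {"Exploitation": "poc"}
            for option in other.get("content", {}).get("options", []):
                points.update(option)
            return points
    return None


def triage(points: Optional[dict]) -> str:
    """Map decision points to an action.  Simplified illustrative policy
    (assumption), not CISA's full SSVC decision tree."""
    if points is None:
        return "review"                # unenriched record: needs a manual look
    exploitation = points.get("Exploitation", "none")
    automatable = points.get("Automatable", "no")
    impact = points.get("Technical Impact", "partial")
    if exploitation == "active":
        return "act"                   # exploitation observed in the wild
    if exploitation == "poc" and automatable == "yes" and impact == "total":
        return "attend"
    if automatable == "yes" or impact == "total":
        return "track*"
    return "track"


def triage_record(text: str) -> tuple:
    """Convenience wrapper: (cve id, action) for one raw JSON record."""
    record = parse_record(text)
    cve_id = record.get("cveMetadata", {}).get("cveId", "unknown")
    return cve_id, triage(ssvc_decision_points(record))


if __name__ == "__main__":
    print(triage_record(SAMPLE_RECORD))
```

The reader returns `None` rather than guessing when a record carries no `ssvc` metric, so records that have not yet been enriched fall through to manual review instead of silently landing in the lowest-priority bucket; the decision-point names and values are read exactly as published, and only the final action mapping is local policy.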
For more information about the NVD’s CVE-enrichment backlog:
The latest updates for the Center for Internet Security’s popular CIS Benchmarks have been announced, and they include new secure-configuration recommendations for Apple iOS 17, Microsoft Azure Kubernetes Service, Cisco ASA 9 and Microsoft 365.
Specifically, these CIS Benchmarks were updated in April:
CIS Benchmarks are secure-configuration guidelines for hardening products against cyberattacks. Currently, there are more than 100 CIS Benchmarks for 25-plus vendor product families. CIS offers Benchmarks for cloud platforms; databases; desktop and server software; mobile devices; operating systems; and more.
For more information, read the CIS blog “CIS Benchmarks May 2024 Update.”
To get more details about the CIS Benchmarks, check out its home page, as well as:
Video: CIS Benchmarks (CIS)
Juan has been writing about IT since the mid-1990s, first as a reporter and editor, and now as a content marketer. He spent the bulk of his journalism career at International Data Group’s IDG News Service, a tech news wire service where he held various positions over the years, including Senior Editor and News Editor. His content marketing journey began at Qualys, with stops at Moogsoft and JFrog. As a content marketer, he's helped plan, write and edit the whole gamut of content assets, including blog posts, case studies, e-books, product briefs and white papers, while supporting a wide variety of teams, including product marketing, demand generation, corporate communications, and events.
Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.