Friday Five 3/11
Why the healthcare industry should invest in cybersecurity, a critical Azure bug fixed, and more - catch up on the infosec news of the week!
1. Healthcare cybersecurity investment critical to national security, says CISA official by Jessica Davis
We've already heard from one government agency - the U.S. Department of Health and Human Services' Office for Civil Rights, last week - this year about how healthcare organizations need to review their cyber risk in 2022. The Cybersecurity and Infrastructure Security Agency's senior advisor for technology and innovation this week encouraged the healthcare sector to reevaluate its cyber posture and investments. As SC Magazine reports, at this week's ViVE 2022 health information technology event Lauren Boas stressed that healthcare orgs should "raise the cost of attacking the American healthcare system for the bad guys by investing in the cybersecurity defense of each and every organization who is delivering critical care in our country." The healthcare industry continues to be targeted by attackers. As Boas noted in her talk, the Conti group - which we'll touch on in a story further down - has been especially devastating; it's targeted more than 400 healthcare organizations and first responder organizations worldwide so far.
2. Microsoft fixes critical Azure bug that exposed customer data by Sergiu Gatlan
Bleeping Computer gave readers a heads up on Monday about what sounds like it could have been a damaging vulnerability. The issue, in Microsoft's Azure Automation service, could have enabled attackers to take control of another Azure customer's data. It's worth noting that nothing sinister happened here - one of the first things Microsoft says in its blog post breaking down the issue is that the company didn't detect any evidence that tokens were misused. The vulnerability affected accounts that used Managed Identities tokens for authorization. Accounts that used the tokens and an Azure Sandbox for job runtime and execution were exposed, according to Microsoft. For some added peace of mind, it's also worth pointing out that Microsoft fixed the issue months ago, on December 10 - four days after it was made aware of the bug - by blocking access to all sandboxes except the one that had legitimate access.
3. CISA Urges Organizations to Patch Recent Firefox Zero-Days by Ionut Arghire
Time to refresh those browsers. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) kicked the week off by encouraging administrators to ensure Firefox has been updated across their systems. Mozilla, Firefox's parent company, fixed two zero-day vulnerabilities in the browser with an emergency update over the weekend. CISA is stressing that both of the bugs, use-after-free vulnerabilities, need to be fixed by March 21. The two issues join another, an information disclosure vulnerability, and a trio of other bugs (CVE-2020-6819, CVE-2020-6820, and CVE-2019-17026) on CISA's Known Exploited Vulnerabilities Catalog.
4. Conti Ransomware Group Continues to Threaten Healthcare by Jill McKeon
U.S. agencies are calling on defenders to double down on their efforts around Conti, the ransomware group that's to blame for more than 1,000 hacks. According to HealthITSecurity, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the United States Secret Service (USSS) this week re-released their advisory on the group, first published last September. The document includes new indicators of compromise (IOCs), new domains with registration and naming characteristics similar to those used by Conti in the past, and tips for mitigating a Conti attack.
5. Biden signs executive order on digital assets, including security measures by Tonya Riley and Joe Warminsky
The White House is continuing its attempt to quell illicit cryptocurrency use. Earlier this year it unveiled a team, the National Cryptocurrency Enforcement Team (NCET), to fight ransomware operators who use it. This week, an Executive Order signed by President Biden aims to refine safeguards around the digital asset industry. It's a multi-pronged effort that will involve evaluating risk, both for the sector and the finance industry, and considering what the future holds for money. One goal of the EO? Consider developing a U.S. Central Bank Digital Currency that could protect Americans' interests.