Cybersecurity Snapshot: CISA Warns Hospitals about Black Basta, as Tenable Study Finds Cloud-Related Breaches Pervasive
Find out why healthcare organizations must beware of the Black Basta ransomware group. Meanwhile, a Tenable study found that 95% of surveyed organizations suffered a cloud-related breach, and offers insights for boosting cloud security. Plus, a Cloud Security Alliance report delves into how AI systems can create risky gaps in your cloud environment. And much more!
Dive into six things that are top of mind for the week ending May 17.
1 - Black Basta ransomware threat triggers CISA-FBI alert
Critical infrastructure organizations, especially those in the healthcare sector, should have the Black Basta ransomware-as-a-service (RaaS) group on their radar screens.
So said the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI in a joint alert detailing Black Basta’s tactics, techniques and procedures, as well as indicators of compromise, along with mitigation recommendations.
Black Basta, first identified in April 2022, has successfully attacked organizations in 12 of the 16 critical infrastructure sectors. To date, the group has hit more than 500 businesses and critical infrastructure organizations globally.
“Black Basta affiliates use common initial access techniques – such as phishing and exploiting known vulnerabilities – and then employ a double-extortion model, both encrypting systems and exfiltrating data,” reads the alert.
Meanwhile, Microsoft warned this week that the Black Basta gang is abusing Windows' Quick Assist tool to carry out voice phishing (vishing) social-engineering attacks.
Last week, CNN reported that Black Basta hit healthcare company Ascension, which operates 140 hospitals in 19 states and Washington, DC. Ascension acknowledged it suffered a ransomware attack but hasn’t named the attacker.
“Healthcare organizations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions,” the CISA-FBI alert reads.
Co-authored by the U.S. Department of Health and Human Services (HHS) and the Multi-State Information Sharing and Analysis Center, the alert, titled “#StopRansomware: Black Basta,” includes the following mitigation recommendations:
- Keep operating systems, software and firmware updated
- Require multi-factor authentication that’s resistant to phishing attacks
- Secure remote access software
- Back up critical systems and device configurations
- Detect vulnerabilities and prioritize their remediation
For more information about the Black Basta ransomware gang:
- “500 Victims In, Black Basta Reinvents With Novel Vishing Strategy” (Dark Reading)
- “Microsoft's Quick Assist used in scam to drop Black Basta ransomware” (SC Magazine)
- “Black Basta Ransomware Group Received Over $100 Million From 90 Victims” (SecurityWeek)
- “Ascension: 'Systems Are Being Restored' After Cyberattack” (CRN)
- “Black Basta Threat Actor Emerges as a Major Threat to the Healthcare Industry” (Health ISAC)
2 - Tenable study: Cloud-related breaches are widespread
In a clear sign that proactive and robust cloud security is critical, 95% of organizations surveyed for Tenable’s "2024 Cloud Security Outlook" report suffered a cloud-related breach over an 18-month period.
Among those respondents, 92% reported exposure of sensitive data, and a majority acknowledged being harmed by the data exposure, according to the report, which polled 600 cloud security professionals in North America and Europe.
Tenable’s "2024 Cloud Security Outlook," published this week, delves into the issues plaguing the respondents, their priorities for addressing these challenges, and their tools for measuring success.
“We hope the report helps you understand how your peers are tackling cloud-environment complexity so you can set a strategic, effective path for securing yours,” Tenable Senior Product Marketing Manager Diane Benjuya wrote in a blog announcing the cloud security report.
Topics covered include:
- Key findings about cloud-related breaches and how they harm sensitive data
- Cloud security professionals’ top challenges and priorities
- How organizations measure their cloud security investments’ performance
- The cloud security challenge faced by almost every respondent
To get more details:
- Read the blog “Tenable Cloud Security Study Reveals a Whopping 95% of Surveyed Organizations Suffered a Cloud-Related Breach Over an 18-Month Period”
- Download Tenable’s "2024 Cloud Security Outlook" report
- Register for the webinar “Tenable Cloud Security Outlook 2024”
3 - CSA: How AI can raise risk of “shadow access” in cloud environments
When organizations deploy AI in a cloud environment, they must be careful not to inadvertently offer attackers ways to access applications, networks and data.
That’s the main warning the Cloud Security Alliance (CSA) makes in its new report “Confronting Shadow Access Risks: Considerations for Zero Trust and Artificial Intelligence Deployments,” which was authored by the group’s Identity and Access Management Working Group.
The publication explores the intersections of shadow access, AI, and zero trust, and “underscores the necessity of adapting traditional zero trust IAM approaches to the nuances of AI technology,” according to the CSA.
“A looming threat to IAM is shadow access. This insidious menace, often exacerbated by the rapid adoption of cloud services and automated development practices, introduces vulnerabilities through unintended resource access,” reads a CSA blog about the report.
Recommendations include:
- Maintain an “exhaustive” inventory of generative AI assets
- Ensure that generative AI systems’ access to enterprise data is transparent, controlled and compliant with regulations
- Make sure that large language model applications handle unstructured content appropriately by establishing a data classification schema
- Adopt protocols for identity verification and responsible use
To get more details:
- Read the CSA blog “Zero Trust & Identity and Access Management: Mitigating Shadow Access”
- Download the report “Confronting Shadow Access Risks: Considerations for Zero Trust and Artificial Intelligence Deployments”
For more information about cloud security and IAM, check out these Tenable resources:
On-demand webinars:
- “Secure Your Cloud-Native Applications: 5 Key Considerations for Improving the Impact and Efficiency of Your Efforts”
- “Leveraging CIEM to Secure Cloud Identities and Entitlements at Scale”
- “Operationalize Identity Security in the age of Identity-First and Zero Trust Security”
- “How to Make Your Security Team Experts In Cloud Security In Less Than 48 Hours”
Blogs:
- “Unused Access Analyzer: A Leap Toward Least Privilege, Not the End of the Journey”
- “Cloud Leaders Sound Off on Key Challenges”
- “Identities: The Connective Tissue for Security in the Cloud”
- “Poor Identity Hygiene at Root of Nation-State Attack Against Microsoft”
4 - More time to comment on CIRCIA cyberattack-reporting rules
Critical infrastructure organizations will get an extra month to comment on a voluminous set of proposed rules that detail how they will have to report cyberattacks and ransomware payments to the U.S. government.
CISA extended the feedback window for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) rules after multiple requests from stakeholders in the energy and IT sectors, among others, according to a report in The Record.
CISA officials say that the Notice of Proposed Rulemaking (NPRM) is a critical component of CIRCIA. The NPRM will help CISA develop proposed regulations for reporting cyber incidents and ransom payments, which is crucial for CIRCIA's implementation.
CIRCIA, which became law in 2022, aims to enhance CISA's ability to use data from cybersecurity incidents and ransomware payments to detect patterns, identify gaps, and mobilize support for organizations that fall victim to a cyberattack.
Speaking to cybersecurity publication README about CIRCIA, Tenable CSO and Head of Research Robert Huber said that cybersecurity is a team sport, so effective reporting helps him and his peers to quickly identify, remediate and set up proactive defenses against cyber incidents.
“And the more quickly we're able to assimilate that information and share that information, the faster we can all respond, and I think that's a win,” Huber said.
CIRCIA requires that critical infrastructure organizations report “substantial” attacks within 72 hours to CISA, and ransom payments within 24 hours.
The comment period now runs until July 3, during which CISA anticipates receiving more detailed feedback on ways to enhance regulations, CISA Executive Director Brandon Wales noted at a roundtable during this year’s RSA Conference.
Wales said CISA is actively seeking high-quality feedback from critical infrastructure sectors to ensure the final rule is effective and fulfills the objectives of the program.
This announcement arrives shortly after legislators and industry representatives voiced concerns about overly stringent measures imposed on critical infrastructure entities by the proposed rule.
In a March statement, CISA Director Jen Easterly highlighted the NPRM’s importance in shaping future cybersecurity defenses.
"It will allow us to better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats,” she said.
For more information about CIRCIA:
- CISA’s CIRCIA page and fact sheet
- “CISA faces resource challenge in implementing cyber reporting rules” (CyberScoop)
- “CISA Courts Private Sector to Get Behind CIRCIA Reporting Rules” (Dark Reading)
- “CISA's proposed framework for cyber incident reporting rules includes subpoena power” (NextGov)
- “CISA’s cyber incident reporting rules will apply to 316K entities” (Federal News Network)
Video: CISA Executive Director Brandon Wales discusses the importance of CIRCIA & cyber incident reporting (CISA)
5 - CISA steps in to help with NVD’s backlog of vulnerability info
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is trying to help bring the National Vulnerability Database (NVD) up to date.
The NVD’s team, which is part of the National Institute of Standards and Technology (NIST), has fallen behind in analyzing and enriching the Common Vulnerabilities and Exposures (CVE) entries in the database.
As of May 9, the NVD team had received about 14,300 CVEs this year, but had analyzed only about 4,500. In a recent statement, NIST attributed the CVE-enrichment backlog to an increase in software vulnerabilities and to a “change in interagency support.”
In a recent LinkedIn post, CISA announced that it has launched a CVE-enrichment effort called Vulnrichment to add the following information to CVEs:
- Common Platform Enumeration
- Common Vulnerability Scoring System
- Common Weakness Enumeration
- Known Exploited Vulnerabilities
“Soon, we’ll also start sharing decision points from CISA’s Stakeholder-Specific Vulnerability Categorization (SSVC). We will use CVE JSON format so stakeholders can immediately start incorporating these updates into vulnerability management processes,” reads the CISA post on LinkedIn.
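As an added example (not code from CISA, NIST or the page), the Python below reads CVE JSON 5 records, collects the enrichment data the post describes (CPE, CVSS, CWE, KEV and SSVC decision points) from the CNA and any ADP container, and flags records that still lack it. The container layout (cveMetadata, containers.cna, containers.adp[]) follows the CVE JSON 5 schema; the field names assumed for SSVC and KEV entries under metrics[].other, the "CISA-ADP" provider name, and both sample records are constructed assumptions for the demo.

```python
"""Read Vulnrichment-style enrichment out of CVE JSON 5 records.

Added example, not CISA's or NIST's code. Assumed layout: CVSS under
metrics[].cvssV3_1 (or cvssV3_0 / cvssV4_0), SSVC and KEV under
metrics[].other with type "ssvc" / "kev", CWE ids under
problemTypes[].descriptions[].cweId, CPEs under affected[].cpes.
"""
import json

# Constructed sample feed: one record carrying an ADP container with
# enrichment, one unenriched record with only the CNA description.
# CVE ids are placeholders, not real entries.
SAMPLE_FEED = json.dumps([
    {
        "cveMetadata": {"cveId": "CVE-2024-00001"},  # placeholder id
        "containers": {
            "cna": {
                "descriptions": [{"lang": "en", "value": "Example issue"}],
                "affected": [{"vendor": "ExampleCo", "product": "Widget"}],
            },
            "adp": [{
                "providerMetadata": {"shortName": "CISA-ADP"},  # assumed name
                "metrics": [
                    {"cvssV3_1": {"version": "3.1", "baseScore": 7.5,
                                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}},
                    {"other": {"type": "ssvc", "content": {"options": [
                        {"Exploitation": "none"}, {"Automatable": "no"},
                        {"Technical Impact": "partial"}]}}},
                    {"other": {"type": "kev", "content": {"dateAdded": "2024-05-01"}}},
                ],
                "problemTypes": [{"descriptions": [
                    {"type": "CWE", "cweId": "CWE-20", "lang": "en",
                     "description": "Improper Input Validation"}]}],
                "affected": [{"vendor": "ExampleCo", "product": "Widget",
                              "cpes": ["cpe:2.3:a:exampleco:widget:*:*:*:*:*:*:*:*"]}],
            }],
        },
    },
    {
        "cveMetadata": {"cveId": "CVE-2024-00002"},  # placeholder id
        "containers": {"cna": {"descriptions": [{"lang": "en", "value": "Another issue"}]}},
    },
])


def load_feed(feed_json):
    """Parse a JSON array of CVE JSON 5 records."""
    return json.loads(feed_json)


def _containers(record):
    """Yield (source, container) for the CNA and every ADP container."""
    containers = record.get("containers", {})
    if "cna" in containers:
        yield "cna", containers["cna"]
    for adp in containers.get("adp", []):
        yield adp.get("providerMetadata", {}).get("shortName", "adp"), adp


def enrichment(record):
    """Collect CPE, CVSS, CWE, KEV and SSVC data across all containers."""
    out = {"cve": record["cveMetadata"]["cveId"], "cpes": [], "cvss": [],
           "cwes": [], "kev": None, "ssvc": None, "sources": []}
    for source, c in _containers(record):
        out["sources"].append(source)
        for aff in c.get("affected", []):
            out["cpes"].extend(aff.get("cpes", []))
        for m in c.get("metrics", []):
            for key in ("cvssV4_0", "cvssV3_1", "cvssV3_0"):
                if key in m:
                    out["cvss"].append((m[key].get("baseScore"), m[key].get("vectorString")))
            other = m.get("other", {})
            if other.get("type") == "ssvc":
                opts = other.get("content", {}).get("options", [])
                out["ssvc"] = {k: v for o in opts for k, v in o.items()}
            elif other.get("type") == "kev":
                out["kev"] = other.get("content", {}).get("dateAdded")
        for pt in c.get("problemTypes", []):
            for d in pt.get("descriptions", []):
                if d.get("cweId"):
                    out["cwes"].append(d["cweId"])
    return out


def missing_enrichment(feed_json):
    """Map CVE id -> list of enrichment fields (cvss, cwes, cpes) it lacks.

    Records with gaps are the ones still sitting in the enrichment backlog
    and should be prioritized by other means (e.g. vendor advisories).
    """
    gaps = {}
    for record in load_feed(feed_json):
        e = enrichment(record)
        missing = [f for f in ("cvss", "cwes", "cpes") if not e[f]]
        if missing:
            gaps[e["cve"]] = missing
    return gaps


if __name__ == "__main__":
    for rec in load_feed(SAMPLE_FEED):
        print(json.dumps(enrichment(rec), indent=1))
    print("backlog:", missing_enrichment(SAMPLE_FEED))
```

Run against a real CVE JSON feed, missing_enrichment gives a quick measure of how much of your exposure data is still unenriched, so a vulnerability-management process can fall back to other scoring sources rather than treating a missing CVSS score as "low".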
To get more details, you can visit Vulnrichment’s GitHub repository and write to CISA at [email protected].
For more information about the NVD’s CVE-enrichment backlog:
- “NIST's Vuln Database Downshifts, Prompting Questions About Its Future” (Dark Reading)
- “NIST’s NVD has encountered a problem” (Help Net Security)
- “Recent NVD Delays Won’t Affect Tenable Vulnerability Management Customers Thanks To Our Diverse Scoring Sources” (Tenable)
- “CISA Launches Vulnrichment Program to Address NVD Challenges” (Infosecurity Magazine)
6 - CIS updates Benchmarks for Apple, Microsoft, Cisco products
The latest updates for the Center for Internet Security’s popular CIS Benchmarks have been announced, and they include new secure-configuration recommendations for Apple iOS 17, Microsoft Azure Kubernetes Service, Cisco ASA 9 and Microsoft 365.
Specifically, these CIS Benchmarks were updated in April:
- CIS Apple iOS 17 Benchmark v1.1.0
- CIS Apple iPadOS 17 Benchmark v1.1.0
- CIS Azure Kubernetes Service (AKS) Benchmark v1.5.0
- CIS Cisco ASA 9.x Benchmark v1.1.0 — Final Update
- CIS Fortigate 7.0.x Benchmark v1.3.0
- CIS Microsoft 365 Foundations Benchmark v3.1.0
- CIS Microsoft Windows 10 Stand-alone Benchmark v3.0.0
- CIS Microsoft Windows Server 2016 Benchmark v3.0.0
CIS Benchmarks are secure-configuration guidelines for hardening products against cyberattacks. Currently, there are more than 100 CIS Benchmarks for 25-plus vendor product families. CIS offers Benchmarks for cloud platforms; databases; desktop and server software; mobile devices; operating systems; and more.
For more information, read the CIS blog “CIS Benchmarks May 2024 Update.”
To get more details about the CIS Benchmarks, check out the CIS Benchmarks home page, as well as:
- “Getting to Know the CIS Benchmarks” (CIS)
- “The first steps of establishing your cloud security strategy” (Help Net Security)
- “How to Unlock the Security Benefits of the CIS Benchmarks” (Tenable)
- “CIS Benchmarks Communities: Where configurations meet consensus” (Help Net Security)
- “CIS Benchmarks: DevOps Guide to Hardening the Cloud” (DevOps)
Video: CIS Benchmarks (CIS)