The Ukrainian Computer Emergency Response Team (CERT) is warning that Russian hacking groups are exploiting the Follina code execution vulnerability in new phishing campaigns to install the CredoMap malware and Cobalt Strike beacons.

The APT28 hacking group is believed to be sending emails containing a malicious document name “Nuclear Terrorism A Very Real Threat.rtf.”. The threat actors selected the topic of this email to entice recipients to open it, exploiting the fear that’s spread among Ukrainians about a potential nuclear attack.

Threat actors also used a similar tactic in May 2022, when CERT-UA identified the dissemination of malicious documents warning about a chemical attack.

Source: https://www.bleepingcomputer.com/news/security/russian-govt-hackers-hit-ukraine-with-cobalt-strike-credomap-malware/

Cyber insurance can help offset costs of some common cyber risks, like data breaches or ransomware. But cyber risks are growing, and cyberattacks targeting critical infrastructure—like utilities or financial services—could affect entire systems and result in catastrophic financial loss.

Insurers and the government’s terrorism risk insurance may not be able to cover such losses. For example, the government’s insurance may only cover cyberattacks if they can be considered “terrorism” under its defined criteria.

Source: https://www.gao.gov/products/gao-22-104256

 REA is pleased to announce it has been assigned patent number, 11,374,961, with an effective issuance date of June 28, 2022 for its Software Assurance Guardian (SAG™) METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY for software products and the software supply chain (C-SCRM). REA was motivated to develop this patented technology to assess risk and trust in a software supply chain starting in November, 2018 after the Federal Energy Regulatory Commission (FERC) issued Order 850, “Supply Chain Risk Management Reliability Standards” [18CFR40] to protect the bulk electric grid from software supply chain risks.

Read More

While many cybersecurity officials strive to achieve “no risk” when it comes to cyber risk management, officials from NASA this week explained that’s just not possible and suggested that agencies instead focus on managing risks that are important to the mission.

At the NASA SEWP (Solutions for Enterprise-Wide Procurement) SCRM Hybrid Forum 2022 on May 24, Joanne Woytek, program manager for the NASA SEWP program, explained how cyber risk management does not mean achieving zero risk.

Read Full Article

The Department of Commerce is proposing new safety criteria for connected software to help better secure information and communications technology and services (ICTS) supply chains, including potential third-party audits of connected software and ICTS transactions, according to a proposed rule posted to the Federal Register Nov. 26.

Read Full Article

Today’s business environment continues to be a challenge. Businesses whether small, or large leverage third-party vendors to provide critical services like data handling (security, transmitting, and storage), cloud storage/applications, and systems security monitoring.

Each business must ask themselves a few simple questions about one of their most valuable assets “Data”. If or when it leaves your secure working environment:

• How secure is your customer data in transit and storage?
• Do your third-party vendors handle your “critical information”?
  • Provide a secure environment for processing?
  • Comply with a proven Cyber Security Framework?
  • Perform a “Due Diligence” on-boarding step for the Nth vendors (how many vendors handles your specific data) in your cyber supply chain?
  • Follow security agreements and service level agreements catered to information security?
  • Ensure data privacy is an important element of their InfoSec Program?

Bipartisan legislation was introduced in the House last week to boost U.S. supply chains and foster domestic manufacturing of “critical goods” by creating a Supply Chain Resiliency and Crisis Response Office in the Department of Commerce.

The Building Resilient Supply Chains Act was introduced by Rep. Tom Malinowski, D-N.J., along with Reps. Adam Kinzinger, R-Ill., and Lisa Blunt Rochester, D-Del.— members of the House Committee on Energy and Commerce.

In addition to creating the supply chain office within Commerce, the bill would authorize $45 billion for the office to create grants and loans that support the “expansion of domestic manufacturing of critical goods and services, industrial equipment, and manufacturing technology.

Read Entire Article

The head of the U.S. cybersecurity enforcement agency “is a huge supporter” of bipartisan legislation to mandate that operators of critical infrastructure report data breaches to the government.

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said she backs draft legislation from the Senate Homeland Security and Governmental Affairs Committee to require certain private companies, federal agencies and government contractors to report cyberattacks to the agency.

The proposed legislation is partly in response to a surge of major cyberattacks that targeted government agencies and critical industries, including Colonial Pipeline Co. and meat producer JBS SA. The hacks increased pressure on the Biden administration to bolster U.S. cyber defenses and fueled calls for federal legislation to require companies to share incidents with the federal government to assist in response and recovery. 

Read Entire Article

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) published a cybersecurity advisory today regarding increased Conti ransomware cyberattacks. The advisory includes technical details on the threat and mitigation steps that public and private sector organizations can take to reduce their risk to this ransomware.

CISA and the FBI have observed over 400 attacks using Conti ransomware against U.S. and international organizations to steal files, encrypt servers and workstations, and demand a ransom payment to return stolen sensitive data. While Conti is considered a ransomware-as-a-service (RaaS) model ransomware variant, there is variation in its structure that differentiates it from a typical affiliate model. It is likely that Conti developers pay the deployers of the ransomware a wage rather than a percentage of the proceeds from a successful attack..

Read Full Article