Cybersecurity Snapshot: Attackers Pounce on Unpatched Vulns, DBIR Says, as Critical Infrastructure Orgs Benefit from CISA’s Alert Program
Verizon’s DBIR found that hackers are having a field day exploiting vulnerabilities to gain initial access. Plus, a CISA program is helping critical infrastructure organizations prevent ransomware attacks. In addition, check out what Tenable’s got planned for RSA Conference 2024. And get the latest on the Change Healthcare breach. And much more!
Dive into six things that are top of mind for the week ending May 3.
1 - Verizon DBIR: Hackers feasting on unpatched vulnerabilities
This year’s edition of Verizon’s “Data Breach Investigations Report” (DBIR) is out, and a key finding is that attackers almost tripled their use of vulnerability exploitation to gain an initial foothold in victims’ networks.
Specifically, the exploitation of vulnerabilities as a first entry point shot up 180% compared to last year’s report. A big driver of this trend: Ransomware attackers’ targeting of unpatched assets. In particular, the zero-day vulnerabilities in Progress Software’s MOVEit Transfer product were a major target.
“While the adoption of artificial intelligence to gain access to valuable corporate assets is a concern on the horizon, a failure to patch basic vulnerabilities has threat actors not needing to advance their approach,” Chris Novak, Verizon’s Senior Director of Cybersecurity Consulting said in a statement this week.
In an analysis of CISA’s Known Exploited Vulnerabilities (KEV) catalog, which lists known vulnerabilities that are being exploited in the wild, the DBIR authors found a troubling disconnect between the time it takes attackers to exploit these vulnerabilities and the time it takes defenders to patch them.
For example, 30 days after a patch becomes available, 85% of these vulnerabilities are still unpatched. By contrast, mass exploitation of the average CISA KEV vulnerability typically begins within days, so the window in which defenders are still patching is also the window in which attackers are already scanning for the flaw.
Survival Analysis of CISA KEV Vulnerabilities
(Source: Verizon’s “2024 Data Breach Investigations Report,” May 2024)
Here are other important findings from the 2024 report, which covers the period of Nov. 1, 2022 to Oct. 31, 2023:
- 68% of breaches involved a person inadvertently making an error or falling prey to a social engineering scheme
- 15% of breaches involved a third party, such as a supplier
- 32% of breaches involved an extortion technique, including ransomware
- Attackers have used stolen credentials in almost one-third of breaches over the past 10 years
For this latest DBIR report, Verizon analyzed about 30,500 security incidents globally and about 10,600 confirmed breaches.
To get more details, check out:
- The report’s announcement: “2024 Data Breach Investigations Report: Vulnerability exploitation boom threatens cybersecurity”
- A complementary infographic
- The “2024 Data Breach Investigations Report” home page
- The full report
For more information about prioritizing and fixing vulnerabilities quickly and continuously as part of an exposure management program, check out these Tenable resources:
Blogs
- “IDC Ranks Tenable No. 1 in Worldwide Device Vulnerability Management Market Share for the Fifth Consecutive Year”
- “Tenable Is Named a Leader in Vulnerability Risk Management by Independent Research Firm”
- “CVSSv4 is Coming: What Security Pros Need To Know”
- “Study: Tenable Offers Fastest, Broadest Coverage of CISA's KEV Catalog”
- “Exposure Management: Reducing Risk in the Modern Attack Surface”
- “You Can't Fix Everything: How to Take a Risk-Informed Approach to Vulnerability Remediation”
- “Mind the Gap: How Waiting for NVD Puts Your Organization at Risk”
On-demand webinars
- “When it Comes to Vulnerabilities, ‘Critical’ Doesn’t Always Mean ‘Critical’”
- “Knowing When and Why to Make the Transition from Vulnerability Risk Management to Exposure Management”
- “Maximizing Your Cyber Resilience: Why Now is the Right Time to Transition from Vulnerability to Exposure Management”
2 - Critical infrastructure orgs stamp out hundreds of ransomware-friendly vulns via CISA program
A U.S. government program that helps critical infrastructure organizations fend off ransomware attackers resulted in the mitigation of vulnerabilities in 850-plus devices last year.
Announced in March 2023 by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Ransomware Vulnerability Warning Pilot program probes internet-facing assets from participating organizations.
To identify vulnerable devices, the program uses various methods, including CISA’s free Cyber Hygiene Vulnerability Scanning service. When the program detects vulnerabilities that ransomware gangs commonly exploit, it notifies organizations.
Last year, participating U.S. critical infrastructure organizations received more than 1,700 such notifications, and took action in about half of the cases – 852 – such as by patching the vulnerability or taking the device offline, according to CISA.
“The RVWP program enables organizations from all critical infrastructure sectors to harden their networks with respect to the vulnerabilities that ransomware gangs are known to use,” reads a CISA statement.
Ransomware Vulnerability Warning Pilot Program’s 2023 Notifications
(Source: CISA, April 2024)
To enroll in the Ransomware Vulnerability Warning Pilot program, organizations can email [email protected].
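The DBIR gap described in item 1 (KEV vulnerabilities exploited within days but still unpatched after 30) and the RVWP notifications described above (ransomware-associated flaws on internet-facing devices) reduce to the same triage question for a security team: which open findings are in KEV, are reachable from the internet, are tied to ransomware campaigns, and are already past CISA’s due date. The Python below is an added example, not code from Verizon, CISA or Tenable. It uses the real field names of CISA’s KEV JSON feed (cveID, dateAdded, dueDate, knownRansomwareCampaignUse), but the catalog excerpt, the scan export, the CVE identifiers and the asset names are constructed placeholders, and the CSV layout and the tiering rule are assumptions.

```python
"""Triage open scan findings against CISA's KEV catalog.

Added example (not Verizon, CISA or Tenable code). Field names follow the
KEV JSON feed; the entries, the scan export and the CVE IDs below are
constructed placeholders, and the CSV layout and tiering rule are assumptions.
"""
from __future__ import annotations

import csv
import io
import json
from dataclasses import dataclass
from datetime import date

# Constructed excerpt in the shape of the KEV feed; IDs and dates are placeholders.
KEV_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCorp", "product": "FileMover",
     "dateAdded": "2024-04-01", "dueDate": "2024-04-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCorp", "product": "Gateway",
     "dateAdded": "2024-04-20", "dueDate": "2024-05-11", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Router",
     "dateAdded": "2024-03-01", "dueDate": "2024-03-22", "knownRansomwareCampaignUse": "Known"}
  ]
}"""

# Constructed scan export (assumed layout): one open finding per row.
SCAN_CSV = """asset,cve,internet_facing
ftp-01,CVE-0000-0001,true
vpn-02,CVE-0000-0002,true
lab-03,CVE-0000-0003,false
web-04,CVE-0000-9999,true
"""


@dataclass(frozen=True)
class KevEntry:
    cve: str
    date_added: date
    due_date: date        # BOD 22-01 deadline: binding on federal civilian agencies, a benchmark elsewhere
    ransomware_use: bool  # True when knownRansomwareCampaignUse is "Known"


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    internet_facing: bool
    ransomware_use: bool
    days_since_added: int  # how long the CVE has been in KEV while this asset stayed unpatched
    days_overdue: int      # negative while the due date is still ahead
    tier: int              # 0 = highest priority


def parse_kev(raw: str) -> dict[str, KevEntry]:
    """Index the KEV feed by CVE ID."""
    entries: dict[str, KevEntry] = {}
    for v in json.loads(raw)["vulnerabilities"]:
        entries[v["cveID"]] = KevEntry(
            cve=v["cveID"],
            date_added=date.fromisoformat(v["dateAdded"]),
            due_date=date.fromisoformat(v["dueDate"]),
            ransomware_use=v.get("knownRansomwareCampaignUse", "Unknown") == "Known",
        )
    return entries


def parse_scan(raw: str) -> list[tuple[str, str, bool]]:
    """Read (asset, cve, internet_facing) rows from the assumed CSV layout."""
    rows = csv.DictReader(io.StringIO(raw))
    return [(r["asset"], r["cve"].strip().upper(), r["internet_facing"].strip().lower() == "true")
            for r in rows]


def tier_for(internet_facing: bool, ransomware_use: bool) -> int:
    """Assumed ordering: exposed and ransomware-linked first, internal-only last."""
    return (0 if internet_facing else 2) + (0 if ransomware_use else 1)


def triage(scan: list[tuple[str, str, bool]], kev: dict[str, KevEntry], today: date) -> list[Finding]:
    """Keep only findings that are in KEV and order them for remediation."""
    findings: list[Finding] = []
    for asset, cve, exposed in scan:
        entry = kev.get(cve)
        if entry is None:
            continue  # not in KEV: leave it to normal risk-based prioritization
        findings.append(Finding(
            asset=asset, cve=cve, internet_facing=exposed, ransomware_use=entry.ransomware_use,
            days_since_added=(today - entry.date_added).days,
            days_overdue=(today - entry.due_date).days,
            tier=tier_for(exposed, entry.ransomware_use),
        ))
    # Within a tier, the finding that has been past its due date longest goes first.
    findings.sort(key=lambda f: (f.tier, -f.days_overdue, f.asset))
    return findings


def stale_share(findings: list[Finding], days: int = 30) -> float:
    """Fraction of open KEV findings whose CVE has been in KEV for at least `days`.

    A rough analogue of the DBIR's survival figure (85% still unpatched at 30 days)
    that a team can track over time against its own scan data.
    """
    if not findings:
        return 0.0
    return sum(1 for f in findings if f.days_since_added >= days) / len(findings)


def triage_snapshot(today_iso: str = "2024-05-03") -> list[Finding]:
    """Run the whole pipeline on the embedded sample data as of the given date."""
    return triage(parse_scan(SCAN_CSV), parse_kev(KEV_JSON), date.fromisoformat(today_iso))


if __name__ == "__main__":
    queue = triage_snapshot()
    for f in queue:
        print(f"tier {f.tier}  {f.asset:8s} {f.cve}  overdue {f.days_overdue:+d}d  "
              f"in KEV {f.days_since_added}d  ransomware={f.ransomware_use}")
    print(f"share of open KEV findings in KEV for 30+ days: {stale_share(queue):.0%}")
```

Against the real feed, replace KEV_JSON with the downloaded catalog and SCAN_CSV with an export from your scanner; the finding that is not in KEV (web-04 above) is deliberately dropped from this fast lane rather than ignored, because it still belongs in the ordinary risk-based queue. Treat the due date as a benchmark rather than a policy unless BOD 22-01 applies to you.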
To get more details, check out:
- The CISA blog “Cyber Hygiene Helps Organizations Mitigate Ransomware-Related Vulnerabilities”
- The Ransomware Vulnerability Warning Pilot program home page
- Coverage of the program from Tenable, The Record, Cybernews, TechRadar, Infosecurity and Cyberscoop.
3 - Visit Tenable at RSA Conference 2024!
Tenable will be at the venerable RSA Conference next week – May 6 to May 9 – at the Moscone Center in San Francisco, so please visit our booth (N-5245) and attend our presentations – we’ll make it worth your while!
Here’s an overview of what we’ve got planned for RSA Conference 2024.
Come to our booth
We’ll be demoing products and hosting lightning talks at our interactive booth (N-5245). Swing by to learn the latest about Tenable products and pick up free goodies like selfie lights. And try your luck in our raffles for a chance to win prizes including Beats headphones and Polaroid cameras.
Tenable sessions you shouldn’t miss
Get insights and best practices from our experts at these sessions.
AI Shake Up: The Future Risks and Opportunities with AI in Software Development (at the Cloud Security Alliance AI Summit at RSA)
Vincent Gilcreest, VP of Engineering, Data & Analytics at Tenable
Gavin Millard, Deputy CTO, Tenable
Mon. May 6 from 11:05 am to 11:35 am PT
Moscone South 303
Gilcreest and Millard will discuss the risks and opportunities AI brings to software development – including real-world examples from the engineering team behind Tenable ExposureAI.
Cyber Risk Assessment for DIB & Civilian Panel (at the RSA Public Sector Day)
Tenable CSO and Head of Research Robert Huber
Mon. May 6 from 1 pm PT to 1:35 pm PT
Hilton San Francisco Union Square
Registration required
Huber will moderate a panel discussion about risk assessment programs for both civilian and defense contractors. The speakers will also discuss the FedRAMP compliance program for assessing and monitoring the security of cloud products and services used by federal agencies.
Cloud Security Novice to Native in 10 Steps: A CNAPP Approach
Shai Morag, Tenable’s Senior VP and GM of Cloud Security
Tue. May 7 from 2:25 pm to 3:15 pm PT
Moscone South 155
Morag will explain how a unified platform empowers multiple stakeholders to drive identity-driven visibility, risk prioritization and remediation across complex multi-cloud and hybrid environments.
It’s an Acquired Taste
Tenable CSO and Head of Research Robert Huber
Thu. May 9 from 8:30 am to 9:20 am PT
Moscone West 2014
Huber and Merlin Namuth, vCISO at Lodestone, will share their experiences and best practices for integrating security when an organization acquires another company. They’ll talk about the importance of having a plan in place, as well as of performing critical tasks in the 30 days after the acquisition.
AI, Ted Lasso, Alicia Keys
RSA Conference 2024, whose theme is “The Art of the Possible” and which will be attended by about 40,000 people from about 130 countries, will, unsurprisingly, offer a heavy dose of AI, including these keynote sessions:
- “Homeland Security in the Age of Artificial Intelligence”
- “Securing New Limits: Protecting the Pathway for AI Innovation”
- “AI and Democracy”
- “AI Safety: Where’s the Puck Headed?”
Oh, and of course don’t miss Ted Lasso himself, Jason Sudeikis, who’ll be on stage Wednesday at 11:30 a.m. PT with RSA Conference Executive Chairman Hugh Thompson; and music superstar and 16-time Grammy winner Alicia Keys, who’s in charge of the closing celebration on Thursday at 2:40 p.m. PT.
To get more details about RSA Conference 2024, check out:
- The Fortune article “I host the world’s largest cybersecurity conference. Here’s what is top of mind for security experts right now”
- The conference home page
- “RSAC 2024: Real-world cybersecurity uses for GenAI” (TechTarget)
- “Identity, data security expectations for RSA Conference 2024” (TechTarget)
4 - UnitedHealth CEO: Attackers breached Change Healthcare via stolen creds, app with no MFA
And here’s your weekly update on the devastating Change Healthcare hack: UnitedHealth Group’s CEO confirmed that the ransomware attack started when attackers swiped credentials to an application that wasn’t protected with multifactor authentication (MFA).
Specifically, attackers gained initial access to Change Healthcare’s network on February 12 via a Citrix portal that's used to provide remote access to desktop computers, UnitedHealth CEO Andrew Witty told a U.S. Congress subcommittee this week.
“Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later,” Witty said, identifying the ransomware attackers as the ALPHV / BlackCat group.
Witty also provided more details about the extent of the data theft, saying he estimates that “maybe a third” of Americans are impacted by the stolen health and personal information. Last week, UnitedHealth said it will take months to identify and notify all impacted customers.
Witty also reiterated that UnitedHealth paid a ransom to the attackers, and that he authorized the payment, which he said is “one of the hardest decisions I’ve ever had to make.”
Previously, UnitedHealth said the breach cost it about $870 million in the first quarter, and expects costs to balloon to about $1.6 billion by the end of the year.
Rick Pollack, President and CEO of the American Hospital Association, has called the breach “the most significant and consequential incident of its kind against the U.S. healthcare system in history.”
The breach threw a wrench into Change Healthcare’s systems for over a month, triggering nationwide chaos for patients, hospitals, doctors and pharmacies. Areas impacted included billing, payments processing, patient care and prescription fulfillment.
For more information about the importance of identity and access management, check out these Tenable resources:
- “Identities: The Connective Tissue for Security in the Cloud” (blog)
- “Securing Identities Across Your Entire Attack Surface” (on-demand webinar)
- “Operationalize Identity Security in the age of Identity-First and Zero Trust Security” (on-demand webinar)
- “Why You Need Contextual Intelligence in the Age of Identity-First and Zero Trust Security, and How to Get It Now” (on-demand webinar)
- “Poor Identity Hygiene at Root of Nation-State Attack Against Microsoft” (blog)
Video: “Tenable CEO Amit Yoran Discusses Ransomware Attack on UnitedHealth on CNN”
5 - New DHS AI board tasked with helping critical infrastructure orgs
In yet another attempt to stay on top of the development and deployment of AI, the U.S. Department of Homeland Security (DHS) has created a board with industry, government, academia and civil rights experts.
Its main charter: to help critical infrastructure organizations use AI safely and securely.
“The Board will develop recommendations to help critical infrastructure stakeholders, such as transportation service providers, pipeline and power grid operators, and internet service providers, more responsibly leverage AI technologies,” reads a DHS statement.
The board will also craft recommendations aimed at preventing and preparing for AI-related disruptions to critical services in areas such as economic activity, public health and national security.
6 - Alert: Pro-Russia hacktivists targeting OT systems
The U.S., U.K. and Canadian governments are warning critical infrastructure operators in North America and Europe about a threat from pro-Russia hacktivists. At risk are industrial control systems (ICS) and small-scale operational technology (OT) systems.
The attacks seem mostly unsophisticated, aimed at tampering with ICS equipment to cause “nuisance effects,” according to a joint fact sheet issued by multiple law enforcement and cybersecurity agencies, including CISA, the Canadian Centre for Cyber Security and the U.K.’s National Cyber Security Centre.
“However, investigations have identified that these actors are capable of techniques that pose physical threats against insecure and misconfigured OT environments,” the document reads.
To get more details, read the Tenable blog “As Pro-Russia Hacktivists Target OT Systems, Here’s What You Need To Know.”