Cybersecurity Saturday

From Capitol Hill, Cyberscoop reports

The House Energy and Commerce Committee voted Wednesday [July 20] to advance sweeping privacy legislation with strong bipartisan support.

The American Data and Privacy Protection Act (ADPPA) [H.R. 8152] could see a full floor vote as early as next week, moving forward what would become the nation’s first comprehensive privacy law.

But some lawmakers and privacy experts are now alarmed the legislation may not address some of the most pressing issues related to consumer privacy — reining in the massive growth in data brokers that buy and sell the public’s information and curbing potential abuse of commercial data such as reproductive health information. * * *

The American Data Privacy Protection Act isn’t the only potential mechanism for Congress to crack down on data brokers or the abuse of their services. For instance, [Sen. Ron] Wyden’s bipartisan and bicameral The Fourth Amendment Is Not For Sale Act [S. 1265 and H.R. 2738] would prohibit law enforcement from purchasing data that would otherwise require a warrant. House Judiciary leaders called for a markup of the bill at a hearing on Tuesday [July 19].

Several House Energy and Commerce Committee members made clear Wednesday that they would like to see additional discussion before giving the bill their support for a full floor vote. And even if it gets to the Senate, the bill faces strong resistance from Senate Commerce Chair Maria Cantwell, D-Wash., who has previously said she would not bring the bill for markup.

From the cyber breaches front, Health IT Security informs us

Fortified Health Security’s mid-year report on the state of healthcare cybersecurity observed slight shifts in healthcare data breach trends in the first half of 2022. The HHS Office for Civil Rights data breach portal showed that there have been 337 healthcare data breaches impacting more than 500 individuals each in the first half of this year, signifying a slight decrease from 368 at this time last year.

“While the number of healthcare cybersecurity reported breaches has leveled off after meteoric rises over the past several years, hospitals and health systems still cannot breathe a sigh of relief,” the report stated.

“The percentage of healthcare breaches attributed to malicious activity rose more than 5 percentage points in the first six months of 2022 to account for nearly 80 [percent] of all reported incidents.”

Reuters adds

Plaintiffs’ lawyers representing a class of millions of federal employees in a data-breach lawsuit against the U.S. [Office of Personnel Management] asked a Washington, D.C., judge on Thursday to award more than $8.5 million in legal fees for their work securing a $63 million settlement.

The class attorneys at San Francisco-based Girard Sharp, working with 14 other firms, said in a court filing that the “novelty and complexity” of the litigation, which began in 2015, justified the requested fee. * * *

A fairness hearing is scheduled for Oct. 14.

From the cyber vulnerabilities front —

Cybersecurity Dive reports

Threat actors are likely exploiting a critical vulnerability that surfaced in a pair of Confluence support apps after a hardcoded default password was leaked, Atlassian warned customers in an advisory update on Thursday [July 21].

The culprit, a default password for admin control on Atlassian’s Questions for Confluence app, allows attackers to gain access to unpatched servers. Atlassian released a patch for the vulnerability and advised all organizations running affected Confluence systems to update the app and disable or delete the default “disabledsystemuser” admin account.

The Cybersecurity and Infrastructure Security Agency Friday [July 22] issued an advisory to alert customers to the latest vulnerability impacting Confluence. “An attacker could exploit this vulnerability to obtain sensitive information,” the agency said.

HHS’s Health Sector Cybersecurity Coordination Center (HC3) shared a PowerPoint presentation on Web Application Attacks in Healthcare.

From the ransomware front —

Cybersecurity Dive reports

Affiliates of the LockBit ransomware group are infiltrating on-premises servers to spread malware on targeted networks, according to new research from Broadcom’s threat hunting team at Symantec.

Threat analysts observed a threat actor operating on a victim’s enterprise network with remote desktop protocol access for several weeks before it dropped and executed the LockBit ransomware. This type of sustained and undetected access allows attackers to conduct reconnaissance and identify weaknesses on networks before deploying payloads.

Attackers operating LockBit ransomware can leverage group policy management to spread the malware through a network, run commands and encrypt many machines almost simultaneously, Symantec’s researchers said.
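As an added illustration (not code from the article or from Symantec), a small Python script that flags the pattern described above in constructed sample log lines: accounts whose RDP logons span weeks, and Group Policy object changes made by those same accounts. The event IDs are the real Windows Security log IDs; the one-line log format, account names, addresses and the GPO GUID are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample lines (not from the article): a simplified, one-line
# rendering of Windows Security events. 4624 with logon_type=10 is an RDP
# (RemoteInteractive) logon; 5136 is a directory object modification, here
# on a Group Policy object. The GUID is a placeholder.
SAMPLE_LOG = """\
2022-06-20T08:14:02 4624 logon_type=10 user=svc_backup src=203.0.113.45
2022-06-24T22:41:19 4624 logon_type=10 user=svc_backup src=203.0.113.45
2022-07-03T01:05:44 4624 logon_type=10 user=svc_backup src=203.0.113.45
2022-07-11T23:58:07 4624 logon_type=10 user=svc_backup src=203.0.113.45
2022-07-12T00:10:30 5136 object=CN={PLACEHOLDER-GPO-GUID},CN=Policies user=svc_backup
2022-07-05T09:00:00 4624 logon_type=10 user=jdoe src=10.0.5.22
"""

LINE = re.compile(r"^(\S+) (\d+) (.*)$")

def parse_events(text):
    """Turn each log line into a dict with 'ts', 'id' and its key=value fields."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ev = {"ts": datetime.fromisoformat(m.group(1)), "id": int(m.group(2))}
        for kv in m.group(3).split():
            k, _, v = kv.partition("=")
            ev[k] = v
        events.append(ev)
    return events

def rdp_dwell_days(events):
    """Days between the first and last RDP logon seen for each account."""
    first, last = {}, {}
    for ev in events:
        if ev["id"] == 4624 and ev.get("logon_type") == "10":
            u = ev["user"]
            first[u] = min(first.get(u, ev["ts"]), ev["ts"])
            last[u] = max(last.get(u, ev["ts"]), ev["ts"])
    return {u: (last[u] - first[u]).days for u in first}

def sustained_rdp_accounts(events, min_days=14):
    """Accounts whose RDP activity spans at least min_days: the weeks-long
    dwell the research describes before the ransomware was dropped."""
    return sorted(u for u, d in rdp_dwell_days(events).items() if d >= min_days)

def gpo_changes_by_rdp_accounts(events, min_days=14):
    """GPO modifications made by an account already flagged for long RDP dwell,
    the combination that precedes group-policy-driven deployment."""
    flagged = set(sustained_rdp_accounts(events, min_days))
    return [(ev["ts"].isoformat(), ev["user"], ev["object"]) for ev in events
            if ev["id"] == 5136 and "CN=Policies" in ev.get("object", "")
            and ev["user"] in flagged]
```

Run against real exports, the thresholds and field names would need adjusting to the SIEM's own schema; the logic (long RDP dwell followed by a GPO change by the same account) is the part worth keeping.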

Cyberscoop tells us

Typically, when it comes to ransomware, researchers and cybersecurity companies scramble after attacks to understand the origin of the malware that infected systems and locked crucial data.

But researchers with Censys, a firm that indexes devices connected to the internet, said Thursday they’ve flipped the typical script and found what appears to be a ransomware command and control network capable of launching attacks, including one host located in the U.S.

Matt Lembright, Censys’ director of federal applications and author of the report, told CyberScoop that they came across the network after running a search through the company’s data for the top 1,000 software products currently observable on Russian hosts. After seeing Metasploit — penetration testing software frequently used for legitimate purposes — on just nine hosts out of more than 7.4 million, the team did some additional digging. 

The team eventually found two Russian-based hosts containing a combination of Acunetix, a web vulnerability tester, and DeimosC2, a command and control tool to use on compromised machines after exploitation.

The American Hospital Association reports

The Justice Department has recovered about $500,000 in ransom that a Kansas hospital and Colorado medical provider paid to state-sponsored North Korean hackers, the agency announced yesterday [July 19].

“Thanks to rapid reporting and cooperation from a victim, the FBI and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as ‘Maui,’” said Deputy Attorney General Lisa O. Monaco yesterday at the International Conference on Cyber Security. “Not only did this allow us to recover their ransom payment as well as a ransom paid by previously unknown victims, but we were also able to identify a previously unidentified ransomware strain.”

Federal agencies this month recommended U.S. health care organizations take certain actions to protect against the Maui ransomware threat. [See July 9 Cybersecurity Saturday post.]

And, of course, what would we do without Bleeping Computer’s The Week in Ransomware – headlined “Attacks Abound.”

From the cyberdefenses front —

Health IT Security points us to

The Cloud Security Alliance (CSA) released new guidance on third-party risk management in healthcare, drafted by its Health Information Management Working Group.

Threat actors are increasingly using third-party business associates as easier entry points into customer networks. Once inside the network, the malicious hackers may be able to access sensitive health data, encrypt files, and deploy ransomware on organizations that the associate does business with.

Cybersecurity Dive discusses public-private efforts to build the cybersecurity workforce.

The National Cyber Workforce and Education Summit highlighted an ongoing push to help meet an urgent demand for qualified cybersecurity professionals. 

Cyberseek research shows there are more than 700,000 open cybersecurity jobs in the U.S. and organizations face serious challenges in finding a diverse pool of workers. There is also heightened pressure to defend against a recent surge in malicious cyber activity. 

A range of government agencies, private sector companies and nonprofit organizations have made commitments to recruit, train and encourage potential employees to pursue careers in cybersecurity. 

Organizations are also making an effort to better train students in math, science and related fields to better prepare the workforce of the future. 

In that regard, the article points out five programs to develop cybersecurity talent. What’s more, Govexec reports

Kiran Ahuja, director of the Office of Personnel Management, told lawmakers on Thursday [July 21] that her agency wants “to work with Congress to develop a governmentwide cyber workforce plan that puts agencies on equal footing in competing for cyber talent.”

Special cyber hiring and pay authorities at the Department of Homeland Security create competition for talent among government agencies – something that needs to be addressed, she said along with Jason Miller, deputy director for management at the Office of Management and Budget.

“Congress passed a particular cyber talent program for DHS that has now become sort of … the king of programs within the federal government and other agencies are having to compete with that,” said Ahuja during a hearing of the House Oversight and Reform Committee’s Government Operations subcommittee.

Finally, Security Boulevard offers “defense against ransomware” tips.