Cybersecurity Saturday

Cyberscoop reports that

The Justice Department is undertaking a four-month review of its approach to combatting a range of malicious cyber activity from foreign governments and criminals amid a spate of ransomware attacks and supply chain compromises.

“We need to rethink … and really assess are we using the most effective strategies” against such hacking, Deputy Attorney General Lisa Monaco said Friday at the Munich Cyber Security Conference.

In this regard —

  • Health IT Security discusses “Healthcare’s Biggest Cybersecurity Blind Spots and Misconceptions — While awareness of the threats facing the healthcare sector has improved, providers have inherent blind spots and misconceptions leaving them exposed to a host of cybersecurity risks.”
  • Health Leaders Media explains why “Medical Device cyber-vulnerability casts a cloud over growing use.”
  • ISACA asks whether there can ever be normalcy in cyberspace. “The cycle of conducting hearings after hacks occur, followed by writing laws and spending money, is exhausting. In short, doing the same things yet expecting different results is senseless. Lawmakers must accept the fact, known universally by security practitioners, that all digital devices are vulnerable—they always have been and always will be. Cybersecurity is a technical risk and, for the foreseeable future, the goal must be to make cyberattacks costly for malicious actors.”

Here’s the latest on the SolarWinds hack from the American Hospital Association. (The ISACA article’s author adds, “But to categorize SolarWinds as merely a hack is a disservice, as it is now understood to be a major cybercampaign involving an estimated 1,000 nation-state actors.”)

From the ransomware front —

  • The New York Times warns “Don’t Ignore Ransomware. It’s Bad.”
  • The International Foundation of Employee Benefit Plans sets forth “Five Ransomware Risk Mitigation Strategies” for benefit plan administrators. The FEHBlog adds encrypting data in motion and at rest to that list.

The National Institute of Standards and Technology is seeking public comments on two cybersecurity documents:

Cybersecurity Saturday

It turns out that National Supply Chain Integrity Month’s theme for this week has been understanding supply chain threats. “Recent software compromises and other security incidents have revealed how new and inherent vulnerabilities in global supply chains can have cascading impacts that affect all users of ICT within and across organizations, sectors, and the National Critical Functions. To help organizations understand these threats and how to mitigate them, CISA’s ICT Supply Chain Risk Management (SCRM) Task Force developed the Threat Scenarios Report that provides acquisition and procurement personnel and others with practical, example-based guidance on supplier SCRM threat analysis and evaluation.”

Cyberscoop reports that

At least two-dozen U.S. federal agencies run the Pulse Connect Secure enterprise software that two advanced hacking groups have recently exploited, according to the Department of Homeland Security’s cybersecurity agency.

Multiple agencies have been breached, but just how many is unclear. “We’re aware of 24 agencies running Pulse Connect Secure devices, but it’s too early to determine conclusively how many have actually had the vulnerability exploited,” Scott McConnell, a spokesman for DHS’s Cybersecurity and Infrastructure Security Agency, told CyberScoop on Wednesday.

FireEye, the cybersecurity firm that announced the hacking campaign on Tuesday, said at least one of the two groups had links to China. The suspected Chinese hackers also targeted the trade-secret-rich defense contractors who do business with the Pentagon.

A security fix for the previously unknown software vulnerability exploited by the hackers won’t be available until next month, according to Ivanti, the Utah-based firm that owns Pulse Connect Secure.

FireEye also discovered the SolarWinds hack. Here is a link to the CISA emergency directive on this latest hack.

The Wall Street Journal informs us that

The Justice Department has formed a task force to curtail the proliferation of ransomware cyberattacks, in a bid to make the popular extortion schemes less lucrative by targeting the entire digital ecosystem that supports them. In an internal memorandum issued this week, Acting Deputy Attorney General John Carlin said ransomware poses not just an economic threat to businesses but “jeopardizes the safety and health of Americans.” * * *

The memo calls for developing a strategy that targets the entire criminal ecosystem around ransomware, including prosecutions, disruptions of ongoing attacks and curbs on services that support the attacks, such as online forums that advertise the sale of ransomware or hosting services that facilitate ransomware campaigns.

The task force will consist of the Justice Department’s criminal, national security and civil divisions, the Federal Bureau of Investigation and the Executive Office of U.S. Attorneys, which supports the 93 top federal prosecutors across the country. It will also work to boost collaboration with the private sector, international partners and other federal agencies such as the Treasury and Homeland Security departments.

CSOonline reports that

Faced with increasing payouts and a likely storm of litigation around the recent SolarWinds and Microsoft Exchange server compromises, cyber insurers are facing an “existential battle” for their future, a leading cybersecurity researcher and privacy consultant has warned. Likewise, businesses are grappling with whether to get cyber insurance, over doubts about payouts if attacked from the conflicted cyber insurance industry.

Nevertheless, purchasing cyber liability insurance remains a no-brainer decision in the FEHBlog’s opinion.

Cybersecurity Saturday

Before it’s too late, here is the Cybersecurity and Infrastructure Security Agency’s Week 2 website for National Supply Chain Integrity Month. Week 2 focuses on Assessing ICT Trustworthiness. The website offers new resources. Check it out.

The Labor Department’s Employee Benefits Security Administration, which regulates employer-sponsored benefit plans governed by ERISA, has created a lengthy, yet helpful, list of cybersecurity best practices for ERISA plans which no doubt could be used by FEHB plans too.

Bleeping Computer informs us today that “Microsoft has fixed a bug that could allow a threat actor to create specially crafted downloads that crash Windows 10 simply by opening the folder where they are downloaded.” “BleepingComputer strongly recommends that all Windows users install the latest Patch Tuesday security updates. Not only for this vulnerability but the 107 other vulnerabilities fixed this month.”

The AP discusses Microsoft’s cybersecurity woes.

Many security experts believe Microsoft’s single sign-on model, emphasizing user convenience over security, is ripe for retooling to reflect a world where state-backed hackers now routinely run roughshod over U.S. networks.

Alex Weinert, Microsoft’s director of identity security, said it offers various ways for customers to strictly limit users’ access to what they need to do their jobs. But getting customers to go along can be difficult because it often means abandoning three decades of IT habit and disrupting business. Customers tend to configure too many accounts with the broad global administrative privileges that allowed the SolarWinds campaign abuses, he said. “It’s not the only way they can do it, that’s for sure.”

In 2014-2015, lax restrictions on access helped Chinese spies steal sensitive personal data on more than 21 million current, former and prospective federal employees from the Office of Personnel Management.

Curtis Dukes was the National Security Agency’s head of information assurance at the time.

The OPM shared data across multiple agencies using Microsoft’s authentication architecture, granting access to more users than it safely should have, said Dukes, now the managing director for the nonprofit Center for Internet Security.

“People took their eye off the ball.”

Last Wednesday, the Senate Intelligence Committee held an open hearing on worldwide threats and of course the SolarWinds hack was a topic. Here is Cyberscoop’s take on that hearing. The following day per the Wall Street Journal, “President Biden announced retaliatory measures against Russia over election interference, the SolarWinds cyberattack and other malign activity, saying he isn’t seeking to kick off “a cycle of escalation” but would take more drastic action if necessary.” The Journal adds that

The U.S. has punished Russia for election interference in the past, notably after its multipronged operations during the 2016 election. But previous administrations typically refrained from retaliating for cyber intrusions they classified as political espionage—no matter how broad or successful—in part because the U.S. and its allies regularly engage in similar conduct, current and former officials said.

Subsequently, again per the Journal, “Russia said it would expel 10 U.S. diplomats and bar a number of senior U.S. officials from entering the country in response to measures against Moscow.”

Cybersecurity Saturday

Cyberscoop reports

The White House on Friday [April 9, 2021] asked Congress for $110 million in additional funding in [fiscal year] 2022 to help the Department of Homeland Security shore up federal and state defenses in the wake of high-profile hacking operations. The money would allow DHS’s Cybersecurity and Infrastructure Security Agency to improve its defensive tools, hire more experts and “obtain support services to protect and defend federal information technology systems,” Shalanda Young, the acting director of the Office of Management and Budget, wrote in an April 9 letter to congressional appropriators. It would add to a recent $650 million funding boost for CISA that was part of the coronavirus relief package cleared by Congress.

A Security Week columnist ponders what cybersecurity policy changes to expect from the Biden Administration.

As the U.S. transitions to a new presidential administration, which can be expected to differ largely from the last, it is hard not to speculate how President Biden’s Administration will reduce the risk of a major cyberattack against the U.S. or her interests. The recent SolarWinds attack, widely attributed to Russian actors, further amplifies the need for improved security and deterrence. Despite my best efforts to come up with a brilliant “thought leadership” piece on what I think the Biden Administration should do, the best answer has already been written and published in March of 2020 as the 2020 Cyberspace Solarium Commission Report.

Co-chaired by Senator Angus King (I-ME) and Representative Mike Gallagher (R-WI), the bipartisan Cyberspace Solarium Commission proactively scrutinized U.S. cybersecurity in much the same way the 2004 9/11 Commission Report reactively assessed failings within the U.S. Intelligence Community (IC) and offered recommendations for sweeping changes. The Cyberspace Solarium Commission, just as the 9/11 Commission before it, made bold recommendations for significant changes that I believe President Biden will likely use as the blueprint for restructuring how America operates in cyberspace.

The columnist focuses on the Solarium Commission’s recommendations to update the national cybersecurity policy, seat a national cybersecurity director, and improve the pipeline of cybersecurity talent.

Per the FBI, its “Internet Crime Complaint Center (IC3) has released its annual report [for 2020], which includes information from 791,790 complaints of suspected Internet crime—an increase of more than 300,000 complaints from 2019—and reported losses exceeding $4.2 billion. Notably, 2020 saw the emergence of scams exploiting the COVID-19 pandemic. The IC3 received over 28,500 complaints related to COVID-19, with fraudsters targeting both businesses and individuals.”

The Wall Street Journal reported last Wednesday that

Data from a 2019 hack of Facebook Inc. was made public in recent days, revealing the phone numbers and personal information of more than a half-billion people. While the data came from a vulnerability of Facebook platforms that the company says it has since fixed, security experts say that scammers could use the information for nefarious purposes like spam email and robocalling.

The hackers began selling the data online to bidders soon after it was accessed. Alon Gal, chief technology officer of the Israeli cybersecurity firm Hudson Rock, said it was initially sold for tens of thousands of dollars, and the price kept dropping until it was recently made available for free on sites like [site name omitted]. Hackers often release data for free once it has been circulated long enough, said Zack Allen, senior director of threat intelligence at ZeroFOX, a Baltimore-based cybersecurity company.

[S]ome cybersecurity experts have created sites that allow people to see if their information was contained in data leaks. One such site is [site name omitted], where you can enter your phone number or email address and see the result. The website, which allows people to check if their information was swept up in different data breaches, was created by Australian web-security consultant Troy Hunt.

The FEHBlog checked his gmail address on this site and discovered that his email address had been “pwned” in 14 different breaches since 2012. The FEHBlog has gone the two-factor authentication route with that address. By the way, pwn means “(especially in video gaming) utterly defeat (an opponent or rival); completely get the better of,” as in “I can’t wait to pwn some noobs in this game.”

Cybersecurity Saturday

April is National Supply Chain Integrity Month!

In partnership with the Office of the Director of National Intelligence (ODNI), the Department of Defense, and other government and industry partners, CISA is promoting a call to action for a unified effort by organizations across the country to strengthen global supply chains.

This week’s focus is on Building Collective Supply Chain Resilience.

Monday, April 5, is the effective date for the Health and Human Services Department’s Office of the National Coordinator for Health IT (“ONC”) information blocking rule, which implements part of the 2016 Cures Act. According to Fierce Healthcare,

While health IT experts have been calling for interoperability for years, they say this particular rule could finally be a major step in achieving a meaningful level of data sharing far beyond what’s been seen before in the healthcare sector.

If effectively enforced, the mandate that prohibits information blocking has the potential to revolutionize how patients interact with the healthcare system, said Deven McGraw, a health privacy expert and co-founder and chief regulatory officer at Ciitizen, a consumer health technology company.

“[The information blocking rule] has enormous potential to open up data sources that have previously been closed to patients but hold rich data about patients and that would be potentially game changing for them to tap into and access,” she told Fierce Healthcare.

EHR Intelligence reports on the ONC’s annual meeting held last Monday.

[National Coordinator Mickey] Tripathi identified the importance of “taking health IT to the next level” by making EHR adoption ubiquitous, delivering on the potential of FHIR-based capabilities, and making interoperability a priority by building on past accomplishments.

“One of the things that we should recognize is that there’s been tremendous progress made in interoperability,” he said. “I don’t think the industry gets enough credit for the amount of progress that’s been made in interoperability.”

The ONC leader said credit is lacking because interoperability permitted purposes remain focused on treatment purposes only, rather than the rest of the healthcare sector.

“We haven’t quite figured out how to integrate all the various layers of interoperability into a seamless experience,” he added.

But, Tripathi said ONC is still trying to decipher how local, state, and regional health information exchange (HIE) networks fit within nationwide networks, such as eHealth Exchange and CommonWell Health Alliance.

In significant news for government contractors, Cyberscoop reports that

Under a forthcoming White House order, companies that do business with the federal government would have to meet software security standards and swiftly report cyber incidents to a new entity within the Department of Homeland Security, sources familiar with a draft version of the document said.

The order’s other upgrades to federal agency security include use of multi-factor authentication and improvements to FedRAMP, the federal process for authorizing and continuously monitoring the security of cloud services.

Federal agencies would need to use data encryption and develop plans for shifting to a “zero trust” model, which assumes that organizations should not automatically assume they can trust anyone or anything inside the network. They would need to keep logs for cyber incidents.

Some of the steps might not come to fruition for some time because they will require additional federal rulemaking, an oft-slow process that includes several phases of public comment.

On the hacking front, Bleeping Computer reports

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) warn of advanced persistent threat (APT) actors targeting Fortinet FortiOS servers using multiple exploits.

In the Joint Cybersecurity Advisory (CSA) published today [April 2], the agencies warn admins and users that the state-sponsored hacking groups are “likely” exploiting Fortinet FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.

The attackers are enumerating servers unpatched against CVE-2020-12812 and CVE-2019-5591, and scanning for CVE-2018-13379 vulnerable devices on ports 4443, 8443, and 10443.

Following up on last week’s Cybersecurity Saturday post, Business Insurance reports that

The cyberattack that crippled CNA Financial Corp.’s computer systems nearly two weeks ago has been contained and the insurer has reestablished the functionality of its email, according to an update posted to the CNA website Thursday.

Cyberscoop informs us

The company did say, however, that it now believes it has the attack contained and has ascertained that the hackers and their ransomware lacked the ability to automatically move around in internal and external systems. Bleeping Computer reported that the Phoenix CryptoLocker ransomware was involved, possibly with links to a cybercriminal collective dubbed Evil Corp.

CNA said it was still communicating with regulators, law enforcement and outside forensics experts. CyberScoop has learned that CNA has enlisted help from CrowdStrike.

Cybersecurity Saturday

On Thursday, the Senate Armed Services Committee held a hearing featuring Gen. Paul Nakasone, the director of the National Security Agency, who also serves as the head of U.S. Cyber Command. A topic of discussion was the SolarWinds and Microsoft Exchange hacks.

The Wall Street Journal reports that these hacks have a “scope, a scale, a level of sophistication that we hadn’t seen previously.” * * * “This isn’t simply email phishing attempts—this is the use of supply chains, or this is the use of vulnerabilities we hadn’t seen before.” During a discussion of why the private sector discovered the hacks before the government, it was pointed out that

The NSA, for instance, is only authorized to operate outside U.S. borders, whereas the Federal Bureau of Investigation and other agencies are responsible for cybersecurity law enforcement domestically. Foreign attackers are aware of this and use U.S.-based servers to launch attacks from inside the country, effectively bypassing the NSA, Gen. Nakasone said. “It’s not the fact that we can’t connect the dots. We can’t see all of the dots,” he said.

Gen. Nakasone stopped short of calling for the NSA to be given the authority to surveil domestic networks when questioned directly by Sen. Mike Rounds (R., S.D.). He said that there are a number of ways to tackle the issues revealed by such sweeping and complex attacks, including enhanced cooperation with the private sector. The issue of surveillance, he said, carries both policy and legal concerns and was closely linked to the Fourth Amendment, which protects against unreasonable searches and seizures.

Cyberscoop adds

Part of being able to understand and better track adversarial hacking moving forward, even when it takes advantage of U.S. internet infrastructure, could rely on broader government and private sector information sharing.

“How do we take the best tools not only from the government but also from the private sector to look at what’s occurring and being able to shine that spotlight?” Gen. Nakasone said. “I think a lot of times we look and just say we’ll simply go ahead and downgrade that intelligence rapidly. Sometimes the better answer is, okay where are the other streams of information, how can we use that?”

Gen. Nakasone suggested that incentives for private sector could be introduced, adding that legislation could push private sector internet infrastructure companies to better understand who their customers are, as well.

In recognition of the role that information sharing between the public and private sector will play in responding to the flurry of Microsoft hacking, the Biden administration has convened an emergency cybersecurity incident response group at the National Security Council and invited private sector participation for the first time ever.

In this regard, Health IT Security reports that recently

The Department of Health and Human Services Cybersecurity and Infrastructure Security Agency unveiled the CISA Hunt and Incident Response Program (CHIRP) tool, which is designed to help entities detect threat activity within on-prem environments. * * *

CISA previously launched an IOC tool to help detect compromises within the cloud. The latest provided tool is specifically meant for on-prem networks.

By default, CHIRP scans for signs of compromise within an on-prem environment, particularly IOCs associated with the malicious activity around SolarWinds threat activities “that have spilled into an on-premises enterprise environment.”

“CHIRP is a command-line executable with a dynamic plugin and indicator system to search for signs of compromise,” CISA explained. “CHIRP has plugins to search through event logs and registry keys and run YARA rules to scan for signs of APT tactics, techniques, and procedures.”

“CHIRP also has a YAML file that contains a list of IOCs that CISA associates with the malware and APT activity,” they added.

Enterprises can leverage the tool without cost directly from DHS CISA. Officials said they intend to continuously monitor for new threats and will release IOC packages and plugins for new threats, as available.

Fortune Magazine reports that

A tool designed to help businesses protect themselves from further compromises after a global hack of Microsoft email server software has been downloaded more than 25,000 times since it was released last week, the White House’s National Security Council said Monday.

As a result, the number of vulnerable systems has fallen by 45%, according to an NSC spokesperson.

The one-click Microsoft tool was created to protect against cyberattacks and to scan systems for compromises and fix them. It was developed after a massive hack affecting an estimated tens of thousands of users of servers running Microsoft’s Exchange email program.

From the ransomware front, Business Insurance reports that

CNA Financial Corp.’s computer systems remained down on Friday as the insurer grappled with a cyberattack by a hacker group known as Phoenix. Nearly a week after the insurer discovered it had been attacked, its website remained inaccessible and just contained alternative contact information.

Bleeping Computer offers its analysis of the cyberattack.

BleepingComputer has confirmed that CNA suffered an attack by a new ransomware known as ‘Phoenix CryptoLocker.’

Sources familiar with the attack have told BleepingComputer that the threat actors deployed the ransomware on CNA’s network on March 21, where it proceeded to encrypt over 15,000 devices on their network.

BleepingComputer has learned that it also encrypted the computers of employees working remotely who were logged into the company’s VPN at the time of the attack.

BleepingComputer was further told that CNA would be restoring from backups but has not confirmed that with the company.

Bleeping Computer also discusses possible Phoenix links to Evil Corp., a ransomware mastermind that the federal government has sanctioned.

Here is a link to the FBI’s computer hygiene guidance that helps prevent ransomware attacks. As the FEHBlog expects that CNA Financial was following these steps and more, it will be interesting to find out how this happened.

Cybersecurity Saturday

Happy first day of Spring. Bloomberg reports that

As the U.S. reels from major cyber-attacks by suspected Russian and Chinese hackers, officials are looking to implement new technologies that would allow the federal government to respond more effectively.

The National Security Agency and the Department of Homeland Security believe they have part of the answer within the Domain Name System, or DNS, often referred to as the phone book of the internet. They are encouraging government agencies and high-risk companies to embrace a system known as Protective DNS, in which a private security firm would monitor and filter web traffic.

The payoff could be enormous, officials say. PDNS blocked connections to malicious websites millions of times in a recent test involving five U.S. defense contractors. After it was installed in the U.K., the system blocked nearly 60 million connections to suspect sites in 2018 alone, including 450,000 related to the infamous WannaCry strain of ransomware, according to a report issued by the National Cyber Security Centre.

Here’s a link to the NSA / CISA’s March 4, 2021 cybersecurity information sheet, “Selecting a Protective DNS Service.” “This publication details the benefits of using a Protective Domain Name System (PDNS), which criteria to consider when selecting a PDNS provider, and how to effectively implement PDNS.” [Source name omitted] adds

In light of the SolarWinds supply chain attack and the ongoing hacking of unpatched Microsoft Exchange on-premises email servers, organizations need to rethink how they use threat intelligence to block malicious domains and other malicious activity, says Oliver Tavakoli, CTO at security firm Vectra AI. PDNS services can play an important role, he says.

“Having PDNS in place allows for quick leverage of threat intel to actively block access, and it also allows relatively easy retrospective analysis to see if the organization was affected,” Tavakoli says.

Adopting PDNS services and improving security of the aging DNS protocol can help reduce common internet security problems, says Roger Grimes, data-driven defense evangelist at the security firm KnowBe4.

“A far more safe and secure internet can easily be designed. It would not take magic. It would take a few dozen people who control the internet’s future sitting in a room, designing a few global services, like Protective DNS, but on a global level, and agreeing on a few dozen values in a few database tables, and we could do it,” Grimes says. He notes, however, that “it’s hard to get people in your own family to agree on something, much less all of the people in the world.”
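As an added example (not from the original post or the NSA/CISA information sheet), the toy resolver below shows the two PDNS capabilities Tavakoli describes: blocking queries whose names match threat-intel indicators at resolution time, and searching the retained query log retrospectively when a new indicator arrives to see which hosts had already contacted it. All domains, hostnames and timestamps are constructed sample data.

```python
"""Toy Protective DNS (PDNS) resolver: blocks queries for threat-intel domains
and keeps a query log so new indicators can be checked retrospectively.
Added example, not the original post's or the NSA/CISA guidance's code.
All domains, clients and timestamps used here are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

SINKHOLE_IP = "0.0.0.0"  # answer returned for blocked names


def normalize(name: str) -> str:
    """Lowercase and drop the trailing dot so matching ignores case/format."""
    return name.rstrip(".").lower()


@dataclass
class QueryRecord:
    ts: int           # constructed epoch seconds
    client: str       # internal host that asked
    qname: str        # normalized name queried
    action: str       # "allowed" or "blocked"
    reason: str = ""  # matching indicator when blocked


@dataclass
class ProtectiveResolver:
    blocklist: Set[str] = field(default_factory=set)
    upstream: Dict[str, str] = field(default_factory=dict)  # stand-in for real recursion
    log: List[QueryRecord] = field(default_factory=list)

    def add_indicators(self, domains: Iterable[str]) -> None:
        """Load threat-intel domains; subdomains of each are covered too."""
        self.blocklist.update(normalize(d) for d in domains)

    @staticmethod
    def match_indicator(qname: str, indicators: Set[str]) -> str:
        """Return the indicator covering qname (exact or parent domain), else ''."""
        labels = qname.split(".")
        # Walk from most to least specific: a.b.example.test -> b.example.test
        # -> example.test; the bare TLD is never treated as an indicator.
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in indicators:
                return candidate
        return ""

    def resolve(self, ts: int, client: str, name: str) -> str:
        """Answer a query: sinkhole if it matches an indicator, else forward."""
        qname = normalize(name)
        hit = self.match_indicator(qname, self.blocklist)
        if hit:
            self.log.append(QueryRecord(ts, client, qname, "blocked", hit))
            return SINKHOLE_IP
        self.log.append(QueryRecord(ts, client, qname, "allowed"))
        return self.upstream.get(qname, "NXDOMAIN")

    def retrospective_hits(self, new_indicators: Iterable[str]) -> List[QueryRecord]:
        """Queries that were allowed before these indicators became known."""
        iocs = {normalize(d) for d in new_indicators}
        return [r for r in self.log
                if r.action == "allowed" and self.match_indicator(r.qname, iocs)]


def demo() -> dict:
    """Constructed walkthrough: block a known C2, then handle late-arriving intel."""
    r = ProtectiveResolver(upstream={"intranet.corp.example": "10.0.0.5",
                                     "cdn.vendor.example": "203.0.113.10",
                                     "update.badactor.test": "198.51.100.7"})
    r.add_indicators(["malware-c2.test"])
    r.resolve(1000, "ws-017", "intranet.corp.example.")
    r.resolve(1001, "ws-017", "beacon.MALWARE-C2.test")   # blocked on the spot
    r.resolve(1002, "ws-042", "update.badactor.test")     # not yet known: allowed
    r.resolve(1003, "ws-042", "cdn.vendor.example")
    # Threat intel later names badactor.test: find who already talked to it,
    # then add it so further lookups are sinkholed.
    late = r.retrospective_hits(["badactor.test"])
    r.add_indicators(["badactor.test"])
    return {"blocked": [q.qname for q in r.log if q.action == "blocked"],
            "affected_clients": sorted({q.client for q in late}),
            "now_sinkholed": r.resolve(1004, "ws-042", "update.badactor.test")}


if __name__ == "__main__":
    print(demo())
```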

On March 17, the FBI’s Internet Crime Complaint Center released its annual report.

The 2020 Internet Crime Report includes information from 791,790 complaints of suspected internet crime—an increase of more than 300,000 complaints from 2019—and reported losses exceeding $4.2 billion. State-specific statistics have also been released and can be found within the 2020 Internet Crime Report and in the accompanying 2020 State Reports.

The top three crimes reported by victims in 2020 were phishing scams, non-payment/non-delivery scams, and extortion. Victims lost the most money to business email compromise scams, romance and confidence schemes, and investment fraud. Notably, 2020 saw the emergence of scams exploiting the COVID-19 pandemic. The IC3 received over 28,500 complaints related to COVID-19, with fraudsters targeting both businesses and individuals.

TechRepublic adds that “A report released Wednesday [March 17] by Unit 42, the threat intelligence team at Palo Alto Networks, looks at how ransomware has evolved and provides advice on how to protect your organization. To create its “2021 Ransomware Threat Report,” Unit 42 worked with Palo Alto Networks’ Crypsis incident response team to analyze ransomware based on their collective data across the U.S., Canada and Europe.”

Finally, Cyberscoop offers an interesting perspective on the recent Verkada security camera breach.

Cybersecurity Saturday

The Senate Homeland Security and Governmental Affairs Committee will be holding a hearing on “Understanding and Responding to the SolarWinds Supply Chain Attack: The Federal Perspective” on Thursday, March 18.

Speaking of which, Bleeping Computer reports that as of March 11, 2021 “CISA officials said that, so far, there is no evidence of US federal civilian agencies compromised during ongoing attacks targeting Microsoft Exchange servers. This statement is based on information collected by federal agencies following an emergency directive issued by the US Cybersecurity and Infrastructure Security Agency (CISA) one week ago.”

Following up on this story, Cyberscoop reports that

Suspected Chinese government-linked hackers were the first to allegedly exploit the Microsoft vulnerabilities. As soon as the company released a fix for the bugs, though, taking the issue public, a range of other hacking groups also appeared to try leveraging the flaws. At least ten different advanced threat groups are working to exploit the vulnerabilities now, according to ESET research, while other hackers have stolen email data and others have tried to generate financial revenue.

But with such a large list of victims — 30,000 organizations in the U.S. alone, according to some estimates — and so many attackers trying to leverage the flaws, there is little hope for cybersecurity professionals and affected entities to keep up with the sheer volume of exploits and attackers pummeling them, analysts say. In addition to patching the holes in Microsoft technology, organizations should also be working to evict hackers from their networks, and remain on alert for data theft, credential theft and other potentially damaging follow-up attacks. Security analysts also are warning that the flaws could open the pathway for ransomware attacks, meaning that if organizations fail to act now, it could cost them later.

Here is a link to the latest CISA remedial guidance on the Microsoft vulnerabilities.

Cyberscoop adds that

Over the last several days, Allison Nixon, the chief research officer at cybersecurity consulting firm Unit 221B, rounded up her team to develop a website that would help alert organizations if they’ve been compromised.

The Unit 221B website is designed so users can search to see if they are using compromised Exchange servers with Outlook Web Access (OWA) enabled. Users can go to the site, which launched Tuesday, directly from their Exchange server, which will allow Unit 221B to check their IP address against their victim list. Victims will then be alerted if they are compromised and if the attackers loaded webshells, a malicious tool used to establish a foothold inside targets, Nixon says.

Creating a data backup is one of the most crucial steps that organizations can take right now to protect themselves, Nixon said. Organizations that don’t make a backup of their servers but that do get hit with a ransomware attack, in which hackers lock up their machines and extort them for money, run the risk of losing their businesses entirely, Nixon warned. “It doesn’t matter if they don’t have a regular backup program, or they don’t have a fancy IT team — they just need to take a copy of their servers … put it on a hard drive, put it in a safe: A one-time thing this week,” Nixon said.

In federal personnel news, Nextgov informs us that the U.S. Office of Personnel Management’s chief information officer (CIO) Clare Martorana has been named the federal government’s CIO. Congratulations to her. OPM Principal Deputy CIO Guy Cavallo will serve as acting CIO until a permanent replacement is named, an OPM spokesperson told Nextgov.

Cybersecurity Saturday

FCW reports that

Rep. Michael McCaul (R-Texas) announced that he and Rep. Jim Langevin (D-R.I.), both members of the House Homeland Security Committee, are working on a bill that would establish the Cybersecurity and Information Security Agency as a kind of 911 for breach notification. McCaul said his legislation is designed to protect companies from repercussions in the market by removing sources and methods and company names out of reporting. “It would just simply send a threat information itself to CISA so that they could deal both industrywide and federal government wide and state, the threat information they would need to address it on a larger scale,” McCaul said at a joint hearing of the House Committee on Oversight and Reform and the House Homeland Security Committee on Feb. 26.

Speaking of CISA, last Wednesday, March 3, CISA issued Emergency Directive 21-02 “requiring federal civilian departments and agencies running Microsoft Exchange on-premises products to update or disconnect the products from their networks until updated with the Microsoft patch.” According to the Wall Street Journal, this action stems from

A cyberattack on Microsoft Corp.’s Exchange email software is believed to have infected tens of thousands of businesses, government offices and schools in the U.S., according to people briefed on the matter.

Many of those victims of the attack, which Microsoft has said was carried out by a network of suspected Chinese hackers, appear to be small businesses and state and local governments. Estimates of total world-wide victims were approximate and ranged broadly as of Friday. Tens of thousands of customers appear to have been affected, but that number could be larger, the people said. It could be higher than 250,000, one person said.

While many of those affected likely hold little intelligence value due to the targets of the attack, it is likely to have netted high-value espionage targets as well, one of the people said.

Cyberscoop informs us that

The White House is moving forward with an executive order to encourage software developers to build more security into their products as the investigation of a suspected Russian supply chain compromise continues, a top security official said Friday [March 5]. The upcoming directive “will focus on building in standards for software, particularly software that’s used in critical areas,” Anne Neuberger, the deputy national security adviser for cyber and emerging technology, said at the SANS Institute’s ICS Security Summit. “The level of trust we have in our systems has to be directly proportional to the visibility we have. And the level of visibility has to match the consequences of the failure of those systems.”

Cyberscoop further discloses that

Microsoft and FireEye on Thursday [March 4] revealed three more malware strains associated with the suspected Russian perpetrators who breached SolarWinds’ Orion software and used its update to infect federal agencies and major companies. FireEye named one strain Sunshuttle in a blog post. In a separate blog post, Microsoft dubbed two more strains GoldFinder and Sibot, and labeled the strain FireEye called Sunshuttle as GoldMax. Microsoft said the strains join the previously known SolarWinds hacker tools Sunburst and Teardrop.

Fortune discusses the nascent use of contact tracing in cybersecurity processes.

A concept called Sightings has been gaining traction in the security community, largely at the academic level, for the past few years. The idea is for organizations to be able to share details of how they were attacked and what was targeted—the who, what, and when—as quickly as possible with other organizations.

This concept could help organizations identify breaches sooner and remediate faster and more effectively. Through sharing, attack techniques could be more thoroughly understood, and with the right reporting mechanism, the resulting threat intelligence could be shared to help more organizations avoid a breach in the first place. MITRE, a leading not-for-profit research organization, is working on incorporating Sightings concepts into a security reporting process that would let breach victims share appropriate data in a secure, anonymized way to benefit the wider community.

Beyond this threat intelligence application, organizations could use this sort of contact tracing approach for their own internal investigations. Data contact tracing can dramatically reduce the time it takes to discover how far into their networks an attacker has penetrated, and identify where related systems in their supply chains, customers, and partner networks have also been compromised.

Finally, Health IT Security reports that

Cyberattacks on healthcare more than doubled in 2020, with ransomware accounting for 28 percent of all attacks. COVID-19 response efforts, including personal protective equipment and the vaccine supply chain, were the largest focus of these targeted campaigns, according to the latest IBM X-Force report.

Nearly one out of four overall cyberattacks last year were ransomware, while the increase in data extortion efforts enabled just one of these ransomware hacking groups to make over $123 million in profits in 2020.

The annual report is generated through insights and observations from monitoring more than 150 billion security events per day in more than 130 countries. Researchers also gathered and analyzed data from multiple sources within IBM, including data from Quad9 and Intezer.

Cybersecurity Saturday

On Tuesday February 23, the Senate Select Committee on Intelligence held a hearing on the SolarWinds hack. FCW and CyberScoop report on the hearing here and there. Per CyberScoop

More than two months after the hack became public, the wide-ranging Senate Select Committee on Intelligence hearing demonstrated that the U.S. government, the private sector and digital incident responders still are wrestling with the ramifications of a suspected Russian espionage campaign that leveraged the federal contractor SolarWinds.

A number of big questions remain: SolarWinds still hasn’t determined how the hackers originally got into its systems, nobody has fully settled debates on whether the incident amounts to espionage, or something worse, and suspicions abound that more victims remain unrevealed.

“It has become clear that there is much more to learn about this incident, its causes, its scope and scale, and where we go from here,” said Senate Intelligence Chairman Mark Warner, D-Va.

The House Oversight and Reform Committee held its own SolarWinds hack hearing yesterday. “The hearing examine[d] the role of the private sector in preventing, investigating, and remediating these attacks, as well as the need for Congress and the Executive Branch to implement a strategy to strengthen cybersecurity across federal government networks and improve information-sharing with the private sector.”

In other SolarWinds hack related news, CyberScoop reports that

Microsoft is offering up the tool it used to track down potential indicators of compromise in the sweeping SolarWinds breach, the company announced Thursday.

Microsoft is releasing the so-called CodeQL queries it used to investigate its source code, in an effort to help other organizations mitigate the risk from the cascading cyber-espionage campaign involving a breach at the U.S. federal contractor SolarWinds. Microsoft is aiming to help firms pinpoint code-level indicators of compromise (IoCs), Microsoft’s Security Team said in a blog post.

By digging into their own code, organizations can assess if they have been compromised by the hack, in which suspected Russian hackers laced malicious software in a SolarWinds product’s software update, Microsoft said. The company has described the campaign as “Solorigate.”

  • CyberScoop reports that on Wednesday, February 24, “President Joe Biden signed an executive order on Wednesday directing federal agencies to conduct a review of supply chain security risks in industries including information technology. * * * Specifically, the order directs reports within one year from the secretaries of Agriculture, Defense, Energy, Health and Human Services and Transportation — along with a joint Commerce/Homeland Security report — that include an assessment of cyber risks within key industry sectors that could disrupt the U.S. supply chain.”

In other cybersecurity related news —

  • Bleeping Computer discusses at reasonable length the Zero Trust security model that the FEHBlog referenced in a recent post. “The National Security Agency (NSA) and Microsoft are advocating for the Zero Trust security model as a more efficient way for enterprises to defend against today’s increasingly sophisticated threats. The concept has been around for a while and centers on the assumption that an intruder may already be on the network, so local devices and connections should never be trusted implicitly and verification is always necessary. Cybersecurity companies have pushed the zero-trust network model for years, as a transition from the traditional security design that considered only external threats.”
  • Bitglass, a cloud security vendor, released its seventh annual healthcare data breach report.

Key Findings [from the company’s announcement]

  • The average cost per breached record increased from $429 in 2019 to $499 in 2020. With 26.4 million records exposed in 2020, data breaches cost healthcare organizations $13.2 billion.
  • Outside of hacking and IT incidents, the remaining breach categories exposed the personal details of about 2.3 million people, exposing victims to identity theft, phishing, and other forms of cyberattacks.
  • This year, breach numbers were up across the board, with 37 out of 50 U.S. states suffering more breaches than they did in 2019. California had the most healthcare breaches in 2020 with 49 incidents, surpassing last year’s leader, Texas, which suffered 43 breaches in 2020.
  • In 2020, the average healthcare firm took about 236 days to recover from a breach.

  • The FEHBlog recently noticed that the Office of Personnel Management has posted its 4th Quarter 2020 report on the implementation of its FEHB Master Enrollment Index.