October is National Cybersecurity Awareness Month. The FEHBlog reminds readers that

CISA will host its fourth annual National Cybersecurity Summit on Wednesdays during the month of October. The 2021 Summit will be held as a series of four virtual events bringing stakeholders together in a forum for meaningful conversation:

Oct. 6 – Assembly Required: The Pieces of the Vulnerability Management Ecosystem 

Oct. 13 – Collaborating for the Collective Defense 

Oct. 20 – Team Awesome: The Cyber Workforce 

Oct. 27 – The Cyber/Physical Convergence

Register for this free summit and read more about the presentations at CISA.gov/cybersummit2021

Security Week offers an article on ways to support this national effort.

Also yesterday, October 1, according to ZDNet,

The White House plans to convene a 30-country meeting this month to address cybersecurity, President Biden said in a statement Friday. 

The topics of the meeting, Biden said, will include combating cybercrime, improving law enforcement collaboration, stemming the illicit use of cryptocurrency, building trusted 5G technology and better securing supply chains. 

From Capitol Hill, Senator Gary Peters (D Mich.) tells us about American Rescue Plan funding totaling $1 billion that is being used to modernize federal IT systems. Here is a complete list of the unclassified Technology Modernization Funds projects.

With respect to cybersecurity practices

• Earlier this week, CISA and the National Security Administration “released the cybersecurity information sheet Selecting and Hardening Standards-based Remote Access VPN Solutions to address the potential security risks associated with using Virtual Private Networks (VPNs). Remote-access VPN servers allow off-site users to tunnel into protected networks, making these entry points vulnerable to exploitation by malicious cyber actors.” Here is a Cyberscoop article on this development.

• Helpnetsecurity.com offers an interesting article about the move from password verification to identity verification to secure networks against cyberattacks. “Identity verification is the most important step in an organization’s system for providing access, and authentication cannot occur until identity is established. This is known as identity-based authentication and it is the foundation of effective security measures. Once identity is established with a high level of efficacy, password-based credentials become obsolete. The end goal is not passwordless solutions – the goal is identity-based authentication, with passwordless as a means to that end.”

• The National Institute of Standards and Technology issued its 2020 annual report (SP 800-214) last week.

As always, here is a link to Bleeping Computer’s The Week in Ransomware.

From the Capitol Hill front, we learn from Cyberscoop that

• Last Monday, September 20, nine Senate Democrats wrote a letter to the Federal Trade Commission urging the agency to adopt stronger rules cracking down on privacy violations and data breaches.

• “The Department of Homeland Security’s cyber division, a key government agency charged with helping stop and respond to cyberattacks, might be getting ready for a bigger role in the spotlight. * * * Both chambers of Congress are contemplating legislation that would make CISA the hub where vital companies would report major cybersecurity incidents, following the string of monumental cyberattacks that began with the SolarWinds breach in December.” The article also discusses a planned large infusion of federal funding to CISA.

• “The head of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency testified at a Senate hearing Thursday [September 23] in favor of requiring critical infrastructure owners and operators, federal contractors and agencies to report attacks to CISA within 24 hours of detection. * * * At Thursday’s hearing, Easterly further advocated for CISA and the Justice Department to decide what kinds of companies would have to meet the reporting requirements, rather than writing them specifically into the bill. She also advocated fines, rather than subpoenas, to compel companies to obey the reporting requirements. * * * National Cyber Director Chris Inglis, testifying at the same hearing, said he agreed with Easterly’s preferences.”

From the guidance front

• On September 21, CISA laid out cybersecurity goals and objectives for critical infrastructure owners. “[W]hile all of the goals outlined in this document are foundational activities for effective risk management, they represent high-level cybersecurity best practices.”

• On the same day, the HHS Office for Civil Rights which enforces the HIPAA Privacy and Security Rules posted a list of ransomware resources for HIPAA covered entities.

• Security Week offers an interesting article on working securely from anywhere with Zero Trust.

From the ransomware front

• A federal government cybersecurity alert was issued on September 22 about Conti ransomware. “CISA, FBI, and NSA encourage network defenders to examine their current cybersecurity posture and apply the recommended mitigations in the joint CSA, which include:  

• Updating your operating system and software, 
• Requiring multi-factor authentication, and  
• Implementing network segmentation.

• Last but not least here is a link to current Bleeping Computer post on the Week in Ransomware.

This week’s biggest news is the USA sanctioning a crypto exchange used by ransomware gangs to convert cryptocurrency into fiat currency. By targeting rogue exchanges, the US government is hoping to disrupt ransomware’s payment system.

This other interesting news this week is a list of vulnerabilities commonly used by ransomware gangs and how the REvil operators reportedly use their operator key to hijack negotiations from affiliates.

Action / Reaction

• Fierce Healthcare reported on September 13 that

An unsecured database containing over 61 million records related to fitness trackers and wearables exposed Apple and Fitbit users’ data online.

Researchers with WebsitePlanet and security researcher Jeremiah Fowler discovered a non-password-protected database that contained tens of millions of records belonging to fitness tracking and wearable devices and apps. The unsecured database belonged to GetHealth, which offers a unified solution to access health and wellness data from hundreds of wearables, medical devices and apps, according to a WebsitePlanet report posted Monday.

The cybersecurity team discovered the unsecured database June 30, ZDNet reported. Fowler said he immediately sent a disclosure notice to the company of the security findings. GetHealth responded rapidly, and the system was secured within a matter of hours, ZDNet reported.

“It is unclear how long these records were exposed or who else may have had access to the dataset,” Fowler wrote in the report.

“We are not implying any wrongdoing by GetHealth, their customers or partners. Nor, are we implying that any customer or user data was at risk,” he wrote.

• On Thursday, September 16, Cyberscoop reported

App developers and device operators that collect health data about Americans must alert consumers in the event their personal information is compromised or shared without permission, the Federal Trade Commission ruled Wednesday.

The U.S. consumer protection agency voted 3-2 on a new regulation that is meant to clarify the 2009 Health Notification Rule, which details how companies should tell consumers if their data is improperly shared or breached. The decision Wednesday extends the 2009 rule to cover health apps, fitness trackers and other connected devices that have risen in popularity over the past decade.

From the survey front,

• Health IT Security informs us that “Google and Microsoft amassed the most vulnerabilities compared to other major tech companies in the first half of 2021, researchfrom Atlas VPN revealed. During the first half of 2021, Google accumulated 547 registered vulnerabilities. Microsoft followed close behind at 432.” Ruh roh.

• CRN discusses the ten biggest cybersecurity risks that business face this year.

In ransomware news —

• The Wall Street Journal advised us yesterday that

The Biden administration is preparing an array of actions, including sanctions, to make it harder for hackers to use digital currency to profit from ransomware attacks, according to people familiar with the matter. 

The government hopes to choke off access to a form of payment that has supported a booming criminal industry and a rising national security threat.

The Treasury Department plans to impose the sanctions as soon as next week, the people said, and will issue fresh guidance to businesses on the risks associated with facilitating ransomware payments, including fines and other penalties. Later this year, expected new anti-money-laundering and terror-finance rules will seek to limit the use of cryptocurrency as a payment mechanism in ransomware attacks and other illicit activities.

The actions collectively would represent the most significant attempt yet by the Biden administration to undercut the digital finance ecosystem of traders, exchanges and other elements that cybersecurity experts say has allowed debilitating ransomware attacks to flourish in recent years.

• Security Week offers a related report on understanding the cryptocurrency – ransomware connection.

• And no Cybersecurity Saturday post would be complete without a link to Bleeping Computer’s The Week in Ransomware. “This week’s biggest news is that soon after REvil returned from its two-month absence, Bitdefender released a master decryptor that allows victims encrypted by REvil before July 13th to recover their files for free.”

From the ransomware front, Bleeping Computer reports today that “The REvil ransomware gang has fully returned and is once again attacking new victims and publishing stolen files on a data leak site.” REvil was responsible most recently for the JBS meat packing plant and the Kayesa hacks. Following the Kayesa hack, the gang went into virtual hiding.

After their shutdown, researchers and law enforcement believed that REvil would rebrand as a new ransomware operation at some point. However, much to our surprise, the REvil ransomware gang came back to life this week under the same name.

Also here is a link to Bleeping Computer’s the Week in Ransomware.

ZDNet offers an interesting article on ransomware targets.

On Monday, KELA published a report on listings made by ransomware operators in the underground, including access requests — the way to gain an initial foothold into a target system — revealing that many want to buy a way into US companies with a minimum revenue of over $100 million. * * *

Ransomware groups such as Blackmatter and Lockbit may cut out some of the legwork involved in a cyberattack by purchasing access, including working credentials or the knowledge of a vulnerability in a corporate system. 

* * * Roughly half of the ransomware operators will, however, reject offers for access into organizations in the healthcare and education sector, no matter the country. In some cases, government entities and non-profits are also off the table. * * *

[T{here are preferred methods of access. Remote Desktop Protocol (RDP), Virtual Private Network (VPN)-based access prove popular. Specifically, access to products developed by companies including Citrix, Palo Alto Networks, VMWare, Cisco, and Fortinet.  

ZDNet further reports that

All the time spent ticking boxes in cybersecurity training sessions seems to be paying off after all: according to a new report, about a third of emails reported by employees really are malicious or highly suspect, demonstrating the effectiveness of the well-established maxim “Think before you click”.  

IT security company F-Secure analyzed over 200,000 emails that were flagged by employees from organizations across the globe in the first half of 2021, and found that 33% of the reports could be classified as phishing.

On the zero trust front, FCW informs us that “The push to convert federal networks, systems and devices to a zero trust security architecture is accelerating, with the release of three new draft guidance documents as part of the White House administration’s push to improve the nation’s cybersecurity” and the Wall Street Journal provides us with a Deloitte produced guide to zero trust cybersecurity.

For those with a law enforcement orientation, the Wall Street Journal tells us that the secret vulnerability of cybercrime gang is the burnout of their foot soldiers. The reporters had interviewed scores of lower level cybercrime workers, among other investigative techniques. Their conclusions:

[W]hen authorities targeted the support staff—the labor force that the cybercrime industry depends on—with a few arrests and made their jobs even more miserable than usual through coordinated shutdowns of server networks, the effect was much greater. This is not unlike putting pressure on a mafia accountant, as opposed to arresting crime bosses. 

In our research, we saw that when authorities attacked the cybercrime infrastructure this way, the services became unreliable and their customers thought they were being scammed, flooding their chat channels with complaints. When servers went down, so did the business of all the criminals who were renting that infrastructure. Cyberattacks declined.

Conventional wisdom suggests that disrupting the infrastructure of cybercrime services by taking down their servers is merely a game of Whac-A-Mole, with these groups able to set up new systems fairly quickly. But that doesn’t take into account the effect on cybercrime workers: We found that these takedowns were extremely frustrating for the people working behind the scenes. We even began to see people quitting the business, burned out from the stress of having to provide round-the-clock customer service and system administration under increasing scrutiny from the police.

Oh joy, Bleeping Computer’s The Week in Ransomware is back after two weeks and it is chock-a-block full of useful information. Check it out.

From the entrepreneurial hacking front, Bleeping Computer also reports that “Hackers are actively scanning for and exploiting a recently disclosed Atlassian Confluence remote code execution vulnerability to install cryptominers after a PoC exploit was publicly released. Atlassian Confluence is a very popular web-based corporate team workspace that allows employees to collaborate on projects.”

Cyberscoop tells us about on going discussions on Capitol Hill about reaching a consensus on wide ranging cybersecurity incident reporting laws.

Battle lines are drawn in Congress over legislation that would require companies to report some cyber incidents to the federal government, with industry groups lining up to support a House of Representatives bill poised to create fewer challenges for business leaders than a similar proposal in the Senate.

The debate involves questions about how quickly companies would have to report attacks, what kinds of specific intrusions would trigger notification and whether failure to comply with the rules would lead to financial penalties. The idea of breach notification legislation gained momentum following last year’s discovery of the SolarWinds hack that compromised nine federal agencies and some 100 companies, as well as the Colonial Pipeline ransomware attack in May.

At issue are such questions as whether companies have 24 or 72 hours to report an incident, along with who would be on the hook outside of critical infrastructure owners and operators, if anyone.

Cyberscoop adds

The bill under discussion in the House would provide companies that share breach data protections against lawsuits, and specifies no punishments for not complying. The Senate bill authorizes financial penalties tied to a company’s gross revenue. Naturally, the private sector prefers not to face penalties, according to the Senate aide.

And while the Senate legislation leaves it to CISA to define what kinds of “cybersecurity incidents” trigger notification requirements, the House legislation defines them as those “likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.” Further, the Senate version requires reporting of confirmed and potential intrusions, while the House bill only applies to confirmed intrusions.

Because there is no Congressional election this year, Congress will have plenty of time this fall to resolve these differences and enact a law.

A friend of the FEHBlog called his attention this very useful list of cybersecurity resources created by the College of Healthcare Information Management Executives (“CHIME”).

On Wednesday August 25, the President led a summit conference between his administration and business leaders about cybersecurity. The Wall Street Journal reports that the President

called the issue “the core national security challenge we are facing.”

Top tech executives, including Apple Inc.’s Tim Cook, Amazon.com Inc.’s Andy Jassy, Microsoft Corp.’s Satya Nadella and Alphabet Inc.’s Sundar Pichai attended the White House meeting, according to a list of participants shared by an administration official. The guest list also included JPMorgan Chase & Co. CEO Jamie Dimon and Brian Moynihan, president and CEO of Bank of America Corp. , among other representatives of the financial industry.

Here’s a link to the White House’s fact sheet on the conference which highlights its significant accomplishments. Cyberscoop adds that “While impressive, observers noted, those commitments will require considerable follow-up, from expansion to other sectors to policy changes that could emerge from closer-knit relationships between industry and government.”

Last Monday, the FEHBlog attended a Federal Contract Institute webinar on combatting ransomware. The speakers, who were lawyers, suggested placing as many speed bumps, e.g., dual authentication, encryption, DMARC, as you reasonably can in front of the ransomware crook. Your run of the mill ransomware crook will switch intended victims if the first intended victims servers appear difficult to crack. The speakers also recommended supplementing NIST 800-171 , which focuses on preserving the confidentiality of data, with NIST IR 8374 , a June 21 draft which focuses on preserving the integrity and available of data. The speakers noted the CISA’s www.ransomware.gov  site provides a helpful double check to identify available speed bumps.

Speaking of ransomware, the author of Bleeping Computer’s The Week in Ransomware must be on vacation because the FEHBlog cannot find the August 27 issue. In any event, Bleeping Computer does report that yesterday August 27, ‘T-Mobile’s CEO Mike Sievert said that the hacker behind the carrier’s latest massive data breach brute forced his way through T-Mobile’s network after gaining access to testing environments.” Cyberscoop adds that

“Americans already trying to avoid calls from telemarketers, call support scammers and long-winded in-laws now have another reason to ignore that ringing phone: ransomware hackers. Scammers affiliated with a digital extortion outfit known as Hive are using phone calls to dial victims who are infected with a malicious software strain that locks up their files until they agree to pay a hostage fee, according to an August 25 FBI alert. Investigators first observed hackers deploying the malware in June, with attackers leveraging Microsoft’s Remote Desktop Protocol to infect business networks.”

Here are a couple of cybersecurity defense links that are worth a gander in the FEHBlog’s opinion:

• Security Week discusses how threat detection is evolving.
• The publication also explains how to defeat (avoid?) a false sense of cybersecurity.

Today is the 25th anniversary of President Clinton signing the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) into law. Ponder that, my friends.

Let’s start of today with a link to Bleeping Computer’s The Week in Ransomware:

Ransomware gangs continue to attack schools, companies, and even hospitals worldwide with little sign of letting up. [At the link] we have tracked some of the ransomware stories that we are following this week.

Stories of particular interest revolve around new features and tactics used by some of the ransomware operations.

After analyzing the Conti training material leaked earlier this month, we learned that they use a legitimate remote access software to retain persistence on a compromised network. We also learned that they prioritize searching for cyber insurance policies and financial documents after taking control of a network

There is some good news, as Emsisoft has released a SynAck ransomware decryptor after the master decryption keys were released by the threat actors earlier this month.

Earlier this week Security Week reported that the “U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week published a new document providing recommendations on how to prevent data compromise during ransomware attacks.”

Although it’s not healthcare, it’s a big hack. The Wall Street Journal reports that “The breach of T-Mobile US Inc. allowed hackers to steal information about more than 54 million people and potentially sell the data to digital fraudsters and identity thieves.” The Journal adds that “T-Mobile has set up a website containing information about the breach and advice on how consumers can protect themselves.”

From the advice column

• Tech Republic informs us based on an interview with a cybersecurity lawyer that “Expert says people are becoming smarter about the links they click on and noticing the ones they shouldn’t, giving hope for the future of cybersecurity.” Keep up the good work, friends.
• HITConsultant.net discusses three way that healthcare organizations can work to prevent insider security threats, to with (1) prioritize employee education without burning them out; (2) improve IT hygiene, and (3) implement a zero trust approach.
• For more on the zero trust approach check out this helpnetsecurity.com article.

Finally, the Wall Street Journal offers an interesting article on a Deloitte study about using technology to improve the health plan member experience. Check out, and again Happy Birthday HIPAA.

This past week the HIMSS conference was held in Las Vegas. Healthcare Dive reports on a session on whether healthcare organizations should pay to settle a ransomware attack. It’s complicated because “With patient lives on the line, continuity of care is essential — and it might cost more to fight the attack by halting operations and bringing in pricey outside cybersecurity consultants.” In this regard, Fierce Healthcare informs us that “

A massive cyberattack May 1 cost Scripps Health $112.7 million through the end of June, with lost revenue bearing most of the cost.

The nonprofit San Diego-based hospital system reported the impact during its second-quarter earnings filed Tuesday.

Healthcare Dive adds

Currently, security experts are experiencing a strategic sea change in how they counter cyberattacks, shifting from a focus on shoring up defense — an increasingly outdated and ineffective plan, given the increasing volume and complexity of cyberattacks, coupled with the massive size of healthcare organization’s IT surfaces that need protection — to survivability. Panelists recommended companies assess their IT strengths and weaknesses to know how to prepare, even role-playing a breach to see how their contingency processes play out and workforce responds.

In that regards, here are some articles that caught the FEHBlog’s eye this week:

• ISACA offers a thought provoking article on this topic: “Today, organizations’ No. 1 prerogative is implementing consistent data security measures and ensuring that it does not cause undue complexity in IT operations and business application changes. Complexity hides attacks by insiders and increases the chance of human error: Thales Data Threat reports 2021 states that respondents consider malicious insiders as the top threat at 35 percent, with human error at 31 percent. This blog post explores the approach and technology that is useful to reduce complexity in data security measures across the organization.”
• SupplyChainBrain discusses “Why Virtual Private Networks Aren’t Enough to Ensure Cybersecurity.” In short, “We still find VPNs being heavily used, but zero-trust is starting to pick up steam. Some of the major firewall vendors and VPN vendors are beginning to introduce zero-trust-based access. Fewer and fewer folks are doing traditional credential-based access on VPN, but the Colonial Pipeline ransomware attack showed us that large infrastructure providers are still using a username and credentials instead of moving to multi-factor. Those that are doing multi-factor are definitely moving toward adding device trust on top of that to create additional security. The multi-factor authentication market is quite strong, but there’s room for improvement, even in traditional VPN architecture.”
• TechTalk looks at steps toward achieving data security in the cloud.

In closing, here’s a link to Bleeping Computer’s The Week in Ransomware. In short, “This week we saw an existing operation rise in attacks while existing ransomware operations turn to Windows vulnerabilities to elevate their privileges.” In this regard, Cyberscoop reports on

The so-called PrintNightmare vulnerability in Microsoft software is turning into a dream for ransomware gangs.

For the second time this week, security researchers have warned that extortionists exploited the critical flaw in an attempt to lock files and shake down victims. It shows how, more than a month after Microsoft disclosed the bug and urged users to update their software, a new round of exploitation is under way against vulnerable organizations.

A ransomware group dubbed Vice Society recently seized on the PrintNightmare bug to move through an unnamed victim’s network and attempt to steal sensitive data, Talos, Cisco’s threat intelligence unit, said Thursday. A day earlier, cybersecurity firm CrowdStrike said that hackers using another type of ransomware had tried to use PrintNightmare to infect victims in South Korea. Neither Talos nor CrowdStrike named the targeted organizations.

ZDNet adds that just this week

Microsoft released an update that changes the default behavior in the operating system and prevents some end users from installing print drivers. 

The key change in this month’s Patch Tuesday update for the bug CVE-2021-34481, aka PrintNightmare, is that users will need admin rights to install print drivers. 

Vulnerability scan anyone?

Security Week informs us that the infrastructure spending bill currently under U.S. Senate consideration includes

approximately $2 billion to “modernize and secure federal, state, and local IT and networks; protect critical infrastructure and utilities; and support public or private entities as they respond to and recover from significant cyberattacks and breaches.”

The bill, which contains more than 300 occurrences of the words “cyber” and “cybersecurity,” includes the Cyber Response and Recovery Fund, which provides $20 million per year until 2028 for assisting government and private sector organizations respond to cyber incidents.

A total of $550 million has been allocated to enhancing the security of the power grid. Some of the money is for developing solutions to identify and mitigate vulnerabilities, improve the security of field devices and control systems, as well as addressing issues related to workforce and supply chains.

The Washington Post adds that the “Senate Democrats and Republicans cleared another key procedural hurdle Saturday [August 7] on a roughly $1 trillion bill to improve the country’s infrastructure, though disagreements continue to plague lawmakers and prevent the measure’s swift passage.”

Nextgov informs us that

The Cybersecurity and Infrastructure Security Agency will work with agency stakeholders and new private-sector partners to minimize the risk of cyber incidents and better coordinate defensive actions if successful attacks occur under a new effort announced Thursday [August 5].

The Joint Cyber Defense Collaborative, or JCDC, will aim to take a proactive approach to cyber defense in the wake of several high-profile breaches that affected the federal government and public, according to CISA Director Jen Easterly. * * *

Initial industry partners include Amazon Web Services, AT&T, CrowdStrike, FireEye Mandiant, Google Cloud, Lumen, Microsoft, Palo Alto Networks and Verizon. * * *

Current government partners in the effort thus far include the Department of Defense, U.S. Cyber Command, the National Security Agency, the Department of Justice, the Federal Bureau of Investigation and the Office of the Director of National Intelligence. 

Here is a link to the JCDC’s website. The NextGov article indicates that the JCDC’s initial focus will be on ransomware.

According to Bleeping Computer’s The Week in Ransomware

If there is one thing we learned this week, it’s that not only are corporations vulnerable to insider threats but so are ransomware operations.

The LockBit 2.0 ransomware is now trying to recruit corporate insiders to help them breach networks. In return, the insider is promised millions of dollars.

On the flip side, ransomware operations are vulnerable too. Yesterday, after being banned from the Conti ransomware operation, a Conti affiliate leaked the training material for the ransomware operation on the XSS hacking forum, giving security researchers and defenders an inside look at the tools being used by the group.

ZDNet advocates “Constant review of third-party security critical as ransomware threat climbs.”

Cyberscoop reports

The Biden administration backed away from the idea of banning ransomware payments after meetings with the private sector and cybersecurity experts, a top cybersecurity official said Wednesday [August 4].

“Initially, I thought that was a good approach,” Anne Neuberger, deputy national security adviser for cyber and emerging technology, said at an Aspen Security Forum event. “We know that ransom payments are driving this ecosystem.”

Experts, including former government officials serving on a non-profit ransomware task force, helped shift that view, following high-profile hacks against Colonial Pipeline, the food production company JBS and Kaseya, a Florida-based IT firm. Payments from the Colonial Pipeline and JBS attacks totaled more than $15 million, a number that likely represents a fraction of the funds sent to extortionists.

“We heard loud and clear from many that the state of resilience is inadequate, and as such, if we banned ransom payments we would essentially drive even more of that activity underground and lose insight into it that will enable us to disrupt it,” she said.

The FEHBlog has registered for a free Public Contract Institute webinar on Data Abduction: Combatting and Limiting Ransomware Risks. Here is a link to the registration page.

Finally this past week the National Institute of Standards and Technology released for public comments draft revisions to existing relevant Standard Publications:

• SP 800-53A Assessing Security and Privacy Controls in Information Systems and Organizations

• SP 800-160 Developing Cyber-Resilient Systems: A Systems Security Engineering Approach

The public comment deadline is October 1, 2021, for SP 800-53 and September 20, 2021 for SP 800-160.