Cyberscoop reports that

The Justice Department is undertaking a four-month review of its approach to combatting a range of malicious cyber activity from foreign governments and criminals amid a spate of ransomware attacks and supply chain compromises.

“We need to rethink … and really assess are we using the most effective strategies” against such hacking, Deputy Attorney General Lisa Monaco said Friday at the Munich Cyber Security Conference.

In this regard —

• Health IT Security discusses “Healthcare’s Biggest Cybersecurity Blind Spots and Misconceptions — While awareness of the threats facing the healthcare sector has improved, providers have inherent blindspots and misconceptions leaving them exposed to a host of cybersecurity risks.”
• Health Leaders Media explains why “Medical Device cyber-vulnerability casts a cloud over growing use.”
• ISACA asks whether there are ever can be normalcy in cyberspace? “The cycle of conducting hearings after hacks occur, followed by writing laws and spending money, is exhausting. In short, doing the same things yet expecting different results is senseless. Lawmakers must accept the fact, known universally by security practitioners, that all digital devices are vulnerable—they always have been and always will be. Cybersecurity is a technical risk and, for the foreseeable future, the goal must be to make cyberattacks costly for malicious actors.”

Here’s the latest on the SolarWinds hack from the American Hospital Association. (The ISACA article’s author adds “But to categorize SolarWinds as merely a hack is a disservice, as it is now understood to be a major cybercampaign involving an estimated 1,000 nation-state actors.”).

From the ransomware front —

• The New York Times warns “Don’t Ignore Ransomware. It’s Bad.”
• The International Foundation of Employee Benefit Plans sets forth “Five Ransomware Risk Mitigation Strategies” for benefit plan administrators. The FEHBlog adds encrypting data in motion and at rest to that list.

The National Institutes of Standards and Technology is seeking public comments on two cybersecurity documents:

• “NIST is planning to update NIST Special Publication (SP) 800-66, Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (“Resource Guide”). NIST’s cybersecurity resources have evolved since SP 800-66, Revision 1, was published in 2008, and stakeholders will benefit from guidance that includes references to these updated resources. The public is invited to provide input by June 15, 2021 for consideration in the update.” 
• NIST’s National Cybersecurity Center of Excellence (NCCoE) has posted for [public] comment a Preliminary Draft of SP 1800-32 (Volumes A and B) on Securing the Industrial Internet of Things: Cybersecurity for Distributed Energy Resources.” The public comment deadline is May 24, 2021.

It turns out that this has been that National Supply Chain Integrity month’s theme for this week has been understanding supply chain threats. “Recent software compromises and other security incidents have revealed how new and inherent vulnerabilities in global supply chains can have cascading impacts that affect all users of ICT within and across organizations, sectors, and the National Critical Functions. To help organizations understand these threats and how to mitigate them, CISA’s ICT Supply Chain Risk Management (SCRM) Task Force developed the Threat Scenarios Report that provides acquisition and procurement personnel and others with practical, example-based guidance on supplier SCRM threat analysis and evaluation.”

Cyberscoops reports that

At least two-dozen U.S. federal agencies run the Pulse Connect Secure enterprise software that two advanced hacking groups have recently exploited, according to the Department of Homeland Security’s cybersecurity agency.

Multiple agencies have been breached, but just how many is unclear. “We’re aware of 24 agencies running Pulse Connect Secure devices, but it’s too early to determine conclusively how many have actually had the vulnerability exploited,” Scott McConnell, a spokesman for DHS’s Cybersecurity and Infrastructure Security Agency, told CyberScoop on Wednesday.

FireEye, the cybersecurity firm that announced the hacking campaign on Tuesday, said at least one of the two groups had links to China. The suspected Chinese hackers also targeted the trade-secret-rich defense contractors who do business with the Pentagon.

A security fix for the previously unknown software vulnerability exploited by the hackers won’t be available until next month, according to Ivanti, the Utah-based firm that owns Pulse Connect Secure.

FireEye also discovered the SolarWinds hack. Here is a link to the CISA emergency directive on this latest hack.

The Wall Street Journal informs us that

The Justice Department has formed a task force to curtail the proliferation of ransomware cyberattacks, in a bid to make the popular extortion schemes less lucrative by targeting the entire digital ecosystem that supports them. In an internal memorandum issued this week, Acting Deputy Attorney General John Carlin said ransomware poses not just an economic threat to businesses but “jeopardizes the safety and health of Americans.” * * *

The memo calls for developing a strategy that targets the entire criminal ecosystem around ransomware, including prosecutions, disruptions of ongoing attacks and curbs on services that support the attacks, such as online forums that advertise the sale of ransomware or hosting services that facilitate ransomware campaigns.

The task force will consist of the Justice Department’s criminal, national security and civil divisions, the Federal Bureau of Investigation and the Executive Office of U.S. Attorneys, which supports the 93 top federal prosecutors across the country. It will also work to boost collaboration with the private sector, international partners and other federal agencies such as the Treasury and Homeland Security departments.

CSOonline reports that

Faced with increasing payouts and a likely storm of litigation around the recent SolarWinds and Microsoft Exchange server compromises, cyber insurers are facing an “existential battle” for their future, a leading cybersecurity researcher and privacy consultant has warned. Likewise, businesses are grappling with whether to get cyber insurance, over doubts about payouts if attacked from the conflicted cyber insurance industry.

Nevertheless, purchasing cyber liability insurance remains a no-brainer decision in the FEHBlog’s opinion.

Before it’s too late, here is the Cybersecurity and Infrastructure Agency’s Week 2 website for National Supply Chain Integrity month. Week 2 focuses on Assessing ICT Trustworthiness. The website offers new resources. Check it out.

The Labor Department’s Employee Benefits Security Administration which regulates employer sponsored benefit plans governed by ERISA has created a lengthy, yet helpful, list of cybersecurity best practices for ERISA plans which no doubt could be used by FEHB plans too.

Bleeping Computer informs us today that “Microsoft has fixed a bug that could allow a threat actor to create specially crafted downloads that crash Windows 10 simply by opening the folder where they are downloaded. “BleepingComputer strongly recommends that all Windows users install the latest Patch Tuesday security updates. Not only for this vulnerability but the 107 other vulnerabilities fixed this month.”

The AP discusses Microsoft’s cybersecurity woes.

Many security experts believe Microsoft’s single sign-on model, emphasizing user convenience over security, is ripe for retooling to reflect a world where state-backed hackers now routinely run roughshod over U.S. networks.

Alex Weinert, Microsoft’s director of identity security, said it offers various ways for customers to strictly limit users’ access to what they need to do their jobs. But getting customers to go along can be difficult because it often means abandoning three decades of IT habit and disrupting business. Customers tend to configure too many accounts with the broad global administrative privileges that allowed the SolarWinds campaign abuses, he said. “It’s not the only way they can do it, that’s for sure.”

In 2014-2015, lax restrictions on access helped Chinese spies steal sensitive personal data on more than 21 million current, former and prospective federal employees from the Office of Personnel Management.

Curtis Dukes was the National Security Agency’s head of information assurance at the time.

The OPM shared data across multiple agencies using Microsoft’s authentication architecture, granting access to more users than it safely should have, said Dukes, now the managing director for the nonprofit Center for Internet Security.

“People took their eye off the ball.”

Interesting.

Last Wednesday, the Senate Intelligence Committee held an open hearing on worldwide threats and of course the SolarWinds hack was a topic. Here is Cyberscoop’s take on that hearing. The following day per the Wall Street Journal, “President Biden announced retaliatory measures against Russia over election interference, the SolarWinds cyberattack and other malign activity, saying he isn’t seeking to kick off “a cycle of escalation” but would take more drastic action if necessary.” The Journal adds that

The U.S. has punished Russia for election interference in the past, notably after its multipronged operations during the 2016 election. But previous administrations typically refrained from retaliating for cyber intrusions they classified as political espionage—no matter how broad or successful—in part because the U.S. and its allies regularly engage in similar conduct, current and former officials said.

Subsequently, again per the Journal, “Russia said it would expel 10 U.S. diplomats and bar a number of senior U.S. officials from entering the country in response to measures against Moscow.”

Cyberscoop reports

The White House on Friday [April 9, 2021] asked Congress for $110 million in additional funding in [fiscal year] 2022 to help the Department of Homeland Security shore up federal and state defenses in the wake of high-profile hacking operations. The money would allow DHS’s Cybersecurity and Infrastructure Security Agency to improve its defensive tools, hire more experts and “obtain support services to protect and defend federal information technology systems,” Shalanda Young, the acting director of the Office of Management and Budget, wrote in an April 9 letter to congressional appropriators. It would add to a recent $650 million funding boost for CISA that was part of the coronavirus relief package cleared by Congress.

A Security Week columnist ponders what cybersecurity policy changes to expect from the Biden Administration.

As the U.S. transitions to a new presidential administration, which can be expected to differ largely from the last, it is hard not to speculate how President Biden’s Administration will reduce the risk of a major cyberattack against the U.S. or her interests. The recent SolarWinds attack, widely attributed to Russian actors, further amplifies the need for improved security and deterrence. Despite my best efforts to come up with a brilliant “thought leadership” piece on what I think the Biden Administration should do, the best answer has already been written and published in March of 2020 as the 2020 Cyberspace Solarium Commission Report.

Co-chaired by Senator Angus King (I-ME) and Representative Mike Gallagher (R – WI), the bipartisan Cyberspace Solarium Commission proactively scrutinized U.S. cybersecurity in much the same way the 2004 9/11 Commission Report reactively assessed failings within the U.S. Intelligence Community (IC) and offered recommendations for sweeping changes. The Cyberspace Solarium Commission, just as the 9/11 Commission before it, made bold recommendations for significant changes that I believe President Biden will likely use as the blueprint for restructuring how America operates in cyberspace.

The columnist focuses on the Solarium Commission’s recommendations to update the national cybersecurity policy, seat a national cybersecurity director, and improve the pipeline of cybersecurity talent.

Per the FBI, its “Internet Crime Complaint Center (IC3) has released its annual report [for 2020], which includes information from 791,790 complaints of suspected Internet crime—an increase of more than 300,000 complaints from 2019—and reported losses exceeding $4.2 billion. Notably, 2020 saw the emergence of scams exploiting the COVID-19 pandemic. The IC3 received over 28,500 complaints related to COVID-19, with fraudsters targeting both businesses and individuals.”

The Wall Street Journal reported last Wednesday that

Data from a 2019 hack of Facebook Inc. was made public in recent days, revealing the phone numbers and personal information of more than a half-billion people. While the data came from a vulnerability of Facebook platforms that the company says it has since fixed, security experts say that scammers could use the information for nefarious purposes like spam email and robocalling.

The hackers began selling the data online to bidders soon after it was accessed. Alon Gol, chief technology officer of the Israeli cybersecurity firm Hudson Rock, said it was initially sold for tens of thousands of dollars, and the price kept dropping until it was recently made available for free on sites like raidforums.com. Hackers often release data for free once it has been circulated long enough, said Zack Allen, senior director of threat intelligence at ZeroFOX, a Baltimore-based cybersecurity company.

[S]ome cybersecurity experts have created sites that allow people to see if their information was contained in data leaks. One such site is haveibeenpwned.com, where you can enter your phone number or email address and see the result. The website, which allows people to check if their information was swept up in different data breaches, was created by Australian web-security consultant Troy Hunt.

The FEHBlog checked his gmail address on this site and he discovered that his email address “pwned” in 14 different breaches since 2012. The FEHBlog has gone the double authentication route with that address. By the way pwn means “especially in video gaming) utterly defeat (an opponent or rival); completely get the better of. “I can’t wait to pwn some noobs in this game.”

April is National Supply Chain Integrity Month!

In partnership with the Office of the Director of National Intelligence (ODNI), the Department of Defense, and other government and industry partners, CISA is promoting a call to action for a unified effort by organizations across the country to strengthen global supply chains.

This week’s focus is on Building Collective Supply Chain Resilience.

Monday April 5 is the effective date for the Health and Human Services Department’s Office of National Coordinator for Health IT (“ONC”) information blocking rule which implements part of the 2016 Cures Act. According to Fierce Healthcare,

While health IT experts have been calling for interoperability for years, they say this particular rule could finally be a major step in achieving a meaningful level of data sharing far beyond what’s been seen before in the healthcare sector.

If effectively enforced, the mandate that prohibits information blocking has the potential to revolutionize how patients interact with the healthcare system, said Deven McGraw, a health privacy expert and co-founder and chief regulatory officer at Ciitizen, a consumer health technology company.

“[The information blocking rule] has enormous potential to open up data sources that have previously been closed to patients but hold rich data about patients and that would be potentially game changing for them to tap into and access,” she told Fierce Healthcare.

EHR Intelligence reports on the ONC’s annual meeting held last Monday.

[National Coordinator Mickey] Tripathi identified the importance of “taking health IT to the next level” by making EHR adoption ubiquitous, delivering on the potential of FHIR-based capabilities, and making interoperability a priority by building on past accomplishments.

“One of the things that we should recognize is that there’s been tremendous progress made in interoperability,” he said. “I don’t think the industry gets enough credit for the amount of progress that’s been made in interoperability.”

The ONC leader said credit is lacking because interoperability permitted purposes remain focused on treatment purposes only, rather than the rest of the healthcare sector.

“We haven’t quite figured out how to integrate all the various layers of interoperability into a seamless experience,” he added.

But, Tripathi said ONC is still trying to decipher how local, state, and regional health information exchange (HIE) networks fit within nationwide networks, such as eHealth Exchange and CommonWell Health Alliance.

In significant news for government contractors, Cyberscoop reports that

Under a forthcoming White House order, companies that do business with the federal government would have to meet software security standards and swiftly report cyber incidents to a new entity within the Department of Homeland Security, sources familiar with a draft version of the document said.

The order’s other upgrades to federal agency security include use of multi-factor authentication and improvements to FedRAMP, the federal process for authorizing and continuously monitoring the security of cloud services.

Federal agencies would need to use data encryption and develop plans for shifting to a “zero trust” model, which assumes that organizations should not automatically assume they can trust anyone or anything inside the network. They would need to keep logs for cyber incidents.

Some of the steps might not come to fruition for some time because they will require additional federal rulemaking, an oft-slow process that includes several phases of public comment.

On the hacking front, Bleeping Computer reports

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) warn of advanced persistent threat (APT) actors targeting Fortinet FortiOS servers using multiple exploits.

In the Joint Cybersecurity Advisory (CSA) published today [April 2], the agencies warn admins and users that the state-sponsored hacking groups are “likely” exploiting Fortinet FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.

The attackers are enumerating servers unpatched against CVE-2020-12812 and CVE-2019-5591, and scanning for CVE-2018-13379 vulnerable devices on ports 4443, 8443, and 10443.

Following up on last week’s Cybersecurity Saturday post, Business Insurance reports that

The cyberattack that crippled CNA Financial Corp.’s computer systems nearly two weeks ago has been contained and the insurer has reestablished the functionality of its email, according to an update posted to the CNA website Thursday.

Cyberscoop informs us

The company did say, however, that it now believes it has the attack contained and has ascertained that the hackers and their ransomware lacked the ability to automatically move around in internal and external systems. Bleeping Computer reported that the Phoenix CryptoLocker ransomware was involved, possibly with links to a cybercriminal collective dubbed Evil Corp.

CNA said it was still communicating with regulators, law enforcement and outside forensics experts. CyberScoop has learned that CNA has enlisted help from CrowdStrike.

On Thursday, the Senate Armed Services Committee held a hearing featuring Gen. Paul Nakasone, the director of the National Security Agency, who also serves as the head of U.S. Cyber Command. A topic of discussion was the SolarWinds and Microsoft Exchanges hack.

The Wall Street Journal reports that these hacks have a “scope, a scale, a level of sophistication that we hadn’t seen previously. * * * “This isn’t simply email phishing attempts—this is the use of supply chains, or this is the use of vulnerabilities we hadn’t seen before.” During a discussion of why the private sector discovered the hacks before the government, it was pointed out that

The NSA, for instance, is only authorized to operate outside U.S. borders, whereas the Federal Bureau of Investigation and other agencies are responsible for cybersecurity law enforcement domestically. Foreign attackers are aware of this and use U.S.-based servers to launch attacks from inside the country, effectively bypassing the NSA, Gen. Nakasone said. “It’s not the fact that we can’t connect the dots. We can’t see all of the dots,” he said.

Gen. Nakasone stopped short of calling for the NSA to be given the authority to surveil domestic networks when questioned directly by Sen. Mike Rounds (R., S.D.). He said that there are a number of ways to tackle the issues revealed by such sweeping and complex attacks, including enhanced cooperation with the private sector. The issue of surveillance, he said, carries both policy and legal concerns and was closely linked to the Fourth Amendment, which protects against unreasonable searches and seizures.

Cyberscoop adds

Part of being able to understand and better track adversarial hacking moving forward, even when it takes advantage of U.S. internet infrastructure, could rely on broader government and private sector information sharing.

“How do we take the best tools not only from the government but also from the private sector to look at what’s occurring and being able to shine that spotlight?” Gen. Nakasone said. “I think a lot of times we look and just say we’ll simply go ahead and downgrade that intelligence rapidly. Sometimes the better answer is, okay where are the other streams of information, how can we use that?”

Gen. Nakasone suggested that incentives for private sector could be introduced, adding that legislation could push private sector internet infrastructure companies to better understand who their customers are, as well.

In a recognition of the importance that information sharing between the public and private sector will play a role in responding to the flurry of Microsoft hacking, the Biden administration has convened an emergency cybersecurity incident response group at the National Security Council and invited private sector participation for the first time ever.

In this regard, Health IT Security reports that recently

The Department of Health and Human Services Cybersecurity and Infrastructure Security Agency unveiled the CISA Hunt and Incident Response Program (CHIRP) tool, which is designed to support entities detect threat activity within on-prem environments. * * *

CISA previously launched an IOC tool to help detect compromises within the cloud. The latest provided tool is specifically meant for on-prem networks.

By default, CHIRP scans for signs of compromise within an on-prem environment, particularly IOCs associated with the malicious activity around SolarWinds threat activities “that have spilled into an on-premises enterprise environment.”

“CHIRP is a command-line executable with a dynamic plugin and indicator system to search for signs of compromise,” CISA explained. “CHIRP has plugins to search through event logs and registry keys and run YARA rules to scan for signs of APT tactics, techniques, and procedures.” 

“CHIRP also has a YAML file that contains a list of IOCs that CISA associates with the malware and APT activity,” they added.

Enterprises can leverage the tool without cost directly from DHS CISA. Officials said they intend to continuously monitor for new threats and will release IOC packages and plugins for new threats, as available.

Fortune Magazine reports that

A tool designed to help businesses protect themselves from further compromises after a global hack of Microsoft email server software has been downloaded more than 25,000 times since it was released last week, the White House’s National Security Council said Monday.

As a result, the number of vulnerable systems has fallen by 45%, according to an NSC spokesperson. 

The one-click Microsoft tool was created to protect against cyberattacks and to scan systems for compromises and fix them. It was developed after a massive hack affecting an estimated tens of thousands of users of servers running Microsoft’s Exchange email program.

From the ransomware front, Business Insurance reports that

CNA Financial Corp.’s computer systems remained down on Friday as the insurer grappled with a cyberattack by a hacker group known as Phoenix. Nearly a week after the insurer discovered it had been attacked, its website remained inaccessible and just contained alternative contact information.

Bleeping Computer offers its analysis of the cyberattack.

BleepingComputer has confirmed that CNA suffered an attack by a new ransomware known as ‘Phoenix CryptoLocker.’

Sources familiar with the attack have told BleepingComputer that the threat actors deployed the ransomware on CNA’s network on March 21, where it proceeded to encrypt over 15,000 devices on their network.

BleepingComputer has learned that it also encrypted the computers of employees working remotely who were logged into the company’s VPN at the time of the attack.

BleepingComputer was further told that CNA would be restoring from backups but has not confirmed that with the company.

Bleeping Computer also discusses possible Phoenix links to Evil Corp. which is a ransomware mastermind that the federal government has sanctioned.

Here is a link to the FBI’s computer hygiene guidance that helps prevent ransomware attacks. As the FEHBlog expects that CNA Financial was following these steps and more, it will be interesting to find out how this happened.

FCW reports that

Rep. Michael McCaul (R-Texas) announced that he and Rep. Jim Langevin (D-R.I.), both members of the House Homeland Security Committee are working on a bill that would establish the Cybersecurity and Information Security Agency as a kind of 911 for breach notification. McCaul said his legislation is designed to protect companies from repercussions in the market by removing sources and methods and company names out of reporting. “It would just simply send a threat information itself to CISA so that they could deal both industrywide and federal government wide and state, the threat information they would need to address it on a larger scale,” McCaul said at a joint hearing of the House Committee on Oversight and Reform and the House Homeland Security Committee on Feb. 26.

Speaking of CISA, last Wednesday March 3, CISA issued an emergency directive 21-02 “requiring federal civilian departments and agencies running Microsoft Exchange on-premises products to update or disconnect the products from their networks until updated with the Microsoft patch.” According to the Wall Street Journal this action stems from

A cyberattack on Microsoft Corp.’s MSFT 2.15% Exchange email software is believed to have infected tens of thousands of businesses, government offices and schools in the U.S., according to people briefed on the matter.

Many of those victims of the attack, which Microsoft has said was carried out by a network of suspected Chinese hackers, appear to be small businesses and state and local governments. Estimates of total world-wide victims were approximate and ranged broadly as of Friday. Tens of thousands of customers appear to have been affected, but that number could be larger, the people said. It could be higher than 250,000, one person said.

While many of those affected likely hold little intelligence value due to the targets of the attack, it is likely to have netted high-value espionage targets as well, one of the people said.

Cyberscoops informs us that

The White House is moving forward with an executive order to encourage software developers to build more security into their products as the investigation of a suspected Russian supply chain compromise continues, a top security official said Friday [March 5]. The upcoming directive “will focus on building in standards for software, particularly software that’s used in critical areas,” Anne Neuberger, the deputy national security adviser for cyber and emerging technology, said at the SANS Institute’s ICS Security Summit. “The level of trust we have in our systems has to be directly proportional to the visibility we have. And the level of visibility has to match the consequences of the failure of those systems.”

Cyberscoop further discloses that

Microsoft and FireEye on Thursday [March 4] revealed three more malware strains associated with the suspected Russian perpetrators who breached SolarWinds’ Orion software and used its update to infect federal agencies and major companies. FireEye named one strain Sunshuttle in a blog post. In a separate blog post, Microsoft dubbed two more strains GoldFinder and Sibot, and labeled the strain FireEye called Sunshuttle as GoldMax Microsoft said the strains join the previously known SolarWinds hacker tools Sunburst and Teardrop.

Fortune discusses the nascent use of contact tracing in cybersecurity processes.

A concept called Sightings has been gaining traction in the security community, largely at the academic level, for the past few years. The idea is for organizations to be able to share details of how they were attacked and what was targeted—the who, what, and when—as quickly as possible with other organizations. 

This concept could help organizations identify breaches sooner and remediate faster and more effectively. Through sharing, attack techniques could be more thoroughly understood, and with the right reporting mechanism, the resulting threat intelligence could be shared to help more organizations avoid a breach in the first place. MITRE, a leading not-for-profit research organization, is working on incorporating Sightings concepts into a security reporting process that would let breach victims share appropriate data in a secure, anonymized way to benefit the wider community.

Beyond this threat intelligence application, organizations could use this sort of contact tracing approach for their own internal investigations. Data contact tracing can dramatically reduce the time it takes to discover how far into their networks an attacker has penetrated, and identify where related systems in their supply chains, customers, and partner networks have also been compromised.

Finally, Health IT Security reports that

Cyberattacks on healthcare more than doubled in 2020, with ransomware accounting for 28 percent of all attacks. COVID-19 response efforts, including personal protective equipment and the vaccine supply chain were the largest focus of these targeted campaigns, according to the latest IBM X-Force report.

Nearly one out of four of overall cyberattacks last year were ransomware, while the increase in data extortion efforts enabled just one of these ransomware hacking groups to make over $123 million in profits in 2020.

The annual report is generated through insights and observations from monitoring more than 150 billion security events per day in more than 130 countries. Researchers also gathered and analyzed data from multiple sources within IBM, including data from Quad9 and Intezer.