From Capitol Hill, the Hill informs us that
The Senate is eyeing the annual defense bill as a vehicle to attach critical provisions to improve the nation’s cybersecurity following a devastating year in which major attacks left the government flat-footed.
The [bipartisan] amendment [to the National Defense Authorization Act] would give critical infrastructure groups, nonprofit organizations, state and local governments, and certain businesses 24 hours to report ransomware attack payments. It also includes language to update the Federal Information Security Modernization Act (FISMA) to clarify the roles of key agencies in responding to cyber incidents, another key bipartisan priority.
“It’s got broad bipartisan support, and we are hoping to get it in this package,” Peters told The Hill Wednesday. “Of course, we’ve got negotiations and then the House, and we’ve been working with our House counterparts too.”
The House already approved its version of the 2022 NDAA in September, including a raft of measures in the defense package intended to strengthen the nation’s cybersecurity.
Cyberscoop provides more breach notice news
Banks must report major cybersecurity incidents to federal officials within 36 hours under a rule that U.S. financial regulators finalized on Thursday.
Beginning in May 2022, financial executives will need to be more forthcoming about computer system failures and interruptions, such as ransomware or denial-of-service attacks that have the potential to disrupt customers’ ability to access their accounts, or impact the larger financial system. * * *
The final approval comes as Congress weighs broader reporting rules for critical infrastructure owners and operators, and as the Transportation Security Administration has begun imposing reporting requirements on leading pipeline, rail and air transport companies.
The 36-hour timeline for banks falls between the leading proposals on Capitol Hill at around 72 hours, and the TSA rules at 12 hours.
OPM allows FEHB carriers a 24 hour period to notify the agency about a breach or security incident.
On the advanced persistent threat front, Health IT Security reports that
US cyber officials along with allies from Australia and the UK issued an advisory warning the healthcare and transportation sectors about an Iranian government-sponsored advanced persistent threat (APT) group that has been exploiting Microsoft Exchange ProxyShell and Fortinet vulnerabilities. * * *
The FBI, CISA, ACSC, and NCSC recommend that organizations using Microsoft Exchange or Fortinet stay cautious and look for the following signs of suspicious activity:
— Search for IOCs. Collect known-bad IOCs and search for them in network and host artifacts.
— Investigate exposed Microsoft Exchange servers (both patched and unpatched) for compromise.
— Investigate changes to Remote Desktop Protocol (RDP), firewall, and Windows Remote Management (WinRM) configurations that may allow attackers to maintain persistent access.
— Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
— Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating-system defined or recognized scheduled tasks for unrecognized “actions” (for example, review the steps each scheduled task is expected to perform).
Review antivirus logs for indications they were unexpectedly turned off.
Look for WinRAR and FileZilla in unexpected locations.
To mitigate risk, the FBI, CISA, NCSC, and ACSC urged organizations to patch and update operating systems, evaluate and update blocklists and allowlists, and implement backup and restoration policies. In addition, organizations should implement network segmentation, work to secure all user accounts, implement multi-factor authentication, secure remote access, and use strong passwords.
For more information, see CISA’s assessment and overview of the ongoing Iranian cyber threat.
Also on the prevention front CISA announced that
The White House, via Executive Order (EO) 14028: Improving the Nation’s Cybersecurity, tasked CISA, as the operational lead for federal cybersecurity, to “develop a standard set of operational procedures (i.e., playbook) to be used in planning and conducting cybersecurity vulnerability and incident response activity” for federal civilian agency information systems. In response, today, CISA published the Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. The playbooks provide federal civilian executive branch (FCEB) agencies with operational procedures for planning and conducting cybersecurity incident and vulnerability response activities. The playbooks provide illustrated decision trees and detail each step for both incident and vulnerability response.
FCEB agencies should use the playbooks to shape their overall defensive cyber operations. The playbooks apply to information systems used or operated by an FCEB agency, a contractor of the agency, or another organization on behalf of the agency. CISA encourages agencies to review the playbooks and CISA’s webpage on EO 14028 for more information.
Although CISA created the playbooks for FCEB agencies, we encourage critical infrastructure entities; state, local, territorial, and tribal government organizations; and private sector organizations to review them to benchmark their own vulnerability and incident response practices.
CISA also updated its known exploited vulnerabilities catalog.
And of course, here is a link that the Bleeping Computer’s The Week in Ransomware.
While last week was full of arrests and law enforcement actions, this week has been much quieter, with mostly new research released.
Security firms released reports on the types of cryptomixers used by ransomware gangs, a detailed report on Conti, and how Russian ransomware gangs are starting to work with Chinese hackers.
ZDnet adds that “Ransomware is now a giant black hole that is sucking in all other forms of cybercrime
File-encrypting malware is where the money is — and that’s changing the whole online crime ecosystem.”