Bleeping Computer’s This Week in Ransomware leads with the following:

This week has quite a bit of news ranging from the USA formally accusing China of the recent ProxyLogon vulnerability and Kaseya mysteriously obtaining the universal decryption key.

The US government this week officially attributed the ProxyLogon Microsoft Exchange attacks to China. Threat actors used this vulnerability to install a variety of malware, including the BlackKingdom ransomware.

In a surprise announcement, Kaseya has stated that they received the universal decryption key for their July 2nd REvil ransomware attack. This key will allow all victims of the attack to recover their files for free.

Cyberscoop has a more detailed story on the Kaseya hack resolution.

In other ransomware news / protective advice

• The RSA Conference offers advanced common sense advice on how to handle a ransomware attack. “In the recent ISACA Ransomware Pulse Poll, 21% of respondents reported that they have already experienced a ransomware attack, and 46% consider ransomware to be the cyberthreat most likely to impact their organization within the next 12 months.”
• ISACA advises that the importance of conducting periodic information security audits of cloud services vendors from the perspectives of the vendor and the customer.
• Threatpost explains the importance of creating a long term remote security strategy as business begin to formalize permanent hybrid working arrangements. In the author’s opinion.

HHS’s Office for Civil Rights, which enforces the HIPAA Privacy and Security Rules has request public input as follows:

We want to hear from you! OCR and our partners at the HHS Office of the National Coordinator for Health Information Technology (ONC) are seeking user feedback and improvement suggestions on the Security Risk Assessment (SRA) Tool.  The SRA Tool is designed to help small and medium-sized healthcare providers conduct a security risk assessment, as required by the HIPAA Security Rule and the Centers for Medicare and Medicaid Services (CMS) Promoting Interoperability Program. If you have suggestions on how to improve the Tool, we ask you to complete our short survey by July 31, 2021:https://stats.altarum.org/limesurvey/index.php/547532?lang=en.

Finally the Washington Examiner reports that

The House Energy and Commerce committee passed eight bipartisan bills this week to better equip the government and businesses with tools to handle the recent explosion in ransomware attacks.

The bills, which passed with overwhelming bipartisan support, are focused on increasing coordination between the government and relevant industries, implementing cybersecurity best practices, educating everyday technology users, limiting the use of Chinese devices, and strengthening the security programs at the Federal Communications Commission and the National Telecommunications and Information Administration. * * *

One key purpose for the bills is to increase coordination between the federal government and affected businesses and industries.

“These bills will really improve the information sharing and cybersecurity readiness testing of the government by forcing all the right people to get into a room and fix things,” said Shane Tews, a senior fellow who focuses on cybersecurity and technology issues at the American Enterprise Institute, a right-of-center think tank.

“Hopefully, we get to a stage where the government is gaming out cyber problems and vulnerabilities in advance and then sending out software patches to solve them every week, like Microsoft, and other companies do internally on a regular basis,” she added.

Sound idea.

The American Hospital Association informs us that

The White House yesterday announced an interagency task force and other initiatives to protect U.S. organizations from ransomware attacks [on July 15]. The task force has been coordinating federal efforts to improve the nation’s cybersecurity as directed by the president in April. In addition, the departments of Homeland Security and Justice yesterday launched a one-stop website for federal resources to help organizations reduce their ransomware risk; the Treasury Department’s Financial Crimes Enforcement Network will convene public and private sector stakeholders in August to discuss ransomware concerns and information sharing; and the State Department will offer up to $10 million for information leading to the identification or location of anyone engaged in malicious cyber activities against U.S. critical infrastructure.

Here’s a link the Bleeping Computer’s Week in Ransomware.

Ransomware operations have been quieter this week as the White House engages in talks with the Russian government about cracking down on cybercriminals believed to be operating in Russia.

This increased scrutiny by law enforcement and the growing fear that Russia is no longer a safe haven for cybercriminals has led to what is believed to be the shutdown of the notorious REvil ransomware operation. * * *

This shutdown is not believed to be caused by law enforcement, and it is likely we will see this group rebrand as a new operation in the future.

On the Microsoft front, Security Week reports yesterday that

After spending the last two months pushing out multiple Print Spooler fixes (one as an emergency, out-of-band update), Redmond’s security response team late Thursday acknowledged a new, unpatched bug that exposes Windows users to privilege escalation attacks.

Microsoft’s advisory describes an entirely new vulnerability — CVE-2021-34481 — that could be chained with another bug to launch code execution attacks.  

There is no patch available and Microsoft says the only workaround is for Windows users to stop and disable the Print Spooler service.

From the advisory:

An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

An attacker must have the ability to execute code on a victim system to exploit this vulnerability.

Microsoft said the vulnerability has already been publicly disclosed and credited Dragos security researcher Jacob Baines with the discovery.

SC Media informs us

More than 22.8 million patients have been impacted by a health care data breach so far in 2021, a whopping 185% increase from the same time period last year where just 7.9 million individuals were affected according to a new report from Fortified Health Security.

Malicious cyberattacks caused the majority of these security incidents, accounting for 73% of all breaches. Unauthorized access or disclosure accounted for another 22%, and the remaining 5% were caused by smaller thefts, losses, or improper disposals.

Further, the number of breaches reported to the Department of Health and Human Services during the first six months of 2021 increased by 27% year-over-year. Health care providers accounted for the most breaches with 73% of the overall tally, compared to health plans with 16% and business associates that accounted for 11%.

“Healthcare organizations have literally hundreds of electronic entry points into their data networks, everything from EHRs, radiology and lab systems, to admission, discharge and transfer systems, to supply chain ordering and internet-enabled medical devices — and any one of these could be the Achilles’ heel exploited by a bad actor,” the report authors wrote.

In other cybersecurity news

• Per Homeland Security Today, “The Senate [on July 23] confirmed by unanimous consent former NSA deputy for counterterrorism Jen Easterly to lead the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security.” “Easterly was a managing director at Morgan Stanley, serving as global head of the firm’s Fusion Resilience Center, and a senior fellow at New America’s International Security program. After her NSA role from 2011-2013, she served on the National Security Council as special assistant to the president and senior director for counterterrorism. Easterly served more than 20 years in the Army and was responsible for standing up the Army’s first cyber battalion. She was also instrumental in the creation of U.S. Cyber Command, and served as executive assistant to National Security Advisor Condoleezza Rice for a time.” Good luck, Ms. Easterly
• Earlier this week the HHS Office for Civil Rights which enforces the HIPAA Privacy and Security Rules issued its Summer 2021 Cybersecurity Newsletter. The newsletter is headlined “Controlling access to electronic protected health information; for whose eyes only? “Ensuring that workforce members are only authorized to access the ePHI necessary and that technical controls are in place to restrict access to ePHI can help limit potential unauthorized access to ePHI for both threats.”

Bleeping Computer brings us up to date on the Kaseya cyberattack:

The REvil affiliate responsible for this attack chose to forgo standard tactics and procedures. Instead, they used a zero-day vulnerability in on-premise Kaseya’s VSA servers to perform a massive and widespread attack without actually accessing a victim’s network.

This tactic led to the most significant ransomware attack in history, with approximately 1,500 individual businesses encrypted in a single attack.

Yet, while BleepingComputer knows of two companies who paid a ransom to receive a decryptor, overall, this attack is likely not nearly as successful as the REvil gang would have expected.

The reason is simply that backups were not deleted and data was not stolen, thus providing the ransomware gang little leverage over the victims.

There’s a lesson in there for both sides.

Cyberscoop provides background on the REvil gang.

[REvil is] one of the more prominent ransomware-as-a-service groups, experts say, in which other criminals can use a strain of ransomware on a rental or subscription basis, or in exchange for a share of the payments. That business model lowers the barrier for anyone to get into the business of ransomware, because it requires no technical expertise in developing the code itself. It’s a trend that’s contributed to the rise of the ransomware phenomenon.

On the good guys side

• The Wall Street Journal reports that “New York City has become the first major American metropolitan area to open a real-time operational center to protect against cybersecurity threats, regional officials said. Set in a lower Manhattan skyscraper, the center is staffed by a coalition of government agencies and private businesses, with 282 partners overall sharing intelligence on potential cyber threats. Its members range from the New York Police Department to Amazon.com Inc. and International Business Machines Corp. to the Federal Reserve Bank and several New York healthcare systems. Until last week, the two-year effort known as New York City Cyber Critical Services and Infrastructure was completely virtual.”
• Cyberscoop informs us that “Few people, if any, seem to grasp the breadth and cost of the scourge, as there are no legal requirements for victims to disclose when they pay hackers to unlock their network.  That, combined with the suspicious that most victims don’t, report their digital extortion payments, makes it harder for law enforcement and security firms to combat attacks, or even understand how to fight them. That’s the impetus behind a project that Stanford University student and security researcher Jack Cable launched on Thursday, dubbed “Ransomwhere,” a plan to track payments to bitcoin addresses associated with known ransomware gangs. “Having public transparency around the impact of ransomware, especially as we’re proposing and considering different actions to try to combat ransomware — we’ll need a way of seeing whether those actions actually work,” Cable said in an interview with CyberScoop.”

On July 6, according to CISA, “Microsoft has released out-of-band security updates to address a remote code execution (RCE) vulnerability—known as PrintNightmare (CVE-2021-34527)—in the Windows Print spooler service.”

For other news, here is a link to Bleeping Computer’s The Week in Ransomware.  

The Wall Street Journal reports this morning that

The ransomware group that collected an $11 million payment from meat producerJBS SA about a month ago has begun a widespread attack that could affect hundreds of organizations world-wide, according to cybersecurity experts.

The group, known as REvil, has focused its attack on Kaseya VSA, software used by large companies and technology-service providers to manage and distribute software updates to systems on computer networks, according to security researchers and VSA’s maker, Kaseya Ltd.

The use of trusted partners like software makers or service providers to identify and compromise new victims, often called a supply-chain attack, is unusual in cases of ransomware, in which hackers shut down the systems of institutions and demand payment to allow them to regain control. The Kaseya incident appears to be the “largest and most significant” such attack to date, said Brett Callow, a threat analyst for cybersecurity company Emsisoft.

SecurityWeek and Bleeping Computer have all of the details on this troubling cyberattack.

In other cyberattack news, Forbes reports on Microsoft’s PrintNightmare, “the name that has been attached to a zero-day vulnerability impacting the Windows print spooler. A vulnerability that can ultimately, it would appear, lead to an attacker taking remote control of an affected system.” Bleeping Computer informs us about available mitigations here and there.

Cyberscoop adds that

Going on offense against attackers and penetrating the secrecy surrounding attacks are two ways the Biden administration is pondering to tackle ransomware, a top White House official [Anne Neuberger] said on Tuesday June 29.]

Neuberger made her remarks as the Biden administration has undertaken a number of initiatives to crack down on ransomware, following the high-profile attacks on Colonial Pipeline and meat supplier JBS. Among them is conducting a ransomware review that includes a focus on disrupting attackers, building an international coalition, studying the U.S. government’s policies and expanding analysis of cryptocurrency given attackers’ use of it to receive payments. 

The administration is wary of banning ransomware payments entirely, something Neuberger called a “difficult policy position” that could harm companies who feel they have to pay up to decrypt their networks, even if the U.S. government discourages such payments.

In the tools department

• This week, “The US Cybersecurity and Infrastructure Security Agency (CISA) has released the Ransomware Readiness Assessment (RRA), a new module for its Cyber Security Evaluation Tool (CSET).”
• CISA also “is developing a catalog of Bad Practices that are exceptionally risky, especially in organizations supporting Critical Infrastructure or NCFs. The presence of these Bad Practices in organizations that support Critical Infrastructure or NCFs is exceptionally dangerous and increases risk to our critical infrastructure, on which we rely for national security, economic stability, and life, health, and safety of the public. Entries in the catalog will be listed here as they are added. * * * While these practices are dangerous for Critical Infrastructure and NCFs, CISA encourages all organizations to engage in the necessary actions and critical conversations to address Bad Practices.” CISA cautions that the catalog does not necessarily includes all Bad Practices. Nevertheless, it’s worth a periodic gander.

The Wall Street Journal reports that the SolarWinds hackers are back at it.

Microsoft Corp. said [in a blog post] hackers, linked by U.S. authorities to Russia’s Foreign Intelligence Service, installed malicious information-stealing software on one of its systems and used information gleaned there to attack its customers. * * *

Most of the attacks were unsuccessful, but three of Microsoft’s customers were compromised during the campaign, the company said. “We have confirmed that two of the compromises were unrelated to the support agent issue, and are continuing to investigate the third instance,” a Microsoft spokesman said.

Microsoft identified the hackers behind the break-in as Nobelium, the same group associated with the sophisticated hack at Austin, Texas-based software maker SolarWinds Corp. U.S. authorities have said this group is part of Russia’s Foreign Intelligence Service, known as the SVR. Russia has denied involvement in the SolarWinds hack. A Russian embassy representative didn’t immediately return a message seeking comment on Microsoft’s blog post.

“This should concern all of us,” said Sherri Davidoff, chief executive of the security consulting firm LMG Security LLC. “Hackers made it past the defenses of one of the world’s most sophisticated technology suppliers, whose software underlies our entire economy.”

ZDNet explains in an illuminating article about where we stand in ransomware struggle

Regularly updating backups – and storing them offline – also provides another means of lessening the severity of ransomware attacks, because even in the event of the network being encrypted, it’s possible to restore it without paying cyber criminals, which cuts off their main means of income. 

Nonetheless, the rise of double extortion attacks has added an extra layer of complexity to this issue because if the organisation doesn’t pay a ransom, they’re faced with the prospect of potentially sensitive information about employees and customers being leaked. 

“Do you have a plan if if your information starts leaking out?,” says Hultquist. “Those pieces need to be in place now, not when it hits the fan”

While Phoenix NAP Global IT Services describes the 18 best practices to deter ransomware, The Wall Street Journal adds that “companies [now] stress-test systems by emulating successful cyberattacks.” Zurich Insurance via the Financial Times explains “Given that cyber exposures are now seen as inevitable, it only makes sense for businesses to invest in resilience. The fundamentals of resilience are protecting profitability through business continuity and incident response planning. The best way to assess that resilience is to see how quickly and effectively your business can react to any given scenario. That’s what cyber risks stress tests are all about.” The article goes on to break down one of these tests for the reader.

As alway’s here’s a link to the Bleeping Computer’s The Week in Ransomware.

Happy Juneteenth. Cyberscoop reports that

The Senate on Thursday confirmed Chris Inglis as the new White House cyber czar, a role it enacted into law late last year.

The new role will play a key part in coordinating the government response to major hacks and other cybersecurity threats. Inglis takes on the position as the U.S. has dealt with an onslaught of cybersecurity incidents, including ransomware attacks on Colonial Pipeline and meat supplier JBS. The national cyber director will also lead the implementation of cyber policy and strategy, including efforts mandated by the Biden administration to improve federal cybersecurity.

The Wall Street Journal informs us

The private sector in the U.S. must do more to defend against cyberattacks, lawmakers from both major parties stressed Thursday as several senators introduced legislation designed to target hackers. The ransomware incident that brought operations at Colonial Pipeline Co. to a standstill for six days starting May 7, and resulted in fuel shortages across Southeastern states, shows that cybersecurity efforts must improve, said Sen. Sheldon Whitehouse (D., R.I.). “Partly, it’s the national cybersecurity establishment that needs to step up its game. And partly, it’s the corporate community that has been caught with its figurative trousers down,” Mr. Whitehouse said, speaking at a press conference Thursday with Sens. Lindsey Graham (R., S.C.) and Richard Blumenthal (D., Conn.)

* * *

Christopher Roberti, senior vice president for cyber, intelligence and supply chain security policy at the U.S. Chamber of Commerce, which says it is the world’s largest business association, said companies don’t stand a chance against determined nation-state attacks regardless of cybersecurity investments. Partnerships between the government and the private sector are essential, he said. “Businesses must take necessary steps to ensure their cyber defenses are robust and up to date, and the U.S. government must act decisively against cyber criminals to deter future attacks. Each has a role to play and both need to work closely to do more,” Mr. Roberti said.

Federal News Network offers an interesting interview with Chris Golden, director of Information Security at Horizon Blue Cross Blue Shield of New Jersey and a founding member of the Defense Department’s Cybersecurity Maturity Model Certification accreditation program. Of note

Tom Temin [FNN]: And then there’s also hints that the CMMC program could spread to the civilian agencies, and therefore some unknown number of additional or marginal numbers of companies added into the mix. So then you’ve got more scaling issues.

Chris Golden: You’ve already seen Department of Homeland Security and the General Services Administration (GSA) put in what I would call contingency CMMC clauses in their contracts, they basically say, “Hey, we may change this contract to include a CMMC requirement. We’ll let you know after you sign” – it kind of thing. So these other government agencies are leaning in that direction, I think it’s probably going to be pretty obvious that most of them will go there. And eventually, it’ll be a whole of government approach. And then I think you’ll start seeing it go to people that don’t do any contracting with the government, right? Once the regulators start looking at and going, hey, in healthcare let’s say – that’s the area I work in – maybe a regulator says, “Well, maybe I’ll take a SOC 2 type 2 audit this year, but next year, maybe the CMMC thing is what I really need? Maybe that’s a better approach to managing risk?” And so once you see that happen, you’ll see sort of grow and balloon, and then we haven’t even talked internationally as our international partners, who do participate in the supply chain and will have to be CMMC-assessed but how do they fit into this sort of big puzzle as it sort of goes global? So yeah, there’s a potential here for a huge ballooning of this thing.

It would not be a true Cybersecurity Saturday post without a link to Bleeping Computers “This Week in Ransomware” post:

Compared to the last few weeks, it has been a relatively quiet week with no ransomware attacks causing widespread disruption.

It was a good week for law enforcement, with Ukrainian police arresting members of the Clop ransomware gang and the South Korean police arresting computer repairment installing ransomware.

We also saw some interesting research released on LockBit and the Hades ransomware, as well as an updated Avaddon Ransomware decryptor that can decrypt more victims’ files.

Finally, President Biden met with Russian President Putin to discuss the recent cyberattacks. Whether something changes from that meeting is too soon to tell.

Also here’s a link to a nifty article with cybersecurity tips. Tech Republic informs us about a “new IBM global report examining consumer behaviors finds an average of 15 new online accounts were created and 82% are reusing the same credentials some of the time.”

Ramsonware remained on the front pages this week. Bleeping Computer’s This Week in Ransomware tells us that

It has been quite the week when it comes to ransomware, with ransoms being paid, ransoms being taken back, and a ransomware gang shutting down.

This week’s biggest news was the FBI announcing that they were able to recover the majority of the $4.4 million ransom payment paid by Colonial Pipeline. It is not entirely clear how they obtained the private key for the cryptocurrency wallet, but it is believed DarkSide stored it on a seized server.

We also learned that JBS paid $11 million to the REvil ransomware operation to retrieve a decryptor and prevent stolen files from being leaked.

In a bit of good news, the Avaddon ransomware operation shut down and released the decryption keys of close to 3,000 victims to BleepingComputer. Using these, cybersecurity firm Emsisoft was able to release a free decryptor.

Finally, news broke this week that memory maker ADATA and food services supplier Edward Don suffered ransomware attacks.

The Wall Street Journal reports in greater detail on the FBI’s recovery of a portion of the Colonial Pipeline Bitcoin ransom and a “ruthless’ cybersecurity gang knowns as RYUK which targets healthcare providers, after banks tighten up their security.

Cyberscoop discusses the Senate confirmation hearings last week for President Biden’s two top level cybersecurity nominations, Jen Easterly to lead the Department of Homeland Security’s cybersecurity agency, and Chris Inglis to be the national cyber director.

The nominees labeled ransomware a “scourge” that threatens national security, vowed to work with critical infrastructure firms to improve their defenses, and wondered aloud if additional federal regulations were necessary to incentivize firms to reduce their vulnerabilities to hacking.

The U.S. government, Inglis said, must “seize back the initiative that has too long been ceded to criminals and rogue nations who determine the time and manner of their transgressions.” He called on the U.S. and its allies to “remove the sanctuary [to ransomware criminals] and bring to bear consequences on those who hold us at risk.”

Easterly spoke with similar urgency: “We’re now at a place where nation-states and non-nation-state actors are leveraging cyberspace largely with impunity to threaten our privacy, our security and our infrastructure.”

Govinfo Security informs us that

As the federal government hammers out national infrastructure legislation, implements President Biden’s recent cybersecurity executive order and adopts other related initiatives, more attention and funding needs to be allocated to strengthen the healthcare sector’s cybersecurity posture and resilience, some industry groups urge.

In a letter Wednesday addressed to Biden, but also copied and sent to Senate and House party leaders, the Healthcare and Public Health Sector Coordinating Council requested heightened collaboration between industry and government to provide a road map for driving improvements to the cybersecurity readiness of the healthcare sector.

HSCC, a private-sector critical infrastructure advisory council to the Department of Health and Human Services created by Presidential Policy Directive 21 in 2013 during the Obama administration, represents more than 300 healthcare sector organizations, including patient care delivery networks, health plans, laboratories and health IT vendors.

Ars Technica reports on the long tail of ransomware attacks.

Researchers have discovered yet another massive trove of sensitive data, a dizzying 1.2TB database containing login credentials, browser cookies, autofill data, and payment information extracted by malware that has yet to be identified.

In all, researchers from NordLocker said on Wednesday, the database contained 26 million login credentials, 1.1 million unique email addresses, more than 2 billion browser cookies, and 6.6 million files. In some cases, victims stored passwords in text files created with the Notepad application.

The article directs concerned readers to the Have I Been Pwned website which aggregates breach information as a service to consumers.

In that regard, ISACA reminds us about the important role that data destruction policies play in maintaining cyber hygiene.

The Wall Street Journal reports on its interview with FBI Director Christopher Wray

FBI Director Christopher Wray said the agency was investigating about 100 different types of ransomware, many tracing back to hackers in Russia, and compared the current spate of cyberattacks with the challenge posed by the Sept. 11, 2001, terrorist attacks.

“There are a lot of parallels, there’s a lot of importance, and a lot of focus by us on disruption and prevention,” Mr. Wray said in an interview Thursday. “There’s a shared responsibility, not just across government agencies but across the private sector and even the average American.”

Mr. Wray’s comments—among his first publicly since two recent ransomware attacks gripped the U.S. meat and oil-and-gas industries—come as senior Biden administration officials have characterized ransomware as an urgent national-security threat and said they are looking at ways to disrupt the criminal ecosystem that supports the booming industry. Each of the 100 different malicious software variants are responsible for multiple ransomware attacks in the U.S., Mr. Wray said.

In that regard, Cyberscoop informs us about the latest moves in a long dance between the feds and private sector over cybersecurity, with a tempo that has hastened considerably since the Colonial Pipeline ransomware attack, and Bleeping Computer offers its latest week in ransomware report.

Earlier this week, Scripps Health, the San Diego health system, accounted for the protected health information losses, totally 147,000 patient records, that it incurred in its early May ransomware attack.

The FEHBlog shares the American Hospital Association’s sentiments

White House issues memo urging vigilance against ransomware threats. The White House today released a memo from Anne Neuberger, Deputy Assistant to President Biden, and Deputy National Security Advisor for Cyber and Emerging Technology, urging business executives to immediately convene their leadership teams to discuss ransomware threats and review corporate security posture and business continuity plans. The memo reiterates high-impact best practices for organizations to adopt: adoption of multi-factor authentication, endpoint detection and response, encryption and deploying skilled, empowered security teams. In addition, the AHA also recommends as high impact having network segmentation in place; tested, offline secure backups; incident response planning; and staff trained to recognize and report phishing emails.
“We are pleased to see the memo from the White House stressing the importance of some fundamental-but-essential cybersecurity measures which most hospitals and health systems already have in place ” said John Riggi, AHA’s senior advisor for cybersecurity and risk. “From AHA’s perspective, equally important to stopping ransomware attacks is the tangible actions the government will take to, as they stated, ‘hold ransomware actors and the countries who harbor them accountable.’ We agree that neither the private sector nor the government can fight this battle alone. We also reiterate, as we did in our testimony before the Senate and our public statements, that defense is only half of the equation which provides the solution to this national security threat.”

ISACA discusses the importance of security risk assessments and risk-informed decision making to cybersecurity protection.

Over the past two weeks, HHS’s Office for Civil Rights, which enforces the HIPAA Privacy and Security Rules announced its 19th patient right to access records settlement and a Security Rule related settlement.