Cybersecurity Saturday

Cybersecurity Saturday

To set the stage, last Tuesday, “ECRI, an independent, nonprofit organization that provides technology solutions and evidence-based guidance to healthcare decision-makers worldwide, lists cybersecurity attacks as the top health technology hazard for 2022 in its just-released annual report.”

What’s more, HC3 issued its Fourth Quarter 2021 Healthcare Cybersecurity Bulletin.

Getting down to business, HC3 also released a useful PowerPoint presentation with background and remediation / prevention tips for the Log4j vulnerability.

From the irony department, ZDNet reported yesterday that

Microsoft researchers have discovered a previously undisclosed vulnerability in the SolarWinds Serv-U software while monitoring threats related to Log4J vulnerabilities. 

Jonathan Bar Or explained on Twitter that while he was hunting for a Log4J exploit attempt, he noticed attacks coming from serv-u.exe. 

“Taking a closer looked revealed you could feed Ssrv-U with data and it’ll build a LDAP query with your unsanitized input! This could be used for log4j attack attempts, but also for LDAP injection,” he wrote. 

“Solarwinds immediately responded, investigated and fixed the #vulnerability. Their response is the quickest I’ve seen, really amazing work on their part!”

On a broader scale, ZDnet also reports that

The US government has urged organizations to shore up defenses “now” in response to website defacements and destructive malware targeting Ukraine government websites and IT systems. 

The US Cybersecurity and Infrastructure Security Agency (CISA) has published a new ‘CISA Insights‘ document aimed at all US organizations, not just critical infrastructure operators. The checklist of actions is CISA’s response to this week’s cyberattacks on Ukraine’s systems and websites, which the country’s officials have blamed on hackers linked to Russian intelligence services.

From the latest vulnerabilities front, Cyberscoop informs us that

QR codes are among the few “winners” of the coronavirus pandemic, the joke goes, because restaurants and other businesses have deployed them in far greater numbers over the past few years, in an effort to make more interactions contactless.

The FBI is warning, however, that scammers love them, too.

The bureau’s Internet Crime Complaint Center (IC3), issued a general alert Tuesday about “malicious” QR codes that reroute unsuspecting consumers to the world of cybercrime.

“[C]ybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim’s device, and redirecting payment for cybercriminal use,” the announcement says.

Last but never least, here is a link to Bleeping Computer’s The Week in Ransomware.

Cybersecurity Saturday

The headline news of the week is brought to us by the Wall Street Journal

The Russian government on Friday [January 14] said it had arrested members of the prolific criminal ransomware group known as REvil that has been blamed for major attacks against U.S. business and critical infrastructure, disrupting its operations at the request of U.S. authorities.

Russia’s security service, the FSB, said in an online press release that it had halted REvil’s “illegal activities” and seized funds belonging to the group from more than two dozen residences in Moscow, St. Petersburg and elsewhere. REvil members were arrested in relation to money-laundering charges, the FSB said. It didn’t provide names of any of the suspects.

The arrests included “the individual responsible for the attack on Colonial Pipeline last spring,” a particularly devastating ransomware offensive that led to the main conduit of fuel on the U.S. East Coast being shut down for days, a senior Biden administration official said. A different Russian ransomware gang had previously been linked to the Colonial hack, but security experts and officials have said they are not neatly defined and that individual hackers often overlap.

“We welcome reports the Kremlin is taking law enforcement steps to address ransomware within its borders,” the official said.

Needless to say this development also is the focus of Bleeping Computer’s The Week in Ransomware.

From the log4j front, Healthcare Dive tells us that

— Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said the agency has not yet seen the Log4j vulnerability used for significant intrusions but cautioned that sophisticated threat actors may be lying in wait for cybersecurity defenders to be caught off guard during a lower level of awareness.

— Threat actors have used the vulnerability to install and sell cryptomining software on victims’ computers and to potentially launch future botnet attacks. CISA cannot independently confirm research showing nation-state threat actors developing attacks based on Log4Shell, Easterly said during a presser Monday. 

— Microsoft security researchers identified a China-based threat actor, tracked as DEV-0401, exploiting the Log4j vulnerability in systems using VMware Horizon to deploy NightSky ransomware, researchers said in an updated blog.

Federal News Network interviewed about this infamous yulnerability. Gordon Bitko, former FBI chief information officer, now the senior vice president of policy at the Information Technology Industry Council.

Gordon Bitko: Tom, where there’s a difference from SolarWinds. Log4j wasn’t a coordinated — as far as we know — attack by an adversary. It was a vulnerability that was identified, and so the people who are exploiting it now seem more like cybercriminals who were using it as a way to implant ransomware, things of that nature.

Tom Temin: Alright, so you can never rest on your laurels.

Gordon Bitko: That is 100% the case. It is important for everybody doing cybersecurity and their management to understand it’s a race on a treadmill. You can never stop.

Last Wednesday Cyberscoop reported that

Tech giants and federal agencies will meet at the White House on Thursday to discuss open-source software security, a response to the widespread Log4j vulnerability that’s worrying industry and cyber leaders.

Among the attendees are companies like Apple, Facebook and Google, as well as the Apache Software Foundation, which builds Log4j, a ubiquitous open-source logging framework for websites.

“Building on the Log4j incident, the objective of this meeting is to facilitate an important discussion to improve the security of open source software — and to brainstorm how new collaboration could rapidly drive improvements,” a senior administration official said in advance of the meeting.

Here’s the White House readout from that meeting. According to that document, the discussion focused on three topics:

Preventing security defects and vulnerabilities in code and open source packages, improving the process for finding defects and fixing them, and shortening the response time for distributing and implementing fixes. In the first category, participants discussed ideas to make it easier for developers to write secure code by integrating security features into development tools and securing the infrastructure used to build, warehouse and distribute code, like using techniques such as code signing and stronger digital identities.

In the second category, participants discussed how to prioritize the most important open source projects and put in place sustainable mechanisms to maintain them.

In the final category, participants discussed ways to accelerate and improve the use of Software Bills of Material, as required in the President’s Executive Order, to make it easier to know what is in the software we purchase and use. 

For a government meeting open to you, dear readers:

The Cybersecurity and Infrastructure Security Agency (CISA) is holding virtual mini-Industry Day events throughout this year. These events will allow CISA and industry to have meaningful discussions about cybersecurity capabilities, challenges, top priorities, requirements, and technologies as well as future business opportunities.

The first Virtual Mini-Industry Day will be Wednesday, January 26, at 10 a.m. (EST). This event will provide insight into current and future challenges as well as provide presentations regarding IT  FY22 information technology focus areas, FY23-25 foundational work, engineering, information assurance, information technology operations, and records management/governance. To attend, please register by Tuesday, January 18, at 5 pm ET

Finally ZDnet offers its recommendations on

Cybersecurity Saturday

Health IT Security reports

As a new year begins, threat actors are continuing to overwhelm providers and patients with healthcare data breaches. Some experts predict that ransomware actors will favor data exfiltration over encryption this year and that they will shift their focus to APIs and other attack vectors in order to throw off victims.

Florida-based health system Broward Health recently suffered a protected health information (PHI) breach that impacted 1.3 million individuals. Meanwhile, other healthcare organizations are still recovering from a ransomware attack on HR management solutions vendor Kronos.

Many healthcare organizations are also focused on mitigating threats associated with the recently discovered Apache Log4j vulnerability, which could have catastrophic security implications for multiple sectors if exploited.

HHS urged healthcare organizations to implement the Log4j patch and ramp up incident response functions. Healthcare organizations should also remain wary of ransomware, phishing, and other prominent cyber threats that continue to impact organizations across all sectors.

The more things change, etc.

Cyberscoop adds that

The Federal Trade Commission Tuesday warned companies that if they fail to take action to remedy a major recent software vulnerability in open-source software tool Log4j, there could be legal repercussions.

“When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss, and other irreversible harms,” the agency warned. “It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”

Log4j is ubiquitous in software used throughout the technology industry, and is found in products built by companies including Amazon, Google and Microsoft. The widespread use of such technology has made it difficult to identify potential victims. At the same time, the popularity has made it an easy target for a range of cybercriminals to exploit.

Cybersecurity Dive concludes

As U.S. industries and government agencies restart operations after the winter holiday break, security researchers are warning the impacts of the Log4j vulnerability will continue to leave organizations open to potential threats in the coming weeks and months. 

“Exploitation attempts and scanning remained high during the last weeks of December,” Microsoft said in an updated blog post. Attackers have added exploits to existing malware kits and tactics, ranging from coin miners to hands-on-keyboard attacks. 

The Apache Software Foundation released version 2.17.1 of Log4j last week, the latest in a series of updates since the vulnerability was disclosed in December. The newly released fix addresses the risk of remote code execution when an attacker with certain permissions can create a malicious configuration using a JDBC Appender, according to Apache. 

And it wouldn’t be a Cybersecurity Saturday post without offering a link to Bleeping Computer’s The Week in Ransomware.

Cybersecurity Friday

Happy New Year.

Due to the holidays, there has been a two week long break in the FEHBlog’s cybersecurity posts. The December 18 post focused on the Java Log4j vulnerability which is still causing cybersecurity problems according to this Cyberscoop article:

A Chinese hacking group known for industrial espionage and intelligence collection used a vulnerability in Log4j to go after a large academic institution, researchers at CrowdStrike revealed Wednesday.

Tech Republic reports on how to check for Log4j vulnerabilities using a “simple to use script.” The article walks the reader through a sample scan. HC3 also released an alert calling attention to the availability of this vulnerability scanner.

This Health IT Security article adds that “The HHS 405(d) Task Group issued a brief outlining the risks associated with the recently discovered Apache Log4j vulnerability that could have catastrophic security implications for healthcare and other sectors.” Bleeping Computer offers a detailed situation report on the Log4j vulnerability.

Speaking of catastrophes, Bleeping Computer looks back at the ten largest healthcare protected health information breaches in 2021 and Tech Republic identifies the ten worst password snafus this year. Tech Republic adds

How can you make sure your employees follow strong password security guidelines to protect your organization’s sensitive data? Dashlane offers the following tips:

Establish a culture of security. Employees need to understand what part they play in securing your company’s data. They must be involved in discussions about security. And they should have the tools required to follow strong password and security hygiene.

Train employees. Show employees how to spot and report possible security risks and threats. You may want to create a special email or contact they can use to report an incident.

Implement the right technology. This means using such tools as email security, endpoint protection and password managers.

Track the results of your security tools. Find ways to measure the effectiveness of your security defenses. For example, some password managers have a health feature that analyzes and rates the strength of your passwords.

Also, Health IT Security offers expert cybersecurity predictions for 2022. For example,

By December 31, 2022, healthcare organizations will be required to migrate to Fast Healthcare Interoperability Resources (FHIR) APIs in order to enable seamless data sharing. As organizations adjust and implement the new data standards, it is likely that threat actors will use APIs as a network entry point.

“As interoperability becomes more of a mainstream priority for healthcare organizations and we see more APIs that are being introduced between critical systems, I think we’re going to see a rise in the number of attacks that are focused on compromising those APIs,” Mac McMillan, CEO of CynergisTek, predicted in an interview with HealthITSecurity.

“It’s another area where don’t typically have a good, consistent approach across the board in healthcare with respect to testing APIs for security.”

Cybersecurity Saturday

Roughly a year after we experienced Solar Winds, we have the Apache Log4j flaw. ZDnet tells us that “A flaw in Log4j, a Java library for logging error messages in applications, is the most high-profile security vulnerability on the internet right now and comes with a severity score of 10 out of 10.” Here is link to ZDnet’s FAQ on the the Log4j flaw and the patches available.

ZDnet adds

If there ever was any doubt over the severity of the Log4j vulnerability, director of US cybersecurity and infrastructure agency CISA, Jen Easterly, immediately quashed those doubts when she described it as “one of the most serious that I’ve seen in my entire career, if not the most serious”.

Not surprisingly therefore, Federal News Network reports that

The Cybersecurity and Infrastructure Security Agency issued an emergency directive today [December 17] requiring civilian executive branch agencies to determine all Internet-facing assets with the critical “Log4j” vulnerability and either patch or mitigate any vulnerable software within a week.

By Dec. 23 at 5 p.m., agencies are directed to “enumerate all solutions stacks accepting data from the internet” and then check whether any of them have the Log4j vulnerability using a CISA-managed Github repository available on the agency’s website, according to the new directive.

By the same deadline, agencies are given three options for how to address any vulnerable software: “immediately” update assets where patches are available; mitigate the risk of exploitation using another mitigation measure listed on CISA’s website; or remove the affected asset from their networks.

Bleeping Computer’s The Week in Ransomware focuses its attention on cybercriminal exploitation of this flaw.

Health IT Security adds

At least 39 ransomware groups have attacked the healthcare sector across 27 countries in the past 18 months, data from the CyberPeace Institute’s Cyber Incident Tracer revealed. Despite explicitly saying that they would not target healthcare, 12 groups singled out the sector.

Some healthcare organizations may simply be collateral damage, an accompanying blog post explained. Some ransomware operators used vague terms like “medical organizations” when describing which entities were off limits. Others saw pharmaceutical companies as fair game. Half of the 12 ransomware operators targeted hospitals specifically, despite saying that they would not target healthcare. * * *

Other groups target healthcare by choice. The FIN12 affiliate group has a reputation for going after healthcare organizations. Threat intelligence firm Mandiant discovered that nearly 20 percent of the group’s attacks were targeted at healthcare entities, and over 70 percent were aimed at US-based entities.

Sometimes, healthcare organizations may be targeted out of indifference. Usually, this means that the healthcare organizations fell victim to “spray and pray” tactics, where ransomware operators will execute phishing campaigns or Remote Desktop Protocol (RDP) brute force attacks with the hopes of getting some organizations to fall for the attack.

The Wall Street Journal aptly describes 2021 as “the year that hackers went wild and changed everything.”

The U.S. government in 2021 began to take a more decisive—and prescriptive—role in how digital defenses are constructed, on the back of a string of high-profile cyberattacks against the nation’s critical infrastructure.

Jingle Bells.

Cybersecurity Saturday

From Capitol Hill, per Nextgov, “the House [of Representatives] on Tuesday passed the NDAA conference report—language House and Senate Armed Services Committee leaders agree on that reconciles versions of the bill from each chamber. The next step is a vote on the conference report by the Senate.  (H.R. 4350).

Nextgov adds

“There were intensive efforts to get cyber incident reporting done but ultimately the clock ran out on getting it in the NDAA,” House Homeland Security Committee Chairman Bennie Thompson, D-Miss and Rep. Yvette D. Clarke, D-NY, who chairs the committee’s panel on cybersecurity, said in a joint statement Tuesday.

The annual Defense Authorization Act still “initiates the widest empowerment and expansion of CISA through legislation since the SolarWinds incident,” according to a summary of the bill released by the House Armed Services Committee Tuesday

The bill gives CISA added responsibilities around identifying threats to industrial control systems, and removing cybersecurity vulnerabilities while establishing voluntary partnerships with industrial control system and internet ecosystem companies. 

From the government initiative front, Health IT Security reports that

HHS launched a new website for its 405(d) Program with the goal of aligning healthcare cybersecurity across the industry. Under the Cybersecurity Act of 2015, HHS established the 405(d) Aligning Health Care Industry Security Approaches Program and the 405(d) Task Group, which is comprised of more than 150 industry and government experts.

The program aims to uphold the motto that “cyber safety is patient safety,” and its website contained resources, videos, products, and tools to help raise awareness and promote cybersecurity best practices, the HHS announcement stated.

“Healthcare professionals understand the importance of hand washing when it comes to mitigating the spread of diseases. Similarly, we know that cybersecurity practices reduce the risk of cyber-attacks and data breaches,” the website maintained.

Also the HHS Cybersecurity Program issued a healthcare sector alert yesterday

A highly utilized application called Log4j contains a severe, known vulnerability that is being actively and aggressively attacked. Upon successful exploitation, a compromised system or device can be used to execute arbitrary code, which can serve as the beginning of a larger cyberattack potentially resulting in any number of effects including data exfiltration and ransomware. HC3 advises healthcare and public health organizations to survey their infrastructure and ensure they are not running vulnerable versions of Log4j. Any vulnerable systems should be upgraded, and a full investigation of the enterprise network should commence to identify possible exploitation if a vulnerable version is identified.

Report

Log4j is a very common Java library/framework that provides logging capabilities to any number of software platforms that it serves. In late November, a remote code execution (RCE) vulnerability (tracked as CVE-2021-44228) was identified in certain versions which are now being actively exploited in the wild. Proof of concept exploit code has been circulating social media for several days and is publicly posted on well-known code repositories. The Log4j software is maintained by Apache and they have released an update which should be deployed (after testing, as needed) across all vulnerable devices in the enterprise in a timely manner.

From the interviews department

  • Tech Republic interviews Walgreens Boots Alliance CTO Mike Maresca “about what keeps him up at night and why building internal and external partnerships is key for digital transformation success.”
  • The Wall Street Journal interviews Kathy Hughes, the CISO for Northwell Health, a hospital / healthcare system in New York City and Long Island, and Joey Johnson, the CISO for Premise Health, which offers health and wellness services to employers, among others. This tidbit from the interview grabbed the FEHBlog’s attention:

WSJ: Can you briefly explain a couple of technologies that you had to deploy?

MS. HUGHES: The most significant one was, because we had seen such an uptick in phishing emails, we deployed a technology that actually does a live scan of a URL when it’s clicked within an email. The technology that we had before, if a URL had been accessed that was previously determined and rated to be malicious, it would be blocked. But this enabled us to do that in real time

Cool.

From the hacking front, Cyberscoop reports

Hackers associated with the SolarWinds supply chain compromise have been busy in the year since that attack was revealed, compromising multiple cloud solution companies with the goal of stealing data relevant to Russian interests and finding routes to additional victims, new research reveals.

Findings published Monday [December 6] by a team of analysts at Mandiant collate previous observations and analysis — along with the efforts of “hundreds of consultants, analysts and reverse engineers — to paint a picture of potentially distinct groups working alongside or within a more established Russian intelligence hacking group known as Nobelium, a name given to the group by Microsoft. The group is also known as Cozy Bear.

Last but never least, here is a link to Bleeping Computer’s The Week in Ransomware.

This week has quite a bit of ransomware news, including arrests, a new and sophisticated ransomware, and an attack bringing down 300 supermarkets in England.

This week’s biggest story is a law enforcement operation conducted by the FBI and Ontario Provincial Police (OPP) that arrested a Candian ransomware affiliate allegedly involved in hundreds of attacks.

We also learned about the new ALPHV (aka BlackCat) ransomware that appears to be one of the most sophisticated ransomware families we have seen this year.

Finally, this week’s largest known ransomware attack was on James Hall and Co, which affected point-of-sale systems and led to the temporary closing of over 300 Spar supermarkets in England. This week’s other known attack is on Nordic Choice Hotels by the Conti ransomware gang.

Cybersecurity Saturday

From the Capitol Hill front, Bank Info Security reviews the cybersecurity and breach notice measures found in the National Defense Authorization Act for the current government fiscal year. Defense One reports that the Senate at this point is not expected to pass its version of the bill until next month.

From the administrative front, Cyberscoop reports that

The Cybersecurity and Infrastructure Security Agency on Wednesday [December 1] named members to a new [Congressionally mandated] cyber advisory panel that will make recommendations on subjects ranging from battling misinformation to gaining aid from the hacker community on national cyber defense.

Among the 23 members selected are leaders from social media, cybersecurity companies, major technology firms and critical infrastructure sectors such as finance and energy. It includes officials from Johnson & Johnson and Walmart, as well as a longtime cybersecurity journalist and the mayor of Austin, Texas. * * *

Bylaws for the committee published in July said it would address subjects like critical infrastructure protection, information sharing, risk management and public-private partnerships. Wednesday’s announcement added potential subjects like the cyber workforce and disinformation. Its first meeting is Dec. 10.

Federal News Network informs us that

The Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security is putting the final touches on several guidance documents to help ease the transition to a zero trust cybersecurity environment.

The entire goal of this effort to move security away from the network and to the data and application layers.

John Simms, the deputy branch chief of the Cybersecurity Assurance Branch in CISA, said the documents and other efforts are helping agencies shift their cyber thinking away from the network and closer to the data.

Over the last three months, CISA, along with the Office of Management and Budget, rolled out the draft zero trust strategy, the draft cloud security technical reference architecture and the draft zero trust maturity model.

From the reports front

  • On Thursday December 2, the Government Accountability Office issued a report in connection with GAO testimony before Congress “on the need for the federal government to develop and execute a comprehensive national cyber strategy, and to strengthen the role that it plays in protecting the cybersecurity of critical infrastructure. Ensuring the cybersecurity of the nation is on our High Risk List, and we have urged federal agencies to act on it.”
  • The HHS Office of Information Security released a presentation on December 2 about the risks that the cybercriminal group FIN12 posts to the healthcare sector.
  • Health IT Security reports about new Healthcare ISAC guidance to help CISOs navigate interoperability, patient access, and identity-centric data sharing under the 21st Century Cures Act. New interoperability mandates under the Cures Act require healthcare organizations to implement APIs to promote the digitization of electronic health information (EHI). “While APIs are the ‘door’ to enabling interoperability of EHR between healthcare organizations, strong identity solutions are the ‘key’ that keeps EHI secure,” the guide explained. OPM is eager for FEHB plans to offer these APIs to their members.

Here is a link to Bleeping Computer’s The Week in Ransomware.

The biggest news over the past two weeks is the unsealing of a United States’ Complaint for Forfeiture detailing how the FBI seized 39.89138522 bitcoins from an Exodus wallet belonging to an REvil affiliate. Based on the email listed in the court document, it is believed that the affiliate is one known as ‘Lalartu.’

The FBI also disclosed that Cuba ransomware has attacked 49 US critical infrastructure orgs and received at least US $43.9 million in ransom payments.

ZD Net adds that

Cyber criminals are using online adverts for fake versions of popular software to trick users into downloading three forms of malware – including a malicious browser extension with the same capabilites as trojan malware – that provide attackers with usernames and passwords, as well as backdoor remote access to infected Windows PCs.  

The attacks, which distribute two forms of seemingly undocumented custom-developed malware, have been detailed by cybersecurity researchers at Cisco Talos who’ve named the campaign ‘magnat’. It appears the campaign has been operating in some capacity since 2018 and the malware has been in continuous development.  

Over half of the victims are in Canada, but there have also been victims around the world, including in the United States, Europe, Australia and Nigeria.

In closing, an expert in Security Week offers his four cybersecurity predictions for 2022.

Cybersecurity Saturday

The FEHBlog hopes that his readers enjoyed the 400th Thanksgiving holiday.

Congress will be in session for the next two weeks. Cyberscoop brings us up to date on the legislative effort to include a data breach and ransomware reporting provision in the must pass National Defense Authorization Act bill for the current federal fiscal year.

As we enter our country’s major holiday season, Tech Republic reports that “An alert issued Monday [November 22] by the Cybersecurity and Infrastructure Security Agency [CISA] and the FBI urged organizations to be on guard for ransomware attacks that take advantage of worker downtime during Thanksgiving [etc.].”

In the alert, CISA stressed that neither it nor the FBI have identified any specific threats that might occur on or around Thanksgiving. But with or without advanced warning, organizations need to be prepared for attacks designed to take advantage of the holiday.

ISACA offers an expert column on using zero trust and XDR to stop ransomware. The FEHBlog has linked to several columns on zero trust but he had not heard of XDR. It turns out that

XDR brings together information about possible attack elements (e.g., indicators of compromise [IoCs]) with logs of network traffic, quirky endpoint behavior, cloud and Software-as a-Service (SaaS) service requests, and server events for analysis. The power of XDR is that it goes beyond security information and event management (SIEM) which aggregates log data to include correlation, analysis and machine learning (ML)-augmented modelling. This forms the basis for an effective response.

By deploying an XDR solution (which can detect many attack elements) with a zero trust-enabled architecture (which hardens infrastructure against malicious attacks), one can substantially improve survivability against ransomware. So, deploy an IAM tool. Use multifactor authentication (MFA), at least for high-privilege accounts. Segment the network. And put an XDR tool in place for the security operations center (SOC). You will have a much calmer, more predictable, less eventful day-to-day work experience.

Because Bleeping Computer’s The Week in Ramsomware was not published Thanksgiving week, here is a Health IT Security overview of cybersecurity issues affecting the healthcare sector.

Cybersecurity Saturday

From Capitol Hill, the Hill informs us that

The Senate is eyeing the annual defense bill as a vehicle to attach critical provisions to improve the nation’s cybersecurity following a devastating year in which major attacks left the government flat-footed.  

The [bipartisan] amendment [to the National Defense Authorization Act] would give critical infrastructure groups, nonprofit organizations, state and local governments, and certain businesses 24 hours to report ransomware attack payments. It also includes language to update the Federal Information Security Modernization Act (FISMA) to clarify the roles of key agencies in responding to cyber incidents, another key bipartisan priority. 

“It’s got broad bipartisan support, and we are hoping to get it in this package,” Peters told The Hill Wednesday. “Of course, we’ve got negotiations and then the House, and we’ve been working with our House counterparts too.”

The House already approved its version of the 2022 NDAA in September, including a raft of measures in the defense package intended to strengthen the nation’s cybersecurity.

Cyberscoop provides more breach notice news

Banks must report major cybersecurity incidents to federal officials within 36 hours under a rule that U.S. financial regulators finalized on Thursday.

Beginning in May 2022, financial executives will need to be more forthcoming about computer system failures and interruptions, such as ransomware or denial-of-service attacks that have the potential to disrupt customers’ ability to access their accounts, or impact the larger financial system. * * *

The final approval comes as Congress weighs broader reporting rules for critical infrastructure owners and operators, and as the Transportation Security Administration has begun imposing reporting requirements on leading pipeline, rail and air transport companies.

The 36-hour timeline for banks falls between the leading proposals on Capitol Hill at around 72 hours, and the TSA rules at 12 hours.

OPM allows FEHB carriers a 24 hour period to notify the agency about a breach or security incident.

On the advanced persistent threat front, Health IT Security reports that

US cyber officials along with allies from Australia and the UK issued an advisory warning the healthcare and transportation sectors about an Iranian government-sponsored advanced persistent threat (APT) group that has been exploiting Microsoft Exchange ProxyShell and Fortinet vulnerabilities. * * *

The FBI, CISA, ACSC, and NCSC recommend that organizations using Microsoft Exchange or Fortinet stay cautious and look for the following signs of suspicious activity:

— Search for IOCs. Collect known-bad IOCs and search for them in network and host artifacts. 

— Investigate exposed Microsoft Exchange servers (both patched and unpatched) for compromise. 

— Investigate changes to Remote Desktop Protocol (RDP), firewall, and Windows Remote Management (WinRM) configurations that may allow attackers to maintain persistent access. 

— Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.

— Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating-system defined or recognized scheduled tasks for unrecognized “actions” (for example, review the steps each scheduled task is expected to perform).

Review antivirus logs for indications they were unexpectedly turned off.

Look for WinRAR and FileZilla in unexpected locations. 

To mitigate risk, the FBI, CISA, NCSC, and ACSC urged organizations to patch and update operating systems, evaluate and update blocklists and allowlists, and implement backup and restoration policies. In addition, organizations should implement network segmentation, work to secure all user accounts, implement multi-factor authentication, secure remote access, and use strong passwords.

For more information, see CISA’s assessment and overview of the ongoing Iranian cyber threat. 

Also on the prevention front CISA announced that

The White House, via Executive Order (EO) 14028: Improving the Nation’s Cybersecurity, tasked CISA, as the operational lead for federal cybersecurity, to “develop a standard set of operational procedures (i.e., playbook) to be used in planning and conducting cybersecurity vulnerability and incident response activity” for federal civilian agency information systems. In response, today, CISA published the Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. The playbooks provide federal civilian executive branch (FCEB) agencies with operational procedures for planning and conducting cybersecurity incident and vulnerability response activities. The playbooks provide illustrated decision trees and detail each step for both incident and vulnerability response.  
 
FCEB agencies should use the playbooks to shape their overall defensive cyber operations. The playbooks apply to information systems used or operated by an FCEB agency, a contractor of the agency, or another organization on behalf of the agency. CISA encourages agencies to review the playbooks and CISA’s webpage on EO 14028 for more information.  
 
Although CISA created the playbooks for FCEB agencies, we encourage critical infrastructure entities; state, local, territorial, and tribal government organizations; and private sector organizations to review them to benchmark their own vulnerability and incident response practices.

CISA also updated its known exploited vulnerabilities catalog.

And of course, here is a link that the Bleeping Computer’s The Week in Ransomware.

While last week was full of arrests and law enforcement actions, this week has been much quieter, with mostly new research released.

Security firms released reports on the types of cryptomixers used by ransomware gangs, a detailed report on Conti, and how Russian ransomware gangs are starting to work with Chinese hackers.

ZDnet adds that “Ransomware is now a giant black hole that is sucking in all other forms of cybercrime
File-encrypting malware is where the money is — and that’s changing the whole online crime ecosystem.”

Cybersecurity Saturday

Inside Cybersecurity provides useful legal perspectives on the Defense Department’s recent changes to its Cybersecurity Maturity Model Certification program for defense contractors.

The evolution of DOD’s Cybersecurity Maturity Model Certification program reflects a response to concerns from the defense industrial base, according to attorneys, who said recent major changes show the Pentagon is taking into account pre-existing mechanisms for contractor compliance with cyber standards and is considering how the program can be implemented effectively.

CMMC 2.0 consolidates DOD’s cyber certification effort into three levels and relies heavily on NIST publications 800-171 and 800-172. The extra 20 controls in level two (formerly level three) are removed from the new model along with maturity processes.

Attorneys surveyed by Inside Cybersecurity questioned whether the Pentagon’s decision to walk back the CMMC model to align with the 110 controls in NIST 800-171 for level two is an effective approach and where things stand with assessment organizations who have been preparing to conduct assessments since the first version of the maturity model debuted in early 2020.

Check it out.

In Security Week a cybersecurity consultant Torsten George reflects on the recent Cybersecurity Awareness Month.

Despite all the new technologies, strategies, and artificial intelligence being employed by security experts and threat actors alike, one thing remains constant: the human element. As humans we’re fallible — a fact that threat actors frequently exploit when launching phishing and social engineering campaigns to establish a foothold in their victim’s IT environment. Ultimately, hackers don’t hack in anymore—they log in using weak, default, stolen, or otherwise compromised credentials.

The reality is that many breaches can be prevented using some basic cyber hygiene tactics, coupled with a Zero Trust approach. Yet most organizations continue investing the largest percentage of their security budget on protecting their network perimeter rather than focusing on security controls which can actually effect positive change to protect against the leading attack vectors: credential abuse and endpoints serving as main access points to an enterprise network.

And as usual Bleeping Computer’s The Week in Ransomware is chock full of news:

This week, law enforcement struck a massive blow against the REvil ransomware operation, with multiple arrests announced and the seizure of cryptocurrency.

On Monday, the US Department of Justice, Europol, and Interpol announced arrests of REvil affiliates and members in Kuwait and Romania. The FBI also announced the arrest of the REvil affiliate behind the July Kaseya attack that encrypted over 1,500 organizations.

In addition, the US announced that $6 million in ransom payments was seized from the REvil ransomware operation.

This week, the other big news is a massive attack on the European electronics retailer MediaMarkt by the Hive Ransomware operation.

What’s more Krebs on Security reports that

The Federal Bureau of Investigation (FBI) confirmed today [November 13] that its fbi.gov domain name and Internet address were used to blast out thousands of fake emails about a cybercrime investigation. According to an interview with the person who claimed responsibility for the hoax, the spam messages were sent by abusing insecure code in an FBI online portal designed to share information with state and local law enforcement authorities.