Cybersecurity Saturday

    From the cyberpolicy front —

    Cyberscoop reports

    The Government Accountability Office said Thursday that U.S. federal departments have implemented just 40% of the cybersecurity recommendations the watchdog agency has issued since 2010.

    The lethargic pace in which government agencies put in place cybersecurity precautions and best practices underlines the need for the Biden administration to “urgently” release a comprehensive national cybersecurity strategy with effective oversight, the GAO said in its report.

    The GAO said that the updated national cybersecurity strategy, which the administration is reportedly planning to release soon, should address key “desirable characteristics of national strategies” such as performance measures that were missing in President Trump’s 2018 cybersecurity strategy.

    “We stressed that moving forward, the incoming administration needed to either update the existing strategy and plan or develop a new comprehensive strategy that addresses those characteristics,” the report noted. 

    The GAO noted that only about 145 of its 335 recommendations have been put in place. The agency recommended such actions as establishing the national cyber director and the General Services Administration updating its security plans.

    The Cybersecurity and Infrastructure Security Agency released its 2022 Year in Review report. Health IT Security examines the CISA report from the standpoint of the healthcare sector.

    The FEHBlog noticed that two Federal Acquisition Regulation proposed rules that he has been tracking are now pending review at OMB’s Office of Information and Regulatory Affairs.

    DOD/GSA/NASA (FAR)

    AGENCY: FAR RIN: 9000-AO34 Status: Pending Review
    TITLE: Federal Acquisition Regulation (FAR); FAR Case 2021-017, Cyber Threat and Incident Reporting and Information Sharing
    STAGE: Proposed Rule ECONOMICALLY SIGNIFICANT: Yes
    RECEIVED DATE: 12/19/2022 LEGAL DEADLINE: None

    AGENCY: FAR RIN: 9000-AO35 Status: Pending Review
    TITLE: Federal Acquisition Regulation (FAR); FAR Case 2021-019, Standardizing Cybersecurity Requirements for Unclassified Information Systems
    STAGE: Proposed Rule ECONOMICALLY SIGNIFICANT: No
    RECEIVED DATE: 12/19/2022 LEGAL DEADLINE: None

    Should these proposed rules clear OIRA review, the next step is publication in the Federal Register.

    From the cyberbreach front,

    Cybersecurity Dive reports

    T-Mobile on Thursday said a threat actor accessed personal data on about 37 million current customers in an intrusion that went undetected since late November.

    The wireless network operator identified the malicious activity on Jan. 5 and during a subsequent investigation determined the unauthorized access began on or around Nov. 25, the company said in a filing with the Securities and Exchange Commission.

    T-Mobile said it was able to trace the source of the malicious activity to an application programming interface and stop it with the help of cybersecurity consultants. 

    This incident marks the eighth publicly acknowledged data breach at T-Mobile since 2018, including a massive data breach in August 2021 that exposed personal data of at least 76.6 million people.

    The investigation is ongoing, but T-Mobile said there is no evidence its systems or network were breached during the incident.

    From the cyber vulnerabilities front —

    Cybersecurity Dive reports

    • Potential cyber incidents and business interruption remained the two leading worldwide corporate risk concerns for the second year in a row, according to a report published Tuesday by Allianz Group’s corporate insurance unit, Allianz Global Corporate & Specialty. 
    • Both cyber and business interruptions were the top concerns among 34% of respondents in the annual Allianz Risk Barometer. The study measured the responses of 2,712 risk management experts in 94 countries and territories, including CEOs, risk managers, brokers and other insurance experts. 
    • Respondents were concerned about a range of potential incidents, from ransomware to data breaches and IT outages. The report noted ransomware remains a frequent threat and cited IBM data showing the average cost of a data breach hit a record of $4.35 million, with the cost expected to surpass $5 million this year.

    Health IT Security tells us

    Cloud security concerns settled into the number five spot on ECRI’s list of “Top 10 Health Technology Hazards for 2023,” a report that the organization has released annually for the past 16 years. ECRI is a nonprofit organization that focuses on healthcare technology and safety.

    The organization’s annual health tech hazards list is compiled by a team of clinicians, healthcare management experts, and biomedical engineers. Last year, ECRI identified cyberattacks as the number one health tech hazard.

    CISA added one more known exploited vulnerability to its catalog.

    The Healthcare Sector Cybersecurity Coordination Center issued three reports this week:

    • Healthcare Cybersecurity Bulletin for Q4 2022: “Ransomware attacks, data breaches, and often both together, continued to be prevalent attacks against the health sector,” the bulletin notes. “Ransomware operators continued to evolve their techniques and weapons for increasing extortion pressure and maximizing their payday. Vulnerabilities in software and hardware platforms, some ubiquitous and some specific to healthcare, continued to keep the attack surface of healthcare organizations wide open. Managed service provider compromise continued to be a significant threat to the health sector, as did supply chain compromise.”
    • December Vulnerabilities of Interest to the Health Sector: “In December 2022, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for this month are from Microsoft, Google/Android, Apple, Intel, Cisco, SAP, Citrix, VMWare, and Fortinet.”
    • Artificial Intelligence and Its Current Potential to Aid in Malware Development: “Artificial intelligence (AI) has now evolved to a point where it can be effectively used by threat actors to develop malware and phishing lures. While the use of AI is still very limited and requires a sophisticated user to make it effective, once this technology becomes more user-friendly, there will be a major paradigm shift in the development of malware. One of the key factors making AI particularly dangerous for the healthcare sector is the ability of a threat actor to use AI to easily and quickly customize attacks against the healthcare sector.”

    In this regard, CSO offers a feature on how ChatGPT changes the phishing game. “The Microsoft-backed free chatbot is improving fast and can not only write emails and essays but can also code. ChatGPT is also polyglot and that could facilitate and increase exponentially phishing attacks.” Wonderful.

    From the ransomware front —

    • An ISACA expert explains why ransomware looms large on the third party risk landscape. “As adoption of cloud datacenters and software as a service grows, so does reliance on complex and global supply chains that introduce a multitude of potential vulnerabilities that can be exploited by cybercriminals. In this blog post, we will explore some key strategies for identifying and mitigating supply chain risks, with a special emphasis on ransomware risks in the supply chain.”
    • In Cybersecurity Dive, a ransomware negotiator shares three tips for victim organizations.
    • Dark Reading adds “in another sign that the tide may be finally turning against ransomware actors, ransom payments declined substantially in 2022 as more victims refused to pay their attackers — for a variety of reasons.”

    From the cyber defenses front, Tech Republic explains that while the cybersecurity implications of ChatGPT are vast, especially for email exploits, putting up guardrails, flagging elements of phishing emails that it doesn’t touch, and using it to train itself could help boost defense. Ah, a double-edged sword.

    Cybersecurity Saturday

    While Congress did enact a nationwide data breach law for healthcare organizations, including FEHB plans, Cyberscoop reports that last month’s data breach affecting password manager LastPass “exposes how US breach notification laws can leave consumers in the lurch.”

    The U.S. famously does not have a federal privacy law — something that might determine the rights of consumers to know their personal data has been stolen. What it has instead are 50 different state laws governing breach notification. When a company realizes its systems have been breached and data inappropriately accessed, it must examine the affected users state by state and determine whether the data stolen and belonging to them qualifies for notification under each user’s state data-breach notification regime. 

    “It’s really messy,” says Chris Frascella, who studies consumer privacy at the Electronic Privacy Information Center, a nonprofit research group. “What you’re required to report in Alabama may not be something that you have to report in Connecticut.”

    Against this backdrop, policymakers in Washington are attempting to step up their breach notification requirements, but these efforts are at an early stage.

    As mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022, the owners and operators of critical infrastructure will soon have to report cyber incidents and ransomware payments to the Department of Homeland Security. DHS is currently in the process of writing rules governing these disclosures, but it is important to note that these requirements are focused on critical infrastructure, rather than consumer goods. 

    Over at the Securities and Exchange Commission, policymakers have proposed requiring publicly traded companies to report in public filings breaches considered to be material to investors — but what amounts to a “material” breach is a matter of some debate.

    The Federal Trade Commission is also stepping up its efforts to push companies to implement better security practices and do a better job of notifying consumers when they are affected by a data breach.

    Congress can fix this problem.

    Cybersecurity Dive tells us

    The consistent increase in annual cybercrime damages is not sustainable, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said Thursday at CES in Las Vegas.

    Cybercrime damages cost organizations $6 trillion last year, she said. They are projected to reach $8 trillion this year and $10.5 trillion in 2025.

    “We cannot accept that 10 years from now it’s going to be the same or worse than where we are now,” Easterly said. “The critical infrastructure that Americans rely on every day … is underpinned by a technology base and that technology base was created effectively in an insecure way.”

    This won’t change until priorities and incentives are realigned, she said.

    Change starts with a recognition that cybersecurity is a fundamental safety issue, according to Easterly.

    “We’ve somehow accepted that the incentives in technology are all aligned toward cost, capability, performance, speed to market, and not safety,” she said.

    Companies are automatically blamed when they’ve been breached or didn’t patch a vulnerability that resulted in an attack, but that sole blame misses the broader challenge and questions everyone should be asking of technology vendors, according to Easterly.

    “Why did that software have so many vulnerabilities in it that it has to be constantly patched every week? Why did that software have a vulnerability that caused such a damaging breach?” she said.

    Organizations are relying on technology that gives security short shrift.

    “We can’t just let technology off the hook,” Easterly said.

    Good point, Ms. Easterly.

    From the cyber vulnerabilities front,

    Cybersecurity Dive informs us

    • “For the second consecutive year, disputes over cybersecurity and data represent the greatest global risk to organizations, according to a report from Baker McKenzie.
    • “The majority, 3 in 5, of senior legal and risk officers name cybersecurity and data as presenting the greatest risk to organizations, according to the firm’s 2023 Global Disputes Survey, which is based on responses from 600 legal and risk officers at organizations in the U.S., U.K., Singapore and Brazil with annual revenue of at least $500 million. 
    • “Cybersecurity concerns are becoming more frequent and they represent a range of challenges for companies, including the risk of financial, operational and reputational damage, according to the survey.”

    Cybersecurity Dive also points out

    The Cybersecurity and Infrastructure Security Agency added a Microsoft Exchange Server flaw linked to the Play ransomware attack on Rackspace to its catalog of known exploited vulnerabilities Tuesday [January 10].

    The escalation of privilege vulnerability, listed as CVE-2022-41080, was linked to the Dec. 2 ransomware attack that disrupted email access for thousands of Hosted Exchange customers at Rackspace. 

    CrowdStrike disclosed an attack method using CVE-2022-41080 and CVE-2022-41082 that achieves remote code execution via Outlook Web Access.  * * *

    CISA also added CVE-2023-21674, which is a Microsoft Windows advanced local procedure call (ALPC) vulnerability, to its catalog. The escalation of privilege vulnerability happens when Windows improperly handles calls to ALPC, allowing an attacker to escalate privileges from sandboxed execution inside Chromium to kernel execution, according to researchers at Automox.

    Here’s a link to the CISA catalog for your ease of reference.

    FYI, the Wall Street Journal reports that “Biden administration officials and cybersecurity experts said the Federal Aviation Administration’s system outage on Wednesday didn’t appear to be the result of a cyberattack.”

    From the ransomware front,

    Security Week relates, “Security researchers at Microsoft are flagging ransomware attacks on Apple’s flagship macOS operating system, warning that financially motivated cybercriminals are abusing legitimate macOS functionalities to exploit vulnerabilities, evade defenses, or coerce users to infect their devices.”

    The Health Sector Cybersecurity Coordination Center issued an analysis of “Royal & BlackCat Ransomware: The Threat to the Health Sector.”

    Bleeping Computer’s The Week in Ransomware tells us

    New research on ransomware was also disclosed, or discovered, with various reports listed below:

    CISA now requires federal agencies to patch the OWASSRF flaw by the end of January due to its active exploitation by both the Cuba and Play ransomware operations.

    From the cyber defense front,

    • The Wall Street Journal reports, “Cloud-infrastructure company Cloudflare Inc. announced Wednesday new email security capabilities aimed at helping businesses defend against phishing, malware and other cyberattacks commonly targeting corporate email accounts.”
    • Health IT Security informs us, “More than 20 healthcare leaders have come together to form the Health 3rd Party Trust (Health3PT) Initiative and Council, aimed at introducing new standards, automated workflows, and assurance models to the third-party risk management (TPRM) conversation.”
    • Following up on Ms. Easterly’s comments on cyber safety, Federal News Network notes that “CISA and the Department of Homeland Security’s Science and Technology Directorate, for instance, are sketching out projects to dig into the use of open source software in critical infrastructure sectors, Allan Friedman, CISA senior advisor and strategist, said at a Jan. 10 event at the Center for Strategic and International Studies sponsored by GitHub.”

    Cybersecurity Saturday

    Happy New Year! Cybersecurity Dive offers viewpoints of “six security experts on what cyber threats they expect in 2023. In sum: Organizations will keep a close eye on geopolitical tension and supply chain attacks. But at the core, the biggest threats are built on mistakes.”

    Becker’s Health IT provides the viewpoints of healthcare cybersecurity experts on what’s in store for 2023.

    Security Week discusses five stories that shaped cybersecurity in 2022.

    From the ransomware front —

    The Health Sector Cybersecurity Coordination Center released an analyst note on CLOP ransomware last Wednesday:

    Clop operates under the Ransomware-as-a-Service (RaaS) model, and it was first observed in 2019. Clop was a highly used ransomware in the market and typically targeted organizations with a revenue of $5 million U.S. Dollars (USD) or higher. Since its appearance, HC3 is aware of attacks on the Health and Public Health (HPH) sector. The HPH sector has been recognized as being a highly targeted industry for the Clop ransomware.

    Health IT Security provides a related article.

    Bleeping Computer’s The Week in Ransomware reports

    BitDefender and law enforcement released a free decryptor for the MegaCortex ransomware.  Any victims who saved their encrypted files in the hopes of a decryptor being released can recover their files for free.

    From the cyber defense front —

    • Health Tech informs us about “Tips for health systems on managing legacy systems to strengthen security: Bolstering basic security can help protect legacy systems as healthcare organizations make strides to modernize infrastructure.”
    • The National Institute of Standards and Technology informs us

    The Zero Trust Architecture (ZTA) team at NIST’s National Cybersecurity Center of Excellence (NCCoE) has published the second version of volumes A-D and the first version of volume E of a preliminary draft practice guide titled “Implementing a Zero Trust Architecture” and is seeking the public’s comments on their contents. This guide summarizes how the NCCoE and its collaborators are using commercially available technology to build interoperable, open standards-based ZTA example implementations that align to the concepts and principles in NIST Special Publication (SP) 800-207, Zero Trust Architecture.

    Cybersecurity Saturday

    The Wall Street Journal reports on Chief Information Officer cybersecurity priorities for 2023:

    At Cisco Systems Inc., CIO Fletcher Previn said the company is focusing on addressing cyber threats for a remote and in-office workforce, where “we might have video games and smart thermostats on the same network segment as an employee’s remote workplace.”

    That means the networking-equipment maker is adopting a zero-trust architecture, as well as practices like two-factor authentication, investing in network automation, and application scanning, Mr. Previn said.

    “The threat landscape has become more challenging and our networks more porous,” Mr. Previn said. “All it takes is one slip-up or letting your guard down for a minute for an adversary to get in.”

    The Journal also lists CIO favorite reads in 2022.

    Health IT Security “spoke with a variety of industry leaders who shared their healthcare cybersecurity and privacy predictions for the upcoming year.”

    The experts suggested that in order to maintain cybersecurity and patient privacy, organizations will have to continue to adapt and enhance existing security practices to combat ongoing cyber threats.

    However, positive regulatory changes may be on the horizon, and the lasting effects of the pandemic have shown that the sector is more than willing to pivot its strategies and remain resilient amid constant challenges.

    The Cybersecurity and Infrastructure Security Agency added two more known exploited vulnerabilities to its catalog.

    Health IT Security also reminds us

    Improper disposal of protected health information (PHI) can result in HIPAA violations, Office for Civil Rights (OCR) investigations, and hefty fines. * * *

    Fortunately, HHS maintains a great deal of guidance on the proper and improper ways to dispose of physical records and electronic PHI as required under the HIPAA Privacy and Security Rules.

    Happy New Year!

    Cybersecurity Saturday

    The American Hospital Association informs us

    The Healthcare Cyber Communications Center, FBI, Cybersecurity & Infrastructure Security Agency and National Security Agency in December warned of new ransomware strains and other cyber threats targeting health care.

    • The FBI and CISA warned of the “Cuba” Ransomware threat.
    • HC3 warned of the Royal ransomware threat.
    • HC3 warned that a new ransomware strain known as Blackcat was also targeting health care and appeared to be the successor of the notorious Russian speaking REvil ransomware gang.
    • HC3 also warned of the latest version of the LockBit ransomware, known as LockBit 3.0. The LockBit “ransomware as service” in its various forms has targeted health care since 2019.
    • The NSA advised of an advanced persistent threat known as APT5, which may be affiliated with the Chinese government, targeting the Citrix Application Delivery Controller which then provides the adversary broad network access.

    “Our cyber adversaries believe we may pause for the holidays, which may result in their increased targeting of hospitals and health systems as we have seen around past holidays,” said John Riggi, AHA national advisor for cybersecurity and risk. “But our hospitals never close and our network defenders never cease their vigilance.”

    Cybersecurity Dive provides guidance on the same topic.

    Health IT Security reports

    HITRUST plans to release version 11 of its cybersecurity framework (CSF) in January with new and improved features for managing emerging cybersecurity threats and reducing certification efforts, the organization announced.

    As previously reported, HITRUST can help healthcare organizations improve their security postures and manage third-party risk. The HITRUST CSF is a risk and compliance-based framework that aims to provide structure and guidance across a variety of data privacy and security regulations and standards, helping organizations reduce burden and complexity.

    Specifically, CSF v11 offers improved control mappings and precision in order to reduce certification efforts by 45 percent. In addition, the new version “enables the entire HITRUST assessment portfolio to leverage cyber threat-adaptive controls that are appropriate for each level of assurance.”

    CSF v11 also includes expanded authoritative sources, including the National Institute of Standards and Technology (NIST) SP 800-53, Rev 5, and the Health Industry Cybersecurity Practices (HICP) standards.  

    HITRUST also developed artificial intelligence-based standards development capabilities to assist its assurance experts in mapping and maintaining authoritative sources. HITRUST said that this AI-based toolkit will reduce maintenance and mapping efforts by up to 70 percent.

    In event news, CMS announced

    The National Standards Group (NSG), on behalf of the Department of Health and Human Services (HHS), issued a Notice of Proposed Rulemaking (NPRM) CMS-0053-P. The proposed rule, if finalized, would make a regulatory change that would implement requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Patient Protection and Affordable Care Act (Pub. L. 111-148).

    This webinar will provide a public forum for CMS to hear feedback on the proposed rule. The call will cover the following topics:

    • Background on the current standards
    • What the proposed rule would do
    • How to submit comments on the proposed rule

    Note: Feedback received during this call is not a substitute for formal comments on the rule. See the proposed rule for information on submitting comments.

    This free webinar will be held on January 25, 2023, at 2 pm ET. You can register here.

    From the vulnerabilities front, the Healthcare Sector Cybersecurity Coordination Center issued an Analyst Note last Thursday. According to the Executive Summary:

    HC3 is closely tracking hacktivist groups which have previously affected a wide range of countries and industries, including the United States Healthcare and Public Health (HPH) sector. One of these hacktivist groups—dubbed ‘KillNet’—recently targeted a U.S. organization in the healthcare industry. The group is known to launch DDoS attacks primarily targeting European countries perceived to be hostile to Russia, and operates multiple public channels aimed at recruitment and garnering attention from these attacks.

    From the ransomware front, Cybersecurity Dive reports

    • CrowdStrike researchers discovered a new exploit method by Play ransomware actors that can bypass URL rewrite mitigations released by Microsoft in October, according to a Tuesday blog post from the incident response firm. Microsoft’s updates were designed to mitigate ProxyNotShell vulnerabilities.
    • CrowdStrike researchers discovered the new method while investigating Play ransomware activity. The entry vector was suspected to be zero-day vulnerabilities CVE-2022-41080 and CVE-2022-41082, according to the blog.
    • While investigating the attacks, researchers found threat actors entered through Outlook Web Access (OWA) and leveraged Plink and AnyDesk in order to maintain access.

    Bleeping Computer’s The Week in Ransomware is available here. After sharing its thoughts on the Microsoft issue, Bleeping Computer adds

    TrendMicro also confirmed this week our September report that a Conti cell known as Zeon rebranded to Royal Ransomware.

    Other reports this week shed light on various ransomware operations:

    From the cybersecurity defenses front

    • Healthcare IT News offers a roundup of strategies and next steps for improving cybersecurity in 2023.
    • The Wall Street Journal reports that Chief Information Officers and Chief Information Security Officers are working together to better align their respective positions.

    Cybersecurity Saturday

    From Capitol Hill, Roll Call informs us

    The Senate voted overwhelmingly Thursday to pass the final defense authorization bill for fiscal 2023, clearing the sweeping measure for President Joe Biden’s signature.

    If Biden signs the NDAA into law, as he is expected to do, it would be the 62nd straight fiscal year that the defense policy measure has been enacted.

    The Senate’s final NDAA passage vote was 83-11, and 60 votes were required. The House passed the bicameral compromise on Dec. 8.

    Of note to FEHB carriers in the bill, as noted last week, is the Chinese-made semiconductor provision. The law requires a FAR rule to implement the provision within three years, and the FAR rule cannot take effect until December 2027, five years after enactment, which will occur when the President signs the bill.

    The New York Times adds

    The Biden administration on Thursday stepped up its efforts to impede China’s development of advanced semiconductors, restricting another 36 companies and organizations from getting access to American technology.

    The action, announced by the Commerce Department, is the latest step in the administration’s campaign to clamp down on China’s access to technologies that could be used for military purposes and underscored how limiting the flow of technology to global rivals has become a prominent element of United States foreign policy. * * *

    Among the most notable companies added to the list is Yangtze Memory Technologies Corporation, a company that was said to be in talks with Apple to potentially supply components for the iPhone 14.

    On Thursday, Congress passed a military bill including a provision that will prevent the U.S. government from purchasing or using semiconductors made by Y.M.T.C. and two other Chinese chip makers, Semiconductor Manufacturing International Corporation and ChangXin Memory Technologies, because of their reported links to Chinese state security and intelligence organizations.

    The Wiley law firm helpfully offers details on this important provision.

    From the cyber vulnerabilities front —

    The Cybersecurity and Infrastructure Security Agency (CISA) added five known exploited vulnerabilities and then one more to its catalog.

    Healthcare Dive reports

    The HHS’ Office of Information Security has released a report looking at the implications of automation for healthcare cybersecurity and how criminals are using artificial intelligence in their hacking activities.

    Cyberattackers are using AI to build better malware, the office said. The technology includes machine learning-enabled penetration testing tools, AI-supported password guessing and data to enable impersonation on social networking platforms.

    Hackers are also using automated software to identify valuable information such as emails, passwords, credit cards and personal data, according to the report.

    The Healthcare Sector Cybersecurity Coordination Center issued this sector alert:

    Citrix released patches for a vulnerability that impacts both their Application Delivery Controller and Gateway platforms. This vulnerability allows a remote attacker to completely compromise a target system. These vulnerabilities are known to be actively exploited by a highly capable state-sponsored adversary. Furthermore, the Department of Health and Human Services is aware of U.S. healthcare entities that have already been compromised by the exploitation of this vulnerability. HC3 strongly urges all healthcare and public health organizations to review their inventory for these systems and prioritize the implementation of these patches.

    Forbes explains “Why Employee-Targeted Digital Risks Are The Next Frontier Of Enterprise Cybersecurity.”

    From the ransomware front —

    Bleeping Computer’s The Week in Ransomware has a long introduction which begins

    To evade detection by security software, malware developers and threat actors increasingly use compromised code-signing certificates to sign their malware.

    This trend was illustrated this week when Microsoft disclosed during the December Patch Tuesday that developer accounts were compromised to sign malicious, kernel-mode hardware drivers in the Windows Hardware Developer Program.

    Health IT Security reports

    The HHS Health Sector Cybersecurity Coordination Center (HC3) issued two new analyst notes detailing the tactics and indicators of compromise for LockBit 3.0 and BlackCat. The LockBit ransomware family and the BlackCat ransomware variant have been observed targeting the healthcare sector.

    Healthcare organizations should remain vigilant and apply recommended mitigations to reduce risk.

    CISA released an update to its Cuba ransomware advisory.

    From the cybersecurity defenses front

    • Health IT Security tells us

    Organization executives are doubling down on investments toward cybersecurity reliance as an uptick in data security breaches jeopardizes business operations and overwhelms industries, including the healthcare sector, according to a recent Cisco report.

    The “Security Outcomes Report, Volume 3: Achieving Security Resilience” revealed that 96 percent of executives consider security resilience crucial, with 62 percent of organizations surveyed reporting a data security event that impacted business in the past two years.

    When asked to elaborate on the types of resilience-impacting incidents, over half the respondents reported data breaches and system outages. Further, ransomware events and distributed denial of service (DDoS) attacks impacted more than 46 percent of surveyed organizations.

    The report also indicated that the state of security resilience among organizations is mixed, with less than 40 percent confident their organization would fare well during a cybersecurity event.

    • Forbes identifies ten qualities of a good security program and delves into “Tackling Mental Health And Burnout In Cybersecurity.”

    Cybersecurity Saturday

    From the cybersecurity policy front, Cyberscoop reports on the highlights of the cybersecurity provisions of the bipartisan National Defense Authorization Act that the House of Representatives passed this week and the Senate is expected to pass next week.

    The December 7 FEHBlog post included the following Roll Call quote:

    Also of note, the bill would ban contractors across the government from using Chinese-made semiconductors, after a lengthy phase-in period, an aide with knowledge of the provision said Tuesday. Many federal contractors and other businesses say they are unclear how they will comply.

    The Cyberscoop article does not treat this provision as a highlight of the bill. The FEHBlog turned to ComputerWorld, which provides more details on this provision —

    While the draft legislation still provides for [Chinese made semiconductor] restrictions to be enacted, contractors now have five years to comply with them, rather than the two years stipulated in an earlier version of the proposal, and the language of the new draft leaves room for waivers to the restrictions under certain circumstances.

    Cyberscoop adds

    There are a few major exclusions in the combined House and Senate versions, too.

    [For example,] FedScoop’s John Hewitt Jones reports that the NDAA left out an amendment to codify a software bill of materials, or SBOM, in the federal procurement process. Lawmakers removed it following strong criticism from industry.

    That piece of the legislation would have required “all holders of existing covered contracts and those responding to requests for proposals from the U.S. Department of Homeland Security to provide a bill of materials and to certify that items in the bill of materials are free of vulnerabilities or defects,” Hewitt Jones reported.

    Health IT Security tells us

    Experts gathered in Boston on December 5 and 6 for the HIMSS Healthcare Cybersecurity Forum to explore topics such as risk quantification, clinical perspectives on cybersecurity, and medical device security.

    Speakers included leaders from the Health Sector Coordination Council (HSCC), Northwell Health, Forrester, the Federal Bureau of Investigation, the National Institute for Standards and Technology (NIST), and more.

    The presentations collectively showed that healthcare cybersecurity experts are well aware of the risks facing the sector. However, more collaboration, communication, and balance are needed to effectively tackle those risks and emerge stronger as an industry.

    The Cybersecurity and Infrastructure Security Agency (CISA) offers a readout from the December 6 meeting of its Cybersecurity Advisory Committee:

    [CISA] Director [Jen] Easterly led a discussion with committee members on the CSAC’s strategic focus for 2023.   

    “I truly appreciate the caliber of experts who have taken the time to participate in this committee and, moreover, for their continuous work in helping CISA become the Cyber Defense Agency our nation needs and deserves,” said CISA Director Jen Easterly. “I look forward to working with the Committee in the new year to ensure we are continuing to build a more cyber resilient nation to confront the challenges we face in cyber space.”   

    “In a time of critical cybersecurity threats, CISA is in a unique position to make a meaningful impact on our Nation’s security,” said the CSAC Chair and Chairman, President & CEO of Southern Company, Tom Fanning. “The Committee members and I look forward to providing strategic recommendations to CISA’s Director Jen Easterly in the coming year to advance CISA’s mission, as they continue to strengthen the cybersecurity posture of the United States.” 

    From the cyber vulnerabilities front —

    HHS’s Health Sector Cybersecurity Coordinating Center (HC3) released the following documents on this topic:

    CISA added one more known exploited vulnerability to its catalog.

    Cybersecurity Dive looks back at the log4shell cybersecurity crisis that first gained widespread public attention in December 2021.

    One year after the disclosure of a critical vulnerability in the Apache Log4j logging utility, the nation’s software supply chain remains under considerable threat as federal authorities and the information security community struggle to transform how it develops, maintains and consumes applications in a more secure fashion. 

    The vulnerability, dubbed Log4Shell, allowed unauthenticated and untrained threat actors to gain control over applications using a single line of code. 

    Thus far, many of the initial fears of catastrophic cyberattacks have failed to materialize, but federal authorities warn this constitutes a long-term threat that must be carefully monitored and fully remediated to prevent a major security crisis. 

    From the ransomware front —

    Cybersecurity Dive reports, “Ransomware attacks shift beyond US borders; U.S.-based organizations remain the top target for ransomware gangs, but the scale of that misfortune is waning, according to Moody’s.” Here’s the Moody’s report on 2023 Global Cyber Risk.

    HC3 released an analyst report on Royal ransomware. “Royal is a human-operated ransomware that was first observed in 2022 and has increased in appearance. It has demanded ransoms up to millions of dollars. Since its appearance, HC3 is aware of attacks against the Healthcare and Public Healthcare (HPH) sector. Due to the historical nature of ransomware victimizing the healthcare community, Royal should be considered a threat to the HPH sector.”

    The Bleeping Computer’s Week in Ransomware informs us

    This week has been filled with research reports and news of significant attacks having a wide impact on many organizations.

    Last week, Rackspace suffered a massive outage on their hosted Microsoft Exchange environment, preventing customers from accessing their email. On Tuesday, Rackspace finally confirmed everyone’s fears that a ransomware attack caused the outage.

    However, today [December 9] they began warning customers to be on the lookout for targeted phishing emails and to monitor their credit reports and banking account statements for suspicious activity. This warning could indicate that the ransomware operation likely stole data in the attack.

    From the cyber defenses front —

    CISA provides us with

    Phishing Infographic to help protect both organizations and individuals from successful phishing operations. This infographic provides a visual summary of how threat actors execute successful phishing operations. Details include metrics that compare the likelihood of certain types of “bait” and how commonly each bait type succeeds in tricking the targeted individual. The infographic also provides detailed actions organizations and individuals can take to prevent successful phishing operations—from blocking phishing attempts to teaching individuals how to report successful phishing operations.

    ZDNet also discusses how people can identify and deter phishing attacks.

    The National Institute of Standards and Technology issued Special Publication (SP) 1800-34, which offers organizations guidance on verifying that the internal components of the computing devices they acquire are genuine and have not been tampered with.

    Cybersecurity Saturday

    From the cybersecurity policy front —

    Health IT Security reports

    Following reports that patient data was transmitted to Facebook through the use of tracking technology on hospital websites and within password-protected patient portals, the HHS Office for Civil Rights (OCR) issued a bulletin outlining the dos and don’ts of using tracking tech as a HIPAA-covered entity or business associate.

    Covered entities and business associates using tracking tools such as Google Analytics and Meta Pixel should pay close attention to their obligations under HIPAA, OCR noted.

    Cybersecurity Dive informs us

    The Cyber Safety Review Board is set to examine the Lapsus$ ransomware gang, the U.S. Department of Homeland Security announced Friday. A prolific group, Lapsus$ has targeted a wide range of global companies and government agencies, sometimes with ruthless digital extortion, since late 2021. * * *

    “The CSRB will review how this group has allegedly impacted some of the biggest companies in the world, in some cases with relatively unsophisticated techniques, and determine how we all can build resilience against innovative social engineering tactics and address the role of international partnerships in combating criminal cyber actors,” Mayorkas said Friday during a conference call with reporters. “As cyberthreats continue to evolve, we have to evolve the methods we use to protect ourselves against cybercriminal activity and increase our resilience against future attacks.” * * *

    CSRB Deputy Chair Heather Adkins, VP of security engineering at Google, noted that many of the reported targets of Lapsus$ were considered to have very strong cybersecurity programs. These organizations had followed recommended security controls, and in some cases even advanced controls, but still felt a significant impact from the attacks. 

    Several alleged members of the extortion gang have been arrested, but researchers suspect other affiliates of Lapsus$ remain unaccounted for.

    Healthcare Dive offers an interview with the National Coordinator for Health IT, Mickey Tripathi, about federal health information blocking enforcement.

    From the cybersecurity breaches/vulnerabilities front —

    • Health IT Security summarizes recent breaches suffered by healthcare organizations.
    • ZIP and RAR files have overtaken Office documents as the file most commonly used by cyber criminals to deliver malware, according to an analysis of real-world cyber attacks and data collected from millions of PCs. 
    • The research, based on customer data by HP Wolf Security, found in the period between July and September this year, 42% of attempts at delivering malware attacks used archive file formats, including ZIP and RAR.  
    • That means cyber attacks attempting to exploit ZIP and RAR formats are more common than those which attempt to deliver malware using Microsoft Office documents like Microsoft Word and Microsoft Excel files, which have long been the preferred method of luring victims into downloading malware.

    From the ransomware front —

    • The Health Sector Cybersecurity Coordination Center shared an updated CISA / FBI alert about a Cuba ransomware actor.
    • The Bleeping Computer released its Week in Ransomware.

    From the cybersecurity defenses front —

    • Venture Beat offers Gartner analysts’ eight cybersecurity predictions for 2023.
    • Health IT Security reports “Connected device security company Ordr published a maturity model to help healthcare organizations evaluate and improve the security of their connected devices. The guide is broken down into five stages of maturity, each with recommended actions and detailed descriptions.”
    • The Wall Street Journal warns “Companies should do a better job of handling internal cybersecurity complaints before they escalate to whistleblowing, which is becoming more common in the cyber field, lawyers and industry veterans said.”

    Cybersecurity Saturday

    From the cybersecurity policy front, Cybersecurity Dive tells us

    The Defense Department officially launched its zero trust strategy and road map Tuesday, part of a larger strategy to overhaul the way federal agencies combat sophisticated threat actors, including those from criminal organizations and rogue nation states. 

    The DOD will move away from a perimeter-based approach for IT systems defense to a system that essentially assumes the risk of breach during regular interactions and will act accordingly. The plan calls for the Pentagon’s full implementation of the strategy and road map by fiscal 2027.  * * *

    Microsoft, in a blog post released Tuesday, praised the DOD announcement on zero trust, noting the challenge of collaborating on zero trust amid the difficulties of comparing implementations across various organizations and technology stacks. 

    “However the level of detail found in the DoD’s strategy provides a vendor-agnostic, common lens to evaluate the maturity of a variety of existing and planned implementations that were derived from the DoD’s unique insights on cybersecurity,” Steve Faehl, federal security CTO at Microsoft, said in the blog post. 

    From the cybersecurity vulnerabilities front, Forbes offers “A Boiling Cauldron: Cybersecurity Trends, Threats, And Predictions For 2023.”

    From the ransomware front, Health IT Security reports

    Lorenz ransomware poses a threat to the healthcare sector, particularly larger organizations, the Health Sector Cybersecurity Coordination Center (HC3) warned in its latest analyst note. The human-operated ransomware group has been known to focus on “big-game hunting,” targeting large, high-profile entities rather than private users.

    Lorenz threat actors are known to publish data publicly as a tactic to pressure victims during the extortion process. The actors have been observed demanding hefty ransoms, ranging from $500,000 to $700,000.

    From the cybersecurity defenses front, Cybersecurity Dive informs us

    Cybercriminals are prepared and ready to target online shoppers with fake websites, malicious links and fake charities, the Cybersecurity and Infrastructure Security Agency warned as the holiday shopping season gets underway.

    “By following a few guiding principles like checking your devices, shopping from trusted sources, using safe purchasing methods, and following basic cyber hygiene like multifactor authentication, you can drastically improve your online safety when shopping online for gifts this year,” CISA Director Jen Easterly said in a statement.

    The federal agency shared tips for individuals to limit cyber risks while shopping online, and encouraged organizations to review guidance it released last year with the FBI to manage cyberthreats during the holidays.

    Cybersecurity Saturday

    From Capitol Hill, Politico tells us about developments in privacy and cybersecurity legislative efforts.

    From the cyber vulnerabilities front —

    • The HHS Health Sector Cybersecurity Coordination Center (HC3) issued its monthly vulnerabilities bulletin for October 2022.
    • The Cybersecurity and Infrastructure Security Agency (CISA) added another known exploited vulnerability to its catalog.
    • ZDNet reports on a “concerning” tactic that hackers are using to dodge multi-factor authentication.
    • Health IT Security adds “Numerous cloud attacks are successfully exploiting the healthcare sector for financial gain, according to a newly released 2022 Cloud Security Report by cybersecurity vendor Netwrix.”

    Cybersecurity Dive warns us

    More than one-third of respondents said it took their organization longer to assess the scope, stop and recover from a holiday or weekend attack compared to a weekday, according to a Cybereason survey published Wednesday [November 16]. Larger organizations with more than 2,000 employees were even more likely to experience delays.

    Organizations would lose more money as a result of a ransomware attack on a weekend or holiday than they were a year ago, according to Cybereason. One-third of respondents said their organization lost more money from a holiday or weekend ransomware attack, up from 13% in 2021.

    Organizations in education and travel and transportation reported a greater likelihood of financial losses from a holiday or weekend attack instead of a weekday. About 2 in 5 respondents in those industries said their organization suffered a larger economic impact.

    From the ransomware front —

    Health IT Security reports

    HHS, the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory about Hive ransomware actors. The ransomware actors have been repeatedly targeting critical infrastructure, especially the healthcare sector since they were first observed in June 2021.

    As of November 2022, Hive ransomware actors have victimized more than 1,300 companies globally and gained $100 million in ransom payments. The group has claimed multiple healthcare victims, including an attack on Memorial Health System in August 2021 that resulted in appointment cancellations, clinical disruptions, and EHR downtime. * * *

    Healthcare organizations should secure and monitor RDP, install updates for software, firmware, and operating systems as soon as they are released, and maintain offline data backups. In addition, organizations were encouraged to enable PowerShell Logging and install and regularly update antivirus software.

    The federal bodies also urged organizations to prepare for the event of a ransomware attack by reviewing the security postures of third-party vendors, implementing a recovery plan, and documenting external remote connections.

    In the event of a Hive ransomware attack, organizations should isolate infected systems, secure backups, and turn off other computers and devices to manage the attack. Paying the ransom is also highly discouraged, as it may incentivize threat actors to continue victimizing organizations.

    “This is another example of foreign-based, primarily Russian-speaking, hackers attacking U.S. health care,” John Riggi, the American Hospital Association’s (AHA) national advisor for cybersecurity and risk, said in a subsequent announcement.
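    One of the mitigations the joint advisory recommends above is enabling PowerShell logging. The script below is an added example (it is not from the advisory, HC3, or the FEHBlog) showing how a Windows administrator can turn on Script Block Logging and Module Logging through the same registry policy keys that Group Policy writes, confirm the setting, and pull the resulting 4104 events for review. It assumes it is run from an elevated Windows PowerShell session on a domain-joined or standalone host; the function names are the example’s own.

```powershell
# Added example, not from the advisory or the blog. Run from an elevated PowerShell session.
# These policy keys are the ones the "Turn on PowerShell Script Block Logging" and
# "Turn on Module Logging" Group Policy settings write; setting them directly has the same effect.
$ScriptBlockKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$ModuleKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
$ModuleNamesKey = Join-Path $ModuleKey 'ModuleNames'

function Enable-PSLoggingPolicy {
    # Create the policy keys if no GPO has created them yet.
    foreach ($key in @($ScriptBlockKey, $ModuleKey, $ModuleNamesKey)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # Script Block Logging records the text of every script block PowerShell compiles (event ID 4104).
    New-ItemProperty -Path $ScriptBlockKey -Name 'EnableScriptBlockLogging' -Value 1 -PropertyType DWord -Force | Out-Null
    # Module Logging records pipeline execution details (event ID 4103); '*' = all modules.
    New-ItemProperty -Path $ModuleKey -Name 'EnableModuleLogging' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $ModuleNamesKey -Name '*' -Value '*' -PropertyType String -Force | Out-Null
}

function Test-PSLoggingPolicy {
    # Returns an object a compliance check or a SIEM collector can read; $true means enabled.
    $sb = (Get-ItemProperty -Path $ScriptBlockKey -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    $ml = (Get-ItemProperty -Path $ModuleKey -ErrorAction SilentlyContinue).EnableModuleLogging
    [pscustomobject]@{
        ScriptBlockLogging = ($sb -eq 1)
        ModuleLogging      = ($ml -eq 1)
    }
}

function Get-RecentScriptBlockEvents {
    # Script block text lands in the Microsoft-Windows-PowerShell/Operational log as event 4104;
    # Properties[2] of that event holds the ScriptBlockText field.
    param([int]$Count = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ Name = 'ScriptBlockText'; Expression = { $_.Properties[2].Value } }
}

Enable-PSLoggingPolicy
Test-PSLoggingPolicy
Get-RecentScriptBlockEvents -Count 5
```

    The policy takes effect for new PowerShell sessions, so the 4104 query will only return events generated after the setting was applied. Forwarding the Microsoft-Windows-PowerShell/Operational log to a central collector is what makes the setting useful during an incident; enabling it on the endpoint alone leaves the evidence where an attacker with local admin can clear it.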

    Here is Bleeping Computer’s current Week in Ransomware.

    Other news this week includes new reports on rising ransomware operations:

    From the cybersecurity defenses front

    • The National Institute of Standards and Technology issued SP 800-125, which is a “Guide to a Secure Enterprise Network Landscape.”
    • Forbes provides a new approach to closing the cybersecurity talent gap.