Cybersecurity Saturday

From the cyber threats and concerns front —

Health IT Security reports

The Health Sector Cybersecurity Coordination Center (HC3) issued a threat profile about Evil Corp and warned that the prolific group could threaten healthcare cybersecurity.

The Russian-based cybercriminal syndicate has been operational since 2009 and is responsible for creating some of the most powerful ransomware and malware variants. The group maintains strong connections to the Russian government and other cybercriminal gangs.

HC3 described the group as “exceptionally aggressive and capable.” Considering the group’s past crimes, this description seems highly accurate. In 2019, Evil Corp used Dridex malware to harvest login credentials from hundreds of banks, raking in more than $100 million in stolen funds.

The HC3 threat profile points out

Evil Corp should be considered a significant threat to the U.S. health sector based on several factors. Ransomware is one of their primary modi operandi as they have developed and maintained many strains. Many ransomware operators have found the health sector to be an enticing target as, due to the nature of their operations, they are likely to pay some form of ransom to restore operations. Healthcare organizations are particularly susceptible to data theft as personal health information (PHI) is often sold on the dark web to those looking to leverage it for fraudulent purposes. Foreign governments often find it to be more cost effective to steal research and intellectual property via data exfiltration cyberattacks rather than invest time and money into conducting research themselves. This includes intellectual property related to the health sector. It is entirely plausible that Evil Corp could be tasked with acquiring intellectual property from the U.S. health sector using such means at the behest of the Russian government.

Bleeping Computer, which is not offering the Week in Ransomware this holiday weekend, delves into the Lockbit ransomware gang.

Cybersecurity Dive informs us

A critical, but long-anticipated decision by Lloyd’s last week to phase out coverage for state-sponsored cyberattacks illustrates an insurance market that has been under increasing financial pressure for years. It also raises questions for U.S. companies about their preparedness and long-term risks amid more dangerous and sophisticated threats. 

“Cyber remains a priority area for Lloyd’s,” a spokesman said in an emailed statement. This month’s advisory guidance, “following consultation with our market, is to ensure we take on the right kinds of risk as a market while approaching this complex field with the expertise and diligence it requires.” 

The company said it will continue to take a pragmatic and innovative approach to supporting the growth of cyber. 

Lloyd’s policy says the company’s role is to support a competitive and resilient cyber insurance market, but the bulletin has not mandated clauses for managing agents. Instead of applying a one-size-fits-all approach, the new guidance encourages managing agents to apply due diligence to the specific complexities of state-sponsored attacks. 

From the cyber defenses front —

  • Cybersecurity Dive discusses best practices for getting full value out of multi-factor authentication and the case for a passwordless future.
  • Health IT Security says, “When properly implemented, zero trust security strategies can help healthcare organizations bolster their security efforts. However, the sector faces unique challenges surrounding IoT devices and identity and access management that are worth considering when contemplating zero trust in healthcare. In a new white paper, Health-ISAC provided guidance for healthcare CISOs to help them understand and implement zero trust security strategies.”
  • ZDNet offers Microsoft guidance on how to reduce exposure to ransomware attacks.
  • CISA calls attention to necessary updates to certain Apple products.
  • Fortune lists “five free online cybersecurity courses hosted by top universities.”

Cybersecurity Saturday

From the cyber breach front —

Cybersecurity Dive reports

LastPass, a password manager used by more than 33 million registered users, said an unauthorized actor was able to breach its systems, taking portions of its source code and some proprietary technical information, CEO Karim Toubba said Thursday.

LastPass said the incident was detected about two weeks ago after it identified unusual activity in the company’s development environment. However, after an investigation, it was determined no customer data or encrypted vaults were accessed. 

The company, which has more than 100,000 business customers, deployed containment and mitigation measures and hired a leading cybersecurity and forensics firm to help determine what happened. 

“While our investigation is ongoing, we have achieved a state of containment, implemented enhanced security measures, and see no further evidence of unauthorized activity,” Toubba said. 

The company is currently evaluating further mitigation measures.

Healthcare Dive adds

Cyberattacks are increasingly being focused on smaller healthcare companies and specialty clinics without the resources to protect themselves, instead of larger health systems that — despite being treasure troves of personal and medical data — generally have more sophisticated security, according to a new report from Critical Insight.

Cybercriminals hit the jackpot this year with the Eye Care Leaders electronic medical records breach, which exposed more than 2 million records. Other major attacks include those against revenue cycle management vendor Practice Resources, printing services vendor OneTouchPoint and accounts receivable firm Professional Financial Company that exposed the data of about 940,000 individuals, 1.1 million individuals and 1.9 million individuals respectively.

Overall breaches are steadily declining from their peak in the second half of 2020. But the trend of focusing on a systemic technology used across most providers is one the cybersecurity firm expects to continue throughout the remainder of the year, the report, which analyzes breach data reported to the HHS, said.

From the cyber vulnerabilities front —

CISA announced on August 24, 2022

Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system. 

CISA encourages users and administrators to review the Mozilla security advisories for Firefox 104, Firefox ESR 91.13, Firefox ESR 102.2, Thunderbird 91.13 and Thunderbird 102.2 and apply the necessary updates.

On August 23, 2022, CISA updated its August 16, 2022, alert on “Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite.”

From the ransomware front —

Cyberscoop tells us

Ransomware cases jumped 47 percent amid a rise in attacks involving newer strains of malicious software infecting targets, according to the cybersecurity firm NCC Group.

Reported incidents increased to 198 in July from 135 in June, according to the firm that issues semi-regular reports on ransomware activity by tracking websites that post victims’ details.

The Health Sector Cybersecurity Coordination Center (HC3) issued an analyst’s note on the Karakurt threat profile.

Karakurt ransomware group, also known as the Karakurt Team and Karakurt Lair, is a relatively new cybercrime group, with researchers reporting its first emergence in late 2021. Karakurt actors claim to steal data and then threaten to auction it off or release it to the public unless they receive payment of the demanded ransom, which have been known to range from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim. The group likely has ties to the Conti ransomware group, either as a business relationship or as a side business with Conti. Karakurt is also known for extensive harassment campaigns against victims to shame them. HC3 recommends the Healthcare and Public Health Sector (HPH) be aware of their operations and apply appropriate cybersecurity principles and practices found in this document in defending their infrastructure and data against compromise.

Here’s a link to the latest Week in Ransomware from the Bleeping Computer, which has the following lead —

We saw a bit of ransomware drama this week, mostly centered around LockBit, who saw their data leak sites taken down by a DDoS attack after they started leaking the allegedly stolen Entrust data.

From the cyber defenses front —

Security Intelligence offers businesses advice on creating and improving a Ransomware Playbook.

Cybersecurity Dive tells us

With all the uncertainty around the economy — and recession fears — organizations have to make some tough decisions as they plan 2023 budgets. 

IT budgets are expected to take a hit, as Gartner predicts that, while organizations will continue spending on IT, it will be at a much slower pace than in recent years.

If IT spending is slowing, will business leaders follow a similar approach for cybersecurity budgets? The answer is probably not. Gartner predicts that the end-user spending on both security technology and services will see an annual growth rate of 11% over the next four years, and many security professionals agree with that assessment.

That’s the way it should be, according to Bob Stevens, VP of public sector at GitLab.

“If it isn’t already, I foresee security becoming one of the top investment areas for companies and government agencies in the coming year – especially in the form of DevSecOps,” said Stevens. 

In fact, cybersecurity is now one of the top spending considerations for government and private sector leaders, according to GitLab’s 2022 Global DevSecOps Survey.

Health IT Security reports

More healthcare organizations are engaging with healthcare cybersecurity and data privacy consulting vendors to help mitigate risk and avoid the numerous repercussions of healthcare cyberattacks, data breaches, and HIPAA violations, a new KLAS report noted.

Researchers asked healthcare professionals about the security and privacy consulting vendors that their organizations worked with and how satisfied they were with vendor relationships, services, operations, and value.

Respondents reported being highly satisfied with First Health Advisory and Impact Advisors in particular. Healthcare professionals also reported improved executive involvement within Clearwater and CynergisTek, the latter of which recently entered 

Other assessed vendors included tw-Security, Intraprise Health, Guidehouse, Fortified Health Security, and Meditology Services.

Cybersecurity Saturday

From the cyber policy front —

Cybersecurity Dive reports

Cybersecurity and Infrastructure Security Agency Director Jen Easterly praised the efforts of the Joint Cyber Defense Collaborative (JCDC) following its one-year anniversary, saying in a blog post the public-private partnership has helped limit cyber risk at scale. 

JCDC helped federal agencies and private sector partners mitigate some major cybersecurity threats, Easterly said, including the Log4Shell crisis from December 2021; the development of the Shields Up campaign related to the Russia invasion of Ukraine; and the Daxin malware discovery from February. 

JCDC recently expanded to include industrial control partners. The change comes at a time when sophisticated malware threatens major critical infrastructure targets in the U.S. JCDC is also working to protect the nation’s election infrastructure from nation-state threats ahead of the November midterm elections.

and

U.S. executives now consider cyberattacks the No. 1 risk companies are confronting, according to a PwC Pulse survey released Thursday. The study shows 40% of top business executives consider cyberattack risk their top concern, followed by talent acquisition at 38%. 

Cybersecurity concerns have moved well beyond the office of the CISO or cyber risk officer, as the entire C-suite and corporate boards are focused on the risks of cyberattack. 

Almost half of all corporate executives said they are making additional investments in cybersecurity, while slightly more than half of executives said they are increasing investments in digital transformation.

Health IT Security adds

US Senator Angus King (I-ME) and Representative Mike Gallagher (R-WI), both co-chairs of the Cyberspace Solarium Commission (CSC), wrote a letter to HHS Secretary Xavier Becerra asking about the current status of HHS’ healthcare cybersecurity efforts.

King and Gallagher, who also authored the Sector Risk Management Agency (SRMA) legislation, urged HHS and the Biden administration to bolster cybersecurity efforts and called on HHS to hold an urgent briefing on the administration’s current cybersecurity posture and plans for improvement.

From the cyber vulnerabilities front —

The Wall Street Journal reports

All companies should be using two-factor authentication at least to secure their systems, but relying on text messages alone is foolish, cybersecurity experts say.

The process, known as 2FA, adds another level of protection to systems by requiring users to verify their identity through more than just a password. Often, this takes the form of a verification code sent by text message—or SMS—or voice calls, but experts warn that these systems are becoming increasingly out of date.

“SMS was never designed to be a 2FA method,” said Jamie Boote, associate principal consultant at cybersecurity company Synopsys Software Integrity Group. “Originally, it was a maintenance communication channel between cell towers and phones. It only became a consumer-centric communications channel after users discovered they could send text messages to one another.”

The widespread use of SMS as a security mechanism has also increased hackers’ focus on compromising the technology, Mr. Boote said. Hackers also use SMS as an avenue to launch other attacks, he said. Common methods include phishing attacks by text message, known as smishing, and SIM-swapping, in which a cellphone is cloned, meaning attackers can read messages sent to a device. * * *

Mobile security specialists say the best forms of protection for 2FA are security tokens such as those developed by the Fast Identity Online Alliance, or FIDO, a consortium including Apple Inc., Microsoft Corp. and Alphabet Inc.’s Google that is creating open security standards. The general lack of security in mobile phones means they are often easy targets for hackers without the added protection that more advanced security technologies such as those developed by FIDO provide, said Hank Schless, senior manager of security solutions at cyber company Lookout Inc.

ZDNet adds

Using [multi-factor authentication] MFA protects against the vast majority of attempted account takeovers, but recently there’s been a surge in cyber attacks which aim to dodge past multi-factor authentication security. According to Microsoft, in just one campaign 10,000 organizations have been targeted in this way during the last year.

One option for hackers who want to get around MFA is to use a so-called adversary-in-the-middle (AiTM) attack, which combines a phishing attack with a proxy server between the victim and the website they’re trying to log in to. This allows the attackers to steal the password and session cookie which provides the additional level of authentication they can exploit – in this case to steal email. The user simply thinks they have logged into their account as usual.

“Note that this is not a vulnerability in MFA; since AiTM phishing steals the session cookie, the attacker gets authenticated to a session on the user’s behalf, regardless of the sign-in method the latter uses,” as Microsoft notes of that particular campaign. * * *

While it isn’t totally infallible, using multi-factor authentication is still a must as it stops a significant amount of attempted account takeover attempts. But as cybercriminals get smarter they’re increasingly going to go after it – and that requires extra levels of defense, particularly from those responsible for securing networks. 

“It’s good it’s recommended because you won’t be the lower hanging fruit. But you definitely need to augment it with additional layers of security because, just like any other siloed security solution, it can be circumvented and you can’t think everything is secure, just because of one security layer,” says Etay Maor, senior director of security strategy at Cato Networks.  

and

There’s been a big rise in cybercriminals combining fraudulent emails and telephone calls to trick victims into disclosing sensitive information like passwords and bank details.

Known as vishing attacks, criminals and scammers telephone victims and attempt to use social engineering to trick them into giving up personal data.  

Researchers warn that vishing and other email-based phishing attacks will continue to be a problem – but there are steps that organisations can take to help prevent attacks.

“Capabilities to automatically detect and remove threats from all infected employee inboxes before users can interact with them also plays a critical role, as well as a proper security training regimen, to prepare users to be on the lookout for such threats,” said John Wilson, the senior fellow responsible for threat research at Agari. 

The Health Sector Cybersecurity Coordination Center (HC3) issued an analyst’s note on vishing this week.

This week

  • CISA “and the Multi-State Information Sharing & Analysis Center (MS-ISAC) published a joint Cybersecurity Advisory (CSA) in response to active exploitation of multiple Common Vulnerabilities and Exposures (CVEs) against Zimbra Collaboration Suite (ZCS), an enterprise cloud-hosted collaboration software and email platform.”
  • CISA also added seven known exploited vulnerabilities to its catalog.
  • HC3 issued a Sector Alert on Apple fixes to two Zero Day Exploits.
  • HC3 also released its vulnerability bulletin concerning “July Vulnerabilities of Interest to the Health Sector.”

HC3 posted a PowerPoint presentation on the impact of social engineering on healthcare.

From the ransomware front, here is a link to the latest Bleeping Computer’s Week in Ransomware.

From the Cyber defenses front —

Cybersecurity Dive reports

A fundamental shift in information security practices is underway, as 55% of organizations now have a zero trust initiative in place, more than double the 24% totals from a year ago, according to the State of Zero Trust report from Okta released Tuesday. 

The report shows almost universal adoption of zero-trust principles, as 97% of businesses either have a zero trust initiative in place or will adopt one in the next 12-18 months. 

“Today we’ve seen that zero trust is no longer a theoretical idea — it’s an active initiative that almost every organization across [every] industry is implementing,” Christopher Niggel, regional chief security officer for the Americas at Okta, said via email.

Security Week offers expert opinions on prevention being the future of cybersecurity and the future of endpoint management.

Cybersecurity Saturday

From the cyber policy front, the FEHBlog noticed that OMB’s Office of Information and Regulatory Affairs recently had concluded its work on FAR Case 2017-016, a proposed rule on Controlled Unclassified Information (CUI). Surprisingly, the proposed rule has been withdrawn. The FEHBlog had been tracking this rule because health claims data is considered CUI.

From the cyber vulnerabilities front,

Tech Republic discusses “how credential phishing attacks threaten a host of industries and organizations.”

For the first half of 2022, email attacks against organizations rose by 48%, according to the report. Out of all those attacks, 68% were credential phishing attempts that contained a link designed to steal sensitive account information. Over the same time, 265 different brands were spoofed in phishing emails.

The HHS Health Sector Cybersecurity Coordination Center (HC3) released last week analyst notes on the following topics:

CISA added two new known exploited vulnerabilities to its catalog.

Cybersecurity Dive reports

Researchers from Rapid7 discovered 10 vulnerabilities in Cisco firewall and network security products; however, after reporting them to the company in February and March, six of the flaws have not been fully patched.

The vulnerabilities were found in Cisco Adaptive Security Software (ASA), ASDM and Firepower Services Software for ASA. Cisco has more than 300,000 security customers, and more than 1 million ASA devices are deployed worldwide. 

Most of the vulnerabilities allow attackers to execute arbitrary code, Jake Baines, lead security researcher at Rapid7, said via email. Rapid7 researchers presented the findings this week at Black Hat USA in Las Vegas.

From the ransomware front, CISA announced on August 11 that

CISA and the Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory (CSA), #StopRansomware: Zeppelin Ransomware, to provide information on Zeppelin Ransomware. Actors use Zeppelin Ransomware, a ransomware-as-a-service (RaaS), against a wide range of businesses and critical infrastructure organizations to encrypt victims’ files for financial gain.

CISA encourages organizations to review #StopRansomware: Zeppelin Ransomware for more information. Additionally, see StopRansomware.gov for guidance on ransomware protection, detection, and response. 

ZDNet delves into Zeppelin ransomware at this link.

Zeppelin actors are known to have demanded ransoms of several thousand dollars to in excess of $1 million. The advisory references Core Security’s research, which describes Zeppelin as a “well-organized” threat.

Security Week reports

Profit-driven cybercriminals breached Cisco systems in May and stole gigabytes of information, but the networking giant says the incident did not impact its business.

Cisco on Wednesday released a security incident notice and a technical blog post detailing the breach. The intrusion was detected on May 24, but the company shared its side of the story now, shortly after the cybercriminals published a list of files allegedly stolen from its systems.

The level of attacker sophistication disclosed in the technical blog post is eye-opening.

Here is a link to Bleeping Computer’s The Week in Ransomware, which leads with the Cisco hack.

From the cyber defense front

An ISACA expert discusses the state of the cyber insurance market.

While premiums are leveling off, the hardening of the cyber insurance market is ongoing and will impact how policies are underwritten. In the meantime, organizations can benefit from improving their security and control postures with the goal of reducing insurance costs.

The Wall Street Journal reports

A group of 18 tech and cyber companies said Wednesday they are building a common data standard for sharing cybersecurity information. They aim to fix a problem for corporate security chiefs who say that cyber products often don’t integrate, making it hard to fully assess hacking threats.

Amazon.com Inc.’s AWS cloud business, cybersecurity company Splunk Inc. and International Business Machines Corp.’s security unit, among others, launched the Open Cybersecurity Schema Framework, or OCSF, Wednesday at the Black Hat USA cybersecurity conference in Las Vegas.

Products and services that support the OCSF specifications would be able to collate and standardize alerts from different cyber monitoring tools, network loggers and other software, to simplify and speed up the interpretation of that data, said Patrick Coughlin, Splunk’s group vice president of the security market. “Folks expect us to figure this out. They’re saying, ‘We’re tired of complaining about the same challenges.’”

Other companies involved in the initiative are CrowdStrike Holdings Inc., Rapid7 Inc., Palo Alto Networks Inc., Cloudflare Inc., DTEX Systems Inc., IronNet Inc., JupiterOne Inc., Okta Inc., Salesforce Inc., Securonix Inc., Sumo Logic Inc., Tanium Inc., Zscaler Inc. and Trend Micro Inc.

Cybersecurity Saturday

From the cyber vulnerabilities front —

CISA released an alert on 2021 top malware strains and added one more known exploited vulnerability to its catalog.

The Health Sector Cybersecurity Coordination Center (HC3) released an analyst note on internet of things security and a PowerPoint presentation on the Open Web Application Security Project’s (OWASP) Top 10.

OWASP is a nonprofit foundation dedicated to improving software security, and its Top 10 is “a standard awareness document for developers and web application security that represents a broad consensus about the most critical security risks to web applications.”

Cybersecurity Dive reported last Tuesday

VMware disclosed yet another critical vulnerability that threat actors could exploit to bypass authentication in the same products that carried a similar defect in May with equal potential for severe damage.

The latest vulnerability, CVE-2022-31656, impacts VMware Workspace ONE Access, Identity Manager and vRealize Automation, according to an initial security advisory issued Tuesday by VMware. This is the second authentication bypass vulnerability to hit these products in less than three months.

VMware issued patches for three impacted products and rated the vulnerability in the critical severity range with a 9.8 score on the common vulnerability scoring system, bearing another similarity to the previous bug.

From the ransomware front, Bleeping Computer’s The Week in Ransomware is back. This issue concerns cyberinsurance.

Cybersecurity Dive reported last Monday

Ransomware and business email compromise accounted for more than two-thirds of all cyberattacks during the past 12 months, according to Palo Alto Networks’ Unit 42.

The pair of top attacks represent the most lucrative means by which threat actors can turn illicit network access into financial gain.

Software vulnerabilities accounted for nearly half of all cases of initial access used by threat actors to deploy ransomware, Unit 42 wrote in a report published last week. The outsized threat posed by software vulnerabilities is further exacerbated by threat actors that can scan the internet at scale for weak points.

and last Thursday

A new report created to help organizations navigate ransomware risks exemplifies the challenges small- to medium-sized businesses confront in the battle against just one of many cyberthreats. 

The recommendations, identified to help SMBs with limited cybersecurity expertise, include 40 safeguards. That’s a curated subset of the guidance in the Center for Internet Security’s critical security controls.

The report’s authors acknowledge not every organization has the resources to implement every safeguard immediately, but they maintain any actions taken, full or partial, represent a step in the right direction.

An ISACA expert offers an interesting perspective on “midgame” defenses against ransomware.

From the cyberdefense front —

The FEHBlog ran across this HHS 405(d) site with news and awareness resources. The awareness resources include information on data patching and security for small, medium, large businesses. “The 405(d) program is a collaborative effort between industry and the federal government to align healthcare industry security practices in an effort to develop consensus-based guidelines, practices, and methodologies to strengthen the healthcare and public health (HPH) sector’s cybersecurity posture against cyber threats.”

Health IT Security discusses how to identify and address insider threats in healthcare.

CSO explains how to create defense in depth by layering tools and processes for better cybersecurity.

Cybersecurity Saturday

From the cyber breaches front, Health IT Security reports

Healthcare data breaches cost an average of $10.1 million per incident last year, IBM Security found in the 2022 edition of its “Cost of a Data Breach Report.” The figure signified a 9.4 percent increase from the 2021 report and a 41.6 percent increase from 2020. For the 12th consecutive year, the healthcare sector suffered the most expensive data breach costs compared to any other industry examined in the report. * * *

The use of stolen or compromised credentials remained the top cause of a data breach in the 2022 report, accounting for 19 percent of all analyzed breaches.

[P]hishing attacks emerged as the second most common cause of a breach, accounting for 16 percent of all analyzed breaches. Additionally, phishing was the most expensive breach type, averaging $4.91 million.

Business email compromise (BEC) averaged $4.89 million in costs, making it nearly as expensive as a phishing attack. Unsurprisingly, incidents that had the longest average times to identify and contain them were also the most expensive.

From the cybervulnerabilities front —

Cybersecurity Dive tells us

Threat actors are increasingly distributing malware via container files, including ISO and RAR, as well as Windows shortcut files (LNK), following prior decisions by Microsoft to block macros by default in Microsoft Office, according to Proofpoint research released Thursday.

Microsoft previously disclosed plans to block XL4 and VBA macros in Office by default in October 2021 and February, respectively. 

Proofpoint researchers said the use of VBA and XL4 macros fell by 66% between October 2021 and June of this year. The researchers call the movement one of the “largest email threat landscape shifts in recent history.”

CISA added another known exploited vulnerability to its catalog. The Hacker News explains

The vulnerability, tracked as CVE-2022-26138, concerns the use of hard-coded credentials when the Questions For Confluence app is enabled in Confluence Server and Data Center instances. “A remote unauthenticated attacker can use these credentials to log into Confluence and access all content accessible to users in the confluence-users group,” CISA notes in its advisory.

From the ransomware front, while regrettably Bleeping Computer’s The Week in Ransomware is off again this week, Bleeping Computer does report

Ransomware statistics from the second quarter of the year show that the ransoms paid to extortionists have dropped in value, a trend that continues since the last quarter of 2021.

Ransomware remediation firm Coveware has published a report today with ransomware data from the second quarter of 2022 showing that although the average payment increased, the median value recorded a significant drop.

This continues a downward trend since Q4 2021, which represented a peak in ransomware payments both average ($332,168) and median ($117,116).

“This trend reflects the shift of RaaS affiliates and developers towards the mid-market where the risk to reward profile of attack is more consistent and less risky than high profile attacks,” comments Coveware in the report.

“We have also seen an encouraging trend among large organizations refusing to consider negotiations when ransomware groups demand impossibly high ransom amounts.” The median size of the companies targeted this quarter dropped even further, with the actors looking for smaller yet financially healthy organizations to disrupt, the company says.

Security Week adds

Cybersleuths at Microsoft have found a link between the recent ‘Raspberry Robin’ USB-based worm attacks and EvilCorp, a notorious Russian ransomware operation sanctioned by the U.S. government.

According to fresh data from Redmond’s threat intelligence team, a ransomware-as-a-service gang it tracks as DEV-0206 has been caught rigging online ads to trick targets into installing a loader for additional malware previously attributed to EvilCorp.

Even more ominously, Microsoft said its research teams discovered EvilCorp malware distribution tactics and observed behavior all over the ‘Raspberry Robin’ worm seen squirming through corporate networks earlier this week.

The connection suggests the cybercriminals behind the EvilCorp operation are working with other groups to get around the U.S. Justice department sanctions that block ransomware extortion payments.

“The use of a RaaS payload by the ‘EvilCorp’ activity group is likely an attempt by DEV-0243 to avoid attribution to their group, which could discourage payment due to their sanctioned status,” Microsoft said. EvilCorp is allegedly run by Russian nationals Maksim Yakubets and Igor Turashev, who were charged by the United States in 2019. 

Cybersecurity Saturday

From Capitol Hill, Cyberscoop reports

The House Energy and Commerce Committee voted Wednesday [July 20] to advance sweeping privacy legislation with strong bipartisan support.

The American Data and Privacy Protection Act (ADPPA) [H.R. 8152] could see a full floor vote as early as next week, moving forward what would become the nation’s first comprehensive privacy law.

But some lawmakers and privacy experts are now alarmed the legislation may not address some of the most pressing issues related to consumer privacy — reining in the massive growth in data brokers that buy and sell the public’s information and curbing potential abuse of commercial data such as reproductive health information. * * *

The American Data Privacy Protection Act isn’t the only potential mechanism for Congress to crack down on data brokers or the abuse of their services. For instance, [Sen. Ron] Wyden’s bipartisan and bicameral The Fourth Amendment Is Not For Sale Act [S. 1265 and H.R. 2738] would prohibit law enforcement from purchasing data that would otherwise require a warrant. House Judiciary leaders called for a markup of the bill at a hearing on Tuesday [July 19].

Several House Energy and Commerce Committee members made clear Wednesday that they would like to see additional discussion before giving the bill their support for a full floor vote. And even if it gets to the Senate, the bill faces strong resistance from Senate Commerce Chair Maria Cantwell, D-Wash., who has previously said she would not bring the bill for markup.

From the cyber breaches front, Health IT Security informs us

Fortified Health Security’s mid-year report on the state of healthcare cybersecurity observed slight shifts in healthcare data breach trends in the first half of 2022. The HHS Office for Civil Rights data breach portal showed that there have been 337 healthcare data breaches impacting more than 500 individuals each in the first half of this year, signifying a slight decrease from 368 at this time last year.

“While the number of healthcare cybersecurity reported breaches has leveled off after meteoric rises over the past several years, hospitals and health systems still cannot breathe a sigh of relief,” the report stated.

“The percentage of healthcare breaches attributed to malicious activity rose more than 5 percentage points in the first six months of 2022 to account for nearly 80 [percent] of all reported incidents.”

Reuters adds

Plaintiffs’ lawyers representing a class of millions of federal employees in a data-breach lawsuit against the U.S. [Office of Personnel Management] asked a Washington, D.C., judge on Thursday to award more than $8.5 million in legal fees for their work securing a $63 million settlement.

The class attorneys at San Francisco-based Girard Sharp, working with 14 other firms, said in a court filing that the “novelty and complexity” of the litigation, which began in 2015, justified the requested fee. * * *

A fairness hearing is scheduled for Oct. 14.

From the cyber vulnerabilities front —

Cybersecurity Dive reports

Threat actors are likely exploiting a critical vulnerability that surfaced in a pair of Confluence support apps after a hardcoded default password was leaked, Atlassian warned customers in an advisory update on Thursday [July 21].

The culprit, a default password for admin control on Atlassian’s Questions for Confluence app, allows attackers to gain access to unpatched servers. Atlassian released a patch for the vulnerability and advised all organizations running affected Confluence systems to update the app and to disable or delete the default “disabledsystemuser” admin account.

The Cybersecurity and Infrastructure Security Agency Friday [July 22] issued an advisory to alert customers to the latest vulnerability impacting Confluence. “An attacker could exploit this vulnerability to obtain sensitive information,” the agency said.
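Two checks a Confluence administrator would want here, as an added example written for this post rather than code from Atlassian, CISA or Cybersecurity Dive: first, confirm whether the default account exists and whether it has ever authenticated (Atlassian’s advisory pointed to the account’s last authentication time as the sign that someone has used the leaked password); second, pull every request the account made out of the access log so the scope of exposure is known. The user records and log lines below are constructed for illustration; the user field names and the access-log layout are assumptions, so adjust `LOG_RE` to the pattern configured on your own instance.

```python
import re

DEFAULT_ACCOUNT = "disabledsystemuser"   # account created by the Questions for Confluence app
TARGET_GROUP = "confluence-users"        # group whose content the leaked credentials expose

# Constructed user records, as an administrator might export them. The field
# names are an assumption for illustration, not Atlassian's schema.
SAMPLE_USERS = [
    {"username": "alice", "active": True, "groups": ["confluence-users"],
     "last_authenticated": "2022-07-20T09:14:00Z"},
    {"username": "disabledsystemuser", "active": True,
     "groups": ["confluence-users"], "last_authenticated": "2022-07-21T08:05:40Z"},
]


def triage_default_account(users):
    """Classify the default account: 'absent', 'present-disabled',
    'present-never-authenticated' (disable or delete it now), or
    'present-authenticated' (treat as a possible compromise and investigate)."""
    for user in users:
        if user["username"].lower() != DEFAULT_ACCOUNT:
            continue
        if not user.get("active", True):
            return "present-disabled"
        if user.get("last_authenticated"):
            return "present-authenticated"
        return "present-never-authenticated"
    return "absent"


# Constructed access log lines. The layout (client IP, authenticated user,
# timestamp, request, status) is modelled on a Tomcat access log with a
# username field; it is an assumption, not a captured Confluence log.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 alice [21/Jul/2022:08:02:11 +0000] "GET /rest/api/space HTTP/1.1" 200
198.51.100.7 disabledsystemuser [21/Jul/2022:08:05:40 +0000] "GET /rest/api/content?limit=100 HTTP/1.1" 200
198.51.100.7 disabledsystemuser [21/Jul/2022:08:05:41 +0000] "GET /download/attachments/1234/notes.docx HTTP/1.1" 200
10.0.0.9 - [21/Jul/2022:08:06:02 +0000] "GET /login.action HTTP/1.1" 200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def default_account_requests(log_text):
    """Every request authenticated as the default account: source IP, time, path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["user"].lower() == DEFAULT_ACCOUNT:
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "path": m["path"], "status": int(m["status"])})
    return hits


def source_ips(hits):
    """Distinct client addresses that used the account, for blocking and pivoting."""
    return sorted({h["ip"] for h in hits})


if __name__ == "__main__":
    print("default account:", triage_default_account(SAMPLE_USERS))
    hits = default_account_requests(SAMPLE_ACCESS_LOG)
    print("requests by default account:", len(hits), "from", source_ips(hits))
    for h in hits:
        print(" ", h["ts"], h["ip"], h["path"])
```

The two functions are deliberately separate: the triage answers “is this account present and has it been used,” which decides whether you are doing patch hygiene or incident response, while the log scan answers “what did it read,” which is what a breach assessment of exposed `confluence-users` content needs.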

HHS’s Health Sector Cybersecurity Coordination Center (HC3) shared a PowerPoint presentation on Web Application Attacks in Healthcare.

From the ransomware front —

Cybersecurity Dive reports

Affiliates of the LockBit ransomware group are infiltrating on-premises servers to spread malware on targeted networks, according to new research from Broadcom’s threat hunting team at Symantec.

Threat analysts observed a threat actor operating on a victim’s enterprise network with remote desktop protocol access for several weeks before it dropped and executed the LockBit ransomware. This type of sustained and undetected access allows attackers to conduct reconnaissance and identify weaknesses on networks before deploying payloads.

Attackers operating LockBit ransomware can leverage group policy management to spread the malware through a network, run commands and encrypt many machines almost simultaneously, Symantec’s researchers said.
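The two behaviours Symantec describes, weeks of RDP access followed by a Group Policy change that pushes the payload, each leave a Windows Security event behind: a 4624 logon with LogonType 10 (RemoteInteractive, i.e. RDP) and a 5136 “directory service object was modified” event whose ObjectClass is `groupPolicyContainer`. The correlation below is an added example written for this post, not Symantec’s or Broadcom’s code: it flags accounts whose RDP logons from one source span a long period and then lists GPO modifications made by those same accounts. The events are constructed and flattened into dicts with the EventData field names; real EVTX records carry the same values inside XML. Note that 5136 only appears if Directory Service Changes auditing is enabled and a SACL is set on the GPO container.

```python
from collections import defaultdict
from datetime import datetime

# Constructed Windows Security events, flattened to dicts for illustration.
# Field names follow the EventData names (TargetUserName, LogonType, ObjectClass, ...).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup",
     "IpAddress": "10.20.0.44", "TimeCreated": "2022-06-28T22:10:05"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup",
     "IpAddress": "10.20.0.44", "TimeCreated": "2022-07-03T23:41:12"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup",
     "IpAddress": "10.20.0.44", "TimeCreated": "2022-07-11T01:02:30"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "alice",
     "IpAddress": "-", "TimeCreated": "2022-07-11T08:15:00"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "alice",
     "IpAddress": "10.20.0.7", "TimeCreated": "2022-07-11T09:00:00"},
    {"EventID": 5136, "ObjectClass": "groupPolicyContainer", "SubjectUserName": "svc_backup",
     "AttributeLDAPDisplayName": "gPCFileSysPath", "TimeCreated": "2022-07-19T02:10:44"},
    {"EventID": 5136, "ObjectClass": "groupPolicyContainer", "SubjectUserName": "svc_backup",
     "AttributeLDAPDisplayName": "versionNumber", "TimeCreated": "2022-07-19T02:11:01"},
]

RDP_LOGON_TYPE = 10   # RemoteInteractive


def rdp_dwell(events, min_days=7):
    """Map (account, source IP) -> number of days between first and last RDP logon,
    for pairs whose RDP activity spans at least min_days."""
    days_seen = defaultdict(set)
    for e in events:
        if e.get("EventID") == 4624 and e.get("LogonType") == RDP_LOGON_TYPE:
            days_seen[(e["TargetUserName"], e["IpAddress"])].add(e["TimeCreated"][:10])
    result = {}
    for key, days in days_seen.items():
        ordered = sorted(datetime.fromisoformat(d) for d in days)
        span = (ordered[-1] - ordered[0]).days
        if span >= min_days:
            result[key] = span
    return result


def gpo_changes_by(events, accounts):
    """5136 events that modified a Group Policy object, made by any of the given accounts."""
    return [e for e in events
            if e.get("EventID") == 5136
            and e.get("ObjectClass") == "groupPolicyContainer"
            and e.get("SubjectUserName") in accounts]


def correlate(events, min_days=7):
    """Long-running RDP access by an account followed by that account editing a GPO
    is the sequence described for the LockBit intrusions; report both halves together."""
    dwell = rdp_dwell(events, min_days)
    suspects = {user for (user, _ip) in dwell}
    return {
        "long_rdp_sessions": dwell,
        "suspect_accounts": suspects,
        "gpo_changes_by_suspects": gpo_changes_by(events, suspects),
    }


if __name__ == "__main__":
    report = correlate(SAMPLE_EVENTS)
    for (user, ip), span in report["long_rdp_sessions"].items():
        print(f"RDP from {ip} as {user} over {span} days")
    for e in report["gpo_changes_by_suspects"]:
        print(f"GPO attribute {e['AttributeLDAPDisplayName']} changed by "
              f"{e['SubjectUserName']} at {e['TimeCreated']}")
```

Tune `min_days` to what is normal for your administrators; the point is that a service account with no business reason to RDP at all, doing so for two weeks, is the signal to chase before the GPO change lands, not after.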

Cyberscoop tells us

Typically, when it comes to ransomware, researchers and cybersecurity companies scramble after attacks to understand the origin of the malware that infected systems and locked crucial data.

But researchers with Censys, a firm that indexes devices connected to the internet, said Thursday they’ve flipped the typical script and found what appears to be a ransomware command and control network capable of launching attacks, including one host located in the U.S.

Matt Lembright, Censys’ director of federal applications and author of the report, told CyberScoop that they came across the network after running a search through the company’s data for the top 1,000 software products currently observable on Russian hosts. After seeing Metasploit — penetration testing software frequently used for legitimate purposes — on just nine hosts out of more than 7.4 million, the team did some additional digging. 

The team eventually found two Russian-based hosts containing a combination of Acunetix, a web vulnerability tester, and DeimosC2, a command and control tool to use on compromised machines after exploitation.

The American Hospital Association reports

The Justice Department has recovered about $500,000 in ransom that a Kansas hospital and Colorado medical provider paid to state-sponsored North Korean hackers, the agency announced yesterday [July 19].

“Thanks to rapid reporting and cooperation from a victim, the FBI and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as ‘Maui,’” said Deputy Attorney General Lisa O. Monaco yesterday at the International Conference on Cyber Security. “Not only did this allow us to recover their ransom payment as well as a ransom paid by previously unknown victims, but we were also able to identify a previously unidentified ransomware strain.”

Federal agencies this month recommended U.S. health care organizations take certain actions to protect against the Maui ransomware threat. [See July 9 Cybersecurity Saturday post.]

And, of course, what would we do without Bleeping Computer’s The Week in Ransomware – headlined “Attacks Abound.”

From the cyberdefenses front —

Health IT Security points us to

The Cloud Security Alliance (CSA) released new guidance on third-party risk management in healthcare, drafted by its Health Information Management Working Group.

Threat actors are increasingly using third-party business associates as easier entry points into customer networks. Once inside the network, the malicious hackers may be able to access sensitive health data, encrypt files, and deploy ransomware on organizations that the associate does business with.

Cybersecurity Dive discusses public-private efforts to build the cybersecurity workforce.

The National Cyber Workforce and Education Summit highlighted an ongoing push to help meet an urgent demand for qualified cybersecurity professionals. 

Cyberseek research shows there are more than 700,000 open cybersecurity jobs in the U.S. and organizations face serious challenges in finding a diverse pool of workers. There is also heightened pressure to defend against a recent surge in malicious cyber activity. 

A range of government agencies, private sector companies and nonprofit organizations have made commitments to recruit, train and encourage potential employees to pursue careers in cybersecurity. 

Organizations are also making an effort to better train students in math, science and related fields to better prepare the workforce of the future. 

In that regard, the article points out five programs to develop cybersecurity talent. What’s more, Govexec reports

Kiran Ahuja, director of the Office of Personnel Management, told lawmakers on Thursday [July 21] that her agency wants “to work with Congress to develop a governmentwide cyber workforce plan that puts agencies on equal footing in competing for cyber talent.”

Special cyber hiring and pay authorities at the Department of Homeland Security create competition for talent among government agencies – something that needs to be addressed, she said along with Jason Miller, deputy director for management at the Office of Management and Budget.

“Congress passed a particular cyber talent program for DHS that has now become sort of … the king of programs within the federal government and other agencies are having to compete with that,” said Ahuja during a hearing of the House Oversight and Reform Committee’s Government Operations subcommittee.

Finally, Security Boulevard offers “defense against ransomware” tips.

Cybersecurity Saturday

From the cybersecurity policy front, Cyberscoop reports

An amendment that includes cyber protections to defend “systemically important” critical infrastructure — such as large energy utilities, telecom providers and major financial institutions — won adoption in the U.S. House of Representatives Thursday.

The legislation is an outgrowth of the work of the Cyberspace Solarium Commission, which originally recommended a model similar to that envisioned in the bill. It mandates that the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) designate infrastructure needed for “national critical functions,” with operators at designated entities required to report to CISA and the national cyber director on their management of cyber risk.

Designation will require organizations to disclose risk management strategies for critical assets and supply chains; share and receive threat intelligence with the government, and allow federal agencies to examine operations and assess performance-based security goals.

The amendment was made to the must-pass annual National Defense Authorization Act by voice vote. The Senate is working on its own version of the FY 2023 NDAA.

Cyberscoop adds, “The U.S. Chamber of Commerce criticized the amendment as written and sent a letter to all House members Wednesday, noting that many businesses’ “core policy goals” are not acknowledged, including legal liability protections and national preemption of state cybersecurity and protection laws.”

Health IT Security informs us

In its first-ever report, the Cyber Safety Review Board (CSRB) labeled Log4j (CVE-2021-44228) as an “endemic vulnerability” and said that vulnerable instances of Log4j could remain in systems for “a decade or longer.”

President Biden established the Cyber Safety Review Board in February 2022 as part of the administration’s executive order (EO 14028) on improving the nation’s cybersecurity. The Board is made up of 15 cybersecurity leaders from the federal government and the private sector and functions to review major cyber events and make suggestions for improving security in the private and public sectors.

For the report, CSRB reviewed instances of Log4j exploitation by engaging with approximately 80 organizations to gain an understanding of how organizations dealt with and are still dealing with Log4j.

Cybersecurity Dive explains

The [open source Log4j] vulnerability made it easy for threat actors to take control of compromised systems, and, since it was so difficult to spot without a comprehensive Log4j “customer list,” organizations struggled to identify and remediate it, according to the board. 

What made the vulnerability particularly disruptive is that a third party disclosed the flaw before the Apache Software Foundation, which supports Log4j, could create a fix, the review board said. A race between threat actors and companies to exploit or fix the vulnerability ensued.

Log4j highlighted how the open source community, often composed of volunteers, has inherent risks stemming from resource constraints. In response, the board called for public and private sector stakeholders to create a hub of centralized resources to better support the open source community. 

The board’s recommendations echo what the security industry has taken up as a battle cry in the last year: the software industry needs to change to create a better model of vulnerability management. 

Nextgov adds

[The CSRB] has said all it plans to say on the incident referred to as “SolarWinds,” under an executive order mandate. That order came in response to the intrusion event’s compromise of several federal agencies and high-profile tech companies.

“We have fully complied with the executive order,” said Rob Silvers, undersecretary for policy at DHS. “The White House and the Department of Homeland Security together determined that when the board was launched, that at that point in time, the best use of the board’s expertise and resources was to examine the recent events involved in the Log4j vulnerability.”

Cybersecurity Dive reports

A decades-old ambition to foster a worldwide, open, secure and interoperable internet hasn’t materialized. In lieu of that, cyberspace is more fragmented, less free and more dangerous, the Council on Foreign Relations wrote this week in a report.

The U.S. is losing the cyberspace race because it remains too rigidly focused on achieving traditional American values, such as global openness, to the detriment of domestic privacy legislation, the report said. Adversaries have exploited this weakness with alarming precision and are now projecting power and exerting influence in the digital realm.

Meanwhile, federal authorities are still organizing efforts for a more cohesive and effective response by identifying roles and responsibilities in government, and strengthening collaboration between agencies and enterprises.

Many challenges remain unmet. National Cyber Director Chris Inglis, during a keynote at last month’s RSA Conference, estimated the U.S. is about four-fifths of the way there before it can effectively “crowdsource [transgressors] the way they’ve crowdsourced us.”

NIST announced that it has activated its new SP 800-53 Public Comment Site. Learn more about the SP 800-53 Comment Site, and use the online User Guide for step-by-step instructions on how to participate in the public comment process, available under “View Candidates” and “Provide comments on candidates.” NIST SP 800-53 is the only NIST publication mentioned in OPM’s standard FEHB contracts.

From the cyber vulnerabilities front —

  • HHS’s Health Sector Cybersecurity Coordination Center (HC3) released its report on June 2022 vulnerabilities of interest to the healthcare sector.
  • Cybersecurity Dive reports “U.S. companies are facing an enormous challenge in managing enterprise security, as almost half of all endpoint devices — including computers and other mobile devices — cannot be detected by IT departments or they are running on outdated operating system software, according to a study from Adaptiva and the Ponemon Institute released [last] Wednesday.” 
  • Cybersecurity Dive also tells us, “Brute-force attacks remain, overwhelmingly, the most common threat vector for cloud service providers, comprising 51% of all attacks in the first quarter of 2022, according to analysis from Google Cloud. Threat actors automatically scan for and compromise misconfigured cloud services, but the continued use of weak or default passwords poses the greatest risk, Google’s Cybersecurity Action team concluded in its latest Threat Horizons report.”
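Brute force is the easiest of those attacks to see coming, because the failures arrive before the success. The detector below is an added example written for this post, not Google’s analysis or tooling: it reads OpenSSH `sshd` log lines (the line format is OpenSSH’s own; the lines themselves are constructed), counts failed logins per source address inside a sliding window, notes which commonly guessed default account names were tried, and, most importantly, records a later successful login from a source that was just brute-forcing, since that is the event that means the weak or default password actually worked. The `COMMON_DEFAULT_NAMES` list is illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines in OpenSSH's standard auth.log format.
SAMPLE_AUTH_LOG = """\
Jul 14 03:12:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40212 ssh2
Jul 14 03:12:03 web01 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 40214 ssh2
Jul 14 03:12:04 web01 sshd[2205]: Failed password for root from 203.0.113.5 port 40216 ssh2
Jul 14 03:12:06 web01 sshd[2207]: Failed password for invalid user test from 203.0.113.5 port 40218 ssh2
Jul 14 03:12:07 web01 sshd[2209]: Failed password for invalid user ubuntu from 203.0.113.5 port 40220 ssh2
Jul 14 03:12:09 web01 sshd[2211]: Accepted password for root from 203.0.113.5 port 40222 ssh2
Jul 14 03:40:00 web01 sshd[2300]: Failed password for alice from 10.0.0.8 port 51000 ssh2
Jul 14 03:40:15 web01 sshd[2302]: Accepted publickey for alice from 10.0.0.8 port 51002 ssh2
"""

# Account names that automated scanners try first (illustrative, not exhaustive).
COMMON_DEFAULT_NAMES = {"admin", "root", "test", "ubuntu", "guest", "pi", "oracle"}

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: '
    r'(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?'
    r'(?P<user>\S+) from (?P<ip>\S+) port \d+'
)


def parse_sshd_line(line, year=2022):
    """Return a dict for a Failed/Accepted authentication line, else None.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60, year=2022):
    """Flag source IPs with >= threshold failures inside window_seconds, and
    record the first successful login from a flagged source afterwards."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    names = defaultdict(set)      # ip -> usernames attempted
    flagged = {}                  # ip -> finding
    for line in log_text.splitlines():
        ev = parse_sshd_line(line, year)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            q = recent[ip]
            q.append(ev["ts"])
            names[ip].add(ev["user"])
            while q and ev["ts"] - q[0] > timedelta(seconds=window_seconds):
                q.popleft()   # drop failures older than the window
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = {
                    "first_failure": q[0],
                    "failures_in_window": len(q),
                    "default_names_tried": sorted(names[ip] & COMMON_DEFAULT_NAMES),
                    "success_after": None,
                }
        elif ev["result"] == "Accepted" and ip in flagged and flagged[ip]["success_after"] is None:
            # A success from a source that was just guessing is the finding to act on.
            flagged[ip]["success_after"] = (ev["user"], ev["method"], ev["ts"])
    return flagged


if __name__ == "__main__":
    for ip, finding in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, finding)
```

The same sliding-window logic applies to cloud console or API authentication logs; only the parser changes. A source that trips the threshold is worth rate limiting, but one that trips it and then gets an `Accepted` is a credential to rotate and a session to terminate.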

From the ransomware front — while The Week in Ransomware’s writer is evidently on summer vacation, Bleeping Computer does alert us

Hackers are impersonating well-known cybersecurity companies, such as CrowdStrike, in callback phishing emails to gain initial access to corporate networks.

Most phishing campaigns embed links to landing pages that steal login credentials or emails that include malicious attachments to install malware.

However, over the past year, threat actors have increasingly used “callback” phishing campaigns that impersonate well-known companies requesting you call a number to resolve a problem, cancel a subscription renewal, or discuss another issue.

When the target calls the numbers, the threat actors use social engineering to convince users to install remote access software on their devices, providing initial access to corporate networks. This access is then used to compromise the entire Windows domain [by implementing ransomware code].

From the cybersecurity defense front —

  • Cybersecurity Dive discusses the challenges facing mid-sized employers. For example, “The rising cost of cyber insurance continues to be an issue for mid-sized companies. Research shows almost half of all the companies surveyed saw rate increases of 76% or more during the past year.”
  • Speaking of which, Cybersecurity Dive also reports, “The “vast majority” of cyber insurers plan to remain in the market over the next three years as the industry establishes an operations baseline to cope with very high claim volume, research from Panaseer released this week shows. * * * [T]o keep up with demand, cyber insurers acknowledge the need to rethink the underwriting process. Nine out of 10 respondents want to create a consistent, metric-based approach to measuring an organization’s cyber risk, the survey of 400 cyber insurance decision makers shows.”

Cybersecurity Saturday

From Capitol Hill, Cybersecurity Dive reports

Democratic lawmakers are continuing to call on federal agencies to increase data privacy protection for patients seeking abortions, following the Supreme Court’s decision ending the constitutional right to the procedure.

Seventy-two Democratic members of Congress sent a letter Wednesday to Lina Khan, chair of the Federal Trade Commission, urging her to use the “full power” of her office to enact safeguards against data brokers collecting and selling data that could be used to prosecute pregnancy-related crimes.

The letter to the FTC follows one sent Friday by Democrat senators to HHS urging the department to update the HIPAA privacy law to limit when covered entities can share information about abortion services.

From the cyber breaches front, Cybersecurity Dive tells us

Marriott International last month suffered its third publicly acknowledged data breach in four years. The hotel chain disclosed the incident after DataBreaches.net reported an unnamed threat actor claimed to have stolen 20 gigabytes of sensitive data. * * *

Marriott claims the incident was quickly contained and potential exposure was limited to about 400 individuals. * * *

In the latest incident, a threat actor “used social engineering to trick one associate at a single Marriott hotel into providing access to the associate’s computer,” a Marriott spokesperson said via email. “The threat actor did not gain access to Marriott’s core network.”

Following an investigation, the company said it determined the information that was accessed primarily contained non-sensitive internal business files regarding the property’s operations.

The hotel chain said it identified the breach and was investigating the incident before the threat actor contacted the company in an extortion attempt. Marriott did not pay the threat actor, according to the company spokesperson.

From the cyber vulnerabilities front, CISA announced last Wednesday

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of the Treasury (Treasury) today released a joint Cybersecurity Advisory (CSA) that provides information on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations.

The CSA titled, “North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector,” provides technical details and indicators of compromise (IOC) observed during multiple FBI incident response activities over a period of more than a year and obtained from industry analysis of Maui samples. North Korean state-sponsored actors were observed using Maui ransomware to encrypt HPH servers responsible for providing healthcare services. In some cases, the malicious activity disrupted the services provided by the victim for prolonged periods.

The HPH Sector, as well as other critical infrastructure organizations, are urged to review this joint CSA and apply the recommended mitigations to reduce the likelihood of compromise from ransomware operations. The FBI, CISA, and Treasury assess that North Korean state-sponsored actors are likely to continue targeting HPH Sector organizations, because of the assumption that these organizations are willing to pay ransoms to avoid disruption of the critical life and health services they provide. For more information on state-sponsored North Korean malicious cyber activity, see CISA’s North Korea Cyber Threat Overview and Advisories webpage.

The FBI, CISA, and Treasury strongly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks. In September 2021, Treasury issued an advisory highlighting the sanctions risk associated with ransomware payments and providing steps that can be taken by companies to mitigate the risk of being a victim of ransomware.

All organizations should share information on cybersecurity incidents and anomalous activity to CISA 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

Healthcare IT News offers a report on this announcement here.

Cybersecurity Dive reports

The group behind Hive ransomware completed a full code migration and overhaul to use a more complex encryption method for its ransomware as a service payload, researchers from Microsoft Threat Intelligence Center found.

Microsoft describes Hive, which was first observed in June 2021, as one of the most prevalent ransomware payloads and one of the fastest evolving ransomware families. 

By migrating code from Go to Rust, Hive can use string encryption that boosts its ability to evade discovery, deepen control over the code and heighten protection against reverse engineering.

Of course, here’s a link to the current Week in Ransomware from Bleeping Computer. Check it out.

From the cyber defenses front —

  • Cybersecurity Dive identifies CISO priorities for the second half of this year.
  • In a similar vein, ZDNet discusses “the cybersecurity threats of tomorrow that you should be thinking about today. The rise of quantum computing, deepfakes, the Internet of Things and more are among the things that could create very real challenges for cybersecurity going forwards.”
  • Speaking of quantum computing, CISA announced this week “the establishment of a Post-Quantum Cryptography Initiative to unify and drive agency efforts to address threats posed by quantum computing.” HHS’s HC3 timely released a PowerPoint presentation on Quantum Cryptography and the Health Care Sector.
  • An ISACA expert promotes “The Case for Outcome-Based Cybersecurity: A Data-Focused Shift in Cybersecurity Management.”
  • Cybersecurity Dive brings us current on 5G network security issues. “The most prevailing security challenge in 5G infrastructure is the significant expansion of the attack surface in relation to pre-5G networks,” Ron Westfall, senior analyst and research director at Futurum Research, said.

Cybersecurity Saturday

From the policy front, Health IT Security reports that

In its latest report, the US Government Accountability Office (GAO) called on HHS to improve the healthcare data breach reporting process. Specifically, GAO urged HHS to create a mechanism for entities to provide feedback on the breach reporting process. * * *

HHS concurred with GAO’s recommendations and said it would begin soliciting feedback related to the breach reporting process.

“Specifically, OCR plans to add language and contact information to the confirmation email that regulated entities receive when they submit breach reports through the HHS Breach Portal to invite feedback and questions about the breach reporting process,” GAO stated.

“The agency also plans to implement procedures for OCR’s regional offices to regularly review and address emails received about the breach reporting process through their respective mailboxes. We will continue to follow-up with HHS to validate its implementation of this recommendation.”

Health IT Security adds that

GAO’s report also analyzed OCR’s methods of assessing whether covered entities had implemented recognized security practices, as required by the HIPAA Safe Harbor bill, a January 2021 amendment to HITECH.

To advance these efforts, in March 2022, OCR finalized standard operating procedures for investigators to use when assessing these security practices. Additionally, OCR issued a request for information to seek input on the contents of the recognized security practices in early April. OCR received feedback from a variety of industry groups and later announced that it would produce a video presentation on HITECH recognized security practices.

“OCR plans to finalize the review process for considering whether covered entities and business associates have implemented recognized security practices no later than the summer of 2022,” the report explained.

From the cyber vulnerabilities front —

CISA informs us

The Homeland Security Systems Engineering and Development Institute, sponsored by CISA and operated by MITRE, has released the 2022 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list. The list uses data from the National Vulnerability Database to compile the most frequent and critical errors that can lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition. This year’s list also incorporates updated weakness data for recent Common Vulnerabilities and Exposure records in the dataset that are part of CISA’s Known Exploited Vulnerabilities Catalog.

CISA encourages users and administrators to review the 2022 CWE Top 25 Most Dangerous Software Weaknesses and evaluate recommended mitigations to determine those most suitable to adopt.

CISA added nine known exploited vulnerabilities to its catalog this week in this post and that.

Here’s a link to a ZDNet article about this CISA action.

From the ransomware front

CISA posted the following joint cybersecurity advisory (“CSA”) yesterday

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) are releasing this CSA to provide information on MedusaLocker ransomware. Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks. The MedusaLocker actors encrypt the victim’s data and leave a ransom note with communication instructions in every folder containing an encrypted file. The note directs victims to provide ransomware payments to a specific Bitcoin wallet address. MedusaLocker appears to operate as a Ransomware-as-a-Service (RaaS) model based on the observed split of ransom payments. Typical RaaS models involve the ransomware developer and various affiliates that deploy the ransomware on victim systems. MedusaLocker ransomware payments appear to be consistently split between the affiliate, who receives 55 to 60 percent of the ransom; and the developer, who receives the remainder. 


Healthcare Dive adds

MedusaLocker operates under the ransomware as a service model, splitting payments with affiliates who typically get 55% to 60% of the proceeds. The group has been active as recently as May, launching phishing and spam email campaigns to gain initial access. 

A report from Cybereason said MedusaLocker first emerged in late 2019, targeting companies across industries. The group was particularly active in the healthcare space, where many organizations were attacked in connection to the COVID-19 pandemic.

ZDNet tells us

A recently developed form of malware has quickly become a key component in powering ransomware attacks. 

The malware, called Bumblebee, has been analysed by cybersecurity researchers at Symantec, who’ve linked it to ransomware operations including Conti, Mountlocker and Quantum.

“Bumblebee’s links to a number of high-profile ransomware operations suggest that it is now at the epicenter of the cyber-crime ecosystem,” said Vishal Kamble, principal threat analysis engineer on Symantec’s Threat Hunter team. 

Of course, here’s a link to Bleeping Computer’s The Week in Ransomware.

It has been relatively busy this week with new ransomware attacks unveiled, a bug bounty program introduced, and new tactics used by the threat actors to distribute their encryptors.

This week’s big news was the release of LockBit 3.0, which includes a new bug bounty reward program where the threat actors pay between $1,000 to $1 million for submitted bugs and new ways of enhancing their operation.

We also learned that a LockBit affiliate is distributing the ransomware through fake copyright infringement emails, Word docs are used to install AstraLocker directly, and the Black Basta gang is exploiting the PrintNightmare vulnerabilities.

From the cyberdefenses front

ZDNet reports

Many businesses will fail to see the benefits of their zero-trust efforts over the next few years, while legislation around paying off ransomware gangs will be extended and attacks on operational technology might have real-life consequences, according to a set of cybersecurity predictions.

The list comes from tech analyst Gartner, which said business leaders should build these strategic planning assumptions into their security strategies for the next two years.

“We can’t fall into old habits and try to treat everything the same as we did in the past,” said Gartner senior director, Richard Addiscott. “Most security and risk leaders now recognize that major disruption is only one crisis away. We can’t control it, but we can evolve our thinking, our philosophy, our program and our architecture.”

[Here’s the list:]

1. Consumer Privacy Rights will be extended * * *

2. By 2025, 80% of enterprises will adopt a strategy to unify web, cloud services and private application access * * *

3. Many organizations will embrace zero-trust, but fail to realize the benefits * * *

4. Cybersecurity will become key to choosing business partners * * *

5. Ransomware payment legislation will rise * * *

6. Hackers will weaponize operational technology environments to cause human casualties [by 2025] * * *

7. Resilience will be about more than just cybersecurity * * *, and

8. Cybersecurity will matter for the CEO’s bonus * * *.

Cybersecurity Dive reports

Rate pressures on the cyber industry sector began to moderate as a surge in new buyers and corporate enforcement of cyber hygiene led to a more stable market, according to research from global insurance firm Marsh released Wednesday.

Half of Marsh’s U.S. clients purchased standalone cyber insurance policies in 2021, almost double the 26% of clients in 2016. More businesses understand the financial risks of a cyberattack affecting their bottom line, Marsh said.

Meanwhile, cyber insurance rates are leveling out. Rate increases have steadily dropped from the high reached in Dec. 2021 when businesses paid, on average, 133% more for cyber insurance year over year. That rate increase dropped to 107% in March and 90% in April. Research firm AM Best also found a more moderate pace of rate increases in Q1, Chris Graham, senior industry analyst, said.

Health IT Security adds

Surveyed healthcare cybersecurity leaders reported leveraging multifactor authentication (MFA), identity and access management, and privileged access management (PAM) solutions in hopes of lessening the likelihood of a cyber insurance premium hike, a report from Imprivata conducted by WBR Insights found.

Closer to the desktop, Cybersecurity Dive tells us

Google is rolling out key updates to its password management capabilities as part of an effort to boost security across multiple operating systems and browsers for mobile and desktop users, the company said in an announcement Thursday.

Google Password Manager users will now have the same unified experience whether using Chrome or Android, and iPhone users can now manage passwords through the iOS platform.

Google will automatically warn users about compromised credentials, on top of reused and weak passwords. In addition, Google will warn users about compromised passwords on a range of operating systems and platforms, including Android, Chrome OS, Windows, iOS, MacOS and Linux.
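To make the three warnings concrete, here is an added example (written for this page, not Google’s code) of how a password manager can audit a vault for weak, reused and compromised passwords. The compromised check uses the SHA-1 k-anonymity “range” lookup popularised by the Pwned Passwords API: only the first five hex characters of the hash leave the device, the server returns every breached suffix in that range, and the match is made locally. The breach corpus, the vault, the weakness policy and the function names are all constructed assumptions for illustration.

```python
"""Added example (not Google's code): auditing a password vault for weak,
reused and compromised passwords. The compromised check mirrors a k-anonymity
range lookup: only a 5-hex-char SHA-1 prefix is sent, the match is local.
The breach corpus and vault below are constructed sample data."""
import hashlib
from collections import defaultdict

# Constructed: a tiny stand-in for a breached-password corpus. A real range
# service holds hundreds of millions of hashes; the shape of the query is the same.
BREACHED_PASSWORDS = ["password", "123456", "letmein", "qwerty", "Summer2022!!"]
_BREACH_HASHES = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper(): n
                  for n, p in enumerate(BREACHED_PASSWORDS, start=1)}


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the form range services index on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix: str) -> dict:
    """Simulated server side of a k-anonymity range query: for a 5-hex-char
    prefix return {suffix: breach_count} for every hash that starts with it.
    The server never learns the full hash, let alone the password."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    return {h[5:]: c for h, c in _BREACH_HASHES.items() if h.startswith(prefix)}


def is_compromised(password: str, lookup=range_lookup) -> int:
    """Return the breach count (0 if unseen). Only the prefix leaves the client."""
    h = sha1_upper(password)
    return lookup(h[:5]).get(h[5:], 0)


def is_weak(password: str) -> bool:
    """Assumption: a simple length + character-class policy for illustration."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return len(password) < 12 or classes < 3


def audit_vault(vault):
    """vault: list of (site, password). Returns {site: set_of_findings}."""
    sites_by_password = defaultdict(list)
    for site, pw in vault:
        sites_by_password[pw].append(site)
    findings = {}
    for site, pw in vault:
        flags = set()
        if is_weak(pw):
            flags.add("weak")
        if len(sites_by_password[pw]) > 1:   # same secret on more than one site
            flags.add("reused")
        if is_compromised(pw):
            flags.add("compromised")
        findings[site] = flags
    return findings


# Constructed sample vault.
SAMPLE_VAULT = [
    ("bank.example", "Summer2022!!"),      # passes the policy but is breached
    ("mail.example", "letmein"),           # weak and breached
    ("shop.example", "cQ7#pLw9!vZr2mX"),   # fine on its own...
    ("forum.example", "cQ7#pLw9!vZr2mX"),  # ...but reused across two sites
]

if __name__ == "__main__":
    for site, flags in audit_vault(SAMPLE_VAULT).items():
        print(f"{site:15s} {', '.join(sorted(flags)) or 'ok'}")
```

The point of the split between `is_compromised` and `range_lookup` is that the privacy property lives entirely in the prefix: swapping the simulated lookup for a real HTTPS range query changes nothing else, and the full hash never crosses the network.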