Cybersecurity Saturday

From Capitol Hill, Cybersecurity Dive reports

Democratic lawmakers are continuing to call on federal agencies to increase data privacy protection for patients seeking abortions, following the Supreme Court’s decision ending the constitutional right to the procedure.

Seventy-two Democratic members of Congress sent a letter Wednesday to Lina Khan, chair of the Federal Trade Commission, urging her to use the “full power” of her office to enact safeguards against data brokers collecting and selling data that could be used to prosecute pregnancy-related crimes.

The letter to the FTC follows one sent Friday by Democratic senators to HHS urging the department to update the HIPAA privacy rule to limit when covered entities can share information about abortion services.

From the cyber breaches front, Cybersecurity Dive tells us

Marriott International last month suffered its third publicly acknowledged data breach in four years. The hotel chain disclosed the incident after DataBreaches.net reported an unnamed threat actor claimed to have stolen 20 gigabytes of sensitive data. * * *

Marriott claims the incident was quickly contained and potential exposure was limited to about 400 individuals. * * *

In the latest incident, a threat actor “used social engineering to trick one associate at a single Marriott hotel into providing access to the associate’s computer,” a Marriott spokesperson said via email. “The threat actor did not gain access to Marriott’s core network.”

Following an investigation, the company said it determined the information that was accessed primarily contained non-sensitive internal business files regarding the property’s operations.

The hotel chain said it identified the breach and was investigating the incident before the threat actor contacted the company in an extortion attempt. Marriott did not pay the threat actor, according to the company spokesperson.

From the cyber vulnerabilities front, CISA announced last Wednesday

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of the Treasury (Treasury) today released a joint Cybersecurity Advisory (CSA) that provides information on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations.

The CSA titled, “North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector,” provides technical details and indicators of compromise (IOC) observed during multiple FBI incident response activities over a period of more than a year and obtained from industry analysis of Maui samples. North Korean state-sponsored actors were observed using Maui ransomware to encrypt HPH servers responsible for providing healthcare services. In some cases, the malicious activity disrupted the services provided by the victim for prolonged periods.

The HPH Sector, as well as other critical infrastructure organizations, are urged to review this joint CSA and apply the recommended mitigations to reduce the likelihood of compromise from ransomware operations. The FBI, CISA, and Treasury assess that North Korean state-sponsored actors are likely to continue targeting HPH Sector organizations, because of the assumption that these organizations are willing to pay ransoms to avoid disruption of the critical life and health services they provide. For more information on state-sponsored North Korean malicious cyber activity, see CISA’s North Korea Cyber Threat Overview and Advisories webpage.

The FBI, CISA, and Treasury strongly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks. In September 2021, Treasury issued an advisory highlighting the sanctions risk associated with ransomware payments and providing steps that can be taken by companies to mitigate the risk of being a victim of ransomware.

All organizations should share information on cybersecurity incidents and anomalous activity to CISA 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

Healthcare IT News offers a report on this announcement here.

Cybersecurity Dive reports

The group behind Hive ransomware completed a full code migration and overhaul to use a more complex encryption method for its ransomware as a service payload, researchers from Microsoft Threat Intelligence Center found.

Microsoft describes Hive, which was first observed in June 2021, as one of the most prevalent ransomware payloads and one of the fastest evolving ransomware families. 

By migrating code from Go to Rust, Hive can use string encryption that boosts its ability to evade discovery, deepen control over the code and heighten protection against reverse engineering.

Of course, here’s a link to the current Week in Ransomware from Bleeping Computer. Check it out.

From the cyber defenses front —

  • Cybersecurity Dive identifies CISO priorities for the second half of this year.
  • In a similar vein, ZDNet discusses “the cybersecurity threats of tomorrow that you should be thinking about today. The rise of quantum computing, deepfakes, the Internet of Things and more are among the things that could create very real challenges for cybersecurity going forwards.”
  • Speaking of quantum computing, CISA announced this week “the establishment of a Post-Quantum Cryptography Initiative to unify and drive agency efforts to address threats posed by quantum computing.” HHS’s HC3 timely released a PowerPoint presentation on Quantum Cryptography and the Health Care Sector.
  • An ISACA expert promotes “The Case for Outcome-Based Cybersecurity: A Data-Focused Shift in Cybersecurity Management.”
  • Cybersecurity Dive brings us current on 5G network security issues. “The most prevailing security challenge in 5G infrastructure is the significant expansion of the attack surface in relation to pre-5G networks,” Ron Westfall, senior analyst and research director at Futurum Research, said.

Cybersecurity Saturday

From the policy front, Health IT Security reports that

In its latest report, the US Government Accountability Office (GAO) called on HHS to improve the healthcare data breach reporting process. Specifically, GAO urged HHS to create a mechanism for entities to provide feedback on the breach reporting process. * * *

HHS concurred with GAO’s recommendations and said it would begin soliciting feedback related to the breach reporting process.

“Specifically, OCR plans to add language and contact information to the confirmation email that regulated entities receive when they submit breach reports through the HHS Breach Portal to invite feedback and questions about the breach reporting process,” GAO stated.

“The agency also plans to implement procedures for OCR’s regional offices to regularly review and address emails received about the breach reporting process through their respective mailboxes. We will continue to follow up with HHS to validate its implementation of this recommendation.”

Health IT Security adds that

GAO’s report also analyzed OCR’s methods of assessing whether covered entities had implemented recognized security practices, as required by the HIPAA Safe Harbor bill, a January 2021 amendment to HITECH.

To advance these efforts, in March 2022, OCR finalized standard operating procedures for investigators to use when assessing these security practices. Additionally, OCR issued a request for information to seek input on the contents of the recognized security practices in early April. OCR received feedback from a variety of industry groups and later announced that it would produce a video presentation on HITECH recognized security practices.

“OCR plans to finalize the review process for considering whether covered entities and business associates have implemented recognized security practices no later than the summer of 2022,” the report explained.

From the cyber vulnerabilities front —

CISA informs us

The Homeland Security Systems Engineering and Development Institute, sponsored by CISA and operated by MITRE, has released the 2022 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list. The list uses data from the National Vulnerability Database to compile the most frequent and critical errors that can lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition. This year’s list also incorporates updated weakness data for recent Common Vulnerabilities and Exposure records in the dataset that are part of CISA’s Known Exploited Vulnerabilities Catalog.

CISA encourages users and administrators to review the 2022 CWE Top 25 Most Dangerous Software Weaknesses and evaluate recommended mitigations to determine those most suitable to adopt.

CISA added nine known exploited vulnerabilities to its catalog this week in this post and that.

Here’s a link to a ZDNet article about this CISA action.

From the ransomware front

CISA posted the following joint cybersecurity advisory (“CSA”) yesterday

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) are releasing this CSA to provide information on MedusaLocker ransomware. Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks. The MedusaLocker actors encrypt the victim’s data and leave a ransom note with communication instructions in every folder containing an encrypted file. The note directs victims to provide ransomware payments to a specific Bitcoin wallet address. MedusaLocker appears to operate as a Ransomware-as-a-Service (RaaS) model based on the observed split of ransom payments. Typical RaaS models involve the ransomware developer and various affiliates that deploy the ransomware on victim systems. MedusaLocker ransomware payments appear to be consistently split between the affiliate, who receives 55 to 60 percent of the ransom; and the developer, who receives the remainder. 

Download the PDF version of this report: pdf, 633 kb

Healthcare Dive adds

MedusaLocker operates under the ransomware as a service model, splitting payments with affiliates who typically get 55% to 60% of the proceeds. The group has been active as recently as May, launching phishing and spam email campaigns to gain initial access. 

A report from Cybereason said MedusaLocker first emerged in late 2019, targeting companies across industries. The group was particularly active in the healthcare space, where many organizations were attacked in connection with the COVID-19 pandemic.

ZDNet tells us

A recently developed form of malware has quickly become a key component in powering ransomware attacks. 

The malware, called Bumblebee, has been analysed by cybersecurity researchers at Symantec, who’ve linked it to ransomware operations including Conti, Mountlocker and Quantum.

“Bumblebee’s links to a number of high-profile ransomware operations suggest that it is now at the epicenter of the cyber-crime ecosystem,” said Vishal Kamble, principal threat analysis engineer on Symantec’s Threat Hunter team. 

Of course, here’s a link to Bleeping Computer’s The Week in Ransomware.

It has been relatively busy this week with new ransomware attacks unveiled, a bug bounty program introduced, and new tactics used by the threat actors to distribute their encryptors.

This week’s big news was the release of LockBit 3.0, which includes a new bug bounty reward program where the threat actors pay between $1,000 to $1 million for submitted bugs and new ways of enhancing their operation.

We also learned that a LockBit affiliate is distributing the ransomware through fake copyright infringement emails, Word docs are used to install AstraLocker directly, and the Black Basta gang is exploiting the PrintNightmare vulnerabilities.

From the cyberdefenses front

ZDNet reports

Many businesses will fail to see the benefits of their zero-trust efforts over the next few years, while legislation around paying off ransomware gangs will be extended and attacks on operational technology might have real-life consequences, according to a set of cybersecurity predictions.

The list comes from tech analyst Gartner, which said business leaders should build these strategic planning assumptions into their security strategies for the next two years.

“We can’t fall into old habits and try to treat everything the same as we did in the past,” said Gartner senior director, Richard Addiscott. “Most security and risk leaders now recognize that major disruption is only one crisis away. We can’t control it, but we can evolve our thinking, our philosophy, our program and our architecture.”

[Here’s the list:]

1. Consumer Privacy Rights will be extended * * *

2. By 2025, 80% of enterprises will adopt a strategy to unify web, cloud services and private application access * * *

3. Many organizations will embrace zero-trust, but fail to realize the benefits * * *

4. Cybersecurity will become key to choosing business partners * * *

5. Ransomware payment legislation will rise * * *

6. Hackers will weaponize operational technology environments to cause human casualties [by 2025] * * *

7. Resilience will be about more than just cybersecurity * * *, and

8. Cybersecurity will matter for the CEO’s bonus * * *.

Cybersecurity Dive reports

Rate pressures on the cyber insurance sector began to moderate as a surge in new buyers and corporate enforcement of cyber hygiene led to a more stable market, according to research from global insurance firm Marsh released Wednesday.

Half of Marsh’s U.S. clients purchased standalone cyber insurance policies in 2021, almost double the 26% of clients in 2016. More businesses understand the financial risks of a cyberattack affecting their bottom line, Marsh said.

Meanwhile, cyber insurance rates are leveling out. Rate increases have steadily dropped from the high reached in Dec. 2021 when businesses paid, on average, 133% more for cyber insurance year over year. That rate increase dropped to 107% in March and 90% in April. Research firm AM Best also found a more moderate pace of rate increases in Q1, Chris Graham, senior industry analyst, said.

Health IT Security adds

Surveyed healthcare cybersecurity leaders reported leveraging multifactor authentication (MFA), identity and access management, and privileged access management (PAM) solutions in hopes of lessening the likelihood of a cyber insurance premium hike, a report from Imprivata conducted by WBR Insights found.

Closer to the desktop, Cybersecurity Dive tells us

Google is rolling out key updates to its password management capabilities as part of an effort to boost security across multiple operating systems and browsers for mobile and desktop users, the company said in an announcement Thursday.

Google Password Manager users will now have the same unified experience whether using Chrome or Android, and iPhone users can now manage passwords through the iOS platform.

Google will automatically warn users about compromised credentials, on top of reused and weak passwords. In addition, Google will warn users about compromised passwords on a range of operating systems and platforms, including Android, Chrome OS, Windows, iOS, MacOS and Linux.

Cybersecurity Saturday

From Capitol Hill, Security Week reports

Two bipartisan cybersecurity bills were signed into law on Tuesday, June 21, 2022, by US President Joe Biden: the Federal Rotational Cyber Workforce Program Act of 2021, and the State and Local Government Cybersecurity Act of 2021.

The Federal Rotational Cyber Workforce Program Act, which has been around since 2018, proposes a program under which certain federal employees can be temporarily moved to other agencies in an effort to boost their skills.

Agencies can determine whether a position involving IT or cybersecurity is eligible for the program. The Office of Personnel Management is tasked with creating an operation plan, and the Government Accountability Office must assess the effectiveness of the program.

The State and Local Government Cybersecurity Act of 2021, is meant to improve collaboration between the Department of Homeland Security and state, local, tribal and territorial governments.

From the cyber vulnerabilities front —

Health IT Security informs us

Application Programming Interface (API) adoption is steadily increasing in the healthcare sector, but APIs do not come without cybersecurity risks. In fact, Gartner predicted that API attacks would become the most common attack vector by 2022.

In healthcare, evidence suggests that API adoption could revolutionize interoperability efforts and health data exchange. In addition, providers are increasingly implementing APIs to comply with the CMS Interoperability and Patient Access final rule. Meanwhile, the HL7 Fast Healthcare Interoperability Resources (FHIR) standard is quickly gaining recognition in the health IT space.

In a recent report, Imperva partnered with the Marsh McLennan Global Cyber Risk Analytics Center to analyze API-related incident data and quantify the cost of API insecurity. Researchers estimated that the lack of secure APIs may cause $12 billion to $23 billion in average annual API-related cyber loss in the US and anywhere from $41 billion to $75 billion globally.

“These estimates provide a view on losses that are entirely avoidable,” the report suggested.

“If companies made an upfront investment in properly securing all of their APIs, their API-related losses could decrease significantly even as their API adoption continues to increase.”

Cybersecurity Dive tells us

Malicious actors continue to dog VMware Horizon and Unified Access Gateway server deployments, capitalizing on unpatched Log4Shell, the Cybersecurity and Infrastructure Security Agency said Thursday in a joint advisory with the U.S. Coast Guard Cyber Command.

The agencies are calling for organizations to update all VMware Horizon and UAG systems and, if fixes weren’t applied in Dec. 2021, organizations should consider their systems compromised and start threat hunting. 

Cybersecurity Dive adds

Two of every five organizations don’t have strong confidence in their open source software security, according to a joint study from The Linux Foundation and Snyk, a firm that specializes in developer security. Just half of organizations actually have a security policy related to open source development or usage, the research showed. 

The average application development project has 49 vulnerabilities and 80 direct dependencies, according to the report. 

The time required to fix vulnerabilities in open source more than doubled to 110 days in 2021, compared with 41 days during 2018, the report found.

From the ransomware front, we have a link to the latest Bleeping Computer’s The Week in Ransomware.

The Conti ransomware gang has finally ended their charade and turned off their Tor data leak and negotiation sites, effectively shutting down the operation.

Since May, a lone Conti member has been posting data from older victims to make the gang appear alive, but in reality, Conti shut down last month.

The members are now long spread out in smaller cells among different operations, making it more challenging to target the crime syndicate.

From the cyber defenses front, ISACA reports on “Why (and How to) Dispose of Digital Data.”

Cybersecurity Saturday

Cybersecurity Dive provides five takeaways from the RSA conference held in San Francisco from June 6 through 9.

From the cyber breach front, MeriTalk provides more details on the settlement of the lawsuit against OPM over the massive 2015 data breach.

The lead counsel in the class action said that individual victims are in line for minimum payments of $700 each under the terms of the settlement, which still needs to be finalized. * * *

The preliminary settlement agreement will be subject to further consideration at a fairness hearing set for Oct. 14.

From the cyber vulnerabilities front,

  • Here is a link to CISA’s known exploited vulnerabilities catalog. Bookmark that one.
  • Becker’s Hospital Review explains why “Cybersecurity experts say that the two biggest threats to healthcare cybersecurity are insider threats and ransomware.”
  • Security Week reports “Microsoft has fixed roughly 50 vulnerabilities with its June 2022 Patch Tuesday updates, including the actively exploited flaw known as Follina and CVE-2022-30190.”

From the ransomware front

  • Cybersecurity Dive discusses how ransomware groups are shifting tactics and objectives.
  • Here is a link to Bleeping Computer’s The Week in Ransomware.

From the cyber defense front

  • HHS’s Healthcare Cybersecurity Coordination Center (HC3) offers a presentation about strengthening cyber posture in the health sector.
  • TechRepublic reports that half of IT leaders want to implement more robust alternatives to passwords, and it describes options.
  • ISACA Journal offers an article on how businesses can reduce cybersecurity exposures to and from third parties.

Cybersecurity Saturday

From the cyberattack front, Federal News Network reports

A D.C. federal judge this week preliminarily approved a $63 million settlement as part of a class action lawsuit brought by victims of the breach into OPM databases. The breach was uncovered in 2015. By then, hackers had stolen the records of nearly 22 million current and former federal employees. The Chinese government is widely thought to be behind the attack. The proposed settlement would only compensate those who can prove they were financially affected by the breach. The court’s order set a Dec. 23 deadline to submit a claim.

Health IT Security adds “Shields Health Care Group reported a healthcare cyberattack to HHS impacting 2 million individuals. The Massachusetts-based healthcare group provides MRI, PET/CT, and ambulatory surgical services to patients across New England at more than 30 locations.”

From the cybervulnerabilities front, Cyberscoop explains

When the Cybersecurity and Infrastructure Security Agency [CISA] debuted its list of known, exploited vulnerabilities in November, it was nearly 300 flaws long and came attached to an order for federal agencies to fix them quickly.

Now, as of this week, the catalog known as “KEV” or the “Must-Patch” list is well on its way to 800 listings, and it’s the “No. 1 topic” that CISA Executive Director for Cybersecurity Eric Goldstein says comes up in his frequent, daily meetings with businesses.

The reason, said Goldstein, is that the private sector has — without any order from his agency — adopted the KEV list as a guide for the vulnerabilities they focus on, rather than relying on the traditional open-source industry standard Common Vulnerability Scoring System for assessing the severity of software weaknesses.

This week, CISA first added 36 and then three more known, exploited vulnerabilities to its catalog.
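The prioritization the Cyberscoop piece describes, as an added example that is not from the article or from CISA: a short Python script that ranks a scan inventory by KEV membership and CISA due date before falling back to CVSS score, and flags KEV entries already past their due date. The KEV feed and the inventory below are constructed samples; the feed’s field names are assumed to follow the public catalog’s JSON feed.

```python
"""Prioritise a vulnerability inventory using CISA's KEV catalog first, CVSS second.

Added example, not from the Cyberscoop article or from CISA. The KEV feed is
represented by a constructed JSON document whose field names are assumed to
match the public catalog feed (cveID, vendorProject, product, dateAdded,
dueDate); every entry and score below is made up for illustration.
"""
import json
from datetime import date

# Constructed stand-in for the KEV JSON feed (schema assumed, values invented).
KEV_JSON = """
{
  "title": "Known Exploited Vulnerabilities (constructed sample)",
  "vulnerabilities": [
    {"cveID": "CVE-2000-0001", "vendorProject": "ExampleVendor", "product": "Gateway",
     "dateAdded": "2022-06-01", "dueDate": "2022-06-22"},
    {"cveID": "CVE-2000-0002", "vendorProject": "ExampleVendor", "product": "Wiki",
     "dateAdded": "2022-06-03", "dueDate": "2022-06-10"}
  ]
}
"""

# Constructed scanner output: CVE id -> CVSS base score (hypothetical findings).
INVENTORY = {
    "CVE-2000-0001": 7.5,   # in KEV, moderate CVSS
    "CVE-2000-0002": 6.1,   # in KEV, lower CVSS but the earliest due date
    "CVE-2000-0003": 9.8,   # critical CVSS, no known exploitation
    "CVE-2000-0004": 4.3,   # low CVSS, not in KEV
}


def load_kev(feed_text):
    """Parse a KEV-style JSON feed into {cveID: dueDate as a date}."""
    feed = json.loads(feed_text)
    return {v["cveID"]: date.fromisoformat(v["dueDate"])
            for v in feed["vulnerabilities"]}


def prioritise(inventory, kev):
    """Return CVE ids in remediation order.

    KEV entries come first, earliest CISA due date first (CVSS breaks ties);
    everything else follows by CVSS base score, highest first. This is the
    'fix what is actually being exploited before chasing the highest score'
    approach the article says the private sector has adopted.
    """
    def sort_key(cve):
        if cve in kev:
            return (0, kev[cve].toordinal(), -inventory[cve])
        return (1, 0, -inventory[cve])
    return sorted(inventory, key=sort_key)


def overdue(inventory, kev, today_iso):
    """KEV entries present in the inventory whose CISA due date has passed."""
    today = date.fromisoformat(today_iso)
    return sorted(c for c in inventory if c in kev and kev[c] < today)


if __name__ == "__main__":
    catalog = load_kev(KEV_JSON)
    for rank, cve in enumerate(prioritise(INVENTORY, catalog), 1):
        tag = f"KEV due {catalog[cve]}" if cve in catalog else "not in KEV"
        print(f"{rank}. {cve}  CVSS {INVENTORY[cve]}  ({tag})")
    print("overdue as of 2022-06-15:", overdue(INVENTORY, catalog, "2022-06-15"))
```

Note that the critical-scoring CVE-2000-0003 lands third: a pure CVSS sort would have put it first, which is exactly the ordering the KEV approach is meant to change.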

The HHS Health Sector Cybersecurity Coordination Center posted its May report about vulnerabilities of interest to the health sector.

Cybersecurity Dive updates us on Microsoft’s Follina and Atlassian’s Confluence recent zero-day vulnerabilities.

CISA released a joint federal agency alert on People’s Republic of China-sponsored cyber actors.

From the ransomware front, Security Week reports

It doesn’t pay to pay [ransom]. This advice on ransomware payment is often given, but rarely enumerated. Now it has been. A new study finds that 80% of companies that paid a ransom were hit a second time, with 40% paying again. Seventy percent of these paid a higher amount the second time round.

These figures come from an April 2022 Cybereason study that queried 1,456 cybersecurity professionals from organizations with 700 or more employees. The shocking statistics, published in Ransomware: The True Cost to Business (PDF), go much deeper.

It’s not a problem that can be ignored with the vague belief, ‘it won’t happen to me’. Seventy-three percent of organizations have suffered at least one ransomware attack in the past 24 months – up 33% from last year.

Sixty percent of companies admitted ransomware gangs had been in their network from one to six months before they were discovered – a key indicator of a double extortion attack. But paying the double extortion fee doesn’t really help; nearly 200,000 companies never received their data back after paying. And the criminals still have the data regardless. Thirty-five percent of companies suffered C-level ‘resignations’ because of a ransomware attack.

Other key findings of the research include the prevalence of the supply chain as a factor in the attack. Sixty-four percent of companies believe the ransomware gang got into their network via one of their suppliers or business partners.

Health IT Security adds

Healthcare ransomware attacks are not slowing down, prompting an increased demand for reliable cyber insurance policies. But as healthcare cyberattacks skyrocket, cyber insurers are pushing up prices or leaving the market altogether, Sophos stated in its “State of Ransomware in Healthcare 2022” report.

Sophos surveyed 5,600 IT professionals, including 381 in healthcare, to garner insights on how healthcare organizations are navigating the cyber threat landscape.

The report found that 66 percent of surveyed healthcare organizations were hit by ransomware in 2021, up from just 34 percent in 2020. About 61 percent of those attacks resulted in data encryption. Survey results also revealed that healthcare was the most likely sector to pay a ransom. Just over 60 percent of respondents who experienced encryption admitted to paying the ransom, compared to a cross-sector average of 46 percent.

Here is a link to Bleeping Computer’s Week in Ransomware.

From the cyber defense front, here are links to a Wall Street Journal report on personal password management and a CISA article on multi-factor authentication.

Cybersecurity Saturday

From Capitol Hill, Cyberscoop reports

A sweeping federal privacy bill unveiled Friday [June 3] would give Americans unprecedented control over how companies collect and use their data. 

The discussion draft was released by Sen. Roger Wicker, R-Miss., and Reps. Cathy McMorris Rodgers, R-Wa., and Frank Pallone, D-Mass. It represents the results of months of intense negotiations and is a step toward federal privacy protections long-awaited by civil society groups.

The 64-page privacy framework introduces a range of changes designed to give consumers more control over their data. It would require covered companies to limit data collection, allow consumers to turn off targeted advertisements, grant broad protections for Americans against discriminatory uses of their data and rein in third-party data collection.

The bill also carves out special protections regarding biometric data, a growing source of concern for privacy and human rights activists. Under the legislation, companies can only collect and share biometric data under specific instances including responding to a warrant and affirmative consent.

The FEHBlog notes that the data security and protection of covered data section, section 208, is integrated with the corresponding HIPAA and Gramm-Leach-Bliley rules.

From the law enforcement front

Cybersecurity tells us

The FBI managed to detect and mitigate an attack by Iranian state-sponsored hackers against Boston’s Children’s Hospital last summer, FBI Director Christopher Wray revealed on Wednesday.

“Quick actions by everyone involved, especially at the hospital, protected both the network and the sick kids that were dependent on it,” Wray said at the Boston Conference on Cyber Security.

Wray called the incident one of the “most despicable cyberattacks” he’s seen, but he noted that the threat was hardly an isolated one. In 2021 the FBI saw ransomware attacks against 14 of the 16 services deemed critical infrastructure by the U.S. government, including hospitals. The FBI issued a warning last November that Iranian hackers were seeking data that could be used to hack U.S. companies.

The agency has been “laser-focused” on potential threats to critical infrastructure resulting from the United States’ support of Ukraine during an ongoing invasion of the nation by Russia. The United States has observed Russia “taking specific preparatory steps towards potential destructive attacks, both here and abroad,” Wray said. And the fallout of those attacks could get worse.

Nextgov informs us

Federal law enforcement agencies have seized several internet domain names in pursuit of an international investigation into websites that permit users to buy stolen personal data and information or hack other networks. 

Announced on Wednesday [June 1], the domain names OVH Booter, WeLeakInfo and IPStress.in have all been procured by the Federal Bureau of Investigation and Department of Justice with a seizure warrant issued by a U.S. District Court for the District of Columbia. 

“Today, the FBI and the department stopped two distressingly common threats: websites trafficking in stolen personal information and sites which attack and disrupt legitimate internet businesses,” said U.S. Attorney Matthew Graves. “Cybercrime often crosses national borders. Using strong working relationships with our international law enforcement partners, we will address crimes like these that threaten privacy, security and commerce around the globe.”

From the vulnerabilities front over the last week

  • CISA has updated Cybersecurity Advisory AA22-138B: Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control, originally released May 18, 2022. The advisory has been updated to include additional indicators of compromise and detection signatures, as well as tactics, techniques, and procedures reported by trusted third parties. CISA encourages organizations to review the latest update to AA22-138B and update impacted VMware products to the latest version or remove impacted versions from organizational networks. 
  • Microsoft has released workaround guidance to address a remote code execution (RCE) vulnerability—CVE-2022-30190, known as “Follina”—affecting the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated attacker could exploit this vulnerability to take control of an affected system. Microsoft has reported active exploitation of this vulnerability in the wild. CISA urges users and administrators to review Microsoft’s Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability and apply the necessary workaround. Bleeping Computer offers more details on Follina, and Wired offers an update on this Follina warning.
  • Atlassian has released new Confluence Server and Data Center versions to address remote code execution vulnerability CVE-2022-26134 affecting these products. An unauthenticated, remote attacker could exploit this vulnerability to execute code remotely. Atlassian reports that there is known exploitation of this vulnerability. CISA strongly urges organizations to review Confluence Security Advisory 2022-06-02 and upgrade Confluence Server and Confluence Data Center.
  • The Healthcare Cybersecurity Coordination Center offered a webinar on the Return of Emotet and the Threat to the Health Sector. Emotet has been called the world’s most dangerous malware.

From the ransomware front over the last week

The Wall Street Journal reports, “Russia-linked ransomware groups are splitting into smaller cells or cycling through different types of malware in attempts to evade a growing array of U.S. sanctions and law-enforcement pressure, cybersecurity experts say.”

CISA issued an alert on the Karakurt Data Extortion Group. “Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom. Known ransom demands have ranged from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim.”

Here is a link to the latest Bleeping Computer’s Week in Ransomware.

From the cyber defense front

  • Cyberscoop offers a video interview with Jim Richberg, Public Sector Field CISO and VP of Information Security at Fortinet concerning “important strategies to counter today’s heightened threat environment.”
  • ZDNet identifies five simple errors that can make your “cloud” an attractive target for hackers.
  • Security Week discusses four tactics to protect email systems.
  • Health IT Security delves into the topic of HIPAA Physical Safeguards.

Cybersecurity Saturday

From Capitol Hill, Health IT Security reports

The US Senate Committee on Health, Education, Labor, and Pensions (HELP) held a full committee hearing on May 18 to discuss the need for an increased focus on education and healthcare cybersecurity.

“Attacks on healthcare are increasing in volume, variety, and impact—with consequences that now include the loss of life,” Joshua Corman, founder of I Am the Cavalry, said in his testimony.

“While directionally correct steps have been taken, we’re getting worse faster than we’re getting better. Bold actions and assistance will be required to change this trajectory, address these market failures, lack of incentives, and historical under-investments.”

Healthcare Dive adds

* Internal actors continue to pose a sticky cybersecurity problem for healthcare companies despite not causing a majority of data breaches, according to a new data breach report from Verizon.

* Employees were responsible for 39% of healthcare breaches last year. That’s compared to just 18% across all industries, Verizon found.

* The makeup of the insider breach has shifted from generally malicious misuse incidents to miscellaneous errors, with employees being more than 2.5 times more likely to make an error than purposefully misuse their access. Data misdelivery — like sending an email to the wrong person — along with device or document loss are the most common employee errors in healthcare, according to the report.

CISA offers its assistance:

Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system. This joint Cybersecurity Advisory identifies commonly exploited controls and practices and includes best practices to mitigate the issues. This advisory was coauthored by the cybersecurity authorities of the United States, Canada, New Zealand, the Netherlands, and the United Kingdom.

Download the PDF version of this report (pdf, 430kb).

Also from the vulnerability front, Cybersecurity Dive reports

Recurring critical vulnerabilities for VMware products this year indicate a worrying trend for customers that suggests the virtualization leader is taking a more reactive approach to security.

The company’s VMware Horizon product got hit hard by the Log4j vulnerability, and earlier this month VMware found itself entangled in an emergency directive from the Cybersecurity and Infrastructure Security Agency (CISA) that impacts up to 10 VMware products. 

It was the 10th emergency directive issued by CISA since the agency was founded in late 2018. 

Virtualization software is ubiquitous and managing the technology is further complicated by its many parts, ExtraHop CISO Jeff Costlow wrote in an email. Threat actors target vulnerabilities across these disaggregated systems before patches are released or deployed by impacted organizations.

VMware’s reputation in this regard has also taken a hit. 

Perhaps that’s what led to this Wall Street Journal report

Broadcom Inc. Chief Executive Hock Tan’s $61 billion deal to buy VMware Inc. marks the biggest bet yet that the boom in enterprise software demand will endure despite the economic tumult—and that bundling disparate offerings of low-profile products can yield outsize returns. 

Mr. Tan built Broadcom into a microchip powerhouse by acquiring makers of a host of unsexy-but-essential components, then cutting costs and leveraging the company’s growing pricing power. He is now banking that the same model will work in corporate software.

The deal to buy VMware, announced Thursday after The Wall Street Journal reported on details of the talks earlier in the week, would push Broadcom deeper into a software world populated by incumbents such as International Business Machines Corp. and Oracle Corp. as well as independent companies that specialize in niche applications. 

CISA added 20 known exploited vulnerabilities to its catalog this past week.

Bleeping Computer’s The Week in Ransomware was not published this week. Have a good Memorial Day Weekend.

Cybersecurity Update

From Capitol Hill, Nextgov informs us

Having cleared the Senate in January, the State and Local Government Cybersecurity Act passed the House Tuesday and now awaits President Joe Biden’s signature.

The bill updates the House Homeland Security Act to direct the Department of Homeland Security to improve information sharing and coordination with state, local and tribal governments—all of which face growing risks of cyberattack. The legislation requires federal cybersecurity officials to share cybersecurity threat, vulnerability and breach data with states and localities, and provide some recovery resources when attacks occur.

From the vulnerabilities front —

Federal News Network reports

Agencies have until Monday [May 23] to mitigate vulnerabilities in five products from VMware that permit attackers to have deep access without the need to authenticate.

The Cybersecurity and Infrastructure Security Agency issued a new emergency directive today saying the vulnerabilities in VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager put federal networks and systems at immediate risk.

“These vulnerabilities pose an unacceptable risk to federal network security,” said CISA Director Jen Easterly in a release. “CISA has issued this Emergency Directive to ensure that federal civilian agencies take urgent action to protect their networks. We also strongly urge every organization — large and small — to follow the federal government’s lead and take similar steps to safeguard their networks.”

Here’s a link to the CISA website on this emergency directive.

CISA also released an analysis of Fiscal Year 2021 Risk and Vulnerability Assessments.

[This] analysis and infographic details the findings from the 112 Risk and Vulnerability Assessments (RVAs) conducted across multiple sectors in Fiscal Year 2021 (FY21). 

The analysis details a sample attack path comprising 11 successive tactics, or steps, a cyber threat actor could take to compromise an organization with weaknesses that are representative of those CISA observed in FY21 RVAs. The infographic highlights the three most successful techniques for each tactic that the RVAs documented. Both the analysis and the infographic map threat actor behavior to the MITRE ATT&CK® framework. 

CISA also added two known exploited vulnerabilities to its catalog last week.

From the ransomware front

Cybersecurity Dive reports

Most executives have and are willing to pay ransoms in the event of an attack, despite broad and consistent advice to the contrary. 

Nearly four in five organizations impacted by ransomware attacks have paid the ransom to regain access to corporate data, according to a survey conducted last month by Kaspersky.

The findings, while not surprising, highlight the extent to which a widely acknowledged best practice is rarely followed. Cybersecurity professionals, including Kaspersky, consistently advise businesses hit by ransomware to never pay the ransom.

Cyberscoop tells us

The federal government has made strides in deterring ransomware over the past year, but still has a number of milestones to reach, according to a new paper from the Institute for Security and Technology’s Ransomware Task Force. * * *

Of the 48 specific recommendations the Ransomware Task Force made in its initial report, 12 have seen tangible progress in the year since. Some initial steps have been taken on 29 recommendations, while seven recommendations have seen no action.

The United States has made the most progress in addressing the RTF’s recommendations for deterring ransomware, according to Friday’s update. In addition to the Department of Homeland Security launching a hiring “sprint” to combat cyber crime, the Justice Department last year created its own ransomware task force. And at the event Friday, Cybersecurity and Infrastructure Security Agency Director Jen Easterly said the DHS unit is creating another task force to collaborate with the FBI and other agencies that fight cybercrime.

The Healthcare Cybersecurity Coordination Center released a PowerPoint on major cyber organizations of the Russian Intelligence Services.

Bleeping Computer reports

The notorious Conti ransomware gang has officially shut down their operation, with infrastructure taken offline and team leaders told that the brand is no more.

This news comes from Advanced Intel’s Yelisey Boguslavskiy, who tweeted [last Thursday] afternoon that the gang’s internal infrastructure was turned off. * * *

While it may seem strange for Conti to shut down in the middle of their information war with Costa Rica, Boguslavskiy tells us that Conti conducted this very public attack to create a facade of a live operation while the Conti members slowly migrated to other, smaller ransomware operations.

Of course, here is a link to the Bleeping Computer’s Week in Ransomware.

From the cyber defenses front

The Wall Street Journal reports

The Justice Department on Thursday [May 19] urged prosecutors to narrow their enforcement of the nation’s main anti-hacking law in a bid to protect legitimate researchers who probe technology for security flaws.

The policy change is a victory for the many cyber professionals and academics who have criticized the Computer Fraud and Abuse Act for potentially criminalizing research that security experts see as key to protecting computer systems from cyberattacks.

Health Data Management discusses seven key steps for avoiding cyberattacks.

1. Protect all workloads

2. Know your adversary

3. Be ready when every second counts

4. Adopt a zero-trust approach

5. Monitor the cybercriminal underground

6. Invest in elite threat hunting

7. Build a cybersecurity culture

CISA offers an updated list of its “free” cybersecurity services, tools, and resources.

Cybersecurity Saturday

From our Nation’s Capital, Cybersecurity Dive reports

On the one-year anniversary of the Executive Order on Improving the Nation’s Cybersecurity, industry experts say the Biden administration has made significant inroads in raising software security standards, but additional work and financial support is necessary to achieve security end goals. 

The Office of Management and Budget’s (OMB) federal zero trust strategy enjoys almost unanimous support from federal cybersecurity decision makers, however two-thirds of federal cybersecurity decision makers said the three-year timeline was unrealistic, according to a study from MeriTalk, sponsored by AWS, CrowdStrike and Zscaler. Just 14% of those surveyed believe the program is properly funded.

Almost two-thirds of federal officials expect to achieve zero trust goals by the goal date of 2024, according to a separate study from General Dynamics Information Technology. However, many of those officials see significant challenges, including a lack of sufficient IT staff and the need to replace legacy infrastructure.

My, how time flies.

Cyberwire adds

A $63 million settlement has been reached in the class-action lawsuit filed over the 2015 data breach of the US Office of Personnel Management (OPM) that exposed the data of over 21 million current, former, and prospective federal employees and families members, the Epoch Times reports. The files were allegedly stolen by China-backed hackers, who exfiltrated highly sensitive information such as fingerprints and psychological and emotional health histories, and it is reported that the Chinese government has been using data from such breaches to build a database on American citizens for political and economic espionage. The agreement explains, “The settlement is the result of extensive negotiations and accounts for the unique aspects of this litigation, including the strict limitation on recovering from the Government and the causation problems that Defendants would have argued result from the hack’s attribution to a foreign state actor…That these data breaches were attributed to the Chinese government, apparently motivated by foreign policy considerations, would have compounded the risks associated with tracing plaintiffs’ harm to [OPM].” Under the settlement, which is still awaiting approval from a federal judge, OPM will pay $60 million and OPM contractor Peraton will pay $3 million into a fund for victims of the hack. 

The news strikes the FEHBlog as a good deal for the government.

From the ransomware front, Cyberscoop informs us

AvosLocker, a prolific ransomware group that was the subject of a recent joint FBI and U.S. Treasury Department warning, claimed this week that it had hit a Dallas-based nonprofit Catholic health system with more than 600 facilities across four U.S. states, Mexico, Chile and Colombia.

The attack on CHRISTUS Health marks the second health care system AvosLocker targeted in the last two months. Michigan-based McKenzie Health System began notifying customers this week that patients’ personal data had been stolen from the company’s network in a “security incident” that “disrupted” some of its IT systems in March. The company did not identify the attacker, but AvosLocker posted purported McKenzie data to its dark web leak site April 6. * * *

Security Week adds

Over the past several months, Iran-linked cyberespionage group Charming Kitten has been engaging in financially-motivated activities, the Secureworks Counter Threat Unit (CTU) reports.

Also referred to as APT35, Magic Hound, NewsBeef, Newscaster, Phosphorus, and TA453, the advanced persistent threat (APT) actor is known for the targeting of activists, government organizations, journalists, and various other entities. * * *

The security researchers assess that, while the group has managed to compromise a large number of targets worldwide, “their ability to capitalize on that access for financial gain or intelligence collection appears limited.” However, the use of publicly available tools for ransomware operations shows that the group remains an ongoing threat, Secureworks concludes.

For more on Charming Kitten, check out this Cyberscoop article.

Here is a link to the Bleeping Computer’s Week in Ransomware column.

From the cyber vulnerabilities front, CISA added one new known vulnerability to its catalog.

From the cyber defenses front, here’s a link to a press release of note

The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the United Kingdom’s National Cyber Security Centre (NCSC-UK), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NZ NCSC), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) released an advisory today [May 11] with cybersecurity best practices for information and communications technology (ICT), focusing on enabling transparent discussions between managed service providers (MSPs) and their customers on securing sensitive data. CISA, NCSC-UK, ACSC, CCCS, NZ-NCSC, NSA, and FBI expect state-sponsored advanced persistent threat (APT) groups and other malicious cyber actors to increase their targeting of MSPs against both provider and customer networks. 

Security Week offers an expert view on seven steps to reduce risk to your critical infrastructure quickly.

Cybersecurity Saturday

From the ransomware front

The HHS Cybersecurity Program released a PowerPoint presentation on ransomware trends in the first quarter of this year.

Here’s a link to Bleeping Computer’s The Week in Ransomware.

Ransomware operations continue to evolve, with new groups appearing and others quietly shutting down their operations or rebranding as new groups. * * * [For example,] the notorious REvil ransomware operation has returned amidst rising tensions between Russia and the USA, with new infrastructure and a modified encryptor allowing for more targeted attacks.

Bleeping Computer adds

The US Department of State is offering up to $15 million for information that helps identify and locate leadership and co-conspirators of the infamous Conti ransomware gang.

Up to $10 million of this reward is offered for info on Conti leaders’ identity and location, and an additional $5 million for information leading to the arrest and/or convictions of individuals who conspired or attempted to participate in Conti ransomware attacks.

From the vulnerabilities front

  • The HHS Cybersecurity Program issued a bulletin on “April Vulnerabilities of Interest to the Health Sector.”

The FBI has warned that business email compromise (BEC) fraud cost businesses around the world $43 billion in losses during the period between June 2016 and December 2021. The FBI’s Internet Crime Center (IC3) logged a whopping 241,206 complaints in the four-and-a-half-year period, with losses totaling $43 billion, according to a new public service announcement.

From the cyber defenses front, CISA “is beginning a month-long mission to rock the message that multifactor authentication keeps you more secure! So, join us for MFA May!” Throughout the month of May:

Follow CISA on Twitter, Facebook, LinkedIn, and Instagram for rocking content all month on MFA.

Tell us on social media that your business or personal devices are now protected by MFA with the hashtag #EnableMFA! We’ll do our best to Pour Some Sugar on your posts!

And since we all get by With A Little Help from Our Friends, challenge your friends, family, co-workers, and fellow rockers to #EnableMFA too.

For What it’s Worth, you can always learn more about multi-factor authentication at https://www.cisa.gov/mfa