Cybersecurity Saturday

Today is the 113th anniversary of the birth of President Abraham Lincoln who, in the FEHBlog’s opinion, is the best President our Nation ever had.

From the federal legislative and regulatory proposals front —

Nextgov tells us

[On February 8, 2022] Leaders of the Homeland Security and Governmental Affairs Committee introduced the Strengthening American Cybersecurity Act bundling provisions they view as crucial in the wake of vulnerabilities like one found in open-source software library log4j, but couldn’t get over the finish line in previous attempts.

“This landmark, bipartisan legislative package will provide our lead cybersecurity agency, [the Cybersecurity and Infrastructure Security Agency], with the information and tools needed to warn of potential cybersecurity threats to critical infrastructure, prepare for widespread impacts, coordinate the government’s efforts, and help victims respond to and recover from online breaches,” Committee Chairman Gary Peters, D-Mich., said in a press release Tuesday. “Our efforts will significantly bolster and modernize federal cybersecurity as new, serious software vulnerabilities continue to be discovered, such as the one in log4j. This combined bill will also ensure that agencies can procure cloud-based technology quickly, while ensuring these systems, and the information they store, are secure.” 

Health IT Security adds that also last week, “US Senators Tammy Baldwin (D-WI) and Bill Cassidy (R-LA) introduced the Health Data Use and Privacy Commission Act intending to modernize health data privacy laws to reflect the current tech landscape. * * * If passed, the act would establish a commission to review existing health data protections and assess current practices for health data use. The commission, whose members would be appointed by the Comptroller General, would also submit a report to Congress and the President six months after formation with recommendations on modernizing health data privacy.”

Evidently, in furtherance of this legislative proposal, AHIP announced its “core guiding priorities and a detailed roadmap to further protect the privacy, confidentiality, and cybersecurity of consumer health information.”

Reginfo.gov tells us that the Office of Management and Budget’s Office of Information and Regulatory Affairs has received for its review the following: “HIPAA Rules: Request for Information on Sharing Civil Money Penalties or Monetary Settlements With Harmed Individuals, and Recognized Security Practices Under HITECH.” As the HITECH Act of 2009 asked the Department of Health and Human Services to issue such a rule, this RFI falls into the better late than never category.

From the Apache Log4j vulnerability front, Cybersecurity Dive reports

Apache Software Foundation President David Nalley on Tuesday told the Senate Homeland Security & Government Affairs Committee it could take months, or even years, to fully eliminate the Log4j vulnerability. 

Every stakeholder in the software industry, especially the federal government and major customers, should be investing in supply chain security, Nalley said. He endorsed efforts like the software bill of materials (SBOM), but said the legislation won’t prevent vulnerabilities, only uncover them more quickly. 

Sen. Alex Padilla, D-Calif., raised questions over whether there is a “free rider” problem where large companies benefit from open source contributors, while providing very little compensation in return.

Another Cybersecurity Dive article explains

Security flaws in free and open-source software (FOSS) will be a recurring source of cyber risk, Moody’s Investors Service found. It could take organizations three to five years to fully resolve issues related to the Log4j vulnerability.

Certain industries vary in their ability to respond to vulnerabilities, according to 2021 data from BitSight, a Moody’s partner on cyber issues. The telecommunications industry trails other sectors, remediating only 29% of critical vulnerabilities within 90 days. The legal industry, with the quickest response time, remediated 68% of critical vulnerabilities in the same time frame.

The use of FOSS can save organizations considerable time and funding. But issues remain about the lack of financial support and, due to the voluntary participation of many contributors, developers experience high levels of burnout. * * *

While open source helps organizations save considerable time and effort on development, security concerns must be accounted for, said Sandy Carielli, a principal analyst at Forrester.

“However, the mistake is to assume that you can grab an open source library and then never look at it or update it again,” Carielli said via email. “Organizations need to get better about managing their open source — understanding where it is used and automating updates so that when something like Log4j happens, it’s a blip on the radar and can be remediated with practiced upgrade procedures.”

The Moody’s report follows a January report from Fitch warning about the increased cyber risk of Log4j to public finance entities, including local governments, small utilities and critical infrastructure providers. 

From the cybersecurity business front, Cyberscoop informs us

Sustained demand for cybersecurity services and continued innovation across the industry helped 2021 become a record-setting year for deals involving cyber companies, analysts say.

The funding that flowed into cyber companies increased 136% over 2020 levels, to $29.3 billion, up from $12.4 billion the previous year, according to a report published Wednesday by Momentum Cyber, which advises cyber companies on mergers and acquisitions.

Likewise, the total volume of mergers and acquisitions activity reached $77.5 billion, up 294% from calendar year 2020, according to the report.

Several trends are driving those numbers, analysts and executives say: Companies across the economy have expanded their budgets for reliable cybersecurity services, boosting revenues for the industry. In turn, big investors — including private equity groups and venture capitalists — are following that money. And as cyberthreats increase in severity and complexity, smaller firms continue to develop valuable expertise in niche areas of information security.

From the government alert front, the HHS Cybersecurity Program issued an alert last week captioned “Indicators of Compromise Associated with LockBit 2.0 Ransomware and Additional Mitigations.”

Also,

“The Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) issued a joint Cybersecurity Advisory outlining the growing international threat posed by ransomware over the past year.  

“The advisory titled ‘2021 Trends Show Increased Globalized Threat of Ransomware’ outlines top trends seen across three nations including:

  • Cybercriminals are increasingly gaining access to networks via phishing, stolen Remote Desktop Protocols (RDP) credentials or brute force, and exploiting software vulnerabilities.
  • The market for ransomware became increasingly “professional” and there has been an increase in cybercriminal services-for-hire.
  • More and more, ransomware groups are sharing victim information with each other, including access to victims’ networks.
  • Cybercriminals are diversifying their approaches to extorting money.
  • Ransomware groups are having an increasing impact thanks to approaches targeting the cloud, managed service providers, industrial processes and the software supply chain.
  • Ransomware groups are increasingly targeting organizations on holidays and weekends.

“Importantly, today’s Cybersecurity Advisory also lays out mitigations to help network defenders reduce their risk of compromise, appropriate responses to ransomware attacks, and key resources from each respective cyber agency.”

Here is a link to that advisory and, of course, a link to Bleeping Computer’s The Week in Ransomware.

Happy Super Bowl weekend.

Cybersecurity Saturday

Cyberscoop tells us

The Homeland Security Department is establishing a Cyber Safety Review Board that will convene after major cyber events to review and act on them, according to a Federal Register notice.

The notice brings to fruition an idea long circulated among cybersecurity policymakers and thinkers, one set in motion by an executive order President Joe Biden signed in May 2021. The idea is to mimic the National Transportation Safety Board that reviews civil aviation accidents.

The board (CSRB) will have no more than 20 members, with one each required from DHS, its Cybersecurity and Infrastructure Security Agency, the Department of Justice, the National Security Agency and the FBI. The DHS undersecretary for strategy, policy and plans — a post held by Rob Silvers — will serve as the inaugural two-year chair.

It will kick into effect when an incident prompts formation of a Cyber Unified Coordination Group, a National Security Council-established organization for unifying government response to cyber incidents such as those that hit critical infrastructure owners and operators. The 2020 SolarWinds breach, which caused the compromise of both federal agencies and major tech companies, led to a public announcement of a coordination group forming.

From the breach and vulnerability front —

Health IT Security reports

Cyberattacks targeted at health plans and third-party business associates increased last year, while attacks against healthcare providers dipped slightly, a report by Critical Insight discovered.

Researchers analyzed 2021 data from the Office for Civil Rights (OCR) data breach portal and compared it to years past. The report revealed that health plan cyberattacks increased by 35 percent from 2020 to 2021, and attacks against third-party business associates increased by 18 percent.

Interestingly, cyberattacks aimed at healthcare providers declined by approximately 4 percent. Although the decrease is not extreme, it shows that cybercriminals are adapting their tactics and targets as organizations continue to implement safeguards against common exploitation techniques.

and

Threat actors continually leverage unpatched vulnerabilities as their primary ransomware attack vector, a new report by Ivanti in partnership with Cyware and Cyber Security Works found. Researchers discovered 65 new vulnerabilities connected to ransomware in 2021, which signified a 29 percent growth compared to 2020.

Over a third of the 65 newly discovered vulnerabilities were being actively searched for on the internet, further stressing the need to prioritize patching.

More specifically, Bleeping Computer informs us in a report posted yesterday

The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch their systems against an actively exploited Windows vulnerability that enables attackers to gain SYSTEM privileges.

Per a binding operational directive (BOD 22-01) issued in November and today’s announcement, all Federal Civilian Executive Branch Agencies (FCEB) agencies are now required to patch all systems against this vulnerability, tracked as CVE-2022-21882 within two weeks, until February 18th.

While BOD 22-01 only applies to FCEB agencies, CISA strongly urges all private and public sector organizations to reduce their exposure to ongoing cyberattacks by adopting this Directive and prioritizing mitigation of vulnerabilities included in its catalog of actively exploited security flaws.

Cybersecurity Dive discusses four cyberthreat trends to watch this year.

If there is one predictable constant in cybersecurity, it’s the omnipresence of ransomware. As Mandiant put it best, “There’s no end in sight for ransomware.”

But don’t expect ransomware to continue as we know it today. Mandiant predicts threat actors will develop new ways to gain a profit from ransomware, starting with a shift to globalized attacks. * * *

The common thread around these trends is cybercriminals finding a way to manipulate corporate data, and for that problem, there really is no end in sight. 

Of course this quote naturally leads the FEHBlog to offer a link to Bleeping Computer’s The Week in Ransomware.

From the cyberdefense front —

  • Healthcare Dive discusses three tactics shaping ransomware mitigation this year.
  • A Wall Street Journal commentator who is Cato Networks’ CEO explains

Just as Software as a Service revolutionized the internet by letting everyone access applications online rather than buying, installing and managing expensive software, [Cato Network offers] a new [cybersecurity] model, Secure Access Service Edge, promises to do the same thing for network security. To understand roughly what it does, look at your iPhone, which is a telephone, a computer, a high-resolution camera and a global positioning device all in one machine. Secure Access Service Edge will do something similar for network access and security, allowing businesses of all sizes, including small and medium-size ones, network access and security without a host of costly components.

Cool.

Cybersecurity Saturday

To set the stage, last Tuesday, “ECRI, an independent, nonprofit organization that provides technology solutions and evidence-based guidance to healthcare decision-makers worldwide, lists cybersecurity attacks as the top health technology hazard for 2022 in its just-released annual report.”

What’s more, HC3 issued its Fourth Quarter 2021 Healthcare Cybersecurity Bulletin.

Getting down to business, HC3 also released a useful PowerPoint presentation with background and remediation / prevention tips for the Log4j vulnerability.

From the irony department, ZDNet reported yesterday that

Microsoft researchers have discovered a previously undisclosed vulnerability in the SolarWinds Serv-U software while monitoring threats related to Log4J vulnerabilities. 

Jonathan Bar Or explained on Twitter that while he was hunting for a Log4J exploit attempt, he noticed attacks coming from serv-u.exe. 

“Taking a closer look revealed you could feed Serv-U with data and it’ll build an LDAP query with your unsanitized input! This could be used for log4j attack attempts, but also for LDAP injection,” he wrote.

“Solarwinds immediately responded, investigated and fixed the #vulnerability. Their response is the quickest I’ve seen, really amazing work on their part!”
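The defect Bar Or describes is the classic LDAP injection pattern: a value the user controls is spliced into a search filter, so filter metacharacters in the input change the query's meaning. The Python below is an added example written for this post, not code from the ZDNet article, from Serv-U or from SolarWinds. It shows the vulnerable and the hardened way of building a filter side by side, and runs both against a constructed in-memory "directory" using a deliberately tiny evaluator that understands only the `&`, `|` and `attr=value` subset of LDAP filter syntax (both are assumptions made for the demonstration; a real application would hand the escaped filter to its LDAP client library).

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample directory standing in for the LDAP server (demo assumption).
DIRECTORY: List[Dict[str, str]] = [
    {"objectClass": "user", "uid": "alice", "memberOf": "admins"},
    {"objectClass": "user", "uid": "bob", "memberOf": "staff"},
    {"objectClass": "user", "uid": "carol", "memberOf": "admins"},
    {"objectClass": "group", "uid": "admins"},
]

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
LDAP_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-controlled string so it can only ever be a literal filter value."""
    return "".join(LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_filter_vulnerable(username: str) -> str:
    # The bug class from the article: raw input spliced straight into filter syntax.
    return f"(&(objectClass=user)(uid={username}))"


def build_filter_hardened(username: str) -> str:
    # Same query, but the value is escaped before it touches the filter.
    return f"(&(objectClass=user)(uid={escape_filter_value(username)}))"


# --- Minimal filter evaluator: a toy subset of LDAP (&, | and attr=value with '*') ---

def parse_filter(s: str, i: int = 0) -> Tuple[Any, int]:
    """Parse one filter starting at s[i]; returns (node, index after its ')')."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = parse_filter(s, i)
            children.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated compound filter")
        return (op, children), i + 1
    end = s.find(")", i)
    if end < 0 or "=" not in s[i:end]:
        raise ValueError("malformed simple filter")
    attr, value = s[i:end].split("=", 1)
    return ("=", attr, value), end + 1


def _unescape(value: str) -> str:
    # Turn \2a, \28, ... back into the literal characters they stand for.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _value_matches(pattern: str, actual: str) -> bool:
    # Only an unescaped '*' is a wildcard; everything else is matched literally.
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), actual, flags=re.IGNORECASE) is not None


def _matches(node: Any, entry: Dict[str, str]) -> bool:
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(_matches(child, entry) for child in node[1])
    _, attr, pattern = node
    actual = entry.get(attr)
    return actual is not None and _value_matches(pattern, actual)


def search(directory: List[Dict[str, str]], filter_str: str) -> List[str]:
    """Return the uids matched by filter_str, rejecting filters with trailing junk."""
    node, end = parse_filter(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing characters after filter")
    return [e["uid"] for e in directory if _matches(node, e)]


if __name__ == "__main__":
    for user_input in ["bob", "*", "*)(memberOf=admins"]:
        print(repr(user_input),
              "vulnerable ->", search(DIRECTORY, build_filter_vulnerable(user_input)),
              "hardened ->", search(DIRECTORY, build_filter_hardened(user_input)))
```

For an honest username both builders return the same single entry. For an input carrying filter metacharacters, the concatenated filter either matches every user or gets rewritten to query an attribute the caller never meant to expose (`memberOf` in the demo), while the escaped filter matches nothing because the input is now just an unusual literal string. Detection-wise, the same property helps: filter values arriving with `*`, `(` or `)` in a field that should never contain them are worth logging.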

On a broader scale, ZDNet also reports that

The US government has urged organizations to shore up defenses “now” in response to website defacements and destructive malware targeting Ukraine government websites and IT systems. 

The US Cybersecurity and Infrastructure Security Agency (CISA) has published a new ‘CISA Insights’ document aimed at all US organizations, not just critical infrastructure operators. The checklist of actions is CISA’s response to this week’s cyberattacks on Ukraine’s systems and websites, which the country’s officials have blamed on hackers linked to Russian intelligence services.

From the latest vulnerabilities front, Cyberscoop informs us that

QR codes are among the few “winners” of the coronavirus pandemic, the joke goes, because restaurants and other businesses have deployed them in far greater numbers over the past few years, in an effort to make more interactions contactless.

The FBI is warning, however, that scammers love them, too.

The bureau’s Internet Crime Complaint Center (IC3), issued a general alert Tuesday about “malicious” QR codes that reroute unsuspecting consumers to the world of cybercrime.

“[C]ybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim’s device, and redirecting payment for cybercriminal use,” the announcement says.

Last but never least, here is a link to Bleeping Computer’s The Week in Ransomware.

Cybersecurity Saturday

The headline news of the week is brought to us by the Wall Street Journal

The Russian government on Friday [January 14] said it had arrested members of the prolific criminal ransomware group known as REvil that has been blamed for major attacks against U.S. business and critical infrastructure, disrupting its operations at the request of U.S. authorities.

Russia’s security service, the FSB, said in an online press release that it had halted REvil’s “illegal activities” and seized funds belonging to the group from more than two dozen residences in Moscow, St. Petersburg and elsewhere. REvil members were arrested in relation to money-laundering charges, the FSB said. It didn’t provide names of any of the suspects.

The arrests included “the individual responsible for the attack on Colonial Pipeline last spring,” a particularly devastating ransomware offensive that led to the main conduit of fuel on the U.S. East Coast being shut down for days, a senior Biden administration official said. A different Russian ransomware gang had previously been linked to the Colonial hack, but security experts and officials have said they are not neatly defined and that individual hackers often overlap.

“We welcome reports the Kremlin is taking law enforcement steps to address ransomware within its borders,” the official said.

Needless to say this development also is the focus of Bleeping Computer’s The Week in Ransomware.

From the log4j front, Healthcare Dive tells us that

— Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said the agency has not yet seen the Log4j vulnerability used for significant intrusions but cautioned that sophisticated threat actors may be lying in wait for cybersecurity defenders to be caught off guard during a lower level of awareness.

— Threat actors have used the vulnerability to install and sell cryptomining software on victims’ computers and to potentially launch future botnet attacks. CISA cannot independently confirm research showing nation-state threat actors developing attacks based on Log4Shell, Easterly said during a presser Monday. 

— Microsoft security researchers identified a China-based threat actor, tracked as DEV-0401, exploiting the Log4j vulnerability in systems using VMware Horizon to deploy NightSky ransomware, researchers said in an updated blog.

Federal News Network interviewed Gordon Bitko, former FBI chief information officer and now senior vice president of policy at the Information Technology Industry Council, about this infamous vulnerability.

Gordon Bitko: Tom, where there’s a difference from SolarWinds. Log4j wasn’t a coordinated — as far as we know — attack by an adversary. It was a vulnerability that was identified, and so the people who are exploiting it now seem more like cybercriminals who were using it as a way to implant ransomware, things of that nature.

Tom Temin: Alright, so you can never rest on your laurels.

Gordon Bitko: That is 100% the case. It is important for everybody doing cybersecurity and their management to understand it’s a race on a treadmill. You can never stop.

Last Wednesday Cyberscoop reported that

Tech giants and federal agencies will meet at the White House on Thursday to discuss open-source software security, a response to the widespread Log4j vulnerability that’s worrying industry and cyber leaders.

Among the attendees are companies like Apple, Facebook and Google, as well as the Apache Software Foundation, which builds Log4j, a ubiquitous open-source logging framework for websites.

“Building on the Log4j incident, the objective of this meeting is to facilitate an important discussion to improve the security of open source software — and to brainstorm how new collaboration could rapidly drive improvements,” a senior administration official said in advance of the meeting.

Here’s the White House readout from that meeting. According to that document, the discussion focused on three topics:

Preventing security defects and vulnerabilities in code and open source packages, improving the process for finding defects and fixing them, and shortening the response time for distributing and implementing fixes. In the first category, participants discussed ideas to make it easier for developers to write secure code by integrating security features into development tools and securing the infrastructure used to build, warehouse and distribute code, like using techniques such as code signing and stronger digital identities.

In the second category, participants discussed how to prioritize the most important open source projects and put in place sustainable mechanisms to maintain them.

In the final category, participants discussed ways to accelerate and improve the use of Software Bills of Material, as required in the President’s Executive Order, to make it easier to know what is in the software we purchase and use. 

For a government meeting open to you, dear readers:

The Cybersecurity and Infrastructure Security Agency (CISA) is holding virtual mini-Industry Day events throughout this year. These events will allow CISA and industry to have meaningful discussions about cybersecurity capabilities, challenges, top priorities, requirements, and technologies as well as future business opportunities.

The first Virtual Mini-Industry Day will be Wednesday, January 26, at 10 a.m. (EST). This event will provide insight into current and future challenges as well as provide presentations regarding IT FY22 information technology focus areas, FY23-25 foundational work, engineering, information assurance, information technology operations, and records management/governance. To attend, please register by Tuesday, January 18, at 5 p.m. ET.

Finally, ZDNet offers its recommendations on

Cybersecurity Saturday

Health IT Security reports

As a new year begins, threat actors are continuing to overwhelm providers and patients with healthcare data breaches. Some experts predict that ransomware actors will favor data exfiltration over encryption this year and that they will shift their focus to APIs and other attack vectors in order to throw off victims.

Florida-based health system Broward Health recently suffered a protected health information (PHI) breach that impacted 1.3 million individuals. Meanwhile, other healthcare organizations are still recovering from a ransomware attack on HR management solutions vendor Kronos.

Many healthcare organizations are also focused on mitigating threats associated with the recently discovered Apache Log4j vulnerability, which could have catastrophic security implications for multiple sectors if exploited.

HHS urged healthcare organizations to implement the Log4j patch and ramp up incident response functions. Healthcare organizations should also remain wary of ransomware, phishing, and other prominent cyber threats that continue to impact organizations across all sectors.

The more things change, etc.

Cyberscoop adds that

The Federal Trade Commission Tuesday warned companies that if they fail to take action to remedy a major recent software vulnerability in open-source software tool Log4j, there could be legal repercussions.

“When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss, and other irreversible harms,” the agency warned. “It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”

Log4j is ubiquitous in software used throughout the technology industry, and is found in products built by companies including Amazon, Google and Microsoft. The widespread use of such technology has made it difficult to identify potential victims. At the same time, the popularity has made it an easy target for a range of cybercriminals to exploit.

Cybersecurity Dive concludes

As U.S. industries and government agencies restart operations after the winter holiday break, security researchers are warning the impacts of the Log4j vulnerability will continue to leave organizations open to potential threats in the coming weeks and months. 

“Exploitation attempts and scanning remained high during the last weeks of December,” Microsoft said in an updated blog post. Attackers have added exploits to existing malware kits and tactics, ranging from coin miners to hands-on-keyboard attacks. 

The Apache Software Foundation released version 2.17.1 of Log4j last week, the latest in a series of updates since the vulnerability was disclosed in December. The newly released fix addresses the risk of remote code execution when an attacker with certain permissions can create a malicious configuration using a JDBC Appender, according to Apache. 

And it wouldn’t be a Cybersecurity Saturday post without offering a link to Bleeping Computer’s The Week in Ransomware.

Cybersecurity Friday

Happy New Year.

Due to the holidays, there has been a two-week-long break in the FEHBlog’s cybersecurity posts. The December 18 post focused on the Java Log4j vulnerability, which is still causing cybersecurity problems according to this Cyberscoop article:

A Chinese hacking group known for industrial espionage and intelligence collection used a vulnerability in Log4j to go after a large academic institution, researchers at CrowdStrike revealed Wednesday.

Tech Republic reports on how to check for Log4j vulnerabilities using a “simple to use script.” The article walks the reader through a sample scan. HC3 also released an alert calling attention to the availability of this vulnerability scanner.

This Health IT Security article adds that “The HHS 405(d) Task Group issued a brief outlining the risks associated with the recently discovered Apache Log4j vulnerability that could have catastrophic security implications for healthcare and other sectors.” Bleeping Computer offers a detailed situation report on the Log4j vulnerability.

Speaking of catastrophes, Bleeping Computer looks back at the ten largest healthcare protected health information breaches in 2021 and Tech Republic identifies the ten worst password snafus this year. Tech Republic adds

How can you make sure your employees follow strong password security guidelines to protect your organization’s sensitive data? Dashlane offers the following tips:

Establish a culture of security. Employees need to understand what part they play in securing your company’s data. They must be involved in discussions about security. And they should have the tools required to follow strong password and security hygiene.

Train employees. Show employees how to spot and report possible security risks and threats. You may want to create a special email or contact they can use to report an incident.

Implement the right technology. This means using such tools as email security, endpoint protection and password managers.

Track the results of your security tools. Find ways to measure the effectiveness of your security defenses. For example, some password managers have a health feature that analyzes and rates the strength of your passwords.

Also, Health IT Security offers expert cybersecurity predictions for 2022. For example,

By December 31, 2022, healthcare organizations will be required to migrate to Fast Healthcare Interoperability Resources (FHIR) APIs in order to enable seamless data sharing. As organizations adjust and implement the new data standards, it is likely that threat actors will use APIs as a network entry point.

“As interoperability becomes more of a mainstream priority for healthcare organizations and we see more APIs that are being introduced between critical systems, I think we’re going to see a rise in the number of attacks that are focused on compromising those APIs,” Mac McMillan, CEO of CynergisTek, predicted in an interview with HealthITSecurity.

“It’s another area where [we] don’t typically have a good, consistent approach across the board in healthcare with respect to testing APIs for security.”

Cybersecurity Saturday

Roughly a year after we experienced SolarWinds, we have the Apache Log4j flaw. ZDNet tells us that “A flaw in Log4j, a Java library for logging error messages in applications, is the most high-profile security vulnerability on the internet right now and comes with a severity score of 10 out of 10.” Here is a link to ZDNet’s FAQ on the Log4j flaw and the patches available.

ZDNet adds

If there ever was any doubt over the severity of the Log4j vulnerability, director of US cybersecurity and infrastructure agency CISA, Jen Easterly, immediately quashed those doubts when she described it as “one of the most serious that I’ve seen in my entire career, if not the most serious”.

Not surprisingly therefore, Federal News Network reports that

The Cybersecurity and Infrastructure Security Agency issued an emergency directive today [December 17] requiring civilian executive branch agencies to determine all Internet-facing assets with the critical “Log4j” vulnerability and either patch or mitigate any vulnerable software within a week.

By Dec. 23 at 5 p.m., agencies are directed to “enumerate all solution stacks accepting data from the internet” and then check whether any of them have the Log4j vulnerability using a CISA-managed GitHub repository available on the agency’s website, according to the new directive.

By the same deadline, agencies are given three options for how to address any vulnerable software: “immediately” update assets where patches are available; mitigate the risk of exploitation using another mitigation measure listed on CISA’s website; or remove the affected asset from their networks.
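The directive's check step, and the Tech Republic scanner script mentioned higher up on this page, both reduce to the same inventory task: find every copy of log4j-core on a host, including copies bundled inside application archives, read its version, and compare it with the fixed release. The Python below is an added example written for this post; it is not CISA's repository, the Tech Republic script or Apache's code. It assumes the well-known layout of log4j-core jars (the `pom.properties` path and the `JndiLookup` class), treats 2.17.1 as the fixed release for the 2.x line while ignoring the 2.12.x and 2.3.x backport branches, and uses constructed in-memory jars as its input so it runs offline.

```python
import io
import os
import re
import zipfile
from typing import Dict, List, Optional

# Well-known paths inside log4j-core 2.x jars.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

# Assumption for this demo: only the main 2.x line is considered, and 2.17.1 is
# taken as the first release of that line without a known Log4Shell-related CVE.
# The 2.12.x / 2.3.x backport branches for older Java versions are ignored.
FIXED_VERSION = (2, 17, 1)


def parse_version(version: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); pre-release suffixes are reduced to their digits."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def classify(version: Optional[str], jndi_lookup_present: bool) -> str:
    if version is not None and parse_version(version) >= FIXED_VERSION:
        return "patched"
    if not jndi_lookup_present:
        # Deleting JndiLookup.class was a common stop-gap; the upgrade is still due.
        return "mitigated"
    return "vulnerable"


def scan_archive(data: bytes, name: str) -> List[Dict[str, object]]:
    """Inspect one jar/war/ear (as bytes) and every archive nested inside it."""
    findings: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version is not None or JNDI_LOOKUP in names:
            findings.append({
                "archive": name,
                "version": version,
                "jndi_lookup_present": JNDI_LOOKUP in names,
                "status": classify(version, JNDI_LOOKUP in names),
            })
        # Fat jars, WARs and EARs carry their dependencies as nested archives.
        for member in sorted(names):
            if member.lower().endswith(ARCHIVE_SUFFIXES):
                try:
                    findings.extend(scan_archive(zf.read(member), f"{name}!/{member}"))
                except zipfile.BadZipFile:
                    continue  # not actually a zip; skip it
    return findings


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk a directory on a real host and scan every archive found."""
    findings: List[Dict[str, object]] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings.extend(scan_archive(fh.read(), path))
    return findings


def make_sample_jar(version: str, with_jndi_lookup: bool) -> bytes:
    """Constructed fixture: a minimal jar that mimics log4j-core's layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder, not a real class
    return buf.getvalue()


def make_fat_jar(members: Dict[str, bytes]) -> bytes:
    """Constructed fixture: an application jar bundling other jars under BOOT-INF/lib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BOOT-INF/classes/com/example/App.class", b"\xca\xfe\xba\xbe")
        for member_name, member_bytes in members.items():
            zf.writestr(member_name, member_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    app = make_fat_jar({"BOOT-INF/lib/log4j-core-2.14.1.jar": make_sample_jar("2.14.1", True)})
    for finding in scan_archive(app, "app.jar"):
        print(finding)
```

On a real host, `scan_tree("/opt")` (or wherever application archives live) produces the same dictionaries for each archive found. A version of `None` with `JndiLookup.class` present means a repackaged or shaded copy whose `pom.properties` was stripped; those need manual follow-up rather than being dropped from the list.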

Bleeping Computer’s The Week in Ransomware focuses its attention on cybercriminal exploitation of this flaw.

Health IT Security adds

At least 39 ransomware groups have attacked the healthcare sector across 27 countries in the past 18 months, data from the CyberPeace Institute’s Cyber Incident Tracer revealed. Despite explicitly saying that they would not target healthcare, 12 groups singled out the sector.

Some healthcare organizations may simply be collateral damage, an accompanying blog post explained. Some ransomware operators used vague terms like “medical organizations” when describing which entities were off limits. Others saw pharmaceutical companies as fair game. Half of the 12 ransomware operators targeted hospitals specifically, despite saying that they would not target healthcare. * * *

Other groups target healthcare by choice. The FIN12 affiliate group has a reputation for going after healthcare organizations. Threat intelligence firm Mandiant discovered that nearly 20 percent of the group’s attacks were targeted at healthcare entities, and over 70 percent were aimed at US-based entities.

Sometimes, healthcare organizations may be targeted out of indifference. Usually, this means that the healthcare organizations fell victim to “spray and pray” tactics, where ransomware operators will execute phishing campaigns or Remote Desktop Protocol (RDP) brute force attacks with the hopes of getting some organizations to fall for the attack.

The Wall Street Journal aptly describes 2021 as “the year that hackers went wild and changed everything.”

The U.S. government in 2021 began to take a more decisive—and prescriptive—role in how digital defenses are constructed, on the back of a string of high-profile cyberattacks against the nation’s critical infrastructure.

Jingle Bells.

Cybersecurity Saturday

From Capitol Hill, per Nextgov, “the House [of Representatives] on Tuesday passed the NDAA conference report—language House and Senate Armed Services Committee leaders agree on that reconciles versions of the bill from each chamber. The next step is a vote on the conference report by the Senate” (H.R. 4350).

Nextgov adds

“There were intensive efforts to get cyber incident reporting done but ultimately the clock ran out on getting it in the NDAA,” House Homeland Security Committee Chairman Bennie Thompson, D-Miss., and Rep. Yvette D. Clarke, D-NY, who chairs the committee’s panel on cybersecurity, said in a joint statement Tuesday.

The annual Defense Authorization Act still “initiates the widest empowerment and expansion of CISA through legislation since the SolarWinds incident,” according to a summary of the bill released by the House Armed Services Committee Tuesday.

The bill gives CISA added responsibilities around identifying threats to industrial control systems, and removing cybersecurity vulnerabilities while establishing voluntary partnerships with industrial control system and internet ecosystem companies. 

From the government initiative front, Health IT Security reports that

HHS launched a new website for its 405(d) Program with the goal of aligning healthcare cybersecurity across the industry. Under the Cybersecurity Act of 2015, HHS established the 405(d) Aligning Health Care Industry Security Approaches Program and the 405(d) Task Group, which is comprised of more than 150 industry and government experts.

The program aims to uphold the motto that “cyber safety is patient safety,” and its website contained resources, videos, products, and tools to help raise awareness and promote cybersecurity best practices, the HHS announcement stated.

“Healthcare professionals understand the importance of hand washing when it comes to mitigating the spread of diseases. Similarly, we know that cybersecurity practices reduce the risk of cyber-attacks and data breaches,” the website maintained.

Also, the HHS Health Sector Cybersecurity Coordination Center (HC3) issued a healthcare sector alert yesterday:

A highly utilized application called Log4j contains a severe, known vulnerability that is being actively and aggressively attacked. Upon successful exploitation, a compromised system or device can be used to execute arbitrary code, which can serve as the beginning of a larger cyberattack potentially resulting in any number of effects including data exfiltration and ransomware. HC3 advises healthcare and public health organizations to survey their infrastructure and ensure they are not running vulnerable versions of Log4j. Any vulnerable systems should be upgraded, and a full investigation of the enterprise network should commence to identify possible exploitation if a vulnerable version is identified.

Report

Log4j is a very common Java library/framework that provides logging capabilities to any number of software platforms that it serves. In late November, a remote code execution (RCE) vulnerability (tracked as CVE-2021-44228) was identified in certain versions which are now being actively exploited in the wild. Proof of concept exploit code has been circulating social media for several days and is publicly posted on well-known code repositories. The Log4j software is maintained by Apache and they have released an update which should be deployed (after testing, as needed) across all vulnerable devices in the enterprise in a timely manner.
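The alert's first instruction, survey your infrastructure for vulnerable Log4j versions, is harder than it sounds because log4j-core is usually buried inside application archives rather than sitting on disk by itself. Below is an added example of that survey, written for this digest and not part of HC3's alert or of Apache's own tooling. It relies on two real locations inside log4j-core jars, the Maven pom.properties file that records the version and the JndiLookup class whose removal Apache documented as a mitigation, and it treats 2.15.0 (with the 2.12.2 and 2.3.1 backports for Java 7 and Java 6) as the first fixed releases for CVE-2021-44228. The "jars" it scans in the demo are constructed stand-ins holding only that metadata, written to a temporary directory.

```python
"""Survey a directory tree for Log4j 2 (log4j-core) archives and classify each
against CVE-2021-44228. Added example for this digest, not HC3's or Apache's
tooling; the "jars" it builds for the demo are constructed metadata-only stand-ins."""
import io
import os
import re
import tempfile
import zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# Maven metadata shipped inside log4j-core jars, and the class whose removal
# Apache documented as a mitigation when upgrading was not immediately possible.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparsable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None


def is_vulnerable(version):
    """True for log4j-core releases affected by CVE-2021-44228 (2.0-beta9 to 2.14.1).

    First fixed releases: 2.15.0 (Java 8+), 2.12.2 (Java 7 backport), 2.3.1
    (Java 6 backport). Log4j 1.x is a separate code base outside this CVE, so it
    is not flagged here; 2.0 betas before beta9 are over-reported, not special-cased.
    """
    v = parse_version(version)
    if v is None or v[0] != 2:
        return False
    _, minor, patch = v
    if minor == 12:
        return patch < 2
    if minor == 3:
        return patch < 1
    return minor < 15


def classify(version, jndi_present):
    if not jndi_present:
        return "mitigated"    # JndiLookup.class removed: the exploited code path is gone
    if version is None:
        return "unknown"      # shaded/repackaged copy without Maven metadata: review by hand
    return "vulnerable" if is_vulnerable(version) else "fixed"


def inspect_archive(blob, label, depth=0):
    """Findings for one archive plus archives nested inside it (two levels deep)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return findings
    names = set(zf.namelist())
    jndi = JNDI_CLASS in names
    if POM_PROPS in names or jndi:
        version = None
        if POM_PROPS in names:
            m = re.search(r"^version=(.+)$", zf.read(POM_PROPS).decode("utf-8", "replace"), re.M)
            version = m.group(1).strip() if m else None
        findings.append({"archive": label, "version": version,
                         "jndi_lookup_present": jndi, "status": classify(version, jndi)})
    if depth < 2:   # WAR/EAR files and fat jars bundle log4j-core under WEB-INF/lib and similar
        for n in sorted(names):
            if n.lower().endswith(ARCHIVE_EXT):
                findings.extend(inspect_archive(zf.read(n), f"{label}!{n}", depth + 1))
    return findings


def scan_tree(root):
    """Walk `root`, inspect every archive, and label findings by path relative to root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    blob = fh.read()
                findings.extend(inspect_archive(blob, os.path.relpath(path, root).replace(os.sep, "/")))
    return findings


def make_jar(version, with_jndi=True, nested=None):
    """Constructed stand-in for a log4j-core jar: Maven metadata and a marker class only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                                   "artifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")   # class-file magic, no real bytecode
        for name, inner in (nested or {}).items():
            zf.writestr(name, inner)
    return buf.getvalue()


def build_samples():
    """Write the constructed sample archives to a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="log4j-survey-")
    os.makedirs(os.path.join(root, "lib"))
    samples = {
        "lib/log4j-core-2.14.1.jar": make_jar("2.14.1"),
        "lib/log4j-core-2.15.0.jar": make_jar("2.15.0"),
        "lib/log4j-core-2.12.2.jar": make_jar("2.12.2"),
        "lib/log4j-core-2.14.1-patched.jar": make_jar("2.14.1", with_jndi=False),
        "service.war": make_jar(None, with_jndi=False,
                                nested={"WEB-INF/lib/log4j-core-2.13.3.jar": make_jar("2.13.3")}),
    }
    for rel, blob in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(blob)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_samples()):
        print(f"{f['status']:<10} {f['version'] or '?':<8} {f['archive']}")
```

Point `scan_tree` at application and vendor install directories rather than at a temp dir to use it for real. Two limits matter: a disk scan cannot see a vulnerable copy that an appliance or SaaS vendor runs on the organization's behalf, which is why the alert also calls for an enterprise-wide investigation, and 2.15.0 is the floor for this CVE rather than the target, since Apache shipped further 2.x releases afterward; patch to the current release and re-run the survey.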

From the interviews department

  • Tech Republic interviews Walgreens Boots Alliance CTO Mike Maresca “about what keeps him up at night and why building internal and external partnerships is key for digital transformation success.”
  • The Wall Street Journal interviews Kathy Hughes, the CISO for Northwell Health, a hospital/healthcare system in New York City and Long Island, and Joey Johnson, the CISO for Premise Health, which offers health and wellness services to employers, among others. This tidbit from the interview grabbed the FEHBlog’s attention:

WSJ: Can you briefly explain a couple of technologies that you had to deploy?

MS. HUGHES: The most significant one was, because we had seen such an uptick in phishing emails, we deployed a technology that actually does a live scan of a URL when it’s clicked within an email. The technology that we had before, if a URL had been accessed that was previously determined and rated to be malicious, it would be blocked. But this enabled us to do that in real time.

Cool.

From the hacking front, Cyberscoop reports

Hackers associated with the SolarWinds supply chain compromise have been busy in the year since that attack was revealed, compromising multiple cloud solution companies with the goal of stealing data relevant to Russian interests and finding routes to additional victims, new research reveals.

Findings published Monday [December 6] by a team of analysts at Mandiant collate previous observations and analysis — along with the efforts of “hundreds of consultants, analysts and reverse engineers” — to paint a picture of potentially distinct groups working alongside or within a more established Russian intelligence hacking group known as Nobelium, a name given to the group by Microsoft. The group is also known as Cozy Bear.

Last but never least, here is a link to Bleeping Computer’s The Week in Ransomware.

This week has quite a bit of ransomware news, including arrests, a new and sophisticated ransomware, and an attack bringing down 300 supermarkets in England.

This week’s biggest story is a law enforcement operation conducted by the FBI and Ontario Provincial Police (OPP) that arrested a Canadian ransomware affiliate allegedly involved in hundreds of attacks.

We also learned about the new ALPHV (aka BlackCat) ransomware that appears to be one of the most sophisticated ransomware families we have seen this year.

Finally, this week’s largest known ransomware attack was on James Hall and Co, which affected point-of-sale systems and led to the temporary closing of over 300 Spar supermarkets in England. This week’s other known attack is on Nordic Choice Hotels by the Conti ransomware gang.

Cybersecurity Saturday

From the Capitol Hill front, Bank Info Security reviews the cybersecurity and breach notice measures found in the National Defense Authorization Act for the current government fiscal year. Defense One reports that the Senate at this point is not expected to pass its version of the bill until next month.

From the administrative front, Cyberscoop reports that

The Cybersecurity and Infrastructure Security Agency on Wednesday [December 1] named members to a new [Congressionally mandated] cyber advisory panel that will make recommendations on subjects ranging from battling misinformation to gaining aid from the hacker community on national cyber defense.

Among the 23 members selected are leaders from social media, cybersecurity companies, major technology firms and critical infrastructure sectors such as finance and energy. It includes officials from Johnson & Johnson and Walmart, as well as a longtime cybersecurity journalist and the mayor of Austin, Texas. * * *

Bylaws for the committee published in July said it would address subjects like critical infrastructure protection, information sharing, risk management and public-private partnerships. Wednesday’s announcement added potential subjects like the cyber workforce and disinformation. Its first meeting is Dec. 10.

Federal News Network informs us that

The Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security is putting the final touches on several guidance documents to help ease the transition to a zero trust cybersecurity environment.

The entire goal of this effort is to move security away from the network and to the data and application layers.

John Simms, the deputy branch chief of the Cybersecurity Assurance Branch in CISA, said the documents and other efforts are helping agencies shift their cyber thinking away from the network and closer to the data.

Over the last three months, CISA, along with the Office of Management and Budget, rolled out the draft zero trust strategy, the draft cloud security technical reference architecture and the draft zero trust maturity model.

From the reports front

  • On Thursday December 2, the Government Accountability Office issued a report in connection with GAO testimony before Congress “on the need for the federal government to develop and execute a comprehensive national cyber strategy, and to strengthen the role that it plays in protecting the cybersecurity of critical infrastructure. Ensuring the cybersecurity of the nation is on our High Risk List, and we have urged federal agencies to act on it.”
  • The HHS Office of Information Security released a presentation on December 2 about the risks that the cybercriminal group FIN12 poses to the healthcare sector.
  • Health IT Security reports on new Healthcare ISAC guidance to help CISOs navigate interoperability, patient access, and identity-centric data sharing under the 21st Century Cures Act. New interoperability mandates under the Cures Act require healthcare organizations to implement APIs to promote the digitization of electronic health information (EHI). “While APIs are the ‘door’ to enabling interoperability of EHR between healthcare organizations, strong identity solutions are the ‘key’ that keeps EHI secure,” the guide explained. OPM is eager for FEHB plans to offer these APIs to their members.

Here is a link to Bleeping Computer’s The Week in Ransomware.

The biggest news over the past two weeks is the unsealing of a United States’ Complaint for Forfeiture detailing how the FBI seized 39.89138522 bitcoins from an Exodus wallet belonging to an REvil affiliate. Based on the email listed in the court document, it is believed that the affiliate is one known as ‘Lalartu.’

The FBI also disclosed that Cuba ransomware has attacked 49 US critical infrastructure orgs and received at least US $43.9 million in ransom payments.

ZD Net adds that

Cyber criminals are using online adverts for fake versions of popular software to trick users into downloading three forms of malware – including a malicious browser extension with the same capabilities as trojan malware – that provide attackers with usernames and passwords, as well as backdoor remote access to infected Windows PCs.

The attacks, which distribute two forms of seemingly undocumented custom-developed malware, have been detailed by cybersecurity researchers at Cisco Talos who’ve named the campaign ‘magnat’. It appears the campaign has been operating in some capacity since 2018 and the malware has been in continuous development.  

Over half of the victims are in Canada, but there have also been victims around the world, including in the United States, Europe, Australia and Nigeria.

In closing, an expert in Security Week offers his four cybersecurity predictions for 2022.

Cybersecurity Saturday

The FEHBlog hopes that his readers enjoyed the 400th Thanksgiving holiday.

Congress will be in session for the next two weeks. Cyberscoop brings us up to date on the legislative effort to include a data breach and ransomware reporting provision in the must-pass National Defense Authorization Act bill for the current federal fiscal year.

As we enter our country’s major holiday season, Tech Republic reports that “An alert issued Monday [November 22] by the Cybersecurity and Infrastructure Security Agency [CISA] and the FBI urged organizations to be on guard for ransomware attacks that take advantage of worker downtime during Thanksgiving [etc.].”

In the alert, CISA stressed that neither it nor the FBI have identified any specific threats that might occur on or around Thanksgiving. But with or without advanced warning, organizations need to be prepared for attacks designed to take advantage of the holiday.

ISACA offers an expert column on using zero trust and XDR to stop ransomware. The FEHBlog has linked to several columns on zero trust but he had not heard of XDR. It turns out that

XDR brings together information about possible attack elements (e.g., indicators of compromise [IoCs]) with logs of network traffic, quirky endpoint behavior, cloud and Software-as-a-Service (SaaS) service requests, and server events for analysis. The power of XDR is that it goes beyond security information and event management (SIEM) which aggregates log data to include correlation, analysis and machine learning (ML)-augmented modelling. This forms the basis for an effective response.

By deploying an XDR solution (which can detect many attack elements) with a zero trust-enabled architecture (which hardens infrastructure against malicious attacks), one can substantially improve survivability against ransomware. So, deploy an IAM tool. Use multifactor authentication (MFA), at least for high-privilege accounts. Segment the network. And put an XDR tool in place for the security operations center (SOC). You will have a much calmer, more predictable, less eventful day-to-day work experience.

Because Bleeping Computer’s The Week in Ransomware was not published Thanksgiving week, here is a Health IT Security overview of cybersecurity issues affecting the healthcare sector.