Cybersecurity Saturday

From the ransomware front, Cybersecurity Dive reports

The prevalence and scope of ransomware exploded in 2021, as two-thirds of mid-sized organizations worldwide were targets and average ransom payouts saw a five-fold increase, according to the State of Ransomware 2022 report from Sophos released Wednesday. 

Ransomware hit 66% of mid-sized organizations last year, up from 37% in 2020. Average ransom payments reached $812,000 during 2021, compared with $170,000 the prior year.  

Among organizations with encrypted data, 46% paid a ransom to adversaries. In addition, 26% of organizations who were able to restore data from backups still decided to pay a ransom.

To make matters even worse, Security Week informs us

As part of a recent cyberattack, threat actors deployed ransomware less than four hours after compromising the victim’s environment, according to researchers with The DFIR Report.

The attack started with an IcedID payload being deployed on a user endpoint and led to the execution of Quantum ransomware only three hours and 44 minutes later. DFIR Report researchers described it as one of the fastest ransomware attacks they have observed to date.

In a Ryuk ransomware attack in October 2020, the threat actors started encrypting the victim’s data only 29 hours after the initial breach, but the median global dwell time for ransomware is roughly 5 days, according to Mandiant’s M-Trends 2022 report.

Once the ransomware has been executed, however, the victim’s data may be encrypted within minutes. A recent report from Splunk shows that ransomware needs an average of 43 minutes to encrypt data, while the fastest encryption time is less than 6 minutes.

ZDNet describes how a single failure to patch a vulnerability opened the door to ransomware hackers. The article emphasizes the importance of basic cybersecurity hygiene advice:

“The biggest lesson here is patch the network infrastructure – whatever is facing the internet, it’s always important for it to be fully patched,” said Daniel dos Santos, head of security research at Forescout.

It’s also recommended that organisations monitor their networks for external access from known IP addresses or unusual patterns of behavior. In addition, businesses should backup their servers regularly. Then, if something happens, the network can be restored to a recent point without needing to pay a ransom. 

Perhaps then it is not surprising that a Security Week expert advises “it is important to increase an organization’s ransomware preparedness and assure that the tools needed for remediation, eradication, and recovery are not just in place but also functioning as expected. This is especially true for the recovery of endpoints, which represent an essential tool for remote workers to conduct their assigned business tasks in today’s work-from-anywhere environment.” 

As always (and it may be every other week now), here is a link to Bleeping Computer’s The Week in Ransomware.

From the vulnerabilities front, HHS Cybersecurity Program released

  • a report on 2021’s top exploited vulnerabilities
  • a warning about BlackCat/ALPHV Ransomware Indicators of Compromise, and
  • an international joint cybersecurity advisory on Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure.

CISA added “seven new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.”

Health IT Security notes

Mandiant Threat Intelligence observed a record number of zero-day exploits in 2021, its latest report revealed. The firm identified 80 exploited zero-days in 2021, compared to just 30 in 2020. Threat actors favored zero-days in Google, Microsoft, and Apple products most frequently, largely exhibiting the popularity of those vendors.

The term “zero-day” indicates that there is no time between when a vulnerability is discovered by developers and when it is exploited by bad actors.

From the cyberdefenses front —

  • Healthcare Dive discusses what cyber insurance companies expect from their policyholders.
  • Federal News Network provides insights into achieving zero trust requirements.
  • ISACA explains what you need to know about malicious cybertrends.

Cybersecurity Saturday

The Wall Street Journal recently interviewed IBM’s CEO Arvind Krishna. The interview concludes as follows:

WSJ: What is the biggest challenge facing the CIO and enterprise technology going forward?

Mr. Krishna: Cybersecurity is the issue of the decade. I think that is the single biggest issue we all are going to face. You have to take an enterprise approach, layered defenses. You have got to encrypt your data. You have got to worry about access control. You have got to believe you will get broken into. You make sure that you can recover really quickly, especially when it comes to critical systems.

Well put.

The Cybersecurity and Infrastructure Security Agency informs us

The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with attacks involving BlackCat/ALPHV, a Ransomware-as-a-Service that has compromised at least 60 entities worldwide.

CISA encourages users and administrators to review the IOCs and technical details in FBI Flash CU-000167-MW and apply the recommended mitigations. 

Security Week and Bleeping Computer expand on this FBI alert for those interested.

CISA also added three known exploited vulnerabilities to its catalog.

In other vulnerability news, Cyberscoop tells us

More than 450 security researchers working through the Department of Homeland Security’s “Hack the DHS” bug bounty program identified more than 122 vulnerabilities, 27 of which were deemed critical, according to a DHS statement first obtained by CyberScoop.

The agency awarded $125,600 to participants in the program for finding and identifying the vulnerabilities, the agency said in the statement. The researchers, vetted by the agency before participating, were eligible to receive between $500 and $5,000 for verified vulnerabilities, depending on the severity. * * *

Friday’s results represent the first phase of the DHS bug bounty program. The second phase will consist of a live, in-person hacking event, while the third will identify lessons learned to inform future bug bounty programs.

Cybersecurity Dive reports

Amazon Web Services is scrambling to assist customers after security researchers at Palo Alto Networks found severe vulnerabilities in AWS hotpatches that were supposed to protect customers from the Log4Shell vulnerability. 

AWS released a software tool in mid-December designed to patch vulnerabilities found in the Log4j library, however security researchers at Palo Alto’s Unit 42 discovered code vulnerabilities that could let attackers break out of a container environment and gain escalated privileges. 

After working with Palo Alto researchers for months, Amazon released a new hotpatch earlier this week, Unit 42 said in research released Tuesday. Unit 42 researcher Yuval Avrahami is urging organizations to review their container environments and upgrade to the fixed version. A large number of users may have downloaded the original hotpatches. 

The HHS Health Sector Cybersecurity Coordination Center (HC3) released a comprehensive PowerPoint presentation about insider threats in healthcare.

From the ransomware front, HC3 issued an alert on Hive ransomware.

Hive is an exceptionally aggressive, financially-motivated ransomware group known to maintain sophisticated capabilities and has historically targeted healthcare organizations frequently. HC3 recommends the Healthcare and Public Health (HPH) Sector be aware of their operations and apply appropriate cybersecurity principles and practices found in this document in defending their infrastructure and data against compromise.

Becker’s Health IT explains

Here are four things to know about the cyber group, according to the warning:

1. The group uses many common ransomware tactics, including the exploit of remote desktop protocol or VPN, and phishing attacks, in addition to more aggressive methods like directly calling the victims to apply pressure and negotiate ransom payments.

2. Other tactics deployed by the group include searching the victim’s systems that are tied to backups and either terminating or disrupting those connections, deleting shadow copies, backup files and even system snapshots.

3. Hive also conducts double extortion and supports this with their data leaks site, while operating as a ransomware-as-a-service model.

In total, Hive has claimed attacks on approximately 355 companies within 100 days of operations.

HHS is urging healthcare organizations to increase their preventive security measures, such as two-factor authentication, strong passwords, sufficient backups of the most critical data and continuous monitoring.
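The second tactic in the warning, cutting off backups and deleting shadow copies before encryption, is also the most detectable step in a Hive-style intrusion, because the commands involved are rarely run in normal operation and tend to arrive in a burst on one host. The script below is an added example (not HC3’s or Becker’s material) that runs a small set of process-creation detections over constructed sample events in a simplified “timestamp|host|user|command line” format; the hostnames, usernames and command lines are made up for illustration, and the pattern list is illustrative rather than exhaustive.

```python
import re
from dataclasses import dataclass

# Command-line patterns for the recovery-inhibiting steps described above:
# shadow copy deletion, backup catalog deletion, boot recovery disabled,
# backup services stopped. Illustrative, not an exhaustive rule set.
RECOVERY_TAMPER_PATTERNS = {
    "shadow_copy_delete_vssadmin": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "shadow_copy_delete_wmic": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "shadow_storage_resize": re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    "backup_catalog_delete": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "boot_recovery_disabled": re.compile(
        r"bcdedit(\.exe)?\s+.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "backup_service_stop": re.compile(
        r"(net(\.exe)?\s+stop|sc(\.exe)?\s+stop|taskkill(\.exe)?\s+.*/im)\s+.*(veeam|backup|vss|sql)", re.I),
}

# Constructed sample telemetry (hypothetical hosts and users), not real logs.
SAMPLE_EVENTS = [
    "2022-04-20T02:11:03Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "2022-04-20T02:11:05Z|FS01|CORP\\svc_backup|wmic shadowcopy delete",
    "2022-04-20T02:11:09Z|FS01|CORP\\svc_backup|bcdedit /set {default} recoveryenabled No",
    "2022-04-20T02:11:12Z|FS01|CORP\\svc_backup|net stop VeeamBackupSvc /y",
    "2022-04-20T02:15:00Z|WS17|CORP\\jdoe|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE /n",
    "2022-04-20T02:16:44Z|WS17|CORP\\jdoe|vssadmin list shadows",
    "malformed line without delimiters",
]


@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    rule: str
    command: str


def parse_event(line):
    """Split 'timestamp|host|user|command line'; return None for malformed lines."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    return tuple(p.strip() for p in parts)


def detect_recovery_tampering(lines):
    """Return one Alert per event whose command line matches a tamper pattern."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        timestamp, host, user, command = event
        for rule, pattern in RECOVERY_TAMPER_PATTERNS.items():
            if pattern.search(command):
                alerts.append(Alert(timestamp, host, user, rule, command))
                break  # one alert per event; the first matching rule names it
    return alerts


def hosts_with_multiple_tamper_rules(alerts, threshold=2):
    """Hosts on which at least `threshold` distinct tamper rules fired.

    A lone vssadmin call can be legitimate admin work; several different
    recovery-inhibiting commands on one host in a burst is the ransomware signature.
    """
    rules_by_host = {}
    for alert in alerts:
        rules_by_host.setdefault(alert.host, set()).add(alert.rule)
    return sorted(host for host, rules in rules_by_host.items() if len(rules) >= threshold)


if __name__ == "__main__":
    found = detect_recovery_tampering(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.timestamp} {a.host} {a.user} [{a.rule}] {a.command}")
    print("hosts with multiple tamper techniques:", hosts_with_multiple_tamper_rules(found))
```

On the sample input the four FS01 commands each trigger a different rule while the `vssadmin list shadows` query on WS17 does not, so only FS01 reaches the multi-rule threshold. In production the same logic would run over Sysmon Event ID 1 or Windows Security 4688 process-creation events, and an alert on the multi-rule host should go straight to isolation, since the page’s own timing figures show encryption can follow within minutes.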

Speaking of passwords, Cybersecurity Dive discusses the efforts of the FIDO Alliance to gain industry acceptance of using smartphones as the IT authentication standard while the tech industry presses for new methods.

Cybersecurity Saturday

Cyberscoop reports

A joint federal advisory Wednesday says that foreign government-linked hackers are targeting specific industrial processes with tools meant to breach and disrupt them, with one cybersecurity firm noting that the prospective intruders demonstrate an unprecedented “breadth of knowledge” about industrial control systems.

The alert arrives one day after Ukrainian officials and a cyber firm discussed deflecting another ICS-targeting malware that attempted to shut down power in Ukraine. “ICS” is a term that encompasses a number of systems that are especially common in the energy and manufacturing sectors, including a variety known as supervisory control and data acquisition (SCADA).

Cybersecurity company Dragos, which aided in Wednesday’s alert, said it had named the advanced persistent threat (APT) group behind the tools Chernovite, and named the tools themselves Pipedream. Dragos said one potential use of the tools would be to disable an emergency shutdown system. Mandiant, which also aided in the alert, said the malware posed the greatest risk to Ukraine and other nations responding to the Russian invasion.

It’s helpful to know where the Russians are focusing their cyberattacks. The latest Bleeping Computer’s Ransomware Week adds “The tables have turned with the NB65 hacking group modifying the leaked Conti ransomware to use in attacks on Russian entities.”

On the other hand, STAT News tells us,

Ransomware is no longer a threat reserved for only the largest health institutions. Small and rural providers are also getting hit with a wave of attacks, in some cases forcing them to resort to pen-and-paper record keeping to continue serving patients. “We were woefully unprepared,” said John Gaede, director of information services at Sky Lakes Medical Center in rural Oregon. The health system was hit with an attack in October 2020, just as it was responding to its first local surge of Covid cases, making a tough situation nearly impossible to manage.

Such attacks not only create logistical challenges, but also cut off access to electronic medical histories needed to safely care for patients. Read the full story from Marion Renault.

This past week, the Cybersecurity and Infrastructure Security Agency added nine new vulnerabilities to its catalog. CISA explains

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. 

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the specified criteria.
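Acting on CISA’s advice means joining the Catalog against your own asset inventory and treating the Catalog’s dueDate as the remediation deadline, even outside the FCEB. The script below is an added example, not a CISA tool. CISA publishes the Catalog as JSON with, among others, the fields cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate and requiredAction; KEV_SAMPLE is a constructed two-entry excerpt in that schema using the real CVE IDs for the Log4Shell and PrintNightmare flaws mentioned elsewhere on this page, with dates and descriptions that are illustrative rather than copied from the live feed. The inventory of hosts and open CVEs is likewise made up.

```python
import json
from datetime import date

# Constructed excerpt in the Catalog's schema (real CVE IDs; the dates and text
# are illustrative sample values, not the live feed).
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2021-34527", "vendorProject": "Microsoft", "product": "Windows Print Spooler",
         "vulnerabilityName": "Microsoft Windows Print Spooler Remote Code Execution Vulnerability",
         "dateAdded": "2021-11-03", "dueDate": "2022-07-20",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed inventory: hypothetical hosts and the CVEs a scanner reported open on each.
INVENTORY = {
    "app-01": ["CVE-2021-44228"],
    "print-02": ["CVE-2021-34527", "CVE-2021-44228"],
    "db-03": [],
}


def load_kev(feed_text):
    """Index the Catalog by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}


def kev_exposure(inventory, kev, today_iso):
    """Return one finding per (host, CVE) that appears in the Catalog.

    Each finding is flagged overdue when today is past CISA's dueDate. The list is
    ordered overdue first, then by earliest due date, so it reads as a work queue.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # open but not known-exploited: lower priority, not in this report
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": host,
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": entry["dueDate"],
                "overdue": today > due,
                "action": entry["requiredAction"],
            })
    findings.sort(key=lambda f: (not f["overdue"], f["due"], f["host"]))
    return findings


def overdue_hosts(findings):
    """Hosts carrying at least one Catalog entry past its due date."""
    return sorted({f["host"] for f in findings if f["overdue"]})


if __name__ == "__main__":
    catalog = load_kev(KEV_SAMPLE)
    for f in kev_exposure(INVENTORY, catalog, "2022-04-16"):
        status = "OVERDUE" if f["overdue"] else "open"
        print(f'{f["host"]}: {f["cve"]} ({f["product"]}) due {f["due"]} [{status}] -> {f["action"]}')
    print("overdue hosts:", overdue_hosts(kev_exposure(INVENTORY, catalog, "2022-04-16")))
```

Run against the real feed, the only change is reading the JSON from CISA’s site instead of KEV_SAMPLE; the join and the due-date logic stay the same. Note that a CVE absent from the Catalog is deliberately skipped rather than dropped silently: it still belongs in ordinary patch management, just not in the Catalog-driven priority queue.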

From the cybersecurity business front, Cybersecurity Dive informs us,

Kaseya, an IT security and remote monitoring firm, said Monday it will buy Datto for $6.2 billion cash. The deal comes about nine months after Kaseya was hit by a major ransomware and supply chain attack that targeted the company’s small- and medium-size customers. 

The price tag is being funded by an equity consortium, led by Insight Partners, along with significant participation from TPG and Temasek, as well as other firms, including Sixth Street. The agreement represents a 52% premium to Datto’s stock price of $23.37 as of March 16th.

Also on Monday, software investment firm Thoma Bravo announced it struck a $6.9 billion deal for identity management firm SailPoint Technologies Holdings and will take the firm private. SailPoint stockholders will receive $65.25 per share in cash, a 48% premium above the 90-day volume weighted average price. However, the deal has a special “go-shop” provision that allows the board to seek higher bids until May 16th.

From the cyberdefenses front —

  • Federal News Network offers a transcript of an expert conversation about the Administration’s “signature cybersecurity initiative, namely to get every agency to move to zero trust systems architectures.”
  • Cybersecurity Dive stresses the importance of any HIPAA-covered business going well beyond the minimum HIPAA privacy and security rule standards.
  • Security Week reviews necessary cyberdefenses in the healthcare context.
  • Another Security Week article recommends that the good guys think like hackers in order to improve their cyberdefenses.

Cybersecurity Saturday

The HHS Cybersecurity Program was a very active publisher last week. It issued

  • On April 5, HC3 released a list of March vulnerabilities of interest to the healthcare sector;
  • On April 6, HC3 issued a second ICS Medical Advisory – Philips Vue PACS;
  • On April 7, HC3 provided a comprehensive slide deck about “Lapsus$, Okta and the Health Sector,” and
  • On April 8, HC3 issued a sector alert titled “Phishing Campaigns Leveraging Legitimate Email Marketing Platforms.”

Meanwhile, the Cybersecurity and Infrastructure Security Agency released

  • A one-pager on how to report cyber incidents to CISA. This document should help FEHB carriers when they need to report cyber incidents to OPM pursuant to the standard FEHB carrier contract;
  • A “Secure Tomorrow Series Toolkit: Using Strategic Foresight to Prepare for the future.” CISA explains “The Secure Tomorrow Series is a unique platform that brings together SMEs, thought leaders, and others from academia, think tanks, the private sector, and National Labs to think proactively about future risks”, and
  • A list of four known exploited vulnerabilities added to CISA’s vulnerabilities catalog.

CISA also announced that

April is Emergency Communications Month! Throughout the month, we’ll be recognizing the important work of both CISA and the emergency response community. The 911 operating system only begins to scratch the surface of emergency communications. This is a broad, complex, and strategically critical field that includes everything from radio communications systems, broadband and narrowband data systems, to alerts and warning systems, and so much more. It’s only because of this communications backbone that our emergency response community can be operational, collaborative, secure and resilient at the most critical moments.

From the cyberthreats front, ZDnet informs us

A hacking and cyber espionage operation is going after victims around the world in a widespread campaign designed to snoop on targets and steal information. 

Identified victims of the cyber attacks include organisations in government, law, religious groups, non-governmental organisations (NGOs), the pharmaceutical sector and telecommunications. Multiple countries have been targeted, including the U.S., Canada, Hong Kong, Japan, Turkey, Israel, India, Montenegro, and Italy.

Detailed by cybersecurity researchers at Symantec, the campaign is the work of a group they call Cicada – also known as APT10 – a state-sponsored offensive hacking group which western intelligence agencies have linked to Chinese Ministry of State Security. In some cases, the attackers spent as long as nine months inside the networks of victims.  

APT10 has been active for over a decade, with the earliest evidence of this latest campaign appearing in mid-2021. The most recent activity which has been detailed took place in February 2022 and researchers warn that the campaign could still be ongoing. * * *

Defending against a well-resourced nation-state backed hacking group isn’t easy, but there are steps which network defenders can take to help avoid becoming the victim of an attack. These include patching known vulnerabilities – such as those in Microsoft Exchange which Cicada appear to have exploited – and hardening credentials via the use of multi-factor authentication.

Researchers also recommend the introduction of one-time credentials for administrative work to help prevent theft and misuse of admin logins and that cybersecurity teams should continuously monitor the network for potentially suspicious activity.

The Wall Street Journal reports on how hackers target bridges between blockchains to engage in massive cryptoheists. A recent heist reaped $540 million in cryptocurrency for the hackers.

Hackers moved the funds by exploiting the Ronin Network, software that allows users of the online game “Axie Infinity” to transfer digital assets across different blockchains. Growing sums of money exchanged over such bridges has turned them into targets.

The FEHBlog understood that decentralized blockchains were hack proof, but apparently not.

From the cyberdefense front, Security Week offers a commentary on using a resilient zero trust policy.

The FEHBlog was delighted earlier this week to read this Department of Health and Human Services announcement requesting public comment to help HHS craft a rule implementing the December 2021 HITECH Act amendment that creates a limited safe harbor for HIPAA covered entities and business associates that use recognized security practices. HHS seeks public input on identifying these recognized security practices. The public comment deadline is June 6, 2022.

Individuals seeking more information about the RFI or how to provide written or electronic comments to OCR should visit the Federal Register to learn more: https://www.federalregister.gov/documents/2022/04/06/2022-07210/considerat

Cybersecurity Saturday

From Capitol Hill, Health IT Security reports

Senators Bill Cassidy (R-LA) and Jacky Rosen (D-NV) introduced the bipartisan Healthcare Cybersecurity Act (S. 3904), shortly after President Biden warned all critical infrastructure sectors to harden their cyber defenses to safeguard against potential Russian cyberattacks. * * *

The act aims to strengthen healthcare cybersecurity by partnering the Cybersecurity and Infrastructure Security Agency (CISA) with HHS. Specifically, the act would require CISA and HHS to enter into an agreement, as defined by CISA, that would improve cybersecurity in the healthcare and public health sector.

If passed, CISA will work with information sharing organizations and analysis centers to create resources specific to the healthcare sector and to promote threat sharing. The act also supports training efforts for private sector healthcare experts. CISA would be responsible for educating healthcare asset owners and operators on the cybersecurity risks within the sector and ways to manage those risks.

The act also mandated that CISA conduct a thorough study on the cybersecurity risks facing the healthcare sector. The study would explore strategies for securing medical devices and electronic health records, and how data breaches impact patient care.

The Senate Homeland Security and Governmental Affairs Committee held a business meeting on March 30, at which the Committee favorably reported an amended version of S. 3904 (Item 18). This action suggests that the bill has legislative legs. The FEHBlog will keep an eye on it.

Nextgov identifies six cybersecurity takeaways from the President’s proposed FY 2023 budget that was delivered to Capitol Hill last Monday.

In cybersecurity news, CISA announced yesterday

the start of National Supply Chain Integrity Month. CISA in partnership with the Office of the Director of National Intelligence (ODNI) and other government and industry partners is promoting a call to action for a unified effort by organizations across the country to strengthen the information and communications technology (ICT) supply chain.

CISA’s themes for each week include:

Week 1: Power in Partnership – Fortify The Chain!

Week 2: No Shortages of Threats – Educate to Mitigate

Week 3: Question, Confirm, and Trust – Be Supplier Smart

Week 4: Plan for the Future – Anticipate Change

Resources include those developed by the ICT SCRM Task Force, a public-private partnership that embodies the Agency’s collective approach to enhancing supply chain resilience.

Check out our webpage weekly for resources, a social media toolkit, videos, and the latest news: CISA.gov/supply-chain-integrity-month

The HHS Cybersecurity Program informs us

The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy are aware of threat actors gaining access to a variety of internet-connected uninterruptible power supply (UPS) devices, often through unchanged default usernames and passwords. In recent years, UPS vendors have added an Internet of Things (IoT) capability, and UPSs are routinely attached to networks for power monitoring, routine maintenance, and/or convenience.

CISA Insight – Mitigating Attacks Against Uninterruptible Power Supply Devices

Health IT Security reports

H-ISAC and Booz Allen Hamilton released a report and survey outlining the top cyber threats concerning healthcare executives in today’s sophisticated cyber threat landscape.

H-ISAC surveyed cybersecurity, IT, and non-IT executives and found no significant differences between the disciplines when the experts were asked to rank the top five greatest cybersecurity concerns facing their organizations in 2021 and 2022.

Ransomware deployment was the top-rated concern, followed by phishing and spear-phishing, third-party breaches, data breaches, and insider threats.

Medical Economics tells us, “The Confidentiality Coalition and the Workgroup for Electronic Data Interchange sent a letter to the Commerce and HHS Secretaries outlining their concerns with allowing unregulated third-party apps to get access to patient health information.”

From the ransomware front —

Cybersecurity Dive alerts us

The average ransomware payment to cybercriminals surged 78% last year to $541,010, fueled in part by the rapid spread of ransomware as a service (RaaS) business models that reduce barriers to entry for cyber extortionists, Palo Alto Networks said.

Ransomware attacks “show no signs of slowing down,” according to Ryan Olson, vice president of threat intelligence at Palo Alto Networks. “The long-term effects of these ransomware attacks can be devastating, going beyond the actual cost of the ransom to include a number of ancillary costs associated with downtime, remediation and disruptions to business,” the company said in a report.

Ransomware criminals last year targeted companies in the Americas in 60% of their attacks and demanded on average $2.2 million from their victims, a 144% increase compared with 2020, Palo Alto Networks said.

GCN reports

Ransomware encrypts faster than organizations can respond, making it unlikely that they can prevent a total loss of data from an attack, according to a new study.

The research by SURGe, Splunk’s new cybersecurity research arm, found that the median ransomware variant can encrypt 98,561 files totaling almost 54 gigabytes in 42 minutes and 52 seconds.

“Forty-three minutes is an extremely limited window of opportunity for mitigation, especially considering that the average time to detect compromise is three days, as the Mandiant M-Trends report found,” according to “An Empirically Comparative Analysis of Ransomware Binaries,” which Splunk published March 23.

As usual, here is a link to Bleeping Computer’s The Week in Ransomware.

From the cyberdefense front, CIS identifies best practices for regulatory compliance.

Speaking of regulatory compliance, HHS’s Office for Civil Rights announced four HIPAA Privacy Rule enforcement actions last week.

Cybersecurity Saturday

Cyberscoop and Federal News Network discuss the history and next steps of the cyber incident reporting rules found in Division Y of the Consolidated Appropriations Act, 2022.

In other policy news, Healthcare Dive offers an interview with National Coordinator for Health IT Micky Tripathi in which he “shared his thoughts on the scope and content of the interoperability complaints, when industry can expect penalties for providers found information blocking and how the government plans to build on TEFCA moving forward.”

Health IT Security informs us

The Biden-Harris Administration recently called on all private sector organizations to immediately harden their cyber defenses in preparation for potential Russian cyberattacks.  

“My Administration will continue to use every tool to deter, disrupt, and if necessary, respond to cyberattacks against critical infrastructure,” Biden stated publicly.

While there have been no direct threats against healthcare, the sector is known to be a top target for cyberattacks. The Health Sector Cybersecurity Coordination Center’s (HC3) most recent threat brief outlined a detailed history of Russian attacks on US healthcare entities.

Conti ransomware group, which has ties to Russia, was connected to at least 300 cyberattacks against US-based organizations. Conti claimed responsibility for at least 16 US healthcare sector cyberattacks.

HC3 listed past attacks committed by NotPetya, FIN12, and Ryuk, all of which have ties to Russia. In addition, the government identified two new forms of disk-wiping malware, HermeticWiper and WhisperGate, which threat actors used to attack Ukrainian organizations shortly before Russia’s invasion.

Echoing the President’s sentiments, HC3 and Health-ISAC released a statement warning the healthcare sector to take the Administration’s advice and tighten security controls.

Health IT Security adds

Of all critical infrastructure sectors, the healthcare sector faced the most ransomware attacks in 2021, the Federal Bureau of Investigation’s (FBI) 2021 Internet Crime Report revealed. The FBI’s Internet Crime Complaint Center (IC3) also observed a 7 percent increase in total internet crime complaints in 2021 compared to 2020.  

Phishing scams, non-payment or non-delivery scams, and personal data breaches were the most reported cybercrimes in 2021, the report continued. The victims tracked by the IC3 in 2021 lost over $6.9 billion in total, thanks to a multitude of cyber threats. Many of those cyber threats hid in plain sight, disguising themselves as legitimate investment opportunities, tech support, and real estate prospects.

The IC3 received 148 complaints of healthcare ransomware attacks. The next-highest number came from the finance sector, with just 89 complaints.

Looking at the issue from the perspective of a different data source, Politico reports

Nearly 50 million people in the U.S. had their sensitive health data breached in 2021, a threefold increase in three years, according to a POLITICO analysis of the latest HHS data.

Health care organizations including providers and insurers in every state except South Dakota reported such incidents last year. About half of states and Washington, D.C., saw more than 1 in 10 of their residents directly impacted by unauthorized access to their health information, according to the analysis. And hacking accounted for nearly 75 percent of all such breaches — up from 35 percent in 2016.

Experts say the increased hacking can be attributed to the health care industry’s rapid move to digital, particularly amid the Covid-19 pandemic; an increase in remote work, which allows more avenues for attacks with employees using more personal devices; the financially lucrative information for cybercriminals in health care; and greater awareness of attacks across the industry, thus more reporting.

Also from the cyberthreat front —

  • “The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Energy (DOE) published a joint Cybersecurity Advisory [on March 24] with information on multiple intrusion campaigns targeting U.S. and international energy sector organizations conducted by indicted Russian state-sponsored cyber actors from 2011 to 2018. In conjunction with the U.S. Department of Justice unsealed indictments today, this advisory provides the technical details of a global energy sector intrusion campaign using Havex malware, and the compromise of a Middle East-based energy sector organization using TRITON malware.”  
  • CISA added “66 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow on the “Date Added to Catalog” column, which will sort by descending dates.”
  • TechRepublic reports “A relatively new cybercriminal group has quickly gained an infamous reputation for its unique tactics and successful attacks against several major organizations. Known as Lapsus$, the gang uses social engineering to target its victims and has reportedly hit such companies as Samsung, Okta, NVIDIA and Microsoft. In a blog post published Tuesday, Microsoft provides insight into the group’s tactics and techniques and offers tips on how to protect your organization from these attacks.”
  • The FBI and Treasury’s FinCen released “a joint Cybersecurity Advisory identifying indicators of compromise associated with AvosLocker ransomware. AvosLocker is a ransomware-as-a-service affiliate-based group that has targeted victims across multiple critical infrastructure sectors in the United States including, but not limited to, the Financial Services, Critical Manufacturing, and Government Facilities sectors.”
  • Here is a link to Bleeping Computer’s The Week in Ransomware.

From the cyber defense and responsibilities front —

  • The Department of Health and Human Services released “guidance to clarify covered entities’ obligation to require that business associates comply with HIPAA regulations, as specified by 45 Code of Federal Regulations (C.F.R.) § 162.923(c).”
  • Cybersecurity Dive discusses “how to keep business operations running after a cyber incident.”
  • ZDNet offers small business and individuals Windows 11 security advice.

Cybersecurity Saturday

Following up on the President’s signature of the Consolidated Appropriations Act on March 15, Cybersecurity Dive discusses the new critical infrastructure cyberattack reporting requirements. Those requirements will take effect after the Cybersecurity and Infrastructure Security Agency issues implementing regulations. Those regulations, in turn, will let us know whether and to what extent healthcare entities are part of the critical infrastructure subject to the new reporting requirements.

From the vulnerability front, the HHS Cybersecurity Program released its February 2022 vulnerability bulletin on March 18.

Tech Republic reviews the latest vulnerabilities that CISA has added to its catalog.

More specifically, Bleeping Computer informs us

The Federal Bureau of Investigation (FBI) warns of AvosLocker ransomware being used in attacks targeting multiple US critical infrastructure sectors.

This was disclosed in a joint cybersecurity advisory published this week in coordination with the US Treasury Department and the Financial Crimes Enforcement Network (FinCEN).

“AvosLocker is a Ransomware as a Service (RaaS) affiliate-based group that has targeted victims across multiple critical infrastructure sectors in the United States including, but not limited to, the Financial Services, Critical Manufacturing, and Government Facilities sectors,” the FBI said [PDF].

Cybersecurity Dive adds

The FBI and Cybersecurity and Infrastructure Security Agency on Tuesday warned U.S. organizations about Russian state-sponsored threat actors exploiting the PrintNightmare vulnerability, as well as misconfigured account settings used in multifactor authentication (MFA) to launch attacks. 

The threat actors were able to launch an attack against a non-government organization (NGO) dating back to May 2021 using a misconfigured MFA setting set to default. They used the flaw to enroll a new device and gained network access, according to the bulletin. The attackers later exploited the PrintNightmare vulnerability to steal documents after gaining access to the cloud and email accounts. 

Separately, ESET researchers are warning about a third data wiping malware called CaddyWiper, which destroys user data and partition information. The wiper was found Monday on several dozen systems in a limited set of organizations in Ukraine, but does not share code similarities with either HermeticWiper or IsaacWiper.

From the ransomware front

  • Here’s a link to the latest “The Week in Ransomware” from Bleeping Computer.

In early September, researchers with Google’s Threat Analysis Group started tracking a financially motivated hacking group exploiting a since-patched Microsoft vulnerability to gain access to targeted computers. 

Later it became clear that the group is what’s known as an initial access broker — a crew specializing in gaining entry to high-value networks and selling that access to other cybercriminals — and that it is closely affiliated with the notorious Conti ransomware organization.

In findings published Thursday, the Google researchers detail how the group they’re calling “Exotic Lily” employed relatively novel tactics to gain access to targets, and how, at its peak, the hackers sent an estimated 5,000 emails per day to as many as 650 targeted organizations globally.

From the cyberdefense front

  • The HIPAA Journal assesses the March 2022 cybersecurity newsletter from HHS’s Office for Civil Rights, the agency that enforces the HIPAA Privacy and Security Rules.

As the government looks to tighten procurement regulations for critical software, the National Institute of Standards and Technology issued a special publication detailing appropriate ways to assess an organization’s adherence to the agency’s go-to list of enhanced security requirements for protecting controlled but unclassified information.  

“Assessors obtain evidence during the assessment process to allow designated officials to make objective determinations about compliance to the CUI enhanced security requirements,” reads NIST guidance—SP 800-172A—published Tuesday. “The evidence needed to make such determinations can be obtained from various sources, including self-assessments, independent third-party assessments, government-sponsored assessments, or other types of assessments, depending on the needs of the organization establishing the requirements and the organization conducting the assessments.”

  • The Wall Street Journal offers an article by Stuart Madnick, who is the John Norris Maguire Professor of Information Technologies, Emeritus, at the MIT Sloan School of Management and the founding director of the Cybersecurity at MIT Sloan (CAMS) research consortium. Mr. Madnick explains why “[u]nless organizations fix the internal decision-making that allowed a cyberattack to occur, they could be vulnerable to further breaches, researchers say.”

Following up on last week’s post on Google’s acquisition of Mandiant, Cybersecurity Dive puts that transaction in perspective.

“Let’s face it, Google’s in a sort of a death race with AWS and Azure in terms of cloud supremacy, right,” said Garrett Bekker, a principal research analyst with S&P Global’s 451 Research. “To some extent, security is a tool that helps them get there more than an end in and of itself.”

Google’s gobbling up of Mandiant is the latest in a sector feeding frenzy. There were more than 200 M&A deals last year, with aggregate disclosed deal valuations exceeding $55 billion. In the past five years, there were more than 1,000 cybersecurity M&A deals, data from CB Insights show. 

This week recorded a $616.5 million acquisition, with SentinelOne’s plans to add Attivo Networks’ identity security to its XDR suite. 

Cybersecurity Saturday

Cyberscoop reports

The Senate cleared legislation Thursday evening that would make the Cybersecurity and Infrastructure Security Agency (CISA) a hub to receive mandatory industry reports about major cyber incidents and ransomware payments, as well as boost its budget 22% over last year.

Security Week adds

[The new law] requires any entity that’s considered part of the nation’s critical infrastructure, which includes the finance, transportation and energy sectors, to report any “substantial cyber incident” to the government within three days and any ransomware payment made within 24 hours.

[It] also empowers CISA to subpoena companies that fail to report hacks or ransomware payments, and those that fail to comply with a subpoena could be referred to the Justice Department for investigation.

The FEHBlog examined the new law’s definition of a covered entity, and it appears to be sufficiently broad to encompass healthcare.

The FEHBlog learned that the cyber reporting provisions are found in Division Y of the Consolidated Appropriations Act, 2022 (the new law’s official name) and the cyber reporting requirements will take effect following CISA promulgation of implementing rules.

In related news, Bleeping Computer reports

The US Securities and Exchange Commission (SEC) has proposed rule amendments to require publicly traded companies to report data breaches and other cybersecurity incidents within four days after they’re determined as being a material incident (one that shareholders would likely consider important).

“In some cases, the date of the registrant’s materiality determination may coincide with the date of discovery of an incident, but in other cases the materiality determination will come after the discovery date,” the Wall Street watchdog explained.

According to newly proposed amendments to current rules, listed companies would have to provide information in periodic report filings on policies, implemented procedures, and the measures taken to identify and manage cybersecurity risks on Form 8-K.

The amended rules would also instruct companies to provide updates regarding previously reported security breaches.

In cybersecurity business news, the Wall Street Journal informed us on March 8

Google said it reached a deal to buy cybersecurity company Mandiant Inc. for nearly $5.4 billion, aiming to bolster its cloud unit with more cybersecurity offerings at a time when businesses have seen a wave of attacks on their systems.

The deal is the second-largest in history for the Alphabet Inc. unit and comes as the company is facing antitrust lawsuits from the Justice Department and multiple states for allegedly anticompetitive practices.

In buying Mandiant, Google provides a boost to its cloud business, which is rapidly growing but remains smaller than its key rivals. In the most recent quarter, the business saw revenue rise by about 45% to $5.54 billion, or about 7% of the company’s total quarterly revenue.

Thomas Kurian, chief executive of Google Cloud, said that Google wanted to draw from the insights of Mandiant’s threat research in how it applies security solutions to its products, and that the computing giant intended to retain the Mandiant brand. * * *

The companies said the deal is expected to close later this year. Google has faced intense regulatory scrutiny for smaller acquisitions. It took more than a year for Google to close its $2.1 billion acquisition of Fitbit LLC as regulators took a close look at the deal.

From the cyberthreat front, the HHS Cybersecurity Program this past week issued alerts on “PTC Axeda agent and Axeda Desktop Server Vulnerabilities” and a Conti ransomware update. Health IT Security reported on the Conti ransomware update here.

Conti actors typically gain initial access via spearphishing campaigns, stolen Remote Desktop Protocol (RDP) credentials, fake software promoted via search engine optimization, or common asset vulnerabilities.

CISA updated the advisory to include new indicators of compromise, including new domains that had registration and naming characteristics that were similar to those used by Conti in the past.

US organizations, especially in the healthcare sector, should remain on high alert and implement technical safeguards to prevent cyberattacks. Organizations should adopt multi-factor authentication, network segmentation, and frequent vulnerability scanning.

In addition, the advisory recommended that organizations remove unnecessary applications, implement endpoint detection and response tools, restrict access to RDP, and secure user accounts.

In other cybersecurity news, Health IT Security tells us

Although cyberattacks and data breaches have bombarded the healthcare sector in recent years, recent research from Immersive Labs found that healthcare conducts cyber incident response exercises far less than other industries.

Immersive Labs analyzed 35,000 members of the cybersecurity workforce from a variety of industries and found that the healthcare sector conducted only two cyber crisis exercises per year on average. The technology and financial services sectors conducted nine and seven crisis exercises per year on average, respectively.

It makes sense that highly targeted industries like technology and finance would prepare accordingly. But healthcare is an equally high-profile and highly regulated cyberattack target, making the lack of crisis response exercises troubling.

Cybersecurity Saturday

From Capitol Hill, Cyberscoop reports

The Senate passed legislation (S. 3600) Tuesday evening requiring critical infrastructure owners to report to the feds when they suffer a major cyberattack or make a ransomware payment — shaking loose a bill that got stuck in the chamber last year.

Under the measure, which now moves to the House for potential consideration, those critical infrastructure owners and operators as well as federal agencies would have to disclose a significant incident to the Department of Homeland Security’s Cybersecurity and Infrastructure Agency within 72 hours. The same owners and operators would have to report any ransomware payments to CISA, too, only within 24 hours.

Its intent is to give CISA the information it needs to more widely share threat data to help curtail major cyberattacks rippling through key targets, such as what happened in late 2020 when federal contractor SolarWinds suffered a compromise that ended up spreading to federal agencies and major tech companies.

The bill also contains other provisions designed to strengthen federal agencies’ digital defenses. The package got sidelined at the end of 2021 when lawmakers couldn’t resolve a dispute in time over whom the ransomware requirements should apply to, leaving it out of an annual defense policy bill that Congress has enacted for 61 straight years.

The Senate, which passed the bill by unanimous consent, sent S. 3600 over to the House of Representatives for its consideration.

From the Ukrainian war front —

  • CISA continues to update its Shields Up website.
  • The HHS Cybersecurity Program issued an Analysts Note on “The Russia-Ukraine Cyber Conflict and Potential Threats to the US Health Sector.”

With the risk of cyberattacks on the rise due to the war in Ukraine, experts say HR teams should be increasingly vigilant for threats that will disrupt operations.

Beyond phishing trainings and ransomware education, HR may feel divorced from cybersecurity concerns. In the event of an outage or attack, however, people operations managers will be the ones to put their companies back on track, serving as a key liaison between the IT department and company staff at large, so preparation is key.

“HR has historically been responsible for communicating policies and work expectations even if they aren’t produced through a written policy. That’s really what’s necessary for cybersecurity to be effective,” Elizabeth Chilcoat, an associate at Sherman & Howard, said. 

It’s HR’s job to break down post-attack protocol into layman’s terms, both to keep the peace internally and for compliance reasons, she said. 

  • The American Hospital Association offers a podcast and other resources concerning “Russia, Ukraine and Cybersecurity in U.S. Health Care Sector.”

More generally, on Thursday, the HHS Cybersecurity Program posted a PowerPoint on “Health Sector Cybersecurity: 2021 Retrospective and 2022 Look Ahead,” and Bleeping Computer’s “The Week in Ransomware” is back.

This week’s biggest story is the massive data leak from the Conti ransomware operation, including over 160,000 internal messages between members and source code for the ransomware and TrickBot operation.

From the cyberdefense front

  • ZDNet reports “The US Cybersecurity and Infrastructure Security Agency (CISA) just added a whopping 95 new bugs to its catalogue of known exploited vulnerabilities, including multiple critical Cisco router flaws, Windows flaws new and old, and bugs in Adobe Flash Player, and more. ‘CISA has added 95 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise,’ the agency said.”
  • CNBC reports on why companies are moving to the zero trust model of cybersecurity.
  • ISACA describes a five-layer view of data center systems security.
  • Health IT Security tells us

Proper employee cyber hygiene is crucial to maintaining healthcare cybersecurity, a new report conducted by the Center for Generational Kinetics (CGK) and commissioned by Mobile Mentor suggested.

A survey of 1,500 employees across four highly regulated industries—finance, education, government, and healthcare—found that poor password hygiene and new employee onboarding left organizations vulnerable to cyber risks.

More than a third of respondents admitted to finding ways to work around their organization’s security policies, and 72 percent of respondents reported valuing their personal privacy over company security.

Cybersecurity Saturday

The HHS Cybersecurity Program offers us timely “CISA Insights: Preparing for and Mitigating Foreign Influence Operations Targeting Critical Infrastructure.”

Health IT Security adds “The American Hospital Association (AHA) urged hospitals and health systems to remain vigilant against healthcare cyberattacks amid Russia’s invasion of Ukraine” in a public advisory.

Cyberscoop provides the following example.

An infamous ransomware group with potential ties to Russian intelligence and known for attacking health care providers and hundreds of other targets posted a warning Friday saying it was “officially announcing a full support of Russian government.”

The gang said that it would use “all possible resources to strike back at the critical infrastructures” of any entity that organizes a cyberattack “or any war activities against Russia.” The message appeared Friday on the dark-web site used by ransomware group Conti to post threats and its victims’ data. Security researchers believe the gang to be Russia-based.

Conti ransomware was part of more than 400 attacks against mostly U.S. targets between spring 2020 and spring 2021, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the FBI reported in September.

From the FEHB front, FedScoop reports

The Office of Personnel Management has named James Saunders as chief information security officer.

He starts work in the new role Feb. 28 after joining the agency last year as a senior adviser for cloud and cybersecurity.

Previously, Saunders held the post of CISO at the Small Business Administration and moved to OPM in April 2021. One federal IT source speaking to this publication said that Saunders has already been acting as an “unofficial CISO” since joining the agency.

Good luck, Mr. Saunders.

From the good old Log4j front, Security Magazine reports

Security professionals around the globe continue to mitigate the effects of the Log4j vulnerability, which was discovered in December 2021. 

Cybersecurity nonprofit (ISC)² published the results of an online poll examining the Log4j vulnerability and the human impact of the efforts to remediate it. The poll surveyed 269 cybersecurity professionals, revealing the severity and long-term consequences of the Log4j attack for both security teams and the organizations they protect.

Key findings from the poll include:

— Nearly half (48%) of cybersecurity teams gave up holiday time and weekends to assist with Log4j remediation

— Fifty-two percent of respondents said their team collectively spent weeks or more than a month remediating Log4j

— Nearly two-thirds (64%) of cybersecurity professionals believe their peers are taking the zero-day exploit seriously

— Twenty-three percent noted that they are now behind on 2022 security priorities as a result of the change in focus

— More than one in four (27%) professionals believe their organization was less secure while remediating the vulnerability

“The main takeaway from the Log4j crisis and this data is that dedicated cybersecurity professionals are spread thin and need more support to effectively remediate zero-day exploits while still maintaining overall security operations,” said Clar Rosso, CEO of (ISC)².

Regrettably, Bleeping Computer’s The Week in Ransomware was not published this week.