Cybersecurity Saturday

From Capitol Hill, The Hill informs us that

The Senate is eyeing the annual defense bill as a vehicle to attach critical provisions to improve the nation’s cybersecurity following a devastating year in which major attacks left the government flat-footed.  

The [bipartisan] amendment [to the National Defense Authorization Act] would give critical infrastructure groups, nonprofit organizations, state and local governments, and certain businesses 24 hours to report ransomware attack payments. It also includes language to update the Federal Information Security Modernization Act (FISMA) to clarify the roles of key agencies in responding to cyber incidents, another key bipartisan priority. 

“It’s got broad bipartisan support, and we are hoping to get it in this package,” Peters told The Hill Wednesday. “Of course, we’ve got negotiations and then the House, and we’ve been working with our House counterparts too.”

The House already approved its version of the 2022 NDAA in September, including a raft of measures in the defense package intended to strengthen the nation’s cybersecurity.

Cyberscoop provides more breach notice news

Banks must report major cybersecurity incidents to federal officials within 36 hours under a rule that U.S. financial regulators finalized on Thursday.

Beginning in May 2022, financial executives will need to be more forthcoming about computer system failures and interruptions, such as ransomware or denial-of-service attacks that have the potential to disrupt customers’ ability to access their accounts, or impact the larger financial system. * * *

The final approval comes as Congress weighs broader reporting rules for critical infrastructure owners and operators, and as the Transportation Security Administration has begun imposing reporting requirements on leading pipeline, rail and air transport companies.

The 36-hour timeline for banks falls between the leading proposals on Capitol Hill at around 72 hours, and the TSA rules at 12 hours.

OPM allows FEHB carriers a 24-hour period to notify the agency about a breach or security incident.

On the advanced persistent threat front, Health IT Security reports that

US cyber officials along with allies from Australia and the UK issued an advisory warning the healthcare and transportation sectors about an Iranian government-sponsored advanced persistent threat (APT) group that has been exploiting Microsoft Exchange ProxyShell and Fortinet vulnerabilities. * * *

The FBI, CISA, ACSC, and NCSC recommend that organizations using Microsoft Exchange or Fortinet stay cautious and look for the following signs of suspicious activity:

— Search for IOCs. Collect known-bad IOCs and search for them in network and host artifacts. 

— Investigate exposed Microsoft Exchange servers (both patched and unpatched) for compromise. 

— Investigate changes to Remote Desktop Protocol (RDP), firewall, and Windows Remote Management (WinRM) configurations that may allow attackers to maintain persistent access. 

— Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.

— Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating-system defined or recognized scheduled tasks for unrecognized “actions” (for example, review the steps each scheduled task is expected to perform).

— Review antivirus logs for indications they were unexpectedly turned off.

— Look for WinRAR and FileZilla in unexpected locations. 
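The hunt list above is easier to apply to exported logs than by clicking through each host. The script below is an added example, not part of the advisory or the FEHBlog post: it triages Windows event records (plain dicts with EventID, Channel and Data, as a SIEM export or `Get-WinEvent | ConvertTo-Json` would produce) against the checks the agencies recommend. The event IDs are the standard ones (4698 task created, 4720 account created, 4657 registry value set, 4946 firewall rule added, 4688 process created, Defender 5001 real-time protection disabled); the sample records are constructed and the trusted-directory list and watched-tool names are assumptions you should tune to your estate.

```python
"""Triage exported Windows event records against the FBI/CISA hunt list:
scheduled tasks and what they actually run, new accounts, RDP/WinRM/firewall
changes, antivirus switched off, and WinRAR/FileZilla in unexpected places.
Records are plain dicts (EventID, Channel, Data); the samples are constructed.
"""
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumed trusted install locations; extend for your software baseline.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
WATCHED_TOOLS = {"winrar.exe", "rar.exe", "filezilla.exe"}   # named in the advisory
DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"


def in_trusted_dir(path: str) -> bool:
    return path.strip('"').lower().startswith(TRUSTED_DIRS)


def basename(path: str) -> str:
    return path.strip('"').lower().rsplit("\\", 1)[-1]


def task_actions(task_xml: str):
    """Yield (command, arguments) for each <Exec> action in a 4698 task body."""
    root = ET.fromstring(task_xml)
    for ex in root.findall(".//t:Exec", TASK_NS):
        yield (ex.findtext("t:Command", default="", namespaces=TASK_NS),
               ex.findtext("t:Arguments", default="", namespaces=TASK_NS))


def triage(events):
    """Return (check, detail) findings for the records worth an analyst's time."""
    findings = []
    for ev in events:
        eid, d = ev["EventID"], ev["Data"]
        if eid == 4698:                                   # Security: task created
            # Review the task's actions, not just its name: a familiar-looking
            # task that runs a binary from a user-writable path is the tell.
            for cmd, args in task_actions(d["TaskContent"]):
                if not in_trusted_dir(cmd) or "-enc" in args.lower():
                    findings.append(("scheduled task",
                                     f"{d['TaskName']} runs {cmd} {args}".strip()))
        elif eid == 4720:                                 # Security: account created
            findings.append(("new account",
                             f"{d['TargetUserName']} created by {d['SubjectUserName']}"))
        elif eid == 4657:                                 # Security: registry value set
            key, name, val = d["ObjectName"].lower(), d["ObjectValueName"], d["NewValue"]
            if key.endswith("\\terminal server") and name == "fDenyTSConnections" and val == "0":
                findings.append(("rdp enabled", d["ObjectName"]))
            elif "\\winrm\\" in key:
                findings.append(("winrm config change", f"{d['ObjectName']}\\{name}={val}"))
        elif eid == 4946:                                 # Security: firewall rule added
            findings.append(("firewall rule added", d["RuleName"]))
        elif eid == 5001 and ev["Channel"] == DEFENDER_CHANNEL:
            findings.append(("antivirus disabled", "Defender real-time protection turned off"))
        elif eid == 4688:                                 # Security: process created
            exe = d["NewProcessName"]
            if basename(exe) in WATCHED_TOOLS and not in_trusted_dir(exe):
                findings.append(("tool in unexpected location", exe))
    return findings


def _task_xml(command: str, arguments: str = "") -> str:
    return (f'<Task xmlns="{TASK_NS["t"]}"><Actions><Exec><Command>{command}</Command>'
            f'<Arguments>{arguments}</Arguments></Exec></Actions></Task>')


SAMPLE_EVENTS = [   # constructed records, not from any real incident
    {"EventID": 4698, "Channel": "Security", "Data": {"TaskName": "\\Microsoft\\Windows\\Updater",
        "TaskContent": _task_xml("C:\\Users\\Public\\svc.exe", "-k")}},
    {"EventID": 4698, "Channel": "Security", "Data": {"TaskName": "\\Backup",
        "TaskContent": _task_xml("C:\\Windows\\System32\\wbadmin.exe", "start backup")}},
    {"EventID": 4720, "Channel": "Security", "Data": {"TargetUserName": "support$",
                                                      "SubjectUserName": "Administrator"}},
    {"EventID": 4657, "Channel": "Security", "Data": {
        "ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server",
        "ObjectValueName": "fDenyTSConnections", "NewValue": "0"}},
    {"EventID": 4946, "Channel": "Security", "Data": {"RuleName": "Allow 3389 any"}},
    {"EventID": 5001, "Channel": DEFENDER_CHANNEL, "Data": {}},
    {"EventID": 4688, "Channel": "Security", "Data": {"NewProcessName": "C:\\ProgramData\\fz\\filezilla.exe"}},
    {"EventID": 4688, "Channel": "Security", "Data": {"NewProcessName": "C:\\Program Files\\WinRAR\\WinRAR.exe"}},
]

if __name__ == "__main__":
    for check, detail in triage(SAMPLE_EVENTS):
        print(f"[{check}] {detail}")
```

Two caveats for real use: 4657 only fires for keys that carry an audit SACL, so confirm the Terminal Server and WinRM keys are audited before trusting the absence of findings, and the second WinRAR record above is deliberately not flagged because the advisory's point is location, not the tool itself.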

To mitigate risk, the FBI, CISA, NCSC, and ACSC urged organizations to patch and update operating systems, evaluate and update blocklists and allowlists, and implement backup and restoration policies. In addition, organizations should implement network segmentation, work to secure all user accounts, implement multi-factor authentication, secure remote access, and use strong passwords.

For more information, see CISA’s assessment and overview of the ongoing Iranian cyber threat. 

Also on the prevention front, CISA announced that

The White House, via Executive Order (EO) 14028: Improving the Nation’s Cybersecurity, tasked CISA, as the operational lead for federal cybersecurity, to “develop a standard set of operational procedures (i.e., playbook) to be used in planning and conducting cybersecurity vulnerability and incident response activity” for federal civilian agency information systems. In response, today, CISA published the Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. The playbooks provide federal civilian executive branch (FCEB) agencies with operational procedures for planning and conducting cybersecurity incident and vulnerability response activities. The playbooks provide illustrated decision trees and detail each step for both incident and vulnerability response.  
 
FCEB agencies should use the playbooks to shape their overall defensive cyber operations. The playbooks apply to information systems used or operated by an FCEB agency, a contractor of the agency, or another organization on behalf of the agency. CISA encourages agencies to review the playbooks and CISA’s webpage on EO 14028 for more information.  
 
Although CISA created the playbooks for FCEB agencies, we encourage critical infrastructure entities; state, local, territorial, and tribal government organizations; and private sector organizations to review them to benchmark their own vulnerability and incident response practices.

CISA also updated its known exploited vulnerabilities catalog.

And of course, here is a link to Bleeping Computer’s The Week in Ransomware.

While last week was full of arrests and law enforcement actions, this week has been much quieter, with mostly new research released.

Security firms released reports on the types of cryptomixers used by ransomware gangs, a detailed report on Conti, and how Russian ransomware gangs are starting to work with Chinese hackers.

ZDNet adds that “Ransomware is now a giant black hole that is sucking in all other forms of cybercrime. File-encrypting malware is where the money is — and that’s changing the whole online crime ecosystem.”

Cybersecurity Saturday

Inside Cybersecurity provides useful legal perspectives on the Defense Department’s recent changes to its Cybersecurity Maturity Model Certification program for defense contractors.

The evolution of DOD’s Cybersecurity Maturity Model Certification program reflects a response to concerns from the defense industrial base, according to attorneys, who said recent major changes show the Pentagon is taking into account pre-existing mechanisms for contractor compliance with cyber standards and is considering how the program can be implemented effectively.

CMMC 2.0 consolidates DOD’s cyber certification effort into three levels and relies heavily on NIST publications 800-171 and 800-172. The extra 20 controls in level two (formerly level three) are removed from the new model along with maturity processes.

Attorneys surveyed by Inside Cybersecurity questioned whether the Pentagon’s decision to walk back the CMMC model to align with the 110 controls in NIST 800-171 for level two is an effective approach and where things stand with assessment organizations who have been preparing to conduct assessments since the first version of the maturity model debuted in early 2020.

Check it out.

In Security Week, cybersecurity consultant Torsten George reflects on the recent Cybersecurity Awareness Month.

Despite all the new technologies, strategies, and artificial intelligence being employed by security experts and threat actors alike, one thing remains constant: the human element. As humans we’re fallible — a fact that threat actors frequently exploit when launching phishing and social engineering campaigns to establish a foothold in their victim’s IT environment. Ultimately, hackers don’t hack in anymore—they log in using weak, default, stolen, or otherwise compromised credentials.

The reality is that many breaches can be prevented using some basic cyber hygiene tactics, coupled with a Zero Trust approach. Yet most organizations continue investing the largest percentage of their security budget on protecting their network perimeter rather than focusing on security controls which can actually effect positive change to protect against the leading attack vectors: credential abuse and endpoints serving as main access points to an enterprise network.

And as usual Bleeping Computer’s The Week in Ransomware is chock full of news:

This week, law enforcement struck a massive blow against the REvil ransomware operation, with multiple arrests announced and the seizure of cryptocurrency.

On Monday, the US Department of Justice, Europol, and Interpol announced arrests of REvil affiliates and members in Kuwait and Romania. The FBI also announced the arrest of the REvil affiliate behind the July Kaseya attack that encrypted over 1,500 organizations.

In addition, the US announced that $6 million in ransom payments was seized from the REvil ransomware operation.

This week, the other big news is a massive attack on the European electronics retailer MediaMarkt by the Hive Ransomware operation.

What’s more, Krebs on Security reports that

The Federal Bureau of Investigation (FBI) confirmed today [November 13] that its fbi.gov domain name and Internet address were used to blast out thousands of fake emails about a cybercrime investigation. According to an interview with the person who claimed responsibility for the hoax, the spam messages were sent by abusing insecure code in an FBI online portal designed to share information with state and local law enforcement authorities.

Cybersecurity Saturday

From Capitol Hill, the House of Representatives passed the Senate’s bipartisan $1 trillion infrastructure bill on a bipartisan 228-to-206 vote. Data Center Knowledge discusses how the $2 billion in the bill targeted at cybersecurity will be spent. The key comment is “The Infrastructure Bill Is the Carrot — The Stick May Come Later.”

In this regard, ZDNet adds that

Four US Senators have introduced a new bipartisan amendment to the [must pass] 2022 National Defense Authorization Act (NDAA) that will force critical infrastructure owners and operators as well as civilian federal agencies to report all cyberattacks and ransomware payments to CISA.

Two Democrats — Gary Peters and Mark Warner — worked alongside two Republicans — Rob Portman and Susan Collins — to push the amendment, which they said was based on Peters and Portman’s Cyber Incident Reporting Act and Federal Information Security Modernization Act of 2021.

The amendment only covers confirmed cyberattacks and not ones that are suspected. But it forces all federal contractors to report attacks. There is no fine component in the amendment, one of the many provisions senators had been fighting over for months. 

Victim[ized] organizations will have 72 hours to report attacks, another hotly debated topic among government cybersecurity experts. Some wanted it to be within 24 hours and others said it should be within a week.  

But the 72 hour limit does not apply to all organizations. Some — which the senators said included businesses, nonprofits and state and local governments — would be forced to report ransomware payments to the federal government within 24 hours of payment being made. 

From the federal government technology front —

Cyberscoop reports that “A winning streak of hitting deadlines under President Joe Biden’s ambitious May cybersecurity executive order is widely expected to end Monday [November 8], affecting changes that administration officials have touted most: implementing multifactor authentication and encryption at all civilian federal agencies.”

Cyberscoop adds

The Cybersecurity and Infrastructure Security Agency [CISA] is ordering federal agencies to patch nearly 300 known, exploited vulnerabilities in a directive published Wednesday [November 3].

It’s a change from past practice for Binding Operational Directives from the Department of Homeland Security’s main cyber wing. The orders have focused more frequently on one major vulnerability at a time, or have directed agencies to set up broader policies addressing subjects like establishing vulnerability disclosure programs. As rationale, the agency pointed to issues in Microsoft Exchange technology that suspected Chinese hackers seized upon to target victims worldwide in early 2021.

Under the order, agencies must patch vulnerabilities from a CISA-created catalog by dates that range from two weeks for flaws observed this year to six months for those prior. Further, agencies must build a process for fixing such vulnerabilities on an ongoing basis in the future.
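The directive's second requirement, an ongoing process rather than a one-off patch sprint, comes down to joining the catalog against what you actually run and watching the due dates. The script below is an added example (not CISA's tooling and not from the article): its catalog rows reuse the field names of CISA's published JSON feed (cveID, dateAdded, dueDate), the rows and the host inventory are constructed, and the CVE identifiers are placeholders, not real CVEs. Where a row carries no dueDate it falls back to the rule as the article states it: two weeks for flaws from the current year, six months for older ones.

```python
"""Cross-reference a KEV-style catalog against an asset inventory and report
what is overdue. Catalog field names follow CISA's JSON feed; the rows, hosts
and CVE identifiers below are constructed placeholders.
"""
from datetime import date, timedelta


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day for short months."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    last_day = (date(year + month // 12, month % 12 + 1, 1) - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def due_date(entry: dict) -> date:
    """Prefer the catalog's own dueDate. Otherwise apply the initial rule as
    the article describes it: CVEs from the year they were added get two
    weeks, older CVEs get six months."""
    if entry.get("dueDate"):
        return date.fromisoformat(entry["dueDate"])
    added = date.fromisoformat(entry["dateAdded"])
    cve_year = int(entry["cveID"].split("-")[1])
    if cve_year >= added.year:
        return added + timedelta(days=14)
    return add_months(added, 6)


def overdue_report(catalog, inventory, today: date):
    """Rows of (host, cveID, dueDate, days_overdue) for catalog CVEs still
    present on a host, most overdue first. Negative days mean not yet due."""
    due = {e["cveID"]: due_date(e) for e in catalog}
    rows = []
    for host in inventory:
        for cve in host["cves"]:
            if cve in due:           # CVEs outside the catalog have no directive deadline
                rows.append((host["host"], cve, due[cve].isoformat(), (today - due[cve]).days))
    rows.sort(key=lambda r: (-r[3], r[0], r[1]))
    return rows


CATALOG = [   # constructed; placeholder IDs, not real CVEs
    {"cveID": "CVE-2021-EXAMPLE-A", "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
    {"cveID": "CVE-2019-EXAMPLE-B", "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
    {"cveID": "CVE-2021-EXAMPLE-C", "dateAdded": "2021-11-17"},   # no dueDate: fallback rule
    {"cveID": "CVE-2018-EXAMPLE-D", "dateAdded": "2021-11-17"},
]
INVENTORY = [   # constructed asset list, e.g. from a scanner export
    {"host": "mail01", "cves": ["CVE-2021-EXAMPLE-A", "CVE-2019-EXAMPLE-B"]},
    {"host": "vpn01", "cves": ["CVE-2021-EXAMPLE-C", "CVE-2018-EXAMPLE-D"]},
    {"host": "web01", "cves": ["CVE-2020-EXAMPLE-Z"]},            # not in the catalog
]

if __name__ == "__main__":
    for host, cve, due, days in overdue_report(CATALOG, INVENTORY, date(2021, 12, 1)):
        state = f"{days} days overdue" if days > 0 else f"due in {-days} days"
        print(f"{host:8} {cve:22} due {due}  {state}")
```

The join is deliberately on CVE ID alone: the catalog is a list of CVEs, so the scanner or asset system has to supply the CVE-to-host mapping, and anything it cannot map will silently fall outside the report.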

The Wall Street Journal explains

Many of the cybersecurity gaps outlined in a new White House directive that calls on federal agencies to patch hundreds of online vulnerabilities stem from the government’s aging computer systems, current and former federal tech chiefs, lawmakers and industry analysts say.

But ongoing efforts to upgrade these systems tend to get bogged down by budget restrictions, chronic talent shortages and a revolving door of agency information-technology leaders.

As a result, some of the vulnerabilities listed in the directive, issued by the Biden Administration Wednesday, date back years in older versions of software from Microsoft Corp. and other large technology firms. Agencies that haven’t continually upgraded these and other apps may lack protections needed to ward off the kinds of organized, sophisticated and widespread attacks that have crippled public- and private-sector systems in recent years.

Also Cyberscoop notes that

The Biden administration is working on an executive order that spells out the responsibilities of myriad top cybersecurity officials in the federal government, National Cyber Director Chris Inglis said Wednesday. Specifically, the idea would be to solidify the position of his office, only established by law in January, Inglis told the House Homeland Security Committee.

From the defense contractor front, Nextgov informs us that

The Defense Department is significantly scaling back a program it rolled out last year to validate the cybersecurity of its suppliers through third-party audits and is halting its implementation until the changes are official.

The program was supposed to be implemented over a five-year period with the ultimate goal of requiring every defense contractor in possession of certain controlled but unclassified information to obtain a certificate from a third-party assessor indicating their adherence to the Cybersecurity Maturity Model Certification standard. A number of programs within DOD were selected to pilot the program this year. Now, the Pentagon says it is looking to streamline the program—into CMMC 2.0—and make it more collaborative with industry in two new rulemakings through the Code of Federal Regulations.

“Until the CMMC 2.0 changes become effective through both the title 32 CFR and title 48 CFR rulemaking processes, the department will suspend the CMMC piloting efforts, and will not approve inclusion of a CMMC requirement in DoD solicitations,” reads a notice set to publish Friday in the Federal Register. “The CMMC 2.0 program requirements will not be mandatory until the title 32 CFR rulemaking is complete, and the CMMC program requirements have been implemented as needed into acquisition regulation through title 48 rulemaking.”

At the heart of CMMC was an assertion by Pentagon officials that the current system of allowing defense contractors to self-attest, or simply pledge, their adherence to cybersecurity standards outlined by the National Institute of Standards and Technology is not working. The officials pointed to continued theft of intellectual property by Chinese nation-state actors as their chief indicator.

In preventive steps news, Health IT Security tells us that

Healthcare organizations can have the most sophisticated internal security protocols, but failing to assess third-party risk may leave organizations vulnerable to data breaches nonetheless.

Threat actors are increasingly using third-party business associates as entry points into customer networks. Once inside the network, the malicious hackers may be able to encrypt files, access sensitive health data, and deploy ransomware on any organization that the associate does business with.

Hackers using third-party entities as an attack vector became a very prevalent threat in July 2021, when REvil threat actors launched a ransomware attack against IT management software company Kaseya and compromised the data of over 1,500 of its customers.

According to Jeremy Huval, HITRUST’s chief innovation officer, the Kaseya attack signaled an increase in impactful and frequent supply chain cyberattacks and underscored the need for better third-party risk management procedures.

Last but not least, here is a link to Bleeping Computer’s latest The Week in Ransomware.

The FBI issued advisories this week warning that HelloKitty has added DDoS attacks to their arsenal, that ransomware gangs commonly conduct attacks “during time-sensitive financial events,” and that gangs are targeting tribal-owned businesses, including casinos.

Cybersecurity Saturday

The Wall Street Journal reported on Monday that

The Russia-linked hackers behind last year’s compromise of a wide swath of the U.S. government and scores of private companies, including SolarWinds Corp., have stepped up their attacks in recent months, breaking into technology companies in an effort to steal sensitive information, cybersecurity experts said.

In a campaign that dates back to May of this year, the hackers have targeted more than 140 technology companies including those that manage or resell cloud-computing services, according to new research from Microsoft Corp. The attack, which was successful with as many as 14 of these technology companies, involved unsophisticated techniques like phishing or simply guessing user passwords in hopes of gaining access to systems [a/k/a “password spraying”], Microsoft said.

“This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain,” said Tom Burt, Microsoft’s corporate vice president for customer security and trust, according to a blog post provided ahead of the announcement by Microsoft on Monday.

Security Week adds that

Microsoft has also made available technical guidance that can help organizations detect attacks launched by Nobelium.

Last month, Microsoft published a blog post detailing a piece of malware used by the threat group to exfiltrate data from compromised servers.

ZDNet delves into the password spraying approach to hacking.

Microsoft’s Detection and Response Team (DART) has outlined two main password spray techniques, the first of which it calls ‘low and slow’. Here, a determined attacker deploys a sophisticated password spray using “several individual IP address to attack multiple accounts at the same time with a limited number of curated password guesses.” 

The other technique, ‘availability and reuse’, exploits previously compromised credentials that are posted and sold on the dark web. “Attackers can utilize this tactic, also called ‘credential stuffing,’ to easily gain entry because it relies on people reusing passwords and usernames across sites,” Microsoft explains.
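What makes the "low and slow" variant hard to see is that per-source rules never fire: each IP tries a handful of accounts once. The detection below is an added example, not Microsoft's or ZDNet's code. It works on failed-logon records shaped like the Security 4625 fields (TimeCreated, IpAddress, TargetUserName), raises one alert for a spray from a single IP and another, "fleet" alert when several quiet sources together add up to a spray; the thresholds and the sample records (TEST-NET addresses, made-up account names) are constructed.

```python
"""Pick out password sprays from failed-logon records. A spray touches many
accounts with a guess or two each; a brute force hammers one account; the
low-and-slow variant spreads the guesses across several source IPs so that
no single IP looks busy. Records carry the 4625 fields TimeCreated,
IpAddress and TargetUserName; the sample set is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
MIN_ACCOUNTS = 10      # distinct accounts hit within one window (assumed threshold)
MAX_PER_ACCOUNT = 3    # a spray stays under lockout thresholds per account


def spray_shape(user_counts, min_accounts, max_per_account):
    """Many accounts, few tries each."""
    return (len(user_counts) >= min_accounts
            and max(user_counts.values()) <= max_per_account)


def detect_spray(failures, window=WINDOW, min_accounts=MIN_ACCOUNTS,
                 max_per_account=MAX_PER_ACCOUNT):
    """One alert per window and scope. Scope 'ip:<addr>' is a spray from a
    single source; scope 'fleet' pools sources that each touched only a few
    accounts (low and slow) and is raised only when no single source already
    explains the pattern."""
    buckets = defaultdict(list)
    for e in failures:
        t = datetime.fromisoformat(e["TimeCreated"])
        buckets[t - (t - datetime.min) % window].append(e)

    alerts = []
    for start, evs in sorted(buckets.items()):
        per_ip = defaultdict(lambda: defaultdict(int))      # ip -> account -> failures
        for e in evs:
            per_ip[e["IpAddress"]][e["TargetUserName"].lower()] += 1

        flagged = set()
        for ip, users in per_ip.items():
            if spray_shape(users, min_accounts, max_per_account):
                flagged.add(ip)
                alerts.append({"window": start.isoformat(), "scope": f"ip:{ip}",
                               "accounts": len(users), "attempts": sum(users.values())})

        # Low and slow: pool sources that hit several accounts with few guesses
        # apiece. One failure from one user's own IP is normal and is not pooled;
        # an IP failing against two or more different accounts is.
        quiet = {ip: u for ip, u in per_ip.items()
                 if ip not in flagged and len(u) >= 2
                 and max(u.values()) <= max_per_account}
        fleet = defaultdict(int)
        for users in quiet.values():
            for user, n in users.items():
                fleet[user] += n
        if len(quiet) >= 2 and spray_shape(fleet, min_accounts, max_per_account):
            alerts.append({"window": start.isoformat(), "scope": "fleet",
                           "accounts": len(fleet), "attempts": sum(fleet.values()),
                           "source_ips": sorted(quiet)})
    return alerts


def constructed_failures():
    """Constructed 4625-style records: a brute force, a single-IP spray, a
    low-and-slow spray across four IPs, and two benign typos."""
    base = datetime(2021, 10, 25, 9, 0)
    rows = []

    def add(ip, user, minutes):
        rows.append({"TimeCreated": (base + timedelta(minutes=minutes)).isoformat(),
                     "IpAddress": ip, "TargetUserName": user})

    for i in range(40):                      # brute force: one account, many guesses
        add("203.0.113.5", "jsmith", i)
    for i in range(15):                      # spray: 15 accounts, one guess each
        add("198.51.100.7", f"user{i:02d}", 2 * i)
    for ipn in range(4):                     # low and slow: 4 IPs x 4 accounts
        for j in range(4):
            k = ipn * 4 + j
            add(f"192.0.2.{ipn + 1}", f"staff{k:02d}", 3 * k)
    add("10.0.0.23", "mlee", 5)              # benign: one typo each
    add("10.0.0.24", "rpatel", 17)
    return rows


SAMPLE_FAILURES = constructed_failures()

if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_FAILURES):
        print(alert)
```

The brute force against one account is left to a separate rule on purpose, since its shape (one account, many tries) is the opposite of a spray. Credential stuffing, the "availability and reuse" technique, looks different again: the attacker already holds valid pairs, so the signal is successful sign-ins from unfamiliar sources rather than failures, and it needs its own detection.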

From our Nation’s capital, Cyberscoop informs us that

The Cybersecurity and Infrastructure Security Agency [(CISA)] has begun working to map out the U.S. critical infrastructure that, if hacked, could result in serious consequences for national security and economic interests, CISA Director Jen Easterly said Friday.

Labeling such infrastructure is the subject of a proposal of the Cyberspace Solarium Commission, a congressional committee, which recommended identifying “systemically important critical infrastructure,” or SICI. Lawmakers have introduced SICI legislation in recent months, but Easterly said her Department of Homeland Security agency is proceeding ahead with or without a bill.

Moreover, per Cyberscoop

Federal Chief Information Security Officer Chris DeRusha, who has played an integral part in responding to the SolarWinds hack, is getting a second gig as deputy national cyber director for federal cybersecurity.

National Cyber Director Chris Inglis hailed DeRusha’s appointment on Twitter Thursday. * * *

DeRusha steps into his additional role at a time when questions persist on Capitol Hill about the breakdown of cyber roles within the federal bureaucracy. The national cyber director’s office is the newest addition to that bureaucracy, established only this year. The office is coming into being as the Department of Homeland Security’s Cybersecurity Infrastructure and Security Agency is increasingly focused on incident response and information sharing in the federal government, and as Deputy National Security Adviser Anne Neuberger probes ways for the U.S. to combat ransomware.

In an interview with The Washington Post that published Thursday, Inglis said the coordination with DeRusha should benefit federal agency cyber officials. “Particularly if you’re a chief information security officer, you’ll see us speaking complementary ways and using our resources in a collaborative manner,” he said.

Also HHS’s Office for Civil Rights, which enforces the HIPAA Privacy and Security Rules, issued its Fall 2021 Cybersecurity Newsletter. This newsletter’s topic is securing legacy systems.

Health IT Security explores the value of applying the zero trust model to health data.

Under the watchful eye of a zero trust security model, no device or user is automatically trusted before being vetted by strict authentication processes. Zero trust is not a single technology or tactic, but a set of cyber defenses that collectively look for threats outside and within a network perimeter.

Implementing a zero trust architecture could make a life-or-death difference in how healthcare organizations operate and respond to cybersecurity incidents. * * *

HC3 recommended that organizations begin zero trust implementation by employing a software-defined perimeter (SDP). SDP is a computer security approach that effectively hides internet-connected infrastructure, such as servers and routers, so that unauthorized third parties cannot see it. With this approach, the network perimeter is based in software rather than hardware and is less vulnerable to hackers.

Organizations should also consider Mesh VPNs, which use a peer-to-peer (P2P) architecture so that every device in the network can connect directly to a peer without going through a central gateway. Mesh VPNs are typically less expensive and easier to scale, HC3 noted.

Healthcare organizations may also benefit from a modern network access control (NAC) platform that can enforce access control and identify every device and user on the network before granting access. This approach provides continuous monitoring and ensures that every device and user is authenticated and trusted.

And as always, here’s a link to Bleeping Computer’s weekly report on ransomware.

Cybersecurity Saturday

Security Week reported yesterday that

The global fight against ransomware took a new twist this week with the United States leading a law enforcement effort to hack back and disrupt the extortion group behind the Colonial Pipeline cyberattack.

SecurityWeek has confirmed a Reuters report that the Tor servers associated with the REvil ransomware gang were seized in what was described as a “multi-country” hack-back operation that remains active.

Bleeping Computer discusses this ransomware development and others in its weekly update.

The Wall Street Journal adds that

A criminal organization believed to have built the software that shut down a U.S. fuel pipeline has set up a fake company to recruit potential employees, according to researchers at the intelligence firm Recorded Future and Microsoft Corp.

The fake company is using the name Bastion Secure, according to the researchers. On a professional-looking website, the company says it sells cybersecurity services. But the site’s operator is a well-known hacking group called Fin7, Recorded Future and Microsoft say.

Fin7 is believed to have hacked hundreds of businesses, stolen more than 20 million customer records and written the software used in a hack that disrupted gasoline delivery in parts of the Southeastern U.S., federal prosecutors and researchers say.

From the prevention front:

The American Hospital Association has summarized the recent HC3 vulnerability news of interest to the health sector.

CISA has released a presentation on blockchain for the healthcare sector.

Security Week discusses efforts underway to fill encryption gaps.

The Society for Human Resources Management offers an article on reducing cybersecurity risks in hybrid (remote and office) work:

A Tessian survey found that 88 percent of data breaches involved human error.

And in a hybrid work environment, employees may pay less heed to the rules or simply be more likely to make mistakes since they’re not in a formal office, especially if they’re juggling family and other demands. In the Tessian survey, 43 percent of employees said they have made mistakes at work that compromised cybersecurity; 58 percent admitted having sent a company e-mail to the wrong person, often because they were distracted or tired.

“Every CISO [chief information security officer] I’ve spoken to is wondering what work-from-home means in terms of security, when there is zero distance between the office, the living room and the kitchen,” says Robert Holmes, Proofpoint’s vice president and general manager of email fraud defense.

To that end, executives would do well to encourage more cooperation between the technology side of the house and the people side. “This is an area where there’s a huge opportunity for the CHRO [chief human resource officer] and the CISO to have a strong relationship,” [Deloitte cyber leader Emily] Mossberg says. First, they can team up on training programs to increase security awareness. Second, the CISO can help HR strengthen practices, processes and systems to ensure the security of employee data in distributed work environments.

Cybersecurity Saturday

Tech Republic reports on a White House sponsored “virtual ransomware summit this week with over 30 countries in attendance—although a few notable nations were excluded, such as China, Russia and North Korea. Australia, Brazil, Canada, France, Germany, India, Japan, United Arab Emirates and the United Kingdom were among the attendees.”

Cyberscoop adds that

Nations must better clamp down on money laundering in order to disrupt ransomware gangs’ illicit financial transactions, according to a statement Thursday from more than 30 countries that participated in two days of White House meetings focused on slowing hackers and digital extortion.

The joint statement also included commitments to other methods of countering ransomware, such as encouraging cyber hygiene practices to the private sector, collaborating across law enforcement and national security agencies and using diplomatic pressure against nations that harbor cybercriminals. 

Bleeping Computer’s The Week in Ransomware discusses the summit and more.

ZDNet reports that

More than $5 billion in bitcoin transactions has been tied to the top ten ransomware variants, according to a report released by the US Treasury on Friday. 

The department’s Financial Crimes Enforcement Network (FinCen) and Office of Foreign Assets Control (OFAC) released two reports illustrating just how lucrative cybercrime related to ransomware has become for the gangs behind them. Parts of the report are based on suspicious activity reports (SAR) financial services firms filed to the US government.

FinCen said the total value of suspicious activity reported in ransomware-related SARs during the first six months of 2021 was $590 million, which exceeds the $416 million reported for all of 2020.

Finally, at this week’s CISA summit event marking Cybersecurity Awareness Month, Acting U.S. Assistant Attorney General for the Civil Division Brian M. Boynton spoke about the Department’s Civil Cyber-Fraud Initiative, which leverages the False Claims Act to “identify, pursue and deter cyber vulnerabilities and incidents that arise with government contracts and grants and that put sensitive information and critical government systems at risk.”

We have identified at least three common cybersecurity failures that are prime candidates for potential False Claims Act enforcement through this initiative. 

First, the False Claims Act is a natural fit to pursue knowing failures to comply with cybersecurity standards. When government agencies acquire cyber products and services, they often require contractors and grantees to meet specific contract terms, which are often based on uniform contracting language or agency-specific requirements. For example, cybersecurity standards may require contractors to take measures to protect government data, to restrict non-U.S. citizen employees from accessing systems or to avoid using components from certain foreign countries. The knowing failure to meet these cybersecurity standards deprives the government of what it bargained for. 

Second, False Claims Act liability may be based on the knowing misrepresentation of security controls and practices. In seeking a government contract, or performing under it, companies often make representations to the government about their products, services, and cybersecurity practices. These representations may be about a system security plan detailing the security controls it has in place, the company’s practices for monitoring its systems for breaches, or password and access requirements. Misreporting about these practices may cause the government to choose a contractor who should not have received the contract in the first place. Or it could cause the government to structure a contract differently than it otherwise would have. Knowing misrepresentations of this kind also deprive the government of what it paid for and violate the False Claims Act.   

Finally, the knowing failure to timely report suspected breaches is another way a company may run afoul of the Act. Government contracts for cyber products, as well as for other goods and services, often require the timely reporting of cyber incidents that could threaten the security of agency information and systems. Prompt reporting by contractors often is crucial for agencies to respond to a breach, remediate the vulnerability and limit the resulting harm. 

At bottom, the department’s Civil Cyber-Fraud Initiative will hold accountable entities or individuals that put U.S. information or systems at risk.     

Cybersecurity Saturday

From Capitol Hill, the Wall Street Journal reports that “the Senate Homeland Security Committee took a step forward on Wednesday [October 6], advancing a bill that would require hospitals and oil and natural-gas pipeline companies, among other critical infrastructure operators, to report cyberattacks and ransom payments within 72 hours. Chairman Gary Peters said he wants the bill tacked onto the broader annual defense authorization package.” More details on this Senate committee meeting are available on Nextgov.

On the regulatory front, the U.S. Justice Department announced on Wednesday, October 6, a new Civil Cyber-Fraud Initiative that

will utilize the False Claims Act to pursue cybersecurity related fraud by government contractors and grant recipients. The False Claims Act is the government’s primary civil tool to redress false claims for federal funds and property involving government programs and operations. The act includes a unique whistleblower provision, which allows private parties to assist the government in identifying and pursuing fraudulent conduct and to share in any recovery and protects whistleblowers who bring these violations and failures from retaliation. 

The initiative will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.

Cyberscoop adds that “The focus comes after suspected Russian hackers breached the federal contractor SolarWinds in 2020, using the federal contractor as a foothold into nine U.S. agencies.”

Because the False Claims Act is applicable to FEHB carriers and many FEHB subcontractors, it’s worth adding that the False Claims Act defines “knowingly” as having “actual knowledge” or acting “in deliberate ignorance” or “reckless disregard of the truth or falsity of the information.” 31 U.S.C. § 3729(b)(1)(A). Courts have recognized that this is more than a mere negligence standard. E.g., United States v. Sci. Applications Int’l Corp., 626 F.3d 1257, 1274-75 (D.C. Cir. 2010) (quoting S. Rep. No. 99-345, at 6, 19 (1986)).

It strikes the FEHBlog as unusual that the Justice Department laid out its policy without bringing a test lawsuit. However, because the False Claims Act authorizes private parties to bring False Claims Act lawsuits on behalf of the federal government (“qui tam” actions), the Justice Department may have taken this approach to alert the active qui tam bar of the Department’s support for these kinds of False Claims Act lawsuits.

From the ransomware front, Bleeping Computer reports

While most ransomware actors spend time on the victim network looking for important data to steal, one group favors quick malware deployment against sensitive, high-value targets. It can take less than two days for the FIN12 gang to execute on the target network a file-encrypting payload – most of the time Ryuk ransomware.

The group is a close partner of the TrickBot gang and targets high-revenue victims (above $300 million) from various activity sectors and regions on the globe.

FIN12 is characterized by skipping the data exfiltration step that most ransomware gangs have adopted to increase their chances of getting paid. This attribute allows the group to execute attacks at a much faster rate than other ransomware operations, taking them less than two days from the initial compromise to the file encryption stage.

According to data collected from investigations, most ransomware gangs that also steal data have a median dwell time of five days and the average value is 12.4 days.

With FIN12, the average time spent on the victim network dropped each year, getting to less than three days in the first half of 2021. After getting initial access, the group did not waste any time hitting their victims and in most cases they started activity on the same day. * * *

In a profile of the group published today [October 7] by cybersecurity company Mandiant, researchers note that many FIN12 victims are in the healthcare sector.

And here’s a link to Bleeping Computer’s The Week in Ransomware report. What’s more, here’s a link to Unit 42’s first supplement to the ransomware report that it issued earlier this year. This supplement focuses on ransomware families and the groups that deploy them, like FIN12.

Cybersecurity Saturday

October is National Cybersecurity Awareness Month. The FEHBlog reminds readers that

CISA will host its fourth annual National Cybersecurity Summit on Wednesdays during the month of October. The 2021 Summit will be held as a series of four virtual events bringing stakeholders together in a forum for meaningful conversation:

Oct. 6 – Assembly Required: The Pieces of the Vulnerability Management Ecosystem 

Oct. 13 – Collaborating for the Collective Defense 

Oct. 20 – Team Awesome: The Cyber Workforce 

Oct. 27 – The Cyber/Physical Convergence

Register for this free summit and read more about the presentations at CISA.gov/cybersummit2021

Security Week offers an article on ways to support this national effort.

Also yesterday, October 1, according to ZDNet,

The White House plans to convene a 30-country meeting this month to address cybersecurity, President Biden said in a statement Friday. 

The topics of the meeting, Biden said, will include combating cybercrime, improving law enforcement collaboration, stemming the illicit use of cryptocurrency, building trusted 5G technology and better securing supply chains. 

From Capitol Hill, Senator Gary Peters (D Mich.) tells us about American Rescue Plan funding totaling $1 billion that is being used to modernize federal IT systems. Here is a complete list of the unclassified Technology Modernization Fund projects.

With respect to cybersecurity practices

  • Earlier this week, CISA and the National Security Agency “released the cybersecurity information sheet Selecting and Hardening Standards-based Remote Access VPN Solutions to address the potential security risks associated with using Virtual Private Networks (VPNs). Remote-access VPN servers allow off-site users to tunnel into protected networks, making these entry points vulnerable to exploitation by malicious cyber actors.” Here is a Cyberscoop article on this development.
  • Helpnetsecurity.com offers an interesting article about the move from password verification to identity verification to secure networks against cyberattacks. “Identity verification is the most important step in an organization’s system for providing access, and authentication cannot occur until identity is established. This is known as identity-based authentication and it is the foundation of effective security measures. Once identity is established with a high level of efficacy, password-based credentials become obsolete. The end goal is not passwordless solutions – the goal is identity-based authentication, with passwordless as a means to that end.”
  • The National Institute of Standards and Technology issued its 2020 annual report (SP 800-214) last week.

As always, here is a link to Bleeping Computer’s The Week in Ransomware.

Cybersecurity Saturday

From the Capitol Hill front, we learn from Cyberscoop that

  • Last Monday, September 20, nine Senate Democrats wrote a letter to the Federal Trade Commission urging the agency to adopt stronger rules cracking down on privacy violations and data breaches.
  • “The Department of Homeland Security’s cyber division, a key government agency charged with helping stop and respond to cyberattacks, might be getting ready for a bigger role in the spotlight. * * * Both chambers of Congress are contemplating legislation that would make CISA the hub where vital companies would report major cybersecurity incidents, following the string of monumental cyberattacks that began with the SolarWinds breach in December.” The article also discusses a planned large infusion of federal funding to CISA.
  • “The head of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency testified at a Senate hearing Thursday [September 23] in favor of requiring critical infrastructure owners and operators, federal contractors and agencies to report attacks to CISA within 24 hours of detection. * * * At Thursday’s hearing, Easterly further advocated for CISA and the Justice Department to decide what kinds of companies would have to meet the reporting requirements, rather than writing them specifically into the bill. She also advocated fines, rather than subpoenas, to compel companies to obey the reporting requirements. * * * National Cyber Director Chris Inglis, testifying at the same hearing, said he agreed with Easterly’s preferences.”

From the guidance front

  • On September 21, CISA laid out cybersecurity goals and objectives for critical infrastructure owners. “[W]hile all of the goals outlined in this document are foundational activities for effective risk management, they represent high-level cybersecurity best practices.”
  • On the same day, the HHS Office for Civil Rights, which enforces the HIPAA Privacy and Security Rules, posted a list of ransomware resources for HIPAA covered entities.
  • Security Week offers an interesting article on working securely from anywhere with Zero Trust.

From the ransomware front

  • A federal government cybersecurity alert was issued on September 22 about Conti ransomware. “CISA, FBI, and NSA encourage network defenders to examine their current cybersecurity posture and apply the recommended mitigations in the joint CSA, which include:
      • Updating your operating system and software,
      • Requiring multi-factor authentication, and
      • Implementing network segmentation.”
  • Last but not least, here is a link to the current Bleeping Computer post on the Week in Ransomware.

This week’s biggest news is the USA sanctioning a crypto exchange used by ransomware gangs to convert cryptocurrency into fiat currency. By targeting rogue exchanges, the US government is hoping to disrupt ransomware’s payment system.

Other interesting news this week is a list of vulnerabilities commonly used by ransomware gangs and how the REvil operators reportedly use their operator key to hijack negotiations from affiliates.

Cybersecurity Saturday

Action / Reaction

  • Fierce Healthcare reported on September 13 that

An unsecured database containing over 61 million records related to fitness trackers and wearables exposed Apple and Fitbit users’ data online.

Researchers with WebsitePlanet and security researcher Jeremiah Fowler discovered a non-password-protected database that contained tens of millions of records belonging to fitness tracking and wearable devices and apps. The unsecured database belonged to GetHealth, which offers a unified solution to access health and wellness data from hundreds of wearables, medical devices and apps, according to a WebsitePlanet report posted Monday.

The cybersecurity team discovered the unsecured database June 30, ZDNet reported. Fowler said he immediately sent a disclosure notice to the company of the security findings. GetHealth responded rapidly, and the system was secured within a matter of hours, ZDNet reported.

“It is unclear how long these records were exposed or who else may have had access to the dataset,” Fowler wrote in the report.

“We are not implying any wrongdoing by GetHealth, their customers or partners. Nor, are we implying that any customer or user data was at risk,” he wrote.

  • On Thursday, September 16, Cyberscoop reported

App developers and device operators that collect health data about Americans must alert consumers in the event their personal information is compromised or shared without permission, the Federal Trade Commission ruled Wednesday.

The U.S. consumer protection agency voted 3-2 on a new regulation that is meant to clarify the 2009 Health Notification Rule, which details how companies should tell consumers if their data is improperly shared or breached. The decision Wednesday extends the 2009 rule to cover health apps, fitness trackers and other connected devices that have risen in popularity over the past decade.

From the survey front,

  • Health IT Security informs us that “Google and Microsoft amassed the most vulnerabilities compared to other major tech companies in the first half of 2021, research from Atlas VPN revealed. During the first half of 2021, Google accumulated 547 registered vulnerabilities. Microsoft followed close behind at 432.” Ruh roh.
  • CRN discusses the ten biggest cybersecurity risks that businesses face this year.

In ransomware news —

  • The Wall Street Journal advised us yesterday that

The Biden administration is preparing an array of actions, including sanctions, to make it harder for hackers to use digital currency to profit from ransomware attacks, according to people familiar with the matter. 

The government hopes to choke off access to a form of payment that has supported a booming criminal industry and a rising national security threat.

The Treasury Department plans to impose the sanctions as soon as next week, the people said, and will issue fresh guidance to businesses on the risks associated with facilitating ransomware payments, including fines and other penalties. Later this year, expected new anti-money-laundering and terror-finance rules will seek to limit the use of cryptocurrency as a payment mechanism in ransomware attacks and other illicit activities.

The actions collectively would represent the most significant attempt yet by the Biden administration to undercut the digital finance ecosystem of traders, exchanges and other elements that cybersecurity experts say has allowed debilitating ransomware attacks to flourish in recent years.

  • Security Week offers a related report on understanding the cryptocurrency – ransomware connection.