Cybersecurity Saturday


September 11, 2020

From the ransomware front, Bleeping Computer reports today that “The REvil ransomware gang has fully returned and is once again attacking new victims and publishing stolen files on a data leak site.” REvil was responsible most recently for the JBS meat packing plant and the Kaseya hacks. Following the Kaseya hack, the gang went into virtual hiding.

After their shutdown, researchers and law enforcement believed that REvil would rebrand as a new ransomware operation at some point. However, much to our surprise, the REvil ransomware gang came back to life this week under the same name.

Also, here is a link to Bleeping Computer’s The Week in Ransomware.

ZDNet offers an interesting article on ransomware targets.

On Monday, KELA published a report on listings made by ransomware operators in the underground, including access requests — the way to gain an initial foothold into a target system — revealing that many want to buy a way into US companies with a minimum revenue of over $100 million. * * *

Ransomware groups such as Blackmatter and Lockbit may cut out some of the legwork involved in a cyberattack by purchasing access, including working credentials or the knowledge of a vulnerability in a corporate system. 

* * * Roughly half of the ransomware operators will, however, reject offers for access into organizations in the healthcare and education sector, no matter the country. In some cases, government entities and non-profits are also off the table. * * *

[T]here are preferred methods of access. Remote Desktop Protocol (RDP) and Virtual Private Network (VPN)-based access prove popular. Specifically, access to products developed by companies including Citrix, Palo Alto Networks, VMWare, Cisco, and Fortinet.

ZDNet further reports that

All the time spent ticking boxes in cybersecurity training sessions seems to be paying off after all: according to a new report, about a third of emails reported by employees really are malicious or highly suspect, demonstrating the effectiveness of the well-established maxim “Think before you click”.

IT security company F-Secure analyzed over 200,000 emails that were flagged by employees from organizations across the globe in the first half of 2021, and found that 33% of the reports could be classified as phishing.

On the zero trust front, FCW informs us that “The push to convert federal networks, systems and devices to a zero trust security architecture is accelerating, with the release of three new draft guidance documents as part of the White House administration’s push to improve the nation’s cybersecurity” and the Wall Street Journal provides us with a Deloitte produced guide to zero trust cybersecurity.

For those with a law enforcement orientation, the Wall Street Journal tells us that the secret vulnerability of cybercrime gangs is the burnout of their foot soldiers. The reporters interviewed scores of lower-level cybercrime workers, among other investigative techniques. Their conclusions:

[W]hen authorities targeted the support staff—the labor force that the cybercrime industry depends on—with a few arrests and made their jobs even more miserable than usual through coordinated shutdowns of server networks, the effect was much greater. This is not unlike putting pressure on a mafia accountant, as opposed to arresting crime bosses. 

In our research, we saw that when authorities attacked the cybercrime infrastructure this way, the services became unreliable and their customers thought they were being scammed, flooding their chat channels with complaints. When servers went down, so did the business of all the criminals who were renting that infrastructure. Cyberattacks declined.

Conventional wisdom suggests that disrupting the infrastructure of cybercrime services by taking down their servers is merely a game of Whac-A-Mole, with these groups able to set up new systems fairly quickly. But that doesn’t take into account the effect on cybercrime workers: We found that these takedowns were extremely frustrating for the people working behind the scenes. We even began to see people quitting the business, burned out from the stress of having to provide round-the-clock customer service and system administration under increasing scrutiny from the police.

Cybersecurity Saturday

Oh joy, Bleeping Computer’s The Week in Ransomware is back after two weeks and it is chock-a-block full of useful information. Check it out.

From the entrepreneurial hacking front, Bleeping Computer also reports that “Hackers are actively scanning for and exploiting a recently disclosed Atlassian Confluence remote code execution vulnerability to install cryptominers after a PoC exploit was publicly released. Atlassian Confluence is a very popular web-based corporate team workspace that allows employees to collaborate on projects.”

Cyberscoop tells us about ongoing discussions on Capitol Hill about reaching a consensus on wide-ranging cybersecurity incident reporting laws.

Battle lines are drawn in Congress over legislation that would require companies to report some cyber incidents to the federal government, with industry groups lining up to support a House of Representatives bill poised to create fewer challenges for business leaders than a similar proposal in the Senate.

The debate involves questions about how quickly companies would have to report attacks, what kinds of specific intrusions would trigger notification and whether failure to comply with the rules would lead to financial penalties. The idea of breach notification legislation gained momentum following last year’s discovery of the SolarWinds hack that compromised nine federal agencies and some 100 companies, as well as the Colonial Pipeline ransomware attack in May.

At issue are such questions as whether companies have 24 or 72 hours to report an incident, along with who would be on the hook outside of critical infrastructure owners and operators, if anyone.

Cyberscoop adds

The bill under discussion in the House would provide companies that share breach data protections against lawsuits, and specifies no punishments for not complying. The Senate bill authorizes financial penalties tied to a company’s gross revenue. Naturally, the private sector prefers not to face penalties, according to the Senate aide.

And while the Senate legislation leaves it to CISA to define what kinds of “cybersecurity incidents” trigger notification requirements, the House legislation defines them as those “likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.” Further, the Senate version requires reporting of confirmed and potential intrusions, while the House bill only applies to confirmed intrusions.

Because there is no Congressional election this year, Congress will have plenty of time this fall to resolve these differences and enact a law.

A friend of the FEHBlog called his attention to this very useful list of cybersecurity resources created by the College of Healthcare Information Management Executives (“CHIME”).

Cybersecurity Saturday

On Wednesday August 25, the President led a summit conference between his administration and business leaders about cybersecurity. The Wall Street Journal reports that the President

called the issue “the core national security challenge we are facing.”

Top tech executives, including Apple Inc.’s Tim Cook, Amazon.com Inc.’s Andy Jassy, Microsoft Corp.’s Satya Nadella and Alphabet Inc.’s Sundar Pichai attended the White House meeting, according to a list of participants shared by an administration official. The guest list also included JPMorgan Chase & Co. CEO Jamie Dimon and Brian Moynihan, president and CEO of Bank of America Corp., among other representatives of the financial industry.

Here’s a link to the White House’s fact sheet on the conference which highlights its significant accomplishments. Cyberscoop adds that “While impressive, observers noted, those commitments will require considerable follow-up, from expansion to other sectors to policy changes that could emerge from closer-knit relationships between industry and government.”

Last Monday, the FEHBlog attended a Federal Contract Institute webinar on combatting ransomware. The speakers, who were lawyers, suggested placing as many speed bumps, e.g., dual authentication, encryption, DMARC, as you reasonably can in front of the ransomware crook. Your run-of-the-mill ransomware crook will switch intended victims if the first intended victim’s servers appear difficult to crack. The speakers also recommended supplementing NIST 800-171, which focuses on preserving the confidentiality of data, with NIST IR 8374, a June 21 draft which focuses on preserving the integrity and availability of data. The speakers noted that CISA’s www.ransomware.gov site provides a helpful double check to identify available speed bumps.
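DMARC is one of the speed bumps the speakers named, and it only slows a phisher down when the published record actually enforces a policy. The following is an added example, not code from the webinar or from any of the sites linked above: it parses a domain’s DMARC TXT record and flags the weak settings (monitor-only policy, partial enforcement, no reporting address, unprotected subdomains) that a defender would want to tighten. The record strings inside it are constructed for illustration; a real check would fetch the TXT record for `_dmarc.<domain>` (for example with `dig TXT _dmarc.example.com`) and pass it to `assess_dmarc`.

```python
"""Evaluate a DMARC record as an anti-phishing "speed bump".

Added example (not from the original page). The DMARC record strings used
below are constructed; in practice the record is the TXT value published at
_dmarc.<domain>.
"""
import re

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into a tag -> value dict.

    RFC 7489 requires 'v=DMARC1' as the first tag; remaining tags are
    'key=value' pairs separated by semicolons, with optional whitespace.
    """
    parts = [p.strip() for p in record.split(";")]
    parts = [p for p in parts if p]
    if not parts or not re.fullmatch(r"v\s*=\s*DMARC1", parts[0], re.IGNORECASE):
        raise ValueError("not a DMARC record: first tag must be v=DMARC1")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Return the effective policy plus a list of weaknesses a defender should fix."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    pct = int(tags.get("pct", "100"))          # default: policy applies to 100% of mail
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    findings = []

    if policy not in VALID_POLICIES:
        findings.append("missing or invalid p= tag; receivers will ignore the record")
    elif policy == "none":
        findings.append("p=none is monitor-only; spoofed mail is still delivered")

    if policy in ("quarantine", "reject") and pct < 100:
        findings.append(f"pct={pct}: enforcement applies to only {pct}% of failing mail")

    if "rua" not in tags:
        findings.append("no rua= aggregate report address; spoofing attempts go unseen")

    if policy in ("quarantine", "reject") and subdomain_policy == "none":
        findings.append("sp=none leaves subdomains open to spoofing")

    enforcing = policy in ("quarantine", "reject") and pct == 100
    return {
        "policy": policy or None,
        "pct": pct,
        "enforcing": enforcing,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample records: one hardened, one monitor-only, one partial.
    samples = {
        "hardened": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com",
        "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "partial": "v=DMARC1; p=quarantine; pct=25",
    }
    for label, rec in samples.items():
        result = assess_dmarc(rec)
        print(f"{label}: enforcing={result['enforcing']}")
        for f in result["findings"]:
            print(f"  - {f}")
```

The check treats `p=reject` (or `p=quarantine`) at `pct=100` as the only enforcing configuration; anything else is a record that exists on paper but does not actually stop a spoofed message from reaching the inbox.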

Speaking of ransomware, the author of Bleeping Computer’s The Week in Ransomware must be on vacation because the FEHBlog cannot find the August 27 issue. In any event, Bleeping Computer does report that yesterday, August 27, “T-Mobile’s CEO Mike Sievert said that the hacker behind the carrier’s latest massive data breach brute forced his way through T-Mobile’s network after gaining access to testing environments.” Cyberscoop adds that

“Americans already trying to avoid calls from telemarketers, call support scammers and long-winded in-laws now have another reason to ignore that ringing phone: ransomware hackers. Scammers affiliated with a digital extortion outfit known as Hive are using phone calls to dial victims who are infected with a malicious software strain that locks up their files until they agree to pay a hostage fee, according to an August 25 FBI alert. Investigators first observed hackers deploying the malware in June, with attackers leveraging Microsoft’s Remote Desktop Protocol to infect business networks.”

Here are a couple of cybersecurity defense links that are worth a gander in the FEHBlog’s opinion:

  • Security Week discusses how threat detection is evolving.
  • The publication also explains how to defeat (avoid?) a false sense of cybersecurity.

Cybersecurity Saturday

Today is the 25th anniversary of President Clinton signing the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) into law. Ponder that, my friends.

Let’s start off today with a link to Bleeping Computer’s The Week in Ransomware:

Ransomware gangs continue to attack schools, companies, and even hospitals worldwide with little sign of letting up. [At the link] we have tracked some of the ransomware stories that we are following this week.

Stories of particular interest revolve around new features and tactics used by some of the ransomware operations.

After analyzing the Conti training material leaked earlier this month, we learned that they use a legitimate remote access software to retain persistence on a compromised network. We also learned that they prioritize searching for cyber insurance policies and financial documents after taking control of a network.

There is some good news, as Emsisoft has released a SynAck ransomware decryptor after the master decryption keys were released by the threat actors earlier this month.

Earlier this week Security Week reported that the “U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week published a new document providing recommendations on how to prevent data compromise during ransomware attacks.”

Although it’s not healthcare, it’s a big hack. The Wall Street Journal reports that “The breach of T-Mobile US Inc. allowed hackers to steal information about more than 54 million people and potentially sell the data to digital fraudsters and identity thieves.” The Journal adds that “T-Mobile has set up a website containing information about the breach and advice on how consumers can protect themselves.”

From the advice column

  • Tech Republic informs us, based on an interview with a cybersecurity lawyer, that “Expert says people are becoming smarter about the links they click on and noticing the ones they shouldn’t, giving hope for the future of cybersecurity.” Keep up the good work, friends.
  • HITConsultant.net discusses three ways that healthcare organizations can work to prevent insider security threats, to wit: (1) prioritize employee education without burning them out; (2) improve IT hygiene; and (3) implement a zero trust approach.
  • For more on the zero trust approach, check out this helpnetsecurity.com article.

Finally, the Wall Street Journal offers an interesting article on a Deloitte study about using technology to improve the health plan member experience. Check it out, and again, Happy Birthday, HIPAA.

Cybersecurity Saturday

This past week the HIMSS conference was held in Las Vegas. Healthcare Dive reports on a session on whether healthcare organizations should pay to settle a ransomware attack. It’s complicated because “With patient lives on the line, continuity of care is essential — and it might cost more to fight the attack by halting operations and bringing in pricey outside cybersecurity consultants.” In this regard, Fierce Healthcare informs us that

A massive cyberattack May 1 cost Scripps Health $112.7 million through the end of June, with lost revenue bearing most of the cost.

The nonprofit San Diego-based hospital system reported the impact during its second-quarter earnings filed Tuesday.

Healthcare Dive adds

Currently, security experts are experiencing a strategic sea change in how they counter cyberattacks, shifting from a focus on shoring up defense — an increasingly outdated and ineffective plan, given the increasing volume and complexity of cyberattacks, coupled with the massive size of healthcare organizations’ IT surfaces that need protection — to survivability. Panelists recommended companies assess their IT strengths and weaknesses to know how to prepare, even role-playing a breach to see how their contingency processes play out and workforce responds.

In that regard, here are some articles that caught the FEHBlog’s eye this week:

  • ISACA offers a thought provoking article on this topic: “Today, organizations’ No. 1 prerogative is implementing consistent data security measures and ensuring that it does not cause undue complexity in IT operations and business application changes. Complexity hides attacks by insiders and increases the chance of human error: Thales Data Threat reports 2021 states that respondents consider malicious insiders as the top threat at 35 percent, with human error at 31 percent. This blog post explores the approach and technology that is useful to reduce complexity in data security measures across the organization.”
  • SupplyChainBrain discusses “Why Virtual Private Networks Aren’t Enough to Ensure Cybersecurity.” In short, “We still find VPNs being heavily used, but zero-trust is starting to pick up steam. Some of the major firewall vendors and VPN vendors are beginning to introduce zero-trust-based access. Fewer and fewer folks are doing traditional credential-based access on VPN, but the Colonial Pipeline ransomware attack showed us that large infrastructure providers are still using a username and credentials instead of moving to multi-factor. Those that are doing multi-factor are definitely moving toward adding device trust on top of that to create additional security. The multi-factor authentication market is quite strong, but there’s room for improvement, even in traditional VPN architecture.”
  • TechTalk looks at steps toward achieving data security in the cloud.

In closing, here’s a link to Bleeping Computer’s The Week in Ransomware. In short, “This week we saw an existing operation rise in attacks while existing ransomware operations turn to Windows vulnerabilities to elevate their privileges.” In this regard, Cyberscoop reports on

The so-called PrintNightmare vulnerability in Microsoft software is turning into a dream for ransomware gangs.

For the second time this week, security researchers have warned that extortionists exploited the critical flaw in an attempt to lock files and shake down victims. It shows how, more than a month after Microsoft disclosed the bug and urged users to update their software, a new round of exploitation is under way against vulnerable organizations.

A ransomware group dubbed Vice Society recently seized on the PrintNightmare bug to move through an unnamed victim’s network and attempt to steal sensitive data, Talos, Cisco’s threat intelligence unit, said Thursday. A day earlier, cybersecurity firm CrowdStrike said that hackers using another type of ransomware had tried to use PrintNightmare to infect victims in South Korea. Neither Talos nor CrowdStrike named the targeted organizations.

ZDNet adds that just this week

Microsoft released an update that changes the default behavior in the operating system and prevents some end users from installing print drivers.

The key change in this month’s Patch Tuesday update for the bug CVE-2021-34481, aka PrintNightmare, is that users will need admin rights to install print drivers.

Vulnerability scan anyone?

Cybersecurity Saturday

Security Week informs us that the infrastructure spending bill currently under U.S. Senate consideration includes

approximately $2 billion to “modernize and secure federal, state, and local IT and networks; protect critical infrastructure and utilities; and support public or private entities as they respond to and recover from significant cyberattacks and breaches.”

The bill, which contains more than 300 occurrences of the words “cyber” and “cybersecurity,” includes the Cyber Response and Recovery Fund, which provides $20 million per year until 2028 for assisting government and private sector organizations to respond to cyber incidents.

A total of $550 million has been allocated to enhancing the security of the power grid. Some of the money is for developing solutions to identify and mitigate vulnerabilities, improve the security of field devices and control systems, as well as addressing issues related to workforce and supply chains.

The Washington Post adds that the “Senate Democrats and Republicans cleared another key procedural hurdle Saturday [August 7] on a roughly $1 trillion bill to improve the country’s infrastructure, though disagreements continue to plague lawmakers and prevent the measure’s swift passage.”

Nextgov informs us that

The Cybersecurity and Infrastructure Security Agency will work with agency stakeholders and new private-sector partners to minimize the risk of cyber incidents and better coordinate defensive actions if successful attacks occur under a new effort announced Thursday [August 5].

The Joint Cyber Defense Collaborative, or JCDC, will aim to take a proactive approach to cyber defense in the wake of several high-profile breaches that affected the federal government and public, according to CISA Director Jen Easterly. * * *

Initial industry partners include Amazon Web Services, AT&T, CrowdStrike, FireEye Mandiant, Google Cloud, Lumen, Microsoft, Palo Alto Networks and Verizon. * * *

Current government partners in the effort thus far include the Department of Defense, U.S. Cyber Command, the National Security Agency, the Department of Justice, the Federal Bureau of Investigation and the Office of the Director of National Intelligence.

Here is a link to the JCDC’s website. The Nextgov article indicates that the JCDC’s initial focus will be on ransomware.

According to Bleeping Computer’s The Week in Ransomware

If there is one thing we learned this week, it’s that not only are corporations vulnerable to insider threats but so are ransomware operations.

The LockBit 2.0 ransomware is now trying to recruit corporate insiders to help them breach networks. In return, the insider is promised millions of dollars.

On the flip side, ransomware operations are vulnerable too. Yesterday, after being banned from the Conti ransomware operation, a Conti affiliate leaked the training material for the ransomware operation on the XSS hacking forum, giving security researchers and defenders an inside look at the tools being used by the group.

ZDNet advocates “Constant review of third-party security critical as ransomware threat climbs.”

Cyberscoop reports

The Biden administration backed away from the idea of banning ransomware payments after meetings with the private sector and cybersecurity experts, a top cybersecurity official said Wednesday [August 4].

“Initially, I thought that was a good approach,” Anne Neuberger, deputy national security adviser for cyber and emerging technology, said at an Aspen Security Forum event. “We know that ransom payments are driving this ecosystem.”

Experts, including former government officials serving on a non-profit ransomware task force, helped shift that view, following high-profile hacks against Colonial Pipeline, the food production company JBS and Kaseya, a Florida-based IT firm. Payments from the Colonial Pipeline and JBS attacks totaled more than $15 million, a number that likely represents a fraction of the funds sent to extortionists.

“We heard loud and clear from many that the state of resilience is inadequate, and as such, if we banned ransom payments we would essentially drive even more of that activity underground and lose insight into it that will enable us to disrupt it,” she said.

The FEHBlog has registered for a free Public Contract Institute webinar on Data Abduction: Combatting and Limiting Ransomware Risks. Here is a link to the registration page.

Finally, this past week the National Institute of Standards and Technology released for public comment draft revisions to existing relevant Special Publications:

The public comment deadline is October 1, 2021, for SP 800-53 and September 20, 2021 for SP 800-160.

Cybersecurity Saturday

The Federal Bureau of Investigation announced that on July 28, 2021, “The Cybersecurity and Infrastructure Security Agency (CISA), Australian Cyber Security Centre (ACSC), United Kingdom’s National Cyber Security Centre (NCSC) and Federal Bureau of Investigation (FBI) released a joint cybersecurity advisory today, highlighting the top Common Vulnerabilities and Exposures (CVEs) routinely exploited by cyber actors in 2020 and those vulnerabilities being widely exploited thus far in 2021. Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations worldwide. It’s recommended that organizations apply the available patches for the 30 vulnerabilities listed in the joint cybersecurity advisory and implement a centralized patch management system.” Check it out because as the FBI explains “One of the most effective best practices to mitigate many vulnerabilities is to update software once patches are available and as soon as is practicable. Focusing cyber defense resources on patching those vulnerabilities that malicious cyber actors most often use should be ingrained in the culture of every organization. This approach offers the potential of not only bolstering network security, but also impeding the disruptive, destructive operations of our adversaries.”

To help reduce such vulnerabilities, the federal government’s Cybersecurity and Infrastructure Security Agency (“CISA”) announced yesterday July 30

the launch of its VDP Platform for the federal civilian enterprise, the latest shared service offered by CISA’s Cyber Quality Services Management Office (QSMO) and provided by BugCrowd and EnDyna. The VDP Platform provides a single, centrally managed online website for agencies to list systems in scope for their vulnerability disclosure policies, enabling security researchers and members of the general public to find vulnerabilities in agency websites and submit reports for analysis. The Department of Homeland Security (DHS), the Department of Labor (DoL), and the Department of Interior (DoI) are among the agencies planning to leverage this platform at the onset. * * *

Through this crowdsourcing platform, Federal Civilian Executive Branch (FCEB) agencies will now be able to coordinate with the security research community in a streamlined fashion and those reporting incidents enjoy a single, usable website to facilitate submission of findings. The platform encourages collaboration and information sharing between the public and private sectors by allowing uniquely skilled researchers to submit vulnerability reports, which agencies will use to understand and address vulnerabilities that were previously unidentified. BugCrowd and EnDyna, the service providers, will conduct an initial assessment of the vulnerability reports submitted. This initial assessment will free up agencies’ time and resources and allow agencies to focus on those reports that have real impact. * * *

For more information about QSMO and CISA’s new VDP platform, visit the Cyber QSMO Marketplace or the VDP Fact Sheet, or contact us at QSMO@cisa.dhs.gov.

On a related note, per CISA,

The National Security Agency (NSA) has released an information sheet with guidance on securing wireless devices while in public for National Security System, Department of Defense, and Defense Industrial Base teleworkers, as well as the general public. This information sheet provides information on malicious techniques used by cyber actors to target wireless devices and ways to protect against them. CISA encourages organization leaders, administrators, and users to review NSA’s guidance on Securing Wireless Devices in Public Settings and CISA’s Security Tip on Privacy and Mobile Device Apps for information on protecting devices and data.

These preventive measures are timely because according to Security Weekly, “A global study commissioned by IBM Security shows that the average cost of a data breach exceeded $4.2 million during the coronavirus pandemic, which the company pointed out is the highest in the 17-year history of its “Cost of a Data Breach” report.”

Last but not least, here is a link to Bleeping Computer’s The Week in Ransomware.

Ransomware continues to be active this week, with new threat actors releasing new features, No More Ransom turning five, and a veteran group rebranding.

This week marked the fifth anniversary of No More Ransom, where they announced that they had saved €1 billion in ransom payments through the decryptors on their platform.

We also saw ransomware groups continue to innovate with LockBit 2.0 now using group policies to automate the deployment of their ransomware over a Windows domain.

I shared what I know about the inner conflict of the Babuk ransomware gang that led to the Admin starting a new RAMP cybercrime forum and the rest of the team launching Babuk version 2.0.

Finally, DoppelPaymer has rebranded as a new ransomware operation known as Grief, which began operating in May.

Also Bleeping Computer informs us that “A new ransomware gang named BlackMatter is purchasing access to corporate networks while claiming to include the best features from the notorious and now-defunct REvil and DarkSide operations.” Oh joy.

Cybersecurity Saturday

Bleeping Computer’s The Week in Ransomware leads with the following:

This week has quite a bit of news ranging from the USA formally accusing China of the recent ProxyLogon vulnerability to Kaseya mysteriously obtaining the universal decryption key.

The US government this week officially attributed the ProxyLogon Microsoft Exchange attacks to China. Threat actors used this vulnerability to install a variety of malware, including the BlackKingdom ransomware.

In a surprise announcement, Kaseya has stated that they received the universal decryption key for their July 2nd REvil ransomware attack. This key will allow all victims of the attack to recover their files for free.

Cyberscoop has a more detailed story on the Kaseya hack resolution.

In other ransomware news / protective advice

  • The RSA Conference offers advanced common sense advice on how to handle a ransomware attack. “In the recent ISACA Ransomware Pulse Poll, 21% of respondents reported that they have already experienced a ransomware attack, and 46% consider ransomware to be the cyberthreat most likely to impact their organization within the next 12 months.”
  • ISACA advises on the importance of conducting periodic information security audits of cloud services vendors, from the perspectives of both the vendor and the customer.
  • Threatpost explains the importance, in the author’s opinion, of creating a long-term remote security strategy as businesses begin to formalize permanent hybrid working arrangements.

HHS’s Office for Civil Rights, which enforces the HIPAA Privacy and Security Rules, has requested public input as follows:

We want to hear from you! OCR and our partners at the HHS Office of the National Coordinator for Health Information Technology (ONC) are seeking user feedback and improvement suggestions on the Security Risk Assessment (SRA) Tool. The SRA Tool is designed to help small and medium-sized healthcare providers conduct a security risk assessment, as required by the HIPAA Security Rule and the Centers for Medicare and Medicaid Services (CMS) Promoting Interoperability Program. If you have suggestions on how to improve the Tool, we ask you to complete our short survey by July 31, 2021: https://stats.altarum.org/limesurvey/index.php/547532?lang=en.

Finally, the Washington Examiner reports that

The House Energy and Commerce committee passed eight bipartisan bills this week to better equip the government and businesses with tools to handle the recent explosion in ransomware attacks.

The bills, which passed with overwhelming bipartisan support, are focused on increasing coordination between the government and relevant industries, implementing cybersecurity best practices, educating everyday technology users, limiting the use of Chinese devices, and strengthening the security programs at the Federal Communications Commission and the National Telecommunications and Information Administration. * * *

One key purpose for the bills is to increase coordination between the federal government and affected businesses and industries.

“These bills will really improve the information sharing and cybersecurity readiness testing of the government by forcing all the right people to get into a room and fix things,” said Shane Tews, a senior fellow who focuses on cybersecurity and technology issues at the American Enterprise Institute, a right-of-center think tank.

“Hopefully, we get to a stage where the government is gaming out cyber problems and vulnerabilities in advance and then sending out software patches to solve them every week, like Microsoft, and other companies do internally on a regular basis,” she added.

Sound idea.

Cybersecurity Saturday

The American Hospital Association informs us that

The White House yesterday announced an interagency task force and other initiatives to protect U.S. organizations from ransomware attacks [on July 15]. The task force has been coordinating federal efforts to improve the nation’s cybersecurity as directed by the president in April. In addition, the departments of Homeland Security and Justice yesterday launched a one-stop website for federal resources to help organizations reduce their ransomware risk; the Treasury Department’s Financial Crimes Enforcement Network will convene public and private sector stakeholders in August to discuss ransomware concerns and information sharing; and the State Department will offer up to $10 million for information leading to the identification or location of anyone engaged in malicious cyber activities against U.S. critical infrastructure.

Here’s a link to Bleeping Computer’s The Week in Ransomware.

Ransomware operations have been quieter this week as the White House engages in talks with the Russian government about cracking down on cybercriminals believed to be operating in Russia.

This increased scrutiny by law enforcement and the growing fear that Russia is no longer a safe haven for cybercriminals has led to what is believed to be the shutdown of the notorious REvil ransomware operation. * * *

This shutdown is not believed to be caused by law enforcement, and it is likely we will see this group rebrand as a new operation in the future.

On the Microsoft front, Security Week reports yesterday that

After spending the last two months pushing out multiple Print Spooler fixes (one as an emergency, out-of-band update), Redmond’s security response team late Thursday acknowledged a new, unpatched bug that exposes Windows users to privilege escalation attacks.

Microsoft’s advisory describes an entirely new vulnerability — CVE-2021-34481 — that could be chained with another bug to launch code execution attacks.  

There is no patch available and Microsoft says the only workaround is for Windows users to stop and disable the Print Spooler service.

From the advisory:

An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

An attacker must have the ability to execute code on a victim system to exploit this vulnerability.

Microsoft said the vulnerability has already been publicly disclosed and credited Dragos security researcher Jacob Baines with the discovery.
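The workaround above (stop and disable the Print Spooler service) as an added PowerShell example, not code from Security Week or from Microsoft’s advisory: it audits the service state first so you can see which hosts are still exposed, and only changes anything when -Disable is passed. The hostnames are placeholders, and remote hosts assume WinRM is enabled.

```powershell
# Added example, not from the article or the advisory. Audits the Print Spooler on one
# or more Windows hosts; with -Disable it applies the advisory's workaround (stop the
# service and set its startup type to Disabled). Supports -WhatIf via ShouldProcess.
function Invoke-SpoolerWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$ComputerName = @('localhost'),   # placeholders; 'localhost' needs no WinRM
        [switch]$Disable
    )
    foreach ($computer in $ComputerName) {
        $block = {
            param($apply)
            $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
            if (-not $svc) { return [pscustomobject]@{ Status = 'NotFound'; StartMode = 'n/a'; Changed = $false } }
            # Win32_Service exposes the startup type (Auto/Manual/Disabled), which Get-Service does not.
            $wmi = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
            $changed = $false
            if ($apply -and ($svc.Status -ne 'Stopped' -or $wmi.StartMode -ne 'Disabled')) {
                Stop-Service -Name Spooler -Force
                Set-Service -Name Spooler -StartupType Disabled
                $changed = $true
                # Re-read so the report reflects the post-change state, not the cached object.
                $svc = Get-Service -Name Spooler
                $wmi = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
            }
            [pscustomobject]@{ Status = $svc.Status; StartMode = $wmi.StartMode; Changed = $changed }
        }
        $apply = $Disable -and $PSCmdlet.ShouldProcess($computer, 'Stop and disable Print Spooler')
        if ($computer -eq 'localhost') { $r = & $block $apply }
        else { $r = Invoke-Command -ComputerName $computer -ScriptBlock $block -ArgumentList $apply }
        # Exposed = the precondition the advisory's workaround removes: the spooler is still running.
        [pscustomobject]@{
            Computer  = $computer
            Status    = $r.Status
            StartMode = $r.StartMode
            Exposed   = ($r.Status -eq 'Running')
            Changed   = $r.Changed
        }
    }
}

# Audit only (changes nothing); then apply to hosts that do not need to print.
Invoke-SpoolerWorkaround | Format-Table
# Invoke-SpoolerWorkaround -ComputerName 'ws01', 'ws02' -Disable -WhatIf
```

Run the audit line first and review the Exposed column; disabling the service on a host that serves printers breaks printing, so apply -Disable only where the page’s workaround is acceptable.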

SC Media informs us

More than 22.8 million patients have been impacted by a health care data breach so far in 2021, a whopping 185% increase from the same time period last year, when just 7.9 million individuals were affected, according to a new report from Fortified Health Security.

Malicious cyberattacks caused the majority of these security incidents, accounting for 73% of all breaches. Unauthorized access or disclosure accounted for another 22%, and the remaining 5% were caused by smaller thefts, losses, or improper disposals.

Further, the number of breaches reported to the Department of Health and Human Services during the first six months of 2021 increased by 27% year-over-year. Health care providers accounted for the most breaches with 73% of the overall tally, compared to health plans with 16% and business associates that accounted for 11%.

“Healthcare organizations have literally hundreds of electronic entry points into their data networks, everything from EHRs, radiology and lab systems, to admission, discharge and transfer systems, to supply chain ordering and internet-enabled medical devices — and any one of these could be the Achilles’ heel exploited by a bad actor,” the report authors wrote.

In other cybersecurity news

  • Per Homeland Security Today, “The Senate [on July 23] confirmed by unanimous consent former NSA deputy for counterterrorism Jen Easterly to lead the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security.” “Easterly was a managing director at Morgan Stanley, serving as global head of the firm’s Fusion Resilience Center, and a senior fellow at New America’s International Security program. After her NSA role from 2011-2013, she served on the National Security Council as special assistant to the president and senior director for counterterrorism. Easterly served more than 20 years in the Army and was responsible for standing up the Army’s first cyber battalion. She was also instrumental in the creation of U.S. Cyber Command, and served as executive assistant to National Security Advisor Condoleezza Rice for a time.” Good luck, Ms. Easterly.
  • Earlier this week, the HHS Office for Civil Rights, which enforces the HIPAA Privacy and Security Rules, issued its Summer 2021 Cybersecurity Newsletter. The newsletter is headlined “Controlling access to electronic protected health information; for whose eyes only?” It advises that “Ensuring that workforce members are only authorized to access the ePHI necessary and that technical controls are in place to restrict access to ePHI can help limit potential unauthorized access to ePHI for both threats.”

Cybersecurity Saturday

Bleeping Computer brings us up to date on the Kaseya cyberattack:

The REvil affiliate responsible for this attack chose to forgo standard tactics and procedures. Instead, they used a zero-day vulnerability in Kaseya’s on-premise VSA servers to perform a massive and widespread attack without actually accessing a victim’s network.

This tactic led to the most significant ransomware attack in history, with approximately 1,500 individual businesses encrypted in a single attack.

Yet, while BleepingComputer knows of two companies who paid a ransom to receive a decryptor, overall, this attack is likely not nearly as successful as the REvil gang would have expected.

The reason is simply that backups were not deleted and data was not stolen, thus providing the ransomware gang little leverage over the victims.

There’s a lesson in there for both sides.

Cyberscoop provides background on the REvil gang.

[REvil is] one of the more prominent ransomware-as-a-service groups, experts say, in which other criminals can use a strain of ransomware on a rental or subscription basis, or in exchange for a share of the payments. That business model lowers the barrier for anyone to get into the business of ransomware, because it requires no technical expertise in developing the code itself. It’s a trend that’s contributed to the rise of the ransomware phenomenon.

On the good guys’ side

  • The Wall Street Journal reports that “New York City has become the first major American metropolitan area to open a real-time operational center to protect against cybersecurity threats, regional officials said. Set in a lower Manhattan skyscraper, the center is staffed by a coalition of government agencies and private businesses, with 282 partners overall sharing intelligence on potential cyber threats. Its members range from the New York Police Department to Amazon.com Inc. and International Business Machines Corp. to the Federal Reserve Bank and several New York healthcare systems. Until last week, the two-year effort known as New York City Cyber Critical Services and Infrastructure was completely virtual.”
  • Cyberscoop informs us that “Few people, if any, seem to grasp the breadth and cost of the scourge, as there are no legal requirements for victims to disclose when they pay hackers to unlock their network. That, combined with the suspicion that most victims don’t report their digital extortion payments, makes it harder for law enforcement and security firms to combat attacks, or even understand how to fight them. That’s the impetus behind a project that Stanford University student and security researcher Jack Cable launched on Thursday, dubbed ‘Ransomwhere,’ a plan to track payments to bitcoin addresses associated with known ransomware gangs. ‘Having public transparency around the impact of ransomware, especially as we’re proposing and considering different actions to try to combat ransomware — we’ll need a way of seeing whether those actions actually work,’ Cable said in an interview with CyberScoop.”

On July 6, according to CISA, “Microsoft has released out-of-band security updates to address a remote code execution (RCE) vulnerability—known as PrintNightmare (CVE-2021-34527)—in the Windows Print spooler service.”

For other news, here is a link to Bleeping Computer’s The Week in Ransomware.